Rss

    Archives for : security

    Interesting results from social search engines

    I went to a security presentation yesterday with one of the guys from work which summarised some of the cooler Blackhat and Defcon presentations from Las Vegas this year.

    One of these presentations demonstrated the use of the open API’s available for some of the social media sites. The below list represents some of the search engine I’ve found that allow search words to be queried against publicly available information. I’ve found that these searches far exceed what is indexed on the social media site search option.

    Search engines

    Google Buzz API Browser: explore what’s publicly visible through the Google Buzz API
    Facebook API Browser: explore what’s publicly visible through the Facebook Graph API
    Wink People Search
    Showdan HQ – Computer search engine (looks for MAC address)

    No need to bypass security with a boot disk – 17 year old Windows exploit found

    The problem has been discovered in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to, and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

    The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

    Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by the The H’s associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid 2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

    The workaround requires users to start the group policy editor and enable the “Prevent access to 16-bit applications” option in the Computer ConfigurationAdministrative TemplatesWindows ComponentsApplication Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don’t cause any major compatibility problems for most users while no 16-bit applications are being used.

    Update – The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat with a D-Word value of VDMDissallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsAppCompat]

    “VDMDisallowed”=dword:00000001

    into a file called vdmdisallow.reg and double click the file. Windows will then automatically import the key (admin rights are required to perform this action).

    Update 2 - Microsoft has now confirmed the privilege escalation hole in Windows. The company says that it wants to complete its investigation of the vulnerability and will then decide whether, how and when to close it.

    See Also:

    REDMOND — When it rains, it pours. Especially in the Seattle area. Tavis Ormandy has published full details on a privilege escalation hack of all versions of Windows including Windows 7.

    The exploit takes advantage of a bug in the Windows implementation of the ‘virtual DOS machine’ used to run legacy 16-bit programs. The exploit can be avoided by turning the VDM ‘feature’ off but the danger of course is that enough Windows lusers won’t know about the bug and/or bother turning the ‘feature’ off.

    16-bit applications need BIOS support; the Windows kernel supports virtual BIOS interrupts in its ‘Virtual-8086’ mode monitor code. The code is implemented in two stages. The #GP trap handler transitions to the second stage when CS:EIP faults with specific ‘magic’ values.

    The transition requires (subsequent to authentication) restoring the context and the call stack from the faulting trap frame. But the authentication process is flawed, relying as it does on three incorrect assumptions.

    • Setting up a VDM context requires SeTcbPrivilege.The barrier to getting a VDM context can be subverted by requesting the NT VDM subsystem and then using CreateRemoteThread() to run code in the context of the VDM subsystem. The VDM subsystem already has the necessary flag set.
    • Ring 3 (unprivileged) code cannot install arbitrary code segment selectors.Using the two least significant bits of CS/SS to calculate the privilege of a task doesn’t work when it comes to Virtual-8086 mode. The 20-bit addressing (by adding CS << 4 to the 16-bit IP) is also used to map onto the protected linear Virtual-8086 address space. If CS can be set to an arbitrary value, then the privilege calculation can be circumvented.
    • Ring 3 (unprivileged) code cannot forge a trap frame.Returns to user mode are through IRET. An invalid context can cause IRET to fail pre-commit, which in turn forges a trap frame. And even with address randomisation it’s trivial to use NtQuerySystemInformation() to obtain the address of the second stage BIOS handler.

    Affected Systems

    This bug dates back 17 years and affects all systems released since 27 July 1993 – Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. See the links below for further details.

    See Also
    MITRE: CVE-2010-0232
    Windows plagued by 17-year-old privilege escalation bug
    NEOPHASIS: Trap Handler Allows Users to Switch Kernel Stack

    SSLv3 / TLS Man in the Middle vulnerability

    Recently I have been looking into the vulnerabilities in the TLS negotiation process discovered late last year.

    There are a range of experts debating the exploit methods, tools and how it may be fixed (server or client site or both). From what I have seen so far this may prompt a change to the TLS standard to introduce an extension to the protocol to validate sessions (session hand off and certificate validity).

    www.ietf.org

    isc.sans.org

    www.win.tue.nl/hashclash/rogue-ca/

    www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html

    I’m also trying to find some tools which may assist in testing for this. It looks like the exploit relies on an ARP poison or similar and then inserting plain text into the negotiation process.

    Could be something that can be fixed over time as servers and clients are patched.

    SCADA Security Presentation

    This is a presentation I gave on SCADA security some time ago. It was originally set for about 2 hrs, although I broke it into 2 halves so if time permitted (or the partisipants wanted more inforamation), the backend of the presentation has many more areas and guidence relaing to SCADA, devices, environment security, etc.

    I defined the following outcomes for the presentation:

    • Broaden the awareness and necessity of security within the SCADA environment.
    • Understanding of business role in the governance/risk identification process.
    • Heighten the understanding of technology risks.

    I hope people find the material interesting and useful.

    SCADA Security Presentation Derek Grocke

    Hacking SCADA/SAS Systems Used Techniques, Known Incidents and Possible Mitigations

    I have been working in the SCADA engineering, network design, project governance and security area for lots of years.

    As a result I have many documents and techniques I will be sharing here. This is the first of many documents which I hope others will find informative and help others to understand and shape their approach to these environments.

    Local file

    Next Generation SCADA Security: Best Practices and Client Puzzles

    SCADA Presentation

    A cool document I thought I would share. It shows some good understanding and presents some good ideas.

    SCADA considerations

    Procedures

    • Corporate Information Protection
    • Security Management
    • Information Classification
    • Physical (and Environmental) Security
    • Personnel Security
    • Security Awareness Training
    • Security Incident Response
    • Security Monitoring
    • Network Security
    • PC/Workstation Security
    • Support and Operational Security Related
    • Encryption and Information Confidentiality
    • Authorization Controls
    • Identification and Authentication Mechanisms
    • Systems Life Cycle Security
    • Business Continuity Planning
    • Media Security
    • Third Party Services

    Typical concerns and points discussion:

    • Inbound and out Bound FTP
    • Suggest use of DMZ
    • Suggest use of Secure FTP
    • Suggest use of restricted secure IP addresses / tunnelling
    • Suggest use of private feeds

    Modem issues used with dial in services

    • No dial back
    • No Authentication
    • No Secure ID
    • Possibly automated scripts used, so hard coded usernames and passwords used.
    • Internet sharing may be turned on, allowing routing via workstations.

    Increased data security and integrity considerations

    • Data backups
    • System redundancy
    • Site and content filtering
    • Virus protection
    • Standard system procurement (discounts and spares)
    • Network and services redundancy
    • Network monitoring
    • Service availability monitoring
    • Internal controls
    • Vendor / external service supplier
    • Capacity management
    • Change management system
    • Asset management system
    • Telecommunication and telephony bulk cost discounting
    • Etc.

    Use and support for corporate application considerations

    • Email
    • Intranet
    • Internet
    • Corporate virus protection
    • Asset management
    • Change management
    • Project management
    • Performance / capacity management
    • Reduction of Cost
    • Use of corporate applications
    • Reduction of manual processes

    Other things to keep in mind:

    • SCADA monitoring system must be isolated from network errors and systems events. This will prevent SCADA operational systems being effected by network or corporate system issues / outages.
    • Review Network topology to ensure internal and external vulnerabilities are not currently being and cannot be abused.
    • Review of router configurations
    • Use of change management system
    • Review remote dial in systems
    • Firewall SCADA systems off from corporate applications
    • Uncontrolled networks and systems within the SCADA environment will compromise the corporate environments integrity and security.
    • Determine if systems used within SCADA are built to a standard operating environment.

    Nmap Examples

    Some Nmap examples I thought I would post.

    Scanning past Watchguard Firewalls: nmap -sS -iL targetlist.txt -P0 -sV -T4

    Verbose Scan: nmap -v

    This option scans all reserved TCP ports on the target machine. The -v option enables verbose mode.

    nmap -sS -O /24

    Launches a stealth SYN scan against each machine that is up out of the 256 IPs on “class C” sized network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection.

    nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

    Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116 class B address space. This tests whether the systems run SSH, DNS, POP3, or IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

    nmap -v -iR 100000 -PN -p 80

    Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -PN since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway.

    nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

    This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

    Instead of limiting ourselves to scanning just one target., let’s broaden our horizon’s to bigger and better things. In example 2 we used our IP address to base a scan against. Using that address again we can get a look at numerous targets in our “community”. At the command line type the following (substituting a valid address of your choice of course):

    nmap -sT -O 206.212.15.0-50

    What this does is instruct nmap to scan every host between the IP addresses of 206.212.15.0 and 206.212.15.50. If you happen to find many interesting feedback results from this or a larger scale scan then you can always pipe the output into your choice of a human readable file or a machine parsable file for future reference by issuing the following option:

    To create a human readable output file issue the -oN command into your nmap string so that it would look similar to this:

    nmap -sT -O -oN sample.txt 206.212.15.0-50

    Rather have a machine parsable file? Enter the -oM to pipe the output into a machine parsable file:

    nmap -sT -O -oM sample.txt 206.212.15.0-50

    *Back when I was becoming aquatinted with all the nmap options, I ran my first large scale scan against 250 consecutive machines using an arbitrary number (nmap -sX -O -oN sample.txt XXX.XXX.XXX.0-250).To my great surprise I was confronted with 250 up and running virgin Linux machines. Another reason why Linux enthusiasts should NEVER become bored.

    -I This is a handy little call that activates nmap’s TCP reverse ident scanning option. This divulges information that gives the username that owns available processes. Let’s take a look (Note that the host has to be running ident). At the command line issue this command against your target, in this case our default Eve running Linux:

    -iR Use this command to instruct nmap to scan random hosts for you.

    -p Port range option allows you to pick what port or ports you wish nmap to scan against.

    -v Use verbosity to display more output data. Use twice (-v -v) for maximum verbosity.

    -h Displays a quick reference of nmap’s calls

    Now that we have looked at nmap’s three basic usage types and some of it’s other options, let’s mix and match them.

    nmap -v -v -sS -O 209.212.53.50-100

    This instructs nmap to use a maximum amount of verbosity to run a stealth scan and OS detection against all machines between IP addresses 209.212.53.50 and 209.212.53.100. This command will also require root privileges due to both the -sS and -O calls. Of course this will display a very overwhelming amount of data so let’s log our results into a human readable file for future reference:

    nmap -v -v -sS -O -oN sample.txt 209.212.53.50-100

    Now let’s make nmap run a stealth scan and instruct it to look only for machines offering http and ftp services between the addresses of 209.212.53.50 and 209.212.53.100. Once again we will log the output (I’m a log junkie) for future reference into a human readable file called ftphttpscan.txt:

    nmap -sS -p 23,80 -oN ftphttpscan.txt 209.212.53.50-100

    Remember the -iR option mentioned previously? Let’s use it to take a random sampling of Internet web servers using the verbatim example from nmap’s man page:

    nmap -sS -iR -p 80

    Last but certainly not least, while gleaning information, don’t forget to nmap yourself. Just type at the command line: nmap 127.0.0.1 This is especially useful and recommended if you’re a newcomer to Linux and connected to the Internet via DSL or cable modem.

    Detect promiscuous network devices or sniffers on a network

    Old versions       nmap –script=promiscuous 10.0.1.0/24

    New Versions     nmap -sV –script=sniffer-detect 10.0.1.0/24

    WPA cracking is getting quicker

    I was reading some posts on the Full-disclosure mailing list and came across the some posts relating to WPA hacking (WPA attack improved to 1min). After spending hundreds of hours using the AIR tools to crack WEP encryption and looking into networks as part of my previous job, I was very interested to see how things are progressing.

    The thread mentioned the paper “A Practical Message Falsification Attack on WPA” posted on http://bit.ly/8qwQt.

    It was a coincidence as I was only taking to one of the executives at work about how easy WEP is to crack and what you can do/discover once you are in.

    I hope you enjoy the paper.

    —– Update —–

    Once this was posted I received many message s and a few more links for the post.

    So here thet are:

    http://www.youtube.com/watch?v=ZeCVkWMUSzE

    http://www.crn.com.au/News/154177,researchers-crack-wpa-encryption-in-60-seconds.aspx

    http://www.renderlab.net/projects/WPA-tables/
    http://205.127.87.136:6969/torrents
    /wpa_psk-h1kari_renderman.torrent?95896A255A82D1FE8B6A2BFFC098B735058B30D7
    http://www.churchofwifi.org/Project_Display.asp?PID=90
    http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf – Though will only help with TKIP

    Thanks to

    Oliver from ethicalhack.org

    Michael from SA Government

    Tim from CQR Consulting

    —– End Update ——