Darknet – The Darkside

The trend of paying for bugs is certainly catching on, the most recent entrant to the field is Deutsche Post the German postal service. They announced this week a security cup for their new online secure messaging service. The bug bounty trend has resurfaced recently with Mozilla increasing its bounty to $3000 and Google increasing their offering shortly after that too.

Teams will have seed money and will be awarded additional bounties for major and minor bugs. There’s quite a lot of money up for grabs if you count the seed money + find at least 2 critical bugs and a few minor bugs you could walk away with quite a fat stash.

Deutsche Post, the successor to the German federal postal service, will offer bounties for bugs researchers find in its E-Postbrief secure message service, the company announced this week.

The firm, which also operates the DHL overnight delivery service, will kick off a contest in October after it pre-approves research teams that apply for what it’s calling the Deutsche Post Security Cup. Each team will be seeded with €3,000 ($3,800), but must use their own tools and agree to not touch any private data they come across during their work. The teams must also keep quiet about any vulnerabilities they find until December, when Deutsche Post will award prizes and reveal the bugs it’s patched.

You can look at this two ways really, on one hand this is a good initiative meaning the system will be secured in some way. Of course that’s entirely dependant on the skill level of the people who enter the ‘cup’. But judging by the bounty amounts I’d say they are likely to attract a fairly decent crowd.

On the other hand you could say this is a form of crowd-sourcing, they are avoiding paying big bucks to a proper security company for an audit and farming it out under the guise of a bounty scheme to whoever shows up.

Bounties of €6,000 ($6,400) and €1,000 ($1,300) will be paid for major and minor bugs, respectively, with a four-member jury classifying the reported vulnerabilities. The jury includes Jennifer Granick, the civil liberties director of the Electronic Frontier Foundation (EFF) and Thorsten Holz, the co-founder of the German Honeynet Project, which places vulnerable systems on the Internet to collect malware.

Bug bounties and prizes gained momentum this summer after Mozilla and Google both hiked the rewards they pay to researchers who report vulnerabilities in Firefox and Chrome, respectively. Shortly after the bounty boosts, the long-running Zero Day Initiative (ZDI) bug payment program run by HP TippingPoint announced new rules, including a six-month deadline for patching reported problems.

More information about Deutsche Post’s bug contest can be found on its Web site.

I hope all findings are publicly published so we can really judge the value of the outcome and what kind of opportunity this represents for corporations who are looking for security solutions. It could bring about a whole new breed of ‘bounty hackers’ that solely exist (professionally) on these kind of offerings.

Plus the fact they do actually have some well-known judges who are credible and known in the industry. It seems like the whole bounty scheme could be heating up.

Source: Network World

This is a Windows PowerShell Script to help you with blacklisting domains you wish to block in your networks.

We have written about PowerShell before, it is something which can make the windows shell a lot more flexible.

On the external DNS servers you can create primary zones for the domain names and FQDNs you do not want your users to resolve correctly. These DNS zones will all return an incorrect IP address, such as “0.0.0.0″ or the address of an internal server, not the real address. Because the organization’s internal DNS servers are configured to forward their requests to these external DNS servers in the DMZ, the internal DNS servers will cache these incorrect addresses too when the external DNS servers respond. So, when an internal client tries to resolve an unwanted DNS name, it will receive a response, but the IP address returned will be incorrect. Because an IP address of “0.0.0.0″ is unreachable, these unwanted zones created on the external DNS servers are said to be “blackholed”, “blacklisted” or “blocklisted”.

What to block? You can obtain lists of FQDNs and domain names to blackhole for free. Some lists are only for malware, others might be just for pornography, but be aware that they are never 100% complete or accurate (you get what you pay for, so don’t be surprised to find gaps a small number of false positives).

Some of the more popular blackhole lists include (in no particular order):

www.MalwareDomains.com
www.Malware.com.br
www.MalwareDomainList.com
www.MalwareURL.com
www.SomeoneWhoCares.org
mtc.sri.com
www.MVPs.org
www.UrlBlacklist.com (not free)

From sites like the above you can download lists of FQDNs and simple domain names which can be fed into the PowerShell script for this article in order to create blackhole zones on Windows DNS servers. If you have DNS servers running BIND, perhaps on Linux or BSD, then the sites above will also help you import blackhole domains on those DNS servers too (scripts for blackholing on BIND are common).

Requirements

To use the PowerShell DNS blackhole script, you must:

• Have PowerShell 2.0 or later on the computer where the script will be run, which may be the DNS server itself or another management workstation.
• Use Windows Server 2003 with SP2 or later for the DNS server.
• Allow network access to the RPC ports of the Windows Management Instrumentation (WMI) service from the workstation where the script will be run.
• Be a member of the local Administrators group on the DNS server.

You can download the PowerShell DNS Blackhole script here:

Blackhole-DNS.zip

Or read more here.

China catches a lot of flack in the infosec World, mostly for being suspected of cyber-terrorism and for propagating nasty malware.

Lately things have been getting more political especially during their tussle with Google over the whole ‘search freedom’ issue and censorship.

The latest is that they are starting to check for compliance on a 3 year old initiative called the Multi-Level Protection Scheme or MLPS which effectively mandates all core services that the government uses must be provided by local Chinese companies.

China is stepping up efforts to keep the security systems that protect its critical infrastructure in the hands of local firms, and that could be bad news for companies based outside the country.

China has started sending out inspectors to check for compliance with a little-known initiative called the Multi-Level Protection Scheme (MLPS), the Associated Press reported Wednesday. Introduced three years ago by China’s Ministry of Public Security, it mandates that core products used by government and infrastructure companies such as banks and transportation must be provided by Chinese companies.

Over the past year, government inspectors have been telling some companies that they must switch to Chinese firewalls and other types of security technology, the AP said. The development could force security vendors such as Cisco Systems and Symantec out of important parts of the growing market, or force them to partner with local businesses, said Stephen Kho, senior counsel with Akin Gump Strauss Hauer & Feld, an international law firm based in Washington. “Right now, it seems to only affect the companies that are in the information security sector,” he said.

The MLPS regulations have been public since 2007, but it wasn’t clear until recently that China would actually enforce them, Kho said. “When they put this one in place, nobody really paid any attention to it,” he said. “A lot of times these laws stay on the books and they do nothing.”

The regulations have been in place for 3 years but are only being enforced now, it seems like a concerted effort by the Chinese government to start pushing foreign companies out of China. Some could also say it’s to get back at the US rejecting takeover bids by Huawei citing ‘security concerns’.

It’s a two way street, you don’t let China in…they are going to push you out. So much for bilateral ties?

Critics worry that China may be leveraging security concerns to shut down free trade in its growing security products market.

The MLPS covers critical infrastructure companies, and China has said most government agencies and state-owned companies must be fully compliant by this year, according to a recent report by the American Chamber of Commerce in China. This requirement could have “serious implications” for companies that sell to critical infrastructure operators in China, the report states.

The MLPS is just one of several policies designed by China over the past few years to spur homegrown technology development. Groups like the American Chamber of Commerce worry that they simply close out foreign competition. “[P]olicies that China is adopting under the banner of ‘indigenous innovation’ are increasingly closed and protectionist in nature,” the group wrote in its report.

In a blog post last year, Oracle Director of Standards Strategy and Policy Trond Undheim said other laws and regulations are also at play here, including the Chinese Compulsory Certification (CCC), which requires the disclosure of intellectual property in some security products.

“China is at the moment poised to limit the global IT industry’s footprint in their country,” Undheim wrote. “They have devised a quite devious set of schemes to do this, centered around IT security legislation.”

This could cause some serious issues for big hardware players like Cisco and Juniper and honestly I think if China really pushes this policy their only choice will be to form some kind of joint venture with China shareholders being in the majority.

It seems China have things locked down pretty tight and if they so wish they can shut everyone down or just simply push them out of the market by making it illegal for them to do business.

Either way, it’s not looking good for some of the big US players.

Source: Network World

The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows.

The intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for this purposes.

Current features also include disassembling x86 native code (using the open source diStorm project, see https://code.google.com/p/distorm/), debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing.

What’s new in this version?

• fully supports Python 2.4 through 2.7
• fully supports Windows XP through Windows 7, 32 and 64 bit editions
• crash report tool now supports MSSQL (requires pyodbc)
• now supports downloading debugging symbols from Microsoft (thanks Neitsa!)
• new tool: sehtest.py (Windows SEH buffer overflow jump address bruteforcer, inspired by the same tool by Nicolas Economou)
• now with only one MSI installer for all supported Python versions
• now using cerealizer instead of pickle whenever possible

You can view the entire changelog for all versions here.

You can download WinAppDbg here:

Win (32-bit) – winappdbg-1.4.win32.exe
Win (64-bit) – winappdbg-1.4.win-amd64.exe
Source Code – winappdbg-1.4.zip

Or read more here.

The big news that is turning the infosec world inside out this week is about a new DLL pre-loading/hijacking bug which effects more than 200 Windows applications including some produced by Microsoft itself.

The basis of this exploit is the way in which Windows works and how it loads DLL files used by many applications, if an application calls a DLL without specifying an absolute path Windows will conduct a search for the DLL file in various set locations. This of course can and is being abused.

The big problem with is the fact that it can’t really be patched by Microsoft, each vulnerable application vendor needs to issue an update to their applications to fix the way in which they deal with DLL files.

The Microsoft Security Response Center has written about the issue here:

Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.

Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately.

More information about the DLL Preloading remote attack vector

Microsoft also has published some Registry tweaks which can change the default DLL library search behaviour (downloads are available for each version of Windows):

A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Microsoft and quite a few other researchers have known about this for some time and have stated they won’t be patching it but will be looking at ways to address it in future versions of Windows.

MIcrosoft has told a researcher that it won’t patch a problem that has left scores of Windows applications open to attack. According to a growing number of reports, crucial Windows functionality has been misused by countless developers, including Microsoft’s, leaving a large number of Windows programs vulnerable to attack because of the way they load components.

The issue first surfaced last week when HD Moore, chief security officer of Rapid7 and creator of the open-source Metasploit hacking toolkit, said he had found 40 vulnerable applications , including the Windows shell. A day later, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began in November 2008.

Over the weekend, Taeho Kwon, a Ph.D. candidate in computer science at the University of California Davis, stepped forward to cite his research, which he published in a February 2010 paper.

Microsoft won’t patch critical DLL loading bugs

The attack code was posted yesterday to the Exploit Database. It included exploits for the Wireshark packet sniffer, Windows Live email and Microsoft MovieMaker, in addition to those for the most recent versions of Firefox, uTorrent and PowerPoint.

Some more info is available here:

Microsoft Binary Planting Bug: What You Need to Know

If you want to scan your own system you can do so here:

DLLHijackAuditKit v2

It includes complete instructions and the steps to scan for vulnerable apps, build test cases for each application and assemble an exploit.

A simple PERL tool which detects several Directory Traversal Vulnerabilities on HTTP/FTP Servers. This AttackDB version currently has 871 traversal payloads. This tool was tested against various Kolibri+ WebServer v2.0 and Gefest WebServer v1.0 (HTTP servers) giving good results identifying the right vulnerability strings. Those HTTP servers were vulnerable, and somebody reported those vulns on sites such as exploit-db, but those advisories just reported some (1 or 2) traversal strings with a difference with DotDotPwn which detected between 10 or 20 different attack strings on those vulnerable servers.

Features

• Detects Directory traversal vulnerabilities on remote HTTP/FTP server systems.
• DotDotPwn checks the presence of boot.ini on the vulnerable systems through Directory traversal vulnerabilities, so it is assumed that the tested systems are Windows based HTTP/FTP servers.
• Currently, the traversal database holds 871 attack payloads. Use the -update flag to perform an online fresh update.

Requirements

Perl with support of HTTP::Lite and Net::FTP modules

The full README file is available here.

You can download DotDotPwn v1.0 here:

ddpwn.tar.gz

Or read more here.

We’ve seen a trend in recent years, especially in the technology sector of acquisitions and consolidations. It’s been something Microsoft has been doing for a long time, acquiring smaller niche companies to improve/supplement their existing product lines.

In recent years the trends has shifted towards web services and of course security, many smaller security companies have been acquired, most recently would be the Sunbelt acquisition by GFI.

Back in 2007 Google Acquired Web Security Startup GreenBorder. There have been many others of course, a lot of which we haven’t covered as they are more business related than anything else.

Bruce Schneier has also been talking about these kind of acquisitions for over two years.

There has been a pretty unanimous WTF from the tech community as Intel isn’t even a software provider, they are a hardware manufacturer…and yes they’ve had some flaws in their products but does that justify spending almost $8 Billion USD to acquire a security company?

And well McAfee isn’t exactly highly thought of within the security community.

Both boards of directors have approved the deal, which is still subject to McAfee shareholder approval and regulatory approval.

Intel said the deal signalled its decision to put security on par with energy-efficient performance and internet connectivity as a strategic focus area.

“Today’s security approach does not fully address the billions of new Internet-ready devices connecting, including mobile and wireless devices, TVs, cars, medical devices and ATM machines as well as the accompanying surge in cyber threats,”

The details can be seen on Market Watch here.

And well McAfee don’t even provide hardware security functions, which is I assume what Intel is looking for. Who knows, this may just be a capital investment strategy from Intel and not particularly related to what McAfee produces.

Intel of course can benefit from the security knowledge McAfee has and integrate that into their hardware – but that is going to take some time.

Several security analysts have given their opinions of what this could mean and how it could effect Intel, McAfee and the industry in general.

Source: The Register

Tshark is actually part of the Wireshark package, and has some similar functionality. It does some cool stuff though so I thought it’s worthy of its own post.

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark’s native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

Without any options set, TShark will work much like tcpdump. It will use the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet.

TShark is able to detect, read and write the same capture files that are supported by Wireshark. The input file doesn’t need a specific filename extension; the file format and an optional gzip compression will be automatically detected. Near the beginning of the DESCRIPTION section of wireshark(1) is a detailed description of the way Wireshark handles this, which is the same way Tshark handles this.

Compressed file support uses (and therefore requires) the zlib library. If the zlib library is not present, TShark will compile, but will be unable to read compressed files.

If the -w option is not specified, TShark writes to the standard output the text of a decoded form of the packets it captures or reads. If the -w option is specified, TShark writes to the file specified by that option the raw data of the packets, along with the packets’ time stamps.

When writing a decoded form of packets, TShark writes, by default, a summary line containing the fields specified by the preferences file (which are also the fields displayed in the packet list pane in Wireshark), although if it’s writing packets as it captures them, rather than writing packets from a saved capture file, it won’t show the “frame number” field. If the -V option is specified, it writes instead a view of the details of the packet, showing all the fields of all protocols in the packet.

If you want to write the decoded form of packets to a file, run TShark without the -w option, and redirect its standard output to the file (do not use the -w option).

When writing packets to a file, TShark, by default, writes the file in libpcap format, and writes all of the packets it sees to the output file. The -F option can be used to specify the format in which to write the file. This list of available file formats is displayed by the -F flag without a value. However, you can’t specify a file format for a live capture.

Read filters in TShark, which allow you to select which packets are to be decoded or written to a file, are very powerful; more fields are filterable in TShark than in other protocol analyzers, and the syntax you can use to create your filters is richer. As TShark progresses, expect more and more protocol fields to be allowed in read filters.

Packet capturing is performed with the pcap library. The capture filter syntax follows the rules of the pcap library. This syntax is different from the read filter syntax. A read filter can also be specified when capturing, and only packets that pass the read filter will be displayed or saved to the output file; note, however, that capture filters are much more efficient than read filters, and it may be more difficult for TShark to keep up with a busy network if a read filter is specified for a live capture.

A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. Capture filters are supported only when doing a live capture; read filters are supported when doing a live capture and when reading a capture file, but require TShark to do more work when filtering, so you might be more likely to lose packets under heavy load if you’re using a read filter. If the filter is specified with command-line arguments after the option arguments, it’s a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).

Tshark is available for download as part of the Wireshark package here:

Windows (32-bit) – wireshark-win32-1.2.10.exe
Source Code – wireshark-1.2.10.tar.bz2

Or read more here.

We haven’t often reported anything relating to ColdFusion, the application server from Adobe, most likely because it’s not a very prevalent hosting platform. It was quite popular earlier in the decade before PHP became so popular, the choices back then were early versions of ASP, JSP and CFM.

We’ve only posted one tool related to ColdFusion too which was – Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications.

Adobe seems to have tried to hide this one away and downgrade the severity of the exploit by classifying it as ‘important’ but not ‘critical’. Stating it could only lead to information disclosure via directory traversal. It seems however publicly released exploit code can utilise this vulnerability to take full control of any server running the unpatched version of ColdFusion.

A recently patched vulnerability in Adobe’s ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.

In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.

But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What’s more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.

“This attack can lead to a full system compromise, so let’s make sure we’re clear,” HP researcher Rafal Los wrote here. “It’s not just that you can poke around the system files of the machine you’ve attacked (which is highly likely a MS Windows server); it’s also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”

From what has been written about the flaw by researchers that have tested it out, it really should have been rated as critical. Plus the fact you can use some old school Google Hacking to find vulnerable servers means this could lead to some widespread mass defacements.

Well perhaps I shouldn’t really say mass defacements as there just aren’t that many servers running ColdFusion, and yes most of which are indeed running on Windows machines and most likely poorly maintained and not particularly secure Windows machines.

The bottom line, if you have any ColdFusion servers in your organization or within your realm of responsibility, get them patched ASAP.

One reason the vulnerability may have been rated critical is that attacks generally work only when ColdFusion administrative components are accessible over the public internet, something that’s not considered a best practice. Los pointed to Google searchers here , here, here and here, which over the weekend generated “a lot of results.”

Around the same time, a hacker who goes by the name Carnal0wnage posted attack code that reliably exploits the vulnerability.

Also over the weekend, hacker and penetration tester Adrian Pastor warned that attackers could exploit the vulnerability to login as a ColdFusion admin without needing to crack the cryptographic hash.

Adobe on Monday issued the following statement:

“The ColdFusion hotfix and security bulletin released on August 10, 2010 address a directory traversal vulnerability (CVE-2010-2861) that could lead to information disclosure (http://www.adobe.com/support/security/bulletins/apsb10-18.html). The vulnerability on its own has been rated as ”important” in accordance with the severity criteria available on the Adobe website at http://www.adobe.com/devnet/security/security_zone/severity_ratings.html. Because it is possible for a vulnerability to be exploited in combination with other factors that may impact the overall severity of an attack, Adobe always recommends users update their product installations in line with security best practices.”

To take complete control however the server admin would have had to ignore the ‘best-practice’ guidelines and allowed public access to administrative components of the ColdFusion server.

If you are interested you can find reliable exploit code here:

Adobe ColdFusion Directory Traversal Vulnerability

Source: The Register

RSMangler will take a word list and perform various manipulations on it similar to those done by John the Ripper with a few extras. It goes along well with our previous post on Password Cracking Wordlists and Tools for Brute Forcing.

There are other options too like Wyd – Automated Password Profiling Tool, which is a little more advanced – or The Associative Word List Generator (AWLG).

The main new feature is permutations mode which takes each word in the list and combines it with the others to produce all possible permutations (not combinations, order matters). For example the words freds, fresh, fish will produce the following list:

freds
fresh
fish
fredsfresh
fredsfish
freshfreds
freshfish
fishfreds
fishfresh
fredsfreshfish
fredsfishfresh
freshfredsfish
freshfishfreds
fishfredsfresh
fishfreshfreds

Each of these new words is then subject to the other mangles, because of this we strongly recommend with permutations mode enabled (default) you use a very small wordlist, 3 start words create a final list containing 4245 words and 5 start words creates a list containing 91975. As a test we tried it with a few hundred words and gave up when the output file got to 3G. If you try to use a file with more than 5 words you will get a warning and the option to abort. Other mangles include adding the numbers 1 to 123 to the start and end, 01 to 09 to the start and end, various case manipulations, leet speak, word reversal, ed and ing on the end and doubling words up.

The initial wordlist can either be specified as a file or can be piped in through STDIN.

Installation

RSMangler is written in Ruby and therefore needs Ruby to be installed and working. The script needs to be made executable and it doesn’t rely on any gems or anything external.

You can download RSMangler here:

rsmangler_1.0.tar.bz2

Or read more here.