Blog

Playing with Python Pickle #3

[This is the third in a series of posts on Pickle. Link to part one and two.] Thanks for stopping by. This is the third posting on the bowels of Python Pickle, and it’s going to get a little more complicated before it gets easier. In the previous two entries I introduced Pickle as an attack vector present in many memcached instances, and documented tricks for executing OS commands across Python versions as well as a mechanism for generically calling class instance methods from within the Pickle VM.

Playing with Python Pickle #2

[This is the second in a series of posts on Pickle. Link to part one.] In the previous post I introduced Python’s Pickle mechanism for serializing and deserializing data and provided a bit of background regarding where we came across serialized data, how the virtual machine works and noted that Python intentionally does not perform security checks when unpickling. In this post, we’ll work through a number of examples that depict exactly why unpickling untrusted data is a dangerous operation. Since we’re going to handcraft Pickle streams, it helps to have an opcode reference handy; here are the opcodes we’ll use:

Playing with Python Pickle #1

In our recent memcached investigations (a blog post is still in the wings) we came across numerous caches storing serialized data. The caches were not homogeneous and so the data was quite varied: Java objects, ActiveRecord objects from RoR, JSON, pre-rendered HTML, .Net serialized objects and serialized Python objects. Serialized objects can be useful to an attacker from a number of standpoints: such objects could expose data where naive developers make use of the objects to hold secrets and rely on the user to proxy the objects to various parts of an application. In addition, altering serialized objects could impact on the deserialization process, leading to compromise of the system on which the deserialization takes place.

Black Hat Abu Dhabi – Full … NOT!

The bad news is that our course at Black Hat Abu Dhabi is completely full. The good news is … they’ve given us a bigger room! So if you’ve been told the course is full, or if you haven’t registered yet, please do it quickly before it fills up again. Problems? Please contact us or mail training[at]sensepost[dot]com.

Analysis of a UDP worm

Introduction: From time to time I like to delve into malware analysis as a pastime and post interesting examples, and recently we received a malware sample that had a low detection rate. Anti-Virus coverage was 15/43 (35.7%) based on a virustotal.com report and Norman sandbox did not detect any suspicious activity as shown in the report below. The Norman sandbox report did not show any registry or network activity. This might be due to the use of virtual CPU or sandbox bypass techniques by the malware. Sunbelt sandbox was down at the time of the analysis.

Sensepost Training in November

Our next scheduled training sessions have been planned for November. If you’re interested in attending, the dates and locations are:

1) HBN Bootcamp Edition
7-9th November, BlackHat Abu Dhabi

‘Hacking By Numbers – Bootcamp Edition’ is our ‘introduction to hacking’ course. It is strongly method-based and emphasizes structure, approach and thinking over tools and tricks. The course is popular with beginners, who gain their first view into the world of hacking, and experts, who appreciate the sound, structured approach.

Gitex 2010 Dubai

At the invitation of the South African Department of Trade and Industry, SensePost will form part of a South African delegation represented at GITEX 2010 from 17-21 October 2010:

Dubai International Convention and Exhibition Centre (DICEC)
Dubai, United Arab Emirates
Hall 5, Stand C6-20B

If you are in Dubai or intend to visit the Gitex event, come over and visit me, Shane Kemp, at the SensePost stand. http://www.sensepost.com/gitex

Hacking By Numbers – South Africa – September ’10

From the team that won the world’s first Soccer Hack Cup, we bring you the latest and the greatest in computer hacking training – SensePost Hacking By Numbers Extended Edition – a local course that combines two of the brand new courses we just finished presenting at Black Hat Las Vegas. The training will be offered in Brooklyn Pretoria from 14 – 17 September 2010. Here’s how it will work:

14 – 15 September: Cadet Edition
16 – 17 September: Bootcamp Edition

Ok ok ok, so Pretoria is not exactly Vegas, but the courses are fresh and updated and packed full of exciting new content, tools and techniques.

Information Security South Africa (ISSA) 2010

Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below, click through to SlideShare for the original PDF.) The talk is an introductory overview of Privacy from a Security perspective and was prompted by discussions between security & privacy people along the line of “Isn’t Privacy just directed Security? Privacy is to private info what PCI is to card info?” It was further prompted by discussion with Joe the Plumber along the lines of “Privacy is dead!”

Memcached talk update

Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days. The attention is quite astounding given the relative lack of technical sexiness to this; explanations for the interest are welcome! We wanted to highlight a few points that didn’t make the slides but were mentioned in the talk:

Bit.ly and GoWalla repaired the flaws extremely quickly, prior to the talk.

PBS didn’t get back to us.

GlobWorld is in beta and isn’t publicly available yet.

For those blaming admins or developers, I think the criticism is overly harsh (certainly I’m not much of a dev as the “go-derper” source will show). The issues we found were in cloud-based systems and an important differentiating factor between deploying apps on local systems as opposed to in the cloud is that developers become responsible for security issues that were never within their job descriptions; network-level security is oftentimes a foreign language to developers who are more familiar with app-level controls. With cloud deployments (such as those found in small startups without dedicated network-security people) the devs have to figure all this out.