Monday, March 18, 2013

WIN at CBC

I win at the demo-run of Immunity Web Hacking class today. Who want to try to be "superuser" ? 



Friday, March 15, 2013

Immunity Releases an Exploit for the Linux Kernel PTRACE vulnerability


Linux PTRACE CVE_2013_0871

Solar Designer calls this one of the more dangerous Linux local exploits since  CVE-2010-3081. (c.f. http://seclists.org/oss-sec/2013/q1/342 )

There's some contention over how easy it is to exploit, and like many race conditions, it's not simple. Our current version works on 64 bit kernels in VM's (which have not been patched). To be perfectly honest, we largely tested this on VMWare VMs, so on other hypervisors YMMV.

2.6.29 changed the creds structure, so currently our released exploit is only 2.6.29 or greater. We do have a 32 bit version and a 2.x version which we'll finish testing and release at some point in the near future. And we'll try to fix the 64 bit version to work on non-VM's. It's going to be a while until this hits normal CANVAS as we need to finish 64-bit Linux MOSDEF in order to integrate it properly.

That said, VM's are in fairly common use at the moment so we thought people would get value out of it as-is.

Enjoy!


Exploit discussed in this blog post is here: https://ceu.immunityinc.com/immpartners/linux_ptrace_setregs.tar

Of course, you'll need a CANVAS Early Updates subscription to download this. You can email sales@immunityinc.com if you don't have one.

Thursday, March 14, 2013

Hacking the web: Exploiting CBC with Padding Oracle

The process of writing the material of a training is very organic. Not in the way where you replace meat with tofu, but rather a process of evolving the material for each new edition.

No matter how experienced a teacher can be on the subject, students learning process are different for everyone and so is their background experience. In short, building training that is effective for a large range of people is as hard as building an exploit that is effective against a large range of machines.

That's why after each edition we try to re-write what we think are the weakest parts to make the training more targeted towards how students learn best.

As a good example, last year the Web Hacking class had a Padding Oracle section. Not only it was very a novel technique, but we where seeing all kind of bad implementations on our consulting gigs that we were exploiting with this. We decide it to rush it into our class, and fit it into a two hours period. Whether most people in the class understood it and was able to exploit it at the end, we felt that they might have not have grasped the whole concept, so this year we decide it to turn it in a whole Web Crypto day.

Importantly, we decided to build an interactive framework for ECB and CBC (if you're not sure the difference, you should attend the class!), so you could understand how to exploit Padding Oracle in a Web 2.0 environment.

It was painful, but the results are looking good:


Kudos to Matias for the great work, and we are hoping to see you there in less than a month at INFILTRATE 2013's Web Hacking class!

Monday, March 11, 2013

Infiltrate Preview - TrueType Font Fuzzing and Vulnerability

TrueType font files are made up of a number of tables; each table begins on a 4 byte boundary that comprises an outline font and must be long aligned and padded with zeroes if necessary. Referring to the “TrueType 1.0 Font File Technical Specification”, provided by Microsoft; the TrueType font file begins at byte 0 with the Offset Table. Offset Table is divided into 5 subtable:


sfnt version : 65536(0x0001 0000) for version 1.0
numTables : Number of tables
searchRange : (Maximum power of 2 ≤ numTables) x 16
entrySelector : Log2(Maximum power of 2 ≤ numTables)
rangeShift : numTables x 16 – searchRange

Beginning at byte 12, after the Offset Table, is the Font Table Directory. Entries in the Table Directory must be sorted in ascending order by ‘tag’ name. Overall, the Font Table Directory Header consists of:

tag : 4 byte identifier
checkSum : checksum of the table
offset : Beginning offset of the font table entry
length : Length of the table

The Structure of True Type Font Directory


The required tables in the Font Table Directory:

cmap : character to glyph mapping
glyf : glyph data
head : font header
hhea : horizontal header
hmtx : horizontal metrics
loca : index to location 
maxp : maximum profile
name : naming table
post : PostScript information
OS/2 : OS/2 and Windows specific metrics

The optional tables in the Font Table Directory:

cvt : Control Value Table
EBDT : Embedded bitmap data
EBLC : Embedded bitmap location data
EBSC : Embedded bitmap Scaling data
fpgm : font program
gasp : grid-fitting and scan conversion procedure
hdmx : horizontal device metrics
kern : kerning
LTSH : Linear threshold table
prep : CVT Program
PCLT :PCL5
VDMX : Vertical Metrics header
vhea : Vertical Metrics

Due to font validation purposes, the dumb fuzzing technique is not recommended for these fields: ‘checkSum’, ‘offset’, ‘length’ and ‘Table’. To reduce the number of irrelevant tests, a checksum validation program is used to determine the checksum of ‘head’ table.

Fix the Checksum value of the “head” Font Table Directory

During the fuzzing process, the table checksum has to re-compute. The checksum calculation implies 4 byte boundaries as shown in Python program below:


<NOTE TO NICO: NO PYTHON PROGRAM IS HERE>

Our font fuzzer is to fuzz the TrueType font file into different sizes which enables the generation of the test cases to determine the size of font in triggering the vulnerability. Each fuzzing process starts with automating the installation of the mutated font in Windows system. It will then display the font; both in open the font file via fontview.exe and displaying the character maps. Lastly, uninstall the font and repeat the process if no vulnerability is found.

The windll.gdi32.AddFontResourceExA function is used to automate the installation of the crafted font into the “C:\Windows\Fonts” folder.

htr = windll.gdi32.AddFontResourceExA(FileFont, FR_PRIVATE, None)

Once the fuzzing environment is ready, a LOGFONT object is created to define the attributes of a font. 

lf=win32gui.LOGFONT()

Assuming no vulnerability has been found at a font with a specified size that has been called; the windll.gdi32.RemoveFontResourceExW function will be called to remove the fonts in “C:\Windows\Fonts” folder.

windll.gdi32.RemoveFontResourceExW(fileFont, FR_PRIVATE, None)

Another size of font in the range that has been set will be called and the same process will repeat until vulnerability is found or the list of font size elements under a loop function has all been called and no vulnerability is found.

Figure below shows the Blue Screen of Death (BSOD) proof of concept via our font fuzzer. [Editor's note: BOOM! :>]

BSOD of Windows 8 Pro 


The details of the fuzzer and findings will be discussed in the talk. Looking forward to see you guys in INFILTRATE 2013.

--- Ling Chuan Lee & Lee Yee Chan from F13 Labs

Monday, March 4, 2013

Infiltrate Preview - Stephen Watt Keynote


A common public misconception is that "real punishment" begins and ends with a prison sentence, that a sentence of probation is little more than a strong warning, and that the period of probation that usually follows incarceration is something like a fast-scrolling trailer at the end of a two hour movie: a formality of a coda that can be easily dismissed.

Similarly, anybody who's grown up watching detective and courtroom dramas on TV can be forgiven for assuming that only a strong cache of incontrovertible evidence can seal a conviction. We're so used to hearing stories of criminals evading the law through technicalities like botched Miranda Rights readings and search warrants that we might expect any prosecutor must have an airtight case to prevent a sharp defense attorney from poking holes in it.

Unfortunately for the real-life defendant, these are often little more than legal myths. Lost in these assumptions is the understanding that a prison sentence of any length is sandwiched between a very costly pre-trial period and term of supervised release. Pre-trial is often characterized by a combination of unemployment and impossibly high legal expenses (going with the "free services" of a public defender is usually folly if not done as a last resort). The post-trial period can be remarkably restrictive, ensuring that a return to a former standard of living is nearly impossible until completion, all the while encouraging recidivism or re-incarceration for petty probation violations.

If all that sounds pretty daunting, imagine that you decide to take the road less traveled and be the rare defendant that does NOT cooperate with federal authorities (who by some tallies have a near-99% conviction rate), and rat out their friends. Confident in the fact that there can't possibly be a shred of hard forensic evidence showing you to be involved in any illegal activity, you remain scared and apprehensive, but reasonably certain of your ability to prevail in the face of any manufactured legal adversity...

... But. You're naive because you're not some career criminal and this is your first scrape with the law. Hell, you've never even had a lawyer before. A crash course in reality ensues. First, you learn about the government's favorite criminal fishing net: conspiracy. You learn that highly circumstantial evidence that merely links yourself to other co-defendants in close personal relationships can be used as "convincing" evidence of criminal involvement. You learn that as a member of a conspiracy, once you have engaged in the slightest possible activity to further that conspiracy, you are immediately and fully legally responsible for all the actions of every single other participant in the conspiracy.

You learn how charges in white collar criminal cases can easily be compounded so that now, as a first time offender, you're looking at a federal sentencing guideline of life in prison. You get a plea offer. It's capped at 5 years. You know you won't die in a cell if you go to trial and lose, but you have no idea what the intermediate compromise between 5 years and life might be. Could a guilty verdict mean 7 years? 10? How long will the trial take? How much money will it cost? If there's international co-defendants, will your trial be delayed until they're extradited?

Is a jury really a jury of your peers? Can they be trusted to decide your fate based on highly technical evidence that is beyond the understanding of the average person? A judge might be more intellectually capable of absorbing the facts, but is it worth risking a bias towards guilt that typically accompanies a lengthy career in jurisprudence? If IRC or instant messenger logs are part of the evidence, is there a possibility that sarcastic or jocular comments in no way related to criminal wrongdoing might poison judge or jury against the defendant? What is the likelihood that dark or sarcastic humor will be used against the criminal defendant to shore up the case? Or exaggeration of the implications or maliciousness of specific technical actions? Spoiler alert: It's very high, especially when the prosecutor assigned to your case is a notoriously dirty fighter with a body count attached to his name.

Fuck it. You're going to get locked up. It might take you a couple of years to get from the day federal law enforcement raided your home with riot gear and automatic weapons to the point where  you pass through a prison metal detector at intake. During that time, you will be fired, and you won't work. You won't be allowed to use a computer to work, and you won't even be allowed to use one to update your resume. But prison should be relaxed right? It's just a camp for white collar criminals.
Maybe. Maybe not. It's not impossible that you could end up 3,000 miles away from home in a concrete bunker with no windows to the outside world, or physical access outdoors. Or to a library. Or any educational services. Oh, and knee deep in child pornographers.

Even so, prison might be the most relaxing bit of your entire journey. At least in prison you know that there's nothing you can do to increase your net worth or help your family solve its generous share of personal problems. You couldn't begin the frustrating search for employment as a convicted felon even if you wanted to. So you kick back, gnaw on BOP-issued corn dogs, and read the Clive Cussler novels on the book cart.

It seems that by probation you should feel like you've made it to to the top of a giant hill, exhausted and relieved to be near exiting The System and going back to being an inconspicuous member of society. Now remember that because you didn't snitch on anybody, you've incurred the wrath of every authority figure involved in this entire process. A line of communication has been established from the investigators and prosecutors through the Bureau of Prisons and  all the way to the probation department. And your life will be made that much more difficult because you refused to compromise your integrity in order to make things "easier" for all parties involved.

Just like any other convicted felon, you'll find out what it's like to be treated like a pariah. If you're a skilled professional, your unsavory background will make you even less appealing to prospective employers. If you have a fine or restitution to pay back, you will start to do so while earning wages that are likely a fraction of your former level of compensation. And then there will be the question of technology. Wanna take videos of your cat to upload to Youtube? That might be difficult, depending on if and what kind of smartphone you're permitted to use. Very likely, you'll have government-selected malware installed on your laptop. It'll bring your system to a crawl, and you'll be forced to pay monthly fees for that privilege. You'll be using Windows only and since the nature of state-sponsored surveillance on probationers is completely opaque, what software you are or are not permitted to run is completely arbitrary. For the course of supervised release, you will struggle not only against a presumptive and unforgiving society, but a law enforcement agency that will not actively facilitate your reintegration into it.

This is my story, and in several ways it is the story of many others.

Perhaps more unique to my circumstances is how for 10 profitless hours of work helping a friend, I ended up indebted to the sum of almost $200 million, locked away from the light of day in federal prison for nearly two years.

I underwent court-advised psychiatric evaluation for suspected sociopathy because I liked quoting Fight Club. And a chunk of my life was flushed away because, in the words of my judge , I was to be made an example due to the high visibility of my case. Had I deliberately fashioned myself as a more sympathetic victim, perhaps my case would have prompted more public outrage. As we saw recently with Aaron Swartz, when the actions of litigators are left unchecked over the course of a career, the most aggressive legal measures will be undertaken lightly and with impunity, and can sometimes have tragic consequences.

There is an unspoken camaraderie that bonds all people who have seen themselves the targets of federal indictment. That realization first struck me when I saw my name listed as the adversary of my own country in the infamous "United States v." heading that graces the top of so many legal documents. Unfortunately, that rivalry neither begins nor ends in a court of law, and the case title itself is a scarlet letter that brands a convict until his dying days. Some have chosen the most final means possible to avoid this distinction. I wear this badge without shame, and stand to share my experience with others.

-- Stephen Watt