Episode90

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

mp3

Tech Segment #1 Paul's Iphone

In our first round of iPhone security review we covered some of the default settings and performed an Nmap scan with options for OS fingerprinting and TCP port scanning. This time we will start with some further Nmap scanning, but for UDP ports instead of TCP ports:

paimei:~/oshean root# nmap -sU -P0 -T4 -p1-65535 10.10.230.100

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-29 09:27 EST
Interesting ports on 10.10.230.100:
Not shown: 65523 closed ports
PORT      STATE         SERVICE
5353/udp  open|filtered zeroconf
5429/udp  open|filtered unknown
13244/udp open|filtered unknown
15509/udp open|filtered unknown
19725/udp open|filtered unknown
34787/udp open|filtered unknown
44617/udp open|filtered unknown
49709/udp open|filtered unknown
50767/udp open|filtered unknown
52068/udp open|filtered unknown
54577/udp open|filtered unknown
59528/udp open|filtered unknown
MAC Address: 00:1E:52:0B:FD:97 (Unknown)

Nmap finished: 1 IP address (1 host up) scanned in 10291.975 seconds

Port 5353 interests me the most, as on OS X systems and Windows systems running iTunes the mDNS service can reveal information about the system, such as patch level. The best way that I know of to reveal mDNS information accurately is to use Nessus. So, no better time than now to run Nessus against our iPhone! When I did, unfortunately it provided no information about mDNS or UDP port 5353. However, it produced a very interesting result with respect to plugin id 11197, which tests for Etherleak. Etherleak, in a nutshell, is when a network driver releases information about the system in the padding bytes of short packets, such as the padded ICMP echo replies shown below (Ethernet frames have a minimum size, so a tiny packet gets padded out by the sender's driver). For example, if I send an ICMP packet with a 1 byte payload to a system, the response should contain a payload padded with zero bytes, as in this capture from another host on the network:

paimei:~ root# tcpdump -X -s0 -i en1 -nn 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:57:01.617955 IP 10.10.230.163 > 10.10.230.1: ICMP echo request, id 8732, seq 0, length 9
        0x0000:  4500 001d 213a 0000 4001 78ed 0a0a e6a3  E...!:..@.x.....
        0x0010:  0a0a e601 0800 d5e3 221c 0000 00         ........"....
13:57:01.619402 IP 10.10.230.1 > 10.10.230.163: ICMP echo reply, id 8732, seq 0, length 9
        0x0000:  4500 001d 213a 0000 ff01 b9ec 0a0a e601  E...!:..........
        0x0010:  0a0a e6a3 0000 dde3 221c 0000 0000 0000  ........".......
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
13:57:02.618358 IP 10.10.230.163 > 10.10.230.1: ICMP echo request, id 8732, seq 1, length 9
        0x0000:  4500 001d 213b 0000 4001 78ec 0a0a e6a3  E...!;..@.x.....
        0x0010:  0a0a e601 0800 d5e2 221c 0001 00         ........"....
13:57:02.619992 IP 10.10.230.1 > 10.10.230.163: ICMP echo reply, id 8732, seq 1, length 9
        0x0000:  4500 001d 213b 0000 ff01 b9eb 0a0a e601  E...!;..........
        0x0010:  0a0a e6a3 0000 dde2 221c 0001 0000 0000  ........".......
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
13:57:03.618460 IP 10.10.230.163 > 10.10.230.1: ICMP echo request, id 8732, seq 2, length 9
        0x0000:  4500 001d 213c 0000 4001 78eb 0a0a e6a3  E...!<..@.x.....
        0x0010:  0a0a e601 0800 d5e1 221c 0002 00         ........"....
13:57:03.619891 IP 10.10.230.1 > 10.10.230.163: ICMP echo reply, id 8732, seq 2, length 9
        0x0000:  4500 001d 213c 0000 ff01 b9ea 0a0a e601  E...!<..........
        0x0010:  0a0a e6a3 0000 dde1 221c 0002 0000 0000  ........".......
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

The iPhone however seems to send a pad, but the last 4 bytes are always different:

paimei:~ root# tcpdump -X -s0 -i en1 -nn 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:56:01.524037 IP 10.10.230.163 > 10.10.230.100: ICMP echo request, id 7708, seq 0, length 9
        0x0000:  4500 001d 210b 0000 4001 78b9 0a0a e6a3  E...!...@.x.....
        0x0010:  0a0a e664 0800 d9e3 1e1c 0000 00         ...d.........
13:56:01.553933 IP 10.10.230.100 > 10.10.230.163: ICMP echo reply, id 7708, seq 0, length 9
        0x0000:  4500 001d cc58 0000 4001 cd6b 0a0a e664  E....X..@..k...d
        0x0010:  0a0a e6a3 0000 e1e3 1e1c 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 8f57 d576       ...........W.v
13:56:02.524257 IP 10.10.230.163 > 10.10.230.100: ICMP echo request, id 7708, seq 1, length 9
        0x0000:  4500 001d 210c 0000 4001 78b8 0a0a e6a3  E...!...@.x.....
        0x0010:  0a0a e664 0800 d9e2 1e1c 0001 00         ...d.........
13:56:02.577921 IP 10.10.230.100 > 10.10.230.163: ICMP echo reply, id 7708, seq 1, length 9
        0x0000:  4500 001d cc59 0000 4001 cd6a 0a0a e664  E....Y..@..j...d
        0x0010:  0a0a e6a3 0000 e1e2 1e1c 0001 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 f1f3 db96       ..............
13:56:03.524402 IP 10.10.230.163 > 10.10.230.100: ICMP echo request, id 7708, seq 2, length 9
        0x0000:  4500 001d 210d 0000 4001 78b7 0a0a e6a3  E...!...@.x.....
        0x0010:  0a0a e664 0800 d9e1 1e1c 0002 00         ...d.........
13:56:03.601994 IP 10.10.230.100 > 10.10.230.163: ICMP echo reply, id 7708, seq 2, length 9
        0x0000:  4500 001d cc5a 0000 4001 cd69 0a0a e664  E....Z..@..i...d
        0x0010:  0a0a e6a3 0000 e1e1 1e1c 0002 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 3219 b96d       ..........2..m

Okay, so then, just when I was excited, I connected to the EDGE network, then back to the wireless network, and now I get this:

14:47:34.713475 IP 10.10.230.100 > 10.10.230.163: ICMP echo reply, id 1114, seq 42, length 9
        0x0000:  4500 001d d0e8 0000 4001 c8db 0a0a e664  E.......@......d
        0x0010:  0a0a e6a3 0000 fb7b 045a 002a 00         .......{.Z.*.
14:47:35.711038 IP 10.10.230.163 > 10.10.230.100: ICMP echo request, id 1114, seq 43, length 9
        0x0000:  4500 001d 8b5a 0000 4001 0e6a 0a0a e6a3  E....Z..@..j....
        0x0010:  0a0a e664 0800 f37a 045a 002b 00         ...d...z.Z.+.
14:47:35.715278 IP 10.10.230.100 > 10.10.230.163: ICMP echo reply, id 1114, seq 43, length 9
        0x0000:  4500 001d d0f9 0000 4001 c8ca 0a0a e664  E.......@......d
        0x0010:  0a0a e6a3 0000 fb7a 045a 002b 00         .......z.Z.+.
14:47:36.712334 IP 10.10.230.163 > 10.10.230.100: ICMP echo request, id 1114, seq 44, length 9
        0x0000:  4500 001d 8b5b 0000 4001 0e69 0a0a e6a3  E....[..@..i....
        0x0010:  0a0a e664 0800 f379 045a 002c 00         ...d...y.Z.,.
14:47:36.714465 IP 10.10.230.100 > 10.10.230.163: ICMP echo reply, id 1114, seq 44, length 9
        0x0000:  4500 001d d108 0000 4001 c8bb 0a0a e664  E.......@......d
        0x0010:  0a0a e6a3 0000 fb79 045a 002c 00         .......y.Z.,.

"This is not the iPhone ICMP payload you are looking for...." So, after all the Nmap scanning, Nessus scanning, and ICMP traffic I sent to my phone, I plugged it into my MacBook and got this:


[Image: Picture 23.png]
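The three captures above differ only in what follows the 29-byte IP packet: zero padding from 10.10.230.1, a varying 4-byte tail from the iPhone, and no padding at all after the EDGE round trip. As an added example (not part of the original show notes), this Python script parses tcpdump -X output, uses the IP total-length field to separate the packet from the link-layer padding, and flags replies whose padding is not all zeros; the sample input is constructed from three reply packets copied from the captures above.

```python
"""Classify Ethernet padding in ICMP echo replies from `tcpdump -X -nn` output."""
import re

# Constructed sample: one echo reply from each capture above
# (zero padding, non-zero padding, and no padding respectively).
SAMPLE = """\
13:57:01.619402 IP 10.10.230.1 > 10.10.230.163: ICMP echo reply, id 8732, seq 0, length 9
        0x0000:  4500 001d 213a 0000 ff01 b9ec 0a0a e601  E...!:..........
        0x0010:  0a0a e6a3 0000 dde3 221c 0000 0000 0000  ........".......
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
13:56:01.553933 IP 10.10.230.100 > 10.10.230.163: ICMP echo reply, id 7708, seq 0, length 9
        0x0000:  4500 001d cc58 0000 4001 cd6b 0a0a e664  E....X..@..k...d
        0x0010:  0a0a e6a3 0000 e1e3 1e1c 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 8f57 d576       ...........W.v
14:47:34.713475 IP 10.10.230.100 > 10.10.230.163: ICMP echo reply, id 1114, seq 42, length 9
        0x0000:  4500 001d d0e8 0000 4001 c8db 0a0a e664  E.......@......d
        0x0010:  0a0a e6a3 0000 fb7b 045a 002a 00         .......{.Z.*.
"""

HEADER_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+) > (\S+):")
HEX_RE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+(.*)$")


def parse_tcpdump_x(text):
    """Return [(src, dst, packet_bytes), ...] from tcpdump -X output.

    Hex groups are separated by single spaces; the ASCII column follows
    the first run of two spaces, so everything after it is discarded.
    """
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = [m.group(1), m.group(2), bytearray()]
            packets.append(current)
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            hex_field = m.group(1).split("  ", 1)[0]
            current[2] += bytes.fromhex(hex_field.replace(" ", ""))
    return [(src, dst, bytes(data)) for src, dst, data in packets]


def classify_padding(pkt):
    """Return (padding_bytes, verdict) for one captured IPv4 packet.

    Bytes captured beyond the IP total-length field were appended by the
    sender's driver to reach the Ethernet minimum frame size.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_len = int.from_bytes(pkt[2:4], "big")
    padding = pkt[total_len:]
    if not padding:
        return padding, "no padding captured"
    if any(padding):
        return padding, "non-zero padding: possible Etherleak"
    return padding, "zero padding (clean)"


def etherleak_report(text):
    """List (src, padding_hex, verdict) for every ICMP echo reply in the dump."""
    report = []
    for src, _dst, pkt in parse_tcpdump_x(text):
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != 1 or pkt[ihl] != 0:  # ICMP is protocol 1; echo reply is type 0
            continue
        padding, verdict = classify_padding(pkt)
        report.append((src, padding.hex(), verdict))
    return report


if __name__ == "__main__":
    for src, pad, verdict in etherleak_report(SAMPLE):
        print(f"{src:15} pad={pad or '-'} -> {verdict}")
```

Feed it a live dump with `tcpdump -X -s0 -nn icmp > dump.txt` and call `etherleak_report(open("dump.txt").read())`; a host that keeps tripping the non-zero verdict with changing bytes is leaking driver memory the way the iPhone capture above does.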

Mini-tech segment #2 - Apple Quicktime RTSP Vulnerability

Submitted by byte-bucket

Apple QuickTime RTSP Content-Type header stack buffer overflow [byte_bucket] - "By convincing a user to connect to a specially crafted RTSP stream, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. An attacker can use various types of web page content, including a QuickTime Media Link file, to cause a user to load an RTSP stream". David Maynor (Erratasec) has provided an analysis that includes information on how/why ASLR on both Vista and OS X (Leopard) did not protect against this flaw. Maynor also provides follow-up information on refinements made to the initial POC here and here.

Apple Quicktime RTSP Vulnerability (reported by Krystian Kloskowski), Facts and Resources:

1) Exploits for this vulnerability are known to work against Quicktime 7.3 running on Windows XP, Windows Vista, and OS X (Tiger and Leopard). All major browsers can be used as an attack vector, including Firefox, Internet Explorer (6.x and 7.x), and Opera. iTunes (which uses Quicktime) is also affected.

2) The ASLR in Vista and OS X Leopard are ineffective in stopping exploits on both platforms.

3) Apple could do a far better job with the security of Quicktime; there have been TONS of exploits released for Quicktime. Some examples include this one from 2002, MOAB #1 (which was another problem with the rtsp URL handler), and many others.

4) RTSP can be sent over any port (defaults are 554/TCP and 6970-6999/udp). Blocking these ports does not offer full protection (See http://www.kb.cert.org/vuls/id/659761).

5) Traditional recommendations that state "do not click links from untrusted sources" just plain don't work. Drive-By downloads, i.e. the propagation of malware via banner ads on popular sites, is too common.

6) There is no patch for this vulnerability. David Maynor shows us how you can use a hex editor and modify the Quicktime binaries and DLLs to utilize the Vista ASLR, but this only works for Vista, and is well, hairy :)

7) Little Snitch on Mac OS X can be used to raise an alert whenever Quicktime attempts to initiate an outbound connection. If the user has initiated the connection and trusts the website/server, then they can choose to allow once or permanently (which adds that server to the safe list). However, in the situation where a malicious website contains a quicktime object which tries to get Quicktime to connect to the attacker's server, Little Snitch will warn the user, and the user can deny the connection. As a temporary solution, those who are paranoid and do not use quicktime for streaming of any kind can instruct Little Snitch to deny Quicktime from making any outbound connections. Securethoughts post

8) Exploit Available. With Internet Explorer versions 6 and 7, and the Safari 3 beta, the attack appeared to be prevented; however, the exploit listed here proved that wrong, as Quicktime was not linked with ASLR protection in Windows. With Firefox, the QuickTime RTSP response is unmoderated. As a result, the exploit works against pretty much anything and everything.

Stories Of Interest

IDA Pro 5.2 released [byte_bucket] - new features include native iPhone binary support [PaulDotCom] - It's interesting how the most popular tool for reverse engineering and finding vulnerabilities has just added iPhone support. Goes to show you what an impact the iPhone is having on the security community and vice versa.... [Larry] Reverse Engineering is bad. "Design Recovery" or "Detailed Analysis" is good.

APC Management vuln - [Larry] Only tested with one specific Rackmount PDU. Either way, a lame (for the vendor) hack. Login on PC #1. Try to login on PC #2, and get "someone logged in" error. Log off with PC #1. Refresh browser on PC #2, and resubmit form data - You're in.

EEPC - A Security Look - [PaulDotCom] - EEPC is kinda a neat little toy, like a mini laptop. However, the default Linux install allows attackers to access RPC and NetBIOS ports (111, 139, and 445). Yikes! Given that Samba has just recently had a buffer overflow (okay, Japanese versions only), this is bad. POLP People! POLP! [Larry] - Some circuit hackers have even managed to add an internal USB bluetooth module!

Schneier's Laptop security - [Larry] - Really good, simple advice - use whole disk encryption, preferably from boot. We've said this time and time again, for the quote of the week: "As long as you don't write your own algorithm, secure encryption is easy."

Google Hacking For Penetration Testers Volume 2 Released - [PaulDotCom] - Get the sample chapter too! I read through the sample chapter and really liked the google query: "password | passcode | “your password is”". It will not display passwords, but give insight as to how users can reset their passwords, which is almost better. Oh, you need the usernames, and/or how to retrieve them? Try "username | userid | employee.ID | “your username is”". Google Hacking for Penetration Testers, Volume 2 [byte_bucket] - Johnny Long is back with a newly revised version of his bestseller. Topics include basic and advanced search techniques, basic and advanced hacking techniques, multi-engine attack query morphing, and zero-packet target foot printing and recon techniques. [Larry] - I <3 Johnny Long.

The inventor of the internet gets Pwned - [Larry] The attackers could have done something cooler, but still... They added hidden fields on the site for "An Inconvenient Truth" pointing to ads on other sites for Viagra, Cialis and so on. Due to the high page ranking of the movie website, the ads get higher billing as well.

SubRosaSoft FileDefense Released - [SJ/securethoughts] - FileDefense is a new Mac OS X local security application which alerts the user whenever a program attempts to access a file on the disk. If the user trusts the app, he can add it to the safe list and allow it to access any file on the system. If an unknown program suddenly tries to access files, the user will be warned and can kill the process. If the user downloads an app from the internet, he can allow file access one-by-one to make sure it doesn't attempt to access any sensitive files. Whereas Little Snitch restricts access to network resources, FileDefense restricts access to filesystem resources.

An analysis of the SANS top 20 - [Larry] - Before I forget, the SANS Top 20 list is here. Client side attacks and web applications top the list. I'm in agreement with those assessments! The article also states that VOIP, Mobile and IPv6 didn't make a big showing. I'd be inclined to say that we'll see an insurgence in some of those attacks in the future.

Anonymous data not so Anonymous? - [Larry] - Some researchers have taken the Netflix data released for their contest, and been able to compare the Netflix reviews against IMDb reviews for unusual films, and were able to determine much about individuals using educated guessing on their viewing habits - including religious beliefs, political views, and sexual preferences. Hmm, how anonymous is your data?

Other Stories Of Interest

Funny Comic - [PaulDotCom] - "Who's a good virus? You are! Yes you are!"

What Paul Wants For Christmas

Listener Submitted Stories

Apple Mail Vulnerability [mmiller] - old (and supposedly patched) flaw in Apple Mail has resurfaced in Leopard. [SJ/securethoughts] - This vuln allows an attacker to send you a terminal script disguised as a media file (e.g. JPEG), and when you click on it, the terminal opens and runs the script. Solution: use the "Save" button to save to disk before opening (Leopard will warn that Terminal is trying to be opened). Or use the Quick Look button to try and view the image, and you will see that no image appears.

Mobile phone spyware [byte_bucket] - Mikko Hyppönen (F-secure) demonstrates mobile spyware at USENIX (video)

Google Plans Service to Store Users' Data Online [byte_bucket] - will people be as careless with their data as they are with their Google calendars?

Hackvertor [byte_bucket] - tool for de-obfuscating JavaScript (among other things)

Firefox Memory corruption vulnerabilities [byte_bucket] - new version available

Caffe Latte (from Toorcon) [byte_bucket] - Interesting attack on isolated wireless clients outside the RF vicinity of the authorized network

TOR exit-node doing MITM attacks [byte_bucket] - Tor, it's not just for anonymity any more

Oracle 11g password cracker [byte_bucket] - takes advantage of a weakness in Oracle's password storage strategy

Verizon Any Apps, Any Device’ Option [mmiller] - "Verizon Wireless To Open Network" Will this clear the way for Android and unlocked phones in the United States? Will this open the door for cloning CDMA/3G cell phones?

Off-the-Record Messaging: Useful Security and Privacy for IM [byte_bucket] - Ian Goldberg (Zero-Knowledge Systems/Radialpoint) gives a presentation on OTR to the University of Waterloo computer science club (video)

What to do when your computer randomly plays classical music [byte_bucket] - see what Microsoft has to say about your computer randomly playing "Fur Elise" or "It's a Small, Small World"

SnoopSpy2 [byte_bucket] - a "packet capturing network security tool" in the same vein as Cain and Able

Lotus Notes buffer overflow [byte_bucket] - remote/locally exploitable vulnerability in the Lotus WorkSheet file processor

PayPal’s Vulnerability Disclosure Policy includes researcher protection [byte_bucket] - this is good stuff ... “To encourage responsible disclosure, we commit that – if we conclude that a disclosure respects and meets all the guidelines outlined below - we will not bring a private action or refer a matter for public inquiry.

2600 Autumn issue [byte_bucket] - get/renew your subscription now with special holiday pricing

Anti-rootkit Windows Tools [byte_bucket] - Raul Siles (Radajo) has compiled a list of free Windows anti-rootkit/rootkit detection utilities

Chaosreader [byte_bucket] - from the website ... "A open source tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs. A html index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 or VNC sessions; and reports such as image reports and HTTP GET/POST content reports. Chaosreader can also run in standalone mode - where it invokes tcpdump or snoop (if they are available) to create the log files and then processes them."

Cisco vpnclient password decoder [byte_bucket] - excellent for decrypting encrypted group passwords

A brief analysis of 40,000 leaked MySpace passwords [byte_bucket] - analysis by Sebastian Porst (PeLib)

Book Review: The Web Application Hacker’s Handbook [byte_bucket] - reviewed by Robert McGrew (McGrew Security)

Hacker Uses Sony PlayStation 3 to Crack Passwords [] - from the article ... "By implementing common ciphers and hash functions using vector computing, Breese has pushed the current upper limit of 10--15 million cycles per second -- in Intel-based architecture -- up to 1.4 billion cycles per second."

How to Harvest Passwords [byte_bucket] - Security guru Bruce Schneier tells us how.

Treacherous malware: the story of Advatrix [byte_bucket] - BHO woes ... from the article ... "While there are many lessons to learn from this malware, I would like to stress out one really important thing: when a machine gets infected, your only option is to reinstall it from scratch. With today’s malware phoning home and installing stealth, updated modules, this is really a no brainer."

Beer Review: Hacker-Pschorr Weisse [byte_bucket] - couldn't resist a review about a beer named "Hacker"

Google expunges malware sites from search results (in response to the largest "SEO poisoning" seen to date) [byte_bucket] - this attack resulted in tens of thousands of Web pages hosting exploits showing up on the first page of Google searches for thousands of common terms

Verizon Picks LTE for 4G Wireless Broadband [byte_bucket] - from the article ... "LTE allows download rates of 100 Mbps and upload speeds of 50 Mbps for every 20 MHz of spectrum. It can handle 200 connections per 5 MHz. However, it is said to be spectrally more efficient and can better handle IP connections." ... Verizon's press release

Do Not Call List—R.I.P. [byte_bucket] - Dan Ingevaldson (Internet Security Systems / X-Force) blogs about a hybrid SPIT (Spam over Internet Telephony) and Phishing scam

Conferences / Presentations

Presentations from POC 2007 [byte_bucket] - conference held November 15 - 16 in Seoul, Korea

Presentations from SecTor 2007 [byte_bucket] - conference held November 20 - 21 in Toronto, ON, Canada

Presentations from DeepSec 2007 [byte_bucket] - conference held November 20 – 23 in Vienna, Austria {need a link for the presentations}

Presentations from H2HC 2007 [byte_bucket] - conference held November 2007 in Brazil