Difference between revisions of "Episode119"

From Security Weekly Wiki
Jump to navigationJump to search
Line 43: Line 43:
  
 
Kevin is always looking for feedback, tool suggestions and feature requests, so feel free to download, USE it, and offer kevin some feedback.  His contact info can be found at the project site samurai.intelguardians.com
 
Kevin is always looking for feedback, tool suggestions and feature requests, so feel free to download, USE it, and offer kevin some feedback.  His contact info can be found at the project site samurai.intelguardians.com
 +
 +
= Tech Segment: Software Update Security with derek Callaway =
 +
 +
- Intro -
 +
 +
Derek Callaway is a security consultant with Security Objectives Corporation. His company is currently developing a dynamic binary analysis debugger. More information and demos are available at security-objectives.com.
 +
 +
Typical advice for keeping a system secure includes keeping your software up-to-date; however, updating software
 +
actually has the potential to make your system less secure. Derek has published a number of advisories
 +
through his company (Security Objectives) pertaining to software update vulnerabilities of various vendors
 +
including Lenovo, PartyGaming, and Cygwin.
 +
 +
evilgrade is a tool for exploiting software update vulnerabilities that was first presented (but not released)
 +
at EkoParty 2007, an Argentinian security conference. evilgrade was released  by Francisco Amato of InfoByte
 +
Security Research in late July, 2008. This event seems to have officially brought software update security to the
 +
attention of the vulnerability research community. evilgrade is particularly useful with when used in conjuction
 +
with KARMetaSploit and/or Dan Kaminsky's DNS Cache Poisoning attack although other Man-in-the-Middle techniques
 +
such as ARP redirection are sufficient. There is talk of integrating evilgrade into the Metasploit project.
 +
ISR-evilgrade is currently at version 1.0. Currently it has exploit modules for: Java, WinZip, Winzmp, MacOS, OpenOffice, iTunes, LinkedIn Toolbar, DAP (Download Accelerator), Notepad++, and Speedbit. Look for a new version of evilgrade with more exploit modules in the not too distant future.
 +
 +
 +
- History -
 +
 +
Before updates were delivered over the network, they were usually delivered on tape by private courier. At one of the HOPE conference's social engineering panels, Kevin Mitnick spoke about an analog man-in-the-middle attack where he dressed up as a UPS delivery guy and delivered a trojanned tape himself. In 1983, Digital Equipment Corporation (DEC) created the first remote delivery of software updates at their Colorado Springs facility for their OpenVMS operating system. Once the Internet became ubiquitous software starting allowing the user to update their software over the Internet.
 +
 +
 +
- Attacks -
 +
 +
Different types of software updating:
 +
 +
Automatic (software automatically downloaded and installed)
 +
Semi-Automatic (software notifies user update is available, but must take action to intsall)
 +
Manual (user must take action to determine if an update is available)
 +
 +
Clearly, the fully automatic type is impacted the most when it comes to updater vulnerabilities. Most updaters use HTTP(S) so it's just a matter of creating a web server that looks like the real update server but pushes out trojans with the updates. Some updaters will download the patch from within the program, others will open up a browser window with a URL to the vendor's site which usually isn't HTTP(S).
 +
 +
Just because SSL is in use, doesn't mean the updater is secure. The update client must properly verify the server's certificate. An example of improper certificate verification in a software Updater is the Lenovo advisory Derek published (CVE-2008-3249.)
 +
 +
Creating digital signatures for packages does not always prevent attacks either, especially if the integrity of the update server itself is not validated. An old package's hash is valid because it was signed with the real vendor's key. A rogue update server could cause a downgrade to an old vulnerable version and then exploit it.
 +
 +
These attacks can also affect entire operating systems. Take for example Linux distributions that have mirrored servers for their package systems. On August 14, the Fedora project leader told users to not update their software as a precaution because of a mysterious Fedora Project server outage.
 +
 +
 +
- Prevention -
 +
 +
Cryptographically verify the update server with PKI (Public Key Infrastructure.)
 +
 +
 +
- References -
 +
 +
Security Objectives Advisories
 +
http://www.security-objectives.com/advisories.html
 +
 +
Updating the Updater: System of Systems (Security Objectives' Blog)
 +
http://systemofsystems.wordpress.com/2008/05/25/updating-the-updater/
 +
 +
ISR-evilgrade, InfoByte Security Research
 +
http://www.infobyte.com.ar/developments.html
 +
 +
Karmetasploit
 +
http://www.metasploit.com/dev/trac/wiki/Karmetasploit
 +
 +
Thinkvantage SystemUpdate Missing SSL Certificate Chain Verification
 +
http://secunia.com/advisories/30379
 +
 +
Mystery Fedora Disruption Prompts Security Fears
 +
http://www.theregister.co.uk/2008/08/19/fedora_outage/
 +
  
 
= Stories For Discussion =
 
= Stories For Discussion =

Revision as of 19:46, 21 August 2008


Sponsors

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 119 for August 21st, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas!
    • Larry and I will each lead a team, names to be announced
    • Attendance and participation is FREE, come join one of our teams!
    • 4 Networks, 1) Attackers 2) Defenders 3) Public/Internetish 4) Spectator Room
    • Looking for food/drink sponsor
    • Featuring wireless, voip, and SCADA!
  • Help support pauldotcom with your donations. Visit http://pauldotcom.com and press the DONATE button.Note: Thanks to listener Ken for the donation!
  • NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers! Don't forget our live podcast!
  • Check out the new beer listing.

Mini-tech Segment - SamuraiWTF

Kevin Johnson has done an awesome service to the community here. SamuraiWTF, as we've talked about briefly is a live CD full of Web app testing tools. Right now it is development "alpha', so there are still a few issues that are being resolved. They've even gone far enough to configure Wine to include some of the windows tools.

Note on logging in: (which will be better documented) The user to login as is "samurai" with the password of "samurai"

Some of the tools that we've talked about on the show in the past are included on the CD - HTTPrint, Nikto, Paros Proxy, the Burp Suite, Maltego CE and Gooscan.

I was real happy to see Grendel included as well, which was released right about DEFCON time. Grendel is pretty easy to use, and even provides a local proxy for additional manual testing, a la burp and Paros.

DirBuster (from OWASP) will brute force directories on a webserver to see if they exist. It likes a file to pre-populate (aka a "rainbow table"), but I wasn't able to locate a list on the CD in a few seconds, so I elected to do a brute force. It found some stuff right off on the site I tested (with permission), however with the default thread count, it would take 62254470 Days to complete! As you can see from the screen shots, I have at least one directory to follow up on.

I was hoping for some good bookmarks in the browser. I was happy to find the local install of BeEF, Ajax Shell, PHP Shell, and the local wiki - great for documenting your findings!

Of course, they also included w3af- the Web application Attack and Audit Framework, including the nice gui. w3af is similar in concept to Nessus, in that you define a host, and pick tests to run against it. It also adds the features of Metasploit, in that it can exploit its findings and deploy connection methods.

I must say the guys have done a fantastic job at the "first pass" development release to include some awesome, helpful tools all in one place. You can be sure that I'll be keeping this one around!

Kevin is always looking for feedback, tool suggestions and feature requests, so feel free to download, USE it, and offer kevin some feedback. His contact info can be found at the project site samurai.intelguardians.com

Tech Segment: Software Update Security with derek Callaway

- Intro -

Derek Callaway is a security consultant with Security Objectives Corporation. His company is currently developing a dynamic binary analysis debugger. More information and demos are available at security-objectives.com.

Typical advice for keeping a system secure includes keeping your software up-to-date; however, updating software actually has the potential to make your system less secure. Derek has published a number of advisories through his company (Security Objectives) pertaining to software update vulnerabilities of various vendors including Lenovo, PartyGaming, and Cygwin.

evilgrade is a tool for exploiting software update vulnerabilities that was first presented (but not released) at EkoParty 2007, an Argentinian security conference. evilgrade was released by Francisco Amato of InfoByte Security Research in late July, 2008. This event seems to have officially brought software update security to the attention of the vulnerability research community. evilgrade is particularly useful with when used in conjuction with KARMetaSploit and/or Dan Kaminsky's DNS Cache Poisoning attack although other Man-in-the-Middle techniques such as ARP redirection are sufficient. There is talk of integrating evilgrade into the Metasploit project. ISR-evilgrade is currently at version 1.0. Currently it has exploit modules for: Java, WinZip, Winzmp, MacOS, OpenOffice, iTunes, LinkedIn Toolbar, DAP (Download Accelerator), Notepad++, and Speedbit. Look for a new version of evilgrade with more exploit modules in the not too distant future.


- History -

Before updates were delivered over the network, they were usually delivered on tape by private courier. At one of the HOPE conference's social engineering panels, Kevin Mitnick spoke about an analog man-in-the-middle attack where he dressed up as a UPS delivery guy and delivered a trojanned tape himself. In 1983, Digital Equipment Corporation (DEC) created the first remote delivery of software updates at their Colorado Springs facility for their OpenVMS operating system. Once the Internet became ubiquitous software starting allowing the user to update their software over the Internet.


- Attacks -

Different types of software updating:

Automatic (software automatically downloaded and installed) Semi-Automatic (software notifies user update is available, but must take action to intsall) Manual (user must take action to determine if an update is available)

Clearly, the fully automatic type is impacted the most when it comes to updater vulnerabilities. Most updaters use HTTP(S) so it's just a matter of creating a web server that looks like the real update server but pushes out trojans with the updates. Some updaters will download the patch from within the program, others will open up a browser window with a URL to the vendor's site which usually isn't HTTP(S).

Just because SSL is in use, doesn't mean the updater is secure. The update client must properly verify the server's certificate. An example of improper certificate verification in a software Updater is the Lenovo advisory Derek published (CVE-2008-3249.)

Creating digital signatures for packages does not always prevent attacks either, especially if the integrity of the update server itself is not validated. An old package's hash is valid because it was signed with the real vendor's key. A rogue update server could cause a downgrade to an old vulnerable version and then exploit it.

These attacks can also affect entire operating systems. Take for example Linux distributions that have mirrored servers for their package systems. On August 14, the Fedora project leader told users to not update their software as a precaution because of a mysterious Fedora Project server outage.


- Prevention -

Cryptographically verify the update server with PKI (Public Key Infrastructure.)


- References -

Security Objectives Advisories http://www.security-objectives.com/advisories.html

Updating the Updater: System of Systems (Security Objectives' Blog) http://systemofsystems.wordpress.com/2008/05/25/updating-the-updater/

ISR-evilgrade, InfoByte Security Research http://www.infobyte.com.ar/developments.html

Karmetasploit http://www.metasploit.com/dev/trac/wiki/Karmetasploit

Thinkvantage SystemUpdate Missing SSL Certificate Chain Verification http://secunia.com/advisories/30379

Mystery Fedora Disruption Prompts Security Fears http://www.theregister.co.uk/2008/08/19/fedora_outage/


Stories For Discussion

FEMA phones hacked for toll calls - [Larry] - Yep, hackers broke in to the phone system and were able to place $12k in calls to Europe and Asia. The security consultant claims that the hack is "old school". Certainly, but we all know when there is money to be saved or made, the attack is certainly one attackers look for. Now, the method in which the hack was conducted? Even more old school - they attacker apparently utilized the default administrative password. FEMA blames the contractor that set up the system for leaving this open. Time for someone to start examining that contract... And yes, FEMA is a division of DHS, the same folks who are ultimately responsible for the TSA fun cavity searches at US airports. It gets better - allegedly DHS put out a notice for this type of system vulnerability in 2003...

Combatting Stego - [Larry] - I thought that this was an interesting approach - just add your own stego over top on systems where you can automate.

Search engines uncover potential Olympics "fraud" - [Larry] - Note, not a political commentary on China, the Olympics or the IOC. Stryde Hax (and apparently the AP as well) used Google.cn and Baidu so search for information about the age of China's star, gold winning gymnast He Kexin. From Excel documents found from "official" Chinese sources (Like the state run Chinese Gymnastics Association) list her birth-date as 1994, in contrary to her passport, which lists 1992. After access, the documents disappeared, but remained in search cache, then not in Google's but still in Baidu's. An important pont to be careful about what gets put on the internet - expand here!

Cisco Shell codes - [Larry] - Neat. Yay or full disclosure. Some patches for IOS to enable backdoor VTY/TTY sessions with a priv of 15 with no password.

DEFCON r ful ov hackrz - [Larry] - Wow, I love it when lawyers get it wrong.

Helpful tools for malware removal - [Larry] I know we all get calls form family to fix computers, usually for malware. Here's a great tool to gather all of the applicable tools in a jiffy. We of course know that the only way to totally remove the problem is a format and install Linux. :-)