April 24th, 2014

OVAL

OVAL (Open Vulnerability and Assessment Language) is an XML language introduced by MITRE and sponsored by US-CERT and Homeland Security. On the most basic level it provides different schemas to represent the latest vulnerabilities posted on MITRE’s CVE. However, it goes one step further by defining not only the vulnerabilities themselves but also the logical structure of how to test for them. This of course opens up the possibility of designing a security assessment tool that takes advantage of the OVAL language and the continuously updated OVAL repository, which tells you both which new vulnerabilities are out there and how to test for them. You can learn more about the language here, and look at the definitions provided by MITRE here. Although MITRE provides a proof-of-concept OVAL Interpreter at its site, there is a much more usable open source project called Sussen which can get you up to speed with OVAL.
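As an added example of the "how to test for it" half of OVAL (this is not code from the page, from MITRE's interpreter, or from Sussen), here is a constructed minimal OVAL 5 definition whose AND/OR/negate criteria tree is folded over stand-in test results, the way an assessment tool would once it had actually run each referenced test against a host. The definition and test ids and the title are hypothetical; only AND/OR operators and criterion/criteria elements are handled.

```python
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"oval": OVAL_NS}

# Constructed sample in OVAL 5 definitions-schema form. The ids, title and
# comments are hypothetical; criteria/criterion and their operator, negate
# and test_ref attributes follow the schema. A real document also carries a
# generator block and the tests/objects/states the test_refs point at.
SAMPLE_DEFINITIONS = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata><title>Hypothetical example vulnerability</title></metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="affected platform"/>
        <criteria operator="OR">
          <criterion test_ref="oval:example:tst:2" comment="old version installed"/>
          <criterion test_ref="oval:example:tst:3" comment="vulnerable config"/>
        </criteria>
        <criterion test_ref="oval:example:tst:4" negate="true" comment="fix present"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>"""


def evaluate_criteria(node, test_results):
    """Recursively fold one criteria tree into a single boolean.

    test_results maps test_ref ids to True/False and stands in for the
    outcome of running each OVAL test on the host being assessed.
    Only AND and OR are supported here (OVAL also defines ONE and XOR,
    and extend_definition references, which raise ValueError below).
    """
    tag = node.tag.split("}")[-1]  # drop the namespace prefix
    if tag == "criterion":
        value = test_results[node.get("test_ref")]
    elif tag == "criteria":
        op = node.get("operator", "AND")
        if op not in ("AND", "OR"):
            raise ValueError(f"unsupported operator {op}")
        children = [evaluate_criteria(c, test_results) for c in node]
        value = all(children) if op == "AND" else any(children)
    else:
        raise ValueError(f"unsupported element {tag}")
    # negate="true" inverts this node, e.g. "the fix is NOT present"
    if node.get("negate", "false").lower() == "true":
        value = not value
    return value


def evaluate_definitions(xml_text, test_results):
    """Return {definition id: True if the host matches the definition}."""
    root = ET.fromstring(xml_text)
    return {d.get("id"): evaluate_criteria(d.find("oval:criteria", NS), test_results)
            for d in root.findall("oval:definitions/oval:definition", NS)}
```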

eEye research page

eEye just announced a new research page that covers various whitepapers, advisories and some previously unreleased tools.

From Marc Maiffret on the Full-disclosure list:

I am happy to announce the first incarnation of http://research.eEye.com. On this site you can find everything from our previously released advisories to our previously unreleased research tools. A lot of these tools are seeing daylight for the first time outside of eEye so we do expect there to be bugs we have not noticed before. We definitely encourage your feedback. You can provide such feedback directly to research via skunkworks@eeye.com.

A couple of the new tools are:
o eEye Binary Diffing Suite
o Duster — Duster is the Dead/Uninitialized Stack Eraser

And they also have updates to BootRoot, and a related project called PiXiE which is a proof-of-concept network boot virus; for those of you moving to thin clients, you might want to double-check the security of said systems. Looks interesting.

Digital Forensic Research Workshop Challenge

From joat:

For all of you digital forensics types, the Digital Forensic Research Workshop has a File Carving Challenge for you. The object is to extract as many complete files from the 50MB target data set as possible. Deadline for submissions is 17 July.

Looks like fun, =)

fun with skype

Whilst poking about in my inbox for things related to skype, I found this presentation on skype internals given by Philippe Biondi (who wrote the awesome tool Scapy) and Fabrice Desclaux at BlackHat Europe this year. Being a proprietary VOIP tool, I expected skype to have some levels of obfuscation built in so that you can’t easily build a replacement client, but after reading through this presentation I was pretty amazed at everything they found and were able to subvert under the hood. Here are some of the points I found interesting:

o Most of the skype binary is encrypted, and it provides its own unpacker which erases the original import table as it’s loaded.
o Polymorphic code integrity checksums, executed randomly, and obfuscated with random lengths and random operators. They came up with a scheme that runs debuggers on two independent copies of skype and relays the correct checksums back to the original modified binary. Hacktacular. They also tried binary patching and removing the entire loop, which actually increased the speed of skype, :)
o Anti-debuggers that attempt to identify breakpoints and trap the debugger. It also targets specific debuggers by checking for certain loaded drivers.
o General code obfuscation with fake error handlers that directly tweak memory and registers. After identification they were able to bypass most of this by injecting shellcode directly.
o Skype uses an obfuscated rc4 function for network obfuscation, not for privacy. They were able to get around this with more shellcode injection.
o They wrote a scapy wrapper called skypy to reassemble and decode obfuscated TCP streams and “speak skype”.
o They have an interesting analysis of the authentication procedure and general skype communication.
o They also show how to cleanly firewall off skype, which isn’t as simple as you’d think.
o They cover how to secede from the main skype network and put up your own.
o A skype botnet with the heap overflow they mention would be pretty scary, as most people won’t know how to block this type of opaque network traffic.

Some of Biondi’s incidental tools used in the presentation are also very cool:

o Shellforge — This is a tool for creating #include’able shellcode from original C statements
o PytStop — A new (alpha) debugging engine written in python
o Siringe — ptrace based process injector

Makers Faire

Saturday and Sunday are Maker’s Faire in San Mateo. It should be a good time, there are lots of interesting things going on (electronics hacks, Sci-Fi Rock and roll, robotics, RFID implants (do-it-yourself implants, no less), Exploding Fire Trucks and even a technology fashion show), =)

See you there! (I should have some MRL stickers on me if you’re interested, let me know)

banana lock picks

Since you can pick locks with a pen or even an aluminum can, why not a banana? Here’s a link (via hackaday.com) of someone doing just that. As a bonus feature, here is a video on how to make lockpicks cheaply and easily with the blades of a hacksaw.

hippies and hackers

While trolling about the intar-web, I stumbled on this video on the Dutch group Hippies from Hell. This group is known for writing the magazine Hack-Tic, and for founding the Dutch ISP xs4all. The video covers the group as they talk and work on all sorts of things from hardware and computer hacking, a nudist lockpicking contest, the HAL2001 conference and other activities ranging from nefarious to just plain partying. While the group is largely resident on mailing lists only these days, they’ve existed in one shape or form for better than 20 years.

Graphical Passwords

The Graphical Passwords Project is an interesting alternative to the “typed” passwords we are all used to. “The idea of graphical passwords is to let the user click (with a mouse or a stylus) on a few chosen regions in an image that appears on the screen”. So if you click on the right regions, you are in! I have to agree that clicking on Pamela Anderson’s photo for the password is a lot more exciting compared to typing long strings of ascii. However, Graphical Passwords are still vulnerable to shoulder-surfing, bruteforce, and dictionary attacks (well, not exactly dictionary, but we all know that selecting images of nipples for passwords will soon be on the top 10 commonly used graphical passwords). This paper offers a few solutions to this problem like the use of randomly generated images or numbers and the use of image selection techniques not easily registered by malicious code (like dragging icons on the screen). If you would like to mess around with graphical passwords, then there is a .NET Graphical Password Simulation application to experiment and learn about this password scheme.

perl published advisory

Here is the actual advisory from Dyad on the perl format string exploit issue I posted about yesterday. A patch has been proposed, but isn’t official yet. They also mention that there are several other exploitable programs that they know about today. Hopefully anyone using webmin is smart enough to keep it firewalled off in the first place. Someone needs to audit SlashCode for this, =), they don’t look very active.

update: Here is a paper with more details, examples, and a few more vulnerable programs.

perl format strings and webmin

This could get nasty real fast. There is supposedly an advisory coming out for perl itself from dyadsecurity that could have far-reaching effects. While this was recently triggered from just a webmin advisory, if it turns out to be true, it could affect scads of other things written in perl. As alluded to in the Full-Disclosure list posts, this could be a “new” type of format-string exploit for perl. Beware.

Update: Looks like this has been confirmed by others
