Friday, February 29, 2008

Free Wireless Security Training

Matt Neely, one of the Northeast Ohio Information Security Forum board members, will be giving free wireless security training on March 12, 2008. Seating is extremely limited and only open to forum members, so please register ASAP.

If you are not a member, don't worry! Membership is free. Go here to register for the forum.

Thursday, February 28, 2008

The Hack without a Hack - Part 2

The XStart file was a configuration file used to log in to and start the trading application (located on another server). The file stored the user ID, password and method of entry into the server, and with it Bill could log in as Louis. A plan started to formulate in his mind.

Bill knew that the traders logged in remotely to the server to run their trading application. All traders went through this server to a third-party service. He didn't know much more than that, other than that this was the application the traders were constantly in, exchanging money on their clients' behalf. Bill began to ponder how much money actually went through that server on a daily basis. It had to be in the millions.

If he could get on that server and set up some type of sniffer, there was a good chance he could start pulling down account numbers and such. From there, who knows what type of money he could get? Bill had long ago decided that if he found a way to make some quick money at the bank he would. He had every indication that he would have no problem getting away with it. Besides, even if it was noticed it would be under Louis' ID, and Louis would be the one to get fired.

With his plan in mind, he downloaded the file to his computer and unmounted the drive. Already having Exceed loaded on his computer, he started the XStart program and loaded the trader's file.

Immediately, the window which popped up in front of him told him the server's address, the trader's user ID and the protocol used to log in. Unsurprisingly, TELNET was used. For a bank, Bill thought, they sure skimped on security where they could.

Bill wanted to log on to the server to see what was on there, but he knew that he couldn't just run the XStart file. If he did, it would launch the trading application and Louis would get kicked off, since the server only allowed one session per login at a time. That would alert Louis that something was wrong and things could go downhill from there. If only he could get the password from the file.

Opening up the XStart file proved unfruitful. It was some kind of binary format and didn't appear to store a clear-text password anywhere in the file. There had to be another way, Bill thought. Within a few minutes of searching Google, he had his answer.

Anyone want to venture a guess as to what Bill found?

Tuesday, February 26, 2008

The Hack without a Hack - Part 1

As a tribute to Security Monkey I am going to start publishing my own "case" files. However, instead of looking through the eyes of an investigator I am going to look through the eyes of an attacker. My goal is to give a different perspective to attacks in order to help understand why some attacks occur as well as how they occur. This first one is called "The Hack without a Hack".

Bill sat at his computer and cursed his job once more. To say he was unhappy was an understatement. Just three months ago he had been the head of the helpdesk of a large transportation corporation. Now, due to "cutbacks", he was the one-man personal help desk for a bunch of whiny traders at a national bank...and making $30,000 less a year. It couldn't get any worse.

His phone rang. He realized it just did.


Twenty minutes later Bill came back to his desk, swearing under his breath. Stupid traders, he thought. Bill hated the traders but this one, Louis, was the worst. Always having idiotic problems with his computer which wouldn't happen if he didn't download so much crap. This time was no exception.

Louis' computer had frozen and after a reboot he only let Bill look at the computer for five minutes before he had to get back "to the market". Kid was probably 10 years younger than him and made triple his salary. Man, how he would love to do something to him.

Bill had figured out the problem after seeing an icon on the desktop that wasn't supposed to be there. Louis had once again downloaded some new application to stream market reports to him. The problem was that it was written poorly and had crashed the machine. Of course, due to the "market being open", Bill was only allowed to get the PC back up and running (a reboot) and then had to leave.

Unbeknownst to Louis, however, Bill had the local administrator password to his machine. It wasn't hard: the company used the same administrator password on every computer. With the password, he could mount Louis' drive remotely to see what else he had installed. Maybe he could even find something he could anonymously send to internal security to get Louis fired. He smiled at the thought as he began looking around.

Within minutes, Bill found something that piqued his interest. In the trader's home directory on the system he found the trader's Hummingbird XStart file for the remote trading server.

So, any thoughts as to what Bill could be planning?

Monday, February 25, 2008

Critical VMWare Vulnerability

Well, it finally happened. A critical vulnerability in VMWare that allows someone to break into the host operating system was announced today. It was only a matter of time.

Virtual machine software, such as VMWare, has two levels:

1) the host operating system which runs the actual virtual machine software (the physical machine)
2) the guest operating system(s) which run within the virtual machine software (the virtual machines)

For the most part, the host and guest operating systems are separate and the guest operating system is not able to access anything on the host OS, unless specifically allowed through services offered on the host OS. Commonly, access to files on the VMWare host OS is given through "Shared Folders" - essentially the same thing that you see when you share a folder within Windows.

Up until now, the majority of attacks against virtual machines have been aimed at detecting them. This is useful for malware because many analysts examine malware within a virtual machine. If the malware detects a VM, it can alter its execution path or stop running altogether. (You have to wonder when malware authors are going to realize that corporations are beginning to use virtualization more, and that they are missing a huge target base by doing this.)

The only publicly-announced success of breaking out of a virtual machine (that I am aware of) is from a presentation given by Tom Liston and Ed Skoudis on some work they performed. While they showed their programs working they did not reveal details on how they were able to break out of the guest OS.

This latest VMWare vulnerability appears to be from Core Security. There aren't many details available at this time. However, it looks like if you are running VMWare with a Windows host OS and you have Shared Folders enabled, then a directory traversal attack is possible which would allow an attacker to read or write arbitrary files on your host OS. Not good.

While these circumstances may seem unlikely, they really aren't. Shared Folders is enabled by default in many versions of VMWare, and while you still need to have at least one shared folder mapped, many VM installations do.

This could allow an attacker to read or write arbitrary files on the host OS (although I am unsure right now whether code execution is possible). With this ability, an attacker could trojan or infect system executables, rewrite the VM configuration file, read the SAM database, etc. Fortunately, the workaround is simply to disable Shared Folders until you patch.
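To make the traversal concrete, here is an added illustration (not VMWare's or Core Security's code) of a simplified shared-folder path resolver: the naive version glues the guest-supplied name onto the exported directory and lets ".." components walk out of it, while the hardened version normalises the request and refuses anything that lands outside the share root. The share root and the guest requests are constructed for the example.

```python
import posixpath

# Constructed example: the host directory exported to the guest as a shared folder
SHARE_ROOT = "/host/shared"


def naive_resolve(share_root: str, guest_path: str) -> str:
    """Vulnerable pattern: trust the guest-supplied name and just glue it to the root.
    A request such as '..\\..\\x' passes straight through, so once the host
    filesystem resolves the '..' components the access lands outside the share."""
    return share_root.rstrip("/") + "/" + guest_path.replace("\\", "/")


def is_confined(share_root: str, guest_path: str) -> bool:
    """True if guest_path, after lexical normalisation, still lies inside share_root."""
    root = posixpath.normpath(share_root)
    # A Windows host accepts both separators, so fold backslashes first, and drop
    # leading separators so that join() cannot be reset to the filesystem root.
    rel = guest_path.replace("\\", "/").lstrip("/")
    full = posixpath.normpath(posixpath.join(root, rel))
    # Compare against root + "/" so a sibling such as /host/shared2 is not accepted
    return full == root or full.startswith(root + "/")


def safe_resolve(share_root: str, guest_path: str) -> str:
    """Hardened pattern: normalise, then refuse any request that escapes the root."""
    if not is_confined(share_root, guest_path):
        raise PermissionError(f"request escapes shared folder: {guest_path!r}")
    root = posixpath.normpath(share_root)
    rel = guest_path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(root, rel))


if __name__ == "__main__":
    # Constructed guest requests: one legitimate, two attempts to leave the share
    for req in ["reports/q1.txt", "..\\..\\private\\notes.txt", "reports/../../etc/x"]:
        naive = posixpath.normpath(naive_resolve(SHARE_ROOT, req))
        try:
            safe = safe_resolve(SHARE_ROOT, req)
        except PermissionError as err:
            safe = f"REJECTED ({err})"
        print(f"{req!r:32} naive -> {naive:24} hardened -> {safe}")
```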

VMWare Advisory
ISC SANS Diary Entry
CVE Entry - CVE-2007-1744
Core Security Advisory including Proof of Concept Exploit

Thursday, February 21, 2008

A preview of things to come...

Things have finally died down and I'm going to start posting soon. There are a couple of things I plan on posting, but if anyone has any suggestions I'm always open.

I plan on posting "case files", similar to SecurityMonkey's case files. However, instead of being from the point of view of the investigator, they will be from the attacker's point of view. Kind of like how Law and Order: Criminal Intent started off.

Anyone who knows me knows I love to do malware analysis and often come across interesting "critters" (as a friend would put it). I have a couple of interesting sites I'm going to document and post about.

Of course, anything else that comes across my mind will probably get thrown up here. Take it for what it's worth.

Friday, February 8, 2008


After many times thinking (and saying) I need to start a blog, I have decided to finally do it. Like most, I am doing this to talk about my thoughts on current security trends, security tools, malware I have analyzed as well as any cool hacks I perform.

Let the games begin!