Monday, April 01, 2013

Vuln assessment for PALADIN forensic tools free version

I went to the China Mac Forensic Conference last week. This was my 1st time I attended a security con about forensic. Some of security guys gave us a few free speech and it's all about forensic. In forenisc field, the only stuff I've know its Lynis which was written by Michael Boelen. They were talking about forensic stuff on Mac/iOS platforms in the morning. That made me a little boring. But what else can I blame about? This conference is called Mac-Forensic*. Fortunately, I found something very interesting at the afternoon. A company named SUMURI providing a forensic solution which based on GNU/Linux. This GNU/Linux distro is called "PALADIN". I got a free Live-DVD and booted it up in scene. Well, I was fuc* exicting because I got tens of shitloads of information about Mac/iOS in that day. Now I had something I'm familiar with: GNU/Linux. I found some potential risks for PALADIN GNU/Linux distro. I've already notified them. Hope they could spend more time on sec stuff.

OK. When PALADIN booted up, you can see the ubuntu-like( Unity?) GUI:



PALADIN provides a lot of open source forensic tools:

In the free version, the only closed-tool is "PALADIN Toolbox" which can be found in the Desktop and the binary file is located in /usr/bin/toolbox. This binary is using many free/open source libraries. The 1st potential issue is violation of free/open source licenses. Then I asked Steve Whalen "are you sure that toolbox has no violation of the free/open source licenses" in the scene. His answer is pretty sure that the toolbox won't be violated any free/open source licenses:

Then, I took a few mins to investigation on the binary. Firstly, the entry address:

And, it doesn't have any anti-debugging features( my examples) in it. If your asset is a closed-source binary. You should do anti-debug. A skilled reverse engineer is able to find the security issue by reversing the binary in very *short* time:

ASLR is turned on. "2" is very good, which means the kernel do the randomize for stack and heap separately. AFAIK, the issue is the ASLR only work with PIE.

Lucky Thirteen Attack is a big issue recently. The current openssl version is affected.

Well, this is it. I've done the investigation when a guy told me it's time to smb break. I'm very happy to see the company like SUMURI brings GNU/Linux into the forensic field.

No comments: