
contact Wesley McGrew: | email - wesley@mcgrewsecurity.com | gpg key | aim - wesleymcgrew | twitter - mcgrewsecurity |

McGrew Security Blog

Archive for the ‘exploitation’ Category

MS08-067

Friday, October 24th, 2008

I really need to get back into the habit of writing on here, so maybe a few words on the new non-Patch-Tuesday vulnerability is in order.  I just got my MacBook back from warranty service yesterday, and was reading about this on Twitter as I was getting everything set back up.  I’ll give you a few links that I’ve seen in my feed reader, Twitter, and IRC (shouts to #pauldotcom and #securabit on freenode), and a little commentary:

  • It’s been a while since we’ve had a vulnerability that is this clean and perfect for large-scale attacks: remote, pre-authentication, and something you can count on running on most Windows systems.
  • There is active exploitation of this “in the wild”. Whoever developed that exploit probably noticed the problem while looking at the code affected by MS08-040.
  • ThreatExpert calls the above exploit/malware-payload a worm, and while it really doesn’t seem like this particular chunk of code will spread extremely far, it does fit the definition. I expect to see a much leaner exploit+scanning worm developed around this vulnerability. Such a worm could cause some serious problems, although I don’t think that it would be on quite the same level as Slammer. For starters, this one will at least have to go through the trouble of setting up full TCP connections, instead of just flooding links with UDP :).
  • This is a reverse-engineered-to-C analysis of the vulnerable function, from Alexander Sotirov. The function in question is in netapi32.dll, and if I’m reading the milw0rm exploit right, is called from _NetprPathCanonicalize. The vulnerability results in a stack-based overflow, but the core problem is a little more subtle.
  • …and finally, a proof-of-concept exploit on Milw0rm. This one just shows you that taking control of EIP is pretty straightforward. I’d expect that there’ll be a pretty reliable code-execution exploit soon.
Edit:
Mubix just pointed me at this great in-depth look at the vulnerability. Really good reading material.  Print this and read it over lunch :)

Immunity’s NOP Certification and Visual Sploit

Thursday, August 7th, 2008

If you’re lucky enough to be in Vegas these next few days for Defcon 16, you really should drop by Immunity’s booth to pick up another certification to put behind your name (apparently free). The appropriately acronym’d NOP (Network Offense Professional) certification is more than a little tongue-in-cheek; however, it’s basic enough to be a good “put up or shut up” for those who claim to have some skills and understanding of basic exploitation.

Here’s the announcement:

Immunity is proud to announce the launch of our new certification, the
Network Offense Professional (NOP) at Defcon. NOP will allow prospective
employers to know that you have the capabilities needed to understand
the complex issues at the heart of information security.

Specifically, to obtain the certification you will need to write a
buffer overflow from scratch within a certain time period. You will
first find the buffer overflow by reverse engineering a target program,
and then obtain a shell from it or execute a command. This is a hands-on
certification, not a paper test. Immunity Debugger, Immunity CANVAS, and
VisualSploit will be available to you during the certification process
to enable you to write the exploit quickly. The target process will be
running on a Windows 2000 SP4 machine.

Successfully completing the challenge will allow you to use the NOP
signifier after your name and will potentially allow you to obtain
discounts of Immunity products.

Taking the NOP certification is on a first come first serve basis. Come
to the Immunity Defcon booth and try your hand.

Any inquiries can be sent to admin_at_immunityinc.com.

Thanks,
Dave Aitel
VP Media Relations
Immunity, Inc.

It’s also meant as a way to show off just how easy Visual Sploit is to use.  I haven’t personally used it, but today, Dave posted a really great flash video demonstrating its use in developing a simple buffer overflow exploit:

Really easy stuff there.  If you understand the concepts of how buffer overflows work, then that video should show you how easy it is to throw an exploit together.  Very clean procedure:

  • Demonstrates that the return pointer can be overwritten, by passing a large string of A’s and seeing 0x41414141 in EIP
  • Finds the exact offset of the return pointer by passing a string of AAAABBBBCCCC… and seeing what winds up in EIP
  • Since the buffer is sitting at the stack pointer, an exact jump can be made to the shellcode by returning to a “jmp esp” that’s already in memory.
  • Drops a “shellcode” of “int 3” repeated, so the debugger will break and we can see that it worked.

Cool stuff!  Wish I was in Vegas to take the test ;)

Man-in-the-middle Fake DNS for Metasploit

Monday, August 4th, 2008

On Episode 116 of PaulDotCom Security Weekly, Paul mentioned how it would be nice if one could have a little bit finer control over the behavior of Metasploit’s fake DNS server.  It seemed like an easy enough hack, so I’ve thrown this together.  I can see this being useful in some situations, and hopefully you will too.

Metasploit’s fakedns.rb is good at what it does, which is respond to any DNS query with a spoofed response pointing at a specific IP address.  This module, which I’ve decided to name “mitm_fakedns.rb”, is a dirty, filthy hack of fakedns.rb.  It’s not nearly as polished and thought-out as the web_search_scan.rb module I wrote and posted about a couple of days ago, but it is kinda neat anyway.

It’ll listen for DNS, and when it gets a request, it will go ahead and pass it on to a real DNS server that you can specify. Once it gets the response from the real DNS server, it’ll modify that response to point to the IP address you specify if the queried name matches one of a set of regexes you provide. This allows you to be a little more “surgical” with whatever attack you have planned, by only spoofing domain names of interest.

Let’s have a look at the “show info”:

HacBook:framework wesley$ sudo ./msfconsole
Password:

                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|                   

       =[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 68 aux

msf > use auxiliary/server/mitm_fakedns
msf auxiliary(mitm_fakedns) > info

       Name: MITM DNS Service
    Version: 5540

Provided by:
  unknown <ddz>
  hdm <hdm@metasploit.com>
  Wesley McGrew <wesley@mcgrewsecurity.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME                   yes       File of ip,regex for filtering responses
  REALDNS                    yes       Ask this server for answers
  SRVHOST   0.0.0.0          yes       The local host to listen on.
  SRVPORT   53               yes       The local port to listen on.              

Description:
  This hack of the metasploit fakedns.rb serves as a sort of MITM DNS
  server. Requests are passed through to a real DNS server, and the
  responses are modified before being returned to the client, if they
  match regular expressions set in FILENAME.

Once it's loaded, we can set our variables:

msf auxiliary(mitm_fakedns) > cat /Users/wesley/hosts.txt
[*] exec: cat /Users/wesley/hosts.txt

192.168.1.1,google.com
10.0.0.1,example.com
msf auxiliary(mitm_fakedns) > set FILENAME /Users/wesley/hosts.txt
FILENAME => /Users/wesley/hosts.txt
msf auxiliary(mitm_fakedns) > set REALDNS 192.168.1.254
REALDNS => 192.168.1.254
msf auxiliary(mitm_fakedns) > run
[*] Auxiliary module running as background job
msf auxiliary(mitm_fakedns) >

The file you specify should have an IP address and a regular expression, one pair per line.  Once it’s running, you can test it out by pointing “dig” at it:

HacBook:~ wesley$ dig @127.0.0.1 example.com

; <<>> DiG 9.4.1-P1 <<>> @127.0.0.1 example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38312
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		99270	IN	A	10.0.0.1

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug  4 22:59:01 2008
;; MSG SIZE  rcvd: 45
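As an added, defender-side example (not part of the module or this post): a Python check that parses dig output like the run above and flags the kind of selective rewriting the module performs. The sample answers, the “trusted resolver” reference records (RFC 5737 documentation addresses) and the internal-name suffixes are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample input: the ANSWER SECTION from the dig run above
# (example.com rewritten to 10.0.0.1) plus one more constructed record that
# the filter line "192.168.1.1,google.com" would produce.
SUSPECT_DIG_OUTPUT = """\
;; QUESTION SECTION:
;example.com.\t\t\tIN\tA

;; ANSWER SECTION:
example.com.\t\t99270\tIN\tA\t10.0.0.1
google.com.\t\t300\tIN\tA\t192.168.1.1

;; Query time: 39 msec
"""

# What a trusted resolver (queried out-of-band) answered for the same names.
# Constructed placeholders from the RFC 5737 documentation ranges, not real records.
REFERENCE_A_RECORDS = {
    "example.com.": {"203.0.113.10"},
    "google.com.": {"198.51.100.20"},
}

# Ranges a public hostname should never resolve to via a public resolver.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 equivalents
)]

# dig prints answers as: name <tabs> TTL <tab> IN <tab> TYPE <tab> RDATA
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_answer_section(dig_text):
    """Return (name, rtype, address) tuples for A/AAAA records in the ANSWER SECTION."""
    records, in_answers = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answers = True
            continue
        if line.startswith(";;"):          # any other ';;' header ends the section
            in_answers = False
        if not in_answers or not line.strip():
            continue
        m = ANSWER_RE.match(line)
        if m:
            name, _ttl, rtype, addr = m.groups()
            records.append((name, rtype, addr))
    return records


def is_internal_name(name):
    """Assumed site convention: only these suffixes may resolve to private space."""
    return name.endswith((".lan.", ".internal.", ".local."))


def find_suspicious_answers(dig_text, reference=REFERENCE_A_RECORDS):
    """Two independent checks: a public name answered with a non-routable address,
    and an answer that disagrees with the trusted resolver's record set."""
    findings = []
    for name, _rtype, addr in parse_answer_section(dig_text):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in NON_ROUTABLE) and not is_internal_name(name):
            findings.append((name, addr, "public name resolved to non-routable address"))
        expected = reference.get(name)
        if expected is not None and addr not in expected:
            findings.append((name, addr, "answer differs from trusted resolver"))
    return findings
```

Run the checks against the resolver handed out by DHCP on a network you are auditing; either finding on a public name is a reason to compare the resolver's answers against one you control.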

This should serve as a pretty good drop-in replacement for fakedns.rb for some attacks.  Here’s the source:

Upcoming paper on SCADA software vulnerabilities

Monday, August 4th, 2008

I wasn’t going to talk about this on here for a while, since the public disclosure and paper won’t be out for another six months, probably, but my major professor is so excited about it that he just had to put out a press release:

I’m going to clear up a few things on this, but I’m also going to have a bit of fun…

A Mississippi State graduate student working with the university’s Critical Infrastructure Protection Center could be nicknamed “Johnny-on-the spot.” (sic)

I feel like I’m in the Rat-Pack now.  “Hey Frank, I need a big-leaguer who can trace through this stuff in immdbg!”, “Call that kid up at MSU, he’s a real Johnny-on-the-spot.”

Robert W. “Wes” McGrew

This is the part where we abbreviate my middle name, Wesley (which I go by among people I know), put it in quotes as a nickname, and then place it after my middle initial, which is what it stands for anyw… damnit now even I’m confused.

OK, now for some clarifications:

…discovered what is being called “a significant software vulnerability” that could allow hackers the ability to gain entry to computer control systems of numerous industries and potentially threaten national security.

“We know that this software exists in very critical infrastructures in the U.S.,” said Vaughn. “Through his research, Wes demonstrated how it was possible to obtain unauthorized access to the control system in just a few seconds.

The vulnerabilities that I have found (I’m not even disclosing the software’s name yet) are very serious; however, they’re not remote-access-granting by themselves. Once you have any sort of access, remote or local, you can pretty much run all over the access controls and other security/auditing mechanisms. It’s still troubling, as many installations of these systems have hacked-together remote access over RDP or software packages like PCAnywhere. We’ve heard several first-hand accounts of the poor physical security of these systems as well.

There have been a lot of instances in the past of computers on SCADA networks being compromised by worms, botnet herders, and other attackers that didn’t even realize they were on a SCADA system. These are the sort of vulnerabilities that can turn a normal attack that happens to be on a SCADA system into an actual control systems attack.

I promise you’ll get all the juicy details you can eat in the paper.

The National Security Agency was notified immediately of McGrew’s discovery. Shortly thereafter, the Department of Homeland Security broadcast an alert that included information on how to rectify the problem.

Too bad you didn’t have your shortwave radio tuned to the right frequency or you would have caught some zero day.  Seriously though, I do think some important installations have been given some heads-up and mitigation strategies.

That’s really about all (or more than) I want to say about it at this point :)

Edit: Never going to live this down on IRC:

14:05 < jgk> Robert W. "Wes" McGrew of Collinsville recently discovered
             what is being called "a tiramisu" that could allow hackers
             the ability to gain satiety of numerous industries and
             potentially threaten a toilet.

I’m calling it: the new cool-guy word is “Weaponize”

Thursday, July 24th, 2008

…and I couldn’t be happier.  I’m going to start writing “weaponized code” instead of “exploits”.  This will totally make up for having to give up “reverse-engineering” for “deep analysis” for “legal reasons” ;).

However you feel about people publishing exploits for the DNS flaw already, there’s a selection of them out there now, and you might as well have a look at the code if you’re a penetration tester.  Now, I’m going to give out some links to these, so if you happen to be a blackhat that relies only on this site for your exploit needs, I’m going to have to ask you to go ahead and close your browser:

  • I)ruid and H D Moore’s metasploit module (and in the context of the trunk version of metasploit) - This one’s pretty nice.  Like a good metasploit module, it has functionality built in to test a server for vulnerability.  It can’t spoof if there’s already a cached entry for the domain you’re trying to spoof, however it is smart enough to check for this ahead of time and sleep until it can try again.  This one also randomizes the domain names it’s using while it tries to guess the transaction ID.
  • Julien Desfossez’s standalone exploit - Less frills than the metasploit modules, but it gets points for being written in python with the excellent Scapy .  From the code, it looks like the domain names it’s using while guessing the transaction ID are pretty predictable:  a3.victim.com, a4.victim.com, a5.victim.com, etc. etc. etc.

I’ll talk about other exploits when I see them, if I think they’re interesting. I’m honestly surprised it’s taken as long as it has for exploits to come out, as it’s a pretty easy vulnerability to wrap your head around, and pretty straightforward to generate the packets.

This’ll give you something to play with in the lab while the Internet crumbles around you.

Edit:

This about sums up my thoughts:

I guarantee that |)ruid/hdm’s exploit was not the first. Who would you prefer poisons your cache: discreet pros or kiddies with metasploit?

Thanks Dino.

Talking about DNS on the Securabyte 1 Podcast

Tuesday, July 22nd, 2008

The folks who put on the excellent Securabit podcast have decided to put together a quick and dirty episode-between-episodes on the recent DNS vulnerability.  They’ve decided to call these spontaneous episodes “Securabytes”, and this is the first one:

Since Dan Kaminsky doesn’t leap around the apartment to find his headset in order to podcast on a 10 minute notice at 10PM, I was grabbed off IRC to discuss the details of the vulnerability and its impact.  I had a blast recording this episode with Rob, Joel, and Martin McKeay (of the great Network Security podcast and blog).  Being able to bounce it off these guys really helped to convey not only the vulnerability itself, but what it means for admins, end users, and even penetration testers.

I hope you give it a listen, and subscribe to Securabit in your iTunes or RSS!

DNS cat is likely out of the bag

Monday, July 21st, 2008

First, a post went up on Matasano and promptly disappeared, and now Kaminsky has posted on Doxpara:

Patch.  Today.  Now. Yes, stay late.  Yes, forward to OpenDNS if you have to.  (They’re ready for your traffic.)  Thank you to the many of you who already have.

From what I can tell, it’s out of the bag.  I haven’t done any testing to make sure, but what I’ve read makes sense.  If you’re not entirely sure about your DNS, set yourself up on OpenDNS now.

Edit: Ah to heck with it, looks like everyone knows where to find it now anyways.  Here ya go, on Halvar Flake’s blog.

Edit Edit: Actually that’s not quite right, I think, but Matasano was, and I think you can figure it out from there.

Edit Edit Edit: Well, seeing as you can find out from comments on a Slashdot post, and other blogs, here’s the juicy part of the Matasano post:

Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 6.6.6.0!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.

Patch patch patch (then play with it in your test environment).
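An added worked example, not part of the Matasano post or this blog: the bailiwick check that “fix #1” applies (which the in-bailiwick additional record above slips past), and the race arithmetic behind the “less than 10 seconds” figure. It assumes a 16-bit transaction ID, an assumed 2^16-entry source-port pool once patched, and a constructed budget of forged replies per race.

```python
import math

TXID_SPACE = 2 ** 16   # 16-bit DNS transaction ID: the only secret before the patch
PORT_SPACE = 2 ** 16   # assumed size of the randomized source-port pool after the patch


def in_bailiwick(rr_name, zone):
    """Fix #1 from the post: keep an additional RR only if its name lies inside the
    zone the query was about. Case-insensitive, trailing dot ignored."""
    rr, z = rr_name.lower().rstrip("."), zone.lower().rstrip(".")
    return rr == z or rr.endswith("." + z)


def race_success_probability(spoofed_replies, port_randomized):
    """Chance that one race (one fresh AAAAx.VICTIM.COM query) is won by the forger.
    Each forged reply guesses one TXID, and also one source port once randomized."""
    space = TXID_SPACE * (PORT_SPACE if port_randomized else 1)
    return min(1.0, spoofed_replies / space)


def expected_races(spoofed_replies, port_randomized):
    """Mean number of races until the first win (geometric distribution)."""
    return 1.0 / race_success_probability(spoofed_replies, port_randomized)


def races_for_confidence(spoofed_replies, confidence, port_randomized):
    """Races needed so that P(at least one win) >= confidence."""
    p = race_success_probability(spoofed_replies, port_randomized)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def expected_seconds(spoofed_replies, races_per_second, port_randomized):
    """Expected wall-clock time to the first poisoned answer."""
    return expected_races(spoofed_replies, port_randomized) / races_per_second


if __name__ == "__main__":
    # The poisoned additional record from the post is in-bailiwick, so fix #1
    # alone does not drop it; a record for an unrelated zone would be dropped.
    print(in_bailiwick("WWW.VICTIM.COM", "VICTIM.COM"))   # True
    print(in_bailiwick("WWW.BANK.COM", "VICTIM.COM"))     # False
    # Constructed budget: 100 forged replies per race, 100 races per second.
    for randomized in (False, True):
        print("port randomized:", randomized,
              "expected seconds:", round(expected_seconds(100, 100, randomized), 1))
```

With that budget the unpatched case converges in seconds, while source-port randomization pushes the same attack out to days; that is the whole argument for patching rather than relying on bailiwick checks.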

Black Ops: The Talks of Dan Kaminsky

Wednesday, July 16th, 2008

Whenever a new sure-fire blockbuster movie sequel comes out, there’s always the attempt to wring some more cash out of the previous entries.  There’ll be a DVD box set that runs about $10 a disc, with all the previous films in one nice looking collection.  These sell well, both to people new to a series wanting to catch up, as well as long-time fans.

Dan Kaminsky’s talk at this year’s Black Hat USA conference on August 6th where he drops the new DNS 0-day will undoubtedly be the sure-fire blockbuster talk of the conference.  Kaminsky has given excellent talks on various network security topics for years now, so in the spirit of a cash-in box set, I’ve spent a little time today collecting up links to previous talks he’s given.

Most of these are in his recurring theme of “TCP/IP Black Ops”, and I have learned a lot over the years, listening to these talks.  The recent ones were fairly easy to find on Google Video, however some of the older ones required digging around a bit (mostly on the EasyNews mirror).  I’ve embedded or linked video, where available.  Some talks I could only find in mp3 format.  Some of the older Defcon talks may be available in realmedia video format on the defcon site, but I really prefer to stick to non-realmedia formats.

If you need slides to go along with the audio-only talks, it looks like most of them are available on Kaminsky’s bio page.

As I said, I’ve learned a lot from these talks, and highly recommend them to anyone else interested in getting elbows-deep into network security.  Enjoy!

If you’re handy with Gimp and create box art for a Dan Kaminsky box set, leave a comment ;-)

Defcon 9 (2001): Gateway Cryptography: Hacking Impossible Tunnels Through Improbable Networks with OpenSSH

Defcon 10 (2002): Black Ops of TCP/IP

Defcon 11 (2003): Stack Black Ops

Blackhat 2004: Black Ops of DNS

22C3: Black Ops Of TCP/IP 2005.5

Toorcon 2006 - Black Ops Of TCP-IP 2006

Shmoocon 2007 - Weaponizing Noam Chomsky (or Hacking with Pattern Languages)

Defcon 15 - Black Ops 2007: Design Reviewing The Web

Homer Simpson’s AIM Account Hackers Own Up (sort of)

Saturday, July 12th, 2008

Regarding “Homer Simpson and the Kimya Botnet”, a new away message for Chunkylover53 (Homer Simpson’s AOL account, revealed in one of the episodes, and since hijacked) drops some names:

KRYOGENIKS EBK and DEFIANT RoXed HOMER sHouTz To VIRUS Warlock elul21 coll1er and Slacker.

I wouldn’t advise keeping him on your buddy list at this point, as the account is pushing out malware occasionally.

“Attempts” at Exploiting MS08-021

Friday, April 11th, 2008

I was just going to del.icio.us this, write a snippet on it, and let it post on the daily links update, but I don’t think I could quite squeeze what I have to say about this into the size limitation there.  Read this, then come back here:

Regarding this:

Although the exploits that we have seen so far do not yet appear to be functional, they appear to have the right general idea in their exploitation.

Why would you test a non-public exploit that’s not “functional” in the wild? Reasons given:

It is possible that these exploits either have been leaked and are “in-work”, or that they are functional on some platform that we have not tested.

Again, even if I’m not that bright and I’ve managed to get ahold of leaked private stuff, I can’t imagine being dumb enough to start using it before I’ve verified that it works at least on some percentage of the targets. The latter reason seems to me like the only one that makes sense. There’s a very good chance this works on something.

Kudos to Symantec for the information.  I’m not questioning their take on the situation or anything, I just think that people should think about it for a moment and evaluate what the most likely situation is here.