Wednesday, September 5, 2007

Security only at layer 7 and above?

I recently had a friend who works for an unnamed evil empire disclose to me that he and his colleagues are under the assumption that security is no longer an issue in any layer below 7. I'm going to keep this vague, but I'm interested to hear the various thoughts from others on this matter. I don't think the day of the network attack will ever subside completely, but are the days of Layer 3 attack detection long gone?

Thursday, July 12, 2007

Vulnerability Auction Services

Lately, it seems, vulnerability auctions are capturing a lot of news. As a researcher, I'm not quite sure how I feel about them. There are a lot of items to consider. In the past I've been involved with ZDI, iDefense and others with regards to vulnerabilities being sold. Vendor-based solutions generally handle the responsible disclosure aspect of the issue, including dealing with the vulnerable vendor. In an auction-based scenario, the seller may not have the opportunity to understand who may be purchasing his or her vulnerability. For some researchers, knowing the endpoint of the vulnerability may not be an issue. For others, ethics may play a part. It's really an interesting area... what are the thoughts of the crew out there?

Sunday, June 17, 2007

I would like to point out...

That security through obscurity works well when....... the mother %$#^^^$%## logic board in your powerbook dies!!!


/grumble.. grumble...

Thursday, June 14, 2007

Preparing for Vegas!

The majority of the Bastard Labs Crew is confirmed and will be in Las Vegas this year for Blackhat and Defcon. So if you're going to be in town and want to talk exploitation or anything else random, drop us a line.


See ya there!


ri0t

Thursday, May 17, 2007

You are the weakest Link... goodbye!

It's pretty apparent that no matter how well you patch a system, or how well you think you've patched a system, passwords are the weakest link for the most part. Also, it's interesting how there always seems to be that ONE host that is left sitting in the darkest corners of the epic corporate empire, which is still vulnerable to that 1999 exploit lovin.

What I find truly interesting is the number of "security" professionals I run across who have some of the lamest passwords I've ever seen. While I understand how much of a pain in the arse it can be to remember complex passwords, to simply use the name of your company followed by a number is irresponsible.

There is no real point to this post other than the griping you're reading; it's just something humorous I seem to run across time and time again as I am called in to assess the security posture of different organizations.

*NOTE* I know it's incredibly easy to use rainbowcrack and/or other tools of the trade, but this is made so much easier when accessing the box to pwdump or cachedump is made 10x easier by weak passwords or some 1999 exploit lovin.
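The "company name followed by a number" pattern from the post is easy to catch before it ever lands in a SAM file. Below is an added example, written for this page and not code from the post or from Bastard Labs, of a small password-policy check that flags exactly that pattern (including leet-style spellings of the organisation name) along with a few other classic weak shapes. The organisation name, the password samples and the tiny common-password list are all constructed here for illustration; the function names are my own.

```python
import re

# Constructed stand-in for a real breached-password wordlist.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Leet substitutions folded back to letters, so "@cm3C0rp" compares equal to "acmecorp".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(text):
    """Lowercase and drop separators so 'Acme Corp' and 'acme-corp' compare equal."""
    return re.sub(r"[\s\-_.]", "", text.lower())


def weak_password_reasons(password, org_name, min_length=12):
    """Return the list of policy findings for one password; an empty list means no finding."""
    reasons = []
    pw = password.lower()
    org = normalize(org_name)
    norm_pw = normalize(password)

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")

    # The post's pet peeve: the company name, optionally with a trailing counter/year.
    if re.fullmatch(re.escape(org) + r"\d*[^\w]?", norm_pw):
        reasons.append("organisation name alone or followed only by digits")
    elif org in norm_pw:
        reasons.append("contains organisation name")
    elif org in norm_pw.translate(LEET):
        reasons.append("contains organisation name with leet substitutions")

    # One dictionary word plus a short number is the next most common shape.
    if re.fullmatch(r"[a-z]+\d{1,4}", pw):
        reasons.append("single word followed by digits (typical year/counter suffix)")
    return reasons


def audit(passwords, org_name):
    """Map each offending password to its findings; compliant passwords are omitted."""
    findings = {}
    for candidate in passwords:
        reasons = weak_password_reasons(candidate, org_name)
        if reasons:
            findings[candidate] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample set: two weak, one strong.
    sample = ["AcmeCorp2007", "@cm3-C0rp!", "correct-horse-battery-staple"]
    for pw, why in audit(sample, "Acme Corp").items():
        print(f"{pw!r}: {'; '.join(why)}")
```

Run it as-is to see the two weak samples reported; in practice you would feed it the organisation name plus cracked or audited passwords and treat any finding as a policy failure rather than a curiosity.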

Monday, April 16, 2007

Can I take your syscall for you?

It seems that for a bit of time now, HIPS products have been taking off and being installed in organizations. HIPS is still a relatively young technology, the way technology goes. There are some mature products out on the market, and the features and abilities are ever changing. Lately we here at the BL have been working on HIPS evasion techniques: lots of interesting things to think of, and lots of interesting techniques to try out. Since most HIPS are utilizing hooking techniques, it's fun to see exactly where they hook and what they leave out. Hidden or little-utilized APIs and/or calls can be fun vectors to look at.

We'll be posting more here when we finalize our research. Perhaps a neat evasion tool, hrmm, I'll have to check with the ninja monkeys on that one..

[commonly hooked DLLs]

ntdll.dll
kernel32.dll
core.dll
ADVAPI32.dll
RPCRT4.dll
NETAPI32.dll
msvcrt.dll
PSAPI.dll
SHLWAPI.dll
GDI32.dll
USER32.dll
MSVCR71.dll
WININET.dll
CRYPT32.dll
MSASN1.dll
OLEAUT32.dll
ol32.dll
msi.dll
urlmon.dll
SHELL32.dll
------ and the list goes on!

Friday, April 6, 2007

Smashing SEH

Ok, so recently I have been working on a couple of buffer overflows where EIP is gained through smashing SEH, so here is a quick mini primer on smashing SEH for fun and profit.

So here is the short definition: when a win32 program runs, it places on the stack the address of the SEH handler. The program will jmp to this address if there is ever an exception that causes the program to die, thus the reason it is called the Structured Exception Handler.

So on occasion you will have a program where you can overflow the buffer, thus overwriting data on the stack, but an exception fires during the copy, or something else in the data stream causes an exception, so the program fires the SEH before you get code execution (that's overly simplified, but you get the point). So what is a researcher to do? How about overwriting the address that SEH is pointing to :)

So if we overwrite the buffer we will eventually get to 2 addresses on the stack: the first is the "Pointer to the Next SEH" and the next address after that is the current SEH, so conceptually our buffer looks somewhat like this:

So if we send a buffer and fill the top buffer space with A's, then set the Pointer to the Next SEH to BBBB, set the SEH to CCCC and the second buffer space to DDDD, our buffer will look something like this (again, this is just an example):

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDDDDDDDDDDD

Now remember this is just an example; in the real world the buffers hopefully will be much bigger :)

So when the exception fires, what you will see is EIP set to CCCC, and then 2 addresses down from EBP (stack base pointer) you will see an address that contains this:

BBBBCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Now that's kinda interesting, that's our buffer, but how do we get to it?

Bring on the pop pop ret :). If we can set the SEH to the address of an opcode sequence containing a Pop Pop Ret, then when it fires it should pop 2 addresses off the stack and return into our buffer. Ok, so now we can get into the buffer, but how do we get to shellcode from here? After all, the buffer doesn't just contain our shellcode of DDDDDD, it also contains BBBB and CCCC, so what are we to do? Well, up until this point we haven't used the Pointer To the Next SEH address for anything (the BBBB space), so what we do is set BBBB to \xEB\x06\xFF\xFF. What is \xEB\x06? In assembly it is Jmp Short 6 bytes, so when we pop pop ret into this space the execution flow will hit this jump, skip over our CCCC return address and land directly in our DDDDDDDD shellcode :) YaY!!!!

So now we have code execution by busting the SEH on win32 programs.

Some things to think about….

The buffer space after the return address may be too small for a full payload, which means we may have to use a staged payload that jumps back into our main buffer.

In Windows XP SP2 Microsoft introduced SafeSEH, which limits where the SEH can point to. This can be overcome by pointing back into the binary itself for a pop pop ret, provided the binary hasn't also been compiled with /SafeSEH.
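The SafeSEH caveat above is something a defender can audit directly: a 32-bit module is covered when its load configuration directory carries a non-empty SEHandlerTable (the /SafeSEH handler whitelist) or when its DllCharacteristics sets IMAGE_DLLCHARACTERISTICS_NO_SEH. Below is an added example, written for this page and not code from the post or from Bastard Labs, of a small Python PE32 parser that reports that status. The PE image it runs on is constructed inside the block (a minimal one-section file, not a real binary), and the function names are my own; point check_safeseh at the bytes of a real 32-bit module to audit the loaded images an exploit could borrow a pop pop ret from.

```python
import struct

PE32_MAGIC = 0x10B
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
LOAD_CONFIG_SEH_FIELDS_END = 0x48   # SEHandlerTable (0x40) and SEHandlerCount (0x44) end here


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via (VirtualAddress, SizeOfRawData, PointerToRawData) triples."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    return None


def check_safeseh(data):
    """Classify a PE32 image: True = SafeSEH-covered, False = not covered, None = not applicable."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        return {"safeseh": None, "reason": "not PE32: SafeSEH only applies to 32-bit x86 modules"}
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    # Section table follows the optional header, 40 bytes per entry.
    sections = []
    for i in range(nsections):
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, raw_size, raw_ptr))
    if dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return {"safeseh": True, "reason": "IMAGE_DLLCHARACTERISTICS_NO_SEH set: no handler in this image may run"}
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        return {"safeseh": False, "reason": "no load config data directory"}
    lc_rva, _lc_size = struct.unpack_from("<II", data, opt + 96 + IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG * 8)
    if lc_rva == 0:
        return {"safeseh": False, "reason": "load config directory is empty"}
    off = rva_to_offset(lc_rva, sections)
    if off is None:
        return {"safeseh": False, "reason": "load config RVA is not backed by any section"}
    lc_len = struct.unpack_from("<I", data, off)[0]
    if lc_len < LOAD_CONFIG_SEH_FIELDS_END:
        return {"safeseh": False, "reason": "load config too short to carry SEHandlerTable"}
    table, count = struct.unpack_from("<II", data, off + 0x40)
    if table and count:
        return {"safeseh": True, "reason": f"SEHandlerTable registers {count} handler(s)"}
    return {"safeseh": False, "reason": "SEHandlerTable/SEHandlerCount are zero"}


def build_pe32(safeseh, handler_count=3, dll_characteristics=0):
    """Constructed minimal PE32 image with one section holding a load config; not a real binary."""
    section_va, section_raw = 0x1000, 0x200
    lc = bytearray(LOAD_CONFIG_SEH_FIELDS_END)
    struct.pack_into("<I", lc, 0, LOAD_CONFIG_SEH_FIELDS_END)          # load config Size
    if safeseh:
        struct.pack_into("<II", lc, 0x40, section_va + 0x100, handler_count)
    section = bytes(lc).ljust(section_raw, b"\0")
    opt = bytearray(224)                                               # PE32 optional header, 16 dirs
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG * 8, section_va, len(lc))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, one section
    sec_hdr = (b".rdata".ljust(8, b"\0")
               + struct.pack("<IIII", len(lc), section_va, section_raw, section_raw) + bytes(16))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers.ljust(section_raw, b"\0") + section


if __name__ == "__main__":
    for label, image in (("with /SafeSEH", build_pe32(True)), ("without", build_pe32(False))):
        print(label, check_safeseh(image))
```

The classification mirrors what the SafeSEH loader check does: a handler address is only honoured if it is inside a registered table (or the image opts out of handlers entirely), so any 32-bit module in the process that returns False here is a candidate the post's "point back into the binary" trick can use, and is the one to rebuild with /SafeSEH first.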

Just some things to think about, and maybe get the brain juices flowing.

Thursday, April 5, 2007

Welcome to the Bastard Labs Security Research Blog

Fear the Bastards got a blog :P more to come