Wednesday, September 2, 2009

Another SQL Injection Variant

Here is another variation of conducting successful SQL Injection attack, Truncation-Based SQL Injection, by Varun Sharma of Microsoft ACE team.

http://msdn.microsoft.com/hi-in/security/ee216344%28en-us%29.aspx

It is not a new vulnerability or something that defies existing security best practices against SQL Injection - use SQL Parameters, input validation, least privilege principle, but just highlights another way to break weak code.

Thursday, August 20, 2009

Linux NULL Pointer Dereference CVE-2009-2692

Refer here for a quick read on what a NULL Pointer Dereference vulnerability is.

Over the past week, the latest Linux NULL Pointer Dereference exploit has rendered millions of servers world-wide vulnerable to root compromise. Here's the CVE reference CVE-2009-2692.

Several local exploits have been released so far, the ones I tried and worked like magic are at:
- The shorter one http://www.securityfocus.com/data/vulnerabilities/exploits/36038-4.tgz
- The longer one http://www.securityfocus.com/data/vulnerabilities/exploits/wunderbar_emporium.tgz

Here's how simply I get root on my box using the former exploit

To understand the exploit in detail a good explanation can be found here.

In summary - the exploit does a NULL pointer dereference that lands on page zero that is filled with bytes in your control. The exploit leverages pulseaudio, a setuid binary, to load your code.

Thursday, August 13, 2009

Statefull/Authenticated/Deep Protocol Fuzzing with Sulley

Okay so Sulley works, but creating a basic HTTP fuzzer was nothing so cool. It just scratched the protocol surface. How about statefull or in-state protocol with authentication? How but fuzzing the methods/functions and it's arguments deep within?

Here is a proof-of-concept dig at leveraging Sulley to do just that for FTP. Same would be possible to achieve for various other protocols like SMTP, POP3.

from sulley import *

import socket
import ftplib


s_initialize("ftp-cmds")

if s_block_start("site"):
s_string("status")
s_static("\r\n")
s_block_end()


def ftpcon(target):

ftp = ftplib.FTP('localhost','cloner','cloner')

def do_fuzz():
sess = sessions.session(session_filename="ftptest.log")
target = sessions.target('localhost', 21)
sess.add_target(target)
sess.pre_send=ftpcon
sess.connect(s_get("ftp-cmds"))
sess.fuzz()

if 1:
do_fuzz()

Firing this generates 1076 test cases for fuzzing (ofcourse you could add to the existing Sulley attack library to generate more test cases) one ftp command post authentication.


This code can be extended to fuzz all the ftp commands/methods and its arguments that are available post authentication in a statefull manner.

Let's see what it really took to get this done. It was FTPLIB that made it possible for us to take establish an authenticated session with the target Pure-FTPd server. The default python installation comes with libraries for several other protocols like SMTP, HTTP and POP3 as well.

For encrypted protocols SSL python library is available in case you do not wish to use proto=ssl option from Sulley.

How difficult is it to write something like FTPLIB or the authentication/statefull piece for your target protocol? The short answer is - it depends - on protocol specifications (if at all you have) and your mileage. Good skill set at Python socket programming can boost your mileage considerably!

Let's look at a snippet of FTPLIB and see what does it take.

def connect(self, host='', port=0, timeout=-999):
self.sock = socket.create_connection((self.host, self.port), self.timeout)
self.af = self.sock.family
self.file = self.sock.makefile('rb')
self.welcome = self.getresp()
return self.welcome

No wonder why hackers love Python!

Monday, August 10, 2009

Network Protocol Fuzzing

Arguably fuzzing is one leading technique hackers have leveraged over a decade to discover scores of software security issues.

For a detailed look into techniques, tools, pros & cons a look at Charlie Miller paper is worth a read.

There are two well-known fuzzing frameworks Sulley & Peach - that could be leveraged to create your own fuzzers. I haven't had had a dig at Peach as I haven't yet exhausted Sulley yet or run into major road blocks. The author of Sulley - Pedram has been quite considerate to answer my queries and the tool looks promising so far.

It is fairly straight forward to crank up your first fuzzer if your protocol is as simple as HTTP.

Following code is what I needed to write to get a basic fuzzer ready to torture an HTTP server. The intention was just to have a feel of Sulley. The real goal otherwise is to do some really complex things. But yeah - the things below had to respond to get my confidence & investment.

from sulley import *

s_initialize("HTTP VERBS BASIC")
s_group("verbs", values=["GET", "HEAD"])
if s_block_start("body", group="verbs"):
s_delim(" ")
s_delim("/")
s_string("index.html")
s_delim(" ")
s_string("HTTP")
s_delim("/")
s_string("1")
s_delim(".")
s_string("1")
s_static("\r\n\r\n")
s_block_end()

def do_http_fuzz() :
sess = sessions.session(session_filename="audits/http_session_test.txt")
target = sessions.target("127.0.0.1", 80)
sess.add_target(target)
sess.connect(s_get("HTTP VERBS BASIC"))

sess.fuzz()

print "test completed"

do_http_fuzz()

Firing this script on a latest Apache web server results in 9062 test cases and the wireshark screenshot shows some of the attack patterns that are sent to Apache.



This was simple. But then this is HTTP. How about session oriented or stateful protocols like FTP or even better with encryption SSH? And how about fuzzing deep within a protocol? Fuzzing FTP methods or the protocol methods that are reachable only after a valid secure authenticated session is created? The answer is yes, a framework that can facilitate all this would be a great asset for many security testers.

In my next post we will look at fuzzing a stateful protocol. Precisely we will look at fuzzing deep within a stateful protocol post authentication.

Monday, June 1, 2009

SIP Protocol Fuzz Testing

Fuzzing is a black-box testing technique heavily leveraged to discover flaws in software and protocol implementations. There are several tools that exist today to help a security tester automate or allow crafting fuzz test cases.

I have used open-source tools like WebScarab, some commercial ones and the proprietary ones for several years for testing web applications. In between had chance to fuzz test standalone applications and Internet browser clients as well.

Recently I had an opportunity to fuzz test VoIP applications and servers. This is when I came across this interesting project called PROTOS. It provides test suites for testing several protocol implementations. The ones that I found interesting due to my subject knowledge were SIP, HTTP-REPLY and LDAP. Nevertheless it provides test suite for DNS and several others.

PROTOS Test-Suite: c07-sip
has been accredited for discovering flaws in several open-source and commercial SIP protocol implementations ranging from Cisco, Alcatel, Nortel to IPTel. It contains 4527 tests. I used this test suite to test SIP Express Router (SER) and Asterisk both open-source SIP proxy implementations. I could successfully reproduce the CERT advisory CA-2003-06 for SER’s vulnerable SIP implementation version. The c07-sip test suite crashed SER within the first 10 tests leveraging a format string attack. The screenshots below highlight the status of SER before and after the attack.






Tests conducted on the latest version of SER and Asterisk did not bring up any security issues. Nevertheless great but this test suite should not be considered comprehensive in itself as it only tests a subset of SIP methods, namely INVITE messages. For a comprehensive test some commercial solution like Codenomicon or MuDynamics probably would be a better bet. I haven’t used both of these thus far so I can’t really ascertain their value. Codenomicon had sponsored the PROTOS project with their testing framework so quite likely they would be good as well.

At the end of the day, lack of coverage doesn’t undermine the importance of PROTOS suite in any manner. It is base minimum that a related protocol implementation must pass!