Monday, September 22, 2003

The State Of Security sucks.

I know I would've come to this conclusion eventually anyway, but I think my focus lately has hatched this conclusion a bit prematurely. Oh well.

So, here it is. The State Of Security (SOS) sucks. And no, before you ask, I'm not talking about a "security state" or any particular state in the US of A. I mean "state" as in the first definition in Webster's. There is too much information. Too much information drastically increases the chances of misinformation and missing information, and this is a bad thing.

What am I talking about, you ask? I'm talking about the hundreds and hundreds of sites that are attempting to take on the task of spreading information concerning computer, network and information security. Hundreds and hundreds? Yes. I'm talking about the dozens and dozens of mailing lists attempting to spread information concerning computer, network and information security. Dozens and dozens? Yes. I'm talking about the countless IRC channels, message boards, and remote corners of the web run by someone who thinks their idea is new and revolutionary, when in fact it is anything but.

Where do you get your 24/7/365 stream of data to feed your security addiction? Huh? The Securityfocus lists? Full-disclosure? Vuln-watch? #security? #snort? How about any number of other venues? That's what I thought. You best be careful, because unless you choose your dealer carefully and only after much research, you'll become another (not-so) innocent victim of the FUD-virus, which is typically spread by the bottom feeders of the security arena. These are the people that steal information and ideas from other, more established and respected dealers and reformat/repackage it and put it out as if it were their own. Oftentimes, this information is either incorrect from the beginning, or is merely a snapshot of the information at a single point early on in the discovery and exploration of an issue. What results is more useless crap polluting the sea of information.

Actually, wait. What am I talking about? Misinformation is a good thing. It's misinformation and general stupidity that keeps researchers like myself busy and security companies like yours in business. And hell, I like that.

Anyway, I've been up to quite a bit lately, both in the job search world and the research world. Here is a peek at a bug in Sun Solaris' SMC webserver that is pretty ugly, and is likely only to get worse. As an example of why, try this on for size. Just because your language protects against it, why should you still do blatantly stupid things like the following in your webserver code:

private void serveStreamAsStream(InputStream inputstream, OutputStream outputstream)
        throws IOException {
    byte[] is = new byte[1024];   // fixed 1 KB copy buffer
    boolean bool = false;         // unused
    int i;                        // byte count returned by the last read()
    while ((i = inputstream.read(is)) != -1)
        outputstream.write(is, 0, i);
}

In most other languages, this would be a buffer overflow. But not in Java. Sun merely catches the exception and tries the same thing AGAIN. Must...resist...fist...of...death!

Ok, </rant>

Despite my initial resistance, we went camping this weekend at Pawtuckaway in New Hampshire. It was a great time, and a great way to spend what might have been my last real weekend before I head off into the work force. Highlights include hours and hours of card games, lots of fire, and me making phone calls from 20 feet out in the water. Hey, a guy has gotta get service somehow, right?

And, finally, I wrote two tools. uri-encode and uri-decode are some trivial perl scripts that will encode/decode a string to/from its equivalent hexadecimal form.
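An added example of the same encode/decode job in Python (this is not the uri-encode/uri-decode Perl scripts mentioned above). The unreserved character set follows RFC 3986, and the decoder has a strict mode that rejects a malformed "%XX" sequence instead of silently passing it through; that mismatch between lenient and strict decoders is what usually lets an encoded string slip past a filter and still decode cleanly at the server, so a defender's canonicaliser should be the strict one.

```python
"""Percent-encode and decode strings the way a URI handler sees them.

Added example, not code from the post. Unreserved set per RFC 3986.
"""
from string import ascii_letters, digits

# Characters written as-is; everything else becomes %XX (RFC 3986 "unreserved").
UNRESERVED = frozenset(ascii_letters + digits + "-._~")
HEX_DIGITS = frozenset("0123456789abcdefABCDEF")


def uri_encode(text: str) -> str:
    """Encode `text` as UTF-8 and write every non-unreserved byte as %XX (uppercase hex)."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in UNRESERVED else "%%%02X" % byte)
    return "".join(out)


def uri_decode(encoded: str, strict: bool = True) -> str:
    """Reverse uri_encode.

    strict=True : a '%' not followed by two hex digits raises ValueError.
    strict=False: such a '%' is kept literally (the lenient behaviour of many
                  servers, and a classic source of encoder/decoder mismatch).
    Hex digits may be upper or lower case.
    """
    raw = bytearray()
    i, n = 0, len(encoded)
    while i < n:
        ch = encoded[i]
        if ch != "%":
            raw.extend(ch.encode("utf-8"))
            i += 1
            continue
        hex_pair = encoded[i + 1:i + 3]
        if len(hex_pair) == 2 and all(c in HEX_DIGITS for c in hex_pair):
            raw.append(int(hex_pair, 16))
            i += 3
        elif strict:
            raise ValueError(f"malformed percent-escape at offset {i}: {encoded[i:i + 3]!r}")
        else:
            raw.append(ord("%"))
            i += 1
    # errors="replace" so a stray high byte cannot abort canonicalisation.
    return raw.decode("utf-8", errors="replace")


def is_malformed(encoded: str) -> bool:
    """True when strict decoding rejects the input."""
    try:
        uri_decode(encoded, strict=True)
    except ValueError:
        return True
    return False


def round_trips(text: str) -> bool:
    """True if encoding then decoding returns the original string."""
    return uri_decode(uri_encode(text)) == text


if __name__ == "__main__":
    for sample in ("a b/c?d=é", "~user/file name.txt", "%2e%2e%2f"):
        print(repr(sample), "->", uri_encode(sample), "->", uri_decode(uri_encode(sample)))
    print("100%  malformed:", is_malformed("100%"))
```

The decoder deliberately accepts lowercase hex and decodes "%2e%2e%2f" to "../" so that a rule matching on the decoded form sees the same path the server does; match on the canonical form, never on the raw request string.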

Tuesday, September 16, 2003

Hi ho, hi ho, it's off to crack I go.

Not surprisingly, I've been pretty busy the last week or so.

Damn near all of my time recently has been taken up by my job hunt and just all around hacking. I'm very happy with that, though. The job search is going well. I've had one phone interview, a follow-up interview tomorrow, and another phone interview on Friday.

In preparation for past and upcoming interviews, I've been putting myself through quite the brain-exercise routine. From reading to coding and pentesting, it's been great.

The morning of my first interview, I challenged myself to cracking a box that I have an account on and that is owned by some friends. I didn't know if I'd be able to do it or not, but despite the fact that it was fully updated, I still cracked this Redhat 9 box in an hour or so. How'd I do it? See the details of the hack. Following that hack, I helped the guys lock things down a bit more. Although it was much tighter, I still walked right through the front door again a day or so later. This time it was through some poorly written PHP code. Once inside, I took advantage of the misconfigured LDAP server and stole the entire database. This contains everything from email addresses to passwords (hashed, of course). John the Ripper has been going for 4 days now, but hasn't gotten anything yet. As part of this attack, I updated termite. It's now faster, checks more files/directories, and gives you a handy progress meter:

$  echo admin help host interface login logout replication role service status backup backups local  | termite.pl https://yourhost
GET https://yourhost/admin.pl -> 200 OK
GET https://yourhost/help -> 200 OK
GET https://yourhost/help.pl -> 200 OK
GET https://yourhost/host.pl -> 200 OK
GET https://yourhost/interface.pl -> 200 OK
GET https://yourhost/login.pl -> 200 OK
GET https://yourhost/logout.pl -> 200 OK
GET https://yourhost/replication.pl -> 200 OK
GET https://yourhost/role.pl -> 200 OK
GET https://yourhost/service.pl -> 200 OK
GET https://yourhost/status -> 403 Forbidden
GET https://yourhost/status.pl -> 200 OK
GET https://yourhost/backups -> 200 OK
GET https://yourhost/local -> 200 OK
/ 95%

This morning I was faced with a situation where I wanted to prove that a mysql database that still has the 'test' database available can easily be used as a warez server or as a file upload/download vector on possibly heavily fortified hosts. I tossed together mtp, or the mysql transfer protocol, and now I'm currently storing my favorite mp3s in your database. nanananananah!
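The reason the 'test' database is usable this way is the grant rows that older MySQL installs ship in mysql.db: an empty (anonymous) user from any host with full privileges on `test` and on any database matching `test\_%`. The following is an added audit example, not the mtp tool; it is written from the DBA's side and checks grant rows for databases that anyone who can reach the port may write to. The rows and the column subset are constructed to mirror those defaults and are not a full dump of the mysql.db schema.

```python
"""Audit MySQL mysql.db grant rows for databases any client can write to.

Added example, not the post's mtp tool. SAMPLE_ROWS is constructed to mirror
the anonymous-user rows older mysql_install_db versions created for `test`;
the privilege columns used here are a subset of the real mysql.db table.
"""
import fnmatch
from dataclasses import dataclass

# Privilege columns that let a client put data (or schema) into a database.
WRITE_PRIVS = ("Insert_priv", "Update_priv", "Create_priv", "Drop_priv")


@dataclass(frozen=True)
class DbGrant:
    host: str      # Host column: '%' means any client address
    db: str        # Db column: LIKE-style pattern, backslash escapes '_' and '%'
    user: str      # User column: '' is the anonymous user
    privs: dict    # privilege column name -> "Y" / "N"


def like_to_glob(pattern: str) -> str:
    """Translate a mysql.db Db pattern into an fnmatch glob.

    '%' -> '*', '_' -> '?', '\\x' -> literal x. Glob metacharacters that appear
    literally in a database name are bracket-escaped so fnmatch treats them as text.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append("[" + pattern[i + 1] + "]")
            i += 2
            continue
        if c in "*?[":
            out.append("[" + c + "]")
        else:
            out.append({"%": "*", "_": "?"}.get(c, c))
        i += 1
    return "".join(out)


def grants_open_to_anyone(rows):
    """Rows granting a write privilege to the anonymous user from any host."""
    return [
        r for r in rows
        if r.user == "" and r.host == "%"
        and any(r.privs.get(p) == "Y" for p in WRITE_PRIVS)
    ]


def world_writable_databases(rows, database_names):
    """Names from `database_names` that some open grant row lets anyone write to."""
    globs = [like_to_glob(r.db) for r in grants_open_to_anyone(rows)]
    return sorted(
        name for name in database_names
        if any(fnmatch.fnmatchcase(name, g) for g in globs)
    )


# Constructed sample: two default-style anonymous rows plus one sane application grant.
_ALL = {p: "Y" for p in ("Select_priv",) + WRITE_PRIVS}
SAMPLE_ROWS = [
    DbGrant("%", "test", "", dict(_ALL)),
    DbGrant("%", "test\\_%", "", dict(_ALL)),
    DbGrant("localhost", "app", "appuser",
            {"Select_priv": "Y", "Insert_priv": "Y", "Update_priv": "Y",
             "Create_priv": "N", "Drop_priv": "N"}),
]
SAMPLE_DATABASES = ["mysql", "app", "test", "test_scratch", "testing"]


if __name__ == "__main__":
    for name in world_writable_databases(SAMPLE_ROWS, SAMPLE_DATABASES):
        print("anyone can write to database:", name)
```

On a live server the same rows come from `SELECT Host, Db, User, Insert_priv, Update_priv, Create_priv, Drop_priv FROM mysql.db`; the fix is to drop the `test` database and delete the anonymous rows (which is what mysql_secure_installation does), then `FLUSH PRIVILEGES`, and to keep 3306 off any interface that untrusted hosts can reach.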

My disappointment with Bluesocket continues. I wrote a Snort signature to detect when the Bluesocket tech support folks connect to my bluesocket box using the ssh server on port 2335. I've also further enumerated existing files and directories on the box, and I've even got one of the scripts to now crash and throw a 500 error.

Anyway, I'm off to go riding before it gets dark.

Happy hacking!

Sunday, September 7, 2003

Real-ly owned.

Here's another little exploit I've been sitting on for some time. Version 9 of Real.com's UNIX realplayer, by default, installs its config files group writable. Unfortunately (depending on how you look at it ;)), these files contain, among other things, pointers to directories that realplayer uses to load shared libraries from. So, a malicious user simply modifies the config files to his liking, writes some hostile shared libraries and off he goes with the victim's account. For more details, see the exploit.
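The general pattern is worth a check on any box: a file that decides where a program loads code from, and that someone other than its owner can write, turns a permission slip into code execution as the owner. The following is an added audit example (not the exploit linked above): it walks an install tree, lists files writable by group or others, and marks the ones that name a library search path. The config key names and the sample tree are constructed for the demo; the real realplayer key names are not reproduced here.

```python
"""Flag configuration files that a non-owner can modify.

Added example, not the post's realplayer exploit. LIBRARY_PATH_KEYS and the
tree built by demo() are constructed placeholders, not realplayer's real keys
or layout.
"""
import os
import stat
import tempfile

# Constructed: config keys assumed to influence where shared libraries are loaded from.
LIBRARY_PATH_KEYS = ("LD_LIBRARY_PATH", "PluginDir", "LibraryPath")


def non_owner_writable(path: str) -> bool:
    """True for a regular file whose group or others have write permission."""
    mode = os.lstat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def names_library_path(path: str) -> bool:
    """True if any line of the file starts with one of LIBRARY_PATH_KEYS."""
    try:
        with open(path, "r", errors="replace") as fh:
            return any(line.lstrip().startswith(LIBRARY_PATH_KEYS) for line in fh)
    except OSError:
        return False


def audit(root: str):
    """Return sorted (relative_path, permission_octal, sets_library_path) for every
    non-owner-writable regular file under `root`."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if non_owner_writable(full):
                perms = oct(stat.S_IMODE(os.lstat(full).st_mode))
                findings.append((os.path.relpath(full, root), perms, names_library_path(full)))
    return sorted(findings)


def demo():
    """Build a constructed install tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        cfg_dir = os.path.join(root, "Common")
        os.makedirs(cfg_dir)
        # name -> (content, mode). Only the first two should be reported.
        files = {
            "player.cfg": ("PluginDir=/opt/player/plugins\n", 0o664),   # group-writable, sets a lib path
            "prefs":      ("Volume=50\n", 0o666),                        # world-writable, harmless content
            "locked.cfg": ("LibraryPath=/opt/player/lib\n", 0o644),     # owner-only write: fine
        }
        for fname, (content, mode) in files.items():
            path = os.path.join(cfg_dir, fname)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return audit(root)


if __name__ == "__main__":
    for rel, perms, loads_code in demo():
        flag = "LOADS CODE" if loads_code else "data only"
        print(f"{perms} {rel}: {flag}")
```

Run `audit("/path/to/install")` on the real tree; anything reported with the library-path flag set should be chmod'ed to owner-only write before anything else, and the group/world-writable data files can be cleaned up afterwards.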

In other news, there is no news. I've gotten one denial so far from job land because I don't have any clearance. Bah. Oh well. This next week should prove interesting. Happy hacking, -jon