Sunday, February 15, 2004

An exploit a day keeps the doctor away

Or something.

Ok, what the heck. I just can't seem to find the time to blog anymore. One would think that I'd have much more free time because, well, I'm not driving to/from Boston all the time to see Rachel. I think I just have to organize my life a bit more and I'll find that I have free time.

Since last I blogged, quite a bit has happened. Let's see here...

Many weeks back I drove up to NH to meet Pete and Rachel. They had gone snowboarding on Saturday, so I drove up to meet them that night. It was quite cold and had been for some time, so conditions that day were really really icy. Fortunately it warmed up quite a bit by the next morning, so things melted slightly and the snow they were making stuck. Still it hurt like a bastard when you fell, and I did plenty of that. We ended up calling it quits in 2-3 hours because it was just too sucky. It was fun, but my knees and elbows hurt bad.

It was about that time I had been toying with BOOTP and DHCP, and I noticed that Linksys boxes don't properly handle BOOTP requests. For whatever reason I wanted to configure my laptop's network using BOOTP instead of DHCP. After all, any DHCP server is really just a jazzed-up BOOTP server, so it should work. Well, I found that I couldn't get a proper lease from either of the Linksys boxes I have access to (a BEFSR41 and BEFW11S4). Some quick tcpdump'ing showed the BOOTP replies coming back, but the data contained in the reply was totally bogus. It seemed like random garbage. I tried a few more times and started seeing human readable text in there. This immediately got my attention, and I started spraying BOOTP requests at the Linksys and looked at the replies. Then I saw bits and pieces of HTTP, AIM and other traffic. And it wasn't my traffic, it was bits of traffic from other machines using the Linksys. OWNED. So, none of the Linksys boxes know how to handle BOOTP requests. Instead of replying with a proper BOOTP response, they fill in the entire data portion of the UDP packet with bits and pieces of memory. This memory is all from traffic that has previously appeared on the interfaces of the Linksys. That's great. Within a day or so I had some initial POC code, which later turned into full-fledged exploit code. Actually, the current linksys bootp/dhcp exploit code is just some simple Libnet/pcap code that forges BOOTP requests and then captures the responses. Last week, after work, I worked with Linksys and Cisco (PSIRT) to get this bug fixed. Linksys' fix was to just ignore BOOTP packets, which isn't the best way, but it works. They'll be releasing an updated firmware sometime soon, but haven't been very helpful regarding an advisory. I'm gonna give them until Tuesday to respond, then I'm just gonna post it everywhere. The exploit code is up and available, so that might help. Feel free to email me with any comments or suggestions.
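A receiver-side check for the symptom described above, as an added example that is neither the exploit code nor anything from Linksys: it validates a BOOTP/DHCP reply field by field against RFC 951 and flags any field carrying something other than legitimate protocol data, which is exactly what a leaky reply looks like on the wire. The transaction id, MAC address and both sample packets are constructed.

```python
import struct

BOOTREPLY = 2
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 vendor-area "magic cookie"

def check_bootp_reply(payload: bytes, xid: int, chaddr: bytes) -> list:
    """Return the anomalies found in one BOOTP/DHCP reply (empty list = clean).

    Per RFC 951 a reply has op=2, echoes our xid and chaddr, carries
    NUL-padded sname/file strings, and a vendor area that is all zeros or
    begins with the DHCP magic cookie. Anything else in those fields is
    data the server had no business putting on the wire.
    """
    problems = []
    if len(payload) < 236:
        return ["truncated: %d bytes, BOOTP header is 236" % len(payload)]
    op, htype, hlen, _hops, rxid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    # bytes 12..27 are ciaddr/yiaddr/siaddr/giaddr; chaddr (16 bytes) starts at 28
    rchaddr, sname, fname, vend = payload[28:44], payload[44:108], payload[108:236], payload[236:]
    if op != BOOTREPLY:
        problems.append("op=%d, expected BOOTREPLY" % op)
    if rxid != xid:
        problems.append("xid 0x%08x does not match request 0x%08x" % (rxid, xid))
    if htype != 1 or hlen != 6:
        problems.append("htype/hlen %d/%d is not Ethernet" % (htype, hlen))
    if rchaddr[:6] != chaddr[:6]:
        problems.append("chaddr is not our hardware address")
    for name, field in (("sname", sname), ("file", fname)):
        text, _, tail = field.partition(b"\x00")   # string, then NUL padding
        if tail.strip(b"\x00") or not all(32 <= b < 127 for b in text):
            problems.append("%s holds non-string bytes: %r" % (name, field[:24]))
    if vend.strip(b"\x00") and not vend.startswith(DHCP_MAGIC):
        problems.append("vendor area is neither empty nor DHCP options: %r" % vend[:24])
    return problems

# Constructed sample replies for the xid/MAC below (not real captures).
XID = 0x3903F326
MAC = bytes.fromhex("001122334455")

def _reply(sname=b"", fname=b"", vend=b"") -> bytes:
    head = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, XID, 0, 0)
    addrs = b"\x00" * 4 + bytes([192, 168, 1, 50]) + bytes([192, 168, 1, 1]) + b"\x00" * 4
    return (head + addrs + MAC.ljust(16, b"\x00")
            + sname.ljust(64, b"\x00") + fname.ljust(128, b"\x00") + vend)

# A proper DHCPOFFER: empty strings, options start with the magic cookie.
GOOD_REPLY = _reply(vend=DHCP_MAGIC + b"\x35\x01\x02\xff")
# The symptom from the post: sname/file filled with someone else's HTTP traffic.
LEAKY_REPLY = _reply(sname=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n",
                     fname=b"Cookie: sid=constructed\r\n" + bytes(range(1, 40)),
                     vend=b"\x00" * 64)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_REPLY), ("leaky", LEAKY_REPLY)):
        print(label, check_bootp_reply(pkt, XID, MAC) or "clean")
```

Fed the payload of every UDP/68 packet seen by a BOOTP client, a non-empty result is a cheap way to spot a server answering with memory contents rather than a lease.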

On February 4th, I gave a presentation on "InfoSec Blunders" at Northeastern's ACM. The room was packed full of people and the talk went ok. It could've been much better if I had slept more, but oh well. I only left myself a few days to prepare for the talk, so I didn't sleep much at all. I ended up going too fast and the talk ended 15-20 minutes early. Anyway, the slides are up if you want to see them.

Two Fridays ago we went and saw Henry Rollins at the Berklee performance center. He is soooo my idol. Quite possibly the most angry man I know, yet he can be so peaceful and can actually hold a great conversation. Did you know he is only like 5'2"? In all his videos, movies and pictures he is made to look tall, but he is really short. Not that height has anything to do with anything, because he'd crush your skull without even breaking a sweat.

Last week some time the word hit the news that the Windows 2000 and Windows NT source code had been leaked. Some rumors and reports said it was Mainsoft, but it really could've happened a number of ways. Any idea how many universities or corporations have access to Microsoft's source code? Tons, and you and I both know how juicy .edu land can be. So anyone that really wanted the source code could've knocked over a bunch of boxen in academia and gotten the source that way. I haven't downloaded the code because not only do I have no real interest in seeing it, but it's also illegal. But, I've seen portions of it posted in various places, and the code is UGLY. It's no wonder there are soo many ways to own a windows box. I give it no more than two weeks and we'll see at least 5 remote exploits for most Windows OSs. Have fun.

Last night was Valentine's, so a bunch of us went out to eat, and then we met up with some other friends at the Purple Shamrock. We saw two guys get their ass beat by the bouncers on the sidewalk while we were waiting to get in. It was a great time.

This week will be a busy one and I'm headin' to Chicago on Friday. Never been there before. Anyway, I'm out.