Friday, November 2, 2012
"some considerations on Ettercap source code repository breach"
Another good entry was the BGPlay "movie" during the Egypt protest where Internet was obscured by the Egyptian authorities of that moment:
I still remember that "ugly" movie that I released, but was has been used by a lot of media agencies to show what happens when a country is isolated by the rest of the World from a Internet connectivity point of view.
Other posts have been mentioned in security advisories and so on. I would like just to say thank you to all the people that in that time have followed me and thanks to them I learned still more. This is the 100th post. The last one :-). Thank you very much to all.
Thursday, January 26, 2012
what remains of my blog:
Tuesday, September 6, 2011
DigiNotar CA compromise
Certificate hacker probably paid by Iran, say victimised firms
DigiNotar breach - the story so far
Iran-Backed Hackers Gained Access To Hundreds Of Giant Websites
Comodo Hacker Claims Credit for DigiNotar Attack
DigiNotar Hacker Comes Out
DigiNotar hacker: I have access to four other certificate authorities
Striking Back... Comodo Hacker paste
Fraudulently issued security certificate discovered
Protecting yourself from attacks that leverage fraudulent DigiNotar digital certificates
DigiNotar: Iranians – The Real Target
SSL certificates stolen for CIA, MI6, Mossad, and hundreds more by hackers in attack on DigiNotar
Operation Black Tulip: Fox-IT's report on the DigiNotar breach
DigiNotar investigators uncover woeful security
DigiNotar Attack Analysis
Why Diginotar may turn out more important than Stuxnet
Thursday, August 4, 2011
The code http://www.pudn.com/downloads119/sourcecode/windows/network/detail508294.html.
(appears also in the Secureworks analysis)
What follows it's an abstract of the code:
Monday, July 4, 2011
A couple of months ago I receive an interesting challenge for get the final (I think) step in the job selection path for a big company (not a well known exploit research company but probably if you are reading this post you are using once of their os). The challenge it consist in the writing an exploit for the CVE-2004-0194. Obviously, at the first step I did follow, was a good googling acrivity. With my surprise I didn't get anything. I did found only the original advisory in a lot of version . The original is at the following link http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0051.html that is an old NGSSoftware Insight Security Research Advisory:
This issue was detected in the 5.1 version of Adobe Reader (if you want try you cand find it here: http://www.oldversion.com/download/acrobat51.exe).This issue was related to a bug that it's triggered due a misuses of sprintf for format the OutputDebugString during the XFDF parsing. The origianl XFDF schema use the UTF-8 encoding. For fit well the unicode shell code via Metasploit module I have to choose another encoding like this one:
<?xml version="1.0" encoding="ISO-8859-1"?>
Anyway what follows is the proof of concept that launch calc.exe For this task I have used a SEH Overwriting technique using the code of not safeseh DLLs.
Also it’s possible download the poc from here: http://www.exploit-db.com/exploits/17488/. Anyay what did happens ? Well if I'm still updating this blog is because I haven't get this job although their compliments. Anyway what I did learn? I learn how to write up unicode shell code and that sometimes the encoding techniques are your best friends. What is sound strange is that the cve id is very near to my nightmare: cve-2010-4091.
So, why I decided to post just now this stuff ? I dunno why . Enjoy it!
Greeting to 0xff for open my mind to the bytes encoding landscape (http://whsbehind.blogspot.com)
Wednesday, June 22, 2011
Anoter interesting Google dork is "wsrv:=http://" that shown another Pastebin link with a WSRVs domain lists. The WSRVs are the handlers of results of the search provider activity on impacted systems.
Tuesday, June 7, 2011
One of the more interesting thing is that , at least the variant that I analyzed (md5 39D140511C18EBF7384A36113D48463D) use the method DoSearchReport notified using the well know Google Search gadget. Seems that this malware install as legacy app for grant persistence even after remove the rest of malicious packages from device. This is easily readable from the source code as shown in the following screen shots:
In the screenshot above is shown the begin of DoSearchReport method where is called a custom method named (updateInfo() ). While the following screenshot shown the place in the DoSeachReport method where all data , collected from impacted devices, are dropped via HTTP POST:
Other domains related to the 18.104.22.168 IP address:
Friday, March 18, 2011
Opening it with a disassembler (in this case IDA) is possible know that is a problem within the parser that handle the command line parameters:
This bug impact Adobe Flash Player Installer/Uninstaller 10.2 r152 distributed with the latest version of Adobe Flash Player..
Tuesday, March 15, 2011
RSA has release a blog post where is described that in the recently data-breach is been used this issue:
March 15, 2011:
A researcher has just added a very interesting analysis about this 0day:
bugix blog cve-2010-0609 analysis - by villys777
Adobe Security Advisory APSA11-01
Sunday, March 6, 2011
http://mmspicture.ru/mms112/mms112.jar (md5: 33EA90E2029478D47D33409B5F48E4EB)
The JAR file is already detected from Virustotal. Playing a bit around the URL path is possible retrieve another JAR file:
The MD5 (4CC0EBCE1428EE3649C67A13734F2EDE) of this JAR file is not still known around. Anyway, what follows is just a quick analysis of the contents of this file. Open it with Java Decompiler appears like a canonical small JAR apps for mobiles devices (Midlet class):
The main class is named "b" and is extended from Canvas Java class:
As shown above is possible view some Cyrillic strings:
Is also show a reference to a stream (embedded in the JAR) named "info.dat". The code above use this file for decode the stream that as we'll see is the destination phone number of the data gathered from mobile devices. The "info.dat" contains the following string: 75;4x=1?==8:<95
I write a small Java app that use the code for decoding the stream:
The output revealed is the following:
In according with the countrycode.org web site (http://countrycode.org/russia) the number "+7 497 878542104" is a Russian phone number. Another detail is that the domain mmspicture.ru is attested on one IP (22.214.171.124) where is attested another interesting domain:
Wednesday, February 2, 2011
The time range is between the 29 of January 2011 00:00 and 2 of February 2011 08:00 PM (local time). For more info on bgplay see my previous post http://extraexploit.blogspot.com/2011/01/egypt-telecom-as-isolation-bgplay-show.html.
Friday, January 28, 2011
An interesting snapshot of Egyptian's malware activity. ASN 20928 appears like still active
Egypt's malware activity post internet shutdownhttp://www.unveillance.com/latest-news/egypts-malware-activity-post-internet-shutdown/
Why One Egyptian ISP is Still Online
January 29, 2011 – Update:
I try to make the following video to shown what's happened. BGP Isolation "frame by frame":
January 28, 2011:
Following isolation of the Internet in Egypt, I tried to see if is possible see something with a good tool: BGPlay. As input data I inserted AS8452 (Egypt Telecom) prefix labeled as "all routers". This information I obtained via robtex as follows: http://www.robtex.com/as/as8452.html#bgp. So, the inserted data are the prefix 126.96.36.199/17 and the range date/time in latest 24h:
The result is interesting. For an animation could be better try to insert the value using BGPlay directly. (http://bgplay.routeviews.org/)
The BGP traffic situation at 27/01/2011:
After the BGP withdrawals sequence the situation, now, appear in this mode:
Saturday, January 22, 2011
A discussion on e107 official web site: http://e107.org/comment.php?comment.news.878
February 2, 2011 - Update:
Just another evidence of the sourceforge breach used by a web bot. At least , from the following screenshot, seems that the entrypoint was detected by a web vuln scanner bot. The following figure shown a well known method by web bots to post in some pastebin clone web site the result of their work.
This pastie was released at the end of 2010. The bad thing is that OFF keyword tell to bots admin that php_safe is OFF
January 30, 2011 – Update:
Sourceforge has formally admitted the problems that I have notify in December 2010. My research and my message on full disclosure mailing list about the possible exploiting of a not so new e107 bug that could permit privilege escalation attempts, looks like confirmed. Here the update:
Sourceforge Attack: Full Report January 28, 2011 - Update:
On Hacker news is reported an update about and seem that the sourceforge server has been compromized:
Sourceforge servers compromised
The SourceForge response:
January 22, 2011:
just now I found a post from Imperva http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html. Intrigued by their results, similar to that published in my previous post approximately one month ago (http://extraexploit.blogspot.com/2010/12/some-considerations-on-ettercap-source.html), I decided to do some check. I noticed that the entry point of source forge is still active. This is what seem possible from the error message that appears on this page. As you can see from this screen shot the problem seems reside in a project home page that include a bugged e107 version:
With further investigation is possible find the page where is placed the vulnerable (to a remote command execution issue) version of e107 . This entry point could be used from a remote script for send system command on the server (http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html). The following screen shot is the well common form that expose sourceforge to this vulnerability:
The problem is that this breach, if confirmed, can be exploited to modify source code so as to fail the trust levels of applications mantained by this software repository.
Wednesday, December 29, 2010
Recently it’s been released a new issue of a zine called “owned and exposed” (http://www.exploit-db.com/papers/15823/). I have to admit I laughed a lot when I saw this picture.
I think that the picture above is the truth of what the security field is today. Anyway , ending my personal considerations, I would show you a mind map that I made during a past research on web bot based botnet and that could be useful to understand how is possible find and use entry point in some very important web sites. As starting point I decided to focusing all the big picture on a generic bot source code. Given a bot is possible, Googling enough and with some scripting language knowledge, make the rest.
This mind map is not so obvious as well is not so clear what are the links with the title of this post. I will try to describe what I intend with this process represented by this mindmap . During a research of some months ago, I have try to identify 3 contexts where a researcher (color independent) could be found useful information for raise the level of details. In other words, starting from a bot source code analysis , you are on the first context (1 code analysis). In this context the analysis has generated information like authors (not so useful in this case), code snippet (useful for googling for other bot derived from the analyzed bot for example), crew (again not so useful), and c&c server (VERY USEFUL).
So with code snippet and c&c server is possible try to find many more information. Specifically with a c&c server that command web based bot, sometimes, is possible looking what happens in the c&c channel and coding and running, for example, a fake bot for catching them. The fake bot is linked to the c&c channel (usually an irc server) and start to log everything. The analysis process of what was logged put your mind in the 2nd context (named “intelligence”) . What could be founded is shown in the leafs of 2nd context. From the information gathered from a c&c is possible to known, for example, what are the web sites exposed to a particular Remote File Include. Collecting many of these web site your mind is leaded in the 3rd context.
Usually you have to decide only what do you want to do with the exposed website list obtained from the 2nd context and thanks to someone (bot admin) which launch , for example, bots specialized for scanning for checking if a web site is prone to a specific issue. What is the link with Ettercap (and other cases reported by the zine “owned and exposed” ? If you are the main coder of a project and you decide to put this code in a source repository that expose to the users, exploitable web apps (like for example some old release of e107 csm prone to a remote code execution condition) is possible choose once (or more) of the leafs of the 3rd context. In other words, logging the tons of c&c channels is possible found many other famous web site exposed to this problems.
The following little screenshot make all more clear (I hope). What you see is the result of a fake bot that I coded months ago. In particular, the result of this fake bot is a log file where are logged all message in a c&c channel. The grep command it was launched on this log file. How can see on sourceforge some users accounts offer access to a vulnerable version of the popular CMS e107 (http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html).
One note: I decided to put the owning activities in the “counter measures” leaf beacuse "good and evil" is just a matter of who does things.
For the moment it’s all. Maybe that I will pubblish some more explanation for this process as soon as possible. Feedback and question are welcome.
Counter measures: don’t expose users with bugged web apps!.
Tuesday, December 14, 2010
The screen shot above show a crafted topic that trigger the issue. The impacted tested released is the 188.8.131.52. A few more details related to the .NET exception:
Some important notes: I saw on twitter that someone has retweet this post adding "remote code execution". I never speak about a "remote code execution" condition for this issue.
Anyway IMHO this issue could be insert in the counter measures list for this kind of threats. Act from a client side perspective some times maybe useful.
Tuesday, November 30, 2010
Thursday, November 25, 2010
Trying to reversing the shell code contained within the PDF that seem exploit CVE-2010-4091, in according with the sample reported by MalwareTracker, it’s been founded the following URL:
The URL above at this time is down or not more available. Did really exploited for retrieve malware from womens-puzzle.com ? :) . Many Thanks to binjo for his support and tools. For the PDF check my previous post: http://extraexploit.blogspot.com/2010/11/cve-2010-4091-exploited.html
All this things continues to be weird and funny! (WOMENS-PUZZLE.COM :-) ). IMPORTANT: The PDF reported is not sure that exploit, really, the CVE-2010-4091
Friday, November 19, 2010
November 24, 2010 – Update:
Looking for other exploiting attempts I found a Malwaretracker sample where the PDF seem spread via URL that contains: filepdf.php@v=zday
The following analysis report the objects used within this PDF (that is different from the fulldisclosure PDF):
November 22 , 2010 – update:
Some interesting (and useful) notes about the original full disclosure PDF PoC published on full disclosure mailing list:
Who’s looking for eggs in your PDF?
November 19, 2010:
This is my latest result. Seem that with a crafted PDF as explained by Haifei Li in his paper (see previous posts for reference), the code flow looks like could be hijacked. At least I have this impression from the debugger response as you can see in this screen shot:
feedback and suggestion are welcome. Some notes: this is only an attempt to try to understand better this issue. My mistakes in this stage are very likely.
Thursday, November 11, 2010
November 26, 2010 – update:
This is a very useful presentation (from Immunity Sec) where is possible get some methods for approach the reversing of Java script engine in Adobe Reader context:
Attacking Embedded Languages
November 16, 2010 – update:
In previous post I didn’t report where is the place in the AcroRD32.dll where the memory corruption is triggered (as result of the use after free bug). The following screen shot is the leak screen shot:
At first view, the AcroRd32.dll offset 0094450, seem a zone involved with Acro Heap Manager, so this could confirm some of my doubts for the question like “where to play whit this bug ?”. So, IMHO, this bug is due from the double handling mechanism of the heap. In other words what the OS heap management has previously freed may be that the Adobe Heap Manager try to free again with the result as show. I hope to release a more detailed analysis as soon as possible.
November 11, 2010
In my previous post (http://extraexploit.blogspot.com/2010/11/full-disclosure-xplpdf-adober-reader-94.html) it’s been followed the timeline and what is called exposure time for this bug that seem have a bit strange history. After my initial analysis, only few details has been released about. But after play a bit with this flaw I can confirm once of the latest and most clear comments fromVUPEN via Twitter:
“exploiting the PDF printSeps was complicated. It involves allocating/freeing chained blocks before triggering the flaw”
After this tweet I started to looking for more informations about. So IMHO a good support for “allocating/freeing before trigger” the flaw may be get from” heaplib” as well documented in
Is possible fitting the heaplib.js for Adobe Reader and insert inside a crafted PDF for obtaining the heap handling ? For this goal code be usefull play with what is called Acro Managing Pool. A very interesting reference is from a Fortinet researcher:
The heaplib.js for Internet Explorer is here:
Anyway what I could say from my experience with this flaw is that the PDF posted on full disclosure seem leaks of something and using a debugger may lead you on the wrong way sometimes. Are only ideas which could be wrong as well right. Feedback are welcome.
Thursday, November 4, 2010
November 26,2010 – Update:
Thank you, Mario, but our printSeps() is in another castle !
November 22, 2010 – Update:
Who’s looking for eggs in your PDF? (reported also in cve-2010-4091 exploited ?)
November 16, 2010 – Update:
Security updates available for Adobe Reader and Acrobat – ABSP10-28
November 9, 2010 – Update:
Adobe PSIRT released - CVE-2010-4091
November 8, 2010 – Update 2:
VUPEN confirms the "remote code execution"
November 8, 2010 – Update 1:
Some screenshots of my brief analysis for this bug. The vtable where is referenced the PrintSeps() method:
November 5, 2010 – Update:
emerging threats Snort sign
eEye report as remote code execution
November 4, 2010:
The vulnerable method seem: printSeps():
The original xpl.pdf is retrived via