Wednesday, December 29, 2010

Some considerations on the Ettercap source code repository breach

A new issue of a zine called “owned and exposed” was recently released (http://www.exploit-db.com/papers/15823/). I have to admit I laughed a lot when I saw this picture.

ownedandexposed

I think that the picture above is the truth of what the security field is today. Anyway, ending my personal considerations, I would like to show you a mind map that I made during past research on web-bot-based botnets, which could be useful for understanding how it is possible to find and use entry points in some very important web sites. As a starting point I decided to focus the whole big picture on a generic bot source code. Given a bot, it is possible, with enough Googling and some scripting language knowledge, to do the rest.

mindmap

This mind map is not so obvious, and it is not so clear what its links are with the title of this post. I will try to describe what I mean by the process represented by this mind map. During research some months ago, I tried to identify 3 contexts where a researcher (color independent) could find useful information to raise the level of detail. In other words, starting from a bot source code analysis, you are in the first context (1 code analysis). In this context the analysis generates information like authors (not so useful in this case), code snippets (useful for googling for other bots derived from the analyzed bot, for example), crew (again not so useful), and C&C server (VERY USEFUL).

So with code snippets and a C&C server it is possible to try to find much more information. Specifically, with a C&C server that commands web-based bots, it is sometimes possible to look at what happens in the C&C channel by coding and running, for example, a fake bot to catch them. The fake bot is linked to the C&C channel (usually an IRC server) and starts to log everything. Analyzing what was logged puts your mind in the 2nd context (named “intelligence”). What can be found is shown in the leaves of the 2nd context. From the information gathered from a C&C it is possible to know, for example, which web sites are exposed to a particular Remote File Include. Collecting many of these web sites leads your mind into the 3rd context.

Usually you only have to decide what you want to do with the exposed website list obtained from the 2nd context, thanks to someone (the bot admin) who launches, for example, bots specialized in scanning to check whether a web site is prone to a specific issue. What is the link with Ettercap (and the other cases reported by the zine “owned and exposed”)? If you are the main coder of a project and you decide to put its code in a source repository that exposes exploitable web apps to its users (for example, some old releases of the e107 CMS prone to a remote code execution condition), it is possible to choose one (or more) of the leaves of the 3rd context. In other words, by logging tons of C&C channels it is possible to find many other famous web sites exposed to these problems.

The following little screenshot should make everything clearer (I hope). What you see is the result of a fake bot that I coded months ago. In particular, the output of this fake bot is a log file where all the messages in a C&C channel are logged. The grep command was run on this log file. As you can see, on SourceForge some user accounts offer access to a vulnerable version of the popular CMS e107 (http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html).

sourceforge
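A defender-side version of the grep described above, as an added example that is not part of the original post or the author's fake bot: given a passively collected C&C channel log, it reports only the hosts under domains you are responsible for, so their owners can be notified. The log line format, the nicknames, the `.example` hosts and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. Assumed format: "<ISO timestamp> <nick> message".
# All hosts are reserved .example names, not real sites.
SAMPLE_LOG = """\
2010-12-20T10:01:12 <scanbot1> [found] http://projects.hosting.example/users/alpha/cms/contact.php
2010-12-20T10:01:40 <scanbot2> [found] http://shop.other.example/index.php?page=1
2010-12-20T10:03:05 <scanbot1> [found] HTTP://Projects.Hosting.Example:80/users/beta/cms/
2010-12-20T10:04:00 <admin> all bots: idle
2010-12-20T10:05:31 <scanbot3> [found] http://nothosting.example/cms/ http://www.hosting.example/forum/
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) <([^>]+)> (.*)$")

def in_scope(host, owned):
    """True if host is an owned domain or a subdomain of one (label-aligned)."""
    return any(host == d or host.endswith("." + d) for d in owned)

def exposed_hosts(log_text, owned_domains):
    """Map each in-scope host to when, where and by whom it was reported."""
    owned = {d.lower().rstrip(".") for d in owned_domains}
    report = defaultdict(
        lambda: {"first": None, "last": None, "paths": set(), "nicks": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a channel message
        ts, nick, msg = m.groups()
        for url in URL_RE.findall(msg):
            parts = urlsplit(url)
            host = (parts.hostname or "").rstrip(".")  # hostname is lowercased
            if not host or not in_scope(host, owned):
                continue
            entry = report[host]
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
            entry["paths"].add(parts.path or "/")
            entry["nicks"].add(nick)
    return dict(report)

if __name__ == "__main__":
    hits = exposed_hosts(SAMPLE_LOG, ["hosting.example"])
    for host, e in sorted(hits.items()):
        print(host, e["first"], e["last"], sorted(e["paths"]), sorted(e["nicks"]))
```

Matching on the parsed hostname rather than on the raw line keeps look-alike names such as `nothosting.example` out of the report, which a plain substring grep would not.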

One note: I decided to put the owning activities in the “counter measures” leaf because "good and evil" is just a matter of who does things.

That's all for the moment. Maybe I will publish some more explanation of this process as soon as possible. Feedback and questions are welcome.

Counter measures: don’t expose users with bugged web apps!

Tuesday, December 14, 2010

LOIC 1.1.1.15 - Crafted C&C Channel Topic Could Lead to a Crash

Following the trend of these days, I played (locally) with one of the latest releases of LOIC (Low Orbit Ion Cannon DDoS tool). Inserting a long (not so long) string in the topic of a C&C IRC channel seems to cause a memory corruption condition.

The screenshot above shows a crafted topic that triggers the issue. The affected release tested is 1.1.1.15. A few more details related to the .NET exception:


Some important notes: I saw on Twitter that someone retweeted this post adding "remote code execution". I never spoke about a "remote code execution" condition for this issue.

Anyway, IMHO this issue could be inserted in the counter measures list for this kind of threat. Acting from a client-side perspective may sometimes be useful.