May4th

PHP bugs

Want to find PHP remote file include bugs? Plug the below value into Google code search.

file:\.(php|inc) include.+(\$|\(\)).+$

No news there, PHP remote file include bugs are easy to find, easy to exploit, and there seems to be no shortage of them. It's a lot easier to develop a working exploit for a web vulnerability than for some memory bug, which is part of the reason we're seeing so many of these bugs.

Maybe it's just me, but I no longer feel safe running PHP applications. Sure, web applications built on any technology have their problems. However, there seem to be more attacks against PHP apps that yield arbitrary code execution than against, say, your average JSP/servlet application. I love the fact that I can find a PHP script to do just about anything I need, but every time I turn around I have to deal with the latest security problem in some PHP app. If that wasn't bad enough, March reminded us how buggy the PHP engine itself really is. It seems we saw the whole spectrum of bugs this time: double-free memory bugs, register_globals problems, XSS, memory corruption, an integer overflow, an underflow, file permission problems, and good old-fashioned input validation flaws in the mail() function.

What's that in my inbox? Looks like it's time for me to update the web server yet again... *sigh*

May4th

Navajo code

Code talkers (xkcd)

I often wonder why Japan never cracked our Navajo code. By cryptographic standards, it is not very complex.

Apr3rd

All code is broken

I recently stumbled upon an article written by Joshua: Nearly All Binary Searches and Mergesorts are Broken

I did a quick search on Krugle and Google code search and was able to quickly confirm that indeed nearly every implementation of this algorithm was broken. Joshua doesn't go into the security problems with this bug, so I thought I'd give it a stab. Some of these bad sorting implementations written in C/C++ could lead to memory disclosure bugs. The integer overflow bug in sorting code allows one to read off the end of an array. Imagine a web application that allows one to upload large amounts of data that will be stored in an array which a binary search will operate on. (Yes, it's a contrived example.) One might exploit this problem by brute forcing each byte of memory until the
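The overflow and its fix side by side, as an added C example (not code from the article or from any search result); the broken midpoint is computed in wrapping 32-bit arithmetic so the failure is reproducible, and the sample array is constructed:

```c
#include <stdint.h>
#include <stdio.h>

/* Midpoint as most implementations write it: (low + high) / 2.  Computed in
 * wrapping 32-bit arithmetic so the failure is reproducible (signed overflow
 * in C is undefined, so an optimised build may behave even less predictably). */
static int32_t broken_mid(int32_t low, int32_t high)
{
    uint32_t sum = (uint32_t)low + (uint32_t)high;  /* wraps past INT32_MAX */
    return (int32_t)sum / 2;                          /* negative once wrapped */
}

/* Overflow-free midpoint: high - low always fits in an int32_t. */
static int32_t safe_mid(int32_t low, int32_t high)
{
    return low + (high - low) / 2;
}

/* Binary search with the safe midpoint; returns the index of key or -1.
 * With the broken midpoint, Java throws on the negative index; C silently
 * reads memory outside the array, which is the disclosure discussed above. */
static int32_t bsearch_i32(const int32_t *a, int32_t n, int32_t key)
{
    int32_t low = 0, high = n - 1;
    while (low <= high) {
        int32_t mid = safe_mid(low, high);
        if (a[mid] < key)      low = mid + 1;
        else if (a[mid] > key) high = mid - 1;
        else                   return mid;
    }
    return -1;
}

/* Constructed sample input. */
static const int32_t sample[6] = {1, 3, 5, 7, 9, 11};

int main(void)
{
    /* Bounds a search reaches once the array holds 2^30 or more elements. */
    printf("broken_mid = %d, safe_mid = %d\n",
           (int)broken_mid(1073741824, 2147483647),
           (int)safe_mid(1073741824, 2147483647));
    printf("index of 7 = %d\n", (int)bsearch_i32(sample, 6, 7));
    return 0;
}
```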

What is the underlying problem here? Are all of us coders mindless cut-and-paste zombies? Or is it that given the same problem we all tend to make the same mistakes. Maybe there is no such thing as a “simple” problem.

Apr2nd

The ANI Exploit

This animated cursor exploit has me perplexed. This problem was discovered at least by Dec. 2006. But most of us just learned about the problem on Friday. This is a simple stack overflow, right? Why aren’t the protections in Vista able to defend against this exploit? At least that’s what I’ve been asking myself. I’ve been doing some research. I don’t have all the answers yet, but here is what I’ve gathered from reading the Cyber-Inter-web-nets.

  • Why isn’t the /GS flag protecting us?

http://www.determina.com/security.research/vulnerabilities/ani-header.html

“It is a stack overflow and should be detected by the /GS security check. Unfortunately, the Visual Studio compiler adds the /GS check only to functions that contain certain types of arrays, assuming that most buffer overflows are a result of out-of-bounds array access. The LoadAniIcon function uses a structure as a destination buffer for the data it reads and as a result its return address is not protected by the /GS stack check. This allows an attacker to overwrite the return address and take control of the program execution on Windows XP SP2, 2003 and Vista in the same way as on Windows 2000.”

  • Memory randomization (ASLR)?

http://www.determina.com/security.research/vulnerabilities/ani-header.html

“In addition to the missing /GS check, the vulnerable code in USER32.DLL is wrapped in an exception handler that can recover from access violations. If the exploit is unsuccessful, for example due to the Vista ASLR, the process will not terminate and the attacker can simply try again. This gives the attacker an easy way to bypass the ASLR protection and increase the reliability of the exploit.”

As I understand it, an attacker on average only requires 128 tries to brute-force the return address.

  • UAC?

UAC does not stop code execution.

  • DEP? Ok, what about DEP? Surely DEP will save us…

Well, DEP can be bypassed via the "return-to-libc" method. But an attacker may not have to resort to such means. DEP issues are complicated, but there are reports of exploits working against Outlook using Vista's default DEP settings. DEP is disabled by default for Internet Explorer and Windows Explorer on 32-bit Windows Vista.

All of this comes on the heels of Michael Howard calling for buffer-related security vulnerabilities found in Windows Vista to be downgraded because of the back-up mitigations built into the operating system.

Mar14th

Ballistic Missile Defense

This is an awesome video covering multiple missile defense technologies. Now if only it was that easy...

Mar6th

Damn Vulnerable Linux

Every once in a while I stumble upon a project so useful I find myself asking, “Why didn’t I think of that?”

Damn Vulnerable Linux is a bootable Linux distro with a twist: it's full of security holes. It's designed to be a hands-on learning tool. There are a number of tutorials/challenges out there that teach the basics of exploiting software bugs (and writing secure code). Exercises like those at Insecure Programming by example are very helpful, but the hardest part about some of these exercises is setting up the environment. The more esoteric vulnerabilities may only be exploitable in a few narrowly defined circumstances. That's where Damn Vulnerable Linux comes in. This project allows one to boot up the CD (preferably in VMware) and learn the basics of software insecurities, while removing some of the configuration work.

One just has to wonder if Microsoft’s next TCO Comparison will count the “bugs” in this distro against Linux as a whole. ;)

Mar2nd

Adding night vision to my baby monitor

I use a wireless network camera as my baby monitor. I have the camera mounted over my son's crib. The Axis 207w has audio capabilities, streams MJPEG and MPEG4, runs Linux and has a solid API which allows me to integrate it into my home automation system. The only problem with this camera is that it can't see in the dark. However, the camera does have a GPIO port on the back, and I can use the camera's API to control the GPIO port.

So I mounted an infrared LED to the side of the camera. The results are pretty good. I decided against removing the IR filter. Removing the IR filter would increase visibility in the dark; however, I use this camera during daytime hours as well, and removing the IR filter would wash out the picture.

[Image: cimg2172.JPG]


Feb27th

Brute forcing S-tools

Quite frankly, most stego software does a pretty poor job of withstanding steganalysis. Most tools tend to leave some sort of signature in the cover file, and are therefore detectable. More often than not the authors of these tools don't fully grasp some cryptographic concepts. Some tools even store the decryption key in the cover file.

Not so long ago, I was doing some analysis of S-Tools version 4. S-Tools (272k) is a Windows-based steganography tool that encrypts, then hides files in BMP, GIF, and WAV files. Many papers and much of the literature dealing with stego cover this tool. S-Tools works by first encrypting a file, then using a random number generator to scatter the ciphertext throughout the cover file by modifying the least significant bits of an image. Because it uses standard cryptographic algorithms, I believe that while the stego isn't exactly undetectable, the encryption is based on a sound design (the author didn't try to reinvent the wheel).

I found that detecting the presence of a file hidden by S-Tools was not too difficult. There are at least two tell-tale signs S-Tools leaves on an image. First, by promoting the least significant bit to the most significant bit, a recognizable dot pattern can be seen. Second, S-Tools distorts the compression artifacts created by lossy compression algorithms (such as JPEG). Even if a file is converted from a compressed format to a 24-bit bitmap, these artifacts may still be visible (depending on the graphics software and settings). I wrote a small program which enhances the artifacts so they can be easily seen.
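An LSB-plane extractor of the kind the first technique calls for, written here as an added C example (it is not the author's program); it works on one 8-bit channel held in memory, the sample bytes are constructed, and the PGM writer is only there so the plane can be viewed:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Promote each sample's least significant bit to full intensity:
 * LSB 1 -> 0xFF, LSB 0 -> 0x00.  Viewed as an image, the LSB plane of an
 * untouched photo still follows the picture; a region carrying scattered
 * ciphertext shows up as uniform noise. */
static void lsb_plane(const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(-(in[i] & 1));   /* 0x00 or 0xFF */
}

/* Fraction of samples whose LSB is set.  Over a flat region this is 0 or 1;
 * over encrypted payload bits it settles near 0.5. */
static double lsb_ones_ratio(const uint8_t *in, size_t n)
{
    size_t ones = 0;
    for (size_t i = 0; i < n; i++)
        ones += in[i] & 1;
    return n ? (double)ones / (double)n : 0.0;
}

/* Write an 8-bit grayscale image as binary PGM (P5) so it can be viewed. */
static int write_pgm(const char *path, size_t w, size_t h, const uint8_t *px)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fprintf(f, "P5\n%zu %zu\n255\n", w, h);
    size_t n = fwrite(px, 1, w * h, f);
    return (fclose(f) == 0 && n == w * h) ? 0 : -1;
}

/* Constructed sample data (not a real cover file): a 3x2 "image" and a flat run. */
static const uint8_t sample[6] = {10, 11, 12, 13, 200, 201};
static const uint8_t flat[4]   = {100, 100, 100, 100};

int main(void)
{
    uint8_t plane[6];
    lsb_plane(sample, plane, 6);
    printf("LSB ones ratio: sample %.2f, flat %.2f\n",
           lsb_ones_ratio(sample, 6), lsb_ones_ratio(flat, 4));
    /* Real use: load one channel of the cover image into a buffer first. */
    return write_pgm("lsb_plane.pgm", 3, 2, plane) == 0 ? 0 : 1;
}
```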

This is an example of the artifacts that often get created by JPEG compression (or perhaps it's caused by dithering):

[Image: fishartifacts.png]


Feb25th

Local Cross-Site Scripting

I don't like the term Cross-Site Scripting. We're in need of better terminology for the kind of attacks we're seeing against Acrobat Reader and Google Desktop. I think Amit Klein did a good job pointing out the terminology problem. But I'm not happy with any of the suggested terms I've heard.

XSS typically refers to scripting across domain boundaries. Instead of scripting across domain boundaries, we're seeing vulnerabilities that allow for scripting on the local host. This type of vulnerability allows an attacker to read files and manipulate the local system. Web-apps have come of age. Web-apps are everywhere, even in applications that run locally on your system. I'm seeing a greater number of applications going this route. I see the advantages. It's a quick way to build cross-platform applications. Not only that, you can use your existing web programs to get the job done.

The other day I came across an application that uses HTML documents for scripting. The app basically uses an MSHTML control to load "script" files. These script files are really nothing more than HTML docs being run in the context of the local system. It uses VBScript to script a local ActiveX control. It's easy to find people who can write JavaScript/VBScript code, so it would appear to be a good platform for scripting. The trouble is that it only takes one Cross-Site Scripting vulnerability to sink the system.

Feb22nd

Build an Ethernet and RS-232 tap using the 5-in-1 cable

The Five-in-One Admin's cable is a very handy cable. It was featured in the premiere edition of Make. The five-in-one cable is an Ethernet cable, a crossover Ethernet cable, a modem cable, a null modem cable, a serial/Ethernet loop-back cable, and a Cisco console cable. That's a lot of functionality in just one cable. The elegant thing about this cable is that its components are dual use. For example, the cross-over cable doubles as a null-modem cable.

Recently, I've been working on projects that require an Ethernet tap and an RS232 tap. A tap is an in-line device which allows one to passively sniff a connection. Taps can be used to debug problems which would otherwise be tricky to debug. Taps also have applications in security monitoring systems like Snort. I could have bought an RS232 tap and an Ethernet tap, but after looking over the circuit diagrams I noticed something. The circuit diagrams for the Passive Ethernet Tap and the full-duplex RS232 sniffer cable are very similar. In fact, the only difference between the two cables is that the handshake signals on the RS232 sniffer cable have been looped back.

So in the spirit of the 5-in-1 cable, I built a system of connectors to allow me to tap both Ethernet and serial communications (not at the same time, of course).

[Image: cimg2697.JPG]

The construction wasn't too hard. Basically I just built the five-in-one cable described here, then built the Passive Ethernet Tap described here. The only thing left to do was to build two of my own custom loopback cables.

Here are instructions to make your own