victims demo
@ 2010-05-09 00:39:40
Filed under: Code Tech Security
Bad Java, BAD! No More Jars! @ 2010-03-27 23:26:42
Filed under: Code Tech Security Frustration Python
A big frustration for me is the sprawl of Jars (Java "packages"), which are everywhere. These special zip files tend to be copied into other applications and then left alone. Many of these Jars have newer releases that fix security issues, but the bundled copy never gets updated. It's even worse that many Jars don't carry enough metadata for you to be sure who owns them. Yes, you could keep SHA1 sums in a database like Maven does, and that is better than nothing, but it's not really a fix, it's a hack.
Here is an example of metadata that came with one Jar:
Manifest-Version: 1.0
Created-By: 1.6.0_10 (Sun Microsystems Inc.)
How helpful! Well, we can at least see what it is by the name of the file: sqlitejdbc.jar. It still doesn't tell us what version. Let's look at another:
Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven
Built-By: fberger
Build-Jdk: 1.6.0_06
Better, but still not that helpful. In this case we get lucky, as some of the info is in the file name: gettext-commons-0.9.6.jar.
It really seems like the whole 'keep metadata in your Jar' idea is more of an inside joke, which is why a hack (as Maven does it) is needed to track which jars to include. Welcome to Jar hell. How fun. Anyway, here is another hack ...
For the heck of it I decided to write a very simple scanner. It reads the metadata from the Jar file and then tries to match it against an online database. If it gets no results back, the jar is kept as 'either safe or not enough information'. If there isn't even enough data to make a call out to the database, the jar is assumed bad and the scanner tells you which user to bother about it, if one is listed; and if the database confirms vulnerabilities, it's known bad. It needs a lot of work to better guess information the metadata doesn't provide, but here is an example run (with some changes to protect the guilty):
$ python jarscanner.py *jar
WARNING:root:apache-mime4j-0.6.jar is the latest secure version or not enough info
WARNING:root:commons-codec-1.3.jar is the latest secure version or not enough info
WARNING:root:commons-logging-1.1.1.jar is the latest secure version or not enough info
WARNING:root:hsqldb.jar is the latest secure version or not enough info
WARNING:root:httpclient-4.0.jar is the latest secure version or not enough info
WARNING:root:httpcore-4.0.1.jar is the latest secure version or not enough info
WARNING:root:httpmime-4.0.jar is the latest secure version or not enough info
INFO:root:jetty-6.1.7.jar found 15 vulns
INFO:root:jetty-util-6.1.7.jar found 15 vulns
WARNING:root:servlet-api-2.5-6.1.7.jar is the latest secure version or not enough info
WARNING:root:The following jars are known to be bad ...
WARNING:root:jetty-6.1.7.jar
WARNING:root:jetty-util-6.1.7.jar
CRITICAL:root:Sorry, but a number of jars are crap and don't provide enough information.
These should be assumed bad!!!
CRITICAL:root:bdiff.jar
CRITICAL:root:fast-md5.jar (go bug dragonlz about it)
CRITICAL:root:gettext-commons-0.9.6.jar (go bug fberger about it)
CRITICAL:root:jcip-annotations.jar
CRITICAL:root:linuxfolderwatcher.jar
CRITICAL:root:messages.jar
CRITICAL:root:snakeyaml-1.5.jar (go bug somov about it)
CRITICAL:root:sqlitejdbc.jar
CRITICAL:root:stringtree-json-2.0.9.jar
CRITICAL:root:swt.jar
CRITICAL:root:unixapi.jar
CRITICAL:root:XXXXXXXXXX.jar
CRITICAL:root:XXXXXXXXXX.jar
I'm tired. I'm going to bed. I'll throw the code up somewhere tomorrow.
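The three-way classification described above, as an added example that is not the post's jarscanner.py: it reads META-INF/MANIFEST.MF from a jar (handling the manifest's space-prefixed continuation lines), falls back to a name-version.jar file name where the manifest is silent (which the post's own scanner does not yet do), and replaces the online lookup with a constructed in-memory table of known-vulnerable (name, version) pairs. The KNOWN_VULNS entries and the manifests built by make_jar are sample values, not real artifacts.

```python
import io
import re
import zipfile

# Constructed stand-in for the online vulnerability database the post queries:
# (artifact, version) -> number of known vulns. Sample values only.
KNOWN_VULNS = {("jetty", "6.1.7"): 15, ("jetty-util", "6.1.7"): 15}
NAME_VER = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[\w.]*)\.jar$")  # name-version.jar fallback

def parse_manifest(raw):
    """Parse META-INF/MANIFEST.MF: 'Key: value' lines; a leading space continues the previous value."""
    attrs, last = {}, None
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def identify(filename, jar_bytes):
    """Return (name, version, built_by): manifest first, file name as fallback."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF")) if "META-INF/MANIFEST.MF" in names else {}
    name, version = attrs.get("Implementation-Title"), attrs.get("Implementation-Version")
    match = NAME_VER.match(filename)
    if match:
        name, version = name or match.group("name"), version or match.group("ver")
    return name, version, attrs.get("Built-By")

def classify(filename, jar_bytes, db=KNOWN_VULNS):
    """Same three buckets as the post's scanner: 'bad', 'unknown' (no hits), 'no-info' (cannot even ask)."""
    name, version, built_by = identify(filename, jar_bytes)
    if not (name and version):
        who = " (go bug %s about it)" % built_by if built_by else ""
        return "no-info", filename + who
    vulns = db.get((name, version), 0)
    if vulns:
        return "bad", "%s found %d vulns" % (filename, vulns)
    return "unknown", "%s is the latest secure version or not enough info" % filename

def make_jar(manifest_text):
    """Build a minimal jar in memory (constructed test input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()
```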
Patch For python-nmap @ 2010-03-24 16:01:12
Filed under: Code Tech Security Python
I discovered python-nmap but noted that it blocks. I threw together a quick wrapper that runs the scan without blocking, for use in my own stuff, and figured I might as well post it :-). Let's see if it goes upstream!
#!/usr/bin/env python
# By Steve 'Ashcrow' Milner
import nmap

try:
    from multiprocessing import Process, Queue
except ImportError:
    # For pre 2.6 releases
    from threading import Thread as Process
    from Queue import Queue


class NmapProcess(object):
    """
    Process scans in a non-blocking way.
    """

    def __init__(self, host):
        """
        Creates an instance.

        :Parameters:
           - `host`: host to scan
        """
        self.__host = host
        self.__queue = Queue()
        self.__nm = nmap.PortScanner()
        self.__process = None
        self.__results = None

    def scan(self, ports=None, arguments='-sV', callback=None):
        """
        Starts the scan taking the same input as nmap scan except the host.

        :Parameters:
           - `ports`: ports to scan
           - `arguments`: arguments for nmap
           - `callback`: optional callback to execute when results are available
        """
        def scan_process(ports, arguments, callback=None):
            # Runs in the child; the scanner object comes back through the queue
            self.__nm.scan(self.__host, ports, arguments)
            self.__queue.put(self.__nm)
            if callback and callable(callback):
                callback(self.__nm)

        self.__process = Process(
            target=scan_process, args=(ports, arguments, callback))
        self.__process.daemon = True
        self.__process.start()

    def __get_results(self):
        """
        Returns results if they are available, else None.
        """
        if self.__results is None:
            if self.__queue.empty():
                return None
            # Cache the result so the queue is only drained once
            self.__results = self.__queue.get()[self.__host]
        return self.__results

    def __del__(self):
        """
        Clean up (a scan may never have been started).
        """
        if self.__process is not None:
            self.__process.join()

    # Properties
    results = property(__get_results)
    results_available = property(
        lambda s: s.__process is not None and not s.__process.is_alive())


if __name__ == '__main__':
    n = NmapProcess('127.0.0.1')

    def p(s):
        print("From Callback: " + str(s['127.0.0.1']))

    n.scan(arguments="-sV -T4 -A", callback=p)
    # Do stuff here ...
    from time import sleep
    while not n.results_available:
        print("Waiting ...")
        sleep(3)
    print("From property: " + str(n.results))
Nmap Script To Look For Arugizer @ 2010-03-08 16:50:50
Filed under: Code Tech Security
After seeing the fun that is Energizer exploiting their users' systems, I decided to try writing an Nmap script to detect an infection. I wasn't able to test it as I don't have an infected system. If you have access to an infected system, give it a shot and let me know (I'm ashcrow on Twitter and Identi.ca). Patches welcome, of course! I had to use binary data files as I couldn't quickly find a good way to move from hex to binary data.
Note: A match line has already been committed to Nmap. See this post by SkullSecurity for information on how to update.
Files:
Script: http://www.stevemilner.org/images/arugizer.nse
Binary Send Data: http://www.stevemilner.org/images/arugizer_ping.data
Binary Response Data: http://www.stevemilner.org/images/arugizer_yes.data
The data files need to be placed in /usr/share/nmap/nselib/data/, or wherever your nselib data directory is.
description = [[
Checks systems for Arugizer, the energizer bunny trojan.
]]

---
-- @usage
-- nmap --script arugizer.nse <target>
-- @output
-- Host script results:
-- |_ arugizer: Infected

author = "Steve Milner"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe", "discovery"}

require("nmap")

-- File that holds the following as found by ron@skullsecurity.net
-- Hex: \xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD\xD7\xD5\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5\xD7\xDD\xA3\xA4\xA1\xDD\xA6\xD7\xDD\x98\xE5
-- ASCII: {E2AC5089-3820-43fe-8A4D-A7028FAD8C28}
local f = assert(io.open(nmap.fetchfile('nselib/data/arugizer_ping.data'), "rb"))
local ping = f:read("*all")
f:close()

-- File that holds the following as found by ron@skullsecurity.net
-- Hex: \xbc\xa0\xb6
-- ASCII: YES
f = assert(io.open(nmap.fetchfile('nselib/data/arugizer_yes.data'), "rb"))
local yes = f:read("*all")
f:close()

--- Rule to decide if the action should take place.
-- We only trigger if the port is 7777
-- @param host The host table from nmap.
-- @param port The port info from nmap.
portrule = function(host, port)
  if port.state == "open" and
     port.protocol == "tcp" and
     port.number == 7777 then
    return true
  end
  return false
end

--- Takes action if the port rule is triggered.
-- Checks if port 7777 responds to the known string
-- @param host The host table from nmap.
-- @param port The port info from nmap.
action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(1000)
  local ok, err = socket:connect(host.ip, 7777)
  if not ok then
    -- Could not connect; nothing to report
    return nil
  end
  socket:send(ping)
  local status, response = socket:receive()
  socket:close()
  -- On a failed receive 'response' holds an error string, not data
  if status and string.sub(response, 1, 3) == yes then
    return "Infected"
  end
  return "Seems OK ..."
end
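Added example (Python, not part of the script or the page): it turns the \xNN escape text from the script's comments into the raw bytes the .data files must contain, which is the hex-to-binary step the post found awkward, and checks how the two hex/ASCII pairs given there relate: both are the ASCII text under a single-byte XOR (the key is derived, not assumed), and the ping carries a 4-byte little-endian length in front of the NUL-terminated GUID. The constants below are copied from the comments above; no new indicator data is introduced.

```python
import os
import struct

# Byte strings exactly as the script's comments list them (credited there to
# ron@skullsecurity.net), kept as escape text so the conversion is explicit.
PING_HEX = (r"\xC2\xE5\xE5\xE5\x9E\xA0\xD7\xA4\xA6\xD0\xD5\xDD\xDC\xC8\xD6\xDD\xD7\xD5"
            r"\xC8\xD1\xD6\x83\x80\xC8\xDD\xA4\xD1\xA1\xC8\xA4\xD2\xD5\xD7\xDD\xA3\xA4"
            r"\xA1\xDD\xA6\xD7\xDD\x98\xE5")
PING_ASCII = "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
YES_HEX = r"\xbc\xa0\xb6"
YES_ASCII = "YES"

def escapes_to_bytes(text):
    """'\\xNN\\xNN...' escape text -> raw bytes, i.e. the content of a .data file."""
    return bytes.fromhex(text.replace("\\x", ""))

def single_byte_xor_key(obfuscated, plain):
    """The one-byte key k with obfuscated[i] ^ k == plain[i] for every i, or None."""
    if not plain or len(obfuscated) != len(plain):
        return None
    key = obfuscated[0] ^ plain[0]
    return key if all(o ^ p == key for o, p in zip(obfuscated, plain)) else None

def split_ping(raw, key):
    """Apply the key, then split the ping into its little-endian length and the NUL-terminated GUID."""
    clear = bytes(b ^ key for b in raw)
    length = struct.unpack("<I", clear[:4])[0]
    body = clear[4:4 + length]
    return length, body.rstrip(b"\x00").decode("ascii")

def write_data_files(directory="."):
    """Write arugizer_ping.data and arugizer_yes.data as the NSE script expects them."""
    for name, hex_text in (("arugizer_ping.data", PING_HEX), ("arugizer_yes.data", YES_HEX)):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(escapes_to_bytes(hex_text))

if __name__ == "__main__":
    key = single_byte_xor_key(escapes_to_bytes(YES_HEX), YES_ASCII.encode())
    print("key: 0x%02x" % key, split_ping(escapes_to_bytes(PING_HEX), key))
```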
SonicWall Is Silly @ 2010-01-20 11:59:23
Filed under: Tech Security Frustration
Ever hear of SonicWall? Sure you have! More than likely you have been a user in a coffee shop or at a restaurant (though you may not have known it). The idea is to protect both the user and the local network from accessing content that is undesirable. Thankfully, they tell you why the content has been blocked. Sadly, they also block users from resources that help fight scams. Why? Because they may not be smart enough to tell the difference. For instance, I had gone to PhishTank to post a phishing email to warn others, and SonicWall blocked me from accessing the site, all the while allowing access to VirusTotal, which is a similar type of service but for file scans. You are probably saying "Ashcrow! It's obviously a mistake! Go, tell them to fix it!" and let me stop you there, because I did try. Two times actually, and both times I received the same response:
Dear Customer:
You submitted the following rating request to SonicWALL CFS Support:
Rate phishtank.com as "27.Information Tech/Computers" at 2010-01-12 17:25:02.167
The request has been reviewed and rated as:
"28.Hacking/Proxy Avoidance" at 2010-01-20 03:35:03.190
You should see this rating change reflected within 1 to 3 business days.
Thank you for your request,
SonicWALL CFS Support
At first I thought maybe they kept the same rating but opened access. Many people (and companies) don't know the difference between hacking, cracking, phishing and fraud. The next time I was out at the restaurant I tried hitting PhishTank. No dice.
So what does this mean? That is a hard one. It could mean a lot of things, but the way I take it is that the folks making decisions on blocking content are not proficient enough to tell the difference between a hostile site and one that helps protect users, and that is NOT a good quality to have in a security content filtering vendor of any kind.