I recently catch upon Cenzic having a pretty interesting patent, which basically covers any code that baselines a web page and then injects faulty code into parameters to verify vulnerabilities. Yes you read correctly, this patent awarded in 2007 covers all web scanners and even powerful fuzzers into the patent, why it was granted? beats me I presume whoever checked it out didn’t really find prior art (there is) or really understand what was being patented (go lawyer+techie talk) the result? an overlapping patent.

Now a patent should ALWAYS be used defensively, which means “I protect myself from other people coming and breaking my stuff, asking me for money for something I developed or saying I didn’t create it” the problem is, Cenzic is NOT using the patent defensively, they are using it to get money out of web scanner companies.

IBM/HP already did a cross licensing deal with them, (probably giving them their crawler technology) and now they went and asked NTObjectives an insane amount of money, result? NTObjectives is fighting back, the filed a suit which will then break the patent and stop this company from basically extorting money out of other companies for a very generic and broken patent.

It makes me sad, why? because one of the patent owners is someone I really respect: Greg Hoglund, the founder of rootkit.com, his books are great and I love them, but this patent, this is wrong. It saddens me the fact that someone on the security environment (I hate using the industry word, because grayhats and blackhats are not on the industry but are still on the environment) would do this and let it go.

I created then the website www.stop232patent.com you can follow an in depth detail of the analysis of the patent, trial, prior art, etc.

As the release of trapper was getting closer I started thinking what good would the complete release of the software will do, and I came up with this answers:
- Nothing, nobody would use it
- Some people would use it for kicks, mostly to hack their own networks or hack work
- It could be used to crack something large and big
- Other people would use it on their audits, call me I’m finished and keep on using my research and work.
- Man in black would seize my server (since it’s on the US) and force the app to be erased after magically appearing with a copy of it.

While the last one appears definitely far fetched the third one got me thinking seriously, not only because of the nature of my research has gone definitely into Hydras and AI / Neural Networks / Expert Systems but because potentially sooner or later it could be pushed into the light and someone will do something that would compromise the years I’ve work on the security field.

I’m not calling that a reporter, as the ones I know they have been always fair to me in developing at story, but today as I unleashed the third rewrite of trapper (yes I had to rewrite 2 times already due to redesign of the objects) someone at the starbucks checked their email via pop, in less than 5 minutes all his email was parsed, loged into facebook, found, friends found, had his avatar picture and was searching who he was talking to in MSN. At that second I realized I stupidly left the domain into * and not localhost, definitely my mistake but … it suddenly hit me, am I making stuff secure or insecure releasing this?

The answer was “You are making stuff completely insecure, people won’t understand what is going on, it will be just pure blood and your point across will be lost” so my decision is to open trapper only to a few people without hard modules and keep it for Yaguarete as part of the internal tools, not because I don’t want to, believe me with the design I made a proficient coder will have no trouble to create it’s own little hydra, but it won’t me mine, it won’t be code breaking hard into stuff I seriously do not want to even ping.

YES I’ve become soft, YES I’m not the guy who used to rampage like 10 years ago in G-Con, but then again who would be? are you really a sane person holding into something that happened or said 10 years ago? is your life THAT pathetic?

I’ve seen people come from total “n00bs” into amazing hackers, like HKM I remember him messaging me saying he got hist first overflow after reading a paper then all the sudden he is destroying 2Wire with amazing research, people evolve, everything evolves, why wouldn’t I just evolve?

As I was reading the leaks that might break spies and complete networks of the CIA on Afganistan because of a leak I said “well sure government did stuff they shouldn’t have done? most probably but then again should documents leak THAT harshly?” I’m not condemning or applauding the act I just wondered “what if code I wrote ever is used for that?”

You might not have met me in my “worst” years, when I tough I was invincible, when nobody was smarter than me, more connected than me, etc. but I realize that those years I did more damage than help, I turn around and I smile when people tell me they look up to me and they have shaped cons in the sense of G-Con or stuff like that (I have to say that having someone name his kid after you felt great, thank you Pedro Navarro -byteStriker-)

Anyway I’m still alive, am I the same? no, is my research the same? probably is it still agressive? As much as I need to, because at the end, my research is only for me now, I don’t want any more fame, I don’t want the spotlight anymore, I’ve had my 15 minutes of fame, I want to do what I like, what I want and just be happy (breaking stuff sure why not)

Will trapper ever be public? to be honest it might, just not right now I’d like to keep the advantage before other companies use it and call my company inferior, anyway it will have a mixed license so too bad for ppl that will use it for commercial.

If you are interested in a copy of it, contact me and we can chat but I don’t promise anything.

1. They are slow
2. They don’t have a sense of “weight” on the exploits
3. They miss half of the complex stuff

Couple of weeks ago we lost a bid based on the fact that the client tought we did everything automatic (Errr LoL! apparently they don’t read the blog, didn’t read my resume and didn’t reaaaaally understood some facts but then again who can blame the girl that was in charge?) this was hilarious but posed a very good question:

Why all scanners SUCK ARE BAD?

I’m not saying I’m way better than all of them, but given enough time I can find even more stuff than them on simple and way more on complex privilege escalation ones, I find myself writting my own tools for jobs and trying to make them as smart as I can, this is really a fun but slow job.

You would really think that since ALL webscanners have sites to try your scanner against they would make sure they would get most of the bugs even on those sites right? .. WROOOOOOOOONG most scanners found 50% of the bugs, God that makes you feel such a nice feeling, knowing you just got a very expensive web scanner to find .. HALF OF YOUR BUGS!

Anyway most of people know I usually get get software and products to break them up and then just either keep them (like my cisco routers) or give them back (like the Tipping Points … I never get to keep one! -_- ), this time I got the “pepsi challenge” from NT Objectives couple of weeks ago, and I was pleasantly surprised when I managed to hack into my intranet test sites before it, with a nice smile waited untill it finished saw the report, then passed the next 2 days trying to figure out 30% of the bugs it found.

I contacted them and chatted to them, I showed them my results and they showed me how to reproduce it raw and on HTML and I finally figured those out, I didn’t even know my sites had those bugs, I started o read up on their site and chat with their engineers and realized they have JavaScript Machines not to only parse the code but to actually run it, so they actually try different variations to bypass the javascript, try referer SQL injections, save web pages to actually find and differentiate from Blind SQL Injection AND (And this got me in love with the damn scanner) they actually find the COMPLETE injection, not just like “ok this breaks thank you for using our scanner now go make the exploit work yourself” kind of deal, noooo nooo noooo I mean this dudes find the entire SQL string you can just click on “verify” and you can check the exploit and get the URL to push it into your favorite injection tool if you want, figuring that out usually takes a while and is annoying (on this specific site the bug was inside a procedure so most of the scanners just broke the stuff but never really exploited and they found the ) and made the “foo’) or (1=1” to gather how bad or good was the injection.

I’m really not going to go into detail in the results and how good it is, all I can say is .. I went and bought it for myself, dropping all the other web scanners, don’t need them anymore at all, I still run everthing by hand anyway, but I feel confident than the low hanging fruit will be covered by this thing and hasn’t failed me yet.

I’ll leave you with the links so you can read up on the report, I found it very interesting!

Slashdot link covering the report
Original report
PDF of the report

Tomando el ejemplo de Sandino, daremos nosotros lo que se debe de hacer para
contrarrestar a “Tu Peor Enemigo”.

“Yo no he cambiado Nada” — Tu Peor Enemigo: El Otro Administrador.

Esta frase la he oido de clientes, administradores, estudiantes y hasta familiares: “Yo no he cambiado nada”, “Solo dejo de funcionar”, “De la nada ya no jala”,etc.

Esta frase es la peor frase que se puede oir sobre todo a altas horas de la noche o muy muy temprano en un dia de trabajo, ya que sabemos que habran cientos de llamadas de usuarios que no podran usar este servicio. Tuve yo un encuentro con el peor enemigo en una compañia a la que le daba servicio, siendo rarisimo que dejaran de usarse los servicios tuve que obviamente
ponerme a trabajar para detener a uno de los peores enemigos: “El Otro Administrador”

Obviamente restriccion de privilegios no funcionara ya que el tambien es administrador y el debe de tener privilegios para reiniciar servicios, hacer cambios requeridos, etc.

El problema entonces se refiere tanto a saber que se cambio, como a mantener una función que inhabilite los cambios en servicios que son criticos.

¿Cuales son los servicios criticos? En este caso era:

• Servidor de Correo (Postfix)
• Servidor de Web (Apache)
• Servidor de base de datos (MySQL)

Ok entonces tenemos varios archivos que tienen la posibilidad de ser cambiados, teniendo asi un problema serio en los servicios, asi como el reinicio de los mismos y los logs.

Podemos tener aqui varias soluciones, la mas facil:

• Instalar AIDE o algo parecido

El problema es que entonces el otro administrador va a querer administrar también nuestra base de datos de seguridad, lo cual nos deja no nada mas igual, si no peor.

Podemos crear rápidamente una base de datos con firmas md5 y tener un simple chequeo de cambios y que mande un correo con los cambios, ¿Como podemos crear una base de datos de ese tipo?

En una simple linea de comando:

find  -print | xargs md5sum > archivo_de_firmas.md5

Es decir, en nuestro ejemplo tenemos postfix:

find /etc/postfix -print | xargs md5sum > postfix_signatures.md5

Para Apache:

find /etc/apache2 -print | xargs md5sum > apache2_signatures.md5

En caso de que fuese apache.1.X.X:

find /etc/apache -print | xargs md5sum > apache_signatures.md5

o

find /etc/httpd -print | xargs md5sum > apache_signatures.md5

Teniendo ya esto podemos simplemente verificar las firmas dando el siguiente comando:

md5sum -c postfix_signatures.md5

lo cual nos daria un resultado de OK en caso de que las firmas fueran las
mismas.

¿Para que nos ayuda esto?, siendo md5 una firma del archivo cualquier cambio
que se le haga, aunque sea de una letra, un byte, cambiaria la firma dando asi
una veruficacion del cambio y nos puede dar una pista de donde estuvo el
cambio que genero el problema en realidad.

Un ejemplo con un directorio simple:

Obviamente esto puede ser incrementado hasta para un sistema operativo completo PERO hay que tomar en cuenta que cosas como los logs, utmp, wtmp, etc. cambian con el uso del servidor.Esto puede agregarse al crontab para que corra cada hora (o hasta cada 10 minutos si de verdad el enemigo es agil, rapido y con presteza para romper las cosas). Un ejemplo de crontab que corre cada 15 minutos y manda un correo con el output es:

#Poner SHELL y mandar correo con MAILTO
SHELL=/bin/sh
MAILTO=enrique.sanchez@security-dojo.com
#
# corre cada 15 minutos
*/15 * * * *       md5sum -c $HOME/fingerprints/apache2_fingerprints.md5

Podemos decir que hemos derrotado a nuestro enemigo, sin embargo tenemos otro problema, este es un remedio reactivo, el daño ya fue hecho y ahora tenemos que limpiar el problema. ¿Qué podemos hacer entonces?

El siguiente paso de defensa sobre nuestro peor enemigo: chattr

Este paso me sirvio muchisimo en una empresa donde todo el mundo movia cosas y “no movi nada” era la respuesta mas importante, sobre todo porque “el backend es tu problema no el mio”, en cuanto aplique la siguiente técnica el director
general supo rapidamente quienes movian las configuraciones, ya que se quejaron de que no podian hacerlo mas, siendo que “Nunca antes lo habian hecho” como ellos mismos dijeron.

chattr es una herramienta indispensable, que desgraciadamente no funciona en el sistema resiserfs (ya que reiser usa cosas mas complejas que ext2 y ext3) pero en ext2 y ext3 (que la mayoria de la gente usa) son excelentes.

La herramienta lsattr nos deja ver los atributos del archivo, el atributo que veremos por el momento es inmutable (i) si damos rapidamente un lsattr a httpd.conf podemos ver lo siguiente:

firebolt apache2 # lsattr httpd.conf
-------------- httpd.conf
firebolt apache2 #

Lo cual nos dice que no tiene ningun atributo por lo cual podemos editarlo de la siguiente manera:

firebolt apache2 # echo cambio >> httpd.conf
firebolt apache2 # tail -3 httpd.conf

# vim: ts=4 filetype=apache
cambio
firebolt apache2 #

Ahora hagamos el archivo inmutable, esto quiere decir que este atributo le
dice al sistema queu aun siendo root no puede modificarse, ni borrarse:

firebolt apache2 # chattr +i httpd.conf
firebolt apache2 # echo cambio >> httpd.conf
-bash: httpd.conf: Permission denied
firebolt apache2 # lsattr httpd.conf
----i--------- httpd.conf
firebolt apache2 #

¡EXCELENTE!

Ahora si queremo editarlo simplemente podemos remover el atributo de inmutable al archivo y podremos editarlo:

firebolt apache2 # chattr -i httpd.conf
firebolt apache2 # echo cambio2 >> httpd.conf
firebolt apache2 # lsattr httpd.conf
-------------- httpd.conf
firebolt apache2 # tail -3 httpd.conf
# vim: ts=4 filetype=apache
cambio
cambio2
firebolt apache2 #

El siguiente es un ejemplo de como usar chattr:

Estas dos técnicas son básicas para comenzar a detener al otro admin, la educación asi como la experiencia iran ayudando al otro admin para poder tener mejor control sobre su servidor (si es que quiere tener control de su servidor)Espero que con esto este peor enemigo pueda ser detenido al menos un poco.