I have been doing some research and i needed to reply to certain requests for specific domains in a constant and certain way,What I normally did was use ZAP or fiddler to MitM the requests and reply with my own self modified requests but i quickly got tired of the manual sisyphic work and decided to look for a simple thin and limber proxy i can modify to my own use.
And so i googled and came across this: Simple python http proxy post by Mitko Haralanov, in the post it mentions that it is based on Suzuki Hisao's Tiny HTTP Proxy. ( I hope i didn't miss anyone, they deserve credit).
Anyway, as I was saying, I found this piece of python code and hacked it to deliver specific responses to specific requests.
And then i thought: "Well, I can make this a little bit more generic for others to use"
and so I did :)
Here is the python script: TinyHTTPProxy.py
And here is the config file: Config.xml
How to use:
(It is extremely simple to use, so just run it and you will figure it out.)
- First: edit the config.xml file (needs to be in the same dir as the .py file), now the only thing i need to say is that the response part of the xml is the response, so you need to place it there with "\r\n" as needed
Example XML:
<attack lookInRequestForThis="www.google.co.il" replyWithThis="\r\nKAKA\r\n"/>
What this means is that the proxy will look for the "www.google.co.il" string in all of the requests headers (if it appears more than once than the first occurrence will be identified), once found the proxy will reply with the response given in the "replyWithThis" attribute.
After you configured the XML, you can run the proxy with the command line below as an example, but note, for performance reasons the XML will load when the proxy starts and not per request so if you want to change the data on the fly you will need to stop+start the proxy.
command line to run it:
python TinyHTTPProxy.py -l proxy.log -i 10.0.0.1 -p 2222
Enjoy :)
Monday, May 7, 2012
Friday, March 9, 2012
MSRC patch Tuesday March 2012
Hi all,
In March 2012 Microsoft patched 2 vulnerabilities i discovered, one in visual studio and the other in Microsoft expression blend.
Now before I begin diving into the technical side of things, let me give you some background of why did I take a look into MS products.
it is actually quite funny and childish, but it makes me smile so I'll share it any way :)
last august I had the fortune of attending Black-hat and defcon, during my touring of the booths at Black-hat I stumbled upon the Microsoft booth and had a very nice chat with the nice folks over there, during which I learned that Microsoft has an annual party that they throw at Black-hat, so I was thinking => I want to go to that party, after all I am a nice guy and I like parties so I'll ask for a ticket.
but I didn't get an invite... turns out you need to find a security vulnerability in one of Microsoft's products to get in to that party.
Challenge accepted :)
Now let us dive a bit into the technical, shall we? :)
(I will be talking about http://technet.microsoft.com/en-us/security/bulletin/ms12-mar )
I will start with Bulletin 5
(Microsoft Expression Design) which I personally aren't too proud of finding, since it was way too easy to find, total effort was like 30 minutes late at night including the email to Microsoft.
back on topic than, this Bulletin is classified as "Remote Code Execution" , a more low level description will be "DLL Hijacking",
For those who don't know what "DLL Hijacking" is, here is a quick intro:
Sometimes an application needs to load libraries to handle the opening of a file, for example: a file that has a file association set in the Windows operating system will opened with a predefined application whether it is on a local folder on the user hard drive or on a network location.
These libraries are sometimes libraries that are installed in the operating system when the user first installs a program, now if the developer of that app did not follow Microsoft guidelines and did not follow the steps at:http://technet.microsoft.com/en-us/security/advisory/2269637 the application is vulnerable for remote code execution attacks via DLL Hijacking.
Now back to the bulletin:
When opening specific files with Microsoft Expression Blend from a network location, a certain DLL is called first at the network location, allowing an attacker to do what they want on the user machine.
(I wanted to specify the DLL name but it is late and I am too lazy to dig for the original mail I sent to MS)
Now to my favorite: Bulletin 4
MSRC has this under "Elevation of Privilege"
(I will be talking about VS2008, VS2010 does not have this vulnerability manifesting the same way)
This is similar to the concept of a DLL Hijacking only this time the thing being "Highjacked" is a visual studio Add-in.
Yes, a Malicious Add-in for your visual studio! (me thinks it is cool)
How does this happen?
Simple, when a developer opens specific files associated with visual studio (there are plenty) the visual studio will load first and then after the development environment has loaded will it load the specified file.
The magic happens when the Visual studio loads, because when it does it will load it's add-ins from that network location, Yes... every time a VS2008 instance opens a file from a network location it looks for add ins in that location first before rolling back to the default location on the user's hard drive.
under VS2008 you can just put any add in you like and the development environment will load it and list it as one of the add ins, this does not affect VS2010.
in VS2010 there is a predefined list of add ins, I did not research this any further simply because I still have a day job and all this was done on my own time. and yes, I do have a life, so research_time--;
Conclusion:
To sum things up, I am not proud of finding the DLL Hijacking vulnerability simply because any kid with a windows box and a sysinternals procmon could find it and exploit it.
The one I am really proud of is the VS vulnerability, not because of "how" i found it, but simply because I had to sit down and code a VS add in that will pop a "PWND" message-box, it was a quick and interesting challenge :)
P.S.
When I say "Proud" I don't mean "first born proud", just proud of a completion of a challenge :)
In March 2012 Microsoft patched 2 vulnerabilities i discovered, one in visual studio and the other in Microsoft expression blend.
Now before I begin diving into the technical side of things, let me give you some background of why did I take a look into MS products.
it is actually quite funny and childish, but it makes me smile so I'll share it any way :)
last august I had the fortune of attending Black-hat and defcon, during my touring of the booths at Black-hat I stumbled upon the Microsoft booth and had a very nice chat with the nice folks over there, during which I learned that Microsoft has an annual party that they throw at Black-hat, so I was thinking => I want to go to that party, after all I am a nice guy and I like parties so I'll ask for a ticket.
but I didn't get an invite... turns out you need to find a security vulnerability in one of Microsoft's products to get in to that party.
Challenge accepted :)
Now let us dive a bit into the technical, shall we? :)
(I will be talking about http://technet.microsoft.com/en-us/security/bulletin/ms12-mar )
I will start with Bulletin 5
(Microsoft Expression Design) which I personally aren't too proud of finding, since it was way too easy to find, total effort was like 30 minutes late at night including the email to Microsoft.
back on topic than, this Bulletin is classified as "Remote Code Execution" , a more low level description will be "DLL Hijacking",
For those who don't know what "DLL Hijacking" is, here is a quick intro:
Sometimes an application needs to load libraries to handle the opening of a file, for example: a file that has a file association set in the Windows operating system will opened with a predefined application whether it is on a local folder on the user hard drive or on a network location.
These libraries are sometimes libraries that are installed in the operating system when the user first installs a program, now if the developer of that app did not follow Microsoft guidelines and did not follow the steps at:http://technet.microsoft.com/en-us/security/advisory/2269637 the application is vulnerable for remote code execution attacks via DLL Hijacking.
Now back to the bulletin:
When opening specific files with Microsoft Expression Blend from a network location, a certain DLL is called first at the network location, allowing an attacker to do what they want on the user machine.
(I wanted to specify the DLL name but it is late and I am too lazy to dig for the original mail I sent to MS)
Now to my favorite: Bulletin 4
MSRC has this under "Elevation of Privilege"
(I will be talking about VS2008, VS2010 does not have this vulnerability manifesting the same way)
This is similar to the concept of a DLL Hijacking only this time the thing being "Highjacked" is a visual studio Add-in.
Yes, a Malicious Add-in for your visual studio! (me thinks it is cool)
How does this happen?
Simple, when a developer opens specific files associated with visual studio (there are plenty) the visual studio will load first and then after the development environment has loaded will it load the specified file.
The magic happens when the Visual studio loads, because when it does it will load it's add-ins from that network location, Yes... every time a VS2008 instance opens a file from a network location it looks for add ins in that location first before rolling back to the default location on the user's hard drive.
under VS2008 you can just put any add in you like and the development environment will load it and list it as one of the add ins, this does not affect VS2010.
in VS2010 there is a predefined list of add ins, I did not research this any further simply because I still have a day job and all this was done on my own time. and yes, I do have a life, so research_time--;
Conclusion:
To sum things up, I am not proud of finding the DLL Hijacking vulnerability simply because any kid with a windows box and a sysinternals procmon could find it and exploit it.
The one I am really proud of is the VS vulnerability, not because of "how" i found it, but simply because I had to sit down and code a VS add in that will pop a "PWND" message-box, it was a quick and interesting challenge :)
P.S.
When I say "Proud" I don't mean "first born proud", just proud of a completion of a challenge :)
Monday, November 7, 2011
chrome decode file names
If you browse with chrome be aware that it might decode the file name and save it as something different, for example, if you see a file named :
calc.txt.%65%78%65
it will be saved as
calc.txt.exe
on your hard drive.
will not be fixed.
Added:
response from the server when downloading a file:
calc.txt.%65%78%65
it will be saved as
calc.txt.exe
on your hard drive.
will not be fixed.
Added:
response from the server when downloading a file:
HTTP/1.1 200 OK Content-Type: application/octet-stream Cache-Control: private, max-age=86400 Expires: Mon, 07 Nov 2011 20:07:17 GMT Date: Mon, 07 Nov 2011 20:07:17 GMT X-XSS-Protection: 0 Content-Disposition: attachment; filename="calc.ex%65" Content-Length: 776192 X-Content-Type-Options: nosniff Server: GSE
The file will be saved as "calc.exe". Maybe just a content-disposition header issue, but hey, that header is optional! (cynicism intended)
beware of malicous google calendar invites - food for thought
It would appear that it is completly possible and with ease to send meeting invites which contain executables using gmail and google calendar.
example:
example:
This is how it will appear in the inbox of an unsuspecting human:
Now the attachment is hosted on Google docs, from which you would need to download and run it.
I know, I know, It isn't really an "evil attachment" it is just a link to an executable...
but, it is a google calendar invite hosting a link to an executable file on google docs.
now I know a few people who aren't as paranoid as me and would trust google hosted files more then just a random hosted file on some unknown server, but then again, that is just me :)
Food for thought.
Monday, October 17, 2011
Integer overflow in Microsoft C++ SizeOf operator
I was reviewing some code in C++ and came up to a line in the code that was performing calculations using "SizeOf" ,something in the lines of:
value = sizeof(A)+sizeof(B)+sizeof(D)
At this point a thought came to me and I needed a break anyway, so I've decided to do a little test, I decided to write a small program that will edge case test the SizeOf operator.
The SizeOf operator in C++ is a unary operator that is being calculated during compile time, meaning the compiler replaces the result value with constant values in the final assembly code.
So a SizeOf(int) would be 4 in the final assembly.
The SizeOf function return a result of type size_t which is defined by Microsoft like this:(From crtdefs.h)
#ifndef _SIZE_T_DEFINED
#ifdef _WIN64
typedef unsigned __int64 size_t;
#else /* _WIN64 */
typedef _W64 unsigned int size_t;
#endif /* _WIN64 */
#define _SIZE_T_DEFINED
#endif /* _SIZE_T_DEFINED */
/*__int64 nHuge; // Declares 64-bit integer*/
So far so good, everything looks to be in order, right?
Not quite…
Now, back to the test:
I started a new C++ console project in VS2010 and I defined a 4Gig struct in it like so:
typedef struct {
char bytes1[1073741824]; //1 GIGA
char bytes2[1073741824]; //1 GIGA
char bytes3[1073741824]; //1 GIGA
char bytes4[1073741824]; //1 GIGA
} DATA;
Then later in the main function I calculated it's size into an unsigned 64 bit variable,
unsigned long long d = sizeof(DATA);
I added a printf to the variable to see what turns out, Then I compiled the code in Visual Studio 2010 under a 64bit configuration (i.e. with the _WIN64 define set) successfuly with no errors or warnings.
Any guesses on what is the output?
Is it "4294967296"? Or is it "0"? Or "1"?
Drum roll please!
The result is "1"! Que the "WTF?!?"
When looking into the output assembly it looks more odd:
mov edx, 1
Que the second "WTF?!?"
Wait... Didn't I just compile this in x64? with all x64 flags set?, yes I did... so why in the hell is the edx register being used?
In short - Yes.
This is a bug in the Microsoft C++ compiler. I have submitted it to Microsoft and they confirmed it as an issue,
However... it is not a security issue. just a bug :)
Thursday, October 13, 2011
My experiment on the life cycle of reporting security flaws
Prolog:
As I am not doing security research externally to my place of employment, I just wanted to understand how do independent security researchers feel like, how do they report vulnerabilities responsibly and how do they deal with vendors.
I must say, at first I did not think that security researchers have too much trouble with vendors, I mean, my guess was that vendors appreciate vulnerabilities in their products being reported to them first so they will fix them, and not be… how to put it lightly… Dicks about it.
Story:
So this is the tale of me trying to report a vulnerability. But first a vulnerability must be found. So I went by the way of the Hacker, from the easy way to the hard way (after all, who has time to dig into stuff when you have a day job). What can be more easy than to Man-In-The-Middle my iPhone and see what goodies can I find on my installed apps. After trying the obvious ones (Facebook, Skype, 4Sq etc. ) I moved to my final app, The app is called "MyOrange".
In Israel we have several cellular providers, one of the biggest is a provider called "Orange", this provider decided it would graciously provide it's iPhone users with an application to view their current cellular bill and text messages total cost, including among other thing a past 5 months graph representation of their bills.
So far so good… While I was Mitm the app I noticed that it was authenticating to it's backend by SOAP messages in the clear (bad idea) but that’s not the jewel, the app was using the iPhone unique hardware identifier AKA UDID, sent in plain text to authenticate the device.
So what's the risk?
Someone sniffing traffic over an unsecure or secure Wi-Fi network can easily impersonate a device in front of the provider backend web service and extract billing information and a few more personal details.
At this point I thought, OK, now I have something, not a crazy 0day, but something that will allow me to approach the cellular provider and start a responsible disclosure process.
Contacting the vendor:
I started by sending emails asking for an application security staff member to contact me because I have found a security vulnerability in the iPhone app, I sent that email to two emails:
- The generic support email - I know it is a lame thing to do, but I still wanted to try that approach
- A "Contact us" email address I extracted from the iPhone app.
The first email I sent was replied to a week later with "We do not know what you are talking about, bye".
The second email was replied to a day later by the development team leader, asking me for my phone number so we could chat over the phone and I could provide him more details.
Once we had that pleasant conversation and I explained the vuln to him, he said he will investigate and come back to me, I also sent a detailed description on how to reproduce the issue, which was annoyingly simple.
A month has gone by…
So I sent a reminder email basically requesting an update.
A week after that I get a response saying that this is not an issue (WTF?!?) and that for a malicious user to get hold of the UDID he would need physical access to the device or the assistance of the device owner. (WTF No.2)
At this point I was thinking to my self: "OK, take a deep breath... they must have misunderstood you", and once I calmed my self down I replied to them with an email saying that this is an issue and if that was not enough their app is sending data in the clear.
I waited another week before I lost patience again, what pissed me off this time was that the app was updated in the app store but was still vulnerable (!), this time I sent a real life capture of the authenticating SOAP message, and again explaining what the risk was.
I was busy with my day job so this time I waited about a month and a half before I sent another reminder email to the team leader and another contact he CC'd during our previous email exchange, now here comes the funny bit, a week after my reminder I get an email in my inbox from that other contact addressing the team leader saying "We should probably answer this guy, it would be rude to keep ignoring him". So I after I ROTFL I replied to that contact he should probably send the email to the team leader and not me :)
Two more weeks have passed… Total time since discovery is now 4 months.
I decided that enough is enough, I found out the Company CSO email and sent him a direct email explaining the vulnerability. I got a response from him that same day telling me that the issue will be explored and investigated, this time it felt like something is going to happen and I will not be ignored, so I went on and focused on my day job duties and forgot about this for a while.
Until almost three weeks later I received a response from the CSO saying that the issue has been explored and there are several ways to mitigate the issue and he will inform me of the selected method the next day. After my experience with these guys I thought… "Next day" right, you are going to ignore me for another few weeks, so Imagine my surprise when I got a response from the CSO less then 24hours later telling me that they will mitigate the issue with SSL over Wi-Fi.
And that is all that was needed, freaking SSL over Wi-Fi and around 5 months of emails and ignorance.
I was so excited this thing was over I sent a hearty "thank you" email to the CSO, he literally mad my day :)
So what my take?
So, this entire effort was to get an idea as to what it is like to be a security researcher out there, trying to help vendors secure their products. And I can say without a doubt that is it hard work! And I am not referring to the vuln finding process, I am talking about dealing with the companies/vendors, trying to explain to them that they are vulnerable or they put their clients at risk! But they just won't listen.
So if you are reading this and you are a researcher who has encountered a case similar to this in the past, I take my hat off in respect, and I want to add: Keep up the good work! :)
Subscribe to:
Posts (Atom)