I was recently playing with a Wingate Proxy server, came across some arbitrary interestingness.
So, WinGate proxy includes a remote management agent which is accessed via a client utility called GateKeeper. This allows one to configure the WinGate server across the network. However, its not enabled to listen on the network by default, and only listens on 127.0.0.1:808. From my perusal of the documentation, the remote administrative facility should only be available to enterprise and professional license holders, and those firms using standard edition licenses will have to configure their proxy software locally.
In any case, WinGate proxy supports using CONNECT methods to negotiate connections for SSL-based web-sites etc, but no access control is in place to prevent users using this method to connect to 127.0.0.1:808. This, along with some python-fu, makes it a trivial task to access the remote administration service across the network. This is illustrated in the following images.
Naturally, after knocking together a little proxy tunnel script, I remembered an idea Gareth had a number of years ago for scanning networks and port ranges via badly configured proxies, and decided to incorporate them into the original tunnel script. An example is illustrated in the following image...
So, enter MonSoen.py. A cute (and probably entirely unnecessary) python-based script for tunnelling connections through proxy servers, scanning networks using GET or CONNECT and otherwise being miserable to others (nods at Gareth).
i go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science, programming (and some sprinklings of management classics).
I generally stay away from writing reviews, but was genuinely suprised at the number of 5 star reviews Viega's new book had received and felt i had to chime in.
I picked up "the myths of security" (what the computer industry doesn't want you to know) with hope, because O'Reilly books in general are well done and i really liked some of Johns previous books. Alas! I tried hard to think of a good thing to say about the book, and the best i can come up with right now is that "at least, it wont take up space on my bookshelf".
Advertising++ The Foreword alone uses the word McAfee 14 times, and over the 48 chapters, the word McAfee goes on to appear about 65 times. This is acceptable on a blog, in a book i just paid for its slightly annoying.
Target Audience I agree with Bejtlich who cant figure the books target audience. One chapter might give explanations in crayon (presumably for the less sophisticated user) while the next chapter might give advice for how to label the security technology you plan to sell.
Consistency There are a number of times in the book where the author takes opposite sides of an argument (in different chapters). This is useful if coherently positioned as 2 sides of an argument, but if this is used on different arguments on different pages, it seems more like the author is merely choosing the position thats convenient to support his view at the time...
It's slightly odd when compared with his take on security spend to hear the author say this about the TSA and their "Security Theater": "But there's some hidden value here—it makes people feel safer. Whether it works well or poorly, it is better than nothing and it makes people feel better."
General whining (by me). The author dedicates a chapter to Mobile Phones titled "OK, Your Mobile Phone Is Insecure; Should You Care?". He concludes with: "Sure, there will always be the occasional virus for smartphones, but I don't see an epidemic emerging. At the end of the day, there is still lower-hanging fruit for the bad guys. It is still far easier for them to make money attacking traditional PCs and laptops then going after mobile phones. That may eventually change, but I'm not going to hold my breath."
I think the view that you only need to be worried about the ability of your device to withstand an attack "epidemic" is wrong on so many levels. Im far less worried about my iPhone becoming part of a botnet than i am of the fact that these days huge parts of my life are on it, and can be grabbed by Charlie Miller if he is willing to pay the $0.20 to send me a few SMS'es.
In his Epilogue, he writes: "But instead of preaching that the customer is hosed, I'm preaching that the security industry is hosed—I don't think customers are hosed at all." which is an interesting contrast to his chapter on PKI that ends with "That leaves the Internet fundamentally broken."..
Of course the lines that most bothered me were in the chapters on Privacy and Anonymity. Privacy gets just under 200 words but includes the classic line: "privacy is nice in theory, but if you don't have anything to hide, what's the big deal?"
Hmm.. OK.. lets see the take on anonymity before responding.
Anonymity gets 166 words (wow - 100 words more than the word McAfee!) and once more ends with the classic: "Oh, and I've got nothing to hide anyway…."
The author cites the example of Zero-Knowledge, who built a paid service to surf anonymously which "worked pretty well, but nobody cared".
Once more, i think there is so much wrong here, that im not sure where to start. Having to convince someone that Privacy is important even if you cant sell it seems like a pretty old argument to be having..
In general, i think its safe to say that the book left me disappointed, and a little bit afraid that somewhere decision makers could be forming an opinion on an entire industry based on ~250 words dedicated to a topic that deserves much more thought..
Performing authentication on a massive userbase with whom there is zero offline interaction is hard, especially when it comes down to the degraded authentication required by password reset processes. Considering that web interfaces appear to be the dominant channel by which cloud services are managed (we touch on the implications here), a flawed password reset process can mean that attackers gain access to more that simply your mail.
In August last year, TechCrunch published a way to enumerate usernames on MobileMe. We abused this further to target a specific user on MobileMe in order to reset his password. As the video shows, the process only requires a birthdate (which is generally obtainable either through FaceBook, Wikipedia, Amazon wishlists or the like) and a secret question. Again, with enough digging the answer to the secret question is often guessable. In the video above we show a toy example of the password reset working against a SensePoster.
Apple has since patched this bug.
Finally, we demonstrate the password reset attack against Woz's MobileMe account. We stopped before actually resetting his password, but in his own words he stores mail, calendaring info and other information that is sensitive to him on MobileMe, and the ability to XSS the page would mean that the continued compromise of the account was possible.
Theft of resources is the red-headed step-child of attack classes and doesn't get much attention, but on cloud platforms where resources are shared amongst many users these attacks can have a very real impact. With this in mind, we wanted to show how EC2 was vulnerable to a number of resource theft attacks and the videos below demonstrate three separate attacks against EC2 that permit an attacker to boot up massive numbers of machines, steal computing time/bandwidth from other users and steal paid-for AMIs.
For this video we wanted to consider a DoS on the EC2 from within, by running as many AMIs concurrently as possible.
Since sign-up for the sevice occurred in a browser, it was possible to script this process (using Twill for the most part). The first attack would be to boot hundreds or thousands of instances under one Amazon account, however an upper bound of 20 running machines per account is enforced by Amazon. Our approach was one step removed from this; we created multiple accounts and then ran the 20 machines. Each new account would also create multiple accounts and then run 20 machines. One iteration of the create-accounts-and-boot-AMIs cycle took three minutes; by the ninth iteration the projected number of running instances is ridiculous. It's apparent that this recursive registering of accounts and booting machines means that the number of running machines grows exponentially and this could continue until the system can't handle the machine load.
Our approach was effective because the registration process took no steps to prevent automated sign-up. In testing a single credit card was used to create our accounts which is an immediate anomaly however a malicious attacker would use stolen CC data to ensure that CC checks did not prevent new account registration.
As has been mentioned, users can choose AMIs from a list of machines that is mostly user-generated (out of 2700 odd machines, 47 were built by Amazon and the remainder by other users.) It is easy to add a machine to this list; simply create a new AMI and in its properties mark it as 'public'.
Our idea was to create a malicious AMI and add it to the public listing, with the goal being to show that users will run AMIs without any consideration for who built it or whether nasties were included. We quickly created an AMI, uploaded it and... nothing. No one ran the image and it seemed that people weren't so easily fooled.
Digging a little deeper, however, revealed that when our image was created, it was dumped on the second last page of the AMI listings and so users would have to surf through more than 50 pages of images before coming across our AMI. If Google has taught us anything, it's that ranking counts and so we needed to boost our machine up the AMI listing.
It turns out that the AMI listing is ordered by the AMI ID, which is a random id string that is generated when the AMI is created. Our process was then slightly modified as follows: we scripted the AMI registration process so that it was trivial to register an image. We then looped the registration script to create and register an AMI, and tested to see whether the randomly assigned AMI ID was low enough such that our AMI was listed on the first page.
Our first attempt took about 4000 iterations and landed us a top 5 spot in under 12 hours. A subsequent attempt took less than 4 hours to land a top 5 spot.
This was great, but our image was unattractively named 'qscanImage' runing on the 'Other Linux' platform, which didn't say much about it.
It turned out that we had a great degree of freedom in naming images. Images were stored in Amazon S3 buckets and the buckets had globally unique names. We tried buckets with names such as 'fedora', 'fedora_core' and 'redhat', but all these were taken, however with a small degree of evilness the bucket 'fedora_core_11' was available and so registered. The registration race was repeated with the better named machine, and after a little while we landed the AMI on the front page as shown in the screnshot below:
What's funny is that the machine was the highest listed 'Fedora' AMI, so a user who was specifically looking for a Fedora image would come across our evil image first.
In reality our image did not have anything malicious except a call-home line in '/etc/rc.local' that would 'wget' a file on our webserver, to show the image had been booted. The screenshot below shows the logline from our webserver which proved the image had been booted; this occurred in a little under four hours after the instance had been made public.
Our final Amazon video shows how it is possible to remove ancestry information from AMIs. When a paid-for machine is created, Amazon stores information about the owner of the machine in its manifest (which is an XML document) in order to pay the creator of the image. Our attack works as follows:
We aim to circumvent some of these controls in order to access more resources than should be allowed, and we demonstrate this on the Force.com platform which supports the ability for a developer to upload and execute custom code. Our proof-of-concept was to port Nikto into a Force.com application, and we named it Sifto.
In order to write applications on Force.com, a developer account is required (this is freely available). Applications are coded in the Apex language, a Java-like language for business logic, and is proprietary to the Force.com platform. This platform supports datastore operations through built-in language constructs and the API enables a developer to make HTTP callouts, tie Apex code to WS endpoints within Force.com, send emails as well as tie Apex code to an email endpoint within Force.com. The datastore is useful for maintaining state between multiple iterations of the event loop (described shortly) as well as providing a way to send emails for free via update triggers (emails sent from within Apex count against the daily limit).
With all this in mind, we focused on creating event loops the were initiated by a single user action, to show how significant free computing resources were available if one is prepared to put in the legwork of learning new languages and platforms.
The event loop method shown in video 1 was still subject to unpublished limits, and so instead of scaling by extending the number of iterations of the event loop, we decided to try and scale by registering many accounts. This was useful since accounts had zero cost. All that remained was to automate the registration process (see the slides for more details on this), and we accomplished this as shown in video 2, where a shell script automatically registered a bunch of accounts. The trick that allowed us to bypass the CAPTCHA in the registration page was a bug in the CAPTCHA script that also provided the image's text in ASCII-text (look for the lines "captcha captured:" in the video).
Of minor interest was that each account was registered in a different country. Since SalesForce assign accounts to instances (or geographically dispersed clusters) according to the customer's claimed location, we were able to register accounts on both the NA6 and AP1 instance, or North America and Asia Pacific respectively.