XSS Cheat Sheet Calculators Revived

I’m dusting this blog off to write up some of my side projects from the past few years, and I notice I still have a link to to RSnake’s now-dead “XSS Cheat Sheet” page.  To this day, I still try to bring that site up just to use the little Javascript calculators at the bottom of the page.

There is still mirror of the original site on archive.org, but I’ve ripped out just the Javascript calculators and put them here as a single file:

https://www.awgh.org/pxsscs.html

Use it from the site, or download it and use it locally.  You can even add the list of XSS string suggestions back in if you want to, although the maintained version now lives at OWASP (although the OWASP version is missing the calculators).

How To Win At Java Code Audit

Reviewing Java source code can pose a challenge for a security auditor, as methods used to exploit programs in C or C++, namely memory corruption bugs, are mitigated by Java itself, which hides the details of memory management from the programmer.  This same tendency to hide implementation details with a layer of abstraction leads to an entire class of common Java programming errors which can have a critical impact on the security of the application.

Java vulnerabilities are most commonly found in places where unsanitized user input is passed, directly or indirectly, on to an underlying library or service.  To put it another way, vulnerabilities aren’t found in the Java code itself, they are found by following user input through the Java source and out the other side.

The tendency of Java to hide implementation details from the developer actually creates these vulnerabilities in places where it might not otherwise exist.  Java developers use wrapper libraries for backend services, such as SQL or LDAP, and assume that they automatically sanitize their inputs, when usually they do not.  In most cases, Java wrapper libraries themselves are simply classes that store and manipulate strings which are just passed directly on to the wrapped service.  In many of these implementations, such as the ORM library Hibernate, there are architectural reasons why this behavior can not be changed.

In this post, I will describe a class of extremely common Java vulnerabilities, specifically these “pass-through” bugs, characterized by user input passing directly through Java unexamined.

Continue reading “How To Win At Java Code Audit”

Dehydra-GCC: Static Analysis for Poor People

Over the past few months, I’ve been playing with a new static analysis tool from Mozilla called Dehydra.

Dehydra is a GCC plugin that allows you to write Javascript that can perform queries on the Abstract Syntax Tree (AST) that GCC generates from source files.  This lets you write a script that can notify you when it sees any type of code construct that you can describe in script.

There are a number of code constructs that might be interesting to a code auditor, for example:

  • Calls to asnprintf, malloc, or calloc with unchecked return values.
  • Assignment operations where the datatype of the Left Hand Side is signed and the Right Hand Side is unsigned, or vice versa.
  • Assignment operations where the datatypes of both sides have different bit-lengths.

The possibilities are much greater than my short list of examples!

I will be the first to admit that static analysis has its faults.  For one thing, it has been proven that static analysis cannot discover all possible bugs in any given program.  Commercial static analysis tools, such as Coverity, are expensive and have not proven to be a particularly effective method of finding bugs by themselves.  I have heard many accounts of nasty bugs discovered by code auditors when looking through source code routinely scanned by Coverity.

That said, on Day One of a code audit, 4 out of 5 code auditors find themselves reaching for Grep.

Grep is great, it lets you search for regular expressions across many files very quickly, but Grep has no awareness of the syntax of the C++ programming language.  I’m really more interested in searching for specific code constructs and less interested in searching for substrings, which is Grep’s purpose.

When looking for vulnerabilities, I’m not interested in searching for the string “malloc”.  What I really want to know is more along the lines of “Where are all the calls to malloc where the return value is not checked”.  I don’t want to know all the locations of the string “int” as much as I want to know every location that a variable of type int is implicitly cast to an unsigned int when passed in as a function argument.

This is the great thing about Dehydra.  It lets you query the parsed syntax tree of C++ source code and ask the kinds of questions that can’t be easily answered by Grep.

Scripts for Dehydra are written in Javascript by way of the SpiderMonkey engine.  Javascript is a nice, small language that is good for operations on tree-like data structures.  In a browser, this would mean the DOM, but in GCC this means the AST!

Dehydra is still in development, but the developers have been extremely responsive to feature requests from security auditors ( well, mine anyway… *grin* ).

It would be great to see a bunch of people contribute scripts and build a big set of security scanning scripts to replace the venerable regular-expression-based FlawFinder as the king of no-budget security-oriented static analysis.

Try it out and get back to me.

Setup and Installation Instructions for Dehydra on Linux or OSX

I’ve included a sample Dehydra script below that logs a message anytime it sees certain assignment operations.

The full sample script, along with a test file, is available here.

function assignVisitor(node) {
   for(var i in node.statements) {
      var loc = node.loc
      var lhs = node.statements[i].type
      var rhs = node.statements[i].assign

      if( rhs && lhs ) {
         if( lhs.unsigned ) {
            if(parseInt(rhs[0].value) > 0) {
               print( "ASSIGN: negative to unsigned at:"+loc+"\n" )
            }
            else if(rhs[0].type && !rhs[0].type.unsigned) {
               print( "ASSIGN: signed to unsigned at:"+loc+"\n" )
            }
         }
         else if(rhs[0].type) {// lhs is signed
            if( rhs[0].type.unsigned ) {
               print( "ASSIGN: unsigned to signed at:"+loc+"\n" );
            }
         }
      }
   }
}

function process_function(decl,body) {
   iter(assignVisitor, body)
}

Groo: Fully Automated WEP Cracking

Updates Below!

I don’t know about the rest of you, but I have an entire room of my house which is simply a huge pile of electronics scrap.  A hacked Tivo, some chipped XBoxes, an old VCR, a pile of PCI video cards, a full shoebox of 64MB Compact Flash cards…  You get the idea.

One day, I decided to put some of this junk to good use and I wandered into the scrap heap looking for inspiration.

Inspiration came in the form of an Atheros wireless card and an old ITX barebones system that had been picked up from a junk table at DefCon for $60 the year before.  The ITX box has a single PCI slot, perfect for a decent Atheros wireless card with an external SMC antenna connector.  It also runs on 12V DC power, so I can run it off the car battery.

Over the next few weeks, I built a small embedded Linux system for the sole purpose of cracking WEP keys.

First, I added a USB wireless network card to use as a control interface that I could access from my iPhone.

I also built a small web service that completely automates the process using the Python web framework TurboGears, aircrack-ng, and screen.

The web interface is incredibly simple – it uses only a single combo box.  This makes it ideal for using from the iPhone.

Now, instead of being the sketchy guy sitting in my car with a laptop, I’m just another Seattle-ite staring into my iPhone while the computer doing the WEP cracking is running off my car battery halfway down the block.

Everything in the web interface is fire-and-forget.  You can view a list of available networks, select one for cracking, and it will automatically:

  1. Reconfigure the wireless interface to the correct channel
  2. Begin dumping packets with airodump-ng in a screen session
  3. Begin an ARP replay attack with aireplay-ng in a screen session
  4. Automatically kick off the actual WEP cracking by starting aircrack-ng in a screen session
  5. Once the crack has succeeded, save the ESSID, BSSID, and cracked WEP key in a SQLite database

Since each of the aircrack-ng tools are running in a separate screen session, you can disconnect from the control interface as soon as the crack starts.  You can also reconnect at any time during the crack and view each screen session separately.

When close enough to a target for the ARP replay attack to work, this script averages only 3 minutes to crack a WEP key.  This is on an ITX box with a wimpy Cyrix C3 processor with only 256MB of RAM!

My scripts and installation instructions available here.

Update:

I have ported these scripts to the EEE pc (I use Ubuntu Netbook Remix on a 900A), available here.

However, I can’t get airodump-ng to actually capture any packets!  I believe this is a problem with my madwifi driver, but I haven’t sorted it out yet.  Hopefully, if I post the scripts one of you can help me out 🙂

Another Update (October 2010):

Hello Hackaday!  Since writing this initial version, I’ve since learned a lot about Python job control.  Check out the Jabbercracky project, also on this site.  I’m planning on a much-improved version of Groo, using what I’ve learned from Jabbercracky, which will also add some new tricks, including some available WPA cracks.  I’d also like to improve the installer, and to also provide builds for Ubiquiti networks hardware.  If anyone is interested in helping out, please email me at awgh at awgh dot org.

Stay tuned…

XSS Vulnerability in Internet Explorer HTML Attachment Download

Update: MS fixed this issue in the IE8 6/9/09 security update.  Now IE8 behaves like Firefox (unclear on whether ‘X-Download-Options: noopen’ still exists at all).

I have noticed a Cross-Site Scripting vulnerability in the way Internet Explorer handles the downloading and opening of HTML files when they are downloaded as an attachment, rather than opened normally. This vulnerability exists in all versions of Internet Explorer, including the latest patch level of IE7 as of 12/23/08.

This vulnerability related to sites serving user-submitted HTML files with “Content-Disposition: attachment”.

When directly opening a downloaded HTML file, Internet Explorer violates the Same Origin Policy by allowing any script inside the downloaded file to access the cookies of the site the file was downloaded from. This script should be restricted to running in a local context, not a domain context.

Firefox exhibits better behavior by first downloading the HTML attachment and then opening it with a file:// URL. When scripts in the downloaded HTML file are executed, they are treated as if run from a local file, not as if run from the domain the file was downloaded from, and they cannot access the source domain’s cookies.

This vulnerability would allow an attacker to execute a Cross-Site Scripting attack on a site that allowed uploading file attachments. An HTML file could be uploaded containing malicious script that could steal user credentials or forge user actions on the site (if downloaded and opened by an IE user).

I have created a screencast reproducing the incorrect behavior in Internet Explorer as well as the correct behavior in Firefox. Additionally, I’ve set up a downloadable HTML file that you can use to reproduce the issue yourself!

The screencast and example are available at: https://www.awgh.org/iebug

Microsoft has addressed this issue in IE8, but their solution leaves me with some questions.  The write-up in their development blog is here, skip down to the section titled “MIME-Handling: Force Save”.  This section acknowledges that this is a potential vector for script injection in IE and describes the solution as implemented in IE8.

The solution in IE8:

The web server can set the response header “X-Download-Options” to the value “noopen”.  This will tell Internet Explorer to only offer the option to save the file or cancel.  It simply removes the “Open” option when this option is set.

I see two problems with this solution.  First, call me a pessimist, but I can see someone actually disabling “noopen” simply to bring back the “Open” dialog option.

Second, I doubt that most web server admins are going to be worried enough about this issue to remember to set this header, or even know they should do it.  It’s a bit of an esoteric bug – it only affects sites that serve untrusted HTML with “Content-Disposition: attachment”.  Even if Microsoft web servers set “noopen” by default, I doubt that most LAMP admins will bother adding this to their server options.

Why force the server to fix this problem?  Why not treat the “Open” option the same way Firefox does, by first downloading the file, then opening it with only a local script context?

This method of script injection will continue to work in Internet Explorer 8, as long as the site has not set the “X-Download-Options” header to “noopen”.

So the moral of the story:  If you are the admin of a site that serves untrusted HTML files with “Content-Disposition: attachment” set, please make sure the “X-Download-Options” header is set to “noopen”.

Weaponizing Mailinator

There has always been something deeply unsettling to me about the ‘Forgot Password’ functionality on many web sites.

The ‘Forgot Password’ page exists solely to help unauthenticated users bypass the usual means of authentication.

For whatever reason, many developers overlook the importance of locking this down, even after the issue of too-easily-guessable questions in Yahoo’s ‘Forgot Password’ procedure got a lot of media attention during the US presidential campaign after Gov. Palin’s webmail was hacked.

Even if the questions were based on specific preferences and more difficult to guess, very few sites will check for brute-force attempts on the ‘Forgot Password’ page, even though protections against brute-forcing have often been implemented in the more prestigious login page.

One other recommendation I usually make is the banning of email addresses from Mailinator, Slopsbox, and similar anonymous email services in registration.

If you’re not familiar with Mailinator, it’s an email server which displays ALL received emails to anyone who visits their web site.  Say you were registering for some web site and they asked for an address to send the validation email to.  You can just enter any email address at Mailinator, for example asdf@mailinator.com, and then go to www.mailinator.com and read the response.  This is great for not having to give out your real email.

What this means, however, is that I can simply go to the ‘Forgot Password’ page, which usually requires only an email address, enter asdf@mailinator.com, and a password reset email will be sent to Mailinator where I can collect it anonymously.  Any user account on any web service which was registered to a Mailinator email address can be compromised simply by guessing the email address.

Here’s where the brute-forcing comes in.  Since most sites let you make as many guesses on the ‘Forgot Password’ page as you’d like, there is nothing stopping an attacker from simply guessing email addresses at full tilt.

To demonstrate the effectiveness of this technique, I’ve written two example scripts, called the Mailinator-nator, which are available here.

The first script is called forgot-pwd-force.py, this script does the following:
1) Brute forces “Forgot Password” forms that only require email addresses on a hardcoded list of sites, using a wordlist of usernames.
2) For each username, tries each of the Mailinator domain aliases (Mailinator has a number of different domain names that point to the same place).

The second script is called mailinator-scan.py, this script does the following:
1) Reads a wordlist of usernames from a file.
2) For each username, connects to Mailinator and logs all emails to that user which contain the word “password”.

To use these two together, first add your target sites to forgot-pwd-force.py.  You can use one of my included wordlists or make your own, just be sure to use the same wordlist for both scripts.

Next, run the first script to force the target site to generate password reset emails to Mailinator addresses.

Wait a few minutes, and then run the second script to collect all of the return emails from the Mailinator server.

The second script can also be run as a cron job, which lets you troll Mailinator for password reset emails that you did not trigger yourself!  Mailinator deletes all received emails within an hour or two, so you may have to tinker with it to find a good interval.

I love Mailinator, so I checked and this doesn’t seem to violate their terms of service.  Looking at their site, they don’t seem to have terms of service!  This makes some kind of sense, since all users to the site are anonymous.  That said, actually logging in to a web site with a password recovered in this way is probably illegal in most jurisdictions so don’t do it.

As a site developer, what can you do to prevent these kinds of problems?

1) Ban registration emails to Mailinator and all of its domain aliases.

2) After 10 or so failed attempts to guess an answer on the ‘Forgot Password’ page, ban the IP for 5-15 minutes.

3) Require more than just the email address to send a password reset email.  Consider at least two factors: email address AND one security question.

These three measures will protect your ‘Forgot Password’ page from brute-forcing and dictionary attacks, as well as protecting your users from having their accounts stolen.

As a user of Mailinator, you can reduce your exposure to this risk by making use of the ‘Delete This Email’ feature of Mailinator and by using a long, difficult to guess user name.

EFI and Evil

There is a legend you may have heard of a lowly system administrator who notices a bunch of extra network traffic coming from one of his workstations.  It appears that every packet sent from the workstation is copied and forwarded to an IP address in a country with no extradition treaty.  The admin figures that some kind of rootkit is installed, so he completely reformats the hard drive and re-installs everything.  Fires the thing up anew, and sure enough all packets are still being forwarded overseas!  He can’t wrap his brain around that, so he tries completely removing the hard drive and starting with a new one.  When he gets through the second re-install, all sent packets are STILL being sent overseas.

The admin in this story made the same mistake that many people do when thinking about their computer – he assumed that all user-modifiable executable code is only stored on the hard drive.

This story is at least 10 years old, and I’ve heard it in various different forms, but the technological culprit was certainly a BIOS-based rootkit.  A BIOS-based rootkit can hide in one of two places: either embedded in the BIOS itself or in a PCI Option ROM.  As part of BIOS start-up, it will load executable code from a special ROM chip on each PCI device and execute this code with Ring 0 privileges, meaning the code can control absolutely anything the computer can do.  PCI Option ROMs are intended to let peripheral developers include some driver code that it wants to be run at BIOS execution time.  This code needs Ring 0 access, because it might need to interact directly with the ICs on the PCI device itself.  This is a feature, not a bug.

Delivering a BIOS-based rootkit is a bit more complicated than a traditional rootkit.  There are two methods for this.  The first involves gaining root privileges on the target machine by some means and flashing a new BIOS using SPI or tools provided by the motherboard manufacturer.  If your rootkit goes on a PCI Option ROM, you can also flash those with root access.  Many devices can also be reflashed over the network via PXE.  Most PCI cards have read-only Option ROMs, so this will only work for high-end network cards, video cards, or any other kind of PCI device that touts upgradeable firmware.

The second method is more interesting, and involves physically accessing the hardware, installing the rootkit, and then selling or giving the modified hardware to the intended victim.  A variation on this would be perhaps simply leaving a stack of shrink-wrapped network cards in the hallway outside a system administrators office with a Post-It saying “For IT”.  An advantage of this method is that you can flash the Option ROMs using a proper EEPROM programmer, so you can alter PCI cards that could not be altered using a software tool.  There can be several different Option ROM data segments on one physical chip, so you don’t necessarily have to stomp the existing driver code – you can just add another segment.

In the old BIOS standard, now referred to as Legacy BIOS, doing anything useful in a BIOS-based rootkit took an insane amount of time and skill.  Since BIOS runs before the operating system comes up, a rootkit developer would have no access to system libraries, filesystem drivers, or a network stack.  If the rootkit needed any of these features, the developer would have to write everything from scratch and interact with all of the involved chips at the lowest level (try to do TCP with only peeks and pokes using numbers gleaned from blueprints of chips, in short: HARD-FREAKING-CORE).

That was the past.

In 2009, AMD will start shipping EFI-compatable chipsets by default.  Intel, the main proponent of EFI, has been using it in the Itanium series, but will be using it in just about everything by the end of 2009.  Apple has already been using EFI in all of their Intel Macs since 2006.

This will spell the end of Legacy BIOS.  Most will say good riddance.

EFI has a couple of shiny new advantages.  The main reason that EFI was developed in the first place was to overcome several limitations of Legacy BIOS, including the use of 16-bit processor mode and having only one megabyte of addressable space.

As EFI has been developed over the years, it’s turned into something slightly different.  Intel has open-sourced almost all of a firmware development kit called the EFI Developer Kit or EDK, available here.

The EDK includes a large amount of sample code as well as a large set of utility libraries, all written in straight C.  The utility libraries include a variety of networking functions, including an optional full TCP/IP stack, as well as filesystem access libraries for FAT and NTFS.

Although the EDK doesn’t come with everything required to build a complete firmware, it does come with enough to build the two items of interest to an attacker: PCI Option ROMs and EFI Modules.  EFI Modules are distinct modules of firmware code that can be easily combined with each other to produce a firmware.  If you’ve ever installed the rEFIt boot menu for Intel Macs, you’ve flashed an EFI module into your BIOS.

All of these new features are designed to make life easier for firmware developers, and they do.  They also make life easier for attackers who wish to use EFI for evil.  Now, you can write a rootkit in C instead of assembler, and you can make use of pre-made network and file system libraries.

The only trick remaining is how to keep your rootkit running once BIOS execution has ended and the operating system is running.  There are a few methods available.  The easiest, and lamest, method is to simply write rootkit code out to the hard drive at every boot.  Cooler than that is using Intel’s System Management Mode (SMM) or ACPI event handlers to stash code to log keystrokes and then send it out on the network.  I have yet to see a working demo of this, and I’m told that a successful implementation requires specific knowledge of the Southbridge chip on a specifically targeted motherboard.

Update:  From talking to people at 25c3, I’ve learned that setting up a keystroke logger for just PS2 keyboards is pretty easy.  According to Peter Stuge of coreboot, to capture PS2 keystrokes you can use SMM to trap reads from io port 60, which is guaranteed to be the same on all platforms.  When the SMM trap triggers, it can run code you set up from, say, an Option ROM earlier.  There are examples of the use of SMM in the coreboot source!

There is also a common misconception that TPMs somehow prevent malicious PCI Option ROMs, but this isn’t so.

Apparently capturing USB keyboard keystrokes would be quite a bit more difficult.  Once I get PS2 working maybe… 😉

Replace Your Face Just Like The Laughing Man

Updates below!

I’d like to share two things with all of you.  The first is a dark, personal secret.  The second is a toy I made.

The secret is that for the past few months I have been harboring an unhealthy obsession with the Japanese television series ‘Ghost in the Shell: Standalone Complex.’

What I love about this show the most is one of the recurring bad guys, an impossibly-skilled hacker called the Laughing Man who exhibits a number of extremely bad-ass qualities.

First and foremost, he can hack in to people’s minds and control them.  In the show, he uses this to carry out a series of political assassinations.

During these attacks, he also simultaneously hacks in to all security cameras and news feeds in the surrounding area, and blocks out the face of the person he’s currently controlling with a custom graphic.

This graphic is a smiley face with a baseball cap and a quote from Catcher in the Rye: “I thought what I’d do was, I’d pretend I was one of those deaf-mutes…”

Watching this show the other day, I suddenly realized that I could write a program that did face detection and substitution quite easily.  Once I realized I could do it, I had to.

So I quickly whipped up a program in Processing that does the following:

1)  Opens up a video camera (for example, the web cam in your MacBook).

2) Finds all faces in the frame using the OpenCV library for Processing (installation instructions here).

3) Replaces all faces with the Laughing Man graphic, borrowed from elmex over at ta-sa.org.

Try it out yourself!  It’s minutes of fun for the whole family.  Also, it could be useful in case you ever find yourself in control of some kind of video feed.

The hack-in-to-your-mind thing will have to wait for the time being…

Once you’ve got Processing and OpenCV for Processing installed, download laugh-0.2.tgz.

Update: I’ve merged in changes from the comments!  Text now rotates and the image scales!  Thanks to Josh, Brett, and Deltadesu!