Category: Security

mjr && pentesters

From bugtraq:

So, as much as you may not like it, there are plenty of folks out there who understand that software security is a design and architecture issue – not a process of slapping band-aids on bad code until it’s, well, bad code covered with band-aids. What you’ll find is that engineers who understand engineering discipline find bug-hunting to be an utterly boring process; well-designed and implemented systems don’t need “pen testers” – they cross-check themselves. The only reason the industry is in the horrible condition it’s in today is because the vast majority of code that’s been fielded to date is crap. That will have to change. And when it does, “pen testers” will become peons in the quality assurance department.

I would say that most pentesters are failed security analysts who do not understand engineering discipline and have chosen to engage in the war of band-aids instead of learning how to build correct systems. And then there are the pentesters who really are cybertrespassers at heart, who have found a financial and moral justification for doing something for money that they’d otherwise do anyhow, for free, in the wee hours of the night.

Put differently: either way you slice it, pentesters aren’t worth a bucket of warm spit as far as I am concerned.

There would be so many things to say, that keeping my mouth shut is maybe the best thing to do.
Well, almost.

I’ve always felt part of the “quality assurance department” when I was asked to prod things that had or were being deployed, just to be sure that another pair of eyes would spot more security problems; never felt like a peon though. Damned self-esteem.

It looks like Marcus is not taking into consideration that even deploying perfectly secure “software units” there always can be unexpected/funny/dangerous problems glueing them all together.

Safari/Mail exploit

Ovvero “gli errori concettuali”.

*Update 15:00, mi sono reso conto che le informazioni non sono chiare per chi non ha chiaro come funziona il giochetto: ne ho aggiunte sperando di chiarire*

Heise.de nella persona di Michael Lehn ha trovato un efficace e divertente modo di mandare automaticamente in esecuzione uno shell script usando Safari (e anche Mail, pare).
Analisi del problema:

  • Safari trova un file .zip
  • Una volta scaricato, ha l’abitudine di scompattare automaticamente questo formato
  • Se e` spuntata l’opzione “Open Safe files after downloading”[1] Safari tenta di passare il file ad una applicazione adatta a gestire quel formato
  • Piu` nello specifico, se il file contiene la parte di metadata che specifica con quale applicazione gestire un file, Mac Os X la onora. (nello specifico, __MACOSX/._)

(Il workaround per ora e` togliere la spunta da quell’opzione).

Il problema e` che la decisione se il file sia “safe” e la scelta dell’applicazione con cui aprirlo evidentemente vengono prese secondo criteri diversi, con l’effetto che uno shell script (con l’estensione .jpg, ad esempio) che non contenga la shebang in testa

#!/bin/bash

viene considerato “safe” per via del .jpg e poi “aperto” con Terminal.app (come specificato nei metadati).

Le scelta giusta poteva essere una di queste:

  • una volta scompattato il file, guardare l’estensione e di conseguenza aprirlo con l’applicazione di default per quell’estensione. Brutto ma banale, e prono ad errori.
  • invece che basarsi sull’estensione, guardare il magic del file. Dopotutto siamo su un sistema Unix, quindi capire cosa c’e` veramente dentro un file non dovrebbe essere un grosso problema. Dopo di che, se il magic riporta un tipo di dato diverso dall’estensione, avvisare l’utente e chiedergli di prendere una decisione.
    Nel caso di un .jpg contenente uno shellscript a me piacerebbe una finestrella che dicesse:

    Attenzione:
    il formato di file (“ASCII Text”)[2] e` in conflitto con l’estensione (“.JPG”) per
    STRANOFILE.JPG.

    “Apri con Terminal”[3]/”Apri con Preview”/
    “Apri una finestra di Finder in quella directory”/”Annulla”

Sicuramente quello che non vorrei e` che qualcun altro decidesse con quale applicazione qualcosa viene aperto sulla mia macchina.
Ovviamente rimane il problema di avere degli utenti in grado di prendere delle decisioni, ma se l’highlight fosse su “Annulla” l’impatto sarebbe minimizzato.

Per ora l’analisi del problema migliore che ho visto e` quella del SANS:
http://www.incidents.org/diary.php?date=2006-02-21

note:
[1] abbiate pieta`, ho Os X in inglese
[2] Uno shellscript senza header viene visto cosi`, invece che come “xxx shell script executable”
[3] Ancora meglio, “Apri con un editor

OsX Virus/Trojan/that’s-not-the-relevant-thing

Alas, “Much ado about nothing”. Or not?

So, if in the last 24 hours you were not buried somewhere you have heard that a some sort of malware for OsX has surfaced. Oh my! “It’s the end of the world as we know it!”.
C’mon. ** Reality check. **
Nothing is collapsing.
Instead, many things are getting better. More on this later on.

Let’s look into the facts (please note that I’m referring to the analysis done by Andrew, which could be wrong, but sounds reasonable)

  • On Feb, 14th a file named latestpics.tgz was linked on a popular Mac-oriented forum, claiming to contain pictures interesting for the Mac community (a sneak preview of 10.5). By itself, this alone should have looked odd: why on earth are you supposed to share a .tgz — packaged, compressed — file for sharing an handful of jpg? Myself, I’d have tried something more stealth, like a self-extracting ppc executable. Unusual format: BAD.
  • Some users report that after opening the file and double clicking on the expanded version one thing, unexpected to say the least, did start happening: the same file was sent to all iChat users present in the buddy list without user intervention. User Intervention: BAD. Anyway, it looks smart using resource forks to hide the real payload of the object. Standard OS Resources: GOOD. Knowledge of the OS: GOOD.
  • By that moment, our little piece of software had been busy rebuilding a good copy of itself, and adding a small apphook.bundle into /Library/InputManagers/ depending if you are an administrative user (read, the nearest to root a user can get under OsX) or in your $HOME/Library/InputManagers/ otherwise. Given that the first user that gets created installing OsX is given administrative rights, I safely assume that around 90% of the clicking users were demi-gods on their machines.Based on common practices: GOOD. Using standard OS application to spread: GOOD. Faking a known buddy, thus bypassing some diffidence: GOOD.
  • And then? Any application (located in your $HOME or under the /) run in the last month (found using SpotLight) would get replaced by an “infected” executable, with the original moved to a resource fork. Almost untouched executables: GOOD.
  • “And then?” you’ll be asking, used to I Love You, Slammer, Blaster, Welchia. Nothing. That’s all. Pretty boring, uh?

    Coitus interruptus

    Very,very, VERY BAD.

Now, I see two possibilities:

  • All in all, the stuff we’re talking about is something more a “pre-beta-proof-of-concept” than one of those shiny and deadly effective Win32 viruses/worms. This POC fails or does not (still) implement many things still in the mind of his writer, like the e-mail part Andrew is talking about

    • OR

  • Andrew’s analysis falls short, and this entity is doing things still undiscovered. Time will tell.

    • OR

  • it’s just a sort of heads-up POC. It is not intended to do any harm. (I can’t count, did you notice?)

All this looks strange to me: you’re on a full-fledged UNIX machine, you have demonstrated a fairly good knowledge of the underlying OS, you can do (or at least try) so much things to 0wn it from the kernel up and you do none?
You’re not a 13 year old boy who wants to go bragging with your friends in IRC, so why stopping there? Why “obfuscating” part of your code using XOR? OMG…
You could start opening connections to somewhere to obtain a backshell, getting command files from the Internet and then executing them… you cold push your code inside executables, you may even have a full compiler and you don’t even look if it’s there?
Neither you try a small kernel module to hide your files and/or your processes? Adore dates back to six years ago…
Too many things don’t fit.

Anyway: at least now Mac users know they may get “infected”, and this is EXTREMELY GOOD, as most security is in the hands of the end users and we simply have no technical solution to human stupidity.

I expect many more “real” viruses and trojans coming for Mac OsX in the next 12-16 months, starting to exploit local buffer overflows, escalating privileges, and doing all the stuff we’re accustomed to. Even in Universal Binary form. :)

So, let’s turn the brain on and click on that Apple again.

I see this post is much longer than I intended it to be: please bear with me :)

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close