December 28, 2012

Labyrinth, Noise Elimination, Circuit Engineering... Review of the Most Interesting Tasks of PHDays CTF Quals

PHDays CTF Quals, an information security competition, ended last week. 493 teams from 30 countries competed in hacking and information protection. All the tasks were divided into five categories, from Reverse Engineering to tasks typical of the real world (the details and results of the competition are available in our previous post). Each category included five tasks of different difficulty levels (from 100 to 500 points).

The majority of the tasks were solved by the teams, some caused difficulties, and some were left unsolved. Moreover, for some tasks the teams used solutions the organizers had not even considered. This time we want to review the most interesting (in our opinion) and difficult tasks of PHDays CTF Quals.

December 26, 2012

PHDays CTF Quals – BINARY 500 or Hiding Flag Six Feet Under (MBR Bootkit + Intel VT-x)

PHDays CTF Quals took place on December 15-17, 2012. More than 300 teams participated in this event and fought to become a part of PHDays III CTF, which is going to be held in May 2013. Our team had been developing the tasks for this competition for two months. This article is devoted to the secrets of one of them – Binary 500. The task is very unusual and hard to solve, and nobody managed to find its flag.

This executable file is an MBR bootkit, which uses hardware virtualization (Intel VT-x). Due to the program’s specific features, we decided to warn users that this program should be executed on a virtual machine or an emulator only.

 Warning and license agreement

December 4, 2012

Windows 8 ASLR Internals

Authors: Artem Shishkin and Ilya Smith, Positive Research.

ASLR stands for Address Space Layout Randomization. It is a security mechanism that randomizes the virtual memory addresses of various data structures that may be attacked. It is difficult to predict where the target structure is located in memory, and thus an attacker has little chance of succeeding.

The ASLR implementation on Windows is closely related to the image relocation mechanism. Relocation allows a PE file to be loaded at an address other than its fixed preferred image base. The PE file relocation section is the key structure for the relocation process: it describes how to modify certain code and data elements of the executable to ensure it functions properly at another image base.

November 26, 2012

Attacking MongoDB

Mikhail Firstov, an expert at Positive Technologies, spoke at ZeroNights 2012, which recently took place in Moscow. The talk was about attacking a popular DBMS — MongoDB.

The presentation and attack video demo are under the cut.

Attacking MongoDB

I'm not going to describe the way the database is installed: the developers do everything possible to make this process easy even without using manuals. Let's focus on features that seem really interesting. The first thing is the REST interface. It is a web interface, which runs by default on port 28017 and allows an administrator to control their databases remotely via a browser. Working with this DBMS option, I found several vulnerabilities: two stored XSS vulnerabilities, undocumented SSJS (Server Side JavaScript) code execution, and multiple CSRF.

November 22, 2012

Workshop «Random Numbers. Take Two» at ZeroNights 2012

Authors: Arseny Reutov, Timur Yunusov, Dmitry Nagibin


CUDA PHPSESSID Bruteforcer – a program to bruteforce PHPSESSID and predict pseudorandom numbers in PHP: 

CPU PHPSESSID Bruteforcer: CPU version that supports distributed computing: 

Relevant article: Not So Random Numbers. Take Two

Exploits will be published later.

November 6, 2012

SCADA Safety in Numbers

Nuclear power plants, hydroelectricity plants, oil and gas pipelines, transport systems (subway and high speed trains) and a great many other vital systems are managed through various computer technologies.

The security of industrial systems attracted a great deal of interest after a series of incidents involving the computer viruses Flame and Stuxnet. This was the herald of the age of cyberwarfare. In Russia, there is another reason to consider the security of such systems: new requirements for controllers developed to improve the safety of industrial systems.

To find proper security methods, it is necessary to understand what skills an attacker possesses and which attack methods they are likely to choose. In order to answer these questions, the experts of Positive Technologies explored the security of industrial control systems (ICS/SCADA/PLC). The results are shown below.

October 31, 2012

Google Chrome for Android — UXSS and Credential Disclosure

Here we go.
In July 2011, Roee Hay and Yair Amit from the IBM Research Group found a UXSS vulnerability in the default Android browser. This bug allowed a malicious application to insert JavaScript code into the context of an arbitrary domain and steal cookies or do other malicious things. Anyway, this bug was fixed in Android 2.3.5.

On June 21, 2012, Google Chrome for Android was released. I’ve found some interesting bugs there. Just have a look.

October 25, 2012

Random Number Security in Python

This is the second article devoted to the vulnerabilities of pseudorandom number generators (PRNG).
A series of publications describing PRNG vulnerabilities, from the basic ones ([1]) to vulnerabilities in various programming languages as implemented in CMS and other software ([2],[3],[4]), has appeared recently.

These publications are popular because PRNG is the basis of web application security. Pseudorandom numbers/character sequences are used in web application security for:

  • Generation of different tokens (CSRF tokens, password reset tokens, etc.)
  • Generation of random passwords
  • Generation of a text in CAPTCHA
  • Generation of session identifiers

The previous article, relying on the research of George Argyros and Aggelos Kiayias ([3]), explained how to guess random numbers in PHP using PHPSESSID and described various methods of reducing pseudorandom number entropy.

Now we are going to consider PRNG in web applications written in the Python language.

October 24, 2012

Your Flashlight Can Send SMS — One More Reason to Update to iOS 6

Today I'm not going to tell you how the security system of iOS 5 is organized. We will not gather bits of information using undocumented features either. We'll just send an SMS from an application behind the user's back.

October 8, 2012

SIEM + scanner. Headache Pills?

Security systems are developed and adjusted to new threats all the time. The number of information sources from which data on the current security state is received is growing day by day. However, if you fail to detect and prevent threats in a timely manner, even hundreds of intrusion detection systems will be useless. This is where SIEM (Security Information and Event Management) systems come to help. These systems are the focus of this article.

September 19, 2012

Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming

Authors: Artem Shishkin, Ilya Smit (Positive Research)

This article presents a way to bypass the Intel SMEP security feature on the x64 version of Windows 8. The bypass is performed using return-oriented programming. A way to build a suitable ROP chain is demonstrated below.

The SMEP feature does not allow executing code from a user-mode page in supervisor mode (CPL = 0). Any attempt to execute code under these circumstances on Windows 8 ends in a blue screen of death with the bugcheck code “ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY”. For more details on how SMEP is implemented in Windows 8, please refer to [1].

September 17, 2012

Intel SMEP overview and partial bypass on Windows 8

Author: Artem Shishkin

English whitepaper (PDF): here
Russian whitepaper (PDF): here

1. Introduction

With a new generation of Intel processors based on the Ivy Bridge architecture, a new security feature has been introduced. It is called SMEP, which stands for “Supervisor Mode Execution Prevention”. Basically, it prevents execution of code located on a user-mode page at CPL = 0. From an attacker’s point of view, this feature significantly complicates the exploitation of kernel-mode vulnerabilities because there is simply no place for a shellcode to be stored. Usually, while exploiting a kernel-mode vulnerability, an attacker would allocate a special user-mode buffer containing a shellcode and then trigger the vulnerability, gaining control of the execution flow and redirecting it to execute the prepared buffer contents.
So if an attacker is unable to execute his shellcode, the whole attack is meaningless. Of course, there are other techniques, such as return-oriented programming, available for exploiting vulnerabilities with an effective payload. But there are also certain cases when the execution environment allows bypassing the security features because it is not properly configured. Let’s take a closer look at this technology and its software support in the Windows 8 operating system, which introduces SMEP support.

Vulnerabilities in Android Devices Allowed Stealing Money and Passwords

Artem Chaykin, an expert at the Positive Research Center, has discovered two critical vulnerabilities in Chrome for Google Android. The vulnerabilities threatened the security of the majority of new smartphones and tablets, since Chrome is the main web browser of the system starting from Android 4.1 (Jelly Bean).

By exploiting the first of the said vulnerabilities, an attacker could get access to user data stored in Google Chrome, including the clickstream, cookies, web cache, etc.

August 22, 2012

Not So Random Numbers. Take Two

George Argyros and Aggelos Kiayias recently published excellent research concerning attacks on the pseudorandom number generator in PHP. However, it lacked practical tools implementing the attack. That is why we conducted our own research, which led to the creation of a program to brute-force PHPSESSID.

August 12, 2012

Practical Example of Code Review Implementation

Our previous post concerning the code review process implemented by our company attracted particular interest from the IT community, so we decided to write an additional article on this topic. Today we'll look at how this practice is implemented, using a specific example.

August 10, 2012

Code Review Implemented into Development

Attention! This article is meant for people who know what a code review is and who want to introduce this practice in their companies.

When we started implementing code reviews in our projects, we were disappointed by the lack of good materials on organizing the process from the very beginning. One more aspect that has hardly ever been described is review scaling.

To fill this gap, we want to share our team's experience in implementing this wonderful practice. Constructive comments are welcome.

So let's get it started.

Positive Technologies Became Cisco’s Official Technology Partner

Cisco Systems has awarded Positive Technologies the status of Cisco Registered Developer. It’s notable that our company has become the first Russian company to be granted the status of Cisco Registered Developer. Now Positive Technologies has its own profile on the official web site of Cisco Systems.

August 2, 2012

SELinux in Practice: DVWA Test

Since the last article on SELinux came out, we’ve been receiving requests to prove the benefits of the security subsystem ‘in practice'. So we decided to test it. We created an infrastructure of three vulnerable machines with default configurations (Damn Vulnerable Web Application on CentOS 5.8). They differed only in their SELinux configuration: it was disabled on the first machine, while the other two had the out-of-the-box policies applied, namely targeted and strict.

The set of virtual machines composed this way was then subjected to penetration testing. Let’s take a look at the results!

July 26, 2012

(Un)Safe Surfing?

Nowadays a lot of popular web browsers support auto-update, but a significant share of browser plug-ins must be updated individually. A huge number of users do this very rarely, without realizing that in most cases not only browsers but also plug-ins can be attacked.

Interesting statistics obtained from browser and plug-in security testing by the online service SurfPatrol in 2011 are under the cut.

July 16, 2012

Recreational XenAPI, or The New Adventures of Citrix XenServer

Today, I would like to speak about certain aspects of using Citrix XenServer 5.6. The problem I had to deal with seemed rather solvable: command execution in dom0 without using SSH. While searching for methods to fix the issue, I found some funny features of the HTTP API of the operating system: ways to get /etc/passwd, remote execution of rsync and the XenSource thin CLI protocol. Now I will tell you a kind of story of this research.

July 12, 2012

Gaining Control Over Cloud Infrastructure. Easy as One, Two, Three

Several months ago the Positive Research Center analyzed security of Citrix XenServer. Among other things, we studied the security of administration interfaces, and web interfaces of various system components in particular. As a result, we managed to find several critical vulnerabilities, which allow obtaining control not only over these components but over the master server as well, that is over the whole cloud infrastructure. The Citrix company was immediately notified of the detected vulnerabilities. After the issues had been fixed ([1], [2], [3]), the results were disclosed at the Positive Hack Days forum as part of the FastTrack section.

July 6, 2012

Introduction to SELinux: Modification of the Targeted Policy for Third Party Web Applications

Many of us are engaged in configuring production servers for web projects. I’m not going to explain how to set up Apache or Nginx — perhaps you know it even better than I do. However, an important aspect of creating front-end servers still remains uncovered: the configuration of security subsystems. 'Disable SELinux' is the standard recommendation of the majority of amateur manuals.

I think it’s a hasty decision, as configuring security subsystems in the ‘mild’ policy mode is often rather trivial.

Today I’m going to tell you about several methods of configuring the SELinux security subsystem, applied to the Red Hat (CentOS) OS family. As an example, we’ll configure a stack of Apache web server + mod_wsgi + Django + ZEO on CentOS 5.8.

July 3, 2012

Android: Overview of Hacking Applications

Hello, everyone!

Following the article on MiTM attacks from an iPhone, I got the idea of a similar one about Android.

We already know what iPhone is capable of. Is Android any worse?

We have reviewed about 25 hacking applications, and now I'd like to present the results of this small research. Some applications didn't start at all. Others froze the phone dead. But there were a few that worked quite OK!

All software solutions were tested on the LG Optimus smartphone under Android 2.3.

And here we go: a brief overview of hacking software for Android.

July 2, 2012

iPhone: MiTM attack out of a pocket

A laptop seems to be the typical device for Wi-Fi attacks. There are multiple reasons for this: support for specific Wi-Fi modules, availability of the necessary software and sufficient computing power. So usually we imagine an attacker holding a laptop while sitting in a car with an antenna sticking out of the window. However, mobile platforms are moving forward, and a lot of operations can now be performed out of a pocket.

Many of us use Apple devices based on iOS. It is no secret that iOS is actually a member of the *nix family, and thus has all its advantages, including the availability of various classical pentest applications. This time I want to consider tools for conducting simple Man in the Middle attacks against Wi-Fi clients using the ARP poisoning technique.

June 29, 2012

eBay. What Did Your Neighbor Buy?

I was browsing eBay and came across quite a striking lapse on the part of its designers. They offer you a feature, feedback, which influences buyer and seller ratings. Once you close your deal and receive your purchase, you are strongly urged to rate the seller ("leave feedback").

You enter the page, rate the seller according to a number of criteria... and that's pretty much it. But! By doing so, you leave an entry on the seller's page, which contains your username, the name of the item you bought, its price, and the purchase date. Visit a page of any seller, and you'll see all information about their customers: names, purchases, prices, and dates of the purchases.

June 27, 2012

Web vulnerabilities. Unbelievable becomes obvious

In the course of penetration testing, security audits and other services rendered by Positive Technologies in 2010 and 2011, the company’s experts collected security statistics on more than a hundred corporate web applications. These were real applications, not business-card sites: e-government websites, internet banking systems, mobile operators' self-service portals, and the like became the objects of the research.

Having analyzed the results, we could finally answer the perennial questions of information security:

How many websites are infected with malware?
Which CMS is more secure: commercial, open-source or self-developed?
Which is the most secure among Java, PHP and ASP.NET?
Is compliance with the PCI DSS requirements a myth or reality?

Some of the answers to these questions surprised us, we must say. See details under the cut.

June 26, 2012

Customizing Blue Screen of Death

It's Turned Blue! Is It OK?

BSOD is the kernel's response to an unrecoverable exceptional situation. If you see it, something really unpleasant has happened.

The kernel environment places numerous restrictions on a programmer's freedom of action: mind the IRQL, synchronize access to shared variables, don’t spend much time in an ISR, and verify any data coming from "userland"... If any of these rules is broken, you'll get a stern reproof filled with template phrases in standard VGA mode with lousy coloring.

June 21, 2012

Peculiarities of a New Windows TCP/IP Stack

Starting with Windows Vista, Microsoft has switched its operating systems to a new network stack — Next Generation TCP/IP Stack. The stack is stuffed with various perks: Windows Filtering Platform, a scalable TCP window and other delicacies. But it’s not them we will be talking about, but a specific behavioral pattern of the new network stack.

Any self-respecting network scanner should be able to detect the operating system used on the host being scanned. The more parameters it uses for this purpose, the more accurate the result is. For example, Nmap employs a wide range of metrics: various TCP metrics (timestamp value behavior, ordering of TCP options), IP metrics (the algorithm for packet sequence number calculation, handling of IP packet flags) and others.

June 20, 2012

SCADA Security: How To Stay Alive

Hardly anyone could have imagined a couple of years ago that viruses would leap into the real world, becoming capable of attacking entire production systems and disabling machines and industrial plants, let alone stealing data and interrupting software operations. It might seem inconceivable: networks at plants are usually separated from public and internal networks, the software and hardware are distinct from those used in common networks; moreover, all processes are strictly regulated and closely controlled...

And still, when it comes not to a single hacker but to a group of SCADA professionals, skilled hackers and engineers, most probably backed by a state, anything becomes possible.

June 9, 2012

MaxPatrol Supports Skybox® Security Risk Control

Skybox Security is the leading provider of proactive security management solutions for global enterprises.

The integration of Skybox Security Risk Control and the MaxPatrol Vulnerability and Compliance Management System is based on the popularity of these products with corporate network customers.

June 8, 2012

Vulnerability in Nginx Eliminated

Vladimir Kochetkov, a Positive Research expert, has detected a severe vulnerability in Nginx under Windows.

On Windows platforms, there are many ways of gaining access to one and the same file, some of which were not considered by the nginx developers. Nginx versions for Windows (from 0.7.52 to 1.2.0 and 1.3.0 inclusive) proved vulnerable to a security restriction bypass. The vulnerability enabled an attacker to direct HTTP requests to a certain URL while bypassing the rules set in the location directives of the web server configuration.

May 24, 2012

Positive Technologies Joins OVAL Community

For quite a long time there was no unified standard in the world that would allow information security experts to formally describe information system vulnerabilities, configuration errors and missing security updates. OVAL, an open language for the description and assessment of vulnerabilities, has become a very simple and universal method of sharing IS content.

Open Vulnerability and Assessment Language (OVAL) is a specialized XML-based language intended for the automated assessment of security systems. It provides means for describing a system under examination, analyzing its state and reporting the check results.

May 18, 2012

SAP Eliminates Vulnerabilities Detected by Positive Research

At the end of 2011, SAP products proved to contain a number of vulnerabilities (one, two, and three - in Russian) that would have allowed conducting a DoS attack. The vulnerabilities were detected by Vladimir Zarichny, a specialist of Positive Research.

The details of the vulnerabilities were provided to the vendor, and in May, 2012, SAP released a patch that fixes these and some other security flaws. The specialist’s work has been acknowledged by the SAP Product Security Response team: Vladimir’s name has been placed on SAP’s wall of fame (Acknowledgements Page).

Writing Linux Security Module

Linux Security Modules (LSM) is a framework allowing Linux to support various security models. LSM has been a part of the kernel starting with Linux v. 2.6. Currently, the official kernel hosts such security modules as SELinux, AppArmor, Tomoyo, and Smack.

The modules run alongside the native Linux security model, Discretionary Access Control (DAC). LSM checks are triggered only for actions that DAC has already allowed.

The LSM mechanism can be used in various ways. Typically, it is used to add mandatory access control (as, for example, in the case of SELinux). You can also invent your own security model and implement it as a module using the framework. As an example, let's consider implementing a module that grants privileges for system actions only when a specific USB device is connected.

Google Again Pays for a Discovered Vulnerability

Not so long ago a vulnerability was discovered in one of Google’s services, which would have allowed an attacker to perform remote command execution on the target system: for example, download and run programs, read and modify files, or retrieve data from the DBMS. This vulnerability was discovered by an expert of Positive Research, Dmitry Serebryannikov, and was eliminated by the joint efforts of the research center's experts and the Google Security Team. The work done has been featured by the Google team as part of their Vulnerability Reward Program and rewarded with the prize due for such significant discoveries.

May 17, 2012

Finish up with SAP. From a user's password to a top manager's salary

Sometimes, having obtained access to SAP, a security analyst has no idea what to do next or how to demonstrate the possible consequences of the detected vulnerabilities.

This article covers methods of obtaining access to the production system and data of the SAP HCM module.

May 15, 2012

Online Battling at PHDays 2012

If for any reason you are not on the participant list of Positive Hack Days 2012 or cannot visit the Digital October Center, the forum’s venue, on May 30 and 31, you still have an opportunity to participate in this event. Join the online battle with competitors from all over the world at Positive Hack Days 2012! The description and participation terms are under the cut.

April 23, 2012

Popular Network Equipment and Vulnerability Statistics

According to analytical agencies, Cisco Systems is the manufacturer of the most popular switching and routing equipment for medium-sized and large-scale enterprises (about 64% of the global market). HP Networking holds second place (approximately 9%). Then follow Alcatel-Lucent (3%), Juniper Networks and Brocade (2.3% each), Huawei (1.8%) and other manufacturers less prominent than the giants but together still holding almost 17.6% of the market.

The situation in Russia is specific. Besides the products of the abovementioned manufacturers, Nortel and Allied Telesis switches are widespread in this country. Moreover, devices of manufacturers such as D-Link and NetGear, which offer equipment to small and medium-sized enterprises, are quite common. Brocade is still a rare bird in Russia.

April 16, 2012

Trendy APT — Struggling with Carelessness

Companies can be divided into two categories: those that know they've been compromised and those that still have no idea.

The term APT (Advanced Persistent Threat) was introduced by the US Air Force in 2006 to describe a new type of attack. For the first time, an attempt was made to analyze an attack that had been conducted, draw conclusions, and resist the new threat. APT is neither a sophisticated exploit nor a new-fashioned Trojan. APT is an attack paradigm.

Its general principles are well known: for instance, social engineering provokes users into opening a link or an attached file, or exploitation of vulnerabilities is used to access the system under attack. Why is APT so scary? Let's try to sort it out.

April 11, 2012

Introduction to XCCDF

XCCDF (The Extensible Configuration Checklist Description Format) is an XML-based specification language for describing security configuration checklists and other similar documents. XCCDF is one of the languages of the Security Content Automation Protocol (SCAP) and an important instrument for specialists engaged in automating information security processes. This language, for instance, is used to describe configuration requirements for the workstations of US federal agencies and their contractors (FDCC/USGCB program).

This article considers the way security configuration checklists are described in the XCCDF language, using the USGCB content for Red Hat Enterprise Linux as an example.

March 1, 2012

Vulnerable by Definition

A lot of people with some relation to security want to try pentesting from time to time. Most often they start with web applications. The barriers to entry are rather low (the simplest SQL Injection vulnerability can be detected by adding a quotation mark to a parameter, and its exploitation is almost as simple), but there are still difficult tasks that require several days of thorough work.

However, where can theoretical knowledge be applied without any fear of being prosecuted by law-enforcement authorities? An overview of ‘proving grounds’ for pentest experiments is under the cut.

February 17, 2012

IBM DB2 Security Model

The IBM DB2 database management system was developed back in the 70s and has gained a foothold in the industrial DBMS market, meeting the highest requirements for performance, reliability, security and scalability. However, in the private sector the system hasn’t gained such wide acceptance, even with its free IBM DB2 Express version. This might be the reason why there are rather few articles on DB2 use and configuration on the Internet.

January 27, 2012

VIEWSTATE Vulnerabilities

1. ViewState Overview
"View state is a method that the ASP.NET page framework uses to preserve page and control values between round trips. When the HTML markup for the page is rendered, the current state of the page and values that must be retained during postback are serialized into base64-encoded strings. This information is then put into the view state hidden field or fields."

"What does ViewState do?
- Stores values per control by key name, like a Hashtable
- Tracks changes to a ViewState value's initial state
- Serializes and deserializes saved data into a hidden form field on the client
- Automatically restores ViewState data on postbacks"

From an article on the ViewState mechanisms by an ASP.NET developer

January 23, 2012

A Backdoor in the Next Generation Active Directory

At the beginning of last year, I already raised the issue of post-exploitation in a Microsoft Active Directory domain. The approach put forward addressed mostly the case of losing admin privileges rather than exploiting them. Additionally, the act of regaining the privileges itself involved conspicuous events and visually evident manipulations in the directory. In other words, to regain admin privileges one had to become a member of the appropriate security group, such as Domain Admins.

It should be mentioned that administrators get very nervous when they suddenly realize there is someone else in the system. Some of them rush headlong to address the security incident, sometimes taking the most unpredictable steps ;))