Porting Watcher checks to ModSecurity rules!

January 10th, 2012 by

Earlier this year, Ryan Barnett at TrustWave’s Spiderlabs started porting some of Watcher’s checks to ModSecurity.   After we chatted about this, I decided to get involved.  We always liked the idea of a server-side scanner watching the Web traffic, and since ModSecurity sits right in the sweet spot it all made sense to focus some effort there.

So over the past few months we’ve been working to port more of Watcher’s passive Web scanning checks to theModSecurity open source Web Application Firewall.  It seems to be working out, as some of the rules have made it into the latest release of ModSecurity’s Core Rule Set v2.2.3 as well as some earlier rule sets.  There’s more to come.  Please send any feedback to me or Ryan, and look for more rules to be added very soon.

Tags: ,
Posted in Development, Security Testing, Tools | No Comments »

Microsoft “Roslyn” based REPL injection.

December 12th, 2011 by

Microsoft recently released their new Compiler API codename “Roslyn”. If you haven’t checked it out yet you should. Here’s the link: http://msdn.microsoft.com/en-us/roslyn/.

I wanted to get my hands a little dirty and play with the new API. I’ve been meaning to look into Managed DLL injection for a while to get code execution for process interrogation. There are times when we’re testing that we want to interrogate a process for framework level information. For whatever reasons we sometimes can’t compile the target with hooks. So it would be nice to have a way to execute code. Roslyn’s CSX files look like a great way to accomplish this so that’s what I’m trying to expose.

Currently this only works on 32 bit processes.

Let’s start by describing the architecture as there are 3 things going on. The major components are the Injector, Unmanaged Injectee and Managed Injectee. The injector is the controller in this scenario; he’s responsible for the injection into the managed process and communication between the components. Communication is handled via named pipes.

The injector uses a well-documented dll injection technique via CreateRemoteThread and LoadLibrary. This loads the unmanaged dll into the Managed process. The unmanaged DLL actually handles the Managed DLL injection. I wont go into unmanaged dll injection as it’s pretty well document technique. I assume the reader understands these concepts.

From this point I assume the unmanaged DLL has been injected into the managed process.

After the unmanaged DLL is injected I need to make sure the correct version of the CLR is loaded. To accomplish this use the CLR hosting API’s to determine the version of the CLR that is loaded by the process (Provided there is one loaded). The host process must be running .Net 4.0 to support the Roslyn API. Because the early versions of the hosting API’s are deprecated I need to check to see if the .net 4.0 mscoree is loaded “msvcr100_clr0400.dll”. I check via a GetModuleHandle. If it exists we know we are running .Net 4.0 and know the CLR is already running. Two birds down with a single stone. 

hMod = GetModuleHandle(L"msvcr100_clr0400.dll");

Once we know the CLR is loaded and it’s 4.0 we can get a handle to the CLSID_CLRMetaHost via:

hr = CLRCreateInstance( CLSID_CLRMetaHost,
IID_ICLRMetaHost,
(LPVOID*)&pMetaHost );

From the meta host we can get a handle to the running RunTimeHost via:

ICLRRuntimeHost *pClrHost = NULL;
runTimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID *)&pClrHost);

This will return a handle to the current RuntimeHost (Or load the runtime if it isn’t running). The next call is to load my Managed DLL plus call the entry method.

pClrHost->ExecuteInDefaultAppDomain(L"InjectedManagedDll_Net_4.dll", L"InjectedManagedDll_Net_4.InjectedClass", L"Test", L"TestArg" , &ret);

This loads the Managed DLL into the process. Once the Managed DLL’s Test method is called I create a managed thread.

public static int Test(string param)
{
new Thread(new ThreadStart(ThreadFunc)).Start();
return 666;
}

This thread then generates a few more threads and sets up the NamedPipe communication pipe and reports to the server things are setup.

static void ThreadFunc()
{
try
{
PipeClient.Instance.Start("CNIPipe");
}
catch (Exception e)
{
PipeClient.Instance.LogMessageToServer(e.Message);
}
}

I then expose some simple messages back and forth between the injector and injectee and expose a simple REPL loosely based on this guy’s implementation: http://visualstudiomagazine.com/articles/2011/11/16/the-roslyn-scripting-api.aspx.

private ScriptHost()
{

HashSetassemblys = new HashSet();
assemblys.Add(Assembly.GetCallingAssembly());
assemblys.Add(Assembly.GetEntryAssembly());
assemblys.Add(Assembly.GetExecutingAssembly());

Listnamespaces = new List() { "System", "System.Collections", "System.Collections.Generic" };

ScriptEngine = new ScriptEngine(assemblys.ToList(), namespaces);

Session = Session.Create(this);
}

public object Execute(string code)
{
return ScriptEngine.Execute(code, Session);
}

This gets you a basic REPL inside another process. Next steps include making sure the communication API between the host and injectee are more well formed and able to handle both 32 and 64 bit processes. Stay tuned!

Posted in Code Review, Debugging, Development, Reverse Engineering, Security Testing, Tools | 2 Comments »

XML Hell presentation at Blue Hat v11

October 24th, 2011 by

At Microsoft BlueHat v11 I’ll be delivering an internal-only briefing along with Matt Swann.  While I can’t go into the confidential details of the talk, there are some things I want to mention that are more general and already public information.  There’s significant attack surface when it comes to parsing XML documents, and processing contextual information in those documents.  The threats are not limited to any one tech stack, and can be found in most of the popular ones.  To name the main exploit scenarios we see and test for regarding XML:

  • Information Disclosure (file system access)
  • Logical Abuse
  • Injection and XSS
  • Denial of Service
  • Remote Code Execution

I might blog about each one of these in turn because they’re each a little different and unfortunately the mitigation is not as simple as “validate input”.

Tags:
Posted in Security Testing | No Comments »

New release of Microsoft Web Application Configuration Analyzer v2.0

May 18th, 2011 by

From: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=60585590-57df-4fc1-8f0c-05a286059406

Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production and production servers. It can be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers). The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available at: http://msdn.microsoft.com/en-us/library/ms994921.aspx. It uses an agent-less scan that requires the user to have admin privileges on the target server, as well as any SQL Server instances running on that machine.

This release of WACA we included some new features. They include:

  • Suppressions – you can now suppress any rule you feel is not appropriate for your scan.
  • Saving of suppression files – once you set up a suppression list you want to use you can save it off for future uses.
  • You can change the suppressions and regenerate the report without needing to re-run the scan.
  • Reporting – Updated the reporting section to include suppression information so you know what passed, failed, was not applicable and what was suppressed.
  • Multiple reports – you can view multiple scans of the same machine or view a single machine’s scan and compare it to other machines.
  • Export to the Microsoft RED format.
  • Scan multiple systems and SQL instances in one bulk scan.
  • Additional rules – we’ve added in additional SQL rules.
  • And of course bug fixes that were missed in the last release.

 

Posted in Tools | No Comments »

SDL Requirements and Release Videos Now Online

February 17th, 2011 by

Not too long ago Chris, Jason, and myself did a handful of videos with the folks over in the Microsoft SDL and Azure teams on applying the SDL to various phases of the software development process.

Give them a watch!

Microsoft SDL Requirements Phase: Security Practices
http://technet.microsoft.com/en-us/edge/Gg520839

Applying Microsoft SDL Requirements Practices within Windows Azure
http://technet.microsoft.com/en-us/edge/Video/gg482149

Microsoft SDL Release Phase: Security Practices
http://technet.microsoft.com/en-us/edge/video/gg583895

Applying Microsoft SDL Release Practices within Windows Azure
http://technet.microsoft.com/en-US/edge/Gg583898

Tags: ,
Posted in SDL | No Comments »

Egyptians Use Low-Tech Gadgets to Get Around Communications Block

January 28th, 2011 by

Chris Weber discusses how “Egyptians Use Low-Tech Gadgets to Get Around Communications Block” with FoxNews.com

Posted in News | No Comments »

Is the Internet Running Out of Room?

January 27th, 2011 by

Samuel Bucholtz discusses the implications of IPv4 depletion and the IPv6 transition in “Is the Internet Running Out of Room?

Posted in News | No Comments »

What Would You Do If Your Computer Got Hacked?

January 25th, 2011 by

Chris Weber and Jason Glassberg on Seattle’s Q13 Fox News story “What Would You Do If Your Computer Got Hacked?

Posted in News | No Comments »

Microsoft SDL Release Phase: Security Practices

January 18th, 2011 by

Jason Glassberg, Co-Founder, Casaba, discusses the three security practices of the Microsoft SDL Release phase. Jason talks about the planning for post-release contingencies by creating a well thought-out incident response plan, then stresses the importance of the application of a Final Security Review, its outcomes and mitigation of any outstanding issues. Finally he discusses the archiving of all pertinent information and data to allow for post-release servicing of the software.

Posted in News | No Comments »

Which E-mail Service is Safest?

January 11th, 2011 by

Chris Weber’s article on “Which E-mail Service is Safest?” goes online. Explore the key differences between Hotmail, Gmail, Yahoo Mail, and Facebook and some of the alternatives such as Hushmail and Countermail.

Posted in News | No Comments »