Archive for the ‘Development’ Category

« Older Entries

Wipe cookies with a custom Fiddler rule (and menu item)

January 11th, 2013 by

Sometimes there’s a need to simply wipe all the cookies from an HTTP request.  Maybe you want to re-issue a request without cookies, or maybe you want to browse a list of URLs to test that authentication is being required on all of them.  The following FiddlerScript will create a new menu item, under Rules, in Fiddler.  It can be enabled or disabled easily from there.

There’s two parts to creating a new rule with a menu item, but as you can see there’s not a lot to it.  First off, add the following at the beginning of the “Handlers” class.  These two lines will name your rule “Wipe Cookies”, disable it by default, and set it up to show up under the Rules menu item.

public static RulesOption("Wipe Cookies")
var m_WipeCookies: boolean = false;

Then, enter the following into the “OnBeforeRequest” function.  This will ensure that when you enable this rule, but simply clicking it from the Rules menu, the Cookie header will be removed from the HTTP request.

if (m_WipeCookies) {
  if (oSession.oRequest.headers.Exists("Cookie")) {
    oSession.oRequest.headers.Remove("Cookie");
  }
}

As you can see adding custom rules via FiddlerScript is rather simple.  Happy bug hunting!

 

Tags:
Posted in Development, Security Testing | No Comments »

Quick HTTP data extraction with Fiddler

January 7th, 2013 by

FiddlerScript provides a good mechanism for quick n dirty tasks.  Sometimes you just need to grep a pattern from a Web application and log it while you’re moving through the site.  There are a number of ways to do this but if I have Fiddler running I’ll usually add a quick script to do this.  For example, let’s say the application you’re testing uses LDAP under the covers, and you would like to extract all of the static LDAP URLs as you navigate the site.  A look at RFC  4516 shows us what some LDAP URLs might look like:

ldap://ldap1.example.net/o=University%20of%20Michigan,c=US

I’m going to keep the regex simple, and assume that you’re looking for static LDAP URLs that are always contained in single quotes U+0027.  So you normally see something like this:

var query = 'ldap://ldap1.example.net/o=University%20of%20Michigan,c=US'

To extract just the LDAP URL and log it, just open up the FiddlerScript tab, enter the OnBeforeResponse function, and add the following:

var bodyString = oSession.GetResponseBodyAsString();
if (oSession.oResponse.MIMEType.Contains("html")) {
  if (bodyString.Contains("ldap://")) {
    var regex = /.*\'(ldap://.*)\'/;
    if (regex.test(bodyString)) {
      var matches = bodyString.match(regex);
      if (matches != null) {
        FiddlerObject.log(matches[1]);
      }
    }
  }
}

Fiddler includes a “log” tab.  And the call to FiddlerObject.log writes data there.  That’s it, happy data-extracting!

 

Tags:
Posted in Development, Security Testing | 2 Comments »

Customizing (and hacking) Nessus auditing with Powershell

December 5th, 2012 by

A common scenario:  You have tens of thousands of hosts deployed across your datacenters and use Nessus to scan them regularly for patch compliance or other vulns. But you want to look at more stuff, after all you’re running a scanner on each and every host, why can’t you audit for policy or configuration-related data? Well you can - Nessus has this compliance auditing functionality built in, which makes customized checks easier than writing NASL files. Instead, you can write these “.audit” files and simply certain tasks such as looking for files, content, users and groups, registry keys, and more. In the case of Windows machines, the compliance checking gives you an extra edge – access to Powershell. Powershell comes with certain restrictions though, namely that you can’t simply call your own scripts, rather you have to pass cmdlets in as args. However, read on…  You can run checks that either PASS or FAIL, or you can dump output back into Nessus for later retrieval and post-processing. Take a look at what a custom Nessus compliance check called “find-private-certs.audit” might look like.

<check_type: "Windows" version:"2">
<group_policy: "Windows file system audits">

 type             : AUDIT_POWERSHELL
 description      : "Search the file system for private certificate files."
 value_type	  : POLICY_TEXT
 value_data       : "" 
 powershell_args  : 'Get-WmiObject -query \\"Select Name From CIM_DataFile Where Extension = \'pfx\' or Extension = \'p12\' or Extension = \'p7b\'\\" | select -ExpandProperty Name'
 check_type       : CHECK_EQUAL
 severity         : LOW
</group_policy> 
</check_type>

Pretty simple, you just pass a Powershell cmdlet with arguments in like “Get-WmiObject” and get your data back. Now, I wouldn’t actually run this in production because searching the file system can be really slow and delay scan completion. But that’s besides the point. Once you realize you have access to Powershell you might be motivated to do more, and get more data. That’s what happened to me, and I simply had to find a way to run Powershell scripts.

So I did… Consider this technet script Get-SharePermissions.ps1 by Bigteddy at Technet. It basically dumps all the shares along with permissions on a Windows host. Now the Nessus interface with Powershell wasn’t designed to load scripts as I mentioned, and the documentation won’t help you figure out how to do it. But there is a way. A slightly modified version of Bigteddy’s script appears below, hacked into a Nessus .audit file. I’m leaving out the other components of the script, and just showing the “powershell_args” field:

powershell_args   : 'get-variable null | invoke-command -scriptblock { $shares = Get-WmiObject -Class win32_share | select -ExpandProperty Name ; foreach ($share in $shares) { $acl = $null; Write-Host $share; Write-Host \\"==============================\\"; $objShareSec = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter \\"name=\\"\\"$share\\"\\"\\" ; try { $SD = $objShareSec.GetSecurityDescriptor().Descriptor; foreach($ace in $SD.DACL){$UserName=$ace.Trustee.Name;If($ace.Trustee.Domain -ne $Null){$UserName = \\"$UserName\\"}; If ($ace.Trustee.Name -eq $Null) {$UserName = $ace.Trustee.SIDString } ; [Array]$ACL += New-Object Security.AccessControl.FileSystemAccessRule($UserName, $ace.AccessMask, $ace.AceType) } }  catch { Write-Host \\"Unable to obtain permissions for $share\\" } $ACL; Write-Host \\"=====================\\"  } } '

And there you have it. Sure, it’s not the prettiest thing, given the escaping required, but it works. Basically, the trick is to start the powershell_args off with a get-variable cmdlet, since Nessus only allows get-* cmdlets to start. Pass in null as the arg, and pipe your way to the invoke-command cmdlet, since the pipeline at least is allowed. Using the scriptblock argument there, you can shove your script in and escape special characters as needed until you get the output desired.

Until next time, happy scanning!

Tags: , , ,
Posted in Development, Tools | No Comments »

Porting Watcher checks to ModSecurity rules!

January 10th, 2012 by

Earlier this year, Ryan Barnett at TrustWave’s Spiderlabs started porting some of Watcher’s checks to ModSecurity.   After we chatted about this, I decided to get involved.  We always liked the idea of a server-side scanner watching the Web traffic, and since ModSecurity sits right in the sweet spot it all made sense to focus some effort there.

So over the past few months we’ve been working to port more of Watcher’s passive Web scanning checks to theModSecurity open source Web Application Firewall.  It seems to be working out, as some of the rules have made it into the latest release of ModSecurity’s Core Rule Set v2.2.3 as well as some earlier rule sets.  There’s more to come.  Please send any feedback to me or Ryan, and look for more rules to be added very soon.

Tags: ,
Posted in Development, Security Testing, Tools | No Comments »

Microsoft “Roslyn” based REPL injection.

December 12th, 2011 by

Microsoft recently released their new Compiler API codename “Roslyn”. If you haven’t checked it out yet you should. Here’s the link: http://msdn.microsoft.com/en-us/roslyn/.

I wanted to get my hands a little dirty and play with the new API. I’ve been meaning to look into Managed DLL injection for a while to get code execution for process interrogation. There are times when we’re testing that we want to interrogate a process for framework level information. For whatever reasons we sometimes can’t compile the target with hooks. So it would be nice to have a way to execute code. Roslyn’s CSX files look like a great way to accomplish this so that’s what I’m trying to expose.

Currently this only works on 32 bit processes.

Let’s start by describing the architecture as there are 3 things going on. The major components are the Injector, Unmanaged Injectee and Managed Injectee. The injector is the controller in this scenario; he’s responsible for the injection into the managed process and communication between the components. Communication is handled via named pipes.

The injector uses a well-documented dll injection technique via CreateRemoteThread and LoadLibrary. This loads the unmanaged dll into the Managed process. The unmanaged DLL actually handles the Managed DLL injection. I wont go into unmanaged dll injection as it’s pretty well document technique. I assume the reader understands these concepts.

From this point I assume the unmanaged DLL has been injected into the managed process.

After the unmanaged DLL is injected I need to make sure the correct version of the CLR is loaded. To accomplish this use the CLR hosting API’s to determine the version of the CLR that is loaded by the process (Provided there is one loaded). The host process must be running .Net 4.0 to support the Roslyn API. Because the early versions of the hosting API’s are deprecated I need to check to see if the .net 4.0 mscoree is loaded “msvcr100_clr0400.dll”. I check via a GetModuleHandle. If it exists we know we are running .Net 4.0 and know the CLR is already running. Two birds down with a single stone. 

hMod = GetModuleHandle(L"msvcr100_clr0400.dll");

Once we know the CLR is loaded and it’s 4.0 we can get a handle to the CLSID_CLRMetaHost via:

hr = CLRCreateInstance( CLSID_CLRMetaHost,
IID_ICLRMetaHost,
(LPVOID*)&pMetaHost );

From the meta host we can get a handle to the running RunTimeHost via:

ICLRRuntimeHost *pClrHost = NULL;
runTimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID *)&pClrHost);

This will return a handle to the current RuntimeHost (Or load the runtime if it isn’t running). The next call is to load my Managed DLL plus call the entry method.

pClrHost->ExecuteInDefaultAppDomain(L"InjectedManagedDll_Net_4.dll", L"InjectedManagedDll_Net_4.InjectedClass", L"Test", L"TestArg" , &ret);

This loads the Managed DLL into the process. Once the Managed DLL’s Test method is called I create a managed thread.

public static int Test(string param)
{
new Thread(new ThreadStart(ThreadFunc)).Start();
return 666;
}

This thread then generates a few more threads and sets up the NamedPipe communication pipe and reports to the server things are setup.

static void ThreadFunc()
{
try
{
PipeClient.Instance.Start("CNIPipe");
}
catch (Exception e)
{
PipeClient.Instance.LogMessageToServer(e.Message);
}
}

I then expose some simple messages back and forth between the injector and injectee and expose a simple REPL loosely based on this guy’s implementation: http://visualstudiomagazine.com/articles/2011/11/16/the-roslyn-scripting-api.aspx.

private ScriptHost()
{

HashSetassemblys = new HashSet();
assemblys.Add(Assembly.GetCallingAssembly());
assemblys.Add(Assembly.GetEntryAssembly());
assemblys.Add(Assembly.GetExecutingAssembly());

Listnamespaces = new List() { "System", "System.Collections", "System.Collections.Generic" };

ScriptEngine = new ScriptEngine(assemblys.ToList(), namespaces);

Session = Session.Create(this);
}

public object Execute(string code)
{
return ScriptEngine.Execute(code, Session);
}

This gets you a basic REPL inside another process. Next steps include making sure the communication API between the host and injectee are more well formed and able to handle both 32 and 64 bit processes. Stay tuned!

Posted in Code Review, Debugging, Development, Reverse Engineering, Security Testing, Tools | 3 Comments »

X5S V2.0…. its coming!

January 3rd, 2011 by

So, It’s been awhile since we’ve done any public updates to X5S. Over the last year, I’ve improved the algorithm and process significantly. Be on the look out, it should be released within the next couple of weeks (Sometime in Jan. 11).

Some of the improvements include:
* Better Algorithms for doing checks
* Better output format .. Now uses a tree view.. Going to add better support for reporting too..
* Cleaner UI (Easier to use)
* Re-factored the code to be cleaner/make more sense and easier to maintain. It’s much easier to understand/work with.. before was mostly prototyped code/ Alpha code.
* Changed how test cases are defined for more control over the types of injects
* Added a fuzzing mode that will take data from a file and inject it where canaries would normally be injected. (This can be slow with lots of injections)
* Added a replay from Fiddler capture.. (Replays the capture while fuzzing/injecting on the requests).

* many many more minor/significant changes.. =)

Check back soon for a release date!

Posted in Code Review, Development, Nebulous, Security Testing, Tools, Unicode | 5 Comments »

Microsoft CCI Framework for Deobfuscating .Net binaries. (Part 3)

February 18th, 2010 by

Renaming parts of the assembly.

So I promised this last week, but I’ve been busy on a new project. Below is some code that shows renaming of methods. This is a solution to renaming classes within namespaces. It iterates over each namespace renaming classes from class1 -> classN. This is more useful for human readability and tracing logic. I leave it as an exercise to the reader to figure out how to rename other parts of the assembly. But hey if you really need it an get stuck, let me know!

I’ll be posting a tool at some point that does all these different actions for you. Hopefully I’ll have a early release out by mid next month. I’m currently learning WPF well enough to build in visulalizations of the control flow graph. That way after a mutator is applied you can visually see the results.

There is a dictionary in the mutator class that uses the namespace string as a key in order to know which class # i left off at. I test on the string length < 2 because the obfuscators I’ve seen that do this trick tend to just rename everything to some obscure unicode code point of length 1. Just a easy stop condition. You can use any stop condition that suits your needs.

View Code CSHARP
public override NamespaceTypeDefinition Visit(NamespaceTypeDefinition namespaceTypeDefinition)
{
  string key = namespaceTypeDefinition.ContainingUnitNamespace.Name.Value;
  if (!classDict.ContainsKey(key))
  {
     classDict.Add(key, 0);
  }
  if (namespaceTypeDefinition.Name.Value.Length < 2)
  {
     int i = classDict[key];
     namespaceTypeDefinition.Name = this.host.NameTable.GetNameFor(String.Format("Class{0}", i));
     i++;
     classDict[key] = i;
  }
  return base.Visit(namespaceTypeDefinition);
}

Tags: , , ,
Posted in Code Review, Debugging, Development, Malware, Nebulous, Reverse Engineering | 1 Comment »

Microsoft CCI Framework for Deobfuscating .Net binaries.

February 3rd, 2010 by

We had an issue recently crop up with an obfuscated .Net binary. I’ve been meaning to spend more time reversing .Net protected binaries so I start looking in it. Unfortunately everything I was reading on the forums and internet seemed difficult. Having recently read a little about Microsoft’s CCI framework, I thought this might be the best solution to the problem. Using a hex editor and looking for patterns seems hokey and a bit impractical.

So the first thing I decided to try was removing the SuppressIldasmAttribute attribute.  Below is some example code doing just that using CCI and rewriting the file. This produces an executable that works and doesn’t require just hex editing out the attribute leaving an executable that doesn’t run.

View Code CSHARP
static void Main(string[] args)
{
     var host = new PeReader.DefaultHost();
     var module = host.LoadUnitFrom(args[0]) as IModule;
     var attributeRemover = new AttributeRemover(host);
     module = attributeRemover.Visit(module);
     Stream peStream = File.Create(module.Location ".fixed");
     PeWriter.WritePeToStream(module, host, peStream);
     Console.Out.WriteLine("Finished");
}
 
/*
* Removes the static attribute atm SuppressIldasmAttribute.. can be modified to remove any attribute.
*/
 
public class AttributeRemover : MetadataMutator
{
 
     PlatformType pt;
 
     public AttributeRemover(IMetadataHost host)
                              : base(host)
     {
         pt = new PlatformType(host);
     }
 
     public override List<ICustomAttribute> Visit(List<ICustomAttribute> customAttributes)
     {
          for (int i = 0; i < customAttributes.Count; i++  )
          {
               if (customAttributes[i].Type.ToString() == "System.Runtime.CompilerServices.SuppressIldasmAttribute")
               {
                    customAttributes.RemoveAt(i);
                    break;
               }
          }
          return base.Visit(customAttributes);
     }
}

As you can see it requires very little code. Anyways that’s enough for this post. I also have some more code I’ll be posting that uses CCI to rename methods/class/methods from their “mangled names” and code that removes invalid OpCodes so reflector works at the IL level. I’m still working on code that goes through creates a optimized methods to remove the invalid jumps such that C# code can hopefully be reconstructed. We’ll see how that goes.

Tags: , , ,
Posted in Debugging, Development, Malware, Reverse Engineering | 4 Comments »

Getting Around Conditionally Banned APIs When Using Microsoft’s banned.h Header File

December 8th, 2009 by

This code sample makes use of banned.h, a Microsoft-supplied header file that deprecates dangerous CRT functions. Microsoft also poisons these functions on UNIX if you include banned.h there. This is a Good Thing, but what about the fact that they banned strlen? The banned API page states:

For critical functions, such as those accepting anonymous Internet connections, strlen must also be replaced.

That’s good advice for cases where you want to operate on untrusted data. In those cases they tell you that you should use strnlen_s. The problem is, banned.h straight out bans strlen. There is no way to tell it that hey, this particular invocation is safe because I control the buffer in all aspects. Nope, sorry. You can’t use strlen. Or can you?

Here is a code sample that uses banned.h to deprecate unsafe APIs, yet still manages to invoke strlen when necessary. The sample works in both Visual Studio on Windows and GCC on UNIX.

View Code C
 
//
 
//  banned_test.c
//  20091208 ramsey@casabasecurity.com
//
//  A sample program that illustrates how to "grandfather in" banned APIs
//  for use when they are marked deprecated (Windows) or poisoned (UNIX)
//  by the compiler.
//
//  to compile on Windows:
//  cl /GS /W4 /WX banned_test.c
//
//  to compile on UNIX:
//  gcc -Wall -Werror banned_test.c
 
#if defined _WIN32
 
#include <windows.h>
#endif    // _WIN32
 
#include <stdio.h>
#include <string.h>
#if defined _WIN32
 
size_t my_strlen(const char *string)
{
  size_t len;
  #pragma warning(push)
  #pragma warning(disable:4995)
  len = strlen(string);
  #pragma warning(pop)
  return len;
}
 
#else
#define my_strlen strlen
#endif    // _WIN32
 
#include "banned.h"
 
int main(int ac, char **av)
{
  char *str = "foo";
  #if defined _WIN32
  UNREFERENCED_PARAMETER(ac);
  UNREFERENCED_PARAMETER(av);
  #endif    // _WIN32
  #if defined _WIN32
  (void)printf("len is %Id\n", strlen(str));
  #else
  (void)printf("len is %zd\n", strlen(str));
  #endif    // _WIN32
  return 0;
}

Note that this code requires the use of Microsoft’s banned.h header file, which can be downloaded here. Stick it in the same directory as the above source file.

To compile the sample in Windows from a Visual Studio Command Prompt:


cl banned_test.c /GS /W4 /WX

As expected, this program will generate an error when run:


banned_test.c

banned_test.c(50) : error C2220: warning treated as error - no 'object' file generated

banned_test.c(50) : warning C4995: 'strlen': name was marked as #pragma deprecated

Now edit banned_test.c and change the strlen on line 50 to my_strlen and recompile:


cl banned_test.c /GS /W4 /WX

It should compile without error. Now run it and you should see:


len is 3

Nifty.

The same code works without change on UNIX (tested on NetBSD):


gcc -Wall -Werror banned_test.c

As with the Windows example, running the program will generate an error, as expected:


banned_test.c:52:31: error: attempt to use poisoned "strlen"

Again, change the occurrence of strlen (this time on line 52) to my_strlen and recompile. It will work and when run, it will say:


len is 3

What’s going on here is simple. While we are banning use of the strlen function, we are still allowing its use selectively through a wrapper that we have “grandfathered in.” This is easy to accomplish in UNIX: we simply 

#define my_strlen strlen

prior to including banned.h and use that function call entry point instead. Problem solved. This is not as easy to accomplish with Windows, however, as cl.exe has no notion of “grandfathering in” deprecated APIs. So what we do is wrap strlen in another function. We ignore the deprecation warning that occurs where we make the call to strlen through the judicious application of some Visual Studio-specific pragma instructions. Now all need to do is call in to our new function entry point. We’re good to go. The Windows solution requires a little more work up front, but turns out to be not so hard to accomplish after all.

Tags: ,
Posted in Development, SDL | No Comments »

Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC

November 23rd, 2009 by

Casaba had the opportunity to contribute to a new Microsoft paper regarding ASP.NET MVC security. It's online through the SDL pages, and here's the paper's direct link. A short summary of the paper follows.

The SDL preaches 'secure by default'. When Windows Live moved to ASP.Net MVC, they used that opportunity to build mitigations into the framework that prevent developers from making accidental errors which result in security flaws. Specifically, they targeted these three security issues – XSRF, Open redirects and JSON hijacking.

For XSRF, the mitigation was that all HTTP requests are checked for a canary by default except for HTTP GET requests. Developers can also opt-out specific pages or functionality. This automatic ‘on-by-default’ canary checking prevents accidental errors which lead to XSRF.

For Open redirects, Windows Live added a wrapper around the Redirect result in ASP.Net MVC which checks a list of approved domains. This way when a developer called Redirect and forgot to ensure it was safe, the wrapper would cover them automatically.

For JSON hijacking, they ensure that the JSON result included a canary check by default. This prevented developers from being able to return JSON without a canary, thus preventing JSON hijacking.

Tags: ,
Posted in Code Review, Development | No Comments »

« Older Entries