Archive

Archive for October, 2007

IE 7 Install on XP Potentially Confusing to End Users

While building a fully patched Windows XP VM the other day, I decided to also install IE7. For the sake of "snapshotting", however, I first performed a full update (via Windows Update) but unchecked IE7. After I rebooted and took a snapshot, I went back to install IE7. Windows Update downloads the file and kicks off the installer, but then you're left with the IE7 standalone installer. I started clicking through the various options and got to a screen: "Would you like to download the latest updates for Internet Explorer 7?" I wanted this VM fully patched, so I checked the box, and the next screens I saw said "Downloading Updates" and "Installing Updates". The install finished (IE version: 7.0.5730.13) and I figured I was good to go; however, I always do one last run of Windows Update to check the "Optional" updates to see if there's anything I need. I ran Windows Update and, lo and behold, I had a new critical update waiting for me... the patch for MS07-050. Apparently "download and install updates" doesn't mean all updates from Microsoft, just the ones they want to give you. This leaves me slightly concerned: if, as a regular user, I go and use Windows Update to obtain IE7, I could be vulnerable until I decide to visit the page again. So let's say I'm anti-Automatic Updates, but I still browse to Windows Update once a month; that's a potential 30 day window where the system is vulnerable. If I only check every couple of months, that window increases. Bottom line: if a piece of software tells you that it is checking for updates... it should obtain all updates, not a subset of them.

Categories: IT, Security

Sulley Fuzzing Framework

I installed the Sulley Fuzzing Framework ( pdf | download ) when it was first released... unfortunately lack of time kept me from playing with it... in fact, I downloaded it again tonight because I'd forgotten that I'd installed it. Tonight I noticed a post to the fuzzing mailing list and decided to play around for a few minutes to see if I could answer the question. After a few minutes familiarizing myself with the framework (read: browsing the sample "fuzzies"), I jumped into the example given in the mailing list post. After about 10 minutes I came up with:

from sulley import *

# Request definition: one block, rendered once per verb in the "verbs" group
s_initialize("HTTP")
s_group("verbs", values=['GET', 'HEAD', 'POST', 'TRACE'])
s_block_start("header", group="verbs")
s_delim(' ')
s_delim('/')
s_string('index.html')
s_delim(' ')
s_string('HTTP')
s_delim('/')
s_string('1')
s_delim('.')
s_string('1')
s_static('\r\n\r\n')   # static: never mutated
s_block_end()

# Session: target host "shell" on port 80, progress tracked in tmp.log
sess = sessions.session(session_filename="tmp.log")
sess.add_target(sessions.target('shell', 80))
sess.connect(s_get("HTTP"))
sess.fuzz()

and I even got back some output:

[02:52.53] fuzzed 0 of 18092 total cases
[02:52.53] fuzzing 2 of 18092
[02:52.53] xmitting: [1.1]
[02:52.55] fuzzing 3 of 18092
[02:52.55] xmitting: [1.2]

Wireshark also showed promising data:

POST /index.html HTTP/1.1\r\n
TRACE /index.html HTTP/1.1\r\n
GET /index.html HTTP/1.1\r\n
GET /index.html HTTP/1.1\r\n
GET /index.html HTTP/1.1\r\n
etc....
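As an added example (not code from the original post, and not Sulley's own code), here is a stand-alone model of the block/group expansion that turns a request definition like the one above into test cases: one fuzzable primitive is mutated at a time, the static trailer is never touched, and the block is repeated once per group value with that value rendered in front of it. The class names and mutation lists are hypothetical stand-ins for Sulley's real string and delimiter libraries, so the case count here is far smaller than the 18092 Sulley reported.

```python
# Added example; not code from the original post and not part of Sulley.
# A small model of how a grouped block like the "HTTP" request above is
# expanded into test cases: one fuzzable primitive is mutated at a time, the
# static trailer is never touched, and the whole block is repeated once per
# group value with that value rendered in front of it. The mutation lists are
# short hypothetical stand-ins for Sulley's real string/delimiter libraries.

OVERFLOW_LENGTHS = (128, 1024, 4096, 65535)
FORMAT_STRINGS = ("%s" * 8, "%n" * 8, "%x" * 16)
TRAVERSAL = ("../" * 16 + "etc/passwd", "..\\" * 16 + "boot.ini")


class Primitive:
    """Non-fuzzable by default: rendered as-is with no mutations (s_static)."""
    fuzzable = False

    def __init__(self, value):
        self.value = value

    def mutations(self):
        return []


class Static(Primitive):
    pass


class Delim(Primitive):
    """s_delim stand-in: drop the delimiter or repeat it to stress tokenisers."""
    fuzzable = True

    def mutations(self):
        return [""] + [self.value * n for n in (2, 10, 100, 1000)]


class String(Primitive):
    """s_string stand-in: long runs, format strings, traversal, NUL, empty."""
    fuzzable = True

    def mutations(self):
        return (["A" * n for n in OVERFLOW_LENGTHS]
                + list(FORMAT_STRINGS) + list(TRAVERSAL)
                + [self.value + "\x00", ""])


class GroupedBlock:
    """A block bound to a group: rendered once per group value, value first."""

    def __init__(self, group_values, items):
        self.group_values = list(group_values)
        self.items = list(items)

    def render(self, group_value, mutant=None, mutation=None):
        """Render the block with at most one primitive replaced by a mutation."""
        parts = [group_value]
        for item in self.items:
            parts.append(mutation if item is mutant else item.value)
        return "".join(parts).encode("latin-1")

    def num_cases(self):
        """One test case per (group value, fuzzable primitive, mutation)."""
        per_value = sum(len(i.mutations()) for i in self.items if i.fuzzable)
        return len(self.group_values) * per_value

    def cases(self):
        """Yield every test case in the order a one-at-a-time fuzzer sends them."""
        for gv in self.group_values:
            for item in self.items:
                if not item.fuzzable:
                    continue
                for m in item.mutations():
                    yield self.render(gv, item, m)


# Same shape as the s_block_start("header", group="verbs") definition above.
HTTP_REQUEST = GroupedBlock(
    ["GET", "HEAD", "POST", "TRACE"],
    [Delim(" "), Delim("/"), String("index.html"), Delim(" "),
     String("HTTP"), Delim("/"), String("1"), Delim("."), String("1"),
     Static("\r\n\r\n")],
)

if __name__ == "__main__":
    print(HTTP_REQUEST.num_cases(), "cases")
    for i, case in enumerate(HTTP_REQUEST.cases()):
        if i < 6:
            print(repr(case[:48]))
```

Two things worth noticing when you run it: every case still ends in the untouched `\r\n\r\n` trailer (that is what s_static buys you), and the verb is never mutated because it comes from the group, not from a fuzzable primitive inside the block. Swapping the mutation lists for realistic libraries is what drives the count into the thousands.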

I can't wait to play around some more and find some interesting things to do with the framework... expect more blog posts on the subject as I start to investigate it.

Categories: IT, Security

Domain Name Addiction and How It Lead Me to a Domain Appraisal Scam

Hello, my name is Tyler and I have a problem... I'm a domain name addict.

Yes that's right... I buy domain names... stupid domain names that are completely useless... and I'm up to 35 of them. As a result I've decided that I might as well post all the ones I don't use on Sedo in an attempt to at least get back what they cost me. Basically I posted every domain I own (with one or two exceptions), figuring that if I get a high enough offer, I'll see it anyway. Within a few hours of posting SecurityBloggers.net I had an email offer... My conclusion is that the offer was an attempt to steal the domain, so I figured I'd share the email exchange...

First email - Tues, Oct 16 - 2:30AM

Hello,

We are interested in securitybloggers.net

Your name was listed in an online auction. What is your price for the name?

Our company is involved in software development/support business.

Now domain investing/reselling is just an additional direction of our investment strategy.

Looking forward to doing business with you.

Regards,
Anthony McQueary
President
TG Logitech

Notes on this email:

  • At the time, TG Logitech returned no relevant Google results (Since then, someone else has written about this scam)
  • The email came from a dialup account in Russia via smtp01.mtu.ru
  • The email domain was ToughGuy.net, which I can't seem to browse to now, but at the time was HotPop, a free POP/SMTP email provider.

I responded with:

Hello,

My prices are listed on SEDO and I am doing business via SEDO... I'm interested in $2000.

I have not been able to find any information related to your company online, what is the website?

Thank you,
Tyler.

2 hours later I received this:

Sorry for the delay. Members of my family were celebrating the newborn child of my sister.

Now let's talk about the deal.

2,000 USD. Ok.

Do you sell domain with a web site or just name?

If just name it's ok. Web site is not necessary.

Have you had your domains appraised already? Can you show me your valuation certificates? As far as I know it's a common practice to show an appraisal of a domain name (even without traffic and a web site) before doing business.

Without an appraisal I risk overpaying. In other words I won't be able to make a profit on reselling this name. It's very important for you and me to know the current market value of your domains.

Of course, we must be sure that you are engaging an appraisal company with REAL manual service. I heard many appraisal companies often make inaccurate auto-generated appraisals. I will only accept appraisals from independent sources I trust. To avoid mistakes I asked domain experts about reputable appraisal companies in a forum:

http://domaintalk.ourplace.com/Archive/972846.htm

Just check this posting.

If the appraisal comes higher you can adjust your asking price accordingly.
I also hope you can give me 10% - 15% discount of the appraised value.

After I get an appraisal from you we'll continue our negotiations.

How do you prefer to get paid: www.escrow.com, www.PayPal.com, check or wire?

Hope we can come to an agreement fast.

Looking forward to your reply.

A couple of changes this time:

  • smtp03.mtu.ru was the SMTP server used
  • The display name changed from TG Logitech to McQueary

I responded the following morning with:

I'm sorry but it seems that the page you listed wasn't available...

As for the price, it is not based on appraisal... While I have posted the site for sale, I am intent on keeping the site, unless someone offers me the price mentioned ($2000)... so I'm unconcerned with the results of an appraisal.

Less than an hour later I received a response, again with McQueary as the display name but this time from smtp01.mtu.ru:

This is a regular practice to provide buyers or resellers with professional and independent valuation. Serious investors must be sure of your price.
Without it they risk overpaying.

Anyway, you won't be able to sell without professional appraisal.

Of course, serious investors cannot accept auto-generated services. They need an accurate valuation made by humans not scripts.

My response:

That's ok.. as I said... I'm not interested in serious investors.

After that the emails magically stopped and I haven't heard anything else... I couldn't find anything a couple of days ago, and now I've seen my blog post and the one linked above... obviously this scam is just starting (although the premise of the scam isn't exactly new)... so keep an eye out for overly agreeable domain buyers.

UPDATE: More information here.

Categories: IT

Winner: Lame Vuln of the Year Award

I saw a blog post over at McAfee Avert Labs (normally their blog is one of my favourite reads) and I'm not really sure what to think. At first I thought it was a joke... but apparently they are serious. The bug that they are reporting is this:

  1. Connect a Windows Mobile device to your computer via USB.
  2. Sniff the USB Connection
  3. Convince the user to enter their password
  4. Capture the decryption key + encrypted characters
  5. Decrypt the password

Now here's my thought... if you've got the ability to sniff the USB connection, why not put a key logger on the keyboard? It's probably a heck of a lot easier. Now this blog post serves as an introduction to a white paper that McAfee has released, "Mobile Malware: Threats and Prevention." The white paper is actually interesting; while written at a very high level, the discussion on SMS blocking via the API was interesting and made everything worthwhile. It is, however, unfortunate that they chose to introduce the paper with this blog post. I'm hoping we'll see more follow-up on the paper, including a much lower level discussion on SMS blocking and utilizing the API.

Categories: IT, Security

1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa

Earlier a colleague pasted me an entry from his DNS server logs; a very odd request was being made from a machine on his local network: 1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa: type PTR, class IN. We both did some quick Googling and found an interesting patent from Apple, "A Method and apparatus for detecting incorrect responses to network queries." This was about the only interesting link, and claim 7 of the patent reads: The method of claim 6, wherein the format for the exploratory query is for the name "1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa.".

Another link pointed to an old mailing list post from the Unsupported OS X mailing list. An OS X user, upon upgrading from 10.4.3 to 10.4.4, noticed that his "old school" MacDNS server was crashing when the above request was made. More specifically, the request was accepted, not resolved locally, and passed on to the ISP's DNS server; the failure response was the actual cause of the crash.

I decided to do some digging and found a very brief mention of Bonjour, so I browsed over to the Apple website and downloaded and installed Bonjour for Windows. I also opened Wireshark, filtered to capture DNS only, to watch for any odd traffic. One of the last steps in the install was "Setting up Bonjour Service". This service is set to automatic and starts the file "C:\Program Files\Bonjour\mDNSResponder.exe". Within seconds of seeing that message, I noticed the above DNS request go by in Wireshark.

Now if anyone sees this strange request in their DNS logs and Googles for an answer, hopefully they'll find this... and for anyone interested, here's the packet:

0000 00 00 24 c2 74 51 00 1a 92 2f df 91 08 00 45 00 ..$.tQ.../....E.
0010 00 59 6f 40 00 00 ff 11 c8 9c c0 a8 01 65 c0 a8 .Yo@.........e..
0020 01 01 db 12 00 35 00 45 8b 30 79 b9 01 00 00 01 .....5.E.0y.....
0030 00 00 00 00 00 00 01 31 01 30 01 30 03 31 32 37 .......1.0.0.127
0040 0a 64 6e 73 62 75 67 74 65 73 74 01 31 01 30 01 .dnsbugtest.1.0.
0050 30 03 31 32 37 07 69 6e 2d 61 64 64 72 04 61 72 0.127.in-addr.ar
0060 70 61 00 00 0c 00 01 pa.....
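As an added example (not code from the original post), the following decodes the hex dump above with nothing but the Python standard library and flags the probe the way a DNS log-review script might. The dump text is the capture from the post; the function names and the `is_dnsbugtest_probe` helper are this example's own, and the probe check is written to accept the trailing dot that resolver logs often print.

```python
# Added example, not code from the original post: decode the Wireshark hex
# dump above (Ethernet -> IPv4 -> UDP -> DNS) with the standard library only,
# then flag the Bonjour "dnsbugtest" probe the way a log-review script might.
# HEXDUMP is the capture from the post; the helpers are this example's own.
import re
import struct

HEXDUMP = """\
0000 00 00 24 c2 74 51 00 1a 92 2f df 91 08 00 45 00 ..$.tQ.../....E.
0010 00 59 6f 40 00 00 ff 11 c8 9c c0 a8 01 65 c0 a8 .Yo@.........e..
0020 01 01 db 12 00 35 00 45 8b 30 79 b9 01 00 00 01 .....5.E.0y.....
0030 00 00 00 00 00 00 01 31 01 30 01 30 03 31 32 37 .......1.0.0.127
0040 0a 64 6e 73 62 75 67 74 65 73 74 01 31 01 30 01 .dnsbugtest.1.0.
0050 30 03 31 32 37 07 69 6e 2d 61 64 64 72 04 61 72 0.127.in-addr.ar
0060 70 61 00 00 0c 00 01 pa.....
"""

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")
QTYPES = {1: "A", 12: "PTR", 28: "AAAA"}
# The exploratory name from claim 7 of the Apple patent; the optional trailing
# dot covers the fully qualified form a resolver log may print.
DNSBUGTEST = re.compile(
    r"1\.0\.0\.127\.dnsbugtest\.1\.0\.0\.127\.in-addr\.arpa\.?", re.I)


def hexdump_to_bytes(dump):
    """Wireshark-style dump (offset, up to 16 hex bytes, ASCII column) -> bytes."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        for tok in tokens[1:17]:             # tokens[0] is the offset column
            if not HEX_BYTE.fullmatch(tok):  # first non-hex token: ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)


def read_name(msg, off):
    """Decode a DNS name at msg[off:], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name at its original position)."""
    labels = []
    end = None                        # where parsing resumes after a pointer
    for _ in range(128):              # a 255-byte name holds at most 127 labels
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("malformed name: too many labels or pointer loop")
    return ".".join(labels), (end if end is not None else off)


def parse_dns_query_frame(frame):
    """Ethernet -> IPv4 -> UDP -> first DNS question; ValueError otherwise."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    dns = udp[8:ulen]
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = read_name(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport, "id": txid, "flags": flags,
        "qname": qname, "qtype": qtype, "qclass": qclass,
        "qtype_name": QTYPES.get(qtype, str(qtype)),
    }


def is_dnsbugtest_probe(qname, qtype):
    """True for the mDNSResponder loopback probe; a plain 127.0.0.1 PTR
    lookup or any other qtype is not it."""
    return qtype == 12 and DNSBUGTEST.fullmatch(qname) is not None


if __name__ == "__main__":
    q = parse_dns_query_frame(hexdump_to_bytes(HEXDUMP))
    print("%s:%d -> %s:%d  %s %s" % (q["src"], q["sport"], q["dst"],
                                      q["dport"], q["qtype_name"], q["qname"]))
    print("dnsbugtest probe:", is_dnsbugtest_probe(q["qname"], q["qtype"]))
```

Run as-is it prints the 192.168.1.101 → 192.168.1.1 PTR query from the capture and reports it as the probe; pointing `parse_dns_query_frame` at other frames, or `is_dnsbugtest_probe` at qnames pulled from your resolver's query log, is the obvious next step if you want to confirm that a noisy client is just mDNSResponder starting up.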

Categories: IT

Interesting Issue with Silc

I decided to buy a hosted VPS the other day and I'm still in the process of setting everything up and ironing out the kinks. I finally got around to installing some software, which included silc. For those of you that don't know, silc is like encrypted IRC.

So when you get a VPS they give you root access and it's up to you to configure / lock down the system however you want. So the first thing I did was create a user account. I created the account htregz (some of you may remember it's what I originally posted under here, and it's a name I generally use). I set up silc (which involves providing a passphrase so that a keypair can be generated). It worked without a hitch and I connected to a few of the silc networks I occasionally visit. However, I decided that I'd use ht instead of htregz, so I created a new account, removed the htregz account and connected as ht. Again I went to run silc so that I could provide a passphrase; however, this time errors were generated. I tried a couple of things but nothing was successful, so I removed the ht account and recreated the htregz account. Again with the htregz login I was able to get silc up and running without a hitch. At this point I was intrigued, so I created a dummy account with a two letter username (te for test). The te account was created exactly the same way as the htregz account:

[root@XXX /]# useradd -G wheel -m -s /bin/bash htregz
[root@XXX /]# passwd htregz
Changing password for user htregz.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@XXX /]# useradd -G wheel -m -s /bin/bash te
[root@XXX /]# passwd te
Changing password for user te.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@XXX /]#

I logged in as te and once again, I couldn't get silc up and running... the error message was:

[te@XXX ~]$ silc
Could not create public key identifier: Success
Could not create public key identifier: Success
Wrong permissions in your private key file `/home/te/.silc/private_key.prv'!
Trying to change them ... Failed to change permissions for private key file!
Permissions for your private key file must be 0600.

Apparently silc cannot successfully handle two-character usernames.

For those that are wondering about my version of silc, it is:

SILC Client 1.1.2 (Irssi base: 0.8.11+ - SILC base: SILC 1.1.2) (20070704 20070704)

Categories: IT, Tools

Microsoft BlueHat Talks Online

Categories: IT, Security

Scientific Atlanta Explorer 8300

After a week of headaches and hassles, I've got a PVR... actually I'm on my third PVR since Friday. The first one had NIC-related issues (it couldn't get an IP address), the second one had HDD-related issues (it couldn't record anything), so let's hope this third one works. So now I've got a Rogers branded Explorer 8300 sitting in my living room, on top of my Symphonic CSHP80G [manual].

So now to share a few things about the Explorer 8300 (and I invite everyone to post comments or fire me emails with additional notes... we'll grow this into the ultimate resource). Please note that some of this will be Rogers specific.

Information:

Rogers Specific:
  IP Address: 47.15.X.X [ARIN search: Bell-Northern Research (Nortel Networks)]
  Subnet Mask: 255.255.192.0
  Rogers OnDemand App: bfs://apps/HW/Smilp.ptv [Version: 4.1.1.7; AppID: 101; EID: 0x01A3; Size: 415K]

Hard Drive Info:
  Model: Western Digital Caviar [WDC WD800BB]
  Size: 80GB
  Partition Information:
    Partition 1: FS: ITFS; Size: 1GB; Free: 995MB
    Partition 2: FS: AVFS; Size: 72GB; Free: 66GB
    Partition 3: FS: Reserved; Size: 1GB; Free: 0K

Other:
  OS Version: 6.14.79.1
  Files with Errors: config.c; CHDDCacheFiller.cpp
  Accessing Diagnostic Menu: Hold Select until the message light appears -> Press Info -> Navigate with the volume keys (all on the device, not the remote)

Enjoy!

Categories: Interesting Stuff