Episode289

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 289 for Thursday May 24th, 2012

  • Episode 300 of PaulDotCom Security Weekly will be recorded and streamed live on August 31st in support of something. We will broadcast live from 10am until 6PM Eastern time and the show will feature tech segments, round table discussions and special guests. Mark it on your calendars today!

Episode Media

MP3

Guest Technical Segment: Zach Lanier

Introduction

Zach Lanier is a Security Researcher with Veracode. Prior to joining Veracode, Zach served as Principal Consultant with the Intrepidus Group, Senior Network Security Analyst at Harvard Business School, and Security Assessment Practice Manager at Rapid7. Zach likes Android, vegan food, and cats (but not as food).

Zach lanier.jpg

Questions

  1. How did you get your start in information security?
  2. Has Android security improved with Ice Cream Sandwich?
  3. How do you expect security to be affected with the recent acquisition of Motorola?
  4. Should users be concerned with the various marketplaces for Android, such as Amazon's?
  5. How fundamentally more secure is Blackberry than Android?
  6. Can you comment on the privacy expectations companies have regarding data being funneled thru Blackberr's servers?

Tech Segment:

Teasers & Plugs

  • Be sure to tune in to next week's show featuring a tutorial on SQL injection by hand to be presented by Allison Nixon and a special Network Forensics Contest announcement for BlackHat being put on by the good folks at Lake Missoula Group. That's Thursday May 31, 2012 at 6PM EDT. You can watch us live at http://pauldotcom.com/live or watch the recorded episodes on Ustream or Blip.tv

Firmware Analysis

In earlier versions of TabletOS (1.0.1 - 1.0.3), X.509 certificate checks weren't enforced, facilitating interception of the system update process. Upon first boot, or during a scheduled or manual update check, the PlayBook polls a BlackBerry update server (https://playbook.websl.blackberry.com) for available updates, or "bundles" (which, mind you, are signed):

Zach1.png

A list of available bundles, which in turn list firmware/OS updates and system applications, is returned. Next, the tablet requests information for the path to a specific bundle (over HTTPS), and is returned an HTTP URL containing the requested bundle:

Zach2.png

After capturing a few update requests/responses and getting enough information, a Python script was developed to list and retrieve bundles directly, sending the update server the appropriate information about the target tablet (PIN, hardware ID, etc.):

Zach3.png

Once a target bundle is selected with package_get.py, we can use the very same script to retrieve all of the files in that target bundle. In particular, qcfm-os-factory-<VER>.bwrap.signed.bar (which is the BAR or ZIP file containing the OS partitions themselves, where <VER> is the target version, such as 1.0.9).

Unzipping the aforementioned file yields a binary blob starting with 6D 66 63 71 (or "mfcq" in ASCII):

Zach4.png

To get a better grasp on what was actually in this file, we looked at known-good QNX6 partitions, thanks to the QNX Software Development Platform (SDP). The magic bytes for the QNX partitions are:

Zach5.png

Of which we found a few occurrences in the blob:

Zach6.png

Running the chkqnx6fs command (in the QNX SDP) on the target file to snag superblock information reveals a bit more:

Zach7.png

As it turns out, the layout of the filesystem blob doesn't appear to match the length and layout reported by chkqnx6fs. So, we investigated another appropriately named tool, this one provided by the PlayBook simulator, called qcfp. We fed it the binary blob, along with an argument to provide information about the first (or zeroth) partition:


Zach8.png

The offsets of blocks reported by the qcfp tool revealed the proper layout of this partition, showing the starting offset and length of each segment of the partition:

Zach9.png

Revisiting the firmware header itself, we see this layout appear a total of five times, representing five distinct partitions in this blob:

Zach10.png
Zach10.png

This is a QCFM "envelope", and each QCFP header therein represents a distinct partition, including:

  • 0: a "dummy" or seemingly unused partition
  • 1: a partition containing a signature cookie
  • 2: the IFS or system bootstrap image
  • 3: the OS/root filesystem itself
  • 4: another seemingly unused/dummy partition

As the block offsets and counts in the QCFP headers didn't match the apparent length of the file, it turns out that the space in between each chunk is just padded with null bytes. Knowing this, another Python script was written to extract and "expand" the partitions correctly (qcfm_parse.py). From here, the system partition could simply be mounted in the QNX SDP, and the IFS image analyzed for interesting information (system utility: ifsdump, or the created wrapper, ifs_parse.py).


(The QCFM scripts are available at https://github.com/intrepidusgroup/pbtools)

Stories

Teasers & Plugs

  • DerbyCon Call for Papers and Ticket Registration is: available online. If you have not yet registered or submitted a talk, please do so now.
  • Security BSides everywhere: Pittsburgh, Detroit, Cleveland, Las Vegas, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!

Paul's Stories

  1. Inquiry is told of 64 complaints against Secret Service agents; Colombia scandal not isolated - In terms of security, this is bad. One of the primary reasons for "clearance" is that you don't have stuff that people can bribe you with. In the context of the Secret Service, soliciting a hooker is just the worst case scenario. This could be used as a weapon to obtain information about the security of the President. Bad, bad, and more bad.
  2. Web Application Penetration testing with Google Chrome Browser - Nice list of plugins to use on your next web app pen test.
  3. Gaining Administrative Shell Access Via Command Injection - Great tutorial on how web applications can lead to so much more. Use this example to show how web application vulnerabilities carry weight when it comes to risk. I believe thats one of the reasons that we don't give a high enough priority to web app vulns, we can't immediately see the reprocussions. The fix is not always as easy as applying a patch (and even that is complicated) and requires educating developers, giving QA training and tools, etc...
  4. Anatomy of a security hole – the break that broke sudo | Naked Security - This has to be one of the best descriptions of a vulnerability I've read in some time. It boils down to programming 101, and forgetting the break statement in a switch statement. The break statement between the IPv4 checking and the IPv6 checking was left out. So if the IPv4 checks failed, the IPv6 checks - inappropriate in the circumstances - were tried instead. With nothing to match against nothing, the checks succeeded, even though they had already failed in the IPv4 code above. Which leads to people with sudo access who shouldn't have it. Nice (or not).
  5. Security you won't hate - Focus Group - YouTube - Very funny video describing security (sudo make me a fucking shit sandwich!).
  6. Free Wi-Fi: Friend or Foe? Infographic - The defensive recommendations are far beyond most users. We need to make Wifi security simple, maybe some layer 2 protections might help? This graphic will not, and just futher confuse people.
  7. Dissecting A Hacktivist Attack
  8. Nmap Port Scanner 6.00 - IPv6 support is amoungst the list of cool stuff. What I really want to see happen is automatically downloading new NSE scripts rather than having to do a full upgrade to get them...
  9. Defend your phone against loose networks? There’s an app for that - The vulnerability, “off-path TCP sequence number inference”, can allow hijacking of Web pages users are trying to visit. The researchers say that some types of stateful firewalls, designed to drop packets without valid TCP sequence numbers, can be attacked by an insider that’s able to guess TCP sequence numbers of other users, and use this as the basis of a redirection. Back to basic TCP hijacking, made possible by mobile devices. I have to say, we're doomed for failure if we don't learn from the past in terms of security and mobile phones. Check out one of the references in the paper: CERT Advisory CA-1995-01 IP Spoofing Attacks and Hijacked Terminal Connections. http://www.cert.org/ advisories/CA- 1995- 01.html Yea, hacking like its 1995!
  10. Indian SMBs Facing Advanced Attack Threats - "Lack of awareness and low adoption of security measures makes these cities susceptible to cyber threats and warrants greater vigilance in protecting information assets." Comments on emerging growth of technology in countries and its impact on security?

Larry's Stories

  1. Anatomy of a Hole - [Larry] - Intersting analysys and coments of the recent sudo hole. It is interesting (to me) to see how such a simple coding mistake can cause such large issues.
  2. Porn Filter? - [Larry] - Grr, ISP required to filter porn? One, that's a tragedy! Two, when they base it on some flawed technology, this really grinds my gears.
  3. Incoming Yahooligans! - [Larry] - No not the kids website. Yahoo forays into the browser market (Uh, why?), and rushes out a product. They forget the terms of service, and leave a bug in the initial release that allows for the spoofing of browser plugins. *sigh*
  4. NMAP 6.00 released - [Larry] - 4x the NSE scripts, full IPv6 support and more SPEED! Thanks Fyodor and team! Of course on my Mac with Homebrew the build fails and I have to
  5. Searching virus total - [Larry] - Neat, no items needed for submission, but you can search with all sorts of options with a Virus total API key. Might be interesting to see how may others are submitting the same encoded metasploit payload.
  6. Yahoo peed... - [Larry] - Oops. Axis Chrome plugin includes the private yahoo extension key allowing anyone to sign chrome plugins.

Jack's Lonely Little Stories

  1. TrueCrack an Open Source brute force tool for TrueCrypt encrypted volumes. No need to panic, it is (at least for now) pretty limited in capability.