Saturday, December 18, 2010

PS3 Private keys leaked: Console Hacking


The 27th annual Chaos Communication Conference already hacked encrypted GSM calls with a $15 cellphone, but there was a second surprise in store this morn -- the souls who unlocked the Nintendo Wii's homebrew potential (and defended it time and again) claim to have broken into the PlayStation 3 as well. Last we left the black monolith, Sony had won a round, forcing the community to downgrade their firmware for any hope at hacking into the console. Well, the newly formed fail0verflow hacking squad says that won't be a problem any longer, because they've found a way to get the PS3 to reveal its own private cryptography key -- the magic password that could let the community sign its very own code.

Monday, December 13, 2010

Browser Fuzzing Tool: Cross_Fuzz


Ref_fuzz and cross_fuzz are a pair of fuzzers developed to stress-test DOM bindings in popular browsers. Both of these tools turned out to be dead effective against WebKit, Firefox, and Opera.
Cross_fuzz is an effective cross-document DOM fuzzer that enables researchers to identify vulnerabilities and bugs in web browsers. The tool was released by Michal Zalewski on the first day of January 2011. Zalewski claims the fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.
Fuzzing means testing a program, here a browser, with conditions and inputs generated with a random element. The objective is to create unexpected conditions and see whether the browser under test handles error conditions and stress properly without revealing too much information.
With this extended capability, cross_fuzz started revealing potential 0-days. It can also be easily extended to fuzz any DOM-enabled document or browser plugin simply by providing new target documents. But because of the design of the fuzzer, it is difficult to get clean, deterministic output.
The tool's design is also cruel to the point of torturing a browser's DOM engine. The fuzzer has so much randomness in it that reproducing an error is often difficult. Many of the reports sent to vendors from the use of this tool remain vague, which makes them difficult to fix. Zalewski has released the tool in the hope that community involvement will help make it more useful to developers.
But the tool found several exploitable and fairly well-defined vulnerabilities in Internet Explorer, which Zalewski reported to Microsoft in July. They acknowledged receipt but did not reply further until just recently, when they asked that the release of the tool be delayed.
The following summarizes notification and patch status for all the affected vendors:
  • Internet Explorer: MSRC notified in July 2010. Fuzzer known to trigger several clearly exploitable crashes (example stack trace) and security-relevant GUI corruption issues (XP-only, example). Reproducible, exploitable faults still present in current versions of the browser. I have reasons to believe that one of these vulnerabilities is known to third parties. Comment: Vendor has acknowledged receiving the report in July (case 10205jr), but has not contacted me again until my final ping in December. Following that contact attempt, they were able to quickly reproduce multiple exploitable crashes, and asked for the release of this tool to be postponed indefinitely. Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused; see this timeline for more.
  • All WebKit browsers: WebKit project notified in July 2010. About two dozen crashes identified and addressed in bug 42959 and related efforts by several volunteers. Relevant patches generally released with attribution in security bulletins. Some extremely hard-to-debug memory corruption problems still occurring on trunk.
  • Firefox: Mozilla notified in July 2010. Around 10 crashes addressed in bug 581539, with attribution in security bulletins where appropriate. Fuzzing approach subsequently rolled into Jesse Ruderman's fuzzing infrastructure under bug 594645 in September; from that point on, 50 additional bugs identified (generally with no specific attribution at patch time). Several elusive crashes still occurring on trunk. Bad read / write offset crashes in npswf32.dll can also be observed if the plugin is installed.
  • Opera: vendor notified in July 2010. Update provided in December states that Opera 11 fixed all the frequent crashes, and that a proper security advisory will be released at a later date (release notes list a placeholder statement: "fixed a high severity issue"). Several tricky crashes reportedly still waiting to be resolved. Note that with Opera, the fuzzer needs to be restarted frequently.
Zalewski has updated his timeline of work on this tool, the vulnerabilities found with it and his communications with Microsoft to indicate that the earlier version of the fuzzer provided to Microsoft in July did indeed produce the crashes.
Further Information:
Downloading the tool:  Click Here
IMPORTANT: You need to allow popups from lcamtuf.coredump.cx for the fuzzer to work properly.

Thursday, November 18, 2010

Open source Book: PKI Implementation


A guide to PKIs and Open–source Implementations
Symeon (Simos) Xenitellis
OpenCA Team
Copyright © 1999, 2000 by Symeon (Simos) Xenitellis
This document describes Public Key Infrastructures, the PKIX standards, practical PKI functionality and gives an overview of available open–source PKI implementations. Its aim is to foster the creation of viable open–source PKI implementations.
The latest version of this document can be found at the OSPKI Book WWW site at http://ospkibook.sourceforge.net/.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being the chapters Chapter 13 ("Contributions") and the Colophon ("About this document"), with Front-Cover Texts being the text "The Open–source PKI Book, A guide to PKIs and Open–source Implementations" and with Back-Cover Texts being the text "The author's studies are funded by State's Scholarship Foundation (SSF) of Greece". A copy of the license is included in Appendix E entitled "GNU Free Documentation License".

Thursday, November 11, 2010

Black hat 2010


Two researchers at the Black Hat conference in Las Vegas on Thursday exposed 24 ways hackers can hijack seemingly secure browser sessions.
Robert Hansen and Josh Sokol demonstrated methods attackers can use to take over users' accounts or assume control of a website without the need for any exploits, due to the way browsers implement "HTTPS." HTTPS, a combination of the Hypertext Transfer Protocol with the SSL/TLS Protocol, allows a website owner to encrypt a session using a digital certificate.
For any of the two dozen attacks to work, however, a criminal would have to have assumed control of a user's computer via a man-in-the-middle (MITM) exploit, by which an attacker intercepts communications between two systems.
But the researchers wanted to show that HTTPS protection alone won't stop bad things from happening.

Monday, October 18, 2010

httpry: Packet sniffer


httpry is a tool specialized for the analysis of web traffic. The tool itself can be used to capture traffic (httpry -o file), but other tools such as tcpdump, Snort and Sguil are better suited for that. When it comes to finding out whether certain types of files were downloaded via HTTP, this tool does a super job. It can be used in combination with regular expressions (regex) to find whether a file, a script or a piece of malware was downloaded from a site or by a host, and it will ignore everything else. Whether the HTTP traffic uses port 80, 443, 8080, etc., it will parse and display all of the web traffic with one simple command.
httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications.
What can you do with it? Here's a few ideas:
  • See what users on your network are requesting online
  • Check for proper server configuration (or improper, as the case may be)
  • Research patterns in HTTP usage
  • Watch for dangerous downloaded files
  • Verify the enforcement of HTTP policy on your network
  • Extract HTTP statistics out of saved capture files
  • It's just plain fun to watch in realtime
download link: click here
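A worked example of the regex-based hunting the post describes, added here and not part of httpry or the original post: it parses httpry's logged output and flags executable downloads whatever port they arrived on. It assumes httpry's default tab-separated field order (timestamp, source-ip, dest-ip, direction, method, host, request-uri, http-version, status-code, reason-phrase); the log lines and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample lines in httpry's default tab-separated layout (an
# assumption about the tool's output): timestamp, source-ip, dest-ip,
# direction, method, host, request-uri, http-version, status-code,
# reason-phrase, with "-" where a field does not apply to that line.
SAMPLE_LOG = """\
# httpry log (constructed sample)
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2010-10-18 09:12:01\t10.0.0.21\t203.0.113.10\t>\tGET\twww.example.com\t/index.html\tHTTP/1.1\t-\t-
2010-10-18 09:12:02\t203.0.113.10\t10.0.0.21\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2010-10-18 09:12:05\t10.0.0.21\t203.0.113.10\t>\tGET\tdl.example.com:8080\t/tools/update.exe\tHTTP/1.1\t-\t-
2010-10-18 09:12:09\t10.0.0.33\t198.51.100.7\t>\tGET\tcdn.example.net\t/static/app.js?v=3\tHTTP/1.1\t-\t-
2010-10-18 09:12:11\t10.0.0.33\t198.51.100.7\t>\tGET\tcdn.example.net\t/pkg/setup.EXE?id=7\tHTTP/1.1\t-\t-
2010-10-18 09:12:15\t10.0.0.42\t198.51.100.9\t>\tGET\tfiles.example.org\t/docs/invoice.pdf.scr\tHTTP/1.1\t-\t-
"""

FIELDS = ["timestamp", "source_ip", "dest_ip", "direction", "method",
          "host", "uri", "version", "status", "reason"]

# File types worth a second look when fetched over plain HTTP. The match is
# case-insensitive and runs on the path only, so a query string cannot hide it.
DANGEROUS_RE = re.compile(r"\.(exe|dll|scr|pif|bat|cmd|vbs|jar|msi)$", re.IGNORECASE)


@dataclass
class Request:
    timestamp: str
    source_ip: str
    host: str
    uri: str
    path: str  # request-uri with any query string removed


def parse_httpry(text: str) -> Iterator[Request]:
    """Yield client requests (direction '>') from httpry output, skipping
    comment lines, server responses and lines with an unexpected field count."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["direction"] != ">":
            continue
        yield Request(rec["timestamp"], rec["source_ip"], rec["host"],
                      rec["uri"], rec["uri"].split("?", 1)[0])


def find_dangerous_downloads(text: str, pattern=DANGEROUS_RE) -> List[Request]:
    """Return every client request whose path matches the pattern."""
    return [r for r in parse_httpry(text) if pattern.search(r.path)]


if __name__ == "__main__":
    for hit in find_dangerous_downloads(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.source_ip} fetched http://{hit.host}{hit.uri}")
```

Feed it a real log with `httpry -o file` output in place of SAMPLE_LOG; the header comment lines are skipped automatically.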

Saturday, October 2, 2010

XSS hack on Twitter


A security researcher from Indonesia discovered a persistent XSS vulnerability, also called script injection, on twitter dot com. With this hack, a malicious individual could compromise user accounts or infect them with spyware, malware and adware. It was soon reported to Twitter's security team and corrected.
This hack is mainly due to a lack of input validation on the application name field when accepting new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross-site scripting alert boxes, then your browser is manipulated, finally you enter the matrix (see below), and you get messages from the researcher who found the vulnerability.
This interesting paper walks you through the attack scenario step by step.
As demonstrated in the past, XSS vulnerabilities in Twitter have been successfully used to take over accounts and create worms (Mikeyy, StalkDaily). Infection (account takeover) can be accomplished simply by visiting a profile that includes malicious JavaScript, making a true self-propagating web site worm possible, as opposed to other more recent attacks based on phishing a user's credentials with a fake Twitter login screen. This might be Twitter's first serious cross-site scripting vulnerability since the beginning of this year. Twitter has to correct this quickly, as it was public knowledge before this post, and has been for days.

Saturday, September 18, 2010

Stack buffer overflow vulnerability in LibTIFF 3.9.2


Remote exploitation of a stack buffer overflow vulnerability in version 3.9.2 of LibTIFF, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code with the privileges of the current user.
This vulnerability is due to insufficient bounds checking when copying data into a stack-allocated buffer. During the processing of a certain EXIF tag, a fixed-size stack buffer is used as the destination of a memory copy. This copy can overrun the bounds of the stack buffer, and this condition may lead to arbitrary code execution.
Click here to read further.

Saturday, September 11, 2010

invalid SSL certificates


Security research firm Qualys is attempting to paint a detailed picture of SSL deployments and their shortcomings with a new, still under-development study that aims to deliver a deeper degree of information on the state of the SSL marketplace than what is currently known. Most industry intelligence on the subject thus far has come from Netcraft research reports and from vendor reports.
In its study, Qualys scanned 119 million domain names, but found that only 92 million were active. Approximately 12.4 million domains failed to resolve properly and 14.6 million failed to respond. Of the active domains that did respond, nearly 34 million responded to the Qualys scan on both port 80 and port 443. Port 80 is typically used for HTTP, while port 443 is typically used for HTTPS (SSL-secured) websites.
Digging a layer deeper into the active sites on port 443, Ivan Ristic, director of engineering at Qualys, said in a webcast that he found that only about 23 million of the sites were actually running SSL.
SSL certificates can be generated for any domain name. It is considered to be a best practice that the name on the SSL certificate matches the name of the domain on which the SSL certificate is being used, though Ristic's research shows that's not always the case.
"Only about 3.17 percent of the domain names matched," Ristic said. "So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside."
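To make the "certificate does not match the domain name" finding concrete, here is an added example (not Qualys's code or the article's) that implements the name-matching rule browsers apply (RFC 6125 section 6.4.3: case-insensitive comparison, a wildcard only as the whole left-most label, never crossing a dot, and SANs taking precedence over the CN) and runs it over a constructed set of scan results; every hostname and certificate name below is invented.

```python
from typing import List, Optional, Tuple


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or dNSName SAN) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and must have at least
    # two labels after it, so "w*.example.com" and "*.com" are rejected.
    if c_labels[0] != "*" or len(c_labels) < 3:
        return False
    # "*.example.com" covers "shop.example.com" but neither "example.com"
    # (too few labels) nor "deep.sub.example.com" (wildcard cannot cross a dot).
    if len(c_labels) != len(h_labels):
        return False
    return c_labels[1:] == h_labels[1:]


def certificate_matches_host(hostname: str, subject_cn: Optional[str],
                             san_dns_names: List[str]) -> bool:
    """Decide whether a certificate is valid for hostname. When any dNSName
    SAN is present, browsers ignore the CN and consult only the SANs."""
    if san_dns_names:
        names = san_dns_names
    else:
        names = [subject_cn] if subject_cn else []
    return any(cert_name_matches(n, hostname) for n in names)


# Constructed scan results: (hostname scanned, subject CN, dNSName SANs).
SAMPLE_SCAN: List[Tuple[str, Optional[str], List[str]]] = [
    ("www.example.com", "www.example.com", []),
    ("shop.example.com", "*.example.com", ["*.example.com", "example.com"]),
    ("example.com", "*.example.com", []),            # wildcard does not cover parent
    ("deep.sub.example.com", "*.example.com", []),   # wildcard does not cross a dot
    ("example.net", "www.example.com", []),          # shared-hosting default cert
    ("mail.example.org", "plesk", ["localhost"]),    # appliance self-signed cert
    ("api.example.org", "other.example.org", ["api.example.org"]),  # SAN wins over CN
]


def survey(records) -> Tuple[int, int]:
    """Count how many scanned hosts were served a certificate that names them."""
    matched = sum(certificate_matches_host(h, cn, sans) for h, cn, sans in records)
    return matched, len(records)


if __name__ == "__main__":
    ok, total = survey(SAMPLE_SCAN)
    print(f"{ok} of {total} hosts matched ({100.0 * ok / total:.1f}%)")
```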

Detecting invalid SSL certificates

In a preview of a talk set to be delivered at this summer's Black Hat USA conference, Ristic explained that his company has had an SSL security-checking service available publicly for some time. However, the Qualys SSL checker required that users came to the site to check their own SSL status. With the new research conducted by Ristic, Qualys set about scanning the Internet to collect information on how sites are implementing SSL.
"For us, the question is: How exactly is SSL used on the Internet as a whole?" Ristic said during the Webcast. "Interestingly enough, as popular as SSL is, no one had made public the information about how it is used."
According to VeriSign, there are currently approximately 193 million domain names. In terms of SSL, Netcraft reports that there are 1.5 million SSL certificates. Ristic decided to focus his research on the .com, .net, .org, .biz, .us and .info domains, which total 119 million domain names.
Ristic explained that he built a virtual machine that was able to run 2,000 threads in parallel to scan those millions of domain names. The process took him two days at a speed of 1,000 servers scanned per second.

Wednesday, August 11, 2010


I saw this interesting article from Wired regarding the ATM reprogramming hack. It is apparent how tempting these cash machines are for underworld hackers. The story is:
A North Carolina grocery worker is being held without bail in Houston on attempted computer hacking charges after inadvertently partnering with an undercover FBI agent in an alleged citywide ATM-reprogramming caper. Thor Alexander Morris, 19, was arrested at a Houston flea market last month after trying a default administrative passcode on a Tranax Mini-Bank ATM there, according to the FBI. Morris, who was wearing a wig to disguise his appearance, allegedly hoped to reprogram the machine to think it was loaded with $1 bills instead of $20 bills. That would let him pull $8,000 in cash with $400 in withdrawals from a prepaid debit card.
Cash-machine–reprogramming scams were first noticed in the financial industry in 2005, and surfaced publicly in 2006 when a cyber thief was caught on video looting an ATM at a Virginia gas station. Threat Level later confirmed that default administrative passcodes for retail ATMs manufactured by Tranax and Triton were printed in owner’s manuals easily found online.
On the drive to his first cash machine, Morris bragged to the undercover agent that he’d already conducted ATM hacking trips to Tennessee, Florida, South Carolina and Virginia, and hit machines in his home town of Jacksonville. He also boasted about other supposed exploits as a “hacker”, claiming he’d stolen credit card information from the Food Lion where he worked, and had targeted the Navy Federal Credit Union and Walmart in a manner unspecified in the criminal complaint.
When he was through gabbing, Morris donned a long, black curly hair hairpiece he called his “Rick James” wig and walked with the agent to an ATM at the Mercado 6 flea market, where managers had previously agreed to cooperate in the investigation. The agent watched as Morris entered the key sequence that brings up the “Enter Password” screen, and then keyed in the default passcode for the Tranax Mini-Bank.
The code, though, had been changed on this machine, and Morris was thwarted. He allegedly tried two more times, then tried a completely different code before the FBI agents surveilling the scene got impatient and arrested him.
ATM hacking being an interesting topic, I did further research and was astonished to find some facts on how easy it is to hack an ATM and make it dispense more money than it should. Please read this for information purposes only and do not try to hack an ATM if this vulnerability still exists or is left unpatched.
Unlike common ATM tricks, which use various high-tech devices to capture your ATM card details and PIN, hackers here first identify the ATM maker and model from video, like the one on the news about the ATM reprogramming scam at a gas station on Lynnhaven Parkway in Virginia Beach.
The Tranax Mini-Bank 1500 series ATM was found to have serious issues that open it to hacking. Hackers managed to find the default passcode and back-door key sequence for that particular machine and tried reprogramming it to dispense more money with the help of the Tranax Mini-Bank 1500 Series (MB1500) operator or installation manual, which contains a lot of security-sensitive information, including:
  • Instructions on how to enter the diagnostic mode or operator function menu.
  • Default Master, Service or Operator passwords.
  • Default Combinations For the Safe.
Inside the Tranax Mini-Bank 1500 user guide, you can also learn how to set the denomination of the bills (the value of the cash notes, i.e. $1, $5, $10, $20, $50 or $100) that the ATM’s cassettes will be dispensing. That’s all you probably need to trick the ATM into thinking that the $20 bills it dispenses are actually $5 or $1 bills, possibly earning you a hefty profit. So the only thing left, if you are trying your luck, is to find an ATM whose factory default passcodes and passwords haven’t been changed. Tranax has shipped 70,000 ATMs, self-service terminals and transactional kiosks around the US, and the majority of those shipments are the flagship Mini-Bank 1500, the machine that was rigged in the Virginia Beach heist, according to eWeek.
The ATM scammer in the Virginia Beach case successfully reprogrammed the Tranax MB1500 series ATM to act as if it had $5 bills in its dispensing tray instead of $20 bills, and then withdrew cash using a prepaid debit card at a 300% profit. However, he forgot to reprogram the ATM back to the correct denomination, and the ATM was left misprogrammed for the next 9 days before somebody reported the misconfiguration, which revealed the fraud.
ATM hacking is becoming common everywhere, including gas station pumps, food outlets, supermarkets and hotels: any unattended card reader, not just feral ATMs. But skimmers are pocket-sized or smaller, so even attended readers are at risk. Another card trick, detected at a fast food joint, had the cashier dip the card beneath the counter, just for an instant, where it was skimmed before coming back up and being run through the real card reader.
Further reading:
The Krebs on Security blog has more information on previous ATM attacks and is worth reading. click here