Wednesday, April 25, 2007

l33t haxxors

I don't usually post on non-technical subjects, but I'm making an exception:

l33t haxxors - Episode 1
l33t haxxors - Episode 2
l33t haxxors - Episode 3

Excellent comic relief for a tough day. Enjoy :)

Tuesday, April 24, 2007

The Elusive Negative Quantity Vulnerability

I guess I'm just going to pick up where I left off a few months back. Rather than backtracking over all the stuff that's happened between then and now, I'll just keep on posting as things come up.

So here's one that just sort of came to me as I was pen-testing a browser-based PHP MMORPG with a friend. I expect this type of vulnerability exists in more problematic places: banking systems, shopping cart systems, etc.

The vulnerability is a sort of logic error. Let's have a look at some pseudocode designed to allow customers to make purchases.

let $Customers_Money = 100
let $Object_Price = 10

let customer input value for $Quantity

let $Total_Price = $Object_Price * $Quantity
if $Total_Price > $Customers_Money then tell customer it's too much, and exit

else let $Customers_Money = $Customers_Money - $Total_Price

We give the customer $100 to start and we create an object worth $10.
We ask the customer how many of the object they want to buy.
We calculate the total price for all the objects, and check whether or not the customer can afford it.
If they can, we take the total price and subtract it from the customer's money.

The subtraction operation is where the problem exists. What happens when we supply a negative quantity? Well, let's run through it:

With a quantity of -10, the total price becomes -10 * 10 = -100.
We check if the total price is more than I have in my wallet... it's not, it's less.
So we take that total price and subtract it from the customer's money: 100 - (-100) = 200.
WAIT, see that? Using a negative quantity, we have actually GAINED money.

There's a simple fix. And it's a solution that's repeated over and over again in web security, and in security generally: WHITELISTING. Only allow good input. There's no need for a negative quantity, so don't allow one. I'm surprised I haven't seen more of this poor-logic type of vulnerability. Anyone else have similar stories?
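To make the flaw and the fix concrete, here is the pseudocode above as a runnable Python checkout, with the vulnerable version beside a whitelisting version. This is an added example, not code from the original post or from the game that was being tested; the $10 price and $100 starting balance are the post's numbers, while the per-order cap, the exact form-field format and the function names are assumptions made for the example. The validation runs on the server side, because the quantity comes from the client and the client can send anything it likes.

```python
import re

# Added example (not from the original post): the post's pseudocode as a
# vulnerable checkout function beside a whitelisting fix. Prices and the
# starting balance are the post's values; MAX_QUANTITY and the field format
# are assumptions for the sake of the example.

OBJECT_PRICE = 10        # dollars per object, as in the post
STARTING_BALANCE = 100   # customer's starting money, as in the post
MAX_QUANTITY = 1000      # assumed per-order cap; any sane upper bound works

# Whitelist for the quantity form field: a plain positive decimal integer with
# no sign, no leading zeros, no whitespace. Anything else is rejected outright.
QUANTITY_RE = re.compile(r"[1-9][0-9]{0,6}")


class PurchaseError(Exception):
    """Raised when a purchase is refused for any reason."""


def checkout_vulnerable(balance, quantity):
    """Faithful to the post's pseudocode: trusts the sign of quantity.

    A negative quantity yields a negative total, which passes the
    'can you afford it?' test and is then subtracted, crediting the account.
    """
    total = OBJECT_PRICE * quantity
    if total > balance:
        raise PurchaseError("too much")
    return balance - total


def parse_quantity(raw):
    """Server-side whitelist: accept only what a legitimate order can contain."""
    if not isinstance(raw, str) or QUANTITY_RE.fullmatch(raw) is None:
        raise PurchaseError("quantity must be a positive whole number")
    quantity = int(raw)
    if quantity > MAX_QUANTITY:
        raise PurchaseError("quantity exceeds the per-order limit")
    return quantity


def checkout_hardened(balance, raw_quantity):
    """Same flow as the pseudocode, but the quantity is validated first."""
    quantity = parse_quantity(raw_quantity)   # rejects "-10", "0", "1e2", " 5", "five"
    total = OBJECT_PRICE * quantity           # total is now always >= OBJECT_PRICE
    if total > balance:
        raise PurchaseError("too much")
    return balance - total


def refused(balance, raw_quantity):
    """True if the hardened checkout rejects this raw field value."""
    try:
        checkout_hardened(balance, raw_quantity)
    except PurchaseError:
        return True
    return False


if __name__ == "__main__":
    # The post's walkthrough: quantity -10 turns a $100 balance into $200.
    print("vulnerable, -10 :", checkout_vulnerable(STARTING_BALANCE, int("-10")))
    # A legitimate order still works in both versions.
    print("vulnerable, 5   :", checkout_vulnerable(STARTING_BALANCE, 5))
    print("hardened,  '5'  :", checkout_hardened(STARTING_BALANCE, "5"))
    # The same kind of bad input against the whitelist.
    for raw in ["-10", "0", "+5", "1e2", " 5", "005", "five"]:
        print(f"hardened, {raw!r:7}: refused={refused(STARTING_BALANCE, raw)}")
```

The point of the regex rather than a bare `int()` call is that it describes exactly what a good quantity looks like and refuses everything else; a blacklist that only strips the minus sign would still let through things like "0" or a float-style string, depending on how the rest of the code parses it. Keeping an upper bound on the quantity also keeps the total from growing into values the rest of the system never expected.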


RE: TAG or How I Got My Start.

Hi! It's been a LONG time since my last update, but I'm making a resolution to start posting again. I got an email from Didier the other day prompting me to update my blog with a story on how I got my start in infosec. Well, here goes nothing :)

I guess it really all started waaaaaaaaaaaay back when I was a toddler. I was one of those kids who loved to fiddle with things. That smart-kid cliché. Always breaking and fixing things. All of that stuff you'd expect, but I have a very vivid memory of one day that I'm convinced played a large role in my gravitating toward security rather than anywhere else in IT. I must have been 10 or 11 years old. My mom and a few of her friends showed me something sort of neat they could do with a telephone. They would call this number... I remember it clearly: 999 followed by my phone number; then they would hang up the phone and pick it up real quick. They'd get a busy signal and hang up again... seconds later the phone would ring and the caller ID would show 123-456-7890. They had another trick too. If they dialed 759-9999 and hung up, all the phones in my house would go dead for about 5 minutes. To this day I don't know where my mom and her friends found those numbers, and she doesn't remember either. From that one moment, though, I was absolutely hooked.

All aspects of telephony became more interesting than most people could imagine. I wanted to learn everything there was to know about it. I learned, for instance, that the 999 number was called a ringback. You dial 999 followed by your exchange/subscriber number (xxx-xxxx), flash the hook and hang up, and that signals the switch at the central office to ring you back. Line techs use it for testing. The 759 number was to allow techs to safely work on a pair without getting shocked.

I modified an old RadioShack miniature phone to be the stealthiest little toy you'd ever seen. Instead of having a hook switch, I replaced that button with a variable resistor. Using this I could pick up my phone slowly... if someone was on the line, they'd never hear the telltale click. Using a battery, I could pull enough current off the line to make any extension-in-use lights on other phones turn off, so that I could talk on the phone with friends when I was supposed to be sleeping. I learned about the brilliant and intricate signalling systems. I learned about electronic signalling, like the circuit completion when you take your phone off hook, and the rise in current that causes your phone to ring... audio signalling like DTMF, the tones that are played when you dial a number, dial tone, busy, and all about the signals transmitted elsewhere that I couldn't hear but that were used to control the entire system. I became very... I guess 'in tune' with the phone system. Sometimes I could tell what numbers people were dialing just by listening. If I heard a click, I knew if it was someone in my house picking up the phone, or someone in the house of the person I was talking to. It sounds really nerdy, but I learned to just... listen to the lines.

Anyways, as all this was happening, I also got my first computer. It was a Tandy 2000. The only hard drive was large enough to fit only the necessary OS stuff and was write-protected. Everything had to be done from disks. I taught myself QBasic. I got myself a modem (2400 bps) and started frequenting local BBSs. It was a whole new world. I remember wishing I had better hardware (Tandys and 2400 bps were already obsolete at this time), but I'm glad I didn't. I pushed that machine. If all I had was a modem and a dot matrix printer, I'd use it. I learned the Hayes command set and programmed a terminal application in QBasic capable of connecting to BBSs when I was 12. I wrote programs that could use the dot matrix printer protocol to communicate with the printer and make it spit out cool designs.

This is where things took a bit of a turn. Most of the BBSs in my area at the time were running on Wildcat. There was one, though, that looked totally different. I learned later that it was a purely custom design. Most of the security systems built into these BBSs were standard login/password forms and sometimes callback verification during your registration. This custom one did things a little differently. When you sign up it asks for your phone number, just like regular callback verification. But rather than only using it once, it uses it every time you log on. You call this BBS, it asks for your username and password. The BBS looks in its database of users and finds the phone number you registered with. It spits out a message:

"Calling you back. BYE! "

It then hangs up on you and calls the number it has stored. This means that even if someone steals your username/password... they can't use your account unless they're calling from your line. Now, this seems relatively secure, but my geeky obsession with telephones made me think about it a little differently. You know when you pick up your phone to make a call and someone is already there? Well, you know they're there because you don't hear a dial tone. I thought to myself, does the computer on the other end know to wait for a dial tone? So I made some quick modifications to my QB terminal software. I called up the BBS and entered a friend's login/password.

"Calling you back. BYE! "

I quickly call the number back before it gets a chance. I hear over the modem that it picks up the line. I hear it dial my friend's number. IT DIDN'T WAIT FOR DIAL TONE! I have my modem pick up the call as though it was just answering the phone and, tada, I broke his system. I quickly pressed C to (C)hat with the sysop and told him what I found. He was surprised to find out how young I was.

I became very interested in hacker culture. I began getting in trouble for messing around with the computers at school. Eventually I got the internet and began to submerge myself in the hacker underground. I was surrounded by people who might have been breaking the law, but I was always more interested in just learning. That's not to say I never got my hands dirty... I just knew where to draw the line. Scanning out different routers, guessing their passwords and poking around in them, things like that. I wrote for an ezine for a time: articles on network recon methodology, how to map out the rulesets of a firewall, problems with TCP, even an article on XSS before I even knew what XSS was. It was all very romanticised. Like a movie, almost. Most of my learning took place during this time, a span of about 6 years. Eventually, people I knew, people I talked to on IRC or teleconferences, began getting in trouble, and I quickly realized that wasn't where I wanted to be.

It sort of all came to a head when I got in some real trouble for a hack. Not legal trouble, but probably not far off. I was in high school and I had this teacher who was a real hard-ass. She was teaching us "Computer Programming with Turing". I asked her one day why we were learning to program in a language we'd never be able to apply rather than a real language like C/C++ (I think I even mentioned QBasic, lol). She said, and I quote, "I suggested Turing to the board because you can't mess up the system in Turing".

I was a bratty, confrontational kid. No denying it. I took it as a challenge. "The system" was a really weird one. The network was a LAN and the security system was based on a slew of mashed-together batch files/exes and profile data. I don't remember it in too much detail, but I remember finding the exe that was called to load your profile after you successfully logged in. Something like loadprofile.exe f:\staff\teachers\smithj for teachers. Some friends and I had already written a little QBasic application that mimicked the login screen, stored the usernames/passwords and logged the user in seamlessly, but for one of my assignments in that programming class I presented something that caught Ms. Devos off guard. Using the system() command to call loadprofile.exe, I could load up Ms. Devos's profile without even having her credentials. She was walking around checking everyone's work; she reaches over and presses F2 to execute my program and it logs her directly into her profile. On my screen is access to student marks, report cards, things I should never see. I was suspended.

I really learned my lesson, though. I went off to study computer engineering technology and computer science at Algonquin College in Ottawa, Ontario, Canada, met some great people, and learned all kinds of things. To this day I sometimes see hacker handles that I remember clearly from the scene show up in the news. Mostly botnets. I'm glad to have left that all behind. I've kept some friends from that scene, and I hope that will never change. Media made us want to be hackers, and eventually life and common sense made us realize that we can be without ending up in prison. It's really too bad for those that don't figure that out.

I've since worked as an administrator, as a freelance security auditor for small-time e-tax filers and other small-sized business networks, and as a pentester for countless internet systems. Living in a small town has really limited my ability to gain field experience... but what I lack there I make up for in sheer learning momentum. I never stop reading. I never stop learning. I annoy the heck out of my gf with all the reading I do.

Anyways, that's my history. As always, all comments are appreciated.