iSecPartners – Auditing high-value applications cheat-sheet

July 22, 2014

iSecPartners has released on GitHub a “cheat-sheet” for auditing high-value applications. It’s well worth a read.

This list is intended to be a list of additional or more technical things to look for when auditing extremely high value applications. The applications may involve operational security for involved actors (such as law enforcement research), extremely valuable transactions (such as a Stock Trading Application), societal issues that could open users to physical harassment (such as a Gay Dating Application), or technologies designed to be used by journalists operating inside repressive countries.

It is an advanced list – meaning entry level issues such as application logic bypasses, common web vulnerabilities such as XSS and SQLi, or lower level vulnerabilities such as memory corruption are explicitly not covered. It is assumed that the reader is aware of these and similar vulnerabilities and is well trained in their search, exploitation, and remediation.

A good example of the type of analysis to strive for can be shown in Jacob Appelbaum’s analysis of UltraSurf: https://media.torproject.org/misc/2012-04-16-ultrasurf-analysis.pdf


Free Online CTF and Penetration Testing Course

June 14, 2014

Trail of Bits is offering a free online CTF and penetration testing course. Lots of great material from a well respected organization.


Google Chrome 35+ and EMET 4.1 Compatibility

May 17, 2014

Chromium engineers have provided excellent clarification on the compatibility issues between Google Chrome v35+ and EMET 4.1:

The specific issue we have encountered with Chromium compiled using VS 2013 relates to tail-call optimizations in wrapper functions for Windows APIs. By using jmp to enter the Windows API call from the wrapper, the Visual Studio compiler avoids an additional call/ret pair, and the API would return directly into the wrapper function’s caller rather than the wrapper function itself.

However, EMET protects various ‘critical’ Windows APIs against an exploit technique known as Return-Oriented Programming (ROP), and one of these protections is incompatible with tail-call optimization. EMET’s code checks that the return address from the API call is immediately preceded by a call to that API, since in ROP exploits this will typically not be the case but in normal function calls it will.

The tail-call optimization violates EMET’s assumption and causes a false positive result for exploit detection.

[..]

The Chrome security team does not generally recommend the use of EMET with Chromium because it has negative performance impact and adds little security benefit in most situations. The most effective anti-exploit techniques that EMET provides are already built into Chromium or superseded by stronger mitigations.
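To make the check concrete, here is an added C model of EMET’s caller check; it is not Chromium’s or EMET’s code. It builds a constructed 32-bit x86 code image in memory (the offsets, the tail-call wrapper and the ROP gadget are invented for the illustration) and decodes only the direct 5-byte `call rel32` form, which is an assumption; the real EMET also recognises indirect call encodings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Chromium's or EMET's code). Models EMET's "Caller" ROP check on a
 * constructed 32-bit x86 code image: when a protected API is entered, the return address
 * on the stack must be immediately preceded by a call whose target is that API. Only the
 * direct 5-byte "call rel32" (E8) form is decoded here; EMET also handles indirect calls. */

enum verdict { CALLER_OK = 0, CALLER_MISMATCH = 1, NOT_A_CALL = 2 };

#define IMAGE_SIZE   0x500u
#define API_OFF      0x100u   /* the protected API: just "ret"                          */
#define WRAPPER_OFF  0x200u   /* tail-call wrapper: "jmp api" (what VS 2013 emitted)    */
#define DIRECT_OFF   0x300u   /* caller A: "call api"                                    */
#define VIA_WRAP_OFF 0x310u   /* caller B: "call wrapper"                                */
#define GADGET_OFF   0x400u   /* ROP gadget: "pop eax; ret"; nothing before it is a call */

/* Write "call rel32" (0xE8) or "jmp rel32" (0xE9) at off, aimed at target_off.
 * rel32 is relative to the end of the 5-byte instruction. Returns the next offset. */
static size_t emit_rel32(uint8_t *code, size_t off, uint8_t opcode, size_t target_off)
{
    int32_t rel = (int32_t)target_off - (int32_t)(off + 5);
    code[off] = opcode;
    memcpy(code + off + 1, &rel, sizeof rel);
    return off + 5;
}

static void build_image(uint8_t *code)
{
    memset(code, 0, IMAGE_SIZE);
    code[API_OFF] = 0xC3;                                 /* api:     ret          */
    emit_rel32(code, WRAPPER_OFF, 0xE9, API_OFF);         /* wrapper: jmp api      */
    emit_rel32(code, DIRECT_OFF, 0xE8, API_OFF);          /* A:       call api     */
    emit_rel32(code, VIA_WRAP_OFF, 0xE8, WRAPPER_OFF);    /* B:       call wrapper */
    code[GADGET_OFF] = 0x58;                              /* gadget:  pop eax      */
    code[GADGET_OFF + 1] = 0xC3;                          /*          ret          */
}

/* If the 5 bytes before ret_off are "call rel32", store the call target and return 1. */
static int decode_call_before(const uint8_t *code, size_t ret_off, uint32_t *target)
{
    if (ret_off < 5 || code[ret_off - 5] != 0xE8) return 0;
    int32_t rel;
    memcpy(&rel, code + ret_off - 4, sizeof rel);
    *target = (uint32_t)ret_off + (uint32_t)rel;          /* next-IP + rel32, wraps mod 2^32 */
    return 1;
}

/* The caller check: the return address must be preceded by a call to api_off itself. */
enum verdict caller_check(const uint8_t *code, size_t ret_off, uint32_t api_off)
{
    uint32_t target;
    if (!decode_call_before(code, ret_off, &target)) return NOT_A_CALL;
    return target == api_off ? CALLER_OK : CALLER_MISMATCH;
}

/* Case 1: A calls the API directly; the API sees return address A+5. */
enum verdict check_direct_call(void)
{
    uint8_t code[IMAGE_SIZE];
    build_image(code);
    return caller_check(code, DIRECT_OFF + 5, API_OFF);     /* CALLER_OK */
}

/* Case 2: B calls the wrapper; the wrapper jmps to the API without pushing a return
 * address, so the API sees B+5, which is preceded by "call wrapper", not "call api". */
enum verdict check_tail_call_wrapper(void)
{
    uint8_t code[IMAGE_SIZE];
    build_image(code);
    return caller_check(code, VIA_WRAP_OFF + 5, API_OFF);   /* CALLER_MISMATCH: false positive */
}

/* Case 3: a ROP chain enters the API with a gadget address in the return slot. */
enum verdict check_rop_return(void)
{
    uint8_t code[IMAGE_SIZE];
    build_image(code);
    return caller_check(code, GADGET_OFF, API_OFF);         /* NOT_A_CALL: true positive */
}

int main(void)
{
    static const char *names[] = { "ok", "call to wrong target", "no call before return" };
    printf("direct call       : %s\n", names[check_direct_call()]);
    printf("tail-call wrapper : %s\n", names[check_tail_call_wrapper()]);
    printf("ROP gadget return : %s\n", names[check_rop_return()]);
    return 0;
}
```

Case 2 is the false positive the Chromium engineers describe: because the wrapper enters the API with `jmp`, the API returns into B’s frame, and the call sitting before that return address targets the wrapper rather than the API. Case 3 is the situation the check was built for, where the return slot holds a gadget address with no call in front of it.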


Categories: OS Internals, Tech, Windows

PsExec now encrypts all communication

May 1, 2014

As of March 7, 2014, PsExec now encrypts all communication between systems, including any username/password info! This is great news.

http://blogs.technet.com/b/sysinternals/archive/2014/03/07/updates-process-explorer-v16-02-process-monitor-v3-1-psexec-v2-1-sigcheck-v2-03.aspx

PSExec v2.1: This update to PsExec, a command-line utility that enables you to execute programs on remote systems without preinstalling an agent, encrypts all communication between local and remote systems, including the transmission of command information such as the user name and password under which the remote program executes.

Categories: Tech, Windows

Avoid unsafe functions with Microsoft’s ‘banned.h’

March 27, 2014

banned.h is a header file you include in your Windows C and C++ projects to help avoid introducing security flaws into your application.

The banned.h header file is a sanitizing resource that is designed to help developers avoid using, identify, and remove banned functions from code that may lead to vulnerabilities. Banned functions are those calls that have been deemed dangerous because they make it relatively easy to introduce vulnerabilities into code during development. For example, if a developer uses the strcpy function in their code, including banned.h in the same application will generate error(s) when it is recompiled, telling the developer that strcpy has been deprecated. When the developer investigates why the error is being generated, they will likely find that strcpy has been replaced with a more secure version called strcpy_s, which makes it harder to make the mistakes that lead to simple buffer overflows.
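The following added C example, which is not Microsoft’s banned.h or its CRT, shows the two halves of that mechanism: how a banned name is made to fail at compile time (MSVC’s `#pragma deprecated` plus warning C4995 as an error; on other compilers a macro that expands to an undeclared identifier, an assumption made here so the example is portable), and a `bounded_copy` stand-in that follows the documented strcpy_s contract (return codes and emptying the destination on overflow are assumed from that contract, not copied from Microsoft’s implementation). The 32-byte input is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Microsoft's banned.h. A banned-function header works by making
 * the banned name fail at compile time, so the developer is forced to pick a bounded
 * replacement. MSVC: #pragma deprecated raises warning C4995 at every use, and
 * warning(error) turns it into a build break. Other compilers (assumed here for
 * portability): a macro that expands to an undeclared identifier has the same effect. */
#ifdef _MSC_VER
#pragma deprecated(strcpy, strcat, sprintf)
#pragma warning(error: 4995)
#else
#undef strcpy
#undef strcat
#define strcpy(dst, src) ERROR_strcpy_is_banned_use_bounded_copy
#define strcat(dst, src) ERROR_strcat_is_banned_use_bounded_copy
#endif

/* Portable stand-in with strcpy_s's documented contract (assumption: same return codes,
 * not Microsoft's implementation): 0 on success; EINVAL for null pointers or zero size;
 * ERANGE when src plus its terminator does not fit, in which case dst becomes ""
 * instead of being overrun. Never reads more than dst_size bytes of src. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0) return EINVAL;
    if (src == NULL) { dst[0] = '\0'; return EINVAL; }
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) { dst[0] = '\0'; return ERANGE; }   /* no room for the NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Copies src into a dst_size-byte stack buffer and reports the status. */
int copy_status(const char *src, size_t dst_size)
{
    char buf[64];
    if (dst_size > sizeof buf) return EINVAL;
    return bounded_copy(buf, dst_size, src);
}

/* The scenario behind the ban: an 8-byte buffer and a longer, attacker-controlled
 * string (constructed). strcpy would write 25 bytes past the buffer; bounded_copy
 * refuses and leaves an empty, terminated buffer. Returns ERANGE only if both hold. */
int demo_overlong_input(void)
{
    char buf[8];
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes + NUL */
    int rc = bounded_copy(buf, sizeof buf, input);
    return (rc == ERANGE && buf[0] == '\0') ? ERANGE : -1;
}

int main(void)
{
    printf("\"hello\" into 8    -> %d (0 = ok)\n", copy_status("hello", 8));
    printf("\"12345678\" into 8 -> %d (ERANGE = %d)\n", copy_status("12345678", 8), ERANGE);
    printf("overlong input    -> %d\n", demo_overlong_input());
    return 0;
}
```

With the header in place, any remaining `strcpy(buf, input)` in the project stops compiling, which is the point: the overflow is caught by the build rather than by whoever controls `input` at run time.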


Categories: C/C++, Programming, Tech

Debugger Detection in Windows

March 15, 2014

Some thorough documentation on anti-debugging techniques in Windows:

Categories: Disassembly, Programming, Tech

injdmp: dumping injected processes and dumping process memory that is marked as RWX

January 24, 2014

This is awesome.

http://hooked-on-mnemonics.blogspot.com/p/injdmp.html

injdmp is a tool for dumping injected processes and dumping process memory that is marked as RWX. The tool can detect most malware that uses process injection. As of this writing it can dump processes related to Zeus/Citadel, Cridex, Ramnit, Poison Ivy and a number of other families of malware.

Categories: Disassembly, Tech, Windows

[link] Layman’s Guide to Integrated Circuit RE

January 15, 2014

Great website.

The Layman’s Guide to IC Reverse Engineering has been created to teach you the very basics of what it takes to reverse engineer integrated circuits. Not too much particular focus is given to the physics and math, just the bare essentials for a layman to turn images into logic. And chips into images. Kudos to academia, security researchers, and chip enthusiasts from around the world for all their papers and presentations that this effort draws inspiration from.

Categories: Disassembly, Tech

Graphical Network Simulator

January 10, 2014

GNS3 (Graphical Network Simulator) is an awesome, awesome open-source project:

What is GNS3 ?

GNS3 is open source software that simulates complex networks while being as close as possible to the way real networks perform. All of this without having dedicated network hardware such as routers and switches.

Our software provides an intuitive graphical user interface to design and configure virtual networks; it runs on traditional PC hardware and may be used on multiple operating systems, including Windows, Linux, and MacOS X.

In order to provide complete and accurate simulations, GNS3 actually uses the following emulators to run the very same operating systems as in real networks:

  • Dynamips, the well known Cisco IOS emulator.
  • VirtualBox, which runs desktop and server operating systems as well as Juniper JunOS.
  • Qemu, a generic open source machine emulator, which runs Cisco ASA, PIX and IPS.
Categories: Network, Tech, Uncategorized

[link] “iOS Assembly Tutorial: Understanding ARM”

January 8, 2014

Here’s a very well written post by Matt Galloway; this one is about ARM assembly.

When you write Objective-C code, it eventually turns into machine code – the raw 1s and 0s that the ARM CPU understands. In between Objective-C code and machine code, though, is the still human-readable assembly language.

Understanding assembly gives you insight into your code for debugging and optimizing, helps you decipher the Objective-C runtime, and also satisfies that inner nerd curiosity.

In this iOS assembly tutorial, you’ll learn:

  • What assembly is – and why you should care about it.
  • How to read assembly – in particular, the assembly generated for Objective-C methods.
  • How to use the assembly view while debugging – useful to see what is going on and why a bug or crash has occurred.
Categories: Apple, Disassembly, Tech