Blogs

SSH Man-in-the-Middle Attack and Public-Key Authentication Method

SSH is a protocol for secure remote login and other secure network services over insecure networks. To detect man-in-the-middle attacks, SSH clients are supposed to check the host key of the server, for example by comparing it with a known good key. The check is only as strong as the known key: a key accepted blindly on the first connection (the usual trust-on-first-use prompt) protects later sessions against substitution, but not the session in which it was accepted.
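
The comparison is short in prose; in code it is a parse of known_hosts plus a byte-for-byte comparison of the key blob the server presents. The following is an added example, not code from the original post: it reproduces the known_hosts checks an OpenSSH client performs (plain and hashed hostname fields, the encoded key blob, the SHA256 fingerprint that ssh-keygen prints) against constructed key material and reports the three outcomes a client can land in.

```python
"""Host-key check the way an OpenSSH client does it against known_hosts.

Added example, not code from the original post. The Ed25519 key bytes and
the known_hosts text below are constructed for the demo, not a real server's.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> bytes:
    """Public-key blob as it appears (base64-encoded) in known_hosts and in the
    server's key-exchange reply: string "ssh-ed25519" + string <32 key bytes>."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as ssh-keygen -l prints it: SHA256:<base64 without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host(hostname: str, salt: bytes) -> str:
    """Hashed known_hosts name field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts name field (plain, comma-separated or hashed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return hostname in field.split(",")


def verify_host_key(known_hosts: str, hostname: str, key_type: str,
                    blob: bytes) -> str:
    """Return 'match', 'mismatch' (the MITM case) or 'unknown' (nothing pinned).

    Lines carrying @cert-authority / @revoked markers are skipped here; a real
    client gives them special treatment.
    """
    pinned = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#@" or len(fields) < 3:
            continue
        names, ktype, key_b64 = fields[:3]
        if ktype != key_type or not host_matches(names, hostname):
            continue
        pinned = True
        if hmac.compare_digest(base64.b64decode(key_b64), blob):
            return "match"
    return "mismatch" if pinned else "unknown"


# --- constructed demo data: not a real key, not a real known_hosts -----------
SERVER_KEY = bytes(range(32))            # stand-in for a real Ed25519 public key
SERVER_BLOB = ed25519_blob(SERVER_KEY)
SERVER_BLOB_B64 = base64.b64encode(SERVER_BLOB).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "git.example.org,203.0.113.10 ssh-ed25519 " + SERVER_BLOB_B64,
    hashed_host("bastion.example.org", b"\x01" * 20) + " ssh-ed25519 " + SERVER_BLOB_B64,
])

if __name__ == "__main__":
    print("pinned fingerprint:", fingerprint_sha256(SERVER_BLOB))
    print("genuine server :", verify_host_key(KNOWN_HOSTS, "git.example.org", "ssh-ed25519", SERVER_BLOB))
    print("substituted key:", verify_host_key(KNOWN_HOSTS, "git.example.org", "ssh-ed25519", ed25519_blob(bytes(32))))
    print("hashed entry   :", verify_host_key(KNOWN_HOSTS, "bastion.example.org", "ssh-ed25519", SERVER_BLOB))
    print("never seen     :", verify_host_key(KNOWN_HOSTS, "other.example.org", "ssh-ed25519", SERVER_BLOB))
```

The "mismatch" branch is the one that matters for the attack in the title: a host the client has pinned presenting a different key. "unknown" is the first-connection case, where the client has nothing to compare against and can only show the fingerprint and ask.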

Windows vs Linux vs MacOS vs OpenBSD

Or Quality Vs. Quantity

It seems to be an unsolvable puzzle for programmers: why would users prefer a buggy and awkward operating system, like Windows, to an elegant and slim one, like Mac OS X? Or prefer a patchy and dirty Linux to the clean and secure OpenBSD? Surely a program that does a few tasks very well is better than one that does a lot of things badly?

VMWare NATD Silent TTL Overwrite

Bloody (excuse my French) VMware NAT daemon silently overwrites the TTL of the DNS records it proxies! Records that arrive with a TTL of 0 are handed to the guest with a TTL of 5 seconds. Normally that is nothing to complain about, but it becomes a big deal when you are busy checking how different browsers respond to a DNS rebinding attack, which depends on the browser re-resolving the name as soon as that 0-second TTL expires... Uhhrr...

Apparently I'm not the first to notice this; somebody else had the same experience with Fusion: http://communities.vmware.com/thread/236511

DNS Rebinding Checklist

Recently I have done a couple of tests which made me consider the DNS rebinding attack in detail. Given the relatively large number of "moving parts" involved in the attack, I figured it was worth making a checklist that can be used for this kind of evaluation. Below is the draft I am working on. In particular I intend to add references and explanations/testing guidelines to the checklist. Not sure about PoC exploits.
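
Both the TTL-overwrite complaint above and the rebinding checklist come down to one measurable thing: the TTL in the answer section of the response the client actually receives. The following is an added example, not code from either post. It builds a response with a 0-second TTL, models the rewrite the NAT daemon is described as doing (0 becomes 5 seconds), parses the TTLs back out and reports the difference; `query_ttls` is an assumed helper that sends the same query to a real resolver, so the check can be pointed at a VM's NAT DNS proxy and at the authoritative server and the two results compared.

```python
"""DNS answer TTLs on the wire, and what a 0-to-5-second rewrite does to them.

Added example, not code from the original posts. Packets are built in-process;
query_ttls is the only function that touches the network and the demo does
not call it.
"""
import socket
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """'www.example.com' -> DNS label sequence, terminated by a zero length."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_query(txid: int, qname: str) -> bytes:
    """Standard recursion-desired A query."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", TYPE_A, CLASS_IN)


def build_response(txid: int, qname: str, answers) -> bytes:
    """Response with A records given as (ttl, dotted-quad). Each answer name is
    a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack(">HH", TYPE_A, CLASS_IN)
    for ttl, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body


def read_name(buf: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, after, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                after = off + 2
            off = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode())
        off += length
    return ".".join(labels), (after if jumped else off)


def _answers(buf: bytes):
    """Yield (name, type, ttl, rdata, ttl_offset) for each answer record."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(buf, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        yield name, rtype, ttl, buf[off + 10:off + 10 + rdlen], off + 4
        off += 10 + rdlen


def answer_ttls(buf: bytes):
    """[(name, type, ttl, rdata)] for the answer section."""
    return [(n, t, ttl, rd) for n, t, ttl, rd, _ in _answers(buf)]


def rewrite_zero_ttl(buf: bytes, new_ttl: int) -> bytes:
    """Model of the NAT daemon behaviour in the post: 0-TTL answers get new_ttl."""
    out = bytearray(buf)
    for _, _, ttl, _, ttl_off in _answers(buf):
        if ttl == 0:
            struct.pack_into(">I", out, ttl_off, new_ttl)
    return bytes(out)


def rewritten_ttls(sent: bytes, received: bytes):
    """(name, sent_ttl, received_ttl) for every answer whose TTL changed."""
    pairs = zip(answer_ttls(sent), answer_ttls(received))
    return [(a[0], a[2], b[2]) for a, b in pairs if a[2] != b[2]]


def query_ttls(qname: str, server: str, timeout: float = 2.0):
    """Ask a real resolver (e.g. the VM's NAT DNS proxy) and return its answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(0x1234, qname), (server, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return answer_ttls(data)


if __name__ == "__main__":
    sent = build_response(0x1234, "rebind.example", [(0, "203.0.113.5")])
    got = rewrite_zero_ttl(sent, 5)                # what the guest would see
    print("sent TTLs:", [r[2] for r in answer_ttls(sent)])
    print("rewritten:", rewritten_ttls(sent, got))
```

Run against a real setup, the useful comparison is `query_ttls(name, "<authoritative or upstream resolver>")` versus `query_ttls(name, "<the NAT gateway address the guest uses>")` for a name whose authoritative server returns TTL 0; any non-empty difference means the rebinding test is measuring the proxy, not the browser.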

Build NetExpect on Ubuntu 10

I came across a nice tool, potentially useful for pen testing: a TCP/IP-aware version of Tcl expect. Written by Eloy Paris of Cisco Systems, it is currently distributed in source form only. I haven't had much time to play with it yet, but it looks very promising. Tomorrow I will try to use it for SIP REGISTER flooding, currently done with SIPp. (In a way SIPp is similar to NetExpect: it can execute send/expect scenarios, but it seems to be focused on the SIP protocol.)

Exploiting cross-site scripting in Referer header

The application that echoes the Referer header is vulnerable to cross-site scripting, and it is perfectly exploitable. Here is how:
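
As an added illustration, not the post's own code or exploit, here is the pattern the post describes beside its fix. The browser fills the Referer header with the URL of the page the user came from, so whoever owns that page decides what the header contains; the only question is whether the application encodes the value before it reaches the markup. The request headers and the `render_*` functions are constructed stand-ins for whatever template echoes the header.

```python
"""Referer reflected into a page: the vulnerable pattern next to the encoded one.

Added example, not the post's own code or exploit. The headers are constructed;
render_vulnerable / render_fixed stand in for whatever template echoes them.
"""
import html


def render_vulnerable(headers: dict) -> str:
    """Drops the header into the markup verbatim, so whatever the linking page
    put in its own URL ends up here as HTML and script."""
    referer = headers.get("Referer", "")
    return "<p>You came from: %s</p>" % referer


def render_fixed(headers: dict) -> str:
    """Same feature with the value HTML-encoded before it reaches the page."""
    referer = headers.get("Referer", "")
    return "<p>You came from: %s</p>" % html.escape(referer, quote=True)


def has_raw_script(markup: str) -> bool:
    """Demo check only: did a literal <script> tag survive into the output?"""
    return "<script" in markup.lower()


# Constructed request. The Referer is the URL of the page the user came from,
# and the owner of that page chose what that URL contains.
ATTACK_HEADERS = {
    "Referer": "https://attacker.example/?<script>alert(document.domain)</script>",
}

if __name__ == "__main__":
    print(render_vulnerable(ATTACK_HEADERS))
    print(render_fixed(ATTACK_HEADERS))
```

The encoded version keeps the feature (the page still shows where the visitor came from) and removes the bug; what it does not do is make the header trustworthy, so it must never be used for anything but display.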

Windows Detours library for the people

The Microsoft Detours library can be used to attach a hook to system functions invoked by Windows programs. You write arbitrary code that gets invoked when a program tries, for example, to send something over SSL or to get the current timestamp, and handle the call as you please instead of (or in addition to) passing it on to the standard Windows libraries.

Hopefully the notes below will be useful for fellas who, like myself, are not skilled Windows developers but occasionally get thrown into the Windows world and need to intercept a function call or two.

Linux Routing Quirks

Recently I spent some time trying to mess up the routing table of a Linux appliance to trick it into leaking certain network traffic I was interested in. In theory it looked reasonably simple, but not quite so in practice. While trying to screw up the appliance I learned a couple of new things about Linux networking:

CSRF protection also fixes reflected XSS

An application I recently tested had cross-site request forgery protection implemented throughout: every single form or link with parameters had an additional parameter whose value was derived from the session id. When the form is submitted or the link is clicked, this parameter value is checked before any other processing.

And guess what: that also makes all reflected cross-site scripting bugs unexploitable. How?
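
One way to implement what the tested application did, as an added example rather than the application's code. The post only says the value is "derived from the session id"; the derivation used here (an HMAC of the session id under a server-side secret), the handler and the sessions are assumptions. The constructed sessions and payload show the point: a URL the attacker built cannot carry the victim's token, not even a token taken from the attacker's own session, so the reflecting code is never reached.

```python
"""A per-link parameter derived from the session id, checked before anything else.

Added example, not the tested application's code. The HMAC derivation, the
server secret, the handler and the session ids are all constructed for the demo.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_SECRET = b"constructed-secret-for-the-example"   # real apps: from config


def request_token(session_id: str) -> str:
    """Value the app appends to every form and link; stable within a session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def app_link(session_id: str, path: str, **params) -> str:
    """How the application itself emits a link: the token rides along."""
    params["token"] = request_token(session_id)
    return path + "?" + urlencode(params)


def foreign_link(path: str, **params) -> str:
    """A URL built outside the app (by an attacker): no token for this victim."""
    return path + "?" + urlencode(params)


def handle(url: str, session_id: str):
    """The handler: verify the token first, only then touch the parameters.

    The reflection is left unencoded on purpose, to show what the token gate is
    shielding; output encoding is still the proper fix for the XSS itself.
    Returns (status, body).
    """
    qs = parse_qs(urlparse(url).query)
    presented = qs.get("token", [""])[0]
    expected = request_token(session_id)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 403, "invalid request token"
    query = qs.get("q", [""])[0]
    return 200, "<h1>Results for %s</h1>" % query


# constructed sessions: the victim's, and the attacker's own account on the app
VICTIM, ATTACKER = "sess-victim-0001", "sess-attacker-0002"
PAYLOAD = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print(handle(app_link(VICTIM, "/search", q="pentest"), VICTIM))
    print(handle(foreign_link("/search", q=PAYLOAD), VICTIM))
    print(handle(app_link(ATTACKER, "/search", q=PAYLOAD), VICTIM))
```

The last call in the demo is the one to note: the attacker does hold a valid token, just not for the victim's session, and the check is made against the session of whoever actually sends the request. The bug is still there (the victim's own token plus a payload reflects it), which is why this is a mitigation that buys time, not a replacement for encoding the output.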

Porting MagicTree to Mac OS X

Well, MagicTree is written in Java, so in theory we shouldn't need to port anything. But, as they say, "In theory, theory and practice are the same. In practice, they are not." Actually most things worked without any porting, which is a good thing. Still, a few things had to be done.

To get a more Mac OS-like look and feel we had to make MagicTree show the menu bar at the top of the screen rather than in the main frame, respond to the application menu items "About" and "Quit" (and remove those items from the File and Help menus respectively), and make the application icon look pretty.
