Computer Academic Underground

WarVOX 1.0.0

I)ruid — Fri, 06 Mar 2009 16:39:11 +0000

I’ve been working on adding some wardialing and dialup hacking modules to the Metasploit project for a while, which initially spawned this entire other project that HD went nuts on. Hopefully we’ll get some of the tech that this project produced merged back into the Metasploit wardialling stuff, but for now it’s a separate entity. Here’s the result:

WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.

WarVOX requires no telephony hardware and is massively scalable by leveraging Internet-based VoIP providers. A single instance of WarVOX on a residential broadband connection, with a typical VoIP account, can scan over 1,000 numbers per hour. The speed of WarVOX is limited only by downstream bandwidth and the limitations of the VoIP service. Using two providers with over 40 concurrent lines we have been able to scan entire 10,000 number prefixes within 3 hours.

The resulting call audio can be used to extract a list of modems that can be fed into a standard modem-based wardialing application for fingerprinting and banner collection. One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed. The current release of WarVOX (1.0.0) is able to automatically detect modems, faxes, silence, voice mail boxes, dial tones, and voices.

Presentation: http://warvox.org/media/warvox-1.0.0.pdf

Gallery: http://warvox.org/gallery.html

Code: http://warvox.org/install.html

Exploits for Kaminsky’s DNS Cache Poisoning Flaw

I)ruid — Thu, 24 Jul 2008 04:10:04 +0000

I patched the second Kaminsky told us all to ~15 days ago… did you?

CAU-EX-2008-0002

CAU-EX-2008-0003

Metasploit blog post about these exploits.

Proof Hashes

I)ruid — Tue, 17 Jun 2008 23:34:56 +0000

As the field of security research becomes more and more crowded, it’s inevitable that people will begin to step on each other’s toes. Last year when I began my context-keyed payload encoding research, someone else that I know began extremely similar research at almost exactly the same time. Because I intended to present my research at ToorCon, I only discussed it with a very few select people, so neither of us had any idea the other was working on nearly the same thing. I apparently finished my work first, because when I presented the results at ToorCon 9 later that year, and subsequently published the research in Uninformed Journal vol. 9, I was told by a number of people that the other researcher, whom I consider a friend, was a little upset that I had beat him to the punch, as it were.

Just last month, I circulated among some small communities a draft version of a CFP for a project that I was working on for this year’s DEFCON called “Cirque du 0day”. It was in no way ready for public consumption, in fact, I hadn’t even heard back from the DEFCON staff if something like what I was planning would even be accepted for the conference. I was simply looking for initial feedback on the idea from the people I showed it to. I apparently gave the draft CFP to a group of people that I shouldn’t have, because not more than a couple days later a Full-Disclosure Troll going by the name of Michael Chatner (before he added the “Professor” to his nym) changed the email addresses in the CFP text and posted the CFP nearly verbatim to Full Disclosure as his own. If only there were some way to more convincingly dispute such claims other than to simply reply to it…

Of course, things being as they are in this industry, people in such situations have very little recourse. These kinds of things happen all the time, and will only increase in frequency as this industry grows.

Enter “proof hashes”. For a short time now, people in this industry with information that they both want to keep confidential, as well as be able to prove prior-art for, have hashed some form of the information in question and sent the hash(es) to a public email list like Full Disclosure for posterity (and an irrefutable time-stamp at which point the hashes existed). I have done this myself on occasion, but unfortunately failed to do so when I had the idea to create and bring the Cirque du 0day event to DEFCON. Of course the first few times that this happened, some people on Full-Disclosure cried foul, that the list was no place for such things, and even a few conspiracy theories blossomed surrounding some of the more ambiguous or non-descriptive posts containing hashes. Some even began discussing the validity of an email time-stamp on a message distributed by a public mailing list, since most lists honor the original time-stamp on the message and forward it unchanged. The real indication to the date and time it was posted to the list comes from the surrounding messages delivered alongside it.

Even though there have currently been no reported cases of anyone publicly cross-referencing a proof hash posted to a list like Full-Disclosure in order to prove prior-art, idea ownership, or anything else, I do believe there is value in such a mechanism, and as such, I’ve created the Proof Hashes email list via Google Groups. This list lives at the Google Groups site to ensure that the hosting of the list remains with a 3rd party unmotivated to be involved in any time-stamp forgery scheme. The Group description really says it all:

This group allows establishment of confidential prior-art by posting a cryptographically hashed summary, proof-of-concept, schematic, or detailed description. Prior-art can then be proven by disclosing the original content with it’s hashes and cross-reference the date of the original post.

Subscription is not allowed and not required to post to this list. It is recommended that the poster include the result of multiple hash algorithms of the same content in a single message to eliminate the chance of calculating content which produces a hash collision in a single algorithm. It is also recommended that the poster cryptographically sign their message as this will not only both prove ownership of the hashes, but also provide a second, corroborating time-stamp.

I’m apparently not the only person who finds value in this type of thing, as I was recently directed to the PGP Digital Timestamping Service, to which you can send your original message containing your proof hashes. The service will then sign the message itself, essentially time-stamping it, and in “post” mode, forward the message to any number of recipients, including such destinations as public mailing lists.

EDIT: I’ve also recently come across PublicTimestamp.org, which is now using the Proof Hashes Google group as an additional archive for it’s timestamp blocks.

CAU-EX-2008-0001: Solaris ypupdated Command Execution

I)ruid — Sat, 05 Apr 2008 02:11:55 +0000

Metasploitized version of a recent Solaris rpc.ypupdated exploit from milw0rm:

http://www.caughq.org/exploits/CAU-EX-2008-0001.txt

CAU-2008-0001: Slowly Closing Door Race Condition

I)ruid — Tue, 01 Apr 2008 06:01:33 +0000

Today we have a new advisory for you, CAU-2008-0001, the Slowly Closing Door Race Condition:

http://www.caughq.org/advisories/CAU-2008-0001.txt

EDIT (04/02/2008): April Fools!!!