WarVOX 1.0.0

March 6, 2009

I’ve been working on adding some wardialing and dialup hacking modules to the  Metasploit project for a while, which initially spawned this entire other project that HD went nuts on.  Hopefully we’ll get some of the tech that this project produced merged back into the Metasploit wardialling stuff, but for now it’s a separate entity.  Here’s the result:

Read the rest of this entry »

Exploits for Kaminsky’s DNS Cache Poisoning Flaw

July 23, 2008

I patched the second Kaminsky told us all to ~15 days ago… did you?

CAU-EX-2008-0002

CAU-EX-2008-0003

Metasploit blog post about these exploits.

Proof Hashes

June 17, 2008

As the field of security research becomes more and more crowded, it’s inevitable that people will begin to step on each other’s toes. Last year when I began my context-keyed payload encoding research, someone else that I know began extremely similar research at almost exactly the same time. Because I intended to present my research at ToorCon, I only discussed it with a very few select people, so neither of us had any idea the other was working on nearly the same thing. I apparently finished my work first, because when I presented the results at ToorCon 9 later that year, and subsequently published the research in Uninformed Journal vol. 9, I was told by a number of people that the other researcher, whom I consider a friend, was a little upset that I had beat him to the punch, as it were.

Just last month, I circulated among some small communities a draft version of a CFP for a project that I was working on for this year’s DEFCON called “Cirque du 0day”. It was in no way ready for public consumption, in fact, I hadn’t even heard back from the DEFCON staff if something like what I was planning would even be accepted for the conference. I was simply looking for initial feedback on the idea from the people I showed it to. I apparently gave the draft CFP to a group of people that I shouldn’t have, because not more than a couple days later a Full-Disclosure Troll going by the name of Michael Chatner (before he added the “Professor” to his nym) changed the email addresses in the CFP text and posted the CFP nearly verbatim to Full Disclosure as his own. If only there were some way to more convincingly dispute such claims other than to simply reply to it

Of course, things being as they are in this industry, people in such situations have very little recourse. These kinds of things happen all the time, and will only increase in frequency as this industry grows.

Enter “proof hashes”. For a short time now, people in this industry with information that they both want to keep confidential, as well as be able to prove prior-art for, have hashed some form of the information in question and sent the hash(es) to a public email list like Full Disclosure for posterity (and an irrefutable time-stamp at which point the hashes existed). I have done this myself on occasion, but unfortunately failed to do so when I had the idea to create and bring the Cirque du 0day event to DEFCON. Of course the first few times that this happened, some people on Full-Disclosure cried foul, that the list was no place for such things, and even a few conspiracy theories blossomed surrounding some of the more ambiguous or non-descriptive posts containing hashes. Some even began discussing the validity of an email time-stamp on a message distributed by a public mailing list, since most lists honor the original time-stamp on the message and forward it unchanged. The real indication to the date and time it was posted to the list comes from the surrounding messages delivered alongside it.

Even though there have currently been no reported cases of anyone publicly cross-referencing a proof hash posted to a list like Full-Disclosure in order to prove prior-art, idea ownership, or anything else, I do believe there is value in such a mechanism, and as such, I’ve created the Proof Hashes email list via Google Groups. This list lives at the Google Groups site to ensure that the hosting of the list remains with a 3rd party unmotivated to be involved in any time-stamp forgery scheme. The Group description really says it all:

This group allows establishment of confidential prior-art by posting a cryptographically hashed summary, proof-of-concept, schematic, or detailed description. Prior-art can then be proven by disclosing the original content with it’s hashes and cross-reference the date of the original post.

Subscription is not allowed and not required to post to this list. It is recommended that the poster include the result of multiple hash algorithms of the same content in a single message to eliminate the chance of calculating content which produces a hash collision in a single algorithm. It is also recommended that the poster cryptographically sign their message as this will not only both prove ownership of the hashes, but also provide a second, corroborating time-stamp.

I’m apparently not the only person who finds value in this type of thing, as I was recently directed to the PGP Digital Timestamping Service, to which you can send your original message containing your proof hashes. The service will then sign the message itself, essentially time-stamping it, and in “post” mode, forward the message to any number of recipients, including such destinations as public mailing lists.

EDIT: I’ve also recently come across PublicTimestamp.org, which is now using the Proof Hashes Google group as an additional archive for it’s timestamp blocks.

CAU-EX-2008-0001: Solaris ypupdated Command Execution

April 4, 2008

Metasploitized version of a recent Solaris rpc.ypupdated exploit from milw0rm:

http://www.caughq.org/exploits/CAU-EX-2008-0001.txt

CAU-2008-0001: Slowly Closing Door Race Condition

April 1, 2008

Today we have a new advisory for you, CAU-2008-0001, the Slowly Closing Door Race Condition:

http://www.caughq.org/advisories/CAU-2008-0001.txt

EDIT (04/02/2008):  April Fools!!!

Context-keyed Payload Encoding Whitepaper

January 28, 2008

Today, my research paper entitled “Context-keyed Payload Encoding” was published in Uninformed Journal vol. 9. If you’re into exploitation technology, you should check it out. This is the research I presented at ToorCon 9 last October.

CAU-2006-0001: Myspace.com Trojaned Navigation Menu

November 16, 2007

http://www.caughq.org/advisories/CAU-2006-0001.txt

Real-time Steganography with RTP Whitepaper

September 18, 2007

My paper detailing the research I presented last month at DEFCON 15 was published today in Uninformed Journal Vol. 8. The paper is entitled “Real-time Steganography with RTP” and details using steganographic techniques to establish a covert channel within the protocol commonly used for the media channel in VoIP calls as well as a reference implementation.

Real-time Steganography with RTP

August 9, 2007

Last weekend I gave my presentation at DEFCON 15 entitled Real-time Steganography with RTP. At the same time, I released my reference implementation for the research which is called SteganRTP.

First, let me say that I hate computers. I hate them, hate them, hate them. Upon booting up my laptop in the speaker green room prior to my talk it decided to have all kinds of problems with my live demo setup. The audio was choppy, the endpoints didn’t want to sync up, basically mass chaos all contained within my laptop. Luckily I had gotten to the green room fairly early so after some quick debugging and a reboot everything was operating fine. It was a close call though, as the very minute I got it all back to normal it was time to walk down to the room I was scheduled to speak in.

My talk was essentially about a research project I’ve been working on for the past couple months in what little spare time I’ve had at home involving hiding a data communications protocol inside a VoIP call’s audio. My talk went well, although I did rush through it a bit hoping to end close to my allotted 50 minutes but I actually ended up finishing about 10 minutes early. Since I finished early I went ahead and took questions there in addition to later in the Q&A room for my track. I had some fairly good questions and one stupid question from intropy & co. at the back of the room (: I then went over to my Q&A room where this one guy proceeded to ask me questions for almost the entire next hour.

Anyhow, my presentation went really well, and you can check out the slides and the tool at the links above.

Underground Scene Dying?

July 5, 2007

A few days ago I was reading an article from the recently released Phrack 64 entitled A brief history of the Underground scene by Duvel. In his article, he suggests that the “Underground scene” is dying, and a large part of that is being contributed to by the commercialization of information security and hacking. He also suggests that what it means to be an elite hacker or security expert now is to come up with something novel like a new way to encode shellcode or deliver an exploit payload, and then go on the “conference circuit”:

Another incredible thing about these security conferences is what I would call the “conference circuit”. Nowadays, if you are a security expert, the trend is to give the same talk at different security conferences around the world. More than 50% of all security experts are doing this. They go in America at BlackHat, Defcon and CanSecWest, after they move in Europe and they finish in Asia or Australia. They can even do BlackHat America, BlackHat Europe and BlackHat Asia! Like Roger Federer or Tiger Woods, they try to do the Grand Slam! So you can find a conference given in 2007 which is more or less the same than one in 2005. Thus it seems we have now a new profession in our wonderful security world: “conferences runner” !

In a sense, I tend to agree with him about speakers and conferences. In fact, I maintain a Google Calendar of just such conferences, and believe me there are a lot of them, and many of them present the same material to different geographic regions. However, I don’t necessarily agree with him that the Underground scene is “dying”… Read the rest of this entry »