Didier Stevens

Monday 1 March 2010

Quickpost: NetworkMashup.xls

Filed under: My Software, Quickpost — Didier Stevens @ 6:11

NetworkMashup.xls is a spreadsheet with VBA macros I scraped from the Internet to execute pings and name/address resolution from within Excel with WIN32 API calls.

Not only is it handy when you need to do some network mapping in a restricted environment, but also if you’ve just a list of machines to monitor.

The spreadsheet contains several sheets. One sheet to perform a single ping:

One sheet to ping/resolve a list:

One sheet to list the IP addresses of the current machine:

And last, a sheet with settings:

Download here.

Quickpost info

Tuesday 2 February 2010

Quickpost: Quasi-Tautologies & SQL-Injection

Filed under: Hacking, Quickpost — Didier Stevens @ 9:54

Last OWASP/ISSA Belgian chapter meeting was the location of an interesting discussion. For a full report of the meeting, read Xavier’s excellent blogpost.

Many SQL-injection techniques rely on tautologies: adding an expression that is always true to the where-clause of a select statement. Like OR 1=1. 1=1 is a tautology, it’s an expression that always yields true.

So if SELECT * FROM USERS WHERE USERNAME = ‘ADMIN’ and PASSWORD = ‘UNKNOWN’ doesn’t select any rows because the password is not correct, injecting ‘ OR 1=1 – gives SQL statement SELECT * FROM USERS WHERE USERNAME = ‘ADMIN’ and PASSWORD = ” OR 1=1 –’ which will return all rows, because the where-clause is always true (OR 1=1).

There are several security applications (WAFs, SQL firewalls, …) designed to monitor the stream of SQL statements and reject statements with tautologies, i.e. the result of a SQL-injection. Some are very simple and just try to match pattern 1=1. Bypassing them is easy: 1>0 is also a tautology. Others are more sophisticated and try to find constant expressions in the where-clause. Constant expressions are expressions with operators, functions and constants, but without variables. If a constant expression is detected that always evaluates to true, the firewall assumes it’s the result of a SQL-injection and blocks the query.

This is all classic SQL-injection, but now comes the interesting part.

What if I use an expression that is not a tautology in it’s mathematical sense, but is almost one… Say I use expression RAND() > 0.01 ? The RAND function is a random number generator and returns a floating point value in the range [0.0, 1.0[. Expression RAND() > 0.01 is not a tautology, it’s not always true, but it is true about 99% percent of the time. I call this a quasi-tautology.

A firewall looking for tautologies will not detect this, because it is not a tautology. But when you use it in a SQL-injection, you stand a 99% chance of being succesful (provided the application is vulnerable to SQL-injection)!

There are other functions than RAND to create quasi-tautologies. An expression comparing the seconds of the current system time with 59 is also a quasi-tautology.

The GreenSQL firewall will detect SQL statements with quasi-tautologies, not because it looks for them, but because it builds a whitelist in training mode.

Quickpost info

Thursday 28 January 2010

Quickpost: Shellcode to Load a DLL From Memory

Filed under: Hacking, My Software, Quickpost — Didier Stevens @ 3:08

I finally took time to develop shellcode to load a DLL, not with LoadLibrary, but directly from memory. Not storing the DLL on disk prevents it from being detected by AV software; not using LoadLibrary bypasses HIPS software that monitors this system call.

My shellcode is based on Joachim’s code.

In previous posts, I showed how to load a DLL or shellcode with VBA in Excel. This is a combination of both techniques: a VBA macro loads and executes shellcode in Excel’s process space, and the shellcode loads a DLL from memory into Excel’s process memory.

With the code of the previous post, the DLL appears in the list of loaded DLLs:

With this shellcode, it doesn’t:

Quickpost info

Thursday 21 January 2010

Quickpost: PDF Header %!PS-Adobe-N.n PDF-M.m

Filed under: My Software, PDF, Quickpost — Didier Stevens @ 11:21

@Feliam has an interesting PDF library to create PDF files with an unconventional header (the generated document doesn’t start with %PDF-…, but %PDF appears somewhere in the first 1024 bytes of the document). As this trick is likely to be taken over by malware authors, I updated PDFiD to support this.

The PDF reference document also mentions %!PS-Adobe-N.n PDF-M.m as a valid header, however, the PDF documents I and @Feliam generated with this header are not rendered by Adobe Reader (neither Foxit or Sumatra PDF).

I was told Adobe did support this header in older versions. My tests show Adobe Reader version 3, 4, 5 and 6 will render PDF documents with header %!PS-Adobe-N.n PDF-M.m. Versions 7, 8 and 9 will not. Therefor I decided not to include support for this header to PDFiD.

pdf-parser doesn’t test the header, it analyzes PDF documents regardless of the header.

Wednesday 13 January 2010

Quickpost: New Versions of PDFiD and pdf-parser

Filed under: My Software, PDF, Quickpost — Didier Stevens @ 21:54

A new version of PDFiD (V0.0.10): to deal with PDF samples trying to evade detection by preceding the header with some random bytes, I use less stringent conditions to identify a PDF file. If PDFiD finds keyword %PDF in the first 1024 bytes of a file, it assumes it’s a PDF file and starts analyzing it.

A new version of pdf-parser (v0.3.7):

  • added support for filters /LZWDecode and /RunLengthDecode
  • added a –dump option to extract the unfiltered data of a stream object (useful when the data is not actually compressed, but a payload)
  • testing the Python version before execution

Both can be downloaded on the PDF Tools page.

Quickpost info

Sunday 20 December 2009

Quickpost: Read-Only USB Stick

Filed under: Forensics, Hardware, Quickpost — Didier Stevens @ 20:52

When someone asks me for a read-only USB stick, I recommend to use an SD card with a SD-to-USB adapter, because these are easier to find than USB sticks with write-protection. Most SD cards have a write-protection tab.

But last time I got a surprise: when testing a new SD card reader, I was able to write to the write-protected SD card. Turns out that this particular SD card reader doesn’t support the write-protection tab and always allows the OS to write to the SD card.

Quickpost info

Friday 4 December 2009

Quickpost: New EICARgen Version

Filed under: My Software, Quickpost — Didier Stevens @ 14:58

I never expected to release a new version of EICARgen, but I’m forced to: EICARgen.exe generates just too many false positives.

The new version contains the EICAR string an XOR-encode string (key 0xFF). It has only a couple of detections. Kaspersky and VBA32 shouldn’t actually detect this. EICAR clearly specifies that the presence of the EICAR test string inside a file (like an executable) shouldn’t be detected. As to why AVG needs to detect EICAR test file droppers, I have no idea…

Quickpost info

Monday 9 November 2009

Quickpost: “Hiding” a PDF Document

Filed under: Entertainment, My Software, PDF, Quickpost — Didier Stevens @ 15:00

Here’s some Python code (it uses my mPDF module) to append a new PDF document to an existing PDF document to “hide” the original document. Recovering the original is trivial, you open the PDF document with a HEX-editor and delete the appended document (starting after the second %%EOF counting from the end of the file). This trick uses incremental updates.

20091107-172245

#!/usr/bin/python

__description__ = 'make-pdf-hide-original, use it to "hide" the original PDF document'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2009/11/07'

"""
Source code put in public domain by Didier Stevens, no Copyright

https://DidierStevens.com

Use at your own risk

History:
 2009/11/07: start

Todo:

"""

import mPDF
import time
import zlib
import optparse

def Main():
    oParser = optparse.OptionParser(usage='usage: %prog [options] pdf-file\n' + __description__, version='%prog ' + __version__)
    oParser.add_option('-s', '--line', default='Hello World', help='The line of text to print on the screen (default Hello World')
    (options, args) = oParser.parse_args()

    if len(args) != 1:
        oParser.print_help()
        print ''
        print '  %s' % __description__
        print '  Source code put in the public domain by Didier Stevens, no Copyright'
        print '  Use at your own risk'
        print '  https://DidierStevens.com'

    else:
        pdffile = args[0]
        oPDF = mPDF.cPDF(pdffile)
        oPDF.template1()
        oPDF.stream(5, 0, 'BT /F1 24 Tf 100 700 Td (%s) Tj ET' % options.line)
        oPDF.xrefAndTrailer('1 0 R')

if __name__ == '__main__':
   Main()
Quickpost info

 

Monday 28 September 2009

Quickpost: SAFER and Malicious Documents

Filed under: My Software, Quickpost — Didier Stevens @ 17:50

I wasn’t going to mention SAFER to restrict the rights of an application, because Software Restriction Policies can be bypassed. But a Tweet by Edi Strosar made me review my viewpoint. In this particular case, bypassing SRP is a non-issue, because the user is already local admin!

Software Restriction Policies allow you to force specific applications to run with a restricted token. As Michael explained it with AD GPOs, I’ll show it with local policies.

Enable SAFER policies for SRPs by adding DWORD registry key Levels (value 0×31000) to HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers:

20090928-184852

Start the Local Security Policy administration tool and go to the Software Restriction Policies. You’ll have to create new policies if this is the first time you configure SRPs.

20090928-180154

Create a new rule in Additional Rules. We’ll identify the application to restrict by its path and name, so create a Path Rule:

20090928-185739

For the security level, select Basic User:

20090928-184938

If you have no Basic User option, you forgot to update the registry before launching the administration tool:

20090928-184657

Select the application to restrict:

20090928-185830

This rule will force Adobe Reader to run with a restricted token:

20090928-180534

Writing to SYSTEM32 is denied:

20090928-180742

Quickpost info

Wednesday 9 September 2009

QuickPost: Arduino + Alcohol Gas Sensor + WiShield + LCD

Filed under: Arduino, Hardware, Quickpost — Didier Stevens @ 20:07

This is a little project I’m working on for Brucon:

20090909-212457

This is an Arduino with a WiFi adapter (WiShield), an LCD and a gas sensor (senses gases like ethanol).

What it does: the Arduino reads the sensor (uncalibrated for the moment), displays its value on line 1 of the LCD and also servers it on a web page (with an embedded webserver connecting to the WiFi network via the WiShield).
If the sensor read-out is 900 or more, a LED is turned on.
And I can send a message via the webserver to line 2 of the LCD.

The problem I had to solve: the LCD didn’t work when the WiShield was operating.

The cause: the WiShield library and the LCD library use some common pins.

Solution: change the pin assignment in the LCD library code (LCD4Bit.cpp):

// --------- PINS -------------------------------------
//is the RW pin of the LCD under our control?  If we're only ever going to write to the LCD, we can use one less microcontroller pin, and just tie the LCD pin to the necessary signal, high or low.
//this stops us sending signals to the RW pin if it isn't being used.
int USING_RW = false;

//RS, RW and Enable can be set to whatever you like
int RS = 1;
int RW = 11;
int Enable = 0;
//DB should be an unseparated group of pins  - because of lazy coding in pushNibble()
int DB[] = {3, 4, 5, 6};  //wire these to DB4~7 on LCD.

//--------------------------------------------------------

And don’t forget to delete LCD4Bit.o before recompiling the code. The Arduino IDE doesn’t check dependencies of libraries when compiling.

And yes, once calibrated, you should be able to use this alcohol gas sensor to prevent drunk e-mailing ;-) But you’ll need to add a sensor to verify you’re actually blowing into the alcohol gas sensor. For example a gas pressure sensor.

Quickpost info

Next Page »

Blog at WordPress.com.