Didier Stevens

Friday 17 April 2015

MS15-034 Detection: Some Observations

Filed under: Networking,Vulnerabilities — Didier Stevens @ 9:15

Several detection rules (SNORT, F5, …) are being published these days to detect exploitation of vulnerability MS15-034.

If you are making or modifying such detection rules, I want to share some observations with you.

MS15-034 can be exploited with a GET request with a specially crafted Range header.

Here is the example we’ll use: Range: bytes=2-18446744073709551615

Referring to RFC 2616 section 14.35.1, you can see that this is not the only way to specify a range. Here is the BNF:

ranges-specifier = byte-ranges-specifier
byte-ranges-specifier = bytes-unit “=” byte-range-set
byte-range-set  = 1#( byte-range-spec | suffix-byte-range-spec )
byte-range-spec = first-byte-pos “-” [last-byte-pos]
first-byte-pos  = 1*DIGIT
last-byte-pos   = 1*DIGIT

suffix-byte-range-spec = “-” suffix-length
suffix-length = 1*DIGIT

First of all, whitespace is allowed. So Range: bytes = 2 – 18446744073709551615 is valid (and also caused a BSOD on my test machine).

Second, numbers can have leading zeroes. So Range: bytes=2-018446744073709551615 is valid (and also caused a BSOD on my test machine).

Third, multiple ranges are allowed. So Range: bytes=2-3,4-18446744073709551615 is valid (this did not cause a BSOD on my test machine).

If you are using rules that don’t detect these cases properly, then attackers can easily evade detection. One space character could be all it takes to evade detection. If the rule looks for string “-18446744073709551615″, then using string “- 18446744073709551615″ in the attack (extra space character added) will evade detection.

Thursday 24 April 2014

ssl-hearbleed.nse mod

Filed under: Networking,Vulnerabilities — Didier Stevens @ 7:36

YAHP: Yet Another Heartbleed Post

Update: Daniel Miller told me this modification is not necessary. You can force a script to run on all open ports, regardless of the result of the portrule function, by prefixing the scriptname with a +. Like this: nmap -p443 –script +ssl-heartbleed cloudflarechallenge.com


I’ve read that some people are surprised by Nmap’s ssl-heartbleed.nse script behavior: that it will not test all ports.

The script is designed to test only ports with ssl. This is encoded in the portrule function:

portrule = function(host, port)
  return shortport.ssl(host, port) or sslcert.isPortSupported(port)

It’s explained here that you should do a service version detection scan (-sV) so that the script will test unusual ports.

If you don’t want to do a service version detection scan, you could change the portrule function to always return true, hence forcing a test on all open ports.

But this solution is not desired, it’s better to use a script argument to be able to force testing when really necessary.

I copied ssl-heartbleed.nse (SHA1 7540E31EF133226648616DF6534A8BD58C35A3D6) to ssl-heartbleed-force.nse and changed the portrule function like this:

<   return shortport.ssl(host, port) or sslcert.isPortSupported(port)
>   return stdnse.get_script_args(SCRIPT_NAME .. ".force") or shortport.ssl(host, port) or sslcert.isPortSupported(port)

With this change, ssl-heartbleed-force will behave exactly like ssl-heartbleed, unless you use script argument ssl-heartbleed-force.force, like this:

nmap --p443 --script ssl-heartbleed-force --script-args ssl-heartbleed-force.force cloudflarechallenge.com

This script argument will force the test on all open ports.

Friday 18 April 2014

Heartbleed: Testing From a Cisco IOS Router – ssltest.tcl

Filed under: My Software,Networking,Vulnerabilities — Didier Stevens @ 9:12

I wanted to know if I could exploit Heartbleed CVE-2014-0160 from a Cisco IOS router. So I wrote a Tcl script based on Jared Stafford’s Python program ssltest.py.

Turns out I can:

router#tclsh ssltest.tcl                         
Opening connection

Translating "cloudflarechallenge.com"...domain server ( [OK]
Sending handshake
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x02 Length: 66
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0b Length: 6113
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0c Length: 331
Received TLS record Type: 0x16 Version: 0x0301 First data byte: 0x0e Length: 4
Sending malformed heartbeat request
Heartbeat response received
Received TLS record Type: 0x18 Version: 0x0301 First data byte: 0x02 Length: 16384
Heartbeat response dump:
02 40 00 6b c1 f4 ab d9  47 45 54 20 2f 20 48 54  .@.kC^AC4B+C^Y GET / HT
54 50 2f 31 2e 31 0d 0a  48 6f 73 74 3a 20 63 6c  TP/1.1.. Host: cl
6f 75 64 66 6c 61 72 65  63 68 61 6c 6c 65 6e 67  oudflare challeng
65 2e 63 6f 6d 0d 0a 43  6f 6e 6e 65 63 74 69 6f  e.com..C onnectio
6e 3a 20 6b 65 65 70 2d  61 6c 69 76 65 0d 0a 0d  n: keep- alive...
0a 2b 14 0d 6a c0 13 32  44 c1 a9 0f bf 5d dc 57  .+..jC^@.2 DC^AB).B?]C^\W
19 18 03 03 00 1b 34 f3  65 6b c1 f4 ab d8 01 ff  ......4C3 ekC^AC4B+C^X.C?
ff a6 8b c5 e2 2a b0 d6  b3 ff bd fc 9c 67 a7 83  C?B&.C^EC"*B0C^V B3C?B=C<.gB'.
40 72 10 38 5e 01 ff ff  f1 ca d2 f6 be 81 23 41  @r.8^.C?C? C1C C^RC6B>.#A
fb 8d 53 15 42 aa 52 bd  9e 5f 61 0a 08 08 08 08  C;.S.BB*RB= ._a.....
08 08 08 08 08 00 19 00  0b 00 0c 00 18 00 09 00  ........ ........
0a 00 16 00 17 00 08 00  06 00 07 00 14 00 15 00  ........ ........
04 00 05 00 12 00 13 00  01 00 02 00 03 00 0f 00  ........ ........
10 00 11 00 23 00 00 00  0f 00 01 01 0e 00 0d 00  ....#... ........
19 00 0b 00 0c 00 18 00  09 00 0a 00 16 00 17 00  ........ ........
08 00 06 00 07 00 14 00  15 00 04 00 05 00 12 00  ........ ........
13 00 01 00 02 00 03 00  0f 00 10 00 11 00 23 00  ........ ......#.
00 00 0d 00 20 00 1e 06  01 06 02 06 03 05 01 05  .... ... ........
02 05 03 04 01 04 02 04  03 03 01 03 02 03 03 02  ........ ........
01 02 02 02 03 00 0f 00  01 01 00 15 00 c2 00 00  ........ .....C^B..
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........


00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
Closing connection


Tested on: Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)

If you are interested, here is my Tcl PoC ssltest.tcl:
ssltest.zip (https)
MD5: 1B50D6A10637BB6472ED541733BBE68D
SHA256: DA744643CF06645DA9C27A7DD62853E15123D7481AE5D6776E6393A6312847E1

Thursday 10 April 2014

Heartbleed: Packet Capture – Full TLS

Filed under: Networking,Vulnerabilities — Didier Stevens @ 22:34

Yesterday I posted my heartbleed packet capture with an unencrypted heartbeat record.

Now I post a capture with full TLS session setup, hence here the heartbeat records are encrypted. I use heartbleed.c by HackerFantastic.

heartbleed_packet_capture_tls.zip (https)
MD5: 7D19146C2ACC28AFAD6E1FD217E908BB
SHA256: 7FDECDD05269731EDD57FFEE24323C672D620A533CD412089F055D6266C76164

Wednesday 9 April 2014

Heartbleed: Packet Capture

Filed under: Networking,Vulnerabilities — Didier Stevens @ 21:39

I could call this a cardiogram, but let’s not get carried away…

I took a packet capture of the heartbleed bug (CVE-2014-0160) in action: I have OpenSSL 1.0.1 14 March 2012 running on Apache2 (Ubuntu, VMware) and executed Jared Stafford’s ssltest.py script. One small modification to the script: I removed line 132 (the script transmits 2 heartbeat requests, I want only 1 request).

PS: as I expected, I didn’t find an entry in the Apache logs for this request.

heartbleed_packet_capture.zip (https)
MD5: 8302CDF315A91DD6FC32BB81AE0FB80D
SHA256: 7029CF9C2AF3CE7649501D15AD58439513F02B1B9ECD23343F6C6A6B2D87D344

Wednesday 31 October 2012

“Please Buy Our Competitor’s Products”

Filed under: Hacking,Vulnerabilities — Didier Stevens @ 19:55

I had a very good Samurai WTF training at Brucon by Raul Siles.

When Raul discussed the fact that clients are not worried about cross-site scripting when you demonstrate it with an alert box, I got the following idea:

Let’s redirect the customer to the competitor’s website. So instead of alert(“XSS”); let’s do window.location = “www.competitor.com”;. This will demonstrate that a cross-site script can cost your client money.

BTW, our training took place in a church:

Wednesday 8 August 2012

Video: Hardening Windows processes

Filed under: My Software,Vulnerabilities — Didier Stevens @ 8:04

Help Net Security recorded a video with me speaking about EMET and HeapLocker at Hack In The Box Amsterdam 2012.

Sunday 23 October 2011

HeapLocker 64-bit

Filed under: My Software,Vulnerabilities — Didier Stevens @ 19:40

I’m releasing my first 64-bit version of my HeapLocker tool.

I had to change many pointer calculations, and had to replace 32-bit shellcode with 64-bit shellcode.

This 64-bit version gets configured via the registry, exactly like the 32-bit version of HeapLocker. The only difference is when you want to protect specific addresses, you need to use a QWORD registry value in stead of a DWORD (QWORD is 64-bit wide, DWORD is 32-bit wide).

And there is a new feature: Bottom Up Randomization. To enable it, create a DWORD registry value with name BottomUpRandomization and value 1.

I will be adding this feature to HeapLocker 32-bit too, but I want to do this from the same code base. The next release of HeapLocker 32-bit will be compiled from Visual Studio 2010 and not from Borland C++ anymore.

HeapLocker64_V0_0_1_0.zip (https)
MD5: F3D43A29CE64F9418AA154C66B0B06A4
SHA256: 7EFF1D9EA20B522D76034DC4CB66E2FD7AC43E585987FC9ABF7EF8EB801FBC6C

Tuesday 18 October 2011

HeapLocker: Preventing Heapsprays

Filed under: My Software,Vulnerabilities — Didier Stevens @ 8:34

I’ve been using my HeapLocker tool for almost a year now, and I’ve encountered no issues, except for the NOP sled detection. When used with Adobe Reader, HeapLocker will generate too many false positives when looking for NOP sleds. So I’ve disabled NOP sled detection for Adobe Reader.

The last feature I want to talk about is heap spray mitigation.

Like EMET, HeapLocker can pre-allocate memory pages so that they can’t be used by the heap. And this renders a heap spray useless, as it will not be able to inject shellcode at the addresses HeapLocker protects. But unlike EMET, HeapLocker has 2 modes of pre-allocating memory pages. The first mode is just like EMET, while the second mode will write special shellcode to the pre-allocated pages. When this shellcode is hit due to an exploit, it will callback to HeapLocker which will suspend all threads and display a warning dialog. This is what you see in the video. There are 2 advantages to this mode: the user is warned that she opened a malicious document, and you can also use this in a malware lab to find out which address the exploit is hitting.

To prevent the HeapLocker shellcode from being used for ROP exploits, I randomized the injected NOP sled and shellcode. But if you still find this too risky, just use the standard mode for pre-allocating pages.

For more details about the exact way to configure this, read the documentation found in the HeapLocker download.

FYI: I’m also working on a 64-bit version of HeapLocker.

Thursday 29 September 2011

Add Bottom Up Randomization To (Your Own) Source Code

Filed under: Vulnerabilities,Windows 7,Windows Vista — Didier Stevens @ 19:14

EMET’s new Bottom Up Randomization spectacularly increased the entropy of DLL’s base addresses loaded into my test program. Instead of 15 different addresses, I had more than 200.

Matt Miller told me how he implemented Bottom Up Randomization:

“It works by reserving a random number (between [0,256]) of 64K regions via VirtualAlloc. This has the effect of consuming a small portion of the bottom part of the address space. Since the Windows kernel assigns base addresses for collided DLLs by searching for a free region starting at the bottom of the address space, bottom up randomization ensures that a random base address will be assigned. Without bottom up randomization the bottom part of the address space remains fairly static (with some exceptions, such as due to heap, stack, and EXE randomization).”

So I decided to add this algorithm at the start of my test program:

int iIter;
int iRand;

iRand = rand() % 256 + 1;
for (iIter = 0; iIter < iRand; iIter++)

Again, the result is spectacular. In stead of 15 base addresses, with the most frequent address being using 30% of the time, my Bottom Up Randomization implementation gives me more than 300 addresses after 150.000 runs. And there’s no single address being used more than 0,5% of the time.

From now on, I’m going to include this in my programs, and I advise you to do the same with your programs. Or to open source programs you use.

Next Page »

The Rubric Theme. Blog at WordPress.com.


Get every new post delivered to your Inbox.

Join 274 other followers