Didier Stevens

Due to the current media attention, I’m updating and posting this old draft about secret questions.

First, let’s get a pedantic observation out of the way: Secret Question is a misnomer. If you think about it, it’s the answer that is secret, not the question.

The problem with secret questions is that they are often a backdoor to your account. When you use a strong password, the answer to your secret question will be easier to guess than your password. So you are actually using weak credentials.
If the sole purpose of the secret question is to reset your password (or e-mail it to you), then don’t use it, just type some random characters for an answer and forget about it. You won’t be able to get into your account using the secret question backdoor, but so won’t attackers.
If you’re afraid that you might forget your password, write it down and keep it safe (I recommend KeePass if you need a password manager).

Now if you definitely want a backdoor because you don’t want to write anything down and don’t trust your memory, there are a couple of options open to you.
If you’re not able to make up your own secret question, but have to choose one from a predefined list, then provide an answer that you can derive from the question only (think about it, your secret answer doesn’t have to make sense, it just has to be secret). An example:
Q: Name of first pet?
A: Four
Why four? Because the question is a sentence of 4 words. This way you don’t have to remember your secret answer, just the rule to derive the answer from the question. You can reuse the same rule for different accounts, it will generate different secret answers for different secret questions.

If you can provide your own secret question, then I recommend to use math. An example:
Q: How much is 3 + 7?
A: 20
Why 20? Because your secret rule is to double the result to obtain the correct answer. 3 + 7 equals 10, 10 times 2 equels 20.

Secret answer rules can be as hard as you want, but complex rules are more likely to be forgotten…

To summarize: disable secret questions, and store and protect your credentials.

This post comes with a complementary cartoon.

No breaking news in this post, but I’ve found enough applications vulnerable to XML-bombs and not enough awareness around it, that I feel it justifies another web page documenting the principles behind it, together with suggestions to protect your applications from it.

The XML-bomb is a small XML document designed to expand to a gigantic size when parsed by an (unprotected) XML-parser. The huge amount of resources (memory) consumed when parsing the XML-bomb can cause a DoS or BoF.

Take this simple XML document:

And take this Document Type Declaration defining an entity e0 with value A:

Including this DOCTYPE in our simple XML document enables us to reference entity e0 in our document, for example like this:

When this document is parsed by an XML-parser supporting DTDs, the entity reference is replaced by its value. Here is Internet Explorer rendering our XML document:

Notice that &e0; has been replaced by A.

This entity definition and referral mechanism is one essential ingredient of an XML-bomb.

The second ingredient is an expression that will grow exponentially and consume huge amounts of resources when evaluated.

We define a second entity, e1, referring twice to our first entity e0:

Include this definition in our XML document:

And this is how it is parsed:

e0 evaluates to A

e1 evaluates to AA

Now define e2 referencing e1, e3 referencing e2, …, and then we get

e2 evaluates to AAAA

e3 evaluates to AAAAAAAA

…

We have achieved exponential growth! An XML-bomb with 31 entities is less than 1K in size, but entity e30 is 1GB  (2^30 bytes) in size when it gets evaluated by the XML-parser!

How do you protect your application from an exploding XML-bomb?

If you don’t need support for DTDs, just disable DTDs or use a parser without DTD support.

If you need support for DTDs, try to prevent XML-bombs from entering your XML-parser by known-pattern scanning (like classic antivirus software does, for example an application firewall) or limit the impact of an expanding XML-bomb by hardening your XML-parser by restricting its consumption of resources.

You’re aware of the limitations of known-pattern scanning. This is a text-book XML-bomb, with exponential growth finding its origin in the binary tree structure. But there are many other data type structures …

Last Sunday, we had federal elections here in Belgium. I’m glad to see that the electronic voting system I used is designed to minimize voter coercion.

The secret ballot prevents coercion (being forced to vote for a certain person or party): if the voter can’t produce evidence of how he voted, he can lie to the coercer about his vote without risk. Some political parties want to change the process of the secret electronic ballot and include a paper trail. This is not a good idea, it will make coercion much more effective, as the voter will have an official paper with his vote.

The ubiquitousness of mobile phones equiped with a camera gives coercers a new opportunity to require proof from the persons they are coercing. The coercer just has to instruct his victim to take a picture of his ballot. The Belgian electronic ballot is designed to prevent this. When you’ve casted your vote, you’ll see a screen like this one:

The 2 buttons at the bottom of the screen allow you to:

• left button: go back a screen and change your vote
• right button: confirm your vote

Once you have confirmed your vote, the next screen doesn’t display how you voted. So if one is coerced and has to deliver proof, one just has to take a picture of the vote one was coerced into, and then back out from the screen and change ones vote. The only workaround I see is for the coercer to demand a video of the complete voting process, in stead of a picture of the ballot.

I’ve made a video of my voting last Sunday, and it turned out to be rather difficult to do. First of all, I was standing very close to the screen and I clumsily managed to film only the bottom of the screen. Secondly, the brightness of the CRT screen (black letters on a white background) makes it very hard to read my ballot on the video. This could also be an anti-coercion mechanism, taking legible pictures of a white screen is very hard.

This is an advantage that our electronic ballot has over our paper ballot, it is more effective against voter coercion.

You can find a simulation of the Belgian electronic ballot here:

I’m back from Black Hat Europe 2007. Black Hat’s theme is “Digital Self Defence”, and that is just what I did. Because I took a reverse engineering training by Halvar Flake, I had to take my Windows laptop with me. I explain how I protected my Windows laptop when accessing an insecure wireless network at the conference.

The threats I faced when enabling my wireless connection at the conference were:

• someone compromising the integrity of my system
• confidential data theft
• credentials theft

In a normal situation I protect my OS and data with these procedures and tools:

• keeping my OS and software patched
• running McAfee Anti-Virus and update it
• running Kerio’s free Personal Firewall
• connecting to the Internet with a NAT router
• using a WPA secured WiFi connection
• using FireFox with NoScript and CookieSafe for web browsing
• storing all my data in a TrueCrypt volume
• making regular system backups with Acronis TrueImage on a dedicated USB hard disk
• using a non-admin account

At home, before I left for the conference, I took a full backup of my laptop.

In the hotel, there was unencrypted, free WiFi available in the rooms and on the conference floor. My laptop has a (hardware) switch to disable WiFi. I would only switch it on when I really needed to access the Internet. And by preference in my hotel room on the 16th floor, not on the conference floor.

Each time I enabled WiFi access, I unmounted the TrueCrypt volume with all my data.

Whenever I accessed a website that needed credentials (like Gmail), I made sure that it used HTTPS or else I would use TOR as a proxy (I didn’t use TOR all the time because of the slow connection).

For the training, I installed a new virtual machine (with VMware), and installed all the software Halvar gave us and did all the exercises on this machine.

My hotel room had a laptop safe, and I would always store my laptop in it whenever I didn’t need it.

I didn’t notice an incident on my laptop when I was at Black Hat. But back home, I decided to restore my laptop, not because I feared my laptop was compromised, but mainly as an exercise to test my backup procedure.

Here is how I did it:

1. make a new backup of my laptop, just in case the restore goes wrong
2. copy my TrueCrypt volume with data and the training virtual machine to an USB hard disk, because I need to keep this
3. restore the backup from before the conference
4. copy my TrueCrypt volume with data from the USB hard disk back to the laptop

It took a long time, but the procedure is simple and everything went fine. I learned that the Acronis True Image’s progress bar during the restore is confusing. The time remaining would increase, not decrease. At the end, it was 5 hours, and then Acronis True Image rebooted my laptop. Windows was running normal, and connected immediately to my WiFi network at home. All traces of the WiFi network at Black Hat were gone.

My laptop has forgotten it was at Black Hat Europe 2007.

The key ingredients of the restore procedure are:

• a full system backup
• a clear separation of system files and data files

Microsoft announced that there are no patches planned for next week’s patch Tuesday.

It will be interesting to see if new zero-days will appear in the coming days. We often see new zero-days just after patch Tuesday. There’s a theory that states that exploit writers do this to maximize the life-time of the exploit. If this theory is correct, we should already see new zero-days appearing between now and Tuesday, because exploit writers won’t have to wait for Tuesday to maximize the life-time of the exploits.

Tuesday July 11th, second Tuesday of the month. IT professionals working for a Microsoft shop know the drill: patch Tuesday.

MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution. One vulnerability fixed by this patch is the “Mailslot Heap Overflow Vulnerability - CVE-2006-1314″. According to the Microsoft Security Bulletin, a mitigating factor for this vulnerability is “Microsoft Windows XP Service Pack 2 and Microsoft Windows Server 2003 Service Pack 1 do not have services listening on Mailslots in default configurations“. Good, but what about non-default configurations? When do you have mailslots on your machine?

Maislots are an Inter-Process Communication (IPC) protocol. It can be used by processes (running programs) to communicate with each other.

It’s easy to create programs using mailslots.
Your server program listens to a mailslot by creating a file starting with \\.\mailslot followed by the name of the mailslot (e.g. \\.\mailslot\listener) and starts reading from that file.
Your client program talks to a mailslot by creating a file starting with \\server\mailslot followed by the name of the mailslot (e.g. \\MyServer\mailslot\listener) and writing a message to it. The Server Service will transport your message from your client program to your server program.

More details can be found on MSDN and sample code is available on The Code Project.

Hence any program designed to use mailslots can open a mailslot on your Windows PC, making your Windows XP SP2 machine vulnerable. You can list the mailslots opened on a machine by enumerating the files in the \\.\mailslot directory.

I wrote a simple C# 2.0 console application to do this:

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;

namespace ListMailSlots
{
    class ListMailSlots
    {
        static void Main(string[] args)
        {
            foreach (string file in Directory.GetFiles

(@".mailslot", "*.*", SearchOption.AllDirectories))
            {
                Console.WriteLine(file);
            }
        }
    }
}

Mail me or post a comment if you want the compiled program.

Running this program on a fresh Windows XP SP2 install shows nothing: as stated by Microsoft, a default install has no mailslots.

But on a Windows Server 2000 SP4, the result is different:

messngr
Alerter
53cb31a0UnimodemNotifyTSP

The mailslot \\.\mailslot\messngr is used by the Messenger service (the service that displays a popup when you issue a NET SEND command).
Alerter is used by the Alerter service to display administrative alerts.

These services are disabled on Windows XP SP2 and Windows 2003 SP1. In fact, when you enable and start these services on a default install, the mailslots will be created and my program will list them.

53cb31a0\UnimodemNotifyTSP is used by the Telephony service.

There is another way to list mailslots using Process Explorer by Sysinternals: start PE and search (File Handle or DLL…) for \Device\Mailslot:

This will also show you the process that opened the mailslot. svchost.exe is a generic process to host Windows services, you’ll have to open the properties of the process and select the Services tab to view which Services are hosted by the process.

I’ve also discovered (with my program) that McAfee uses a mailslot.

This gives you a method to check if a Windows machine has mailslots and hence if it’s vulnerable.

Few details have been published about this vulnerability, the best I found is by TippingPoint. I wonder when H D Moore will publish an exploit module for his Metasploit framework.
Cybertrust has issued an alert for this vulnerability, warning for a possible new worm like Slammer. Wait and see…