Didier Stevens

Monday 22 August 2011

Quickpost: CCTV Over UTP

Filed under: Hardware,Quickpost — Didier Stevens @ 0:04

I knew it was possible to transmit a composite video signal over UTP, but I always assumed that this was a kludge: that the preferred way was to use RG59 cable.

But recently I discovered that UTP cabling is often used in professional CCTV installations, because it offers the same benefits of structured cabling (like standardization and cost reduction).

To send the video signal over UTP, you need video baluns (one at each end of the pair). It is not transmitted via Ethernet, but the video signal is transformed to be send over a pair. Since CAT5 cable has 4 pairs, you can send 4 video signals over 1 cable. That’s what I’ve done at home, to limit the number of cables I had to install.

You can also use some pairs in the CAT cable to provide power to the CCTV camera (typically 12V) or to transmit audio (when you add a microphone to your CCTV camera). Video baluns are passive components, they don’t need power to operate. I’ve used baluns to cover distances of about 30m, and I don’t notice a difference in the quality of the video signal (compared to a video signal transmitted over RG59 cable).
Most baluns advertise distances of several hundred meters.

I was also able to transmit a video signal without noticeable quality degradation over an untwisted pair of 10m.

Quickpost info

Tuesday 16 August 2011

So How Good is Pseudo-ASLR?

Filed under: Vulnerabilities,Windows 7,Windows Vista — Didier Stevens @ 0:29

Let me first define what I mean with pseudo-ASLR. Address Space Layout Randomization (introduced in Windows Vista) loads executable files at different memory addresses. Studies have shown that ASLR uses 256 different base addresses and that the distribution is pretty uniform.

Pseudo-ASLR is what EMET and my tool SE_ASLR enforce. When a DLL does not support ASLR, memory at the base address of this DLL is allocated right before the DLL is loaded into the process. Since the address is not free, the image loader will load the DLL at a different address, thereby « randomizing » the base address. But how good is this randomization?

As I pointed out in my article on EMET, this base address is different each time a new process is started (unlike ASLR which needs a reboot for the base address to change). So maybe this is better ?

I developed a test program that loads a DLL but pre-allocates memory at the address of the DLL before loading. Then I ran that program thousands of times on a Windows 7 32-bit machine.

Running this program about 50.000 times gives me 68 different addresses. That’s by far not as good as 256 with ASLR. But what’s more important, is that the distribution of these addresses is not uniform at all:

There’s one address (0x000E0000 in my test) that is used 30% of the time. 2 other addresses are used 10% of the time. Rebooting the machine does not change this distribution.

When I do the same test, but enforce ASLR with EMET, I get a similar result:

Again there’s an address that is selected 30% of the time, but it’s different from my previous test. Rebooting the Windows 7 machine doesn’t change the address.

In this test, EMET uses only 15 different addresses, compared to the 68 addresses in the first test. I’ll have to research this difference, I’ve no explanation for it.

Conclusion from this simple test: pseudo-ASLR is rather weak, because I can predict the base address and I will be right one time out of three, which is not bad at all when I can launch my attack several times.

Wednesday 10 August 2011

Force “ASLR” on Shell Extensions

Filed under: My Software,Vulnerabilities — Didier Stevens @ 0:49

I’ve written about Shell Extension without ASLR support before.

Not only do they open up explorer.exe to ROP attacks, but other applications too, like Adobe Reader and Microsoft Office.

You could use EMET to force ASLR on these DLLs, assuming you know which applications load shell extensions. Because shell extensions are not only loaded into explorer.exe, but other programs too, I wrote a tool to force Shell Extension DLLs to load at another address than their base address, effectively simulating ASLR.

When my tool, SE_ASLR.dll, is loaded into a process, it will check for the presence of comdlg32.dll inside the list of loaded modules. When comdlg32.dll is used by an application, the likelihood of shell extensions being loaded into the process by user interaction with the file dialogs is significant.

Hence SE_ASLR will patch the IAT to intercept calls to LdrLoadDll. Each time the application loads a DLL (all DLLs, not only shell extension), SE_ASLR will check if the DLL supports ASLR. If it doesn’t, SE_ASLR will pre-allocate a memory page at the base address of the DLL, thereby forcing the loader to load the DLL at another address.

Although SE_ASLR’s primary goal is to relocate shell extensions, it will effectively relocate all DLLs without ASLR support once SE_ASLR is loaded into the process.

You need to load my tool into all applications that could use shell extension, for example via the AppInit_DLLs registry key. But before you do, be sure to test this out on a test machine. Not all shell extensions support relocation.

SE_ASLR_V0_0_0_1.zip (https)
MD5: 9D6AE1A96D554AEE527EB802FE59FB20
SHA256: 8A6C1406A757CD9788A2630D76A497E2C058333EE4D44CA0B85B2A05A39F257E

Friday 5 August 2011

My Home Surveillance System: Some Details

Filed under: Arduino,Hacking,Hardware — Didier Stevens @ 11:02

I use Phidgets USB interfaces and sensors for my home surveillance system. For the moment, my home surveillance system consists of Python programs running on a PC, but once I’m past the experimental phase, I will migrate this to a dedicated controller.
I particularly like the PIR motion sensor Phidget, because it gives you an analogue output. When there’s no movement, the output will be around 500. With movement, the output value will oscillate around 500, with larger amplitudes for larger movements.This allows me to differentiate between small and large movements, and to eliminate false positives which are only of a short duration. If you have to run wires for many meters to connect your analogue sensors to the interface module, I recommend you use shielded wires and connect the shield to the ground of the interface module. This allowed me to eliminate noise I had on the readings.

Another plus is that the sensors are powered by the interface module. So if you power the PC (or micro-controller) with a UPS, your home surveillance system will also operate when there’s a power cut.

To take pictures when an event occurs (like ringing the doorbell), I use an IP camera. Take a look at my vs.py program to see how that’s done.

Blog at WordPress.com.