Saturday, March 20, 2010

If we could only control that window class...

This is an example of a file run from within a local chm file.
Local chm files are considered as executables.
The following is a research into an interesting bug and NOT a
discussion on a practical security vulnerability.

[PARAM name="Command" value="ShortCut"]
[PARAM name="Button" value="Bitmap:shortcut"]
[PARAM name="Item1" value=",cmd,/c"]
[PARAM name="Item2" value="273,1,1"]


// The chm loads, executes a process and the process is closed
// The the script clicks the shortcut object after the process has already been closed
// then hh.exe tries to create an error message using a format string (wsprintfA). The error message is:
// "The program specified for the shortcut was started, but the window class "%s" could not be found."
// Then there is an attempt to read from the window class that was assigned to the process executed, which was
// FREEed/destroyed/released when the process was closed. This causes the address that is pulled from the stack to be 3 letters
// from the error message itself and another byte " th\x54"

// an exploitation would require to be able to manipulate the window class
// a proper fix would be one of the following:
// 1) Checking if the window class still exists before using it
// 2) making a copy of the window class upon process creation and using that copy
// 3) removing the format string message


Friday, December 11, 2009

Using Nmap Remotely Through F5 FirePass VPN

Well, we all use the common hacking tools of the trade like Nmap. Some of us use it on Windows and some on Linux. This post is for the people using it on Windows.
I was connected to a network remotely through the company's F5 VPN appliance and I wanted to scan the internal network.

It looked like:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 192.168.1.*

Once I pressed "Enter" I got:
Starting Nmap 4.85BETA10 ( ) at 2009-11-10 00:34 Jerusalem Standard Time
WARNING: Using raw sockets because ppp0 is not an ethernet device. This probably won't work on Windows.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 5 seconds then retry.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 25 seconds then retry.

Call to pcap_open_live(ppp0, 100, 0, 2) failed three times. Reported error: Error opening adapter: The system cannot find the device specified. (20)

There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.

*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV ; or use mknod).

*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the -- unprivileged command-line argument will help.

SOLARIS: If you are trying to scan localhost or the address of an interface and are getting '/dev/lo0: No such file or directory' or 'lo0: No DLPI device found', complain to Sun. I don't think Solar is can support advanced localhost scans. You can probably use "-PN -sT localhost" though.


Then I realized that the VPN connection was a PPP device which is probably at the top of the device type interfaces order list and Nmap is trying to use it in order to scan, which is the point of failure because Nmap on Windows without RAW sockets (means Windows XP SP2+) can only use Ethernet devices. So I try played "Imaginary Linux on Windows" and added the option "-e eth0" which specifies using the Ethernet device indexed at 0 and it worked like a charm.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 -e eth0 192.168.1.*

Starting Nmap 5.00 ( ) at 2009-11-10 00:49 Jerusalem Standard Time
Interesting ports on XXXXX (
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

Bypassing Windows Unknown Publisher Verification For Web Downloaded Executables

I was in another day of jumping from a client to a client, securing another bank in Israel when my girlfriend called and said "Honey, I am at the office, I have absolutely nothing to do and I can't connect from here to our computer at home to continue my project". I said, O.K, let's see what we can do on a 5 minute phone call. Now just want to make it clear, my girlfriend is an Information System Instructor, she is no developer or hacker.

Me: "Honey, go to, can you download it?"
Her: "yes, but when I run the setup.exe it says something weired like 'windows has blocked this software because it can't verify the publisher' and it won't let me install"

Me: "O.K, Open Start-Run, type notepad and space, now click on setup.exe and drag it to the text box at Start->Run. Now add ':Zone.Identifier' just before the last quotes. What do you see?"
Her: "I see something like ZoneId=3, now what?"
Me: "I can't talk, going into a meeting, try to change it to 1 or delete everything, bye bye bye"

After 10 minutes I get an SMS "thanks honey it worked!!!".
Well we found a bug, I wouldn't really call it a "Privilege Escalation" but I guess you don't have to be a hacker to bypass windows security restrictions :)

Thursday, July 9, 2009

Exploiting WebView through Internet Explorer to remotely discover windows directory

As for any large product, Microsoft Windows operating system is built on its previous versions code. Some of this code even goes back until Microsoft Windows 98.

In Windows 98 a new look was introduced called "WebView" which included the way folders are displayed and the way the desktop is displayed are all HTML templates which were also editable to the default administrative user.You can read more about it here:

Those HTML Templates had the extension "htt". In order for the folder templates to function properly and being able to display the current folder, a few automatically expended variables were added to the module filtering the "htt" files. These are:
%TEMPLATEDIR% (hardcoded)
%THISDIRPATH% (hardcoded)
%THISDIRNAME% (hardcoded)
%LOGOLINE% (registry)

This mechanism lives until today deeply inside Windows XP's code in two modules inside the system32 folder:
1) Webvw.dll
2) Mshtml.dll

Webvw.dll is the module which is responsible for all the Webview installation and normal activity and mshtml.dll is the main module for HTML Filtering & Rendering used Windows Explorer and Internet Explorer.

When Microsoft Windows is installed and webvw.dll is registered, it adds it CLSID and a few registry keys. The interesting ones are these:
Default = "%SystemRoot%\Web\wvleft.bmp"
Default = "%SystemRoot%\Web\wvline.gif"

Every time an htt file is rendered, without any local-remote or any zone consideration, those variables are replaced with the current system's path.
This is the code inside mimeflt.cpp which contains the bug:Lines 360 to 433:


void ConvertBytesToTChar(LPCBYTE pBuf, UINT nCharSize, LPTSTR psz, int cch) {
if (SIZEOF(char) == nCharSize) {
SHAnsiToTChar((LPCSTR)pBuf, psz, cch);
} else {
SHUnicodeToTChar((LPCWSTR)pBuf, psz, cch);

void ExpandMacro(LPBYTE pszMacro, LPBYTE pszExpansion, int nBytes, UINT nCharSize) {
TCHAR szExpansion[MAX_PATH];
szExpansion[0] = TEXT('\0');

ConvertBytesToTChar(pszMacro, nCharSize, szTCharMacro, ARRAYSIZE(szTCharMacro));
StrCatBuff(szKey, TEXT("\\"), ARRAYSIZE(szKey));
StrCatBuff(szKey, szTCharMacro, ARRAYSIZE(szKey));
HKEY hkMacros;
if (RegOpenKey(HKEY_CURRENT_USER, szKey, &hkMacros) == ERROR_SUCCESS && RegOpenKey(HKEY_LOCAL_MACHINE, szKey, &hkMacros) == ERROR_SUCCESS) {
DWORD dwType;
DWORD cbData = SIZEOF(szExpansion);
SHQueryValueEx(hkMacros, NULL, NULL, &dwType, (LPBYTE)szExpansion, &cbData);

ConvertTCharToBytes(szExpansion, nCharSize, pszExpansion, nBytes);

int CWebViewMimeFilter::_Expand(LPBYTE pszVar, LPBYTE * ppszExp) {
if (!_StrCmp(pszVar, "TEMPLATEDIR", L"TEMPLATEDIR")) {
if (!_szTemplateDirPath[0]) {
GetMachineTemplateDir(_szTemplateDirPath, SIZEOF(_szTemplateDirPath), _nCharSize);

*ppszExp = _szTemplateDirPath;

} else if (!_StrCmp(pszVar, "THISDIRPATH", L"THISDIRPATH")) {
if (!_szThisDirPath[0]) {
*ppszExp = _szThisDirPath;

} else if (!_StrCmp(pszVar, "THISDIRNAME", L"THISDIRNAME")) {
if (!_szThisDirName[0]) {
*ppszExp = _szThisDirName;

} else {
ExpandMacro(pszVar, _szExpansion, SIZEOF(_szExpansion), _nCharSize);
*ppszExp = _szExpansion;

return _StrLen(*ppszExp);

In Windows XP the variables "%THISDIRPATH%" and "%THISDIRNAME%" were removed from the Mime Filter which means %TEMPLATEDIR%, %BACKGROUNDIMAGE% and %LOGOLINE% would still be translated into the current windows directory.

The Proof Of Concept code (Remote WebView Macro Translation):
Save on a remote host with an htt extension and replace "http:///filter_trap.htt
--------------------------- filter_trap.htt start --------------------------------
[div id="LOGOLINE"]%LOGOLINE%[/div]
--------------------------- filter_trap.htt end --------------------------------

Monday, June 15, 2009

Security Cameras - To See Or Not To See?!

These days, security is going digital.

From live and automatic event log analysis up to personal "on-key" tokens and remotely controlled security cameras.

These technologies should be used carefully. For example if the token generates 6 digits and there is no password complexity enforcement, users can set their password to "1" and then we'll get a 7 character length password. If the data from the log will not be filtered and will be in html format, it may execute code. Even worse, if it is viewed at the command line console, it may execute code using the console color control characters.

When talking about security cameras, a security flaw in the camera's simple application server may cause the entire video stream to be accessible to an intruder.

While consulting to a big financial customer, I discovered the security cameras installed are easily accessible to anyone thanks to a very simple logical flaw. Not to mention default user accounts, empty password sets, the ability to brute force, directory traversal and some classic authorization bypass vulnerabilities.

Most of the security cameras in my country are bought from Korea, some of the software is written by the vendor and some by the distributer. Both of them should pay much more attention to security so we won't have the same classic vulnerabilities over and over again.

Attached are a few screen captures:

another white night at work

another white night at work

Clothing Shop

Clothing Shop

Coffee Shop

Coffee Shop

Eyes on the ball!!!

Eyes on the ball!!!

How's that shirt?

How's that shirt?"

Anyone knows a Safe-Cracker?!

Anyone knows a Safe-Cracker?!

Monday, May 4, 2009

ICQ Phishing - You Type, They Sell

My friend ax1les has a 5 digit ICQ number and he always gets wiered messages that turn out to be phishing or links to trojans. A few days ago, he got this message:

He thought it would be a good idea that we'll take a look at that website together, and we did :)

In the last decade russians really mad fun of the world using the Internet.
The website is a phishing website that "confirms" your ICQ account credentials are still valid (yeah right). The amazing thing is he didn't even bother changing the title from the former text "" :)

But of course his business is really successful as he is also the owner of the mega-icq-shop, he is trying to hide so much that he event left it in the domain's whois details......

Domain ID:D28335226-LRMS
Created On:20-Apr-2009 07:27:17 UTC
Last Updated On:29-Apr-2009 15:01:04 UTC
Expiration Date:20-Apr-2010 07:27:17 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a (R159-LRMS)
Registrant ID:DI_9732581
Registrant Name:Andrey Petrovich
Registrant Organization:Private person
Registrant Street1:Krasnoarmeyskaya 18 dom 4 kv 32
Registrant Street2:
Registrant Street3:
Registrant City:Moskva
Registrant State/Province:Moskva
Registrant Postal Code:132132
Registrant Country:RU
Registrant Phone:+7.4951783223
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Admin ID:DI_9732581
Admin Name:Andrey Petrovich
Admin Organization:Private person
Admin Street1:Krasnoarmeyskaya 18 dom 4 kv 32
Admin Street2:
Admin Street3:
Admin City:Moskva
Admin State/Province:Moskva
Admin Postal Code:132132
Admin Country:RU
Admin Phone:+7.4951783223
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Billing ID:DI_9732581
Billing Name:Andrey Petrovich
Billing Organization:Private person
Billing Street1:Krasnoarmeyskaya 18 dom 4 kv 32
Billing Street2:
Billing Street3:
Billing City:Moskva
Billing State/Province:Moskva
Billing Postal Code:132132
Billing Country:RU
Billing Phone:+7.4951783223
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Tech ID:DI_9732581
Tech Name:Andrey Petrovich
Tech Organization:Private person
Tech Street1:Krasnoarmeyskaya 18 dom 4 kv 32
Tech Street2:
Tech Street3:
Tech City:Moskva
Tech State/Province:Moskva
Tech Postal Code:132132
Tech Country:RU
Tech Phone:+7.4951783223
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Name Server:NS1.AGHOST.RU
Name Server:NS2.AGHOST.RU

Anyway, the really wiered thing about this case is that while i am writing this post this website is not loading anymore...the DNS no longer resolves to any IP and their former IP reponse with "Apache is working properley" when requesting the Host "".
May be I scared them away with a few little DNS requests or the cops just randomly knocked on their door :)

Sunday, December 28, 2008

The "DesktopSmiley, Not A Spyware" ToolBar

The "Not A Phishing Worm" really got me interested as it sent special Christmas messages so I decided to dig in just a bit. So as discovered, after the user supplies his MSN credentials, his friends get a link to the "Not A Phishing" website and a lot of tricky links leading to to download their toolbar. Which they say is "Not Spyware".

So we got a non-phishing worm downloading a non-spyware program, let's see its non-evil actions :)
The first thing I did was downloading the installer, which asks no questions and shows no EULA. It is also digitally signed by "DoubleD Advertising Limited", well that's really funny, we have got to give them that :)

So I ran it in a VM:

That is quite original! "A non-virtualized hardware system is required", of course anybody technical gets how lame this lie is :)
why would an IE toolbar "require" a "non-virtualized hardware", why would it even bother to check if it's running under a virtualized environment unless it has some illegal actions to hide?!

Well i am defiantly not going to execute it on my machine :)
Maby i will test is some other day on a real machine with Restore-IT/Ghost

In the meantime, let's take look at some of the things that it does:
It copies some IE settings from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ except for (AutoDetect and UNCAsIntranet which exist there and get modified):
ProxyBypass:1 (default 1)
IntranetName:1 (default 1)
MigrateProxy:1 (default 1)
AutoDetect:1 (default 0)
UNCAsIntranet:1 (default 0)
ProxyEnable:0 (default 0)

It sure looks like someone is going to assign a proxy for us :)

The setup process command-line:
"C:\Documents and Settings\Insider\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe" /new /src=user

the "/src=user" really sounds like there are cases which the user did not initiated the installation :) it could be used for self-update though.

Lets examine some of the the strings in the memory of this "DoubleD" software:
Well, i don't want to point a blaming finger but it seems this "legitimate smiley IE toolbar" is very interested in getting some access to our saved PuTTY SSH hosts...quite innocent

There are a lot of weird stuff this spyware does, like starting a local proxy which explains how they steal data from IE and makes this self-updating software a cool way to make a non-botnet botnet :)
It also implements an SSH client and almost every famous encryption algorithm (rinjdeal, AES, des, 3des, blowfish) looks like it does local MITM attacks to SSH login software.

So get root and Smile away with it :)