Feb 29, 2008

Big Mac

PayPal warns against using Apple's Safari:

Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer.
Perfectly valid reasoning. A couple of Mac users cannot seem to understand the suggested precaution.

In other news, Apple customer service representatives are in denial too.
I called Apple and spoke with a couple of their reps. […] The reps were incredulous about the existence of malware specifically targeting Macs. They looked up articles about it while we were on the phone — they wouldn't believe me until they looked it up for themselves.

I have a couple of friends who primarily use Mac OS X and other Apple products because of the sense of superiority that comes with it. Most of them are oblivious to the dangers. The sense of invincibility is simply a liability.

Feb 28, 2008

Revisiting OOB

I was reading the Wikipedia entry for TCP, and one thing that caught my attention was the description of Out of Band data. The verbatim description:

You are able to interrupt or abort the queued stream instead of waiting for the stream to finish. This is done by specifying the data as urgent. This will tell the receiving program to process it immediately, along with the rest of the urgent data.

When finished, TCP informs the application and resumes back to the stream queue. An example is when TCP is used for a remote login session, the user can send a keyboard sequence that interrupts or aborts the program at the other end.

These signals are most often needed when a program on the remote machine fails to operate correctly. The signals must be sent without waiting for the program to finish its current transfer.
I find the description lacking, considering that a whole chapter is dedicated to it in the book UNIX® Network Programming. Extensive discussion of Out of Band data can also be found in the book TCP/IP Illustrated.

OOB data abuse made the news back in 1997 with the DoS tool Winnuke, which affected at least Windows 95 and NT. Another OOB-related bug is CVE-1999-1214, covered in OpenBSD's advisory. And who can miss Delivering Signals for Fun and Profit, where Zalewski discussed remote exploitation of signal delivery in the case of WU-FTPD. There's also the use of OOB data for IDS evasion. Have we seen the last of OOB abuse?
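What the Wikipedia paragraph glosses over is how "out of band" actually surfaces at the socket API: the urgent byte is fetched with MSG_OOB, separately from the ordinary stream, after select() reports it in the exceptional set. This is an added example, not code from the post; it runs a sender and a receiver over loopback on an OS-chosen port and assumes default socket options (SO_OOBINLINE off).

```python
"""TCP urgent ("out of band") data as seen by a receiving application.

Added example, not from the post. Assumes loopback networking is available
and that SO_OOBINLINE is left at its default (off), so the urgent byte is
kept out of the ordinary byte stream and must be read with MSG_OOB.
"""
import select
import socket
import threading


def oob_exchange(payload=b"hello", urgent=b"!"):
    """Send `payload` normally, then one urgent byte; return what the receiver
    read on the normal path and on the out-of-band path."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def sender():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)
            # MSG_OOB sets the URG flag; the urgent pointer marks this byte.
            c.send(urgent, socket.MSG_OOB)

    t = threading.Thread(target=sender)
    t.start()
    conn, _ = srv.accept()
    conn.settimeout(5)

    # Urgent data is signalled through the exceptional-condition set of
    # select(), not through readability.
    _, _, xready = select.select([], [], [conn], 5)
    oob = conn.recv(1, socket.MSG_OOB) if xready else b""

    # The ordinary stream delivers the bytes before the urgent mark and skips
    # the urgent byte itself.
    normal = b""
    while len(normal) < len(payload):
        chunk = conn.recv(4096)
        if not chunk:                   # peer closed early
            break
        normal += chunk

    t.join()
    conn.close()
    srv.close()
    return normal, oob


if __name__ == "__main__":
    data, mark = oob_exchange()
    print("normal stream: %r   out-of-band byte: %r" % (data, mark))
```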

Feb 26, 2008

Point and Click Trojan

SharK definitely dumbs down Trojan creation; it requires no programming skill at all. It allows for the creation of malware with features such as:

  • encryption
  • polymorphism
  • custom payloads
  • virtual machine detection
  • compression
  • debugger detection
  • password mining
  • remote management
  • software inventory
  • active process and network connection information
  • capture desktop and webcam images
  • record audio
  • log keystrokes
  • analyze network traffic
  • take out the trash (not really)
Impressive set of features and capabilities. I wouldn't be surprised if signature-based detection for sharK-made malware variants is abysmal. At the moment I can't think of legitimate uses for sharK besides remote administration.

It's interesting to note that sharK has detection capabilities for sandboxes and virtual machines. The Trojan can be made to behave differently when detected running inside the following:
  • VMWare
  • Microsoft Virtual PC
  • Innotek VirtualBox
  • Symantec Altiris SVS
  • Sandboxie
  • Norman Sandbox

If you're wondering how the local neighborhood kiddie is churning out custom malware, sharK is the likely tool.

Feb 23, 2008

Posix File Capabilities

I mentioned before that suid binaries are getting scarce. In Linux, POSIX file capabilities have been implemented since 2.6.19-rc5-mm2; they were introduced into mainline in 2.6.24-rc2.

As an example let's look at the ping program. As you may know, ping needs CAP_NET_RAW to generate raw packets, and the old practice is to make the ping binary suid root. Tinyping is a small assembly version of ping.
/usr/bin $ uname -a
Linux sandbox 2.6.24.2 #5 Fri Feb 22 12:40:15 PHT 2008 i686
/usr/bin $ ls -l tinyping_suid
-rwsr-xr-x 1 root root 320 Feb 22 13:09 tinyping_suid
/usr/bin $ tinyping_suid 127.0.0.1
127.0.0.1 is alive!

Of course it works. Now a non-suid-root ping with no capabilities set.
/usr/bin $ ls -l tinyping_nocapnetraw
-rwxr-xr-x 1 root root 320 Feb 22 13:08 tinyping_nocapnetraw
/usr/bin/ $ getcap tinyping_nocapnetraw
tinyping_nocapnetraw =
/usr/bin $ tinyping_nocapnetraw 127.0.0.1
/usr/bin $

Fails silently. Now let's try a non-suid-root ping with cap_net_raw set.
/usr/bin $ ls -l tinyping_capnetraw
-rwxr-xr-x 1 root root 320 Feb 22 05:01 tinyping_capnetraw
/usr/bin $ getcap tinyping_capnetraw
tinyping_capnetraw = cap_net_raw+ep
/usr/bin $ ./tinyping_capnetraw 127.0.0.1
127.0.0.1 is alive!

It works as expected.

The capability flags are:

  • Effective Set = e
  • Permitted Set = p
  • Inheritable Set = i

To learn more about these flags and the valid capability names, check cap_from_text(3) and linux/capability.h. The user utilities are provided by libcap2.
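To make the three getcap results above concrete, here is an added example (not code from the post or from libcap) that parses the cap_from_text(3) syntax into the e/p/i sets and applies the exec-time transition from capabilities(7) for a non-root process. It assumes the 2.6.24-era model (no ambient set), a subset of the numbers in linux/capability.h, and that tinyping is not capability-aware, i.e. it simply opens a raw socket and needs CAP_NET_RAW to be effective at exec.

```python
"""Model the capability text format and the exec-time capability transition
that make "cap_net_raw+ep" work where the empty set fails.

Added example, not code from the post. Assumptions: capability numbers are a
subset of linux/capability.h; the transition formula is the one documented in
capabilities(7) for a non-root process under the 2.6.24-era model (no ambient
set); tinyping is treated as not capability-aware (it just opens a raw socket).
"""
import re

# Subset of linux/capability.h (name -> bit number), enough for the examples.
CAP_NUMBERS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_kill": 5, "cap_setuid": 7,
    "cap_net_bind_service": 10, "cap_net_admin": 12, "cap_net_raw": 13,
    "cap_sys_admin": 21,
}
ALL_CAPS = frozenset(CAP_NUMBERS)

# one clause: optional comma-separated names, then one or more op/flag groups
_CLAUSE = re.compile(r"([a-z_,]*)((?:[=+\-][epi]*)+)")


def cap_from_text(text):
    """Parse cap_from_text(3) syntax into the three sets e, p, i.

    Forms getcap prints and this accepts:
      "cap_net_raw+ep"                 add cap_net_raw to Effective and Permitted
      "cap_net_raw,cap_net_admin=eip"  '=' first clears the listed caps everywhere
      "="                              the empty set (what the post's getcap shows)
      "all=p cap_sys_admin-p"          several whitespace-separated clauses
    """
    sets = {"e": set(), "p": set(), "i": set()}
    for clause in text.split():
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError("bad clause: %r" % clause)
        names, ops = m.groups()
        caps = ALL_CAPS if names in ("", "all") else set(names.split(","))
        unknown = caps - ALL_CAPS
        if unknown:
            raise ValueError("unknown capability: %s" % ", ".join(sorted(unknown)))
        for op, flags in re.findall(r"([=+\-])([epi]*)", ops):
            if op == "=":                      # reset the caps, then set given flags
                for s in sets.values():
                    s.difference_update(caps)
            for f in flags:
                if op == "-":
                    sets[f].difference_update(caps)
                else:                          # '+' or '='
                    sets[f].update(caps)
    return sets


def exec_transition(proc_inheritable, file_caps, bounding=ALL_CAPS):
    """Capability sets of the new process after execve(), per capabilities(7):

        P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
        P'(effective)   = F(effective) ? P'(permitted) : 0
        P'(inheritable) = P(inheritable)

    F(effective) is a single bit in the file xattr; libcap shows it as the 'e'
    flag, so a non-empty 'e' set here means the bit is on.
    """
    f = cap_from_text(file_caps) if isinstance(file_caps, str) else file_caps
    permitted = (set(proc_inheritable) & f["i"]) | (f["p"] & set(bounding))
    effective = set(permitted) if f["e"] else set()
    return {"e": effective, "p": permitted, "i": set(proc_inheritable)}


def can_open_raw_socket(file_caps, proc_inheritable=frozenset()):
    """tinyping calls socket(SOCK_RAW) without raising anything itself, so it
    succeeds only if CAP_NET_RAW lands in the *effective* set at exec."""
    return "cap_net_raw" in exec_transition(proc_inheritable, file_caps)["e"]


if __name__ == "__main__":
    # The two binaries from the post plus a permitted-only variant; a suid-root
    # ping would instead receive every capability in the bounding set.
    for name, caps in [("tinyping_nocapnetraw", "="),
                       ("tinyping_capnetraw", "cap_net_raw+ep"),
                       ("permitted-only variant", "cap_net_raw+p")]:
        print("%-24s %-16s raw socket: %s" % (name, caps, can_open_raw_socket(caps)))
```

The permitted-only case is the one that bites in practice: without the e flag a program that does not call cap_set_proc() itself never becomes effective, which is why getcap shows +ep for the working binary.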

Feb 21, 2008

Post Valentine DDoS

As seen from various sources such as Arbor, Shadowserver and a couple of gambling sites, DDoS is back in the limelight. Gambling sites have been getting hit since around Valentine's Day.

I've noticed small 12-hour attacks from Feb 13-15 on a couple of gambling sites hosted here in the Philippines. I reckon the attacks are not directed at the sites I'm monitoring; they are being affected by attacks on other sites hosted by the same provider. A sample from one of them:
[graph: feb14-ddos-ph]

Another site I'm monitoring, which is hosted in Taiwan, got hit directly from Feb 18-19; it was down and is now back up. You will also notice the broken lines, which indicate it was up and down for the duration of the DDoS attack.
[graph: feb18-ddos-tw]
Attacks are a mix of spoofed and non-spoofed ICMP, UDP, TCP SYNs and HTTP GETs. DDoS really is the greatest threat to the online gambling industry, and yes, it won't go away anytime soon.

Feb 20, 2008

No credit = exploit

Because Microsoft refused to credit the researcher who reported MS08-011/CVE-2008-0108, a corresponding exploit was publicly released. A person or group going by the name chujwamwdupe posted the exploit to Full-Disclosure.

Unfortunately, Microsoft has refused to credit you using the name you requested.

I think there's a mix-up in the iDefense Labs advisory, unless sillypea is chujwamwdupe. The CREDIT section says:
This vulnerability was reported to VeriSign iDefense by sillypea.

The acknowledgments in the Microsoft bulletin say:
VeriSign iDefense VCP for reporting the Microsoft Works Converter Overrun Vulnerability (CVE-2008-0108).

Microsoft flagged the pseudonym as offensive. This is similar to what happened when Manuel Santamarina Suarez aka FistFuXXer reported MS06-059/CVE-2006-2387; they had to drop FistFuXXer from the bulletin.

I wonder what the Polish word chujwamwdupe really means?

Feb 18, 2008

Top 10 Podcast Episodes

Over the years I have compiled my favorite security podcast episodes. Here is my list of the top ten shows; most of these episodes are interviews. Here they are, in no particular order:

  1. The Silver Bullet Security Podcast, Show 013 - An Interview with Ross Anderson
    Gary McGraw interviews Ross Anderson, author of the book Security Engineering. He is one of the researchers in the Security Group at the University of Cambridge Computer Laboratory, which has a blog that I check regularly called Light Blue Touchpaper.

    Gary and Ross talk about the book, the economics of information security, Ben Edelman's paper, disclosure and RFID MITM attacks.

  2. The Silver Bullet Security Podcast, Show 016 - An Interview with Greg Hoglund
    Gary interviews Greg Hoglund, author of Exploiting Software, Rootkits and Exploiting Online Games. In fact Gary McGraw co-authored the first and third books mentioned.

    They talk about reverse engineering, disclosure, rootkits, EULAs, exploiting software and cheating online games.

  3. SploitCast Podcast #008
    Guest Victor Oppleman, author of Extreme Exploits, discusses the RADB, ISP attacks, darknets, uRPF, botnets, DDoS, DNS attacks and tools.

    I originally wanted to feature a ThreatCast interview with Barrett Lyon, founder of Prolexic, but I think this interview with Victor covers more ground, not just DDoS attacks.

  4. SploitCast Podcast #016
    The host interviews Dino Dai Zovi, discussing the fascinating topic of virtual machine rootkits, OS X security, wifi attacks, vulnerability development, disclosure and Microsoft security.

  5. StillSecure, After all these years, Podcast #47 - Web application security with RSnake and Jeremiah
    Alan and Mitchell interview Robert "RSnake" Hansen of ha.ckers.org, founder of SecTheory, and Jeremiah Grossman, founder and CTO of Whitehat Security. Of course they discussed application security, and of course focused more on web application security.

  6. ThreatCast - Great debate podcast : NAC v SNF
    Alan Shimel, Chris Hoff, Richard Stiennon and Mike Rothman debate NAC, Network Admission Control. Bullshit was thrown, heads rolled and no conclusions were reached.

  7. Security Now 91: Marc Maiffret of eEye Digital Security
    Leo and Steve interview Marc Maiffret. Marc talks about how he got started with security, Windows and Mac OS X security, 0days, vulnerability development, client side attacks and eEye's products.

  8. McAfee AudioParasitics Episode 17
    Jim and Dave are joined by Dave Aitel of Immunity. Dave Aitel talks about his stint at @stake, Immunity products, mobile devices, penetration testing, virtualization, vulnerability development and malware.

  9. McAfee AudioParasitics Episode 19
    McAfee AudioParasitics Episode 20
    This two-part show features guests Rafal Wojtczuk and Rahul Kashyap. The hosts and the guests talk about malware on virtual machines and virtualization security in general.

  10. PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 1
    PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 2
    Larry and Paul interview Mike Poor and Ed Skoudis. They talk about their first computers, how they got started in security, SANS, ISC, botnets, malware, Brazilian hacker groups, physical NOP sleds, research and security in general.

Listen to these podcasts while they're still online and most of the topics discussed aren't stale yet.

Feb 16, 2008

OpenDNS proxying

An old issue, but new to me. Their supposed reason for doing this is ridiculous.

$ dig @resolver1.opendns.com www.google.com

; <<>> DiG 9.4.1-P1 <<>> @resolver1.opendns.com www.google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3375
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.216.230
google.navigation.opendns.com. 30 IN A 208.67.216.231

;; Query time: 336 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Feb 16 17:36:09 2008
;; MSG SIZE rcvd: 104

No official statement from OpenDNS on why they continue doing this. I wonder what other CNAMEs they are spoofing. I call shenanigans on OpenDNS. I've stopped using and recommending them.
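A check for exactly the kind of answer shown above, as an added example that is not part of the post: parse dig output, follow the CNAME chain, and flag any hop whose target leaves the queried name's zone, then compare the final addresses against a second resolver. DIG_OPENDNS is the dig output quoted in the post; DIG_CLEAN is a constructed answer (TEST-NET address) standing in for an honest resolver; the zone comparison uses the last two labels as a rough stand-in for the registrable domain, since there is no public suffix list here.

```python
"""Detect resolver-side CNAME rewriting in dig output.

Added example, not from the post. DIG_OPENDNS is copied from the post;
DIG_CLEAN is constructed (192.0.2.0/24 is TEST-NET). zone_of() approximates
the registrable domain with the last two labels; a real check would use a
public suffix list.
"""

DIG_OPENDNS = """\
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.216.230
google.navigation.opendns.com. 30 IN A 208.67.216.231
"""

DIG_CLEAN = """\
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 300 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 192.0.2.10
"""


def parse_dig(text):
    """Return (qname, records) where each record is (owner, ttl, type, rdata)."""
    qname, records, section = None, [], None
    for line in text.splitlines():
        if line.startswith(";;"):            # ';; QUESTION SECTION:' and friends
            section = ("q" if "QUESTION SECTION" in line
                       else "a" if "ANSWER SECTION" in line else None)
        elif not line.strip():
            continue
        elif section == "q" and line.startswith(";"):
            qname = line[1:].split()[0].lower()
        elif section == "a":
            owner, ttl, _klass, rtype, rdata = line.split(None, 4)
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    if qname is None:
        raise ValueError("no QUESTION SECTION found")
    return qname, records


def zone_of(name):
    """Rough registrable-domain heuristic: the last two labels."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def resolve_chain(text):
    """Follow CNAMEs from the queried name; return (final name, sorted A rdata)."""
    qname, records = parse_dig(text)
    name, seen = qname, set()
    while name not in seen:                  # 'seen' guards against CNAME loops
        seen.add(name)
        nxt = [r[3] for r in records if r[0] == name and r[2] == "CNAME"]
        if not nxt:
            break
        name = nxt[0]
    return name, sorted(r[3] for r in records if r[0] == name and r[2] == "A")


def foreign_cnames(text):
    """CNAME hops whose target lies outside the queried name's zone. This is
    the signature of resolver-side redirection, but also of legitimate CDNs,
    so a hit means 'compare with another resolver', not 'proven tampering'."""
    qname, records = parse_dig(text)
    return [(owner, rdata) for owner, _ttl, rtype, rdata in records
            if rtype == "CNAME" and zone_of(rdata) != zone_of(qname)]


def answers_differ(text_a, text_b):
    """True when two resolvers hand back different final address sets."""
    return resolve_chain(text_a)[1] != resolve_chain(text_b)[1]


if __name__ == "__main__":
    print("suspicious hops:", foreign_cnames(DIG_OPENDNS))
    print("final answer:   ", resolve_chain(DIG_OPENDNS))
    print("differs from clean resolver:", answers_differ(DIG_OPENDNS, DIG_CLEAN))
```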

Coredumps

I noticed a design error similar to CVE-2007-6206 in DragonFly BSD. It is reported that OpenBSD and FreeBSD exhibit the same issue.

My suggested patch:

--- kern_sig.c  2008-02-14 13:41:12.000000000 +0800
+++ kern_sig-20080216.c 2008-02-16 01:15:01.000000000 +0800
@@ -2066,6 +2066,12 @@ coredump(struct lwp *lp, int sig)
goto out1;
}

+ /* Don't dump to files current user does not own */
+ if (vattr.va_uid != p->p_ucred->cr_uid) {
+ error = EFAULT;
+ goto out1;
+ }
+
VATTR_NULL(&vattr);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
vattr.va_size = 0;
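
Review bot: the ownership test `if (vattr.va_uid != p->p_ucred->cr_uid)` reads vattr just before the `VATTR_NULL(&vattr)` that resets it, so it depends on vattr having been filled by a getattr earlier in coredump() that is outside this hunk; confirm that lookup runs on every path that reaches this point, otherwise the comparison is against stale or uninitialised data. The error code is also worth a second look: `error = EFAULT` describes a bad address, while this is a refusal on ownership grounds, for which EPERM (or EACCES) is the conventional choice and what log readers will expect. The comment could state what is being prevented (dumping into a file the process's owner does not own) rather than just restating the condition.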

A DragonFly BSD developer asked me whether they should instead remove the file and recreate it, so that the new file is owned by root. In my opinion checking for ownership is better and safer: it avoids other possible bugs, e.g. being allowed to read files you don't own but which reside in a directory you own. I also find my fix more compact.

By the way, as seen in my patch, we wouldn't want to hard-code != 0, because DragonFly may implement a type enforcement system or authorization framework in the near future.

Feb 13, 2008

Have you seen her?

If you ask me, I have seen her countless times. I don't know her name, and maybe she doesn't know she's very popular. If you don't know what I'm talking about, read up on domaining and click fraud.

Domaining is the business of acquiring domains for no actual use besides generating revenue through pay-per-click advertisements. Generic domains and domains that have been deleted but still retain substantial traffic are commonly abused. Revenue from pay-per-click advertising is seen as an incentive for click fraud.

I recently performed a DNS lookup on a particular website I wanted to visit, which is now used for pay-per-click advertising. I don't know if it's been sniped or kited, or if it's not really the URL of SABAGsecurity.

$ dig @8.15.231.113 sabagsecurity.com

; <<>> DiG 9.4.1-P1 <<>> @8.15.231.113 sabagsecurity.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22644
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sabagsecurity.com. IN A

;; ANSWER SECTION:
sabagsecurity.com. 3600 IN A 8.15.231.100

;; Query time: 260 msec
;; SERVER: 8.15.231.113#53(8.15.231.113)
;; WHEN: Wed Feb 13 16:46:16 2008
;; MSG SIZE rcvd: 51

Besides hotelcasadeplaya.net, 0-360.net, 00products.com and sabagsecurity.com, her sweet smile is featured on another 11,526 domains on that IP alone, disregarding the wildcard DNS records.

Feb 12, 2008

KERNEXEC vs CVE-2008-0600

Besides ensuring that no untrusted user can execute arbitrary files, via access control, rudimentary Unix permissions and TPE (Trusted Path Execution), PaX is effective in defeating some kernel exploits.

PaX KERNEXEC is enough to mitigate the recently disclosed vmsplice() vulnerability, specifically CVE-2008-0600. The exploit is reported to work on kernels since Linux 2.6.17.

Here's the exploit run on 2.6.24.1 (screenshot).

I patched the kernel with PaX without Grsec and activated the following:

  • CONFIG_PAX
  • CONFIG_PAX_NOEXEC
  • CONFIG_PAX_KERNEXEC

Now the exploit run on 2.6.24.1-PaX (screenshot).

Thanks to the PaX Team.

Feb 11, 2008

Reliable root since 2006

A couple of advisories detailing local privilege escalation vulnerabilities in the Linux kernel have been published. The CVE entries for these vulnerabilities are:

  • CVE-2008-0009
  • CVE-2008-0010
  • CVE-2008-0600

Both CVE-2008-0009 and CVE-2008-0010 were fixed upstream on February 8 with the following commit message:
splice: missing user pointer access verification
vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.

There's a public exploit for CVE-2008-0010. Below is the fix from the Linux tree. The first hunk applies to CVE-2008-0010 and the second to CVE-2008-0009:
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst
{
int partial;

+ if (!access_ok(VERIFY_READ, src, n))
+ return -EFAULT;
+
pagefault_disable();
partial = __copy_from_user_inatomic(dst, src, n);
pagefault_enable();
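
Review bot: the new `access_ok(VERIFY_READ, src, n)` is needed here because `__copy_from_user_inatomic()` two lines below is the unchecked variant and performs no range validation of its own, unlike copy_from_user(); the early `return -EFAULT` is the right result for a copy failure. A one-line comment saying the check is deliberately taken before `pagefault_disable()` because of the inatomic copy would save the next reader from wondering why it was not folded into the copy call.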
@@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file
break;
}

+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ error = -EFAULT;
+ break;
+ }
+
sd.len = 0;
sd.total_len = len;
sd.flags = flags;
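
Review bot: the `access_ok(VERIFY_WRITE, base, len)` check sits inside the per-iovec loop and exits with `error = -EFAULT; break;`, the same break-out pattern as the check just above it in the hunk, so a bad entry stops processing part-way through the array. Make sure the code after the loop distinguishes "nothing copied, return -EFAULT" from "some iovecs already written, return the partial count", since both cases leave the loop the same way. `unlikely()` matches the surrounding style.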

CVE-2008-0600 was fixed upstream on February 10 with a commit message of:
splice: fix user pointer access in get_iovec_page_array()

Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added the proper access_ok() calls to
copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
from userspace to the kernel.

But we also must check whether we can access the actual memory region
pointed to by the struct iovec to fix the access checks properly.

The upstream fix:
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
if (unlikely(!len))
break;
error = -EFAULT;
- if (unlikely(!base))
+ if (!access_ok(VERIFY_READ, base, len))
break;

/*
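
Review bot: swapping `if (unlikely(!base))` for `if (!access_ok(VERIFY_READ, base, len))` widens the test from a NULL check to the whole [base, base+len) range, which is the actual fix; the `error = -EFAULT` set on the line above still applies on the break. Two small points: the replacement line drops the `unlikely()` hint while the neighbouring `if (unlikely(!len))` keeps it, so keep it for consistency; and since that `!len` check breaks first, access_ok() is never called with a zero length here, which is worth a short comment because access_ok()'s behaviour on an empty range is easy to misremember.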

There's also a public exploit for this issue.

Linux 2.6.24.1, which was released on 2008-02-08 20:25 UTC, fixes CVE-2008-0009 and CVE-2008-0010 only. In short, CVE-2008-0009 and CVE-2008-0010 affect 2.6.23-2.6.24 and CVE-2008-0600 affects 2.6.17-2.6.24.1.

A little background on vmsplice(2). Along with splice(2) and tee(2), vmsplice(2) was introduced for public consumption in Linux 2.6.17. The splice I/O method was implemented by Jens Axboe.
VMSPLICE(2)                Linux Programmer's Manual               VMSPLICE(2)

NAME
vmsplice - splice user pages into a pipe

...

VERSIONS
The vmsplice() system call first appeared in Linux 2.6.17.
...

Linux 2006-04-28 VMSPLICE(2)

This means we have had at least one unknown, exploitable privilege escalation vulnerability since June 2006. This vulnerability is possibly what was used to obtain root in the recent mysterious compromises.

We can assume that the bad guys are hoarding more of these frightful bugs. So how can you protect against these vulnerabilities? Obtaining an underprivileged shell is said to be easy because of insecure web applications and easily guessed SSH passwords. A properly configured access control system, or not allowing untrusted users to run executables from their writable directories, comes to mind.

Feb 9, 2008

Amateur Malware Analysis

A friend asked me to check his USB drive because it was not working. I attached it to my notebook and mounted it. It seemed fine: I could access his files, plus a bonus suspicious executable with a blurry folder icon. Apparently the USB port he was attaching the drive to was not working. I copied the executable and the autorun.ini from his drive.

It's a Saturday evening and I have some time to spare, so I check out the suspected malware. Here I take a shot at malware analysis.

The autorun.ini is obvious:

[Autorun]
Open=scvhost.exe
Shellexecute=scvhost.exe
Shell\Open\command=scvhost.exe
Shell=Open

Uploaded scvhost.exe to Jotti's malware scan.

Uploaded it to Norman Sandbox but it does not show any helpful information.
[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: DLoader.EGQI
* Compressed: YES
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK

[ General information ]
* Decompressing UPX3.
* File length: 225792 bytes.
* MD5 hash: 24fcddb3010f0dc16079af055a9970f0.

I tried to decompress it using UPX, but it seems to be intentionally corrupted or compressed with UPOLYX.
$ upx-3.02-i386_linux/upx  -d scvhost.exe 
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.02 Markus Oberhumer, Laszlo Molnar & John Reiser Dec 16th 2007

File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: scvhost.exe: NotPackedException: not packed by UPX

Unpacked 0 files.

The uncompressed part of the executable reveals a couple of details. Looks like it was scripted with AutoIT.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
type="win32"
processorArchitecture="*"
version="3.0.0.0"
name="AutoIt3"
/>

For dynamic analysis I used Sandboxie. The files it creates:
  • C:\WINDOWS\himhem.scr
  • C:\WINDOWS\scvhost.exe
  • C:\WINDOWS\system32\autorun.ini
  • C:\WINDOWS\system32\blastclnnn.exe
  • C:\WINDOWS\system32\scvhost.exe

Based on the created files this is a variant of W32.Blastclan.

It also creates these registry entries:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "C:\WINDOWS\system32\scvhost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "X"

I don't know why the Shell is set to X; probably because it can't fetch a configuration file.

I dumped the malware's memory and found some interesting strings like this command for a scheduled run:
/C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe

I also saw a reference to IsDebuggerPresent which checks for a user-mode debugger.

I ran a sniffer to watch the malware's network traffic. It tries to fetch these files:
  • http://setting3.yeahost.com/setting.xls
  • http://setting3.9999mb.com/setting.xls
  • http://setting3.9999mb.com/setting.doc
  • http://www.freewebs.com/setting3/setting.doc
Those are offline now.

Unfortunately I do not have a valid configuration for the malware, so I can't analyse it further. Scouring the anti-malware sites, this worm seems to have several variants. Good evening.

Feb 6, 2008

Cheating the cheaters

Web application security has a simple rule: "Never trust user input". This applies not only to applications but also to games. Flash games are hard to secure and make cheat-proof; it's like creating a JavaScript game and trusting the results it reports. You should also take care of how the results are entered into your system.

AkoModelo is a Filipino social networking website similar to MySpace, Facebook and Friendster. To promote the website they run contests; in late December they had CAM-GIRL.

1. Command Cam-Girl to do things you want by typing in the command in the text box.
2. If your command is valid, Cam-Girl will perform for you!
3. Have fun and try to find all commands!

I played with it for a while as an unregistered user. A certain jhesqi had 90 points at that time. Getting a legitimate 100 points would be next to impossible, so 90 points is a bit fishy. It's difficult because some commands are phrases and use both English and Filipino words/slang. Later I played as a registered user with the username borat. I noticed that some commands are word variations of those in the trial.

Of course I watched the HTTP requests.
GET /cam_girl/bg.jpg
GET /cam_girl/camgirl_final_secure.swf
GET /cam_girl/ranking2.asp
GET /cam_girl/user_score.asp
GET /cam_girl/0.flv
GET /cam_girl/idle.flv
GET /cam_girl/user_score.asp
GET /cam_girl/correct.mp3
GET /cam_girl/ranking2.asp
GET /cam_girl/29.flv
GET /cam_girl/user_update.asp?vid=vid25&score=1
GET /cam_girl/ranking2.asp
GET /cam_girl/user_score.asp

The flow should be clear and the script names are self-explanatory.
  1. Check/show ranking
  2. Check/show user's score
  3. If command is valid play correct.mp3
  4. Show corresponding Flash video
  5. Update user's score!
  6. Repeat

As cheaters we are interested in padding our score. This HTTP GET request is of utmost interest:
GET /cam_girl/user_update.asp?vid=vid25&score=1
Yes, an HTTP GET; we don't even need to craft custom POST requests. The parameters are a dead giveaway: vid is the Flash video to play and score is the current score. So the request below would easily gain us 100 points:
GET /cam_girl/user_update.asp?vid=vid26&score=100
The script logic is silly: you can change your score arbitrarily, e.g. jump to 90 and then to 1. Without looking at the SWF file we could instantly win, but we won't settle for that. I also want to see the videos.

This Flash game has two versions each with a different SWF file. I downloaded both locally for offline viewing.
  • http://www.akomodelo.com/cam_girl/camgirl_trial.swf
  • http://www.akomodelo.com/cam_girl/camgirl_final_secure.swf

The camgirl_trial.swf is for unregistered users and camgirl_final_secure.swf is for registered users. Inside the SWF file are the commands, yes, hard-coded. Here is the CSV-formatted answers.txt file of the commands. The fields, in order, are:
  • Command
  • FLV file
  • Command number
  • Other possible commands

If you look at the CSV or the SWF file dump you won't see command numbers 15 and 27, which means it is not possible to get more than 98 points, or 56 commands. This contest is a scam because it is not possible to legitimately get all 58 commands. These are the two commands that are in camgirl_trial.swf but not in camgirl_final_secure.swf:
'laugh', '31.flv', '27', 'tawa'
'electrocute again', '18.flv', '15', 'makuryente ulit', 'makuryente ka ulit'

I guided Cam-Girl through all possible commands, getting 98 points. Later jhesqi got 99 points. I checked camgirl_final_secure.swf for changes, but there were no updates, so the highest possible score is still 98 points. Obviously he or she is using the HTTP GET request to pad the score, or is updating the system directly. We cheat the cheaters by using the HTTP GET method:
request: GET /cam_girl/user_update.asp?vid=vid27&score=99
output: Newrank=2&Oldrank=2&score=99&rank=0&Newrank=2
request: GET /cam_girl/user_update.asp?vid=vid15&score=100
output: Newrank=1&Oldrank=2&score=100&rank=1&Newrank=1

In a shallow way I demonstrated why you should never trust user input and client-side results. Thanks to AkoModelo for the fun promotional scam. Where's my prize? :-p.
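The user_update.asp flow described in this post, modelled beside a server-side alternative that keeps the answer table and the score on the server, as an added example that is not AkoModelo's code. The 'laugh' and 'electrocute again' rows are the two quoted above from answers.txt; the 'wave' entry is constructed.

```python
"""Client-reported score versus server-owned score.

Added example, not AkoModelo's code. COMMANDS holds the two answers.txt rows
quoted in the post plus one constructed entry ("wave").
"""


def normalize(phrase):
    """Case- and whitespace-insensitive matching of what the player typed."""
    return " ".join(phrase.lower().split())


# command text -> (FLV file, command number, other accepted phrasings)
COMMANDS = {
    "laugh": ("31.flv", 27, ("tawa",)),
    "electrocute again": ("18.flv", 15, ("makuryente ulit", "makuryente ka ulit")),
    "wave": ("0.flv", 1, ()),          # constructed entry
}


class VulnerableScoreboard:
    """Models the observed flow: the client reports its own score via
    GET /cam_girl/user_update.asp?vid=vidNN&score=N and the server stores it."""

    def __init__(self):
        self.scores = {}

    def user_update(self, user, params):
        # The SWF is the only thing that validated the command; the server
        # simply believes 'score' and never checks 'vid' against anything.
        self.scores[user] = int(params["score"])
        return self.scores[user]


class HardenedScoreboard:
    """The server owns the answer table and the per-user set of solved
    commands; the client only ever sends the phrase it typed, and the
    answers never leave the server, so there is nothing to dump from a SWF."""

    def __init__(self):
        self._lookup = {}
        for text, (flv, num, aliases) in COMMANDS.items():
            for phrase in (text,) + aliases:
                self._lookup[normalize(phrase)] = (num, flv)
        self._solved = {}               # user -> set of command numbers

    def command(self, user, phrase):
        hit = self._lookup.get(normalize(phrase))
        if hit is None:
            return {"ok": False, "score": self.score(user)}
        num, flv = hit
        # a set makes replaying the same command a no-op
        self._solved.setdefault(user, set()).add(num)
        return {"ok": True, "flv": flv, "score": self.score(user)}

    def score(self, user):
        return len(self._solved.get(user, ()))

    @staticmethod
    def max_score():
        # the ceiling is a property of the table, not of what a client claims
        return len(COMMANDS)


if __name__ == "__main__":
    v = VulnerableScoreboard()
    print("vulnerable:", v.user_update("jhesqi", {"vid": "vid26", "score": "100"}))
    h = HardenedScoreboard()
    for typed in ("tawa", "LAUGH", "makuryente ka ulit", "dance"):
        print("hardened %-20r ->" % typed, h.command("borat", typed))
```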

Feb 4, 2008

NetBSD security features

The last NetBSD release I used was 3.0. Since then a couple of security mechanisms have been implemented and improved. In the recently released NetBSD 4.0 these are:

  • kauth
  • PaX mprotect
  • fileassoc

The kernel authorization framework, or simply kauth(9), first appeared in Mac OS X 10.4 Tiger and was later adapted by NetBSD. It was designed to implement access control lists (ACL). With kauth(9) you can create security models using secmodel(9). Together they function similarly to other pluggable security frameworks like Linux Security Modules (LSM).

NetBSD has implemented mprotect(2) restrictions based on PaX. As you may know, PaX is the most effective protection against a wide range of attacks such as code injection, ret-to-libc and memory corruption. Enforcing non-executable memory pages without restricting mprotect(2) is considered risky, because an attacker can ret-to-mprotect(2) after injecting code, bypassing the so-called NX protection.

The fileassoc(9) Kernel Programming Interface is a file system independent interface for uniquely identifying files. A proactive Tripwire-like monitor can be implemented using fileassoc(9) via Veriexec.

These in-kernel or built-in security features are really useful and cool. Thanks to Elad Efrat's initiative we can take advantage of effective security mechanisms in this great operating system. Looking forward to additional security features, and especially a complete PaX implementation.

I also applaud their removal of Sendmail. Quoting Christos Zoulas in the Ars Technica interview:
Sendmail has been, is, and will be a security accident waiting to happen (unless it is rewritten from the ground up with security consciousness). Performing character pointer gymnastics in 50-100 line loops does not create any warm and fuzzy feelings for me. To top this off, most sendmail security issues are marked as confidential, and we are prevented from fixing or mentioning the problem until the ban is lifted. The last time this happened, we said "enough" and removed it altogether before the ban for that particular security issue was lifted.
Now we can say "Of course it runs a secure NetBSD."

Feb 2, 2008

Tongits is in the AIR

Somebody made a card game that runs on Adobe AIR. Tongits is a popular card game played as a pastime and also for gambling here in the Philippines. It is played like Mahjong, with card rules similar to poker.

What is the Adobe Integrated Runtime?

Adobe® AIR™ lets developers use their existing web development skills in HTML, AJAX, Flash and Flex to build and deploy rich Internet applications to the desktop.
More information is at the AIR developer FAQ. According to the FAQ, AIR APIs are only exposed to Flash content via ActionScript 3/AVM2. This means it requires Flash version 9, with those nifty features like network sockets.

Installed AIR and downloaded the game installer; aptly, the file extension is .air. The package can easily be unzipped.
$ unzip -l Tongits.air 
Archive: Tongits.air
Length Date Time Name
-------- ---- ---- ----
59 01-24-08 11:43 mimetype
5601 01-24-08 11:42 META-INF/AIR/application.xml
32 01-24-08 11:43 META-INF/AIR/hash
16931 01-02-08 01:09 icons/128x128.png
3272 01-02-08 01:09 icons/16x16.png
4227 01-02-08 01:09 icons/32x32.png
5545 01-02-08 01:09 icons/48x48.png
2558544 01-24-08 11:42 Tongits.swf
3311 01-24-08 11:43 META-INF/signatures.xml
-------- -------
2597522 9 files
No executable in sight, only a SWF file. Looks like AIR is an uber Flash player. Double-clicked on the .air package.
File system and network access. That's Adobe for you, bringing the Web into the desktop.

Installed the game and the files found their way into C:\Program Files\Tongits. Interestingly, a new executable, Tongits.exe with the game logo, accompanies the rest of the files from the package.

Loaded the binary into OllyDbg. Looks like it was compiled with Visual C++. Saw nothing specific to the game, just a bunch of checks for command line options (-runtime/-stdio), registry entries and whether AIR is installed. I thought it must be a generic executable to invoke AIR; generating custom executables for each AIR application would be tricky and useless. I confirmed it after I found template.exe, which contains the same assembly instructions as Tongits.exe. The binary template.exe is located in the AIR directory C:\Program Files\Common Files\Adobe AIR\Versions\1.0.6.

Stripped all the icon resources from Tongits.exe and I am down to the same size (6144 bytes) as template.exe. Copied template.exe over to C:\Program Files\Tongits and ran it. As expected, it loaded the game just fine. Apparently the AIR installer just embeds the icon into template.exe and places it alongside the rest of the package files.

I did not see any registry entry specific to the game but it has files in C:\Documents and Settings\root\Application Data\Adobe\AIR\ELS\Tongits.[publisherid]:
PrivateEncryptedData
PrivateEncryptedDatai
PrivateEncryptedDatak
PrivateEncryptedDatav

The publisherid is the same as C:\Program Files\Tongits\META-INF\AIR\publisherid and in the installer package. For this game it is FEEDC458623E9216D3707124DB15BAAB6C08489C.1.

The game only has 10 trial runs before it becomes crippled. You have to buy a key if you want to play seriously.

removed... requested by game author

When registering the game, the files in C:\Documents and Settings\root\Application Data\Adobe\AIR\ELS\Tongits.FEEDC458623E9216D3707124DB15BAAB6C08489C.1 got updated. I figured this is where the registration and game info is saved.

Confirmed by backing up the directory, deleting it and running the game again: I was given another 10 trial uses. Copied it back from the backup and I was registered again. Unfortunately for the game author, it is hard to come up with pirate-proof registration schemes.

AIR is bringing Web something.0 technologies to the desktop. I think Mozilla has something similar, XULRunner. Desktop applications are not dead after all. By the way, I prefer the cool guys at AdobeAir.