June 30th, 2007 by kowsik
Yeah, I just watched the movie. Yippie Kah Yay, for sure. Nokia phones are sure handy. :-) As much as I love Matrix, which seemed a little far out with the nmap scan and the SSH CRC32 exploit, this one had a reasonable amount of plausibility. A SCADA device and a printer are not too far apart in terms of the services they offer over IP. These devices have protocols like ARP, IP, TCP, UDP, SNMP, FTP (warez on a voltage regulator anyone?), HTTP, etc. and yes they do have vulnerabilities. It has a lot to do with the Network Effect. While the utility and the value of the connected systems grows (for sure) with the number of systems connected, so does the attack surface, the complexity, the unknowns and the risks. Quoting Bruce Schneier, “Machines break, Systems have bugs”. Once you are on the network, it’s fair game for anyone to reach out to you.
Posted in Rants
May 9th, 2007 by kowsik
I looked around and couldn’t find a pure-ruby implementation of Diffie-Hellman key exchange. Diffie-Hellman key exchange is a nifty way to end up with the same shared secret between Alice and Bob without ever sending the secret key to the other side. It’s used in ISAKMP, SSH and a host of other crypto-based protocols. The code for Diffie-Hellman in Ruby is unbelievably terse to the point you wonder if you actually got it working right. Two things come in handy: Ruby has open classes that you can extend and Ruby has built-in Bignum support. Integers don’t overflow in Ruby, they just keep expanding.
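As an added illustration (not the post's own code), here is the exchange in pure Ruby: Integer never overflows and Integer#pow(exp, mod) does modular exponentiation, so each side needs one exponentiation to publish a value and one to derive the secret. The 256-bit safe prime is generated with OpenSSL::BN.generate_prime purely to keep the example self-contained; real use takes a published group such as the RFC 3526 MODP groups.

```ruby
require 'securerandom'
require 'openssl'   # used only to generate a toy safe prime below

# Added example, not the post's code. Real deployments use a published
# group (e.g. RFC 3526 MODP groups); a 256-bit safe prime p = 2q + 1 is
# generated here only to keep the example self-contained and fast.
# The exchange itself uses nothing but Ruby's arbitrary-precision Integer.
DH_P = OpenSSL::BN.generate_prime(256, true).to_i
DH_G = 2   # for a safe prime, 2 has order q or 2q: no small subgroup

class DHParty
  attr_reader :public_value

  def initialize(p = DH_P, g = DH_G)
    @p, @g = p, g
    @x = 2 + SecureRandom.random_number(p - 3)   # private exponent in [2, p-2]
    # Integer#pow(exp, mod) does modular exponentiation without ever
    # building the full power, and Integers never overflow.
    @public_value = g.pow(@x, p)
  end

  # Derive the shared secret from the peer's public value. 0, 1 and p-1
  # are rejected: they lie in trivial subgroups, so the result would be
  # one of a handful of values no matter what @x is.
  def shared_secret(peer_public)
    unless peer_public.is_a?(Integer) && peer_public > 1 && peer_public < @p - 1
      raise ArgumentError, 'peer public value outside (1, p-1)'
    end
    peer_public.pow(@x, @p)
  end
end

# One complete Alice/Bob exchange; reports whether both derived the same key.
def dh_exchange(p = DH_P, g = DH_G)
  alice = DHParty.new(p, g)
  bob   = DHParty.new(p, g)
  k_a = alice.shared_secret(bob.public_value)
  k_b = bob.shared_secret(alice.public_value)
  { agree: k_a == k_b, secret: k_a }
end
```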
Posted in Ruby, Tools
May 2nd, 2007 by Gavin Heer
We have created a patch for Wireshark that allows it to dissect MMS (Manufacturing Messaging Specification) PDUs when transported over COTP/TPKT. Previously, Wireshark only dissected the protocol when the OSI session and presentation layers were present. This patch adds COTP as a heuristic dissector for MMS. Be sure to enable ‘try heuristics sub-dissectors first’ in the TCP options as well as fragmentation assembly for TPKT and COTP.
USAGE:
The patch was submitted to Wireshark and was added to trunk (with some small changes made by the Wireshark team). You can either download the latest development release from Wireshark (recommended) or download the latest stable release and apply the patch.
download mms_patch.txt
Posted in C++, C, Tools
April 20th, 2007 by kowsik
The Mu Security Research Team released advisory “MU-200704-01” today. Details:
http://labs.musecurity.com/advisories/MU-200704-01.txt
Posted in Advisories
April 20th, 2007 by Adam Bozanich
We have added some options to the Tomahawk network testing tool that allow testing of routed networks.
Consider the following topology (A1 and A2 are network interfaces on a box running Tomahawk):
[A1] +----------+
                |
                | ip = 192.168.1.254
                | mac = aa:aa:aa:aa:aa:aa
                |
             [ DUT ]
                |
                | mac = bb:bb:bb:bb:bb:bb
                | ip = 10.0.0.1
                |
[A2] +----------+
When replaying an IP conversation, packets coming from A1 destined for A2 must carry a destination IP address within the subnet that contains A2 (10.0.0.0) and the destination MAC address of the router interface that is on the same network as A1 (aa:aa:aa:aa:aa:aa).
We have added 4 options to Tomahawk to enable testing in this scenario. In the descriptions below, “client” and “server” refer to the interfaces specified by the -I and -J Tomahawk options respectively (and the examples assume “-I A1 -J A2”).
-x — Client side mac address of router ( aa:aa:aa:aa:aa:aa )
-y — Server side mac address of router ( bb:bb:bb:bb:bb:bb )
-X — Client side subnet ( 192.168.0.0 )
-Y — Server side subnet ( 10.0.0.0 )
The -X and -Y options use only the two most significant bytes of the given subnet when rewriting the packet IP addresses.
USAGE:
Apply patch and build:
download tomahawk
download tomahawk.patch
tar -xvf tomahawk1.1.tar
cd tomahawk1.1
patch -p1 < ../tomahawk_patch.txt
Then build tomahawk as normal.
Example:
tomahawk -i eth0 -j eth1 -x aa:aa:aa:aa:aa:aa -y bb:bb:bb:bb:bb:bb -X 10.0.0.0 -Y 192.168.0.0 -l 1 -f test.pcap
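To make the rewrite rule concrete, here is an added Ruby example (not Tomahawk's code, which is C) that applies the client-to-server transformation the -x and -Y options describe to one constructed Ethernet/IPv4 frame: the destination MAC becomes the router's client-side MAC, only the two most significant bytes of the destination IP are replaced by the server subnet prefix, and the IP header checksum is recomputed. The server-to-client direction uses -y and -X the same way; all addresses below are constructed test values.

```ruby
ETH_HDR = 14  # Ethernet header length; the IPv4 header follows it

def mac_bytes(str)
  str.split(':').map { |h| h.to_i(16) }.pack('C*')
end

def ip_bytes(str)
  str.split('.').map(&:to_i).pack('C*')
end

# RFC 1071 one's-complement checksum over an IPv4 header.
def ipv4_checksum(hdr)
  sum = hdr.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  (~sum) & 0xffff
end

# Constructed UDP/IPv4-over-Ethernet frame (headers only, no payload) used
# as sample input; every address is an arbitrary test value.
def build_frame(dst_mac, src_mac, src_ip, dst_ip)
  # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum
  ip = [0x45, 0, 20, 0, 0, 64, 17, 0].pack('CCnnnCCn') + ip_bytes(src_ip) + ip_bytes(dst_ip)
  ip[10, 2] = [ipv4_checksum(ip)].pack('n')
  mac_bytes(dst_mac) + mac_bytes(src_mac) + [0x0800].pack('n') + ip
end

# Rewrite a client->server frame the way the -x/-Y options describe:
#   destination MAC := router's client-side interface (-x)
#   destination IP  := first two octets of the server subnet (-Y),
#                      low two octets kept from the original packet
def rewrite_client_to_server(frame, router_mac, server_subnet)
  out = frame.dup
  out[0, 6] = mac_bytes(router_mac)
  ihl = (out.getbyte(ETH_HDR) & 0x0f) * 4
  ip = out[ETH_HDR, ihl]
  ip[16, 2] = ip_bytes(server_subnet)[0, 2]   # two most significant bytes only
  ip[10, 2] = [0].pack('n')                   # zero before recomputing
  ip[10, 2] = [ipv4_checksum(ip)].pack('n')
  out[ETH_HDR, ihl] = ip
  out
end

def dst_ip(frame)
  frame[ETH_HDR + 16, 4].unpack('C*').join('.')
end
```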
Posted in C
March 26th, 2007 by kowsik
In previous blogs, I’ve talked about using code coverage as one metric for assessing the effectiveness of fuzzing. While protocol specifications and application definitions can be used for fuzzing, the interdependencies of fields and messages within protocols, including state, are not always obvious. For example, when looking at the telnetd source, it’s pretty obvious that you need to send 4 or 5 primary telnet options before the server will enter the main loop. Or the fact that no matter what you do with the XDISPLAYLOC telnet option, you are wasting time since the server simply passes this to setenv.
Posted in Ruby, Tools
March 7th, 2007 by Russ Daigle
The Mu Security Research Team released advisory “MU-200703-01” today. Details: http://labs.musecurity.com/advisories/MU-200703-01.txt
Posted in Advisories
February 20th, 2007 by Adam Bozanich
The Mu Security Research Team released advisory “MU-200702-01” today. Details: http://labs.musecurity.com/advisories/MU-200702-01.txt
Posted in Advisories
February 2nd, 2007 by kowsik
In the OOMPH blog I talked about specification coverage and how the effectiveness of attacks can be measured. Part of building object-oriented mutations that mimic the design and interconnectedness of protocols is to leverage attacks on referenced structures in related protocols. But how are protocols related?
Posted in Mutations, Research
January 31st, 2007 by kowsik
As in Nada, Nothing. When I wrote the title, it sounded silly that something as simple as this would be a pattern, but the number of NULL-pointer DoSes that this creates is pretty amazing. It’s a very effective pattern that is about removing mandatory elements/fields from a protocol and sending them off to /dev/null.
Posted in Mutations, Research