Category Archives: Security engineering

Bad security, good security, case studies, lessons learned

Permissive action links for individual bullets

Security engineering

I read with interest about US Patent application 20060117632, which proposes to apply the notion of cryptographic accessory control to individual bullets in firearms. Only after an authentication protocol has convinced the tiny microprocessor in a cartridge that it is OK to potentially kill someone, it will close a transistor switch that normally blocks the electrical ignition mechanism.

It does not seem to me technically infeasible, or even cost prohibitive, to apply security mechanisms comparable to those we have come to expect to be used in weapons of mass destruction also to smaller weapon systems that were designed to kill only a few people at a time.

(The idea could be extended. If we add a chip to each cartridge, we might as well place it into the bullet itself. The bullet processor could then store in its NVRAM an audit log of the certification chain that ultimately authorized the firing of this bullet. With the right packaging, NVRAM chips can be made extremely tough and withstand hundreds of km/s² acceleration, much more than the conditions a normal bullet faces when penetrating a body. Having a log file in each bullet that identifies who is responsible for firing it could make the forensic investigation of shootings and war crimes so much easier.)

Oracle attack on WordPress

Cryptology, Meta

This post describes the second of two vulnerabilities I found in WordPress. The first, a XSS vulnerability, was described last week. While the vulnerability discussed here is applicable in fewer cases than the previous one, it is an example of a comparatively rare class, oracle attacks, so I think merits further exposition.

An oracle attack is where an attacker can abuse a facility provided by a system to gain unauthorized access to protected information. The term originates from cryptology, and such attacks still crop up regularly; for example in banking security devices and protocols. The occurrence of an oracle attack in WordPress illustrates the need for a better understanding of cryptography, even by the authors of applications not conventionally considered to be cryptographic software. Also more forgiving primitives and better robustness principles could reduce the risk of future weaknesses.

The vulnerability is a variant of the ‘cache’ shell injection bug reported by rgodm. This is caused by an unfortunate series of design choices by the WordPress team, leading to arbitrary PHP execution. The WordPress cache stores commonly accessed information from the database, such as user profile data, in files for faster retrieval. Despite them being needed only by the server, they are still accessible from the web, which is commonly considered bad practice. To prevent the content being read remotely, the data is placed in .php files, commented out with //. Thus when executed by the web server, in response to a remote query, they return an empty file.

However, putting user controlled data in executable files is inherently a risky choice. If the attacker can escape from the comment then arbitrary PHP can be executed. rgodm’s shell injection bug does this by inserting a newline into the display name. Now all the attacker must do is guess the name of the .php file which stores his cached profile information, and invoke it to run the injected PHP. WordPress puts an index.php in the cache directory to suppress directory indexing, and filenames are generated as MD5(username || DB_PASSWORD) || “.php”, which creates hard to guess name. The original bug report suggested brute forcing DB_PASSWORD, the MySQL authentication password, but the oracle attack described here will succeed even if a strong password is chosen.

Continue reading Oracle attack on WordPress

Anatomy of an XSS exploit

Meta, Security engineering

Last week I promised to follow up on a few XSS bugs that I found in WordPress. The vulnerabilities are fixed in WordPress 2.0.3, even though the release notes do not mention their existence. I think there are a number of useful lessons that can be drawn from them, so in this post I will describe some more details.

The goal of a classic XSS exploit is to run arbitrary Javascript, in the context of a another webpage, which retrieves the user’s cookies. With WordPress I will concentrate on the comment management interface. Here, the deletion button has a Javascript onclick event handler to display a confirmation dialog, which includes the comment author’s name. If malicious input can break out of the dialog box text, then when an administrator activates the button, the attacker’s Javascript is run, allowing access to the admin user’s cookies. I found two classes of bugs which allowed me to do this.

Continue reading Anatomy of an XSS exploit

The Rising Tide: DDoS by Defective Designs and Defaults

Security economics, Security engineering

Dedicated readers will recall my article about how I tracked down the “DDoS” attack on stratum 1 time servers by various D-Link devices. I’ve now had a paper accepted at the 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI’06) which runs in California in early July.

The paper (PDF version available here and HTML here) gives rather more details about the problems with the D-Link firmware. More significantly, it puts this incident into context as one of a number of problems suffered by stratum 1 time servers over the past few years AND shows that these time server problems are just one example of a number of incidents involving different types of system that have been “attacked” by defective designs or poorly chosen defaults.

My paper is fairly gloomy about the prospects for improvement going forward. ISPs are unlikely to be interested in terminating customers who are running “reputable” systems which just happen to contribute to a DDoS on some remote system. There’s no evidence that system designers are learning from past mistakes — and the deskilling of program development is meaning that ever more clueless people are involved. Economic and legal approaches don’t seem especially promising — it may have cost D-Link (and Netgear before them) real dollars, but I doubt that the cost been high enough yet to scare other companies into auditing their systems before they too cause a similar problem.

As to the title… I suggest that if a classic, zombie-originated, DDoS attack is like directing a firehose onto a system; and if a “flash crowd” (or “slashdotting”) is like a flash flood; then the sort of “attack” that I describe is like a steadily rising tide, initially easy to ignore and not very significant, but it can still drown you just the same.

Hence it’s important to make sure that your security approach — be it dams and dikes, swimming costumes and life-jackets, or wetsuits and scuba gear (or of course their Internet anti-DDoS equivalents) — is suitable for dealing with all of these threats.

XSS vulnerabilities fixed in WordPress 2.0.3

Meta, Security engineering

Users are strongly urged to upgrade their version of WordPress to 2.0.3 (as you will see that we have already!) This release fixes two XSS vulnerabilities that I reported to WordPress on 14 Apr 2006 and 4 May 2006, although they are not mentioned in the release announcement. These are exploitable in the default installation and can readily lead to arbitrary PHP code execution.

I think there a number of interesting lessons to learn from these vulnerabilities, so I plan to post more details in 10 days time (thereby giving users a chance to upgrade). The nature of the problem can probably be deduced from the code changes, so there is limited value in waiting much longer.

I will also discuss a refinement of the ‘cache’ shell injection bug reported by rgodm, which is also fixed by WordPress 2.0.3. The new attack variant I discovered no longer relies on a guessable database password, but only applies when the Subscribe To Comments plugin is also activated. The latest version of the plugin (2.0.4) mitigates this attack, but upgrading WordPress is still recommended.

Persec 2006 and Naccache on tapping mobile phones

Hardware & signals, Privacy technology

Over the past couple of months I attended about half a dozen events around the world (Brussels, Pisa (x3), Tokyo, Cambridge, York, Milan), often as invited speaker, but failed to mention them here. While I won’t promise that I will ever catch up with the reporting, let me at least start.

I was, with Ari Juels of RSA Labs, program chair of IEEE PerSec 2006, the security workshop of the larger PerCom conference, held in March 2006 in Pisa, Italy. I previously mentioned the rfid virus paper by Rieback et al when it got the (second) best paper award: that was the paper I found most enjoyable of the ones in the main track.

Ari and I invited David Naccache as the keynote speaker of our workshop. This was, if I may say so myself, an excellent move: for me, his talk was by far the most interesting part of the whole workshop and conference. Now a professor at the École Normale Supérieure in Paris, David was until recently a security expert at leading smartcard manufacturer Gemplus. Among other things, his talents allow him to help law enforcement agencies tap the bad guys’s cellphones, read the numbers in their phone books and find out where they have been.

His talk was very informative and entertaining, full of fascinating war stories such as the tricks used to steal covertly an expired session key from the phone of a suspect to decrypt a recorded phone call that had been intercepted earlier as cyphertext. The target was asleep in a hotel room, with his phone under recharge on his bed table, and the author and his agents were in the next room, doing their electronic warfare from across the wall. What do you do in a case like this? pretend to be the base station, reissue the old challenge so that the SIM generates the same session key, and then listen to the electromagnetic radiation from the pads of the SIM while the key is being transmitted to the handset via the SIM’s electric contacts. Brilliant. And just one in a rapid-fire sequence of other equally interesting real life stories.

David, like many of the other speakers at the workshop, has kindly allowed me to put up his paper and presentation slides on the workshop’s web site. It won’t be as good as his outstanding live talk, but you may still find it quite interesting.

On the same page you will also find two more papers by members of the Cambridge security group: one on multi-channel protocols by Ford-Long Wong and yours truly, and one attacking key distribution schemes in sensor networks by Tyler Moore.

Video eavesdropping demo at CeBIT 2006

Hardware & signals

If you happen to be at CeBIT 2006 in Hanover this week, don’t miss a little demonstration of compromising video emanations that I developed (Halle 6, Stand A42, booth of GBS). It shows how easily now cheap FPGA DSP evaluation boards can be turned into impressive home-brew eavesdropping devices.

COVISP demonstration setup at CeBIT 2006

The system shown consists of a log-periodic antenna (not on the photo), a Dynamic Sciences R1250 wideband receiver, and an Altera FPGA DSP Development Kit, Stratix II Edition. The FPGA board is the implementation platform for my COVISP-1 (compromising video emanations processor) circuit. It receives the 30 MHz intermediate-frequency output signal from the UHF tuner, samples it with 12-bit resolution at 120 MHz, applies a number of signal-processing steps (AM demodulation, gain control, clipping, blanking), and outputs the result – along with sync-pulses – onto the connected VGA monitor. It implements all the controls necessary to adjust it precisely and comfortably to the video mode of the eavesdropping target, including a video clock synthesizer with a frequency-resolution of about 1 part-per-billion, necessary for accurate synchronization of the image.
The eavesdropping target to which the demo setup is tuned in on the above picture is a PC with a flat-panel display:
Eavesdropping target of COVISP demonstration at CeBIT 2006

It belongs to a nearby Russian stand, is about 25 meters away from our antenna. Its PowerPoint presentation is clearly readable on our eavesdropping system, which managed to isolate this signal from the many hundred PCs located in the same room.