W01f Labs

Jun 30, 2010

Reverse Engineering Flash games

Majority of online games uses Adobe Flash these days. While trying out this online games, i was surprised find out that there are still many unsecured flash games. Some are still sending the score in clear text (shown below). I think it is the basic for all online games to protect the score (or data) while submitting back to the server. I even created a simple Web challenge (Data Manipulation attacks for Web applications) on this flaw several months back, to teach and share this knowleadge.

Hashing, good enough?
But there are others that try to protect the score that is transmit back to the server using hashing. They hash the score with a secret key or "Salt". It look safe to many by protecting the data transmission. But they did not protect the Flash itself. It can be easily decompiled to extract the key (shown below) or change the code. Flash code should be obfuscated so that decompiling could not be easily done.

Below is the example of the unsecured Flash game that i came across recently. I had inform their administrator about the possible hacking on their game but they never reply to find out more. So i decided to share some of my finding and show how easy it can be reverse engineered.

Below is function that calls the hashing and submit the user's info and score.

Below shows the "key" or "Salt" that is use for the hashing.

-Update on 19 Jul

After the programmer of the game (that i previously mentioned) tried to secure their code, they were hacked again. This time it looks like an Indonesian hacker, which uses the name "Rank 1 to 10 all cheated" in Bahasa Indonesia, put himself on the top of the score table (with obvious reason).

Looks like the programmer don't understand malay language at all as the name was listed for a few days and was not removed. Time for me to send them a note again.

Jun 8, 2010

DOS vulnerability on Internet Browser

While contributing to the OSVDB. I notice about the recent DoS (Denial of Service) vulnerability on the Internet Browser and decided to research on it.

Internet Browser such as IE and Firefox contains a flaw that may allow a remote denial of service. The vulnerability can be triggered when processing a web page with a large number of various invalid request such as NNTP, NEWS and Mailto. This may cause the system to crash due to high resources consumption.

I have tested on some of these exploits. Test at your own risk.

Affected Browser: Internet Explorer, FireFox, Chrome, Opera, etc
OSVDB: 65110
Exploit Code: Download

Jun 1, 2010

Wing FTP Server - Cross Site Scripting Vulnerability

The Wing FTP Server was found to be vulnerable to Cross Site Scripting(XSS) vulnerability, which could be exploited using malicious scripts.

Discovered Date: May 31, 2010
System affected: Wing FTP Server for Windows, Version 3.5.0 and prior version
Discovered by: w01f

Vulnerability Description:
==================
Wing FTP server is a multi-protocol file server, which support such as HTTP and FTP. It comes with a Web-based "Administrator" Console. The XSS vulnerability is found in the "Administrator" Web interface . It is accessible using the server IP with default port 5366 (Eg. http://192.168.0.1:5466). Script can be injected to the "POST" command. This can be exploited by injecting arbitrary HTML and malicious script code, which will execute in a user's browser session.

Vulnerability testing:
===============
Vulnerable URL: http://192.168.41.137:5466/admin_loginok.html
Tested with: Firefox 3.5 and Internet Explorer 7 on Windows XP SP3
with Web proxy

In the "Administrator" web interface, from the login page, a simple "alert("You are HACKed!")" script was injected to the "POST" command. It was executed and display on the web browser. Malicious script could be executed using this method.

Remediation:
==========
Discussion with the wftpserver.com support. This vulnerability was not consider critical as it requires authenticated login to exploit. But it will be fixed on the next release in about a month time.

Updated 10 Jun 2010:
The flaw was fixed on version 3.5.1.

References:
- Common Vulnerabilities and Exposures: CVE-2010-2428
- National Vulnerability Database (CVE-2010-2428)
- ISS X-Force Database: wingftpserver-adminloginok-xss (59094)
- SecurityFocus: Wing FTP Server 'admin_loginok.html' HTML Injection Vulnerability
- OSVDB 65444 : Wing FTP Server Admin Interface admin_loginok.html XSS
- SANS: @RISK: The Consensus Security Vulnerability Alert
- Bugtraq: Wing FTP Server - Cross Site Scripting Vulnerability
- Packet Storm: wingftp-xss.txt

May 14, 2010

XSS vulnerability found on D-Link Router

Cross Site Scripting (XSS) vulnerability was found on the D-Link DI-724P+ Router, which can be exploited by conducting a cross-site scripting attacks.

Discovered Date: May 14, 2010
System affected: D-Link DI-724P+ Router, Firmware Version: v1.03
Discovered by: w01f

Vulnerability Description:
==================
The XSS vulnerability is found in the Admin Web interface. It is accessible using http://192.168.0.1 (by default). Script can be injected from the GET string. This can be exploited by injecting arbitrary HTML and malicious script code, which will execute in a user's browser session.

Vulnerability testing:
===============
Vulnerable URL: http://192.168.0.1/wlap.htm
Tested with: Windows XP with Internet Explorer 7, using Web proxy

In the Admin web interface, under the "wireless" tab, i injected a simple "alert("You are hack!")" script in the GET string. It was executed and display on the web browser.

Remediation:
==========
According to D-Link, the router is out of support and will not be releasing any patches. Continue using on your own risk.

References:
- SecurityFocus: D-Link DI-724P+ Router 'wlap.htm' HTML Injection Vulnerability
- OSVDB 65002 : D-Link DI-724P+ Admin Interface wlap.htm GET String XSS
- SANS: @RISK: The Consensus Security Vulnerability Alert
- Packet Storm: dlinkdi724p-xss.txt
- Full Disclosure: D-Link DI-724P+ Router - Cross Site Scripting Vulnerability

Dec 18, 2009

Adobe new vulnerbility APSA09-07, CVE-2009-4324

Adobe had recently confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

This vulnerability affects Adobe Reader/Acrobat 9.2 or older. the vulnerability was found in the JavaScript function specific when reading PDF file. Exploits were found in the form of maliciously crafted PDF files.

Exploits Behaviours:
==============
It drops and execute a malicious downloader. This downloader will download more malwares from domain such as foruminspace.com.

Other symptoms such as unexpected network connections from the Adobe Reader and in some cases, Adobe reader may crashes or terminates abnormally.

From my observation, major AV vendors such as Symantec, Sophos, McAfee, TrendMicro had specific signatures for this exploit. Not sure if other AV such as Panda or Kaspersky, which do not have a specific signature, can detect this exploit under their generic signatures. I have requested for a copy of the malware from a McAfee researcher. Hopefully can get it to do a further analysis.

So far the findings from McAfee, the malware uses JavaScript obfuscation to hide the actual exploit code in the malicious PDF.

Example of a sample code that shows the malware using XOR encoder to hide the exploit code.

s1='\x2a\x3d\x3e\x \x31\x \x31\x33\x \x25\x67\x56\x \x35\x3a\x7\x .....';

s2='';
for (i=0; i< s1.length; i++)
{
s2=s2+String.fromCharCode(s1.charCodeAt(i) ^ k);

};

eval(s2);

The patch for this vulnerbility was announced to be release next year, but user can mitigate this problem by disabling JavaScript in Adobe Reader and Acrobat. Please refer to "Disable javascript in Adobe Acrobat" or Adobe security bulletin for the steps.

Nov 4, 2009

Counter malware analysis

As a malware researcher (during leisure), we face a constant challenge from the malware writers trying to outsmart us by using many anti analysis technique in their malware. Deter and confuse researchers from analysing the malware.

These techniques include:

Obfuscation/hiding of codes & scripts

Base64

unescape(dz+cz+op+st)+'dw(dz+cz($+st));')}else{$=''};function sc(cnm,v,ed)

Encryption of Source code & data

Junk code (useless instructions and rountine)

Detection of analysis tools (virtual system, monitoring tools, debugger)

Conduct integrity checks (Prevent tampering and patching)

Below are some sample code used by malware to detect analysis tools.

Detect OllyDbg
The function IsODBGLoaded will return true if debugger is detected

__inline bool IsODBGLoaded() {
char *caption="DAEMON";
_asm {

push 0x00
push caption

mov eax, fs:[30h]
movzx eax, byte ptr[eax+0x2]
or al,al
jz normal_
jmp out_
normal_:

xor eax, eax
leave
ret
out_:

mov eax, 0x1
leave
ret
}
}

Detect VMWare
It checks the version and see if it is running inside the virtual

/* Check VMware version only */

int VMGetVersion() {

unsigned long version, magic, command;
command=VMCMD_GET_VERSION;
VMBackDoor(&version, &magic, &command, NULL);
if(magic==VMWARE_MAGIC) return version;
else return 0;
}

/* Check if running inside VMWare */

int IsVMWare() {

int version=VMGetVersion();
if(version) return true; else return false;
}

Detecting Breakpoints
The function IsBPX checks if the given memory address is a breakpoint.

__inline bool IsBPX(void *address) {

_asm {

mov esi, address
mov al, [esi]
cmp al, 0xCC
je BPXed

xor eax, eax
jmp NOBPX
BPXed:

mov eax, 1
NOBPX:
}
}

Aug 7, 2009

Malware Analysis: Antivirus System PRO

This summary is not available. Please click here to view the post.