MySQL bot infecting Windows machines

The ISC’s Handlers Diary today covers a new MySQL bot that is actually quite clever. First off, it only affects MySQL running on Windows systems (who does that? I guess quite a few people, as there are a few thousand systems infected). The bot doesn’t exploit any vulnerability in MySQL; instead it brute-forces the MySQL root password by chewing through a long list of candidates. Again, this is a great example of why strong passwords are a fundamental part of security. The clever part comes after the bot successfully connects to the database as the root user. As outlined in the Handlers Diary:

“Once connected, the bot will create a table called ‘bla’ using the database ‘mysql’. The ‘mysql’ database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named ‘line’.

Once the table is created, the executable is written into the table using an insert statement. Then, the content of the table is written to a file called ‘app_result.dll’ using ‘select * from bla into dumpfile “app_result.dll”’. The ‘bla’ table is dropped once the file is created.

In order to execute the ‘app_result.dll’, the bot creates a mysql function called ‘app_result’ which uses the ‘app_result.dll’ file saved earlier. This function is executed, and as a result the bot is loaded and run.”

I think that leveraging the MySQL root access the way the bot author(s) did to compromise the entire system is really sweet!
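As an added example (not code from the ISC diary or from this post), here is a small Python scanner that runs over MySQL general query log lines and flags the two behaviours the diary describes: a burst of failed root logins from one host, and the table -> INTO DUMPFILE -> CREATE FUNCTION staging chain. The log lines, hostnames, thread ids and payload bytes are constructed to mirror that description, and the five-attempt threshold is an assumption:

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the classic general-log layout:
#   "YYMMDD HH:MM:SS  <thread id> <command>  <argument>"
# (real logs omit the timestamp on consecutive lines within one second).
SAMPLE_LOG = """\
050126 16:08:01    5 Connect   Access denied for user 'root'@'10.3.10.24' (using password: YES)
050126 16:08:01    6 Connect   Access denied for user 'root'@'10.3.10.24' (using password: YES)
050126 16:08:02    7 Connect   Access denied for user 'root'@'10.3.10.24' (using password: YES)
050126 16:08:02    8 Connect   Access denied for user 'root'@'10.3.10.24' (using password: YES)
050126 16:08:03    9 Connect   Access denied for user 'root'@'10.3.10.24' (using password: YES)
050126 16:08:03   10 Connect   Access denied for user 'root'@'10.3.10.24' (using password: YES)
050126 16:08:04   11 Connect   root@10.3.10.24 on mysql
050126 16:08:04   11 Query     CREATE TABLE bla (line BLOB)
050126 16:08:05   11 Query     INSERT INTO bla VALUES (0x4D5A9000)
050126 16:08:05   11 Query     SELECT * FROM bla INTO DUMPFILE 'app_result.dll'
050126 16:08:05   11 Query     DROP TABLE bla
050126 16:08:06   11 Query     CREATE FUNCTION app_result RETURNS INTEGER SONAME 'app_result.dll'
050126 16:08:06   11 Query     SELECT app_result()
050126 16:08:06   11 Quit
050126 16:09:10   12 Connect   webapp@10.3.10.50 on shop
050126 16:09:10   12 Query     SELECT name FROM users WHERE id = 7
050126 16:09:10   12 Quit
"""

LINE_RE = re.compile(r"^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(\d+)\s+(\w+)\s*(.*)$")
DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
CONNECT_RE = re.compile(r"^(\S+?)@(\S+)")

# The staging chain in the order the bot runs it; a file write or UDF load on
# its own is already worth an alert, the complete chain is high confidence.
STAGES = [
    ("create_blob_table", re.compile(r"\bCREATE\s+TABLE\b.*\bBLOB\b", re.I)),
    ("insert_payload", re.compile(r"\bINSERT\s+INTO\b", re.I)),
    ("dump_to_file", re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I)),
    ("load_udf", re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),
]
BRUTE_FORCE_THRESHOLD = 5  # assumed: failed logins from one user@host before alerting


def parse_line(line):
    """Split a general-log line into (thread id, command, argument), or None."""
    m = LINE_RE.match(line)
    return (int(m.group(1)), m.group(2), m.group(3).strip()) if m else None


def scan(log_text):
    """Return a list of finding dicts for brute force and UDF staging."""
    denied = Counter()          # (user, host) -> failed login count
    who = {}                    # thread id -> (user, host) after a successful Connect
    stages = defaultdict(dict)  # thread id -> {stage name: first matching statement}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        tid, cmd, arg = parsed
        if cmd == "Connect":
            d = DENIED_RE.search(arg)
            if d:
                denied[(d.group(1), d.group(2))] += 1
            else:
                c = CONNECT_RE.match(arg)
                if c:
                    who[tid] = (c.group(1), c.group(2))
        elif cmd == "Query":
            for name, pattern in STAGES:
                if pattern.search(arg):
                    stages[tid].setdefault(name, arg)

    findings = []
    for (user, host), count in denied.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            findings.append({"type": "brute_force", "user": user, "host": host,
                             "attempts": count})
    for tid, seen in stages.items():
        if "dump_to_file" in seen or "load_udf" in seen:
            user, host = who.get(tid, ("?", "?"))
            hit = [name for name, _ in STAGES if name in seen]
            findings.append({"type": "udf_staging", "thread": tid, "user": user,
                             "host": host, "stages": hit,
                             "complete_chain": len(hit) == len(STAGES)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with scan(open(path).read()); the general query log has to be switched on for there to be anything to scan, which on a busy server is a trade-off of its own. Two configuration checks complement the detection: root should not be reachable from the network with a guessable password at all, and in later MySQL releases the secure_file_priv setting confines where INTO DUMPFILE may write, which breaks the second step of the chain.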

Password recovery on a Cisco PIX 501

I found myself with a couple of Cisco PIX 501s that were pulled from production a while ago and needed to be redeployed. The passwords were unknown. So, I used the document Password Recovery and AAA Configuration Recovery Procedure for the PIX in order to reset the password. I needed to download the binary file available on that webpage for the version of the PIX software that was installed, as well as a TFTP server. Working from a Windows machine, I chose SolarWinds TFTP server. I followed the steps under the section “PIX Without a Floppy Drive”. This involved going into monitor mode on the PIX by booting it up and hitting ESC, setting the interface to use by issuing ‘interface 0’, setting the IP address of the 0 interface with the ‘address’ command, setting the filename to retrieve from the server with the command ‘file np63.bin’ (the binary file I downloaded), and setting the server with the command ‘server’ (the IP of the TFTP server):

monitor> interface 0
0: i8255X @ PCI(bus:0 dev:17 irq:9 )
1: i8255X @ PCI(bus:0 dev:18 irq:10)

Using 0: i82557 @ PCI(bus:0 dev:17 irq:9 ), MAC: 000e.83b2.e0a4
monitor> address 10.3.10.24
address 10.3.10.24
monitor> file np63.bin
file np63.bin
monitor> server 10.3.10.25
server 10.3.10.25

At this point it was possible to ping the TFTP server and retrieve the binary file with the command ‘tftp’:

monitor> ping 10.3.10.25
Sending 5, 100-byte 0x891a ICMP Echoes to 10.3.10.25, timeout is 4 seconds:
!!!!!
Success rate is 100 percent (5/5)
monitor> tftp
tftp np63.bin@10.3.10.25........................................................
................................................................................
.............................................
Received 92160 bytes

Cisco Secure PIX Firewall password tool (3.0) #0: Thu Jul 17 08:01:09 PDT 2003
Flash=E28F640J3 @ 0x3000000
BIOS Flash=E28F640J3 @ 0xD8000

Do you wish to erase the passwords? [yn] y

The default telnet password after this is “cisco” and there is no enable password. Pretty painless.

Troubleshooting SSL from the command line

I find myself having to investigate why an SSL service is not working from time to time. Usually this happens when I’m on a remote shell and don’t have access to a web browser. Debugging cleartext services is usually easy because they return a banner or other data as soon as you connect to them. For instance, with the HTTP protocol you can simply do something like:

# echo -e -n "HEAD / HTTP/1.0\r\n\r\n" | nc foo.bar.com 80
HTTP/1.1 500 No Context configured to process this request
Content-Type: text/html
Date: Wed, 26 Jan 2005 16:08:19 GMT
Server: Apache Tomcat/4.0.1 (HTTP/1.1 Connector)
Connection: close

The openssl command line tool has a subcommand, s_client, that implements a generic client able to speak SSL/TLS. If we were to use nc to connect to the host on its SSL-speaking port, nothing would come back, since the server is waiting for a TLS handshake that nc never starts. So, using the openssl tool, we do this to test https://cisco.com:

# openssl s_client -connect cisco.com:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 1536 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 2932C689345E5C302FE75477926FE21ACDB2CD8D86AF720B7FBF96BF94B17994
    Session-ID-ctx:
    Master-Key: 6D9817BBCE4723C870BAAB33FDCFFA7419DCFA192605760A93977763E31F48218C388A6D184CDE6A6C12EF8CE37DC8A1
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1106755570
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

At this point we can interact with the web service just like we did with the HTTP service earlier:

GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2005 16:23:58 GMT
Server: Apache/1.0 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7d
Set-Cookie: CP_GUTC=198.7.47.200.7211106756640314; path=/; expires=Sun, 20-Jan-30 16:23:58 GMT; domain=.cisco.com
Last-Modified: Tue, 14 Dec 1999 19:03:53 GMT
ETag: "330c3-41-38569499"
Accept-Ranges: bytes
Content-Length: 65
Connection: close
Content-Type: text/html

I find it useful to use the -state argument along with the -nbio argument for openssl, which runs it with non-blocking I/O while printing the handshake states, so you can pipe the output through tools like grep:

# openssl s_client -connect cisco.com:443 -state -nbio 2>&1 | grep SSL
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1536 bytes and written 340 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
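To make both kinds of s_client output above easier to read in bulk, here is an added Python example (not from the original post) that parses s_client output offline and reports the fields to check first: the verify return code and what it usually means, whether the server's chain stops short of a trusted issuer, and, for the -state trace, how far the handshake got. SAMPLE_SUMMARY and SAMPLE_TRACE are trimmed from the cisco.com session above; SAMPLE_STALLED is constructed to show a handshake that never completes, and the verify-code descriptions are this example's own wording:

```python
import re

# Verify codes seen above (OpenSSL X509_V_ERR_* numbers); descriptions are this example's wording.
VERIFY_CODES = {
    20: "issuer certificate neither in the local trust store nor sent by the server",
    21: "the leaf's issuer could not be found: incomplete chain on the server or an untrusted CA",
    27: "certificate not trusted",
}

# Trimmed from the cisco.com session shown above.
SAMPLE_SUMMARY = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ITG-WSI(cco-sj-1)/CN=www.cisco.com
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
SSL handshake has read 1536 bytes and written 340 bytes
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

# Trimmed from the -state -nbio run shown above.
SAMPLE_TRACE = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 write finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1536 bytes and written 340 bytes
"""

# Constructed: the client hello went out and nothing ever came back.
SAMPLE_STALLED = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
"""

FIELDS = (("verify_code", r"Verify return code:\s*(\d+)"),
          ("protocol", r"Protocol\s*:\s*(\S+)"),
          ("cipher", r"Cipher\s*:\s*(\S+)"))


def parse_s_client(output):
    """Pull the fields worth checking out of s_client output in either mode."""
    info = {"chain": [], "errors": [], "states": [], "retries": 0,
            "handshake_done": False, "verify_code": None}
    in_chain = False
    for line in output.splitlines():
        s = line.strip()
        if s == "Certificate chain":
            in_chain = True
            continue
        if in_chain:  # " 0 s:<subject>" then "   i:<issuer>" pairs until the next ---
            m = re.match(r"\d+\s+s:(.*)", s)
            if m:
                info["chain"].append({"subject": m.group(1), "issuer": None})
            elif s.startswith("i:") and info["chain"]:
                info["chain"][-1]["issuer"] = s[2:]
            elif s == "---":
                in_chain = False
            continue
        if s.startswith("SSL_connect:"):
            state = s[len("SSL_connect:"):]
            if state.startswith("error in "):
                info["retries"] += 1  # under -nbio a read "error" is a would-block retry
            else:
                info["states"].append(state)
        elif s.startswith("SSL handshake has read"):
            info["handshake_done"] = True
        m = re.match(r"verify error:num=(\d+):(.*)", s)
        if m:
            info["errors"].append((int(m.group(1)), m.group(2)))
        for key, pattern in FIELDS:
            m = re.match(pattern, s)
            if m:
                info[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return info


def diagnose(info):
    """Turn the parsed fields into the short list of things to fix or check."""
    notes = []
    code = info["verify_code"]
    if code:
        notes.append("verify failed (%d): %s" % (code, VERIFY_CODES.get(code, "see verify(1)")))
    chain = info["chain"]
    if chain and chain[-1]["issuer"] and chain[-1]["issuer"] != chain[-1]["subject"]:
        notes.append("server sent %d certificate(s) and the top issuer is not among them, "
                     "so the client must already trust it" % len(chain))
    if info["states"] and not info["handshake_done"]:
        notes.append("handshake stalled after %r" % info["states"][-1])
    return notes
```

For a live run, feed the captured output to diagnose(parse_s_client(sys.stdin.read())) at the end of a pipeline such as openssl s_client -connect host:443 -state -nbio 2>&1. One caveat the -nbio trace makes visible: an “error in ... read ...” line under non-blocking I/O usually just means the read would have blocked and will be retried, as the three such lines above show, so only an error that is never followed by progress points at a real failure.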

Browsing the Web and Reading E-mail Safely as an Administrator

Michael Howard has written a two-part series on his blog about how you can run as admin on your Windows box and still access the internet (browser, email, IM) safely by dropping certain admin privileges. Howard, a self-described “Simple Software Security Guy at Microsoft”, is actually a Senior Security Program Manager in the Secure Engineering group at Microsoft and co-author of Writing Secure Code. Part one of the article is here and part two is here. Of note is that only Windows XP and Windows Server 2003 (and later) support this capability, because it relies on new functionality called Software Restriction Policy, also known as SAFER. In part one Howard provides a link to download DropMyRights.msi, an app that takes the current user’s token (such as an admin token), removes various privileges from it, and then uses this stripped token to spawn the application that should run in a non-admin context. DropMyRights can be used with any application, such as IE, Outlook, Firefox or GroupWise. It couldn’t be easier to set up either: you simply create a shortcut that passes the application you want to run with least privileges to DropMyRights.exe, such as C:\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe". Under the hood this method uses APIs like SaferCreateLevel and SaferComputeTokenFromLevel.
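The token-stripping step is short enough to show in full. The following is an added example, written for this post and not Howard’s DropMyRights code, that does the same thing from Python with ctypes: it asks SAFER for a restricted copy of the current token at a named level and starts the given program with it. It runs on Windows only; the script name dropmyrights.py, the level names accepted on the command line and the choice of CREATE_NEW_CONSOLE are this example’s own:

```python
"""Added example: a DropMyRights-style launcher using the SAFER APIs via ctypes.
Windows only; level names, script name and flags are this example's choices."""
import ctypes
import subprocess
import sys
from ctypes import wintypes

# Values from winsafer.h
SAFER_SCOPEID_USER = 2
SAFER_LEVEL_OPEN = 1
SAFER_LEVELS = {
    "normaluser": 0x20000,   # SAFER_LEVELID_NORMALUSER: admin groups become deny-only
    "constrained": 0x10000,  # SAFER_LEVELID_CONSTRAINED
    "untrusted": 0x01000,    # SAFER_LEVELID_UNTRUSTED
}
CREATE_NEW_CONSOLE = 0x00000010


class STARTUPINFOW(ctypes.Structure):
    _fields_ = [("cb", wintypes.DWORD), ("lpReserved", wintypes.LPWSTR),
                ("lpDesktop", wintypes.LPWSTR), ("lpTitle", wintypes.LPWSTR),
                ("dwX", wintypes.DWORD), ("dwY", wintypes.DWORD),
                ("dwXSize", wintypes.DWORD), ("dwYSize", wintypes.DWORD),
                ("dwXCountChars", wintypes.DWORD), ("dwYCountChars", wintypes.DWORD),
                ("dwFillAttribute", wintypes.DWORD), ("dwFlags", wintypes.DWORD),
                ("wShowWindow", wintypes.WORD), ("cbReserved2", wintypes.WORD),
                ("lpReserved2", ctypes.c_void_p), ("hStdInput", wintypes.HANDLE),
                ("hStdOutput", wintypes.HANDLE), ("hStdError", wintypes.HANDLE)]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", wintypes.HANDLE), ("hThread", wintypes.HANDLE),
                ("dwProcessId", wintypes.DWORD), ("dwThreadId", wintypes.DWORD)]


def safer_level_id(name):
    """Map the level name given on the command line to its SAFER_LEVELID constant."""
    try:
        return SAFER_LEVELS[name.lower()]
    except KeyError:
        raise ValueError("unknown level %r, expected one of %s"
                         % (name, ", ".join(sorted(SAFER_LEVELS)))) from None


def build_command_line(program, args=()):
    """Quote the program and its arguments the way CreateProcess expects them."""
    return subprocess.list2cmdline([program, *args])


def run_with_dropped_rights(command_line, level="normaluser"):
    """Start command_line under a SAFER-restricted copy of our own token; return its PID."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

    level_handle = wintypes.HANDLE()
    if not advapi32.SaferCreateLevel(SAFER_SCOPEID_USER, safer_level_id(level),
                                     SAFER_LEVEL_OPEN, ctypes.byref(level_handle), None):
        raise ctypes.WinError(ctypes.get_last_error())
    restricted = wintypes.HANDLE()
    try:
        # A NULL input token tells SAFER to restrict the calling thread's/process's own token.
        if not advapi32.SaferComputeTokenFromLevel(level_handle, None,
                                                   ctypes.byref(restricted), 0, None):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        advapi32.SaferCloseLevel(level_handle)

    try:
        startup = STARTUPINFOW()
        startup.cb = ctypes.sizeof(startup)
        proc = PROCESS_INFORMATION()
        cmd = ctypes.create_unicode_buffer(command_line)  # CreateProcess may modify it in place
        if not advapi32.CreateProcessAsUserW(restricted, None, cmd, None, None, False,
                                             CREATE_NEW_CONSOLE, None, None,
                                             ctypes.byref(startup), ctypes.byref(proc)):
            raise ctypes.WinError(ctypes.get_last_error())
        kernel32.CloseHandle(proc.hThread)
        kernel32.CloseHandle(proc.hProcess)
        return proc.dwProcessId
    finally:
        kernel32.CloseHandle(restricted)


if __name__ == "__main__":
    # e.g.  python dropmyrights.py normaluser "c:\program files\internet explorer\iexplore.exe"
    if len(sys.argv) < 3:
        sys.exit("usage: dropmyrights.py <normaluser|constrained|untrusted> <program> [args...]")
    print(run_with_dropped_rights(build_command_line(sys.argv[2], sys.argv[3:]), sys.argv[1]))
```

Point the shortcut described above at python dropmyrights.py normaluser "c:\program files\internet explorer\iexplore.exe" instead of DropMyRights.exe and the effect is the same: the child starts with the Administrators group marked deny-only and the dangerous privileges stripped. You can confirm this from inside the child with whoami /groups on Windows versions that ship it, which lists the Administrators SID as used for deny only.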

In part two Howard shows how to use Software Restriction Policies through local or enterprise policy. There are five SAFER security levels: Disallow, Unrestricted, Normal User, Constrained, and Untrusted. Howard provides a link to the Group Policy Object snap-in, which needs to be added to MMC. Once added, there is a Software Restriction Policy menu item where the policy for an app like IE or Outlook can be changed so that it runs as a low-privilege user rather than admin. Howard states that the “beauty of this solution over the solution using the SAFER APIs is that the SAFER policy mechanism is enforced by the operating system when a process starts. So you can invoke Internet Explorer from a shortcut on the desktop or a saved URL on the desktop, and Internet Explorer will run as a user.” The other exciting thing about being able to change the security level is the Disallow level. Let’s say there’s a 0day Windows virus and your AV vendor hasn’t released a definition for it. You can now implement a stopgap until your AV vendor releases the definition by setting a Disallow rule. For instance, W32/Bagle propagated by adding an exe named bbeagle.exe to the Windows system directory. So you could simply add a Disallow rule for c:\windows\system32\bbeagle.exe to your Group Policy and roll the policy out to the entire organization.

Another thing I learned along the way is how Windows machines retrieve policy. Windows 2000 periodically refreshes group policy settings throughout the network. On clients this is done by default every 90 minutes, with a randomized offset of +/- 30 minutes. You can force an update by issuing “secedit /refreshpolicy machine_policy” or “secedit /refreshpolicy user_policy” at the command prompt. However, secedit has been replaced by gpupdate on XP, Server 2003, and later.

Googling webcams

I was pointed to this forum, which explained that googling for inurl:"ViewerFrame?Mode=" will reveal plenty of unsecured webcams. You can control these cameras too, which makes it all the more interesting. It’s kind of neat to be able to peer in on the life of an ordinary person on the other side of the world and make the camera follow them back and forth. I don’t think vendors will ever start to ship products in *some state* of being secured rather than none, simply due to ease of setup and use. Look at all the issues with APs and default SSIDs. Sad but true.

SQL Injection Attacks by Example

SQL Injection Attacks by Example is an article written by Steve Friedl which really drives at *how* one goes about discovering where an application can be exploited and finding a SQL injection attack. I really enjoyed this walkthrough since it is essentially a real-world hack.