August 6, 2009 • 10:28 am
I have created a spam@onhacks.org to gather interesting spam from the wild.
Come on, bot! grab this email address (spam@onhacks.org) and show me your spam!!
Filed under: Uncategorized
January 16, 2009 • 12:46 am
I am still alive, actually.
Quite busy these days working with test specifications.
BTW, I got my visiting visa. I will probably go to see my team in early Feb.
Planning to make this page a blog showing pictures that I took.
Filed under: Uncategorized, Alive
January 1, 2009 • 1:09 pm
log0 and I have now gathered to write on the same security blog: onhacks.org. I hope that this is a great place for us to go deeply into security techniques and news. Thank you for supporting this blog. This blog will become my personal diary, but you are always welcome to come by and drop a comment.
See you at onhacks.org
Filed under: Uncategorized
November 25, 2008 • 3:46 pm
Last night, I was debugging programs in my dream; I saw some strange functions in the code (I did hope that these functions existed in real life). The way I was debugging was exactly the same as in the real world. Scary. I think I need to take a small break, but when can I do so? Probably during Christmas…
November 23, 2008 • 12:50 am
Last Friday, I played with DNS records. I know nothing about configuring a DNS server. However, as an engineer, it is worth knowing (I have to know) more about DNS, not just in theory. I took a look at the record types in DNS, and discovered that there is a trick which can confuse the DNS client. Let’s first take a look at the following DNS record type (from Wikipedia):
| Code | Defining RFC | Description | Function |
|---|---|---|---|
| CNAME | RFC 1035 | Canonical name record | Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. This helps when running multiple services (like an FTP and a web server, each running on different ports) from a single IP address. Each service can then have its own entry in DNS (like ftp.example.com. and www.example.com.). Network administrators also use CNAMEs when running multiple HTTP servers on the same port, with different names, on the same physical host. This however requires host header support for the two sites to both listen on the default port (port 80). |
Let’s assume that we have a domain name (DN) whois.evil.org and we want it to be resolved as iam.evil.org. In the same zone file, the record can look like this:
whois.evil.org CNAME iam.evil.org
When a client queries where whois.evil.org is, the DNS server will find this record and either try to resolve iam.evil.org for the client or just return iam.evil.org to the client. A CNAME record also works to point a domain outside your zone (in this case, the zone is evil.org). For example, if we have a DN whereis.evil.org which resolves to hell.net, then our record can look like this:
whereis.evil.org CNAME hell.net.
Ending with a dot “.” means that the value is a fully qualified domain name (FQDN). The DNS server may return hell.net to the client if it cannot resolve it any further. Then what if I change the value hell.net to localhost? i.e.
whereis.evil.org CNAME localhost.
localhost is a famous “domain name”: it will take you back home. Depending on what kind of software you are using, the outcome will be different. The current approach of using a CNAME record in this post is not aggressive enough; is it possible to harm the user? I am still thinking about this. Let me know if you have any great idea or existing attack using a similar technique.
Thanks Greg! Greg pointed me to this interesting trick.
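As an added example (not code from the original post), a small Python zone auditor that follows CNAME chains the way a resolver does, applies the trailing-dot rule discussed above, and flags aliases that end at localhost or a loopback address, leave the zone, or loop. The zone text, the 203.0.113.10 address and all function names are constructed.

```python
import ipaddress
ORIGIN = "evil.org."   # the zone from the post; every name here is hypothetical

def fqdn(name, origin=ORIGIN):
    """Zone-file rule: a name without a trailing dot is relative to the origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """'owner TYPE value' lines, ';' comments. A values stay addresses; CNAME targets are origin-qualified."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if not fields: continue
        owner, rtype, value = fields[0], fields[1].upper(), fields[2]
        records[fqdn(owner, origin)] = (rtype, value if rtype == "A" else fqdn(value, origin))
    return records

def resolve(name, records, origin=ORIGIN, max_hops=8):
    """Follow CNAMEs the way a resolver does. Returns (status, final target, chain)."""
    chain = [fqdn(name, origin)]
    while len(chain) <= max_hops:
        rtype, value = records.get(chain[-1], (None, None))
        if rtype == "A":
            return "address", value, chain
        if rtype != "CNAME":
            return "referral", chain[-1], chain   # not in this zone: the client must chase the alias
        if value in chain:
            return "loop", value, chain
        chain.append(value)
    return "too-long", chain[-1], chain
def audit(records, origin=ORIGIN):
    """Flag CNAME owners whose chain leaves the zone, loops, or ends at localhost/loopback."""
    findings = {}
    for owner, (rtype, _) in records.items():
        if rtype != "CNAME":
            continue
        status, target, _ = resolve(owner, records, origin)
        if target.rstrip(".") == "localhost" or (status == "address" and ipaddress.ip_address(target).is_loopback):
            findings[owner] = "points to loopback"
        elif status == "referral" and not target.endswith("." + origin):
            findings[owner] = "points outside the zone"
        elif status in ("loop", "too-long"):
            findings[owner] = status
    return findings
ZONE = """
iam      A      203.0.113.10   ; constructed address (TEST-NET-3)
whois    CNAME  iam            ; relative name: becomes iam.evil.org.
whereis  CNAME  hell.net.      ; trailing dot: an FQDN outside the zone
home     CNAME  localhost.     ; the trick from the post
"""
```

Note that a record written as `whois.evil.org CNAME iam.evil.org` without trailing dots would, under the same rule, be qualified to `iam.evil.org.evil.org.` by a zone-file parser.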
November 21, 2008 • 10:52 pm
I did not write a new entry for a very long time. This time, I would like to discuss RFC 2821. This is the first time I have read an RFC. Simple Mail Transfer Protocol (SMTP) is the simplest Internet standard for delivering emails across IP networks. The one I read is not the latest version of SMTP; the most recent one is RFC 5321, which I may take a look at later. But still, it is worth taking a look at RFC 2821 to see how the engineers thought about message delivery in the past.
Once the SMTP client has connected to the SMTP server, the client should send the EHLO command to introduce itself to the server, and the server will reply with the list of extensions it supports. After the connection between client and server is initiated, there are 3 basic steps the client needs to perform to complete the mail submission.
MAIL FROM:<username@domain> – This command declares the sender of the email; it can be used to identify the sender and as the reply address (of course you can specify the reply address with other commands).
RCPT TO:<username@domain> – Conversely, this command declares the recipient of the email; the SMTP server has to verify the recipient’s address before it accepts the mail submission. You can specify more than one recipient, or even a mailing list.
DATA – After this command, the client can submit the content of the message to the server. To declare the end of the message, the client must send an extra line containing a single dot “.”. The Internet Message Format (RFC 2822) defines some fields inside the DATA block to represent different types of information, e.g. SUBJECT.
The mail submission process can be visualized with the following diagram (greatly simplified; I will give a better version later).
The SMTP design may allow an attack at the very beginning, when the client tries to initialize the session. By design, the SMTP protocol allows the server to formally reject a transaction while still allowing the initial connection: the server can send a 554 (Transaction failed) response instead of 220 (<domain> service ready). However, the server must then wait for the QUIT command from the client. What if the client just leaves the connection open and never sends QUIT? And what if there are tons of clients (most likely tons of zombies) doing the same thing at the same time? Can the server handle that? The server may be overloaded by these actions. In other words, it is a denial of service (DoS). More accurately, it is a distributed denial of service (DDoS), because it needs more than one machine to overload the server.
I am still on the way to finishing this RFC; next time I will discuss some extensions mentioned in RFC 2821 which may help spammers to grab email addresses from the SMTP server. Have a guess what they are before I really post the next entry. Enjoy!
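An added Python model of the exchange described in this post (not code from the post or from any real mail server): a minimal RFC 2821 server-side state machine covering EHLO, MAIL FROM, RCPT TO, DATA with the lone-dot terminator, and the 554-greeting path in which the server keeps the connection open and answers 503 until QUIT, plus the idle-connection reaper that RFC 2821 section 4.5.3.2 allows as the server-side mitigation for the scenario above. The host name mail.example.org and all class and function names are assumptions.

```python
import re

class SmtpSession:
    """Server side of one RFC 2821 connection; feed() returns the reply to one client line."""
    def __init__(self, accept=True, now=0.0):
        self.accept = accept            # False: the server refuses the transaction at connect time
        self.open, self.last_activity = True, now
        self.in_data, self.sender, self.rcpts, self.body, self.messages = False, None, [], [], []
        # RFC 2821 3.1: the greeting is 220, or 554 when the server will not accept a transaction
        self.greeting = "220 mail.example.org ESMTP" if accept else "554 No SMTP service here"

    def feed(self, line, now=0.0):
        self.last_activity = now
        if self.in_data:
            if line == ".":                              # a lone dot terminates the message
                self.messages.append((self.sender, self.rcpts, "\r\n".join(self.body)))
                self.in_data, self.sender, self.rcpts, self.body = False, None, [], []
                return "250 OK: queued"
            self.body.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
            return ""
        verb = line.split(" ", 1)[0].upper()
        if verb == "QUIT":
            self.open = False
            return "221 Bye"
        if not self.accept:
            # After a 554 greeting all but QUIT get 503 (RFC 2821 3.1) while the socket stays open: the held resource
            return "503 bad sequence of commands"
        if verb == "EHLO":
            return "250 mail.example.org"
        if m := re.match(r"MAIL FROM:<([^>]*)>", line, re.I):
            self.sender = m.group(1)
            return "250 OK"
        if m := re.match(r"RCPT TO:<([^>]+)>", line, re.I):
            if self.sender is None:
                return "503 need MAIL command first"
            self.rcpts.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 command not recognized"

def reap_idle(sessions, now, timeout=300.0):
    """Mitigation: close sessions idle longer than timeout instead of waiting for QUIT forever (RFC 2821 4.5.3.2: >= 5 min)."""
    idle = [s for s in sessions if s.open and now - s.last_activity > timeout]
    for s in idle:
        s.open = False
    return len(idle)
```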
Filed under: app sec, protocols, spec, DDoS, DoS, email, RFC, SMTP
October 25, 2008 • 10:30 am
Nowadays, more and more PC users are moving to the Mac OS X environment. Infecting Mac OS will become more and more popular in the coming few years. Apple always claims that Mac OS X is virus-free. Yes, that was true while they were still in the PowerPC generation. Once they changed to the Intel architecture, it became easier for virus writers to write code for another OS which can also run on Mac OS.
However, a long time ago Apple noted that USB autorun is a dangerous thing, even though it is very convenient for users. This feature was excluded from the system long ago. As a result, the techniques mentioned in the previous post cannot be performed on Mac OS. The only way I think can be used to infect Mac OS is something like a boot virus, e.g. injecting a jump instruction into the boot sector of the USB storage device.
Instead of describing how the infection can be done, I want to introduce an interesting USB virus (although I think it is a hoax) and some other viruses on Mac. The USB virus was developed by Troika, an art and design studio located in London. They published a demo of this virus on the web under the name Newton. This virus will break the Mac OS into pieces, and they claimed that the effect only appears once. Here is the demo of the virus:
The first worm on Mac OS X was discovered in Feb 2006, as announced by SophosLabs. This worm spreads via the iChat instant messenger, forwarding itself as a file called latestpics.tgz to contacts on the infected user’s buddy list. When the latestpics.tgz archive file is opened on a computer, it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.
“This is the first real virus for the Mac OS X platform,” continued Graham Cluley – Senior Technology Consultant in SophosLabs. “Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows.”
For more detail about this first virus on Mac OS X, please visit this link:
First ever virus for Mac OS X discovered
Only one worm, and the virus-free promise from Apple is disproved.
P.S. Apple changed its virus-free statement to “Designed with security in mind, Mac OS X isn’t plagued by constant attacks from viruses and malware. Likewise, it isn’t inundated by never-ending security dialogs.”
October 4, 2008 • 2:05 pm
In most cases, when you buy software on a CD/DVD and insert the disc into the machine, it prompts a welcome page provided by the software company. Have you ever browsed the disc and looked at its contents? You will soon discover that these CDs/DVDs which prompt when inserted have a common file named “autorun.inf” at the root of the disc. Actually, what Windows does when a disc is inserted is detect and read the autorun.inf to see what should be prompted (in the case of USB, Windows performs the same procedure but with a different result). The following is a typical autorun.inf on a CD/DVD.
[AUTORUN]
OPEN=file
ICON=icon.ico
The file assigned to OPEN is the one that you want Windows to execute when the disc is inserted; the value of the ICON attribute is the one that will be shown in Explorer (when you open Computer, icon.ico is shown as the drive logo of the CD/DVD). Similarly, we can use the same autorun.inf on a USB drive; however, the file assigned to OPEN will not be run automatically. Instead, the autorun function works only when you double-click the icon of the drive in the Computer window.
Back to the USB situation: when you plug in a USB drive containing the autorun.inf above, the following dialog is prompted. This dialog is called the AutoPlay dialog, not autorun; you can search for more information using this keyword.
You don’t see your expected program executing automatically; why is that? Because Microsoft discovered that the autorun feature is a security hole that increases the chance of users being infected, as the popularity of USB keeps increasing. Although we cannot autorun the USB, we can add something to the dialog above to entice the user to execute our programs. The following are some useful entries in autorun.inf that help to get the work done.
shell\open\command=Filename.exe
shell\open=MenuText
By adding these two entries to the autorun.inf file, we can entice users to run what we want them to run, and the icon will show in the AutoPlay dialog as follows. (The red circle is what I added to the autorun.inf.)
The following is the content of the autorun.inf. I did not need to grab any icon files because I use one stored on the user’s computer; I think we can guarantee this file always exists (SHELL32.dll in the system32 folder). There are a lot more entries you can add to autorun.inf, but I don’t see any of them helping to make the autorun more successful. Please let me know if you have any good idea how to make this work better.
[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,3
open=run.bat
action=Open folder to view files
shell\open\command=run.bat
shellexecute=run.bat
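A defender-side triage script, added here and not part of the original post, that parses an autorun.inf with Python’s configparser and lists which entries launch a program (OPEN, SHELLEXECUTE, shell\<verb>\command), relabel a context-menu verb, or borrow the system’s own icon and AutoPlay wording. The sample input is the file listed above; the function names are assumptions.

```python
import configparser

LAUNCH_KEYS = {"open", "shellexecute"}               # entries that name something to execute
DEFAULT_WORDING = ("open folder", "view files")      # mimics the system's own AutoPlay entry

def parse_autorun(text):
    """Return the [autorun] section as a lowercase-key dict ({} if absent).
    interpolation=None keeps '%SystemRoot%' from being treated as a variable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":              # [AUTORUN] and [autorun] both count
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}

def triage(text):
    """List the entries a defender would want to see before trusting the drive."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS:
            findings.append(f"{key} launches {value}")
        elif key.startswith("shell\\"):
            parts = key.split("\\")                   # shell\<verb> or shell\<verb>\command
            what = "launches" if parts[-1] == "command" else "labels the menu entry"
            findings.append(f"context-menu verb '{parts[1]}' {what} {value}")
        elif key == "action" and value.lower().startswith(DEFAULT_WORDING):
            findings.append(f"action text mimics the default AutoPlay entry: {value!r}")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(f"icon borrowed from the system: {value}")
    return findings

# The autorun.inf listed in the post, used as the sample input
SAMPLE = r"""[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,3
open=run.bat
action=Open folder to view files
shell\open\command=run.bat
shellexecute=run.bat
"""
```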
I hope you guys will not be too disappointed about this, because I found that there are lots of articles talking about the same method to autoplay a USB drive.
P.S. In Vista, even the autorun feature for CD/DVD is disabled. Currently I don’t have a WinXP machine so I cannot test it, but before, a CD/DVD was allowed to autorun a file.
September 27, 2008 • 11:00 am
I have investigated USB viruses in the past few months. The USB portable drive is one of the most popular removable devices, replacing CDs and floppies (I think no one uses floppies nowadays). Because of its popularity, it has become a target medium for virus writers to infect and spread their viruses. And in my point of view, spreading viruses via USB is a very interesting topic. To fully understand how USB viruses spread, we should first focus on a more general question: how to autorun a USB drive?
One of the most frequently heard scenarios is, “When I plug the USB into the computer, my anti-virus prompts and says I have been infected!”. Sounds very familiar, right? But why does this work? Is it that easy to autorun a USB drive? Not exactly. Here are some facts.
So it sounds like it is not possible to autorun a USB drive; then how can I do this, or how can a virus infect in this way? Without really auto-running a USB drive, there are a couple of ways to entice the victim into getting infected. Since this topic is very big (the skills vary across different OSes/architectures), I would like to divide this study into 3 parts: in Windows, in *nix systems, and other methods to spread USB viruses, ending with a conclusion.