hac.’s Weblog

Just a place to share my life

A little observation in Safari

After I heard that Apple had already fixed the carpet bomb vulnerability in Safari 3.1.2, I tried to continue using Safari on my Mac. However, I discovered that the problem seems to remain, so I switched to Windows to see whether it was solved on Windows only. That’s true: the carpet bomb is patched in Safari 3.1.2, but only in the Windows version. I don’t understand why Apple would fix the problem only partially. Although the issue may not be as serious as on Windows, the problem still exists!

When I was trying to verify whether this bug had been fixed, I discovered that the status bar is hidden by default in Safari. This is not a vulnerability in itself, but I think the status bar is sometimes a very useful tool for avoiding phishing, because when you move your cursor over a hyperlink, the status bar shows the destination of the link without your clicking it. Take the following as an example. More than a month ago, a spam mail was circulating on the Internet. The content of the mail is captured below.

Everything looks good, but the Download link is actually a trojan!

All the links and the content of the mail look fine, but the Download link points to a trojan! At this moment, a careful user will use the status bar to examine the links before actually clicking on them. Sometimes you use it naturally without even noticing.

Since Google Chrome uses the same core as Safari, I checked whether Chrome also has this issue. The status bar in Google Chrome is basically “hidden”, but it shows up when it is needed: Chrome shows the link destination when you move the cursor over a link.

I am still looking forward to seeing Apple solve the carpet bomb in the Mac version of Safari. At this moment, there is no reason for me to use it.

Filed under: browser, spam

A week in Richmond

It has already been more than a week here in Richmond. Everything is fine. There are many Chinese in the office, so it is just like working in Shanghai. There are also many Brazilians in the office; their accent is a bit strange, they keep folding their tongue when pronouncing every word, but it is much more “listenable” than an Indian accent. I am not saying Indians are not good at English; it is just that I cannot get used to their accent.

Last Wednesday was the Microsoft company meeting 2008! During the meeting, they announced some really cool web applications, Office Live and Live Mesh. Office Live is a kind of online version of Microsoft Office: you can upload a local Office file and share it with others (I don’t know if it will support creating documents online; if so, it is really cool). Live Mesh is a synchronization tool similar to Apple’s MobileMe and Dropbox. These are pretty cool applications which are going to beat Google and Apple, in my point of view. I have not tried them yet, but I would like to take some time to investigate them.

Last Sunday, I cooked some soup and prepared to have it with noodles and spaghetti. The following are some pictures of the food. Yummy!

This photo was taken at the Mid-Autumn Festival; the moon was as round as a ball. My dear love, family members and friends, we are watching the same moon during the Mid-Autumn Festival.

Have a nice day!

Filed under: personal

Get around in Richmond

The day before yesterday, I went to the Canada Border Services Agency downtown to finish the customs clearance process. Thanks to KK for helping me print out the required documents (I don’t have a printer here). He also gave me a small tour around UBC (from the bus station to the canteen, then from the canteen to his office). UBC is a very nice place, full of greenery around the campus, and it is really big.

Downtown is just like Central in Hong Kong; I may go downtown to take some photos today. I can now travel around Vancouver with the monthly farecard (it cost me CAD$99). I will show you the place as soon as possible.

Yesterday, I went to the supermarket, trying to fill my big fridge. There are three supermarkets within 10 to 20 minutes (by bus #11): one is Save-On-Foods, and the other two are Chinese supermarkets. In Save-On-Foods and other foreign supermarkets, they offer a lower price to their members; members can sometimes save around CAD$0.5 to $1 on each item. In the Chinese supermarkets, all the items are already taxed, which means what you see is what you pay. I saw some well-known brands from Hong Kong, but they are very expensive, double or even more compared with local products.

Last night was the first time I cooked in Richmond, a real home-made dinner. Overall it was delicious, except the pork chops were a bit salty. Here is my home-made dinner from last night.

Below are more photos I took yesterday. Enjoy!


Filed under: personal

1st day in Vancouver

I could not sleep well either on the flight or in the apartment (actually, I forgot that I cannot drink coffee; it hypes up my brain, which is why I could not sleep last night). I won’t drink coffee anymore. Green tea is great.

The apartment is really cool. It has a small pantry, and all the basic stuff in the kitchen and bathroom is provided, like forks, spoons, a personal health care pack and laundry powder. It also has rinse agent (for the dishwasher) and a dryer (these are not popular in Hong Kong).

Thank you so much for the help from Uncle Leung, a friend of my father. He really helped me quite a lot, and I wasted much of his time. I had been told to check in to an apartment somewhere in Vancouver, but in truth it is in Richmond (because I don’t have a driver’s licence). I made uncle waste three hours waiting at the incorrect address. I feel compunction about that.

Below are some photos I have taken in my apartment; here is the link to the album.

Today, I am going to familiarize myself with the area and take some time to walk around. I also want to cook my lunch and dinner. Ha, I am looking forward to seeing what will happen; I will report the result asap.

ps. Sorry guys, I need to familiarize myself with the area first, and I am worried that I cannot write security related posts this week. But I do have some interesting things to share with you, so please wait for me.

Filed under: personal

Go to Vancouver

I am going to leave Hong Kong at 12:45, Hong Kong time. I will start working in Vancouver later.

I may write some blog entries during the flight, so you can come back 15 hours later.

Hope to see you there.

Filed under: personal

Google Chrome has the same bomb as Safari

Yesterday, Google released its new web browser, Chrome. I just downloaded it and gave it a try. After reading a brief introduction on its official homepage, I discovered that there may be a vulnerability. Here is the description from the official site.

No intrusive download manager; you see your download’s status at the bottom of your current window.

I have not watched the introduction video yet, but from the description, the first thing I wondered was: does it have the same carpet bomb as Safari? Maybe some of you did not read my earlier entry about the carpet bomb in Safari. There is a bomb because Safari does not notify the user before it starts downloading a file from a website. This means a site can push tons of files to the victim’s computer without their knowledge and fill a folder up with its files (in Safari, the default destination for downloaded files is the desktop, so you can imagine what will happen). With a friendly file name, the victim can even be enticed into executing the evil file.

Unfortunately, the default setting of Google Chrome has the same problem: it downloads files without asking the user’s permission, although the destination of downloaded files is not your desktop. Luckily, unlike Safari, Chrome allows the user to choose the destination each time a file is going to be downloaded. So before using Chrome as your default browser, customize its download location setting first.

I can imagine that more bugs will come from Chrome in the future (of course, no software is perfect). So until the next bug is discovered, enjoy your life in Google Chrome.

Filed under: app sec

Run JavaScript without tags

Nowadays, Cross Site Scripting (XSS) attacks are very popular. Many web application developers try hard to use different kinds of methods to prevent XSS attacks. Many web applications have text areas for users to input their thoughts or comments and post them to a thread. This kind of text area is a very useful tool for performing an XSS attack. There are some ways to prevent the attack in these text areas. Forum applications (e.g. phpBB, Discuz!) developed their own markup language to be used in these areas (e.g. BBCode); in most small applications, programmers simply try to remove HTML tags in order to allow only plain text submissions.

Consider the second approach: applications written in PHP usually use strip_tags() to remove the HTML tags, or htmlentities() to keep a plain text version of the user’s evil ‘thoughts’. Currently, htmlentities() can only be exploited through a buffer overflow; I don’t know any technique that can bypass htmlentities() and perform an XSS attack on the application. Should you know about one, please feel free to let me know. Fortunately, if the developers use strip_tags() in their applications, sometimes we can bypass strip_tags() and get our scripts to run. Take the following code as an example.

<?php
  $userid = $_REQUEST["userid"];
  $passwd = $_REQUEST["passwd"];
  // strip_tags() removes <...> sequences but leaves quote characters untouched
  $userid = strip_tags($userid);
  // ...
?>
<!-- ... -->
  <?php
    echo "<form action=\"evil.php\" method=\"get\">";
    // $userid is echoed inside a double-quoted attribute without attribute escaping
    echo "<input type=\"text\" name=\"userid\" value=\"".$userid."\" />";
    echo "<input type=\"password\" name=\"passwd\" />";
    echo "<input type=\"submit\" name=\"submit\" value=\"Login\" />";
    echo "</form>";
  ?>
<!-- ... -->

Some of you may immediately spot the vulnerability in this code segment. For those of you who don’t come up with an idea immediately, let’s first read the description of strip_tags() from the PHP documentation.

string strip_tags ( string $str [, string $allowable_tags ] )

This function tries to return a string with all HTML and PHP tags stripped from a given str. It uses the same tag stripping state machine as the fgetss() function.

From the description, we know that strip_tags() only removes HTML tags from the input string $str and returns the string with every tag that is not allowable removed. You may think this is enough to keep hackers away from your application, but it is not. I have to mention that inside HTML tags we can add event handlers; e.g. in an <input> tag we can add a handler that runs when the input is focused (onfocus="..."). There are more event handlers; you can google the keywords “javascript event handler” (without quotes). If we can add any kind of event handler to the above code segment, everything is done, because the event handler can execute JavaScript! Now we are only one step away from the attack: how can we add an onfocus event handler to the code? The developer actually gives us a hand, because he uses double quotes around the string $userid. To see why, consider the following input string (including the quotes).

" onfocus=alert(123); "

When you click on the input text, a dialog will pop up. We got it! You can now exploit this vulnerability. However, some of you may be wondering: instead of strip_tags(), what can we use to prevent XSS attacks, or to prevent users from using HTML tags? Currently, I think the easiest way is to use htmlentities(): all characters which have HTML character entity equivalents are translated into those entities by the htmlentities() function.
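To make the attribute-context issue concrete, here is an added C++ illustration (my code, not code from the post and not PHP’s own functions): strip_tags_like() mimics what strip_tags() does to this payload, escape_attr() mimics htmlentities() with ENT_QUOTES, render_input() rebuilds the echo line from the code above, and attribute_names() is a crude stand-in for the browser’s tokenizer that reports which attribute names end up outside any quoted value. All of those names are my own; the payload is the one from the post.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

using namespace std;

// Simplified model of PHP's strip_tags(): drops every "<...>" run but leaves
// quotes and every other character untouched. Not the PHP function itself.
string strip_tags_like(const string &s) {
    string out;
    bool in_tag = false;
    for (char c : s) {
        if (c == '<') in_tag = true;
        else if (c == '>' && in_tag) in_tag = false;
        else if (!in_tag) out += c;
    }
    return out;
}

// Simplified model of htmlentities()/htmlspecialchars() with ENT_QUOTES: the
// five characters that matter inside an attribute value become entities, so
// the value can never terminate the quoted attribute.
string escape_attr(const string &s) {
    string out;
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#039;"; break;
            default:   out += c;
        }
    }
    return out;
}

// The vulnerable echo line from the post, rebuilt as a C++ string.
string render_input(const string &userid) {
    return "<input type=\"text\" name=\"userid\" value=\"" + userid + "\" />";
}

// Crude attribute tokenizer for one tag: returns the attribute names a browser
// would see. A quoted value is skipped as a unit, so a name is only reported
// when it sits OUTSIDE any quoted value.
vector<string> attribute_names(const string &tag) {
    vector<string> names;
    size_t i = tag.find(' ');  // skip the tag name ("<input")
    if (i == string::npos) return names;
    while (i < tag.size()) {
        while (i < tag.size() && tag[i] == ' ') ++i;
        if (i >= tag.size() || tag[i] == '/' || tag[i] == '>') break;
        size_t start = i;
        while (i < tag.size() && tag[i] != '=' && tag[i] != ' ' &&
               tag[i] != '>' && tag[i] != '/') ++i;
        names.push_back(tag.substr(start, i - start));
        if (i < tag.size() && tag[i] == '=') {
            ++i;
            if (i < tag.size() && tag[i] == '"') {           // quoted value
                size_t close = tag.find('"', i + 1);
                i = (close == string::npos) ? tag.size() : close + 1;
            } else {                                         // unquoted value
                while (i < tag.size() && tag[i] != ' ' && tag[i] != '>') ++i;
            }
        }
    }
    return names;
}

bool has_attribute(const string &tag, const string &name) {
    vector<string> names = attribute_names(tag);
    return find(names.begin(), names.end(), name) != names.end();
}

// Constructed sample input: the payload quoted in the post.
const string PAYLOAD = "\" onfocus=alert(123); \"";

int main() {
    string stripped = render_input(strip_tags_like(PAYLOAD));
    string escaped  = render_input(escape_attr(PAYLOAD));
    cout << stripped << "\n  onfocus attribute present: "
         << has_attribute(stripped, "onfocus") << "\n";
    cout << escaped << "\n  onfocus attribute present: "
         << has_attribute(escaped, "onfocus") << "\n";
    return 0;
}
```

With strip_tags_like() the rendered tag gains an onfocus attribute: the payload contains no tag for strip_tags() to remove, and its leading quote closes the value attribute early. With escape_attr() the quotes become &quot; and the whole payload stays inside the attribute value. One caveat on the remedy: htmlentities() encodes double quotes by default but leaves single quotes alone unless ENT_QUOTES is passed, so an attribute quoted with single quotes needs that flag.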

A demonstration will be uploaded later; currently I am looking for a good web hosting company, any suggestions? I would like to have almost full access to the machine.
Should you have any interesting experience or thoughts to share, please do not hesitate to share them with me.

Filed under: webapp sec

Commitment

Starting next month, this WordPress site will become a blog for both personal and security things (because I am too lazy to manage 2 blogs at the same time). Some of you may know that I am going to leave Hong Kong on Sep 10 and go to beautiful Vancouver. I just want to write some personal stuff here to keep you guys in Hong Kong updated.

Before going to work in Vancouver, I would like to make a commitment to myself, setting some goals for me to grow and reach. As a person interested in security, my first goal is to learn more security related things. As a tester in the company, another goal of mine is to become familiar with the project I am going to work on and with software testing techniques. As a good photographer, taking pictures at least once a week and sharing the best one with you is my job. Since I am an ‘English as a second language’ person, improving my English is a must. So the following are my targets and a draft of how to reach them.

(From 20080901 to 20090901)

To be a security guy

  • Finish writing three entries on WordPress related to keyloggers, the CSS history hack and USB viruses.
  • Find a hosting company to buy a server from (Linux or Windows, I have not decided yet; comments are welcome) for network/web app security research purposes.
  • Finish reading at least two books on my bookshelf. Highest priority books: The Art of Computer Virus, Fuzzing Test.
  • Publish at least two WordPress entries related to security, whether techniques or news.

To be a tester

  • Understand how the software works: as I am going to work on the core part (mail routing, anti-virus, anti-spam, mail delivery, …) of a mail and collaboration system, I should know how they work, the protocols they use (SMTP, POP3, IMAP, …) and algorithms/techniques such as Aho-Corasick, Bayesian filtering and unified messaging.
  • Become familiar with testing procedures and methods: black, white and gray box testing; integration and acceptance testing; installation, regression, upgrade and backward compatibility, accessibility, internationalization and localization, and API testing; and more.
  • Complete reading the book Microsoft Exchange Server 2007: The Complete Reference, which is related to the project. (Backup plan: read the specific chapters related to my team.)

To be a photographer

  • Take pictures around Vancouver, Burnaby and Richmond every weekend, focusing on landscapes around the area.
  • Become familiar with basic construction methods, and get used to them.
  • Save money for a new camera; the current target is the Nikon D90.
  • Publish at least two entries here with the best pictures I take every week.

To improve English

I am sure that I will reach all these goals; wait for my commitment review one year later!

Filed under: others

What is HackerSafe?

Last night, I read the report of a security survey held by Jeremiah. I need to mention that I am really new to security, a novice, so if you already know what HackerSafe is, you may just skip this. Of course, comments or corrections are always welcome.

In the survey, Jeremiah asked ‘What is HackerSafe?’. I had not heard of this name before, which is why I would like to spend some time studying what it is. Actually, you may already have seen the symbol before. Following are examples taken from starbucksstore.com and buynetgear.com.

HackerSafe logo from StarbucksStore.com

HackerSafe logo from BuyNetgear.com


Once you see the above symbol, you may feel familiar with it. HackerSafe is a piece of software that makes a website safe from hackers, mostly used on e-shopping sites. The symbol itself gives customers confidence to shop on the site.

However, is it worth having one on your e-shopping site? If you google “hackersafe news” (without quotes), you may discover that there is more negative than positive news related to HackerSafe. They claim that the software meets the official requirements of Visa and MasterCard and protects you from viruses, spam, spyware and many other threats, but the news tells you the truth: there is still a long way to go, and security is a long war between evils and protectors (a hacker is sometimes also a protector, which is why I say evils rather than hackers). But still, HackerSafe is ‘safe for hacker’.

ps. I cannot find a product named HackerSafe on the McAfee US site. Do McAfee Secure and McAfee HackerSafe refer to the same thing? Should you know the difference between them, please let me know.

Filed under: app sec

Aho-Corasick – Automaton

Last time, we talked about how to construct the trie of a set of patterns. But with only the trie, we cannot perform pattern matching. The edges in the trie are only the transitions taken when the target character matches the label on an edge. What if a mismatch occurs? How can we handle that case? Before discussing the details of how the algorithm solves the problem, let’s define some functions that are important for the discussion.

  1. The go function go(q, a) gives the state entered from the current state q by matching the target character a. In other words, if there is an edge from q to another state v labeled a, then go(q, a) = v. Let’s assume the root is state 0; then go(0, a) = 0 for all a that do not label an edge outgoing from the root. This means the automaton stays at the initial state while scanning non-matching characters. Otherwise, go(q, a) is null, meaning there is no edge with label a.
  2. The fail function fail(q), for q not equal to the start state, gives the state entered when a mismatch occurs; a mismatch means there is no outgoing edge with a suitable label for the target character. fail(q) is the state whose label is the longest proper suffix of q’s label that is also a prefix of some pattern, i.e. the deepest such node in the trie. Considering the example above, the final states with incoming edge labeled ‘S’ have fail functions pointing to the internal node with incoming edge labeled ‘S’. The diagram below shows two fail transitions (dotted edges) of the example.
    Trie with two fail transitions

  3. The out function out(q) gives the set of patterns recognized when entering state q. Before the construction of the automaton, the final states are only those nodes that are the end of a pattern. When constructing the automaton, some internal states become final states because fail transitions are added to the original trie. As mentioned before, the algorithm first constructs a trie and then uses this trie to construct the automaton. Actually, the construction of the trie is, in other words, the computation of the go function, which means the edges in the trie are the main part of the go transitions. What is the missing part? What if an outgoing edge from the root does not exist? Yes, there is one case to handle: a mismatching character at the start state. Adding these edges from the root back to itself solves the problem.
    for (int i = 0; i < N; ++i) {
      if (root->go[i] == NULL) {
        root->go[i] = root;
      }
    }

According to the definition, most of the go transitions are already finished in the construction of the trie. Then what kind of go transition is missing? Yes, the mismatch at the start state (root node). Obviously this kind of mismatch is not covered by the definition of the fail function, because you cannot fall back to a preceding node when you are at the start state. To handle this situation, add edges from the root node back to itself for every label that is not the first character of any pattern.

The completed AC automaton

The remaining part of the construction is to compute the fail and out functions. There are some observations on them. The algorithm should first compute the fail and out functions on nodes closer to the root, which means it computes these functions in breadth-first order. Besides, consider nodes u and v where v = go(u, a); in other words, u is the parent of v. The string from the root to v, denoted L(v), is equal to L(u)a. So what should the fail function f(v) be? It should be the deepest node labeled by a proper suffix of L(v), where the deepest node is the one farthest from the root. As a result, the algorithm first checks f(u) to see whether it has a go(f(u), a) transition; if not, it checks whether there is a transition go(f(f(u)), a), and continues until it finds a valid go(state, a) transition. Here is pseudocode of the algorithm which computes the fail functions together with the out functions. Please note that there is a small change in the structure of the nodes, because a node may be the terminal node of more than one pattern. Why? I leave this for you to think about.

#include <list>
#include <queue>
#include <string>
using namespace std;

// N is the alphabet size (one go[] slot per character), as in the trie entry.

struct Node {
  Node *fail;
  Node *go[N];
  list<string> out;   // a node may terminate more than one pattern
  Node() {
    fail = NULL;
    for (int i = 0; i < N; ++i)
      go[i] = NULL;
  }

  ~Node() {
    for (int i = 0; i < N; ++i)
      if (go[i] != NULL && go[i] != this)   // skip the root's self-loops
        delete go[i];
  }
};

// Breadth-first computation of fail and out for every node below the root.
queue<Node *> q;
for (int i = 0; i < N; ++i) {
  Node *s = root->go[i];
  if (s != NULL && s != root) {   // real children of the root fail back to the root
    s->fail = root;
    q.push(s);
  }
}
while (! q.empty()) {
  Node *p = q.front(); q.pop();
  for (int i = 0; i < N; ++i) {
    Node *u = p->go[i];
    if (u != NULL) {
      q.push(u);
      Node *v = p->fail;
      while (v->go[i] == NULL) {   // terminates: root->go[i] is never NULL
        v = v->fail;
      }
      u->fail = v->go[i];
      // copy (not splice) the fail node's outputs: splice would move them out
      // of u->fail->out and lose the matches that end at the fail node
      (u->out).insert((u->out).end(), u->fail->out.begin(), u->fail->out.end());
    }
  }
}

After the above preprocessing of the patterns, performing the pattern matching is trivial.

#include <cstring>

Node *state = root;          // named state, not q, to avoid clashing with the queue above
size_t len = strlen(S);
for (size_t i = 0; i < len; ++i) {
  unsigned char c = S[i];    // index go[] by byte value, never by a signed char
  while (state->go[c] == NULL) {
    state = state->fail;
  }
  state = state->go[c];
  if (! state->out.empty()) {
    report_match(i, state->out);   // every pattern ending at position i
  }
}
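Pulling the pieces of this post together, here is an added, self-contained C++ version of the whole automaton (my code, not the post’s): trie insertion (the go function for real edges), the root self-loops, the breadth-first fail/out computation, and the matching loop. It assumes a byte alphabet of N = 256 and keeps every node in a vector of unique_ptr so no recursive destructor is needed; out lists are copied from the fail node rather than spliced, so the fail node keeps its own matches. The patterns and text in main() are a constructed sample.

```cpp
#include <iostream>
#include <list>
#include <memory>
#include <queue>
#include <string>
#include <utility>
#include <vector>

using namespace std;

const int N = 256;  // alphabet size: one go[] slot per byte value (assumption)

struct Node {
    Node *fail = nullptr;
    Node *go[N] = {};
    list<string> out;  // patterns ending here, including those inherited via fail
};

class AhoCorasick {
public:
    explicit AhoCorasick(const vector<string> &patterns) {
        root = make_node();
        for (const string &p : patterns) insert(p);
        build();
    }

    // Scan the text once; returns (end index, pattern) for every occurrence,
    // overlapping occurrences included.
    vector<pair<size_t, string>> search(const string &text) const {
        vector<pair<size_t, string>> hits;
        const Node *q = root;
        for (size_t i = 0; i < text.size(); ++i) {
            unsigned char c = text[i];                 // never index by a signed char
            while (q->go[c] == nullptr) q = q->fail;   // root->go[c] is never null
            q = q->go[c];
            for (const string &pat : q->out) hits.emplace_back(i, pat);
        }
        return hits;
    }

private:
    vector<unique_ptr<Node>> pool;  // owns every node
    Node *root;

    Node *make_node() {
        pool.emplace_back(new Node());
        return pool.back().get();
    }

    // Trie construction: the go function for real edges.
    void insert(const string &p) {
        Node *q = root;
        for (unsigned char c : p) {
            if (q->go[c] == nullptr) q->go[c] = make_node();
            q = q->go[c];
        }
        q->out.push_back(p);
    }

    // Root self-loops, then fail and out in breadth-first order.
    void build() {
        for (int i = 0; i < N; ++i)
            if (root->go[i] == nullptr) root->go[i] = root;
        queue<Node *> q;
        for (int i = 0; i < N; ++i) {
            Node *s = root->go[i];
            if (s != root) { s->fail = root; q.push(s); }
        }
        while (!q.empty()) {
            Node *p = q.front(); q.pop();
            for (int i = 0; i < N; ++i) {
                Node *u = p->go[i];
                if (u == nullptr) continue;
                q.push(u);
                Node *v = p->fail;
                while (v->go[i] == nullptr) v = v->fail;
                u->fail = v->go[i];
                // copy, not splice: the fail node must keep its own outputs
                u->out.insert(u->out.end(), u->fail->out.begin(), u->fail->out.end());
            }
        }
    }
};

int main() {
    vector<string> patterns = {"he", "she", "his", "hers"};  // constructed sample
    AhoCorasick ac(patterns);
    for (const auto &hit : ac.search("ushers"))
        cout << "pattern \"" << hit.second << "\" ends at index " << hit.first << "\n";
    return 0;
}
```

On the text "ushers" the automaton reports "she" and "he" both ending at index 3 (the "he" comes from the out list inherited through fail) and "hers" ending at index 5. Searching "he" on its own still reports one match, which is exactly what the splice version in the post would lose: after "she" inherited from "he", the "he" node’s own out list would be empty.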

Thank you for reading. Please feel free to leave any comments or suggestions. Any suggestions on what I should do next? Or any interesting security stuff I can research?

Filed under: Uncategorized