Archive for the 'Weblication' Category

Ruining Security with java.util.Random

Friday, December 15th, 2006

In my review practice I often have to look at Java source code which is used to generate passwords, authentication tokens or session ids. Every so often this code uses the Java API class java.util.Random to generate random numbers. It is well established in the security industry that this particular random generator is not secure. Since I did not know the reason for this perception, I started to have a closer look.

During the review of the Java API source code I discovered two vulnerabilities which cause the internal state of java.util.Random to be partially exposed or easily guessable. The paper Ruining Security with java.util.Random demonstrates two techniques for how security mechanisms based on java.util.Random can be attacked and, under certain conditions, broken within seconds. Using these weaknesses an attacker can synchronize into the stream of random numbers and therefore calculate all future random numbers. For security-relevant code java.util.Random should never be used. At the very least, the Java class java.security.SecureRandom with the default constructor should be used instead. This provides much better security.
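To make the point above concrete, here is an added example (not code from the paper) showing the weak token-generation pattern I keep seeing in review beside the corrected one. The class and method names are my own; the seed value is a constructed example.

```java
import java.security.SecureRandom;
import java.util.Random;

public class TokenGeneratorComparison {

    // Weak pattern: java.util.Random carries only 48 bits of internal state, so
    // however long the token, there are at most 2^48 distinct token streams, and
    // once the state is known every future token is determined. The no-argument
    // constructor seeds that state from a time value, which narrows it further.
    static String weakToken(Random rng, int bytes) {
        byte[] buf = new byte[bytes];
        rng.nextBytes(buf);
        return hex(buf);
    }

    // Corrected pattern: java.security.SecureRandom with its default constructor
    // selects the platform's strongest available provider and is seeded by the OS.
    static String strongToken(SecureRandom rng, int bytes) {
        byte[] buf = new byte[bytes];
        rng.nextBytes(buf);
        return hex(buf);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Two Random instances with the same 48-bit seed produce identical
        // "session ids": the whole stream is a pure function of that seed.
        long seed = 0x5DEECE66DL; // constructed example seed, not a real secret
        String a = weakToken(new Random(seed), 16);
        String b = weakToken(new Random(seed), 16);
        System.out.println("java.util.Random, same seed, same tokens: " + a.equals(b));

        // Two SecureRandom instances share no reproducible seed; the tokens
        // differ, and knowing one tells an observer nothing about the next.
        String c = strongToken(new SecureRandom(), 16);
        String d = strongToken(new SecureRandom(), 16);
        System.out.println("SecureRandom, default constructor, same tokens: " + c.equals(d));
    }
}
```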

If you know about other vulnerabilities in the design of java.util.Random or you know about vulnerabilities in java.security.SecureRandom I would be happy to hear about it.

Compass Security Event 2006 - Internet Explorer Fuzzing and Microsoft Incident Handling

Thursday, October 26th, 2006

In January 2006, using fuzzing techniques, I discovered the HTML Parsing Vulnerability CVE 2006-1185 in Internet Explorer versions 5.01 to 6.0 SP2. I reported this bug to Microsoft through responsible disclosure, which in turn led to one of the fixes in April's super Tuesday Internet Explorer cumulative patch MS06-013. But how did I get there?

The whole thing got started in December 2005 with a presentation Ilja van Sprundel gave at the 22C3 in Berlin. Since I was working on a new course on content security, I thought I would give it a try and play around with fuzzing. I took Michal Zalewski's mangleme fuzzer, which had already been used to identify the IFRAME vulnerability CVE 2004-1050, and modified it to cover all HTML tags which are supported by Internet Explorer.

Within a quarter of an hour I had my first reproducible sample which crashed Internet Explorer. Within the next couple of hours I found additional reproducible crashes. So what was I going to do? Test Microsoft's incident handling. So I took all the samples and sent them to secure@microsoft.com. After 2 weeks Microsoft confirmed that one of the repros was indeed doing more than crashing the browser. So I had found my first zero-day vulnerability in a mass-market product.

At Compass Security Event 2006 I gave a talk on how I fuzzed the bug out of Internet Explorer and how Microsoft responded to my report. Included was an introduction to fuzzing and a timeline of events from discovery until now. The slides can be found here.

XML File Inclusion and Path Traversal Attacks

Wednesday, September 27th, 2006

Colin Wong's paper XML Port Scanning - Bypassing Restrictive Perimeter Firewalls describes a way of abusing XML parsers in web services and web applications to footprint DMZ and backend services. Actually, the attack scheme is not new: it was already described in a post from October 2002 by Gregory Steuck as the XML eXternal Entity Attack (XXE).

So here are my two cents on this topic: the attack scheme is actually more potent than they imagine. Depending on the application, it is possible to include server-side files into XML documents. If, for example, the content of the processed XML document is stored in a database and it is possible to read the database through the same or other web services or web applications, then the file content is disclosed.


Swiss Infosec Event 2005 - Forensic in e-Business Applications

Friday, October 28th, 2005

Forensic analysis in e-business applications is not a trivial task, since it requires good preparation. At the Swiss Infosec Event in 2005 I gave a high-level talk on this topic. On the basis of three real-life cases (web site defacement, phishing and insufficient log content) I showed what can go wrong when web site owners are not prepared for an incident. The presentation leads to the conclusion that there should be centralized logging, unique identifiers to correlate log files across application tiers and sufficiently verbose log content to achieve meaningful forensic results. The German version of the slides can be downloaded here.


Compass Security Event 2003 - Web Service Security

Tuesday, January 21st, 2003

Web services have been hyped for quite a while, and many security professionals still do not know what it is all about. At the Compass Security Event in 2003 I gave an introductory talk on web service security. It covers SOAP, WSDL and UDDI and some high-level threat analysis of web service attacks. For details see the slides.

Java Object Inspector

Thursday, October 24th, 2002

Penetration testers are often faced with the situation in which they have to test authentication, authorization and failure behavior. One question could be: Is it possible for a customer to access or modify the data of another customer? To test this in browser applications, they modify the requests sent to the server using some kind of inspection proxy, like Paros.

However, there are also non-browser client applications written in high-level languages like Java. Often these applications do not communicate with the server in plaintext HTTP requests but instead use some sort of binary communication. Such traffic cannot be decoded and modified easily because of its proprietary data format, which makes testing with text-based proxy tools almost impossible.

To facilitate the testing of client applications written in Java 1.2 and above, I have developed a tool called the Java Object Inspector. This tool allows inspection and modification of data records (i.e. member variables of Java objects) in running Java applications and applets. For details see paper.