One of the great things about being bored sitting at a datacenter waiting for long processes to finish is the opportunity to fill that mind-numbing boredom with useful knowledge. I spent the past little while learning DTrace. I gotta say, I love it. The SolarisInternals site has many good scripts to help teach DTrace. One of the things I'd like to do with DTrace is use it for malicious purposes. In my Linux days, I authored a project called Project Hijack, which allows an attacker to effortlessly inject arbitrary code into a process during runtime and hijack dynamically loaded functions. I'd like to port that project, or as much of it as possible, to DTrace.
It took me about 30 minutes to be comfortable writing simple DTrace scripts. Here's one tiny malicious script I wrote:
#!/usr/sbin/dtrace -s
/* copyoutstr() is a destructive action: DTrace rejects the script unless
 * destructive actions are enabled here or with dtrace -w. */
#pragma D option destructive

/* arg0 is the user-space pointer to the path passed to open(2) */
syscall::open:entry
/copyinstr(arg0) == "/tmp/mal.txt"/
{
    /* overwrite the path in the caller's address space before the kernel reads it */
    copyoutstr("/tmp/haha.txt", arg0, strlen("/tmp/haha.txt"));
}
Any time an application tries to open /tmp/mal.txt, it will actually open /tmp/haha.txt instead. This script is simple, and that simplicity is the reason I really love DTrace.
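As an added example that is not part of the original post, here is the read-only counterpart of the script above: instead of rewriting the path, it records which process opened the watched file, with what flags, and whether the open succeeded. The script name and the use of the $$1 macro argument for the path are my assumptions; the probes and built-in variables are standard DTrace on OpenSolaris.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post): audit open(2) calls on the
 * path given as the first script argument. Nothing is written back into the
 * traced process, so no destructive mode and no -w flag are required.
 *
 * Assumed invocation: ./watchopen.d /tmp/mal.txt
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("watching open(2) of %s; Ctrl-C to stop\n", $$1);
    printf("%-6s %-16s %-8s %s\n", "PID", "EXECNAME", "FLAGS", "RESULT");
}

/* entry: arg0 is the user pointer to the path, arg1 the open(2) flags */
syscall::open:entry
/copyinstr(arg0) == $$1/
{
    self->path = copyinstr(arg0);
    self->flags = arg1;
}

/* return: arg0 is the new file descriptor, or -1 with errno set */
syscall::open:return
/self->path != NULL/
{
    printf("%-6d %-16s 0x%-6x fd=%d errno=%d\n", pid, execname,
        self->flags, arg0, arg0 == -1 ? errno : 0);
    @opens[execname, self->path] = count();
    self->path = 0;
    self->flags = 0;
}

dtrace:::END
{
    printf("\nopens per process and path:\n");
    printa("%-16s %-30s %@d\n", @opens);
}
```

The predicate on the return probe only fires for threads that passed the entry predicate, which is what makes the per-thread self-> variables safe to read there; clearing them afterwards keeps the script from leaking thread-local storage on long runs.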
I'll write more about it later. The processes I'm running on our production server are almost finished. Also, I'll be at Defcon. If you wanna meet up, let me know. Drop a comment or send me an email.
I bought the Droid X. It's the largest phone I've ever purchased. It feels weird being back on Verizon. I started out with a dumbphone on Verizon three years ago then I went to AT&T for the iPhone 3G and finally ended up at T-Mobile with the Nexus One. T-Mobile doesn't have the best coverage so I wanted another carrier for trips and vacations. Verizon's network sure has changed (for the better, of course) in these last three years.
The phone itself is nice. I miss the trackball that the G1, MyTouch 3G, and Nexus One (all of which I've owned) have. The screen size is perfect for reading material larger than Wordpress blogs. The size of the screen, though, can be a bit uncomfortable at times, like when playing solitaire. I'm used to using one hand with my Android devices, and the Droid X occasionally requires two hands.
I've found that I can bypass the Grooveshark wifi-only restriction for certain songs if I use Froyo's built-in wireless tether on my Nexus One to tether my Droid X. Unfortunately, Grooveshark isn't the most stable of apps and can poop out if there's any packet loss (which sadly happens frequently on T-Mobile's network in my area).
I'm not a fan at all of the Motoblur UI. I quickly installed ADW Launcher from the Market and got the familiar mostly stock UI I love.
Overall, I think the Droid X is a great Android phone. I'll be buying an HDMI cable for it shortly. It might launch me into the gaming scene. I haven't tested 720p recording or playback yet. I'm sure I'll enjoy it just like I enjoy the rest of the phone. This phone is worth its weight in money.
I updated my Nexus One to the official Froyo FRF85B release a few days ago. I love the improvements Google and others have made to Android. One of my favorite features is WiFi tether. I have a mobile WiFi hotspot wherever I go. Everything is very noticeably faster on Froyo. I'm really impressed at how everything comes together in a unified manner.
I frequently bike to work. On my way, I listen to Pandora to make the twenty-mile journey bearable. I noticed that when I bike parallel and nearly underneath power lines, all data services die. My phone still shows full 3G bars, but all data synchronization stops. Pandora stops playing, email stops syncing, etc. I bike underneath power lines for around six of the twenty miles, a pretty significant portion to be without data services.
This problem didn't occur on Eclair. I tested on both Eclair and Froyo using both a bluetooth headset and regular 3.5mm headphones. No issue on Eclair with either headset, but it was an issue on Froyo with both headsets. My guess is that the Froyo radio is much more sensitive to interference than Eclair.
I contacted Google's Nexus One tech support. They've escalated the issue to the engineering department. I'll let you guys know what happens. Here is a thread I created on the Nexus One support forums about the issue.
A few years back, I researched runtime process infection. I developed a shared library to ease code injection and hijacking. The project, libhijack, only got up to version 0.3 but was full-featured at 0.3. I now own a MacBook Pro and would like to try my hand at porting libhijack to DTrace. I'd like to research how to use DTrace for malicious purposes.
I'll report back when I learn a bit more.
For the past little while, I've had a few projects at an online security community called Binary Revolution (BinRev for short). I had the opportunity to cohost a radio show called BinRev Radio Remix. It was a lot of fun and I'll be looking forward to next month's show live at Defcon. Feedback for this episode can be sent to lattera@0xfeedface.org.
Show Notes:
I just bought some new networking equipment. I'll be upgrading the network this weekend. Please be patient through any downtime.
I've now integrated 0xfeedface.org with Google Apps. If you want to contact me, you can email me at lattera[at]0xfeedface.org. I also have a Google Wave account at that same address. That is also my Google Chat address. I'll be setting up accounts for our other users.
I realized that I've been posting a lot about OpenSolaris. Today's no exception. I've been attempting to set up a vuln-dev lab here at work using OpenSolaris, Crossbow, and xVM. I love the things crossbow lets me do. I can virtualize the entire network stack, creating virtual switches, virtual NICs, and virtual VLANs. These last two days, though, have been a bit of a challenge as I work through what I think is a bug.
To set the stage, I have to do a bit of explaining. I have two separate etherstubs (an etherstub is a virtual switch). One etherstub is called xenswitch1, which is responsible for the 192.168.3.0/24 virtual network. The other etherstub is called xenswitch2 and is responsible for the 192.168.4.0/24 virtual network. The host has a VNIC on each network, with the .1 address. Here's the console output in case what I just wrote doesn't make sense:
root@shawn-vulndev:~# dladm show-link
LINK CLASS MTU STATE BRIDGE OVER
nge0 phys 1500 up -- --
xenswitch1 etherstub 1500 unknown -- --
xenswitch2 etherstub 1500 unknown -- --
xenvnic0 vnic 9000 up -- xenswitch1
xenvnic1 vnic 9000 up -- xenswitch2
xvm29_0 vnic 1500 up -- xenswitch2
xvm30_0 vnic 1500 up -- xenswitch1
xvm31_0 vnic 1500 up -- xenswitch1
root@shawn-vulndev:~# ifconfig xenvnic0
xenvnic0: flags=1100843 mtu 9000 index 7
inet 192.168.3.1 netmask ffffff00 broadcast 192.168.3.255
ether 2:8:20:e6:fc:37
root@shawn-vulndev:~# ifconfig xenvnic1
xenvnic1: flags=1100843 mtu 9000 index 6
inet 192.168.4.1 netmask ffffff00 broadcast 192.168.4.255
ether 2:8:20:a3:e3:4
I have a VM on each etherstub as well. I have a Windows Server 2008 Enterprise VM on xenswitch1 with an IP of 192.168.3.3 and an Ubuntu Desktop 10.04 VM on xenswitch2 with an IP of 192.168.4.2. Both networks are fully NATed.
You would think that if I were to ping the Win2k8 VM from the Ubuntu VM, the ICMP packet would go outbound from xenvnic1 to xenvnic0. However, the bug I found is that if Ubuntu sends a packet to the 192.168.3.0/24 network, the packet goes outbound from the xenvnic0 interface. All other traffic is treated like normal and goes outbound from the xenvnic1 interface.
I haven't found a solution, yet. I hope the explanation of the issue was clear. I'm always looking for pointers in doing this better, especially in this situation.
I've been tasked with designing and implementing a set of systems to serve as a NAS and a dedicated virus scanning machine. Three systems will be involved: a Windows Server 2003 box acting as a domain controller, a Windows Server 2008 box acting as a dedicated virus scanning machine for file uploads, and an OpenSolaris NAS. The OpenSolaris NAS will be authenticating via Active Directory and serving files over CIFS/SMB.
Because of how large this project is, I decided first to test configurations in a lab. When Windows Server acts as a domain controller, it likes to take full control over the network. It likes to serve DHCP, DNS, NTP, and act as the gateway. I needed to be able to have the virtual lab, then, on its own private network. I first tried VirtualBox, since it can natively do host-based networking. However, I learned that VirtualBox's support for host-based networking is practically broken in OpenSolaris hosts. Naturally, I turned to xVM.
Prior to choosing xVM, I knew that Crossbow, OpenSolaris's networking virtualization feature, could do some pretty cool things. Crossbow can simulate a virtual layer three ethernet switch, and I can set up virtual NICs (VNICs) and VLANs. Using Crossbow and this tutorial, I was able to set up a private network to host my lab. I won't dive into the details of how to do it, since it's laid out really nicely in that tutorial (complete with pictures, yay!). One thing it didn't discuss, however, is that in order for your VNIC configuration to persist across reboots, you cannot use NWAM. You have to disable NWAM via svcadm disable network/physical:nwam and set up old-school static IP configuration via /etc/hostname.[vnic] and svcadm enable network/physical:default.
To sum up, OpenSolaris mixed with xVM and Crossbow provides an amazing virtual machine and lab solution. Crossbow is so simple to use and easy to integrate with other technologies, like xVM.
Over the past few years working as a software engineer and security analyst, I've learned a few things about server administration. One I'd like to write about today is filesystem organization and planning. The company I work for has been in business for around six to eight years. They spent quite a few thousand dollars on a few Intel-based servers running Windows Server 2003. After years of use, our development server has no space left and often crashes due to lack of hard drive space.
One reason why we're having space issues is because we don't have any rules regarding organization. Often, we spend at least a half hour each day looking for the latest copy of one file. Sometimes that file is documentation, others it's a necessary DLL. We have multiple versions of files stored in multiple locations on multiple drives. Figuring out which file in which directory on which drive to grab can be a daunting task.
Take a lesson from someone who has spent countless hours looking for files: keep your servers organized, especially if those servers are to remain in production for more than five years. Maintain a strategy for expansion.