
Kevin Finistere and I gave a Bluetooth presentation at the 23C3 congress in Berlin on 29.12 at 14:00 local time. We released a bit of 0day and a bit of protocol bugs and tidbits. See for yourself :) Thanks to everybody that made this possible, and also thanks to the CCC for organising this event; while I couldn't really participate as a spectator, at least I can judge the behind-the-scenes work. I was impressed.
The organisation was good and people very friendly and helpful.

Releases during 23C3 :

There now are underlying protocol security issues, not only pure implementation issues :

What is important to understand is that non-discoverable mode no longer represents a protection. Naturally, before attacking a device you have to know it is there; previously, if the device was in non-discoverable mode, you could try to brute-force its address (BD_ADDR) in order to find it. That is, however, unreliable and takes a very long time.

During this talk I released information on how to PASSIVELY discover 90% of the address and brute-force the remaining 8 bits, which is reliable and fast.

THIS means that the only protection Bluetooth has to keep me from connecting to your device is GONE.

The paradigm shift from toys to workstations is also considerable:

  • We can eavesdrop on your laptop's microphone; we can compromise it and take control over it.
  • The random number generators, and the encryption that depends on them, are weak.
  • New re-pairing attack, making the pairing attack INTERESTING.
  • Your drivers lack control: no update function, and flawed beyond comprehension.
  • Live demo on how to take over a PC and get a remote shell over Bluetooth

Key points from the Lecture :

  • PIN and link key recovery is practically possible (code release and live demo)
  • If you use Bluetooth keyboards or mice, your PC runs a HID server; an attacker may attach to it to inject commands (!) as if you were typing on the keyboard
  • The random numbers used for encryption and so forth may be very weak on your device
  • The PIN is not that useful, the link key is!
  • Swap over to Bluetooth 2.1 (as soon as possible) and use "Secure Simple Pairing"
  • Regard the quality of the encryption Bluetooth offers (E0) as a PRIVACY feature, NOT a security feature. (Compare it to WEP)
  • New re-pairing attack: connect to the master pretending to be a member of the piconet and present a fake link key; the master will think "oops, lost the pairing" and re-initiate the pairing, giving an attacker the chance to capture the exchange and crack it.
  • Don't trust that encryption is taking place: sometimes the devices negotiate Security Mode 2, and you don't know that your data is actually transferred in clear text (after being authenticated), and you can't check, as you don't have a Bluetooth sniffer.
  • The Bluetooth PIN is actually a Bluetooth passkey: it supports characters, not only digits (this has security implications)
Things to do once you have the link key:
  • Passively decrypt the traffic
  • Connect to the slaves pretending to be the master and have full access (no PIN required)
  • Connect to the master pretending to be one of the slaves and have full access (no PIN required)
  • Plant the link key on a BT-capable machine and have a remote, encrypted, stealthy channel to that machine
Update your drivers!
  • Widcomm, Toshiba, BlueSoleil: ALL vulnerable
  • Don't rely on Windows Update for that; your BT stack is very likely from a third-party vendor
  • Listening in on the microphone and recording is also possible on PCs (not only cars)

General Recommendations :

  • Delete your existing pairings as soon as you don't need them
  • Pair in "secure places" (SIG recommendation)
  • As soon as your device asks for a PIN again, don't enter it; you might be snooped on (see the re-pairing attack mentioned above)
  • Don't trust Bluetooth 1.0 - 1.2 (can't tell for 2.0-2.1 yet)

Companies :

  • Mitigate and Monitor.

Companies using Bluetooth for Industrial purposes :

  • Regenerate a new key every 5 minutes, use 16 chars.

Vendors :

  • PLEASE implement the GUI so that the Bluetooth passkey can use characters (UTF-8), NOT ONLY DIGITS.
  • Please be more transparent about your device driver version numbers and offer an easy way to update.



Hack.lu is over! A nice security conference in Luxembourg. Had a great time, although sometimes the organisation was a bit messed up ;) Reeaaaallly nice and very interesting people, the commercial rate was very low, and finally I saw some people I knew only virtually in real life.
Well, as you knew or didn't know, Kevin Finistere and I gave a talk about Bluetooth security. Yaaaaaaaaaaawwwwwwwwwwnnnnnn?



I don't believe so :
- Live demo : remote ROOT shell over Bluetooth on Mac OS X 10.3.9 / 10.4 (and source code release)
- Live demo : presenting BTCrack, a Bluetooth PIN and link key cracker. Will be released on Nruns.com complete with source code in a few weeks!
- Clearing the air about Inqtana (the PoC worm Kevin created)
- FUD reduced to a minimum. What's a threat, what isn't.
- Download our slides from Hack.lu
See you next year!



I started using this tool last year during internal tests, and it was immediately obvious to me that this is a great tool to have. Its name is Satori. If you have never heard about it, that's not proof that the tool is no good, but rather that its author, Eric Kollmann, does not really seem to care whether you have (or at least doesn't shout it from every rooftop).
I found out about Satori while reading the paper "Chatter on the Wire" (by the same author), which goes to great lengths on passive OS fingerprinting and its potential for improvement compared to what several other tools do.

What is interesting is that the paper was not only theoretical but also practical: its outcome was Satori, a beautiful plug-in based passive enumeration and fingerprinting tool.
Satori uses WinPcap and captures packets passively at the NDIS level; every packet flying by is scrutinised for information that might determine its OS. Nothing new here, you might say, but Satori does the fingerprinting on DHCP, BOOTP, ICMP, TCP, CDP, EIGRP, HPSP, HSRP, HTTP, IPX, SMB, SNMP, STP and UPnP, precisely enough to either correlate the results with nmap or to rely on them directly. It makes spotting potentially vulnerable systems a breeze.
It's obviously very handy for critical networks where you are not allowed to scan, or are only allowed to scan a minimum. (This does exist.)



It shows its strength when used in internal networks: I was able to spot machines that didn't belong in a certain critical network immediately (as they broadcast their NetBIOS presence), using only passive means. It's also very useful when doing quick scans (nmap on port 80, for example) across an internal network: it gathers all packets, makes a list of all responding machines, fingerprints them and gives you an exportable list. Very handy, and speedy; I was able to pump 8000 packets per second through it without any lags or problems.
Nice tool to have in your toolbox. Send its author your support :)
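To make the two points above concrete (fingerprinting from DHCP, which is the protocol "Chatter on the Wire" is mostly about, and spotting a machine that does not belong on a segment without sending a packet), here is an added Python example. It is written for this page and is not Satori's code. It parses a raw DHCP client message, pulls out the fields a passive fingerprinter keys on (the order of the Parameter Request List in option 55, the vendor class in option 60, the hostname in option 12) and matches the option-55 order against a signature table. The two signatures and the "captured" packets are constructed for the example; a real database such as Satori's is far larger.

```python
"""Passive OS fingerprinting from DHCP client messages.

Added example for this page, not Satori's code. It keys on what a DHCP client
volunteers in its DISCOVER/REQUEST: the order of the Parameter Request List
(option 55), the vendor class (option 60) and the hostname (option 12).
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER_LEN = 236  # fixed BOOTP header preceding the options area

# Illustrative option-55 signatures keyed by the exact request order.
# Constructed for the example; a real database (Satori's dhcp.xml) is far larger.
SIGNATURES = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43): "Windows XP",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "Linux (ISC dhclient)",
}


def parse_dhcp_options(pkt: bytes) -> dict:
    """Return {code: value} for the TLV options of a raw DHCP payload (UDP data).

    Stops at the End option (0xff), skips Pad (0x00) and refuses truncated
    packets instead of reading past the end of the buffer.
    """
    if len(pkt) < BOOTP_HEADER_LEN + 4:
        raise ValueError("too short for a DHCP packet")
    if pkt[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(pkt):
        code = pkt[i]
        if code == 0xFF:
            break
        if code == 0x00:
            i += 1
            continue
        if i + 2 > len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(pkt: bytes) -> dict:
    """Extract the passive fingerprinting fields of one DHCP client message."""
    opts = parse_dhcp_options(pkt)
    hlen = pkt[2]                        # hardware address length (6 for Ethernet)
    mac = pkt[28:28 + hlen]              # chaddr starts at offset 28
    prl = tuple(opts.get(55, b""))
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "msg_type": opts[53][0] if 53 in opts else None,
        "prl": prl,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "os_guess": SIGNATURES.get(prl, "unknown"),
    }


def foreign_hosts(packets: list, expected_os: set) -> list:
    """Hosts whose guessed OS is not on the allow-list for this segment.

    The 'machine that does not belong here' check, done without sending a packet.
    """
    seen = {}
    for pkt in packets:
        fp = fingerprint(pkt)
        seen[fp["mac"]] = fp             # one entry per MAC, last message wins
    return sorted((m, fp["os_guess"], fp["hostname"])
                  for m, fp in seen.items() if fp["os_guess"] not in expected_os)


def build_discover(mac: bytes, prl: bytes, vendor_class: bytes = b"",
                   hostname: bytes = b"") -> bytes:
    """Construct a DHCPDISCOVER payload as sample input (not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 1])                         # Message Type = DISCOVER
    opts += bytes([55, len(prl)]) + prl              # Parameter Request List
    if vendor_class:
        opts += bytes([60, len(vendor_class)]) + vendor_class
    if hostname:
        opts += bytes([12, len(hostname)]) + hostname
    return header + MAGIC_COOKIE + opts + b"\xff"


if __name__ == "__main__":
    # Constructed traffic from a segment that is supposed to hold only Linux boxes.
    xp = build_discover(bytes.fromhex("0011223344aa"),
                        bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43]),
                        b"MSFT 5.0", b"WKS-042")
    nix = build_discover(bytes.fromhex("001122334455"),
                         bytes([1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42]),
                         hostname=b"plc-gw")
    for mac, os_guess, host in foreign_hosts([xp, nix], {"Linux (ISC dhclient)"}):
        print(f"{mac}  {host or '-':10s} {os_guess}  <- does not belong here")
```

In a real deployment the packets come from a capture library (Satori uses WinPcap on the NDIS level) and the option-55 tuple is looked up in a large signature file; the parsing and the allow-list logic stay the same.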


Introduction :
Firefox has long been considered spyware-hardened and spyware-safe; it never really was. Don't get me wrong on this, it's not the fault of Firefox (although it could be a bit better protected against this particular attack). I made a small movie demonstrating this particular proof of concept.

Update : A bit of clarification on what this fuss is all about. As you see in the small animation, the extension installs without any user interaction. That should be quite new; Firefox tries to block silent installs through random profile directory names and various other tricks. The adbar sends any URL you visit to a Google syndication server, thus monitoring your surfing behaviour.
Update : The animation takes some time to load, wait for it.
Details :


I. Background
" Safe'n'Sec is complex data and user applications protection against threats and vulnerabilities for individual PC as well as workstations in corporate networks. The program uses proactive technology based on activity analysis in user PC. "

Title : Safe'nVulnerable
Ref : TZO-062006 - Safensec

II. Vulnerable versions :
- Safe'nSec Personal + Antispyware v2.0 and older
- Probably the other versions of Safe'nSec

III. Description :
Multiple insecure file execution and autostart handling issues.

During startup, snsmcon.exe spawns the GUI process named safensec.exe through CreateProcess(). In doing so it leaves the 'lpApplicationName' parameter unset and further omits to quote the path in the 'lpCommandLine' parameter. Ref [1]

This results in c:\program.bat|exe|com being called prior to Safensec.exe and allows automatic startup of a potentially rogue application. In particular one could imagine a scenario where it is possible to escalate rights using this (as they are inherited from snsmcon.exe). [2]


During autostart, Safe'nSec omits the quotes around the path to the executable and as such may spawn a rogue application instead of the appropriate Starforce application.


During Installation :
During installation the routines spawn a process and omit the quotes around the path, thus executing c:\program.exe (here calc.exe).
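All three findings above (the startup, autostart and installer cases) are the same flaw: an unquoted path with spaces handed to CreateProcess() with lpApplicationName NULL. The following Python is an added example for this page, not Safe'nSec, Starforce or Windows code. It emulates the documented CreateProcess resolution rule (try each whitespace-delimited prefix of the command line in turn, appending .exe when the candidate has no extension) to list the locations that are probed before the intended binary, and shows the quoted form that leaves only one interpretation. The install path used is hypothetical.

```python
r"""Emulation of how CreateProcess() resolves an unquoted lpCommandLine.

Added example for this page (not Safe'nSec, Starforce or Windows code).
With lpApplicationName NULL, CreateProcess takes the module name from
lpCommandLine; if that path contains spaces and is not quoted, the documented
behaviour is to try each whitespace-delimited prefix in turn, appending .exe
when the candidate has no extension. For
    c:\program files\sub dir\program name
it probes c:\program.exe, c:\program files\sub.exe,
c:\program files\sub dir\program.exe and only then the intended file.
Whoever can write to an earlier probe location gets their code run instead.
"""


def probe_order(cmdline: str) -> list:
    """Return the module paths CreateProcess would probe, in order."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        # Quoted: the module name is exactly what sits between the quotes.
        end = s.find('"', 1)
        return [s[1:end] if end != -1 else s[1:]]
    tokens = s.split()
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        last_component = cand.rsplit("\\", 1)[-1]
        if "." not in last_component:
            cand += ".exe"           # documented: .exe appended when no extension
        candidates.append(cand)
    return candidates


def plantable_paths(cmdline: str, intended: str) -> list:
    """Locations probed before the intended executable: where an attacker with
    write access could drop a payload that runs instead of it.

    Whether planting succeeds depends on the directory ACLs (see footnote [2]
    on the page: writable root of the system drive on Windows 2000, not for
    XP restricted users).
    """
    order = probe_order(cmdline)
    lowered = [c.lower() for c in order]
    if intended.lower() not in lowered:
        return order                 # intended file is never reached as written
    return order[:lowered.index(intended.lower())]


def safe_command_line(path: str, args: str = "") -> str:
    """Build an lpCommandLine that leaves CreateProcess a single interpretation.

    The complete fix in code is to pass the module in lpApplicationName; for an
    autostart registry value, quoting the path is the minimum.
    """
    return f'"{path}"' + (f" {args}" if args else "")


if __name__ == "__main__":
    exe = r"C:\Program Files\Vendor\app.exe"    # hypothetical install path
    bad = exe + " --tray"
    good = safe_command_line(exe, "--tray")
    print("probe order  :", probe_order(bad))
    print("plantable    :", plantable_paths(bad, exe))     # ['C:\\Program.exe']
    print("quoted, safe :", plantable_paths(good, exe))    # []
```

The same check can be run over every Run/RunOnce value or service ImagePath on a host: any entry whose plantable list is non-empty and whose probed directories are writable by a lower-privileged user is a local privilege escalation waiting to happen.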

I reported this to Starforce on 15/02/2006; as there was no feedback, I decided to publish this low-impact "vulnerability". Update: Starforce quickly fixed the issues after the disclosure.

IV. Summary

Vendor contact : 15/02/2006
Vendor Response : None

Public Disclosure : 20/02/2006
Vendor Fix : 21/02/2006

V. Download

TXT; PDF

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue on Windows 2000; WinXP restricted users don't have the right to write to c:\




Introduction :
Flaws in the way F-Secure software handles ZIP and RAR data compression archives could allow an attacker to execute remote code on users' systems and also to bypass F-Secure's antivirus-scanning capabilities.

Details :
I found multiple vulnerabilities within various AV engines; F-Secure are the first to actually publish a real advisory, others fixed the bugs silently or put a small notice in a changelog. I will however not publish more details about the findings as of yet: there are too many AV engines vulnerable to similar issues, and I am going to wait until most of them have patched the flaws before I disclose my findings in detail.
http://www.f-secure.com/security/fsc-2006-1.shtml

Rain Forest Puppy once defined a "Responsible Disclosure Practice"; I adhere to it.
[Update]
The story has been posted on SecurityFocus, News.com, Washington Post, Heise, Süddeutsche, ZDNet, Computerworld, and various others. Special thanks to Mikko for giving me credit.