3.19.2010

Exploit writing tutorial site? This is what you're looking for...

On 11 March this year I asked this question on my Twitter account: "Is there a woodmann.com alternative to our security scene? I don't care about the good/bad guy part, I just want to know if it exists!" and I received no answer.
While searching the Internet in the usual places, I found something interesting on Offensive Security's blog, entitled QuickZip Stack BOF 0day: a box of chocolates. It sounded interesting, so I took a peek at it. Damn, it was the best thing I did this entire month. That article/blog post, call it whatever you want, simply rocks!
Do you remember all the vulnerability reports that you see on milw0rm/secunia/vupen/securityfocus? They simply announce the bug, and maybe, if you're lucky, they write a few lines of code or a PoC for it. I'm not suggesting that this is bad or anything, but if you want to see the logic behind it all, you're lost, because that's a topic that's not covered. Sometimes you see a shellcode and you just stare at it. Why is it there? Why is it so long/short? Why does it stop working if I change something in it? How did someone find the bug, exploit it and write that shellcode? These questions remain after you've read any vulnerability report on the sites mentioned earlier. But not with QuickZip Stack BOF 0day: a box of chocolates. The author takes you step by step. The best thing of all is that he's not feeding you his way of doing things. He writes a dozen times that you should stop reading, think for yourself about what you would do at that particular stage, and only after that read further. This is absolutely amazing. That way of teaching/writing reminds me of a famous quote by the famous cracker +ORC that's still used in the cracking scene, and it's still valid and true nonetheless:

"If you give a man a crack he'll be hungry again tomorrow, but if you teach him how to crack, he'll never be hungry again".

This is what Peter Van Eeckhoutte (corelanc0d3r) does. Do you want to hear more good news? He has posted the 2nd part of the article: QuickZip Stack BOF 0day: a box of chocolates Part 2.
Are you ready for even more great news? He has made a series of tutorials on how to start writing exploits in the same manner! You can start reading them, beginning with the first, called Exploit writing tutorial part 1 : Stack Based Overflows, and going further until you reach his latest article (Exploit writing tutorial part 9 : Introduction to Win32 shellcoding at this date). His blog is full of excellent, well-written articles. Do you have problems understanding some of his tutorials? Go to the forum and ask a question. How cool is that?
Even though nobody answered my question on Twitter then, I sure can answer it myself now: there is a very well written site, and that's Peter Van Eeckhoutte's blog.
I'm very happy that I took the time to search for the answer to my question, because it surely does pay off.
Thanks, Corelan Team, and I hope the rest of you will find it at least as good as I did!

3.16.2010

Public disclosure? Why even bother?

Hello again,

This time I'm going to talk about proper disclosure. For those who don't know what that is, here it is: you test a product, you see that it has a bug, you exploit it and you write an e-mail to the vendor to inform them about it. You wait a few days, they work on a fix in the meantime, they release the fix and finally they thank you and we are all happy. This is the theory, but...
Real life is almost never like this. You can consider yourself lucky if you get a response from the vendor, or if something gets fixed. If indeed something gets fixed, it usually takes a few weeks (even months sometimes) and you'll certainly never get a simple thanks (from my experience, at least).
I remember a few years ago, when I had some spare time, that I started poking around with a few high-class .ro domains as potential targets. All I did was a few basic SQL injections and a couple of cross-site scripting tests, but I found a few interesting vulnerabilities out there. I contacted the companies to inform them about the problems, but nothing. I also stood still for a couple of weeks, and still nothing. After a month I tried again, and the problems weren't there anymore (at least they had changed their code).
When I saw that they had repaired their vulnerabilities, I decided to try a little harder and see if something popped out. It did. I again tried to get in contact, but no response. After a while, they again changed their code, but I'm afraid to look again - who knows what I'll find this time? Of course, still no contact.

From that point on, I decided that what I'm going to do is this: when I find a bug, I contact the vendor. From that point on, the vendor has exactly 1 week to respond or correct the bug. If by that time I get no response, I'll go public and disclose the vulnerability. I know that some of you will blame me for what I've written here, but let's face it: it's not right. You find a vulnerability (you're doing in your free time what other people are paid to do), you contact the vendor, and you don't even get a response. Is that fair? It's not fair to me, to you, or to the time taken to find it. I know that there are some vulnerabilities that can be devastating for the public (see Kaminsky's DNS flaw back in 2008), but that's an exception that I'm going to make. The only thing that vendors are afraid of is the bad publicity they get if their code is hacked in broad daylight. Like it or not, that's the truth!
You say that maybe the vendor doesn't have time to answer? Come on! One week is enough for anyone. If they don't do it in a week, they will not do it in 2 or 3 weeks, or ever. And please don't tell me that they have no time or no programmers to fix the vulnerability, because nowadays everybody works in teams.
To be concise: write back within a week, or fix your code in the same time frame, or hope that I've found the next Kaminsky bug; otherwise I'm going public, baby!
What's your policy on disclosing vulnerabilities?

UPDATE: It seems that there are others who don't care about their users and the vulnerabilities that can be exposed in their bogus software. Does Microsoft ring any bells? Check it out here! How about Apple? 20 vulnerabilities found with only 5 lines of code written in Python... this is pure blasphemy, guys (story here).
Blame me all you want, but I'll stick with my 1 week policy!

PS: It seems that my 1 week policy works well so far. Kaspersky Romania took 2 days to respond. More updates on Kaspersky will follow.

3.13.2010

Usability versus security, or how browser password managers got 0wned!


In the last few days there has been a storm on the Internet regarding security. Internet Explorer was hit again and again, and now it seems that even browser passwords are not safe in password managers. I want to talk about the latter, and to respond to Jeremiah Grossman's question: YES, I think that password managers are the best tool that users have!
I agree that they offer somewhat the best solution from the user's POV, but I have a few objections to make here:

1) Who is to say that a standalone password manager doesn't have bugs? Let's not forget, password managers are also written by humans, and we are far from perfect.
2) People are lazy by nature. Why do 2 steps (open the password manager and then copy-paste the password), when you could do it in just 1 step? The results are the same: you're still virtually insecure.
3) I could invoke the true statement that a computer that's connected to the Internet is never secure, but I will not say it. In short, nothing is impenetrable (e.g. remember your tweet? [@claudiufrancu all websites can be messed with. The question is only how and to what extent.]). The same thing applies to programs running offline (this and this are good examples).

The question is how much security you implement and how much usability you still have. Users in general want simple stuff: search the web, check e-mails, watch videos, chat. They don't want to know all these details about security, and that's normal. When I drive a car, I'm not supposed to know the frequency of the key chip that starts it, or hide it, or keep it in a vault when I'm not driving. I think the analogy applies to users. They want things that work and are secure.
I think that from a security POV Joanna Rutkowska's approach (Red, Yellow and Green VMs) is the best, far better than the password manager approach, but maybe the users don't have the time/CPU/skill/desire to do it.
From the user's POV I think that the built-in password managers in web browsers will be used for a long time. They are simple, they do the trick and they almost work. If we want something better, I think it's time to give the users a break and start coming up with good ideas and implementing them (in my opinion a two-factor protection would be best, like a token that produces a 1-minute password after you input your password, but for this we would need really big standardization regarding web security and password policies).
As long as we rely on one password, however long and complicated it is, it can and will be broken easily. We need to start implementing another type of security, one where the user does not have the power to pick "123abc" as the password for their e-mail. Only then will we make progress on the security side; until then we're running in circles.
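The token-based second factor suggested above already exists in a standardized form: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), which is what most hardware and phone tokens implement. What follows is an added example, not code from this blog, that shows both sides of the scheme: the token-side code generation and the server-side verification, together with the checks a practitioner has to get right (tolerating clock drift, comparing in constant time, and refusing replays within the validity window). The secret is the one from the RFC test vectors; `verify_totp` and its replay bookkeeping are this example's own design, not something the RFCs prescribe.

```python
"""Time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226).

Added example, not the blog author's code. It demonstrates the "token that
produces a short-lived password" idea with the server-side checks it needs.
"""
import hashlib
import hmac
import struct
import time

# Shared secret taken from the RFC 4226 / RFC 6238 test vectors (ASCII
# "12345678901234567890"). A real deployment generates a random per-user
# secret at enrollment and never reuses a published one.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros; codes are strings, not ints


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch.
    step=60 gives the one-minute password the post talks about."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Server-side check (this example's own design). Returns the matching
    time-step counter, or None if the code is rejected.

    - accepts `window` steps on either side of "now" to tolerate clock drift
    - uses a constant-time comparison so timing does not leak how many digits matched
    - refuses any counter <= last_counter, so a captured code cannot be replayed
      while it is still inside the window; the caller must persist the returned
      counter per user after every successful login
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now, step=60)
    print("current 1-minute code:", code)
    print("accepted:", verify_totp(RFC_TEST_SECRET, code, now, step=60) is not None)
```

The window keeps a slightly skewed phone or key fob usable without widening the attack surface much (three valid codes instead of one), while the `last_counter` check closes the gap a bare TOTP leaves open: without it, a code phished a few seconds ago is still accepted for the rest of the interval. Note that the constant-time compare only protects the code check; the password step that precedes it needs its own hardening, which this example does not cover.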

3.07.2010

Why is security important?


This is an introduction post, so it won't be very technical, maybe just a little bit theoretical. I'm a 23-year-old computer enthusiast who lives in Sibiu, Romania.
I've grown up around computers, and I'm still fascinated by them. They are logical, simple (at least most of the time) and human-made. Think of almost any real-world situation, and you can transform it into a computer problem/simulation. It's amazing what we have accomplished in only a few hundred years. Remember when we were fighting among ourselves with tanks? Or swords? Or even better, when we used rocks and spears to hunt animals to provide our basic food? Those days are over.
We have now created computers to help us in our daily lives. We had the knowledge to do this. Come to think of it, we are playing God right now. There is just one problem with it all: are we secure? Many people will now argue that cyber security isn't for us to be concerned with. Is that so? Do you lock the door of your car when you're not in it? Do you lock your house when you're not around? You should do the same thing with your blog/e-mail/pictures and everything that you're sharing online. You must protect them at all costs. If you don't want something on the web about you, it's simple: don't do it.
Are you a simple user who surfs the Internet? Pick good passwords, update your environment as often as needed, use a daily updated antivirus, use a firewall, use a password on your account, lock your Windows account when you're away and you should be secure in general. [Actually the only way to be 100% secure is to not plug your computer in, but that's another topic.]
Are you a programmer? Things become more complicated now! With great power comes great responsibility. Not only should you do all of the above by default, but if you're building a web application you should also implement input and output validation, error handling, authentication and authorization, session management, secure communication, secure resource access, secure storage and many more [visit OWASP for more info]. If you're building a non-web application, you must watch out for a lot of possible errors; here are just a few.
As you can see, things are more complicated than they look, and this is normal. Things haven't been built with security in mind; we just adapted it on the fly and we pay for it now. Continue to ignore it and you'll see more things like this, this, this and many more alike. It's time to wake up and see the problems around us. Security is one of them, and it's big!
You can always contact me at klaudyus_at_gmail.com. Be safe!

3.06.2010

claudiufrancu.ro is up!

Hi all!

After giving it some thought, I've made it after all. http://claudiufrancu.ro is up and running!
Updates will follow soon, and also a few of the projects that I'm working on. Stay tuned!