LANrev Vulnerabilities Toorcon 12 2010

Slashdot Article

LANrev's multiple vulnerabilities come to light

• LANrev is remote administration software.
• At least one school administrator was caught abusing the webcam feature.
• The webcam feature is designed to retrieve stolen laptops.
• There are three classes of vulnerabilities that LANrev is vulnerable to.
• LANrev fails to protect either side of the equation.

Image by recombinantrecords.net

Brave New World vs. 1984

• The Supreme Court caused this by saying that pricipals can search lockers.
• A draconian surveillance state faces huge resistance.
• A society where "privacy is dead" seems almost ready for adoption.
• The "privacy is dead" crowd also faces resistance.
• Youtube is a perfect place to find teens in front of webcams. [13]
• LANrev gives school administrators camera access.
• LANrev also gives hackers code execution access.
• Privacy is opt-in, surveillance is opt-out, you get a choice if you care.

Method

Wireshark

Reverse-engineering

TCPDump and Wireshark

• Capture a bunch of packets. Replay them, sometimes you get lucky. [1]
• In the case of LANrev, you get a few hours of replay allowed.
• Replay attacks usually work because they are hard to prevent.
• The server must change state and reject some packets to prevent replay. [2]

OllyDbg

• Start up your program, start up OllyDbg and get ready to attach.
• Start up your python script to send the packets.
• Attach right when you send the packet. The odds are good.
• Step through to find functions and text. [3]
• Protip: Put a breakpoint on a few functions, edit it to log function arguments instead of breaking.

OllyDbg

Listing 1 is Bruce Schneier's Blowfish compiled and disassembled.

Python

• socket is your friend.
• import socket
• s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
• s.connect(('192.168.0.3', 3971))
• s.send("strings")
• s.recv(1024)
• # repeat as necessary
• If you need extra processing from a C program, use subprocess.Popen(...).stdout and stdin
• I also suggest using ctypes.cdll.
• from Crypto.Cipher import Blowfish
• import struct

Scapy

• Scapy is perfect for nasty network attacks.
• MitM is _not_ theoretical with Scapy!
• Do you know how easy it is to MitM with a few iptables and scapy?

  from scapy.all import *
  
  data = sniff(count = 3)
  malicious_data = 'A' * 256
  a = IP(src='77.11.22.33', dst='192.168.0.8') / TCP(sport=3971, dport=9911) / malicious_data
  send(a)
  			

Middler

• Low latency, high quality MitM attacks.
• Uses scapy to arpspoof, iptables to rewrite packets, SIP and HTTP, now my LANrev attack uses it.

Exploit

Python

• A server that sniffs SeedValues, commands, data, and photos while it serves malware. [14]
• A MitM program that redirects client traffic to our server on localhost.
  

Metasploit

• msfpayload generates a cheap executable to exploit the machine, gets past ClamAV.
• msfcli gives a choice of VNC or commandline or another exploit. [4]

VNC

• VNC is a great thing for demos, interactive attacks, and eavesdropping.

Webcams

• There are three ways to access the webcam:
  • Decrypt the shot
  • a background program
  • a foreground program
• Note that Adobe Flash has built-in camera access. Chatroulette?

Problems with Remote Administration

Static symmetric keys don't secure, they obsfuscate.

• Why do we use symmetric keys? With key exchange, when the attacker doesn't have the ciphertext, or when the key is unknown.
• LANrev did it wrong. A single key is as good as saying: please don't crack us. [5]
• If you setup a different key for each student before hand, you risk losing control.
• The worst part about losing control is that the software does the opposite of its goal.

Public Key crypto is difficult to do correctly.

• You do it wrong and it's back in the press again.
• Attackers want to exploit your software, they will find weaknesses.
• Public key crypto ensures confidentiality if the key is not known.
• Public key crypto ensures authentication if the key is not known and is checked.
• Public key crypto ensures integrity if the HMAC is checked.
• Public key crypto does not ensure authentication if the client doesn't have a keypair.
• Every keypair needs to be associated with a single server, which means each client will need to associate once with the server. If the server loses its keypair, all clients will need to be reassociated.
• All these things are well known because we've done them with SSL before. [6]
• Even TLS has had problems with Man-in-the-Middle attacks. [7]

If you need webcams to find laptops, you're doing it wrong.

• Why exactly are you using webcams? Because the laptops aren't stolen, they're honestly lost.
• A person who steals a laptop has no problem reinstalling.
• Students in good environments need no tracking.
• Students in environments where laptops are stolen will benefit more from beige boxes.
• OLPC is not a broken concept, Remote Administration is.
• Giving kids laptops makes sense because they learn and they gain confidence. [12]

Data

• Download from my website*:
• Metasploit vncinject script
• passive, MitM, calls home, turns off LANrev
• A trojan that posts a pic every hour
• * In the next few days

Demo

• I will show a laptop with LANrev installed on a wifi trying to connect to its server on the net.
• I invite anyone to turn on their LANrev laptop and associate to my network ResearchNet at your own risk.
• 5 minutes later, we have proof that we owned the laptop and anyone else in the room. VNC and non-vnc.
• Of course this works against the latest version of Absolute Manage Agent 5.2.5 or earlier.

Conclusion

• Three classes of vulnerabilities:
• Symmetric key encryption with one key amongst users and attackers does not guarantee confidentiality.
• Lack of authentication means that an attacker can impersonate a server or client.
• Replay attacks allows attackers to change the state of a server or client without knowledge of any keys.

Q & A

Joel R. Voss
Leviathan Security
Greets to h1kari, Frank Heidt, Mark, Chad, Kim Zetter, strydehax, Absolute Software, meee, Neg9, my mom, and everyone who has discussed this with me using their critical reasoning skills. This wouldn't have been possible without each of you.

Works Cited

[1] Tridgell, Andrew. How Samba was written. URL: http://samba.org/ftp/tridge/misc/french_cafe.txt
[2] J-Security. "tinc VPN Replay Attack Vulnerability" URL: http://www.juniper.net/security/auto/vulnerabilities/vuln3837.html
[3] Unknown. Intro to Reverse Engineering - Part 2. URL: http://www.ethicalhacker.net/content/view/165/2/
[4] SynJunkie. Metasploit Payloads - msfpayload. URL: http://synjunkie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html
[5] Unknown. Symmetric Encryption Algorithms. URL: http://www.encryptionanddecryption.com/encryption/symmetric_encryption.html
[6] Schneier, Bruce. Applied Cryptography.
[7] Mitre. CVE-2009-3555. URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
[8] Evers, Joris. Getting over laptop loss. URL: http://news.cnet.com/Getting-over-laptop-loss/2100-1044_3-6089921.html
[9] Sacco, Anibal and Ortega, Alfredo. Deactivate the Rootkit. http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Deactivate_the_Rootkit
[10] Clewell, Beatriz C., Campbell, Patricia B., Perlman, Lesley. Good schools in poor neighborhoods. 2007.
[11] Stevens, Tim. 66 OLPC XO '$100 Laptops' Stolen from Poor Kids. URL: http://www.switched.com/2008/06/22/66-olpc-xo-100-laptops-stolen-from-poor-kids/
[12] Ploskonka, Yama. First Ever Objective XO Laptop Usage Research Results. URL: http://www.olpcnews.com/implementation/evaluations/ceibal_objective_research_resu.html
[13] kem06853. "cant keep my hands out the cookie jar". URL: http://www.youtube.com/watch?v=NlCmmUD9eBY
[14] Halderman, J. Alex. "School's Laptop Spying Software Exploitable from Anywhere". URL: http://www.freedom-to-tinker.com/blog/jhalderm/schools-laptop-spying-software-exploitable-anywhere

Extra time: About DMCA, Copyright, and Reverse-Engineering