Thursday, July 9, 2009

Rehi, Milw0rm


I guess enough people stepped up to the plate and offered to resuscitate Milw0rm on Str0ke's behalf. 


This is a good day. Rehi, Milw0rm!

Milw0rm has been up-and-down ever since the closing announcement hit Teh Internets, probably due to the script kiddies recursively wgetting the site (downloading a mirror of all the archives).

Hopefully, the site will stabilize and be back online and back to business as usual soon!

DefCon 17

Asmodian X and I will once again make our annual pilgrimage to Las Vegas over the last weekend of July-into-August.


I haven't picked the talks I'm attending yet, but you'll be able to find me at the Podcaster's Meetup and probably a SecurityTwits meetup, if there is one.  Otherwise email me (ax0n ! h-i-r , net) - I'll probably be checking my mail frequently.

Any readers attending?

Not news: smuggling bomb parts into federal buildings

ABC News: Bomb materials smuggled into fed buildings

Federal investigators had no trouble smuggling bomb-making materials past ill-trained and poorly supervised guards at federal buildings, senators were told at a hearing Wednesday.

The thing is that if you poke around the office supply closet and the broom room, you will undoubtedly be able to amass everything that's needed to wreak some serious havoc.

The article doesn't say whether the GAO agents used credentials or covert entry to get into the compounds with said "bomb supplies". If they were able to enter without credentials, there's a much larger problem. If they used credentials, it really doesn't matter what they can carry in. Through all of history, weapons have been made from seemingly benign objects. 

This is more pedantic security theater: Focusing on one specific threat instead of working to refine and simplify the armor.

Wednesday, July 8, 2009

Network programming and distributed scripting with newLISP

I'm not sure why I never re-posted this here, but alas, better late than never.  I should have an article published in the Summer 2009 issue of 2600 as well, but I haven't seen it yet.



newLISP (www.newlisp.org) is a relative newcomer to the interpreted language arena in terms of popularity. While it had its humble beginnings back in 1991 when Lutz Mueller started working on it, only in the last 4 years has development been consistently active.

newLISP is everything that old-school LISP languages are, with a lot of modern features. First off, it's a scripting language that's extremely fast. It has networking ability that's powerful enough to write TCP or UDP client or server applications. Then, to top that off, it has a command called net-eval which makes newLISP stand out from the crowd by giving it the unique ability to easily distribute tasks to other nodes over a network connection.

Binaries (under 200 kilobytes) are available for Windows, BSD, Linux, Mac OS X, Solaris and a host of other platforms. It is released under the GPL. Performance is also second to none. newLISP has been topping the charts on script interpreter benchmarks in several categories thanks to its small size and efficient C code. It outruns php, perl, and even ruby.

newLISP also has some other tricks up its sleeve that make it an excellent system administration scripting language. It has decent filesystem support, so it can see if files or directories exist, determine if a file's permissions are acceptable for reading or writing, and it has very powerful text processing ability using PCRE (perl compatible regular expressions). Finally, it's also worth mentioning that newLISP can easily import whole functions from dynamic libraries such as libmysqlclient (instant MySQL access from within newLISP!), tcl/tk (for creating graphical applications in newLISP) and zlib (for compression and decompression), just to name a few. This makes newLISP one of the most robust and flexible languages around. As you can tell, newLISP is a formidable choice for hackers, geeks, network admins or security professionals wishing to create scripted programs to do network operations or distributed computing with minimal effort.

I am lucky to have been able to work directly with Lutz, the founder and creator of newLISP. I got a few direct lessons from him, and from there, started tinkering with it on my own. With that, the first thing I did was create a makeshift port scanner. I learn easiest by example, so here is what I came up with.
Click to see port.lsp

The first part simply assigns the command line arguments into a list called params, then makes sure that 4 parameters were given (program name, host, begin port and ending port). If not, it displays a usage tip before exiting. The second part assigns elements of the list to appropriate variables, then uses a for loop to iterate through the ports, displaying the numbers of the ports that are open. Note that on machines with packet filters that "drop" packets, this port scan will take a very long time. nmap is a much more robust port scanner, however this little script demonstrates the power of newLISP's network commands. We'll run this as a test just for fun:

$ ./port.lsp 192.168.0.105 1 200 
21 open 
22 open 
23 open 
25 open 
79 open 
111 open
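A script written to the description above, as an added example rather than the author's port.lsp: it assumes newLISP lives at /usr/bin/newlisp and that, when run via the shebang, (main-args) begins with the interpreter path, which (rest ...) drops so that the remaining four elements match the parameters the text describes.

```newlisp
#!/usr/bin/newlisp
; Added example modelled on the page's description of port.lsp, not the
; author's file. Under the shebang, (main-args) is assumed to look like
; ("/usr/bin/newlisp" "./port.lsp" host begin end); rest drops the first.
(set 'params (rest (main-args)))

; Exactly four parameters: program name, host, begin port, end port.
(unless (= (length params) 4)
  (println "Usage: " (params 0) " host begin-port end-port")
  (exit 1))

(set 'host    (params 1))
(set 'lo-port (int (params 2)))
(set 'hi-port (int (params 3)))

; net-connect returns a socket number on success and nil when the
; connection is refused. On hosts whose packet filter silently drops
; packets the call blocks until the OS gives up, which is why the text
; warns that scanning such a host takes a very long time.
(for (port lo-port hi-port)
  (let (sock (net-connect host port))
    (when sock
      (println port " open")
      (net-close sock))))
(exit)
```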

Now, let's look into distributed computing, shall we? The core command behind newLISP's distributed computing power -- called "net-eval" -- operates on a list of lists (similar to a 3 dimensional array). The inner-most list is a list of host, port, and a string representing the command(s) you wish to run on the remote node. The outer-most list can contain as many host-port-command lists as your heart desires, allowing you to run many distributed processes at once, and get the results back all at the same time. Then, outside those lists is a timeout in milliseconds. If a result isn't returned in the timeout period, the operation returns "nil" (that is, false). To clarify, net-eval syntax is as follows: 
(net-eval (list (list "host" port-number command-string)) timeout) 

On each remote node, you must have a newLISP listener, which is simply started by running "newlisp -c -d port-number" from the command line. On UNIX environments, you may put an ampersand (&) at the end to launch it in the background, or you may even wish to use "set NOHUP" and log off to leave it running in the background indefinitely. In my example, I went to my Solaris box and launched it, listening on port 31337 as follows: 
$ newlisp -c -d 31337 &

I also launched newLISP listeners on various other machines on my home network, including a few OpenBSD machines, and my wife's MUD/BBS server running Windows Server 2003 with the "Services for UNIX" tools installed. 

Now, care must be taken. It is a bad idea to have a newLISP listener running on a public IP address, because commands like process or exec can launch shell processes on the newLISP node, which is just as good as giving away an unprotected shell account on your network. I advise using newLISP listener nodes only behind a NAT or firewall, or on a segregated network. 

Let's run a test script, shall we? In LISP, boolean and math operations are always performed by placing the operator first, followed by the symbols to apply it to. In this case the symbols are numbers, but they could easily be strings or lists with some operations. Adding 1 + 2 in LISP is as simple as (+ 1 2). I will start by running a quick addition operation on 1 remote node with a 3000ms (3 second) timeout.
Click to see net-eval-test.lsp 

When we run it, we get the answer to this mind-boggling math problem: 
$ ./net-eval-test.lsp 
(3) 

Now, to expand this even more, I have added three other nodes into the mix, which shows more clearly how the nested list syntax of net-eval works, and I'll demonstrate remote command execution at the same time, using the "exec" command. Notice how the quotes around the command to be run are escaped with backslashes. This is needed to keep from confusing the interpreter. To put quotes inside a quoted string, you need to escape them. This is almost universal to all programming languages. On UNIX-like platforms, uname is used to get information about the operating system and architecture. uname -s -n -m will list the OS that's running, the hostname, and the machine architecture.

The result is a newLISP list of strings, containing the results of running the command: 

$ ./uname.lsp 
(("SunOS sparky sun4u") ("OpenBSD compy386 i386") ("OpenBSD bouncer sparc") ("Windows mudbbs x86"))
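The multi-node net-eval call described above, written out as an added example (not the author's uname.lsp): it builds the host-port-command lists from a node table instead of spelling each one out, and it reports a node that misses the 3000 ms timeout rather than silently dropping it. The host addresses are placeholders, and each node is assumed to have been started with "newlisp -c -d 31337 &" as shown earlier.

```newlisp
#!/usr/bin/newlisp
; Added example, not from the original post. Placeholder hosts; every node
; is assumed to run a listener started with: newlisp -c -d 31337 &
(set 'nodes '(("192.168.0.105" 31337)
              ("192.168.0.106" 31337)
              ("192.168.0.107" 31337)))

; The whole expression travels to the remote node as a string, so the
; quotes around the shell command are backslash-escaped.
(set 'cmd "(exec \"uname -s -n -m\")")

; Build the (host port command) list that net-eval expects, one per node.
(set 'jobs (map (fn (n) (list (n 0) (n 1) cmd)) nodes))

; One call fans the work out to every node and waits at most 3000 ms.
; Results come back in the same order as jobs; a node that is down or
; too slow yields nil in its slot.
(set 'results (net-eval jobs 3000))

(dolist (r results)
  (if r
      (println (nodes $idx 0) ": " (r 0))
      (println (nodes $idx 0) ": no reply within timeout")))
(exit)
```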

The online documentation for newLISP is very extensive, and features a few rather advanced demonstration scripts, including a working web server written entirely in newLISP. While learning a new programming language is never easy, newLISP is more than mature enough in both implementation and documentation to make it a pretty easy language to add to your list.

Links:

  • NewLISP.org - the newLISP website, full of demonstration newLISP programs, documentation, binaries for many platforms, and newLISP source code.
  • Newlisper Blog ((now unbalanced-parentheses) (you see what I did there?) - newLISPer is a journal, or blog, written by a guy who was just learning newLISP. It's turned into a bunch of newLISP tutorials with some philosophy tossed in as well.
  • Norman's code Snippets - a website full of newLISP programs and snippets for Linux (not tested on other platforms). There are a lot of really interesting applications and widgets available to download.

Tracking Rumors (a la the OpenSSH Exploit)

By now, I'm sure you've all heard the OpenSSH Exploit rumor. The short and sweet points are:

  • The rumored exploit doesn't work on the current version (5.2/5.2p1 as of writing)
  • The rumored exploit does work against older versions (but we don't know how old or when it got fixed)
  • It's not a bad idea to upgrade your OpenSSH (and derivative) services to OpenSSH 5.2.

What really concerns me are forks from OpenSSH that are likely to be ubiquitous in the enterprise. There are many, but the following two seem like A Pretty Big Deal to me:

  • Red Hat Enterprise Linux ships with OpenSSH 4.x, but patches it in-house and releases these updates to RHEL users to fix certain bugs as they're fixed in the 5.x series.
  • Sun Solaris 10 ships with "SunSSH 1.1" which is basically a mash-up based on OpenSSH 3.5p1.

You see why I'm more than a little concerned, right? Without having the exploit code to test with, we don't know if the exploit will work against these bastardizations of the OpenSSH code-base.

Without some solid proof, I'm not going to go to my boss and scream that the sky is falling. I just want to stay in touch with the OpenSSH / 0pwn0wn exploit drama. Google Alerts to the rescue!

Google Alerts allows you to get rapid-fire email or RSS feed updates when new items show up in Google's index for given search terms. You can use this for vanity searching and a host of other things... or, as I do, to keep an eye on breaking news for more obscure stuff.

With that, I set up alerts for OpenSSH (News and Blogs) and 0pen0wn (Comprehensive search) - If an exploit is released publicly, I want to know about it so that I can test it and make recommendations on how to fix it.

Also, it's not a bad idea to set up Google Alerts for other mission-critical products or services you rely on, if for nothing else, to keep your fingers on their pulse.

Improvised backpacking stove

Squarely in the "Other interesting topics" category for this site, I can tie all this summer fun back to hacking a little bit. This is about improvising a little bit to solve a problem. It's also about trade-offs, fire, and building stuff in a cheap and hackish nature. So there. With that out of the way, this post will have almost nothing to do with technology.

I love camping, and usually when I go camping with family and friends, it's the all-out party at the lake kind of camping, just short of sleeping in an RV. I can tether my LG Chocolate to my MacBook, plug in my La Fonera running Jasager to mess with WiFi-toting campers, keep everything charged with the inverter and still start fires for the sake of fire -- because God knows you don't need a bonfire to cook when you have a nice propane stove hooked up to a 20-pound gas-grill propane tank! Sights like this one (from Memorial Day Weekend) aren't uncommon:


More recently, though, I've tried to get myself back into a more stripped-down backpacking mode. It's no secret that I like riding my bicycle for basic transportation. It also happens that there are decent campgrounds close enough to home for me to ride my bicycle to. For an adventure like this, the goal is to pack light (kind of like backpacking) -- In fact, the weekend after the above photo was taken, I snapped this -- which should give you some idea of how much crap I had to haul for a one-night "backpacking" adventure on my bicycle:


This is a 17-ounce (or so) propane tank and my small propane burner which I brought along on my last trip. It's definitely better than the 30-pound rig we were using a week prior. The bonus is that it still boils water in well under 5 minutes and makes fried eggs for breakfast like an ace.


I have a similar trip coming up in about 3 weeks, and over the past few days, I've been contemplating various ways to minimize the bulk. The wretched camp stove above is pretty much the only thing I can downsize cheaply. Sure, I could ditch some of my older, heavier gear and buy a $60 camp pad and a $250 tent -- No thanks. I'm on a budget, and that kind of money would be better spent on say... plane tickets to DefCon?

I decided to try going the sterno route. We have a can of it laying around, so what could it hurt? The main problems with sterno are that it doesn't get as hot as propane, and that the can itself won't support your cookware. I had some old bicycle spokes laying around and made this little contraption. It's two spokes (of different lengths) bent up and strapped together with tape on one edge. It folds nicely, but not totally flat. If I had spokes of the same length (or if I just cut the longer one, or wasn't afraid of bending the longer one so it is directly in the flame's path) it would fold flat.

I bent this so that it would hold the cookware about 1" above the fuel canister. It's so simple that I really don't think you need a full set of instructions to replicate what I did here. You can cut and re-bend a wire hanger, get some thick solid-core copper wire, or improvise whatever you want. Three level points are all you need to support a kettle over the heat source.


With the sterno can in place -- and set up on a piece of my mess kit so I don't melt the counter and incite the wrath of my l33t wife -- it looks like this:


Now for the sucky part: In order to boil two cups of water (for example, to make French Pressed Coffee or re-constitute a freeze-dried backpacking meal), it takes between 10-15 minutes depending on conditions, and yes I had the lid on whilst attempting to bring this water to a boil.


One cool thing, though, is that this stove stand will work nice with many other kinds of improvised heat sources. I may just end up replacing the sterno can with a beer-can alcohol stove. That's another project for another evening, though.

Tuesday, July 7, 2009

Fare thee well, Milw0rm


Str0ke is apparently abandoning Milw0rm:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting people's work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

Milw0rm was (and for the time being, still is) a site with a simple interface to browse a vast, extensive library of exploit code that was until now quite frequently updated. For the time being, it looks like the site is still up, but it sounds like str0ke has stopped trying to add more submissions to the site. Time will tell if he keeps the page alive.

It is survived by Packet Storm and a few other fragmented archives. Nothing quite matches the pedantic focus of Milw0rm, though. You will be missed!

Hat tip: A bunch of the security twits were discussing this.