The Key to My Mind (11/12) a CC image from Tony the Misfit's Flickr stream

The private key is supposed to be private. It is what proves that the services and the certificate belong to each other. As an attacker you want to obtain this key in order to spoof the identity of the service.

When you import a certificate with private key or generate a private key via the Microsoft Crypto API (CAPI) you can mark it as non-exportable. But are these keys really non-exportable or is this just a GUI option to give administrators a false sense of security?

In order to find out how an attacker can export a non-exportable key RSA key, we need to dive into the CAPI calls.

Disassembling the CAPI functions shows that there are flags in memory that specify that the key is not exportable. It appears that these flags are stored on the same memory location and user the same function. And you can actually temper with this information and set these flags back to being exportable.

The situation is a bit different in the CAPI: Next generation (CNG). Again a disassembly of these functions shows that the CliCryptExportKey() via the c_SrvRpcCryptExportKey function get the private key from the KeyISO or KeyIsolation RPC service that is meant to isolate the RSA keys from the client memory.

It turns out that the memory of the lsass.exe process can reliably be manipulated to make the SPPkcs8IsKeyExportable function return 1 and thus allow the key to be exported.

In both CAPI and CNG the offsets to the flags are the same across the last 11 years of Microsoft products.

Jason has demonstrated the technique live on stage.

The code as well as the slides will be released to the www.blackhat.com website together with the presentation slides shortly.

Conclusion:Non-exportable keys are a GUI feature, they do not prevent a attacker from getting the key, they just slow him down.

The MSS: settings used to be here...

I recently got involved in a project where I defined the Baseline Security settings for windows and Linux. I used the settings provided by the Center for Internet Security (CIS).

We decided on the following approach:

• Based on the CIS templates we created a baseline document specific to our company
• I, in my security role, created a Nessus .audit file, so we could audit compliance to our own baseline with Seccubus
• The windows administrator created GPOs to apply the settings.

When creating in the GPOs we did a strange discovery. In a windows the settings that are normally marked as MSS: in the category Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options do not appear in a domain if its functional level is Windows 2008.

This made us wonder, have these setting become irrelevant ? If this is not the case, how can we still set them, preferably via group policy?

The settings are not irrelevant, as e.g. Peter van Eeckhoutte’s blog points out. Windows 2008 does not forward IPv4 packets that have source routing on them,  but it does accept them if the machine is the final destination. However for IPv6 Windows 2008 will forward these packets by default.

So if the settings are not irrelevant, how can we apply them if they are not in the Group Policy Editor? For this purpose we created an .adm file, which can be loaded into the Group Policy editor as a Classic Administrative template.

All the MSS settings can be controlled with this Administrative template. When we applied these settings we reached our desired compliancy with our own baselines.

Mission Accomplished!

So what are these MSS setting and what do they do?

My main objective in watching the webcast (which is not my usual habit) was to find out if systems that have the described workaround applied still need to apply the patch. The webcast did not give a definitive answer but this YouTube video and the Netifera website and the twitter accounts Thai Duong provide the answer: Yes you should apply the patch a.s.a.p!

Click here to view the embedded video.

However the Q&A section of the talk did give me, as a security operations guy, quite some food for thought. I made some notes in my own Twitter feed, which I have summarized here.

Q: Why did Microsoft release and OOB update for a vulnerability rated “only” as important?
A: The vulnerability itself is rated as Important because it is not a vulnerability that directly leads to remote code execution on the vulnerable system, however exploitation of the vulnerability will lead to disclosure of all information in the webroot including web.config. This information can be used for session hijacking, compromising backend databases and to attack associations between websites, e.g. the association of a website with PayPal. Hence an out of band patch was warranted.

Q: Why only release to the download center and not to WSUS etc?
A: We felt we needed to get this update out quickly, the people that need to apply this patch quickly are mainly enterprises who are capable of applying patches without the aid of WSUS. Developing the WSUS capabilities would add another few days of delay to the deployment of this patch.

Q: Is the attack actively used?

A: We have seen limited attacks against this vulnerability as well as continuous efforts to to bypass installed workarounds.

Q: Can the patch be uninstalled, does it require a reboot?
A: The patch can be uninstalled and does require a reboot.

Q: If you have multiple versions of .Net installed on the system, do you need to install all patches for each version of .Net?
A: Yes.

Q: If you have 64bit and 32bit version of Asp.Net installed, do you need to apply both 64bit and 32bit patches?
A: No, the 64bit patch will patch the 32bit versions as well.

Q: Should we regard the ASP.NET MachineKey as compromised?
A: Yes, if you have set a static MachineKey it is recommended to replace this key with a new key. (Information on AutoGenerated MachineKeys was not provided)

Q: Will the patch have an effect on end-users?
A: Yes, information stored on the client that is protected by the MachineKey can no longer be validated. This can e.g. mean that users whoo used a ‘remember me’ function will have to login in again.

Q: Does the patch need to be applied to all nodes of a cluster?
A: Yes, because the patch changes the way data in transit (such as e.g. viewstate) is encrypted, this patch needs to be applied to all nodes in a cluster as the same time or users may experience unexpected results.

Q: Does the patch change IIS?
A: No, the patch only changes ASP.NET, not IIS.

Q: Does the patch change the way encrypted data is stored on the server?
A: No, the patch changes the way data in transit is cryptographically protected, both encryption and signing is now applied. It does not effect any encrypted data stored on the server.

Q: Are the patches in the download center “smart” enough to know if they are applicable for the machine you apply them to?
A: No, detection capabilities will be built into the patches once they are deployed to WSUS.

Q: Should the update be applied to all .net installation, not just web servers?
A: The vulnerability only manifests itself via web servers. For now it is recommended to only install patches there, and way for the patches to appear in WSUS before patching other .net installs. But remember a system with an unpatched .net installation will become vulnerable as soon as a webserver is installed.

Q: Should the workaround be removed prior to patching?
A: No, you can apply the patch with the workaround in place. If you need to do so you can then remove the workaround after the patch has been applied. CustomErrors generally does not hurt and neither does UrlScan all though UrlScan is known to break SharePoint and may break other web applicaitons as well

Q: Do customer applications need to be recompiled?
A: No.

Scott Guthrie’s blog has an excellent overview of which patch is applicable to which platform.

Mark starts of by giving a very funny overview of his very impressive career. He currently has a non-security security job at Microsoft running the MSDN subscription services department. Being away from security has given him room to think about information security more.

His talk is about 10 crazy ideas that might change the state of information security. These ideas all cost little money, but may have a big impact.

#1 – Adopt Chinese Medicine Business Model

In China the doctor gets paid to keep you healthy, not to cure you. There are currently actually two companies that are experimenting with this business model.

#2 – Stop Human Pattern Matching

Humans seen things they expect so see. The brain is wired to see what it is expecting to see. This is why optical illusions work, which was demonstrated to the audience with two illusions. Security people do his all the time. I have XSS, this is going to happen, this vulnerability will cause this worm.

#3 – Community Driven Statistical modelling

An example of this is http://freerisk.org. It allows people to input and consume financial modelling data. In the security world there is no data that will give us some predictable model of how security behaves. Wine quality can actually be captured in a formula: Wine Quality = 12.145 + 0.00117 * winter rainfall + 0.0614 average growing season – 0.00386 harverst rainfall. Where is the equivalent of security? Rubbish you say? Well, the formula for wine quality is actually used in the field now

#4 – Teach Kids Computer Security

Computer Science students do often not know about IT security. It should be a core value of learning IT.

#5 – Make Developing Countries Centers for Security Excellence

IT security hotspots are where engineering is considered a good job.

#6 – Make hacking a competitive sport

If hacking is a competitive sport, nations might actually get good at it and it might just increase funding for IT security

#7 – Connected Information Security Framework

IT security tools do not talk to each other. You may want to get different part of IT security puzzle form different sources, but integrating the reports is very hard.

#8 – Embrace Design Driven Security

We must reward the builders AND the breakers. Not just the people who break IT Security.

#9 – Crowd Source Access Control

Resetting you banking password generally happens in a call center (probably in India). It is very crazy that we trust people we do not know at all to reset our password. Why not use the people who actually know you to determine if you need access or not. The wiki at OWASP was actually very successful in this aspect, because there are social networks that actually control who has access to edit the pages and who hasn’t.

#10 – Adopt Agile Mindset

It is explained in the Agile Manifesto – http://agilemanifesto.org/

The agile mindset is about:

• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaborations over contract negotiation

Within a constrained (time/resources) you write a working increment of the software.

Most security projects deal with a large amount of uncertainty and complexity. The right spot for the Agile mindset.

Contract negotiations are done at the point where you know the least about what is ahead of you. Basically setting you up for failure.

About the speaker:

Mark Curphey recently moved to a mainstream software management role at Microsoft running the MSDN Subscriptions engineering team. He started OWASP, ran foundstone and held various security positions at various banks around the world.

lolcat adaptation #3, a Creative Commons Attribution No-Derivative-Works (2.0) image from kevinsteele's photostream

Exploit wednessday ois the day after patch Tuesday, the second Tuesday of the month when Microsoft releases its patches. While some people say it’s impossible to write an attack in one day, Yaniv has seen it happen and tries to explain how.

This process is based on diffing. Diffing means finding the differences between the old and the patched version of the binary file.

This could be done on the same machine, or between two different versions of the OS (e.g. Windows XP and Vista).

The toolkit for a typical patch analysis consists of:

• Diff programs
• Compare programs
• Decompiles  and compilers
• Different versions of windows

Yaniv, then went off to demonstrate a to us the creation of an exploit for MS10-005.

First of all information from public source was gathered to find out which program was effected, what the root cause of the vulnerability was and in which version of Windows the problem is present.

The next part is extracting the patch and analyzing it. First this that needs to be done is finding the files that will be updated. The these files will be compared against the original file, just to find which functions have been changed.

The changed function are then converted to execution graphs which are colored to highlight the amount of change in that part of the code. This is used to determine the interesting area’s of the code. These interesting area’s are then compared byte by byte and the differences analyzed.

If we need to understand how the vulnerability work in order for us to determine how to write the exploit. Since MS10-005 deals with integer overflow in paint using the the jpeg format, understanding if the understanding of the jpeg format is crucial.

Using this knowledge a denial of service exploit could be generated. Yaniv showed us the process in real life.

The talk is about abusing the anti-XSS filters built into IE8 to always be able to perform XSS.

Microsoft decided to implement anti-XSS measures in IE because XSS is so common. On the other hand the wanted to be careful not to break the web and to keep things performant and the solution itself had to be secure.

So how do these filters work?
•    Examine all outbound requests for XSS patterns using heuristics filters.
•    If something matches the filter a dynamic signature is generated
•    If the signature matches then the response is neutered.

The heuristic filters look for suspicious requests, e.g. parameters with <script> tags in them. The dynamic signature is then generated to take into account some forms of server transformations, but basically this looks if the same text is not returned as part of the web interface. If XSS is detected one character in the original text is replaced by a hash mark (#).

The presentation then gave a breakdown of typical heuristic signatures, they can all be found at http://p42.us/ie8xss/filters02.txt.

So one of the things the researchers found was that these filters can be bypassed. Regular expressions are not perfect and complex to write. Examples are at http://goo.gl/sour, and http://goo.gl/KVDI.

But even more fun is to turn the filters against themselves.

Because the filter is designed to filter out certain tags, it can be used to disable other script tags as well. This can be used to disable framebusters, block sandboxes and disable other javascript based security mechanism.

The XSS filters can also be used to alter the ‘=’ sign into a hash sign (#). Which can alter the entire meaning of certain HTML tags.

The XSS filters can be abused to malform (neuter) html tags. The onerror properties of these tagscan then be used to triggers scripts.

The way the XSS filter where built up allow the neutering of just about any = sign on a page.

So the attack has two stages: first you need to be able to insert text into an html name value pair. Then you need to trigger a fake XSS attack the will neuter the html name,value pair into activation.
Is this common? Yes it is. Bing, Twitter, Wiki’s Social networks. About 99% of the sites that matter are vulnerable.

If you want to try out the attack yourself, use a vulnerable version of IE8 and visit http://0x.lv/attr.php

How was this fixed?
Microsoft is no longer neutering the = sign

What can you do?
* Turn XSS filtering off
* Use a different browser
* Upgrade you browser after Microsoft fixes it.

Should you disable the filters? No, benefit outways the risks.

What if I run a website?
Microsoft allows websites to add a header that will opt you out of XSS filtering.
“X-XSS-Protection: 0″ or “X-XSS-Protection: 1; mode=block” which will not disable the protection, but will block the entire page from being rendered.

This issue was discovered and reported to Microsoft in September 2009 and was patch in Jauary 2010. Public disclosure was today.

So what about other browsers?
Firefox: NoScript (good), NoXSS (don’t use)
Webkit is developing XSSAuditor. It will respect the same control headers as IE8

Since the root CA is in another domain then the issuing CA, it took some fiddling and tweaking around with my CDP and AIA extensions, but that is another blogpost all together.

I knew I was in for some fun when when the following happened:

• I installed my Issuing CA and generated the certificate request
• I issued the request to my Root CA and generated the Issuing CA certificate
• I tried to install the Issuing CA certificate and got the following error:

Cannot verify certificate chain. Do you whish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2168885613)

My first reaction was to call one of the network guest and notify him that I needed http access to the Issuing CA to the CDP location. But whil on the phone, I decided to try and to my surprise I was actually able to manually pull down the crl.

Intregued, I decided to check a few things:

• I could download the CRL from both CDP locations with Internet Exporer
• I could open the downloaded CRLs
• I could telnet to port 80 of the both webservers
• I could telnet to port 80 manually issue the GET /crl/CRLname.crl HTTP/1.0 command and get data back

O.K. what is going on here… Lets open PKI view, which is now included in Windows 2008 and Vista and can be downloaded for Windows 2000 and 2003.

It seemed that PKI view as in agreement, it too could not download the CRL from the CDP location

PKI view shows "Unable To Download" for both CDP locations

This did sent me on a wild goose chase:

• Microsoft own documentation, clearly blames it on unavailability of the CDP location, something I, by now, had triple checked four times and refused to believe
• This “Network Builders” forum and many others, simply suggest to turn off revocation checking, but that is clearly not a worthy solution either.
• Apparently there is also an issue with serving delta CRLs threw IIS because the + sign at the end of the basename of a delta CRL file leads to so called “double escaping”. I could rule this out by looking at the IIS logs.
• In the end this technet forum post, about OCSP reponders Brian Komar points out:

But, as stated, I would use certutil to get the “best” answer on how is my configuration.
Certutil -verify -urlfetch “certfile.cer” will check *every* CDP and AIA URL (including OCSP) and tell you how they are all doing *at that specific instance in time” since it goes to the URLs immediately.
Brian

I exported the Issuing CA certificate from the certificate database of the Root CA and ran the command against is and this is what I found

E:\>certutil -verify -urlfetch <certfile>.cer
Issuer:
CN=Root CA
Subject:
CN=Issuing CA
Cert Serial Number: 115d5f6400020000000b
<snip>

—————-  Certificate AIA  —————-
Verified “Certificate (0)” Time: 0
[0.0] http://IIS1.domain1local/crl/Root-CA.crt

Verified “Certificate (0)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crt

—————-  Certificate CDP  —————-
Wrong Issuer “Base CRL (13)” Time: 0
[0.0] http://IIS1.domain1.local/crl/Root-CA.crl

Wrong Issuer “Base CRL (13)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crl

<snip>
E:\>

So while PKI view and the other error messages I was getting all pointed to the most common cause, it actually turned out that the CRl did get downloaded, but was not cryptographically relevant to what the system believes is the Root CA certificate.

Root cause

Inspection of the CRLs generated and the Root certificates installed showed what had caused the problem. In order to test the CDP extensions I had reissued the Root CA certificate, causing the Root CA to have three active certificates. Each with a different key.

This CA has three CA certificates

When validating the Issuing CA certificate, validation would end at the last certificate issued, however the CA still signs its CRLs with the key pair of the first certificate.

I guess for me there is nothing left but to reinstall the entire chain.

Together with another 7000 techies, this is a week of planning, running, eating, experiencing all kinds of (new) technologies presented by Microsoft guys.

Feeling some blisters already, because I’m not used to running so much on a day, especially with a Lenovo T500 on my shoulder. The Berlin Messe is a huge place. But the overall sense of the MCE’s is that we are enjoying the sessions. Not all session are that good, but for instance Mark Minasi is good fun to watch and hear.  The food and beverages (very important) are good and plenty.
Technically we are not always that challenged, in many occasions the depth is lacking, but then again, it is a mass-event and not everybody is a (potential) MCE.

On Monday MS presented a Keynote, and all of us were very disappointed. Nothing new, lots of marketing blabla. Cloud computing (Azure) was the keyword here. (Literally, we counted over 100 times them using the word “cloud”.)
Reading back this sounds a bit negative, but in fact, we are having a good time. Discussing a lot about the statements made in the session, exchanging the different sessions we’ve attended, thus learning a lot. Even writing the blogs is a good learning curve. We are all cupfighters, and don’t want to blog rumors and rubbish, so for each post we do a thorough background check.
Berlin sightseeing is mainly done via U and S-bahn, ample time to discover the city (this is in case our bosses are reading this post .

We’re looking forward to the Country drink on Thursday, organized by our employer together with Microsoft (http://www.schubergphilis.com/countrydrink).

If you’re Dutch IT-pro, come and join us there. You will find the Schuberg Philis style of organizing a party is an experience not to be missed!

Next couple of days more sessions, and we’ll keep you posted if we hear some nice things.

Happy scripting!

We will blog during this event, and try to post major announcements, being made during TechEd, on this site as fast as we can. So keep an eye on this site or twitter!

http://www.schubergphilis.com/countrydrink

Now switch to dutch:

Country Drink? Natuurlijk!

TechEd 2009 Berlijn is niet compleet zonder Country Drink. Daarom organiseert Microsoft partner Schuberg Philis speciaal voor de Nederlandse Microsoft IT Pros en Developers een oerhollandse avond.

Donderdag 12 november ben je vanaf 18.00 uur van harte welkom in Club Restaurant Dante: midden in Berlijn en heel goed bereikbaar vanaf de TechEd.

Een Hollandse avond is niet compleet zonder een goede hap en biertjes die je bij onze meegereisde hostesses gewoon in het Nederlands kunt bestellen. Ook meezingers mogen niet ontbreken. Daarom komt Peter Beense, de enige echte Amsterdamse volkszanger, speciaal voor deze Country Drink naar Berlijn om een spetterend optreden te geven.

Het eerste deel van de avond is exclusief voor ons. DJ ENO-C en VJ Ed-Art zorgen voor een relaxte sfeer, zodat je lekker kunt napraten over de afgelopen dagen. Vanaf 23.00 uur, na het optreden van Peter Beense, pakken ENO-C en Ed-Art de draad weer op en stroomt het Berlijnse nachtleven binnen.

En jawel, deze avond krijg je het Microsoft TechEd 2009 t-shirt, hoogstpersoonlijk overhandigd door Tony Krijnen en Daniel van Soest.

We verheugen ons op je komst!

http://www.schubergphilis.com/countrydrink voor meer informatie!

Sorry what do I need to remember?

As allways Google was my friend and pointed me to this post.

The key is the value  WindowPos in this registry key: HKCU\Software\Microsoft\Office\12.0\Outlook\Options\Reminders

If you delete this key from the registry and restart Outlook the reminders window is back to its normal size.

• Organization name
• Agreement number
• Authorization number
• Requester name, telephone, etc
• Product
• Last 5 digits of your KMS key
• Number of additional activations
• And last but not least: A good reason why you need extra activations.

The process takes 48 hours to complete, which means you have to wait that long before your extra activations are available. The first step to activate your KMS key is to register it with:

slmgr -ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

It will tell you the key is valid (or not, but you then have another problem). Then you have to activate it with:

slmgr –ato

When the key is out of activations it will respond with “ERROR: 0xc004c008: the key is valid, but cannot be activated.”

Instead of filing a 2 day taking request you can use a quick workaround:

• Enter the KMS key as the registration key on the KMS server.  (Control Panel – System – Change product key).
• Activate the key. You will get a message the key cannot be registered. Choose activation by phone.
• Call MS activation line. Enter the numbers into the automated response, and you will receive the 8 times 5 new key.
• Enter the numbers and you’re all done, the KMS server will now be activated.

You can check this with:

slmgr –dlv

On the 9th of September, together with the regular MS updates an update for WSUS 3.0 came in: Service pack 2. The first issue we encountered was the fact it was announced as an upgrade. It performs a re-install though. This means you have to reconfigure the basic setup of WSUS. The computer list and grouping definitions are safe in the database. Things like which updates and which language to download will have to be configured again though. Being prepared here by making a note of current settings will help.

We ran into a new issue the next morning. The upgrade of WSUS also upgrades all clients with the Windows Update Agent. This runs flawless on 32 bit windows clients. It causes an issue on 64 bit windows however: two files, NT5IIS.CAT and IASNT4.CAT are replaced, probably by 32 bit versions. When you connect to the console of the server it will tell you about this in the form of a Windows File Protection Error. The choice is yours to cancel this warning and ignore like we did, because it concerns a database server and the files will never be used (NT5IIS for web server, IASNT4 for internet authentication). You could also cancel and replace the files manually from CD or service pack. Fact is that the files copied with this update are dated 25-05-2005, so very old and will most like cause problems when you ever need them.

I thought I’d share this information as I’m sure other people will run into this problem as well. Would be a shame if they had to go through the same cycle!

Overview of Microsoft patches due today by Microsoft

Microsoft is even more vague than usual about the patches it plans to release today.

In this patch announcement Microsoft only states that it plans to release 5 patches.

This is the data currently known:

There is currently no indication as to why Microsoft is not disclosing more details.

Maybe we will learn those details later today.

Since the ATL is widely used it means that a lot of vulnerable software may be out there. Software vendors who used the vulnerable ATL should install the update and release updated versions of their ActiveX controls immediately.

The rest of us should at least install the ActiveX Killbit bypass update ASAP and set killbits as more and more vulnerable controls are discovered.

From: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

List of binaries which are allowed “auto-elevation” :

http://www.withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/

Windows XP Mode on Windows 7 could be used as workaround as well (The smart card is accessible from XP Mode!). But the following requirements must be met for this to work;

• Virtual XP Machine needs to be a domain member
• Have the CLM Client tools installed
• Have the SmartCard middleware installed.

[char[]]”DEFGJKLMNOPQRTUVWXY” | ?{!(gdr $_ -ea ‘SilentlyContinue’)} | select -f 1

The character array containing only valid driveletters (in this example A, B, C, H, I, S and Z are not to be used)  is piped to the where-object cmdlet which uses Get-PSDrive to filter out the non-used drive letters. These are then passed to the Select-Object cmdlet which only displays the 1st match.

Beware: the line above returns only the bare driveletter – no colon is appended.

The full version of Windows 7 Home Premium is priced at $199, with an upgrade from Vista or XP costing $119. The full version of Windows 7 Professional is $299, with upgrades going for $199. Windows 7 Ultimate is priced at $319, with the upgrade version at $219. In what’s perhaps a nod to the recession and increased competition in the software market, the prices are about 10% less than what Microsoft charged for the corresponding versions of Windows Vista when that product shipped in January of 2007.

More here: http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=218101310&subSection=All+Stories

The .Net System.Version assembly offers a CompareTo method which can do the trick, as shown in the figure below.

The CompareTo method will return 1, 0 or -1  depending whether the compare to version  is higher, equal or lower.

Thanks to Shay Levi (see the comment) I now know a better/faster method for comparing version numbers (thaks Shay). PowerShell has its own [vesion] type. This removes the need of loading the assembly and using New-Object. It still allows for using the CompareTo method and direct compare via -ge, -gt, etc.

The CompareTo method will distinguish between the 3 possibilities (>, < or =), but direct comparison might be sufficient in a script.