It's only been two weeks since I released version 1.2.0 of my SWF reverse engineering tools collection SWFRETools and here is already the next version. This new version 1.3.0 focuses primarily on allowing users to pass command line arguments to Flash Dissector to do useful things like unpack compressed SWF files or dump the content of SWF files to stdout. The latter is very useful because it is easier to understand disassembled ActionScript code when you have it in a real code editor instead of the (still) crude GUI of Flash Dissector. Here is an example of what the output of such a dump looks like.
The official list of changes:
As usual you can download the SWFRETools from GitHub. If you find bugs or want features to be added to the SWFRETools, please open issues on GitHub. I am thankful for any kind of feedback I get.
I have just made version 1.2.0 of my SWF reverse engineering tools collection SWFRETools available for download. This release focused on improving the disassembly quality of ActionScript 2 code after a user reported some issues last Friday. Specifically the changes I made are:
- Feature: Made parsing of files more robust. This became necessary after the recent spike in obfuscated ActionScript code malware.
- Feature: Unknown ActionScript 2 instructions are now shown in the GUI with their action code.
- Feature: In ActionScript 2 code, the jump target of ActionIf instructions shown in the GUI is now the adjusted address instead of the raw relative address. This makes it easier for the user to find out where a jump is going.
- Feature: In ActionScript 2 code, the jump target of ActionJump instructions shown in the GUI is now the adjusted address instead of the raw relative address. This makes it easier for the user to find out where a jump is going.
- Feature: Strings defined in ActionScript 2 ConstantPool actions are now surrounded by quotes to make them more readable.
- Feature: When ActionScript 2 code is shown in the GUI, registers pushed by ActionPush are now easily distinguished from pushed integers.
- Feature: When ActionScript 2 code is shown in the GUI, constants pushed by ActionPush are now easily distinguished from pushed integers.
- Feature: When ActionScript 2 code is shown in the GUI, strings pushed by ActionPush are now easily distinguished from pushed integers.
- Bugfix: In previous versions, the ActionScript 2 actions belonging to a DoAction tag were not shown in the Flash Dissector tree. This has been fixed.
- Bugfix: In previous versions, the ActionScript 2 actions belonging to a DoInitAction tag were not shown in the Flash Dissector tree. This has been fixed.
- Bugfix: The constant list defined by an ActionScript 2 ConstantPool instruction is now better formatted for improved readability.
- Bugfix: ActionScript 2 Push instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 PushDuplicate instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Pop instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Play instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 PreviousFrame instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 RandomNumber instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 RemoveSprite instructions were previously not shown in the GUI.
- Bugfix: ActionScript 2 Return instructions were previously not shown in the GUI.
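To show what several of the list items above mean in practice, here is an added example (my own illustration, not code from SWFRETools) that disassembles a constructed AVM1 byte stream: it resolves ActionIf/ActionJump targets to adjusted addresses (the 16-bit offset is relative to the end of the branch action), quotes ConstantPool strings, marks ActionPush operands by type, and reports unknown actions with their action code. Action codes and encodings follow the SWF specification; the sample bytes are constructed.

```python
import struct

# AVM1 action codes (from the SWF specification) mentioned in the changelog.
NAMES = {
    0x00: "End", 0x05: "PreviousFrame", 0x06: "Play", 0x17: "Pop",
    0x25: "RemoveSprite", 0x30: "RandomNumber", 0x3E: "Return",
    0x4C: "PushDuplicate", 0x88: "ConstantPool", 0x96: "Push",
    0x99: "Jump", 0x9D: "If",
}

def read_cstr(data, pos):
    """Read a NUL-terminated string, returning (text, position after NUL)."""
    end = data.index(b"\0", pos)
    return data[pos:end].decode("latin-1"), end + 1

def fmt_push(data, pool):
    """Render ActionPush operands so registers, constants and strings
    are distinguishable from plain integers."""
    out, pos = [], 0
    while pos < len(data):
        kind = data[pos]; pos += 1
        if kind == 0:                                   # string
            s, pos = read_cstr(data, pos); out.append('"%s"' % s)
        elif kind == 4:                                 # register number
            out.append("register:%d" % data[pos]); pos += 1
        elif kind == 7:                                 # 32-bit integer
            out.append("int:%d" % struct.unpack_from("<i", data, pos)[0]); pos += 4
        elif kind in (8, 9):                            # constant pool index
            if kind == 8:
                idx = data[pos]; pos += 1
            else:
                idx = struct.unpack_from("<H", data, pos)[0]; pos += 2
            name = pool[idx] if idx < len(pool) else "?"
            out.append('constant:%d ("%s")' % (idx, name))
        else:                                           # float/bool/double etc.
            out.append("type:%d (unhandled)" % kind); break
    return ", ".join(out)

def disassemble(code):
    pool, lines, pos = [], [], 0
    while pos < len(code):
        start, op = pos, code[pos]; pos += 1
        data = b""
        if op >= 0x80:  # actions >= 0x80 carry a uint16 length and a payload
            length = struct.unpack_from("<H", code, pos)[0]; pos += 2
            data = code[pos:pos + length]; pos += length
        name = NAMES.get(op)
        if name is None:
            text = "Unknown (0x%02X)" % op
        elif op == 0x88:
            count = struct.unpack_from("<H", data)[0]; p = 2; pool = []
            for _ in range(count):
                s, p = read_cstr(data, p); pool.append(s)
            text = "ConstantPool [%s]" % ", ".join('"%s"' % s for s in pool)
        elif op == 0x96:
            text = "Push " + fmt_push(data, pool)
        elif op in (0x99, 0x9D):
            rel = struct.unpack_from("<h", data)[0]   # signed, relative to next action
            text = "%s -> 0x%04X (rel %+d)" % (name, pos + rel, rel)
        else:
            text = name
        lines.append("0x%04X %s" % (start, text))
        if op == 0x00:
            break
    return lines

# Constructed sample: ConstantPool, Push, If (forward), Pop, Jump (backward),
# RandomNumber, an undefined action 0x7F, Return, End.
SAMPLE = (
    b"\x88\x0a\x00\x02\x00foo\0bar\0"
    + b"\x96\x0d\x00\x08\x00\x04\x01\x07\x2a\x00\x00\x00\x00hi\0"
    + b"\x9d\x02\x00\x06\x00" + b"\x17" + b"\x99\x02\x00\xe5\xff"
    + b"\x30\x7f\x3e\x00"
)

if __name__ == "__main__":
    print("\n".join(disassemble(SAMPLE)))
```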
Happy using and please use GitHub to open tickets for problems or feature requests you encounter. Or alternatively shoot me an email.
Two weeks ago I gave a presentation at SOURCE Boston where I released a new collection of open-source tools for Adobe Flash SWF file reverse engineering. I am developing these tools, called SWFRETools, to help reverse engineers like vulnerability researchers and malware analysts that have to deal with SWF files regularly. Today I have published version 1.1.0 of the SWFRETools on GitHub for everyone to download.
As of right now, the SWFRETools package contains three different tools. The most advanced tool is called Flash Dissector. It is a Java-based GUI tool you can use to inspect the binary content of SWF files. The second tool is a Java-based command-line tool called Minimizer. This tool is useful for vulnerability researchers that have a SWF file that crashes Flash Player and now they want to get rid of all parts of the SWF file that are not related to the crash. The third tool is a primitive Python-based debugger that can be used to hook and trace the Flash Player executable.
Flash Dissector hex view showing the binary content of a SWF file
Flash Dissector code view showing ActionScript 3 code in a SWF file
Recently I became aware that all H-1B salary data is publicly available on the Internet. You can get a very detailed Access database of the salary information and there is even a very nifty web application that allows you to quickly search for whatever salary data you are interested in. Now, these figures are probably the best available resource for figuring out how your salary compares to that of your peers. Unlike salary information from sites like Glassdoor, this salary data is not self-reported but taken directly from H-1B visa proceedings, making the salary figures much more truthful.
I had already played around with the web application a few weeks ago and uncovered a few interesting pieces of data (mostly related to information security jobs, the field I am working in) which I posted on my Twitter but until today I had not had time to actually do further analysis with the Access database.
The first thing I tried was to search for the highest average salaries in the database. I applied additional filters like only counting job titles for each company that had at least three granted H-1B visas for each listed position (to remove outliers like CEOs on H-1B visas making millions of dollars, for example). I also aggregated all statistics over the minimum salary specified for each position in the database. Originally I wanted to work with the maximum salary field but apparently this field is optional and not many positions have it listed. Still, I know that at least for my position (I am in the database too) the maximum salary field gives the amount of money I am really making. To make things simpler for me I also only considered salaries given per year and discarded those given per hour.
Chris Eng and Brandon Creighton of Veracode were first to go up on stage. In the third CanSecWest talk about an Adobe product, they exposed many security issues in ColdFusion web applications. At first they talked about the usual suspects like XSS and SQL injection and what these attacks look like in ColdFusion code. Then they went through a few other issues that are specific to ColdFusion and not existent in other web application frameworks. For me, the funniest part was the incredible number of variables that are supposed to be server-side read-only but are still writable by web applications. This has plenty of potential for all sorts of unintended havoc.
The second talk was about automated pointer analysis by my former co-worker Vincenzo Iozzo and his friend Giovanni Gola. They talked about doing interprocedural pointer analysis with the goal of automatically finding bugs like double-frees. After about five minutes in I got a work-related call that occupied me for the next half an hour. Shortly after I had headed back into the conference room, the fire alarm went off. I already had ReCon 2010 flashbacks but fortunately it turned out to be a false alarm. I can't say I saw a lot about that talk, but I am sure it was good.
The fourth and last talk about an Adobe product came from Richard Johnson of Sourcefire. He described some of the internals of the Acrobat Reader sandbox, the abstraction layer that was introduced in Acrobat Reader 10 to mitigate the effects of Acrobat Reader exploits. He also talked about some of the potential weaknesses in the sandbox, for example how the networking code and the filesystem code are not properly sandboxed, potentially allowing attackers to send file information over the network.
More work-related issues made me miss much of the talk about fuzzing by Dan Kaminsky, Adam Cecchetti, and Mike Eddington. From what I saw they set their fuzzers on applications like MS Office, OpenOffice, and Acrobat Reader and tried to draw conclusions about improvements in product security from the number of exploitable crashes (as determined by !exploitable) they got. The talk itself was pretty entertaining but the methodology they used to draw the conclusions did not always seem to be solid. Several people asked very good questions during the discussion after the talk. In the end, the speakers made their raw fuzzing results data available to everyone in the form of a SQL dump.
Alright, I am back from day 2 of CanSecWest. Even though we started right at 9:00 AM today, surprisingly many people made it to the conference room at the Sheraton Wall Centre on time. I am detecting a disturbing lack of party dedication there. Or maybe all these people were just like me, hoping for a free breakfast. Unfortunately, the free food provided by the hotel gets worse from year to year. Anyway, let's take a quick look at the talks, as today's line-up was amazingly strong.
The day started off with a talk about malware on gaming consoles and mobile devices by DongJoong Ha and KiChan Ahn. They talked about what kind of network attacks are possible by owning some kind of always-connected gaming consoles. They also showed how malicious code can be injected in pirated software to build up botnet capabilities with the help of people that really, really need to get the latest Super Mario game for free. I really enjoyed the talk even though they did not really present new ideas. Rather, they ported known techniques from older devices to game consoles. Still, you can never be wrong talking about game consoles in front of a crowd of nerds.
The second talk was called Dynamic Cryptographic Trapdoors by Eric Filiol. That was the only talk I skipped. Eric is a pretty smart guy and when he talks about cryptography it will fry my brain. I did not need this again. Rather, I went outside to hack away for an hour on my Flash RE tools.
After Eric's talk I went back inside to see Haifei Li's talk about ActionScript 3 vulnerabilities in Flash. He focused on type confusion in the ActionScript virtual machine caused by mismatches between what the ActionScript code verifier verifies and what the ActionScript JIT compiler compiles and executes. Due to my day job I have seen exactly that kind of bug roughly a million times already. Still, Haifei's talk was interesting and it is good to see what kind of work other people do on Adobe stuff.
After lunch (my food quality complaint still applies), Andrea Barisani and Daniele Bianco of Inversepath talked about Chip & PIN cards, which are very popular in Europe. They talked a bit about the Chip & PIN standard, its weaknesses, and potential attack vectors. They also brought some surprisingly small skimming devices to show to the audience. Even though this is not my kind of topic, the talk was the most interesting talk of the day. As part of their presentation, Andrea and Daniele produced a short movie that can only be described as legendary. I have already asked them to upload the video to YouTube but unfortunately they did not warm up to that idea.
The next talk was by Ilja van Sprundel. Oh no, wait. When it was time for Ilja's talk he was not to be found anywhere. Instead, Graeme Neilson went on stage to give his talk first. Graeme talked about different network devices like switches and how to install rootkits on them. As part of his research he took a look at 10 devices from different vendors like Cisco, Juniper, Checkpoint, and others. He then gave three live demos of how fast he can put his own code onto those devices because the network devices lack code integrity checks.
Afterwards it was finally Ilja's time on stage. Unlike the other speakers, he was not content with water. If the man wants beer, the man gets beer. He talked about iPhone security issues but unlike many other researchers he did not focus on iOS but rather on security vulnerabilities on the application level and the iPhone standard library. Stuff like cross-site scripting in default HTML components, format string vulnerabilities, or the misuse of the C-string functions. Unfortunately, Ilja was confused and surprised by the order and content of his own slides once in a while (see photo).
Then it was time for Michael Ossmann to give his talk about Bluetooth hacking. I do not know anything about Bluetooth or hardware hacking in general, so I can not comment on the content of the presentation. However, his slide set design was one of the best I have ever seen at a security conference and his speaking style was very pleasant too. The audience seemed entertained.
The last talk of the day belonged to Marc Schoenefeld. It was a talk about finding font parser bugs with his fuzzer. Most of the time when someone speaks about his awesome fuzzer at a con, he will not talk about the exploitable bugs he has found with it (because he has not found any). Marc did the opposite. He described bug after bug he found in the font parsing engines of the major browsers and operating systems. I have never seen anybody give his talk as tiefenentspannt as he did. It was great. I can only come up with one word to summarize his talk: Telephone.
And now I am off to the Tron-themed conference party!
Random observations of the day:
- Apple and Blackberry tried to game the Pwn2Own rules by releasing OS updates for their devices only days before the contest. Then they sent their biggest nitpickers to the Pwn2Own people to make sure that new OS version was used in the contest. This caused endless delays and much eye-rolling in the audience. All crocodile tears proved useless in the end and both the Blackberry phone and the iPhone fell as usual. No surprises there. More investment in security and less investment in Lincoln-Douglas courses might have helped.
- Google apparently does not have a single PR person here. Why bother if your browser always survives Pwn2Own?
- This is the first conference ever I am attending where my presence has literally no purpose. I am not giving a talk. I am not trying to connect with anyone. I am not giving product pitches or demos. I feel like I am a bum loitering around there.
- Did I mention the food quality already?
It's CanSecWest time again. How do I know? This morning I woke up in a hotel room and when I looked outside it was raining cats and dogs. Usually when I wake up in a hotel room it is in a warm and sunny place. Anyway, once again about 400 (I guess) people interested in computer security gathered in the Sheraton Wall Centre in Vancouver, Canada to meet with friends, listen to amazing talks and make fun of HBGary.
The conference started off very unusually: the agenda was on time. That's quite a change compared to the last few years. Admittedly, the organizers moved the first talk to noon this year to make sure that everybody manages to recover from yesterday's conference dinner and karaoke bar. I had arrived early, at around 8, hoping to score some free breakfast, which unfortunately did not happen today. I used the four hours to chat with old friends, some of whom I was very surprised to meet here.
At noon the talks started. The first talk was by Brad Woodberg of Juniper. He talked about network application level firewalls. Admittedly I know absolutely nothing about application firewalls, so I can not comment on the content of the talk. He is a pretty decent public speaker though. I enjoyed the talk.
The second talk was by Aaron Portnoy and Logan Brown of Hewlett-Packard. They talked about their blackbox reverse engineering approach to the Adobe Shockwave player. They described what they did to triage crashes in fuzzed Shockwave files having no knowledge at all about the Shockwave file format. Using binary instrumentation and a combination of WinDbg and Python, they described how they were able to figure out the custom memory allocator of Shockwave and other important Shockwave internals. At 90 minutes, the talk was unusually long for CanSecWest but worth every minute. They have also promised to make their tools available if people are interested. I will definitely follow up with them to make that happen.
After this talk we had a lunch break and then Pwn2Own began. For the third year in a row, I ventured up to the Pwn2Own room to see what's going on. As usual, this is what happened: some guy sat down at a computer, pressed a few buttons on the computer, and then the Hewlett-Packard people declared him a winner and there was a round of applause. That's it. You don't get to see more if you are in the audience. If you have never been there and think the whole contest is more amazing, I am sorry to disappoint you there. I only stayed for the Apple Safari ownage.
The next talk I saw was about runtime firmware integrity checking by Yves-Alexis Perez and Loic Duflot. This was a continuation of the talk they gave at CanSecWest last year, but this time they focused on the defensive side of firmware attacks. Unfortunately both are not very good at public speaking. I left halfway through the talk to work on some things and talk to people outside the conference room.
Alright, now I am heading out to the conference party. The second day of CanSecWest unfortunately starts at 9:00 in the morning.
Random observations of the first day:
- Of all the vendor booths, Google was by far the most popular one. It was packed with people stopping by the whole day. Only Amazon managed to keep up with them. Maybe it's because both companies gave away really quirky swag and their booths were staffed by people who looked like engineers. The opposite happened at the Rapid7 booth, which was pretty deserted for literally the whole day. That's what you get if you put two suits up there who could not look more like used car salesmen if they tried and you have marketing cards with dollar signs on your table instead of quirky swag.
- Alex Sotirov did live reviews of the talks he saw at http://research.phreedom.org/2011/cansecwest/ . I remember how he told me about this idea at PH-Neutral last year but I never thought he would actually ever start doing it.
- Google Chrome survived the first day of Pwn2Own, much to my dismay.
Last Friday I was debugging random programs I found on my hard drive when I saw this:
Apparently µtorrent is sending lots of unrelated data back to the µtorrent servers when checking for program updates. I wanted to know what. Google was not very helpful. A thread in the official forum was all I found and that thread did not exactly have a lot of information. Apparently I had to figure out things myself.
Unfortunately it turned out that µtorrent is sending a lot more data than can be seen in the screenshot so this little project took longer than originally planned. In fact I am only 90% done but I don't want to put any more time into this. One weekend is already too much time spent on this. So, here's what I figured out.
I'll be on vacation in San Francisco between November 4th and November 17th. If anybody wants to meet up there, please contact me in some way (see the side bar on the right hand side of this page). Possible reasons for hanging out with me include but are not limited to:
To waste some time today I played some Super Mario Bros 3 on my Wii. I only made it through three levels before I reached the first Toad House. Upon receiving the item from Toad I decided to investigate something I've wanted to know for, I don't know, maybe 15 years. How exactly does the game decide what item you receive? I remember as a child that people playing Super Mario Bros 3 did the weirdest stuff in Toad Houses to improve their item karma. Running around, doing weird jumps, whatever.
Anyway, I really wanted to know when the game decides what item you receive and how it decides that. Does the game already know what item you receive as soon as you enter the Toad House? Are the items placed in the boxes when you enter the Toad House? Does it do any other weird stuff?
Good news from the BinNavi front. For one, our GDB Agent, which connects BinNavi with arbitrary GDB servers, is now working on Linux. Since that was the last part of BinNavi which had to be used from Windows, all parts of BinNavi are now usable from Linux. Even cooler news is that we have made the Cisco router emulator Dynamips work with the GDB Agent. It is now possible for users of BinNavi to use the GDB server of Cisco devices emulated on Dynamips. This has a wide range of applications for situations where people had to work with physical devices in the past even though Dynamips would have been sufficient.
Out of the box, the GDB server of Cisco devices is not emulated properly by Dynamips. There were two issues that had to be fixed in the Dynamips code:
I have created a patch that solves these two issues. You can download the patch file here. Once this patch is applied to the Dynamips source code, the GDB server of the Cisco 2600 router I used for testing works like a charm and BinNavi can use the GDB server for debugging the emulated device.
Here are some impressions of BinNavi debugging the emulated Cisco 2600 router.
The first screenshot was taken shortly after attaching to the GDB server. You can see the "trap" instruction at offset 0x8021CCAC. When you attach to the GDB server for the first time, this is where the debugger halts.
Then I single-stepped a few times to leave the function in the first screenshot. The second screenshot shows another smaller function where you end up after leaving the first function.
The third screenshot shows a bigger function. In this function I told BinNavi to record all basic blocks that are ever executed and then I resumed the debugger. The result can be seen in the Trace log in the lower part of the window. The address of each basic block hit during execution is shown there in the order in which the basic blocks were hit. Double-clicking on the trace selects all basic blocks that were hit in the graph. This makes it very easy to get a quick code coverage analysis to see which basic blocks were executed and which were not.