Tuesday, 14 March 2017

Beating BSides Vancouver 2017 CTF using a search engine

A group separate from the BSides Vancouver organizing team put on a CTF the past two days (archive) with a prize of a four-month SANS Netwars Continuous Subscription. However, it appears that the CTF organizers (who are separate from the conference organizers) have been engaging in some shenanigans with regards to the challenges.


This came on my radar when a TinyCTF challenge from 2014 showed up, and I ended up looking at the other challenges to see what had been done. The ones that were not borrowed from TinyCTF were mostly documentation- or forensics-related, which I assume were created by the CTF organizers.

Challenge Name                           Type    Points  Flag                           Details
Choo Choo!                               Puzzle  50      snc 52                         Link
Fore!                                    Web     250     it's_a_h0le_in_0ne             Link
Undocumented Instruction in x86          Puzzle  75      LOADALL                        Link
BFF..or P?                               Puzzle  100     esolangs_for_fun_and_profit    Link
It's OK to be a CISsy!                   Puzzle  250     3,8,7,4,9,5,6,1,2              N/A
Hail Caesar                              Crypto  50      ITSHAPPENING                   N/A
Crypto for you sir!                      Crypto  100     no_this_is_not_crypto_my_dear  Link
First time flag test                     Crypto  100     hello_world                    Link
János the Ripper                         Crypto  250     ev3n::y0u::bru7us?!            Link
Movie Time!                              RE      100     poppopret                      Link
Ooooh! What does this button do Dexter?  RE      250     w4nn4_j4r_my_d3x               Link
Gandalf!                                 RE      500     s0me7hing_S0me7hinG_t0lki3n    Link
Sound Bites!                             Misc    250     infosec_flagis_sound           Link

The annoying aspect of this is that with 'Crypto for you sir!', the answer you arrive at when you solve it ends up being marked wrong. Here is the ciphertext:

XMVZGC RGC AMG RVMG HGFGMQYCD VT VWM BYNO, 
NSVWDS NSGO RAO XG UWFN AF HACDGMVWF. AIRVFN AII AMG 
JVRRVC-XVMC, FYRBIG TVIZ ESV SAH CGQGM XGGC RVMG NSAC A RYIG 
TMVR NSG SVWFG ESGMG NSGO EGMG XVMC WCNYI NSG HAO FVRG IVMH 
JARG MVWCH NV NAZG NSGR VTT NV EAM. OVWM TIAD YF "CV NSYF YF 
CVN JMOBNV RO HGAM", YC IVEGMJAFG, EYNS WCHGMFJVMGF YCFNGAH 
VT FBAJGF, FWMMVWCHGH XO NSG WFWAI "TIAD" NAD ACH JWMIO 
XMAJGF. GCUVO.

When decoded it comes out as this:

BROKEN MEN ARE MORE DESERVING OF OUR PITY, 
THOUGH THEY MAY BE JUST AS DANGEROUS. ALMOST ALL ARE 
COMMON-BORN, SIMPLE FOLK WHO HAD NEVER BEEN MORE THAN A MILE 
FROM THE HOUSE WHERE THEY WERE BORN UNTIL THE DAY SOME LORD 
CAME ROUND TO TAKE THEM OFF TO WAR. YOUR FLAG IS "NO THIS IS 
NOT CRYPTO MY DEAR", IN LOWERCASE, WITH UNDERSCORES INSTEAD 
OF SPACES, SURROUNDED BY THE USUAL "FLAG" TAG AND CURLY 
BRACES. ENJOY.

You'd assume from that text that you'd want to submit flag{no_this_is_not_crypto_my_dear} as your flag, but nope: get rid of the "flag" and curly braces as well. This lack of flag formatting repeated itself across all of the other answers that were borrowed from TinyCTF.


Now in their defence, they did say in the challenge that you are to submit it without the braces, but why not just write your own caesar cipher? Automated deciphering was used here, so why not just use a generator to create something original?


Of the 2,325 points I list above, 350 were solutions that they likely created themselves--I did not bother attempting the rest of the challenges. In the case of Choo Choo, it was literally watching a YouTube video and looking at the markings on the second train to come up with an answer. Of course, since there were inconsistencies across the flags where you either used underscores or you didn't, and since there were at least three markings on the train, you pretty much stood a good chance of getting it wrong because they only gave you four chances to get it right.


Actually, take away 50 more points, because as I was writing this I decided to look into Choo Choo further and it turns out to have been used for Ghost in the Shellcode. Really, could they not have just looked for some other railfan video? This explains the further flag inconsistencies going on here.




In fairness, there were challenges put in place to allow people from all backgrounds in information security to partake, which explains why you'd get PCI-DSS questions such as whether VoIP is in play in an assessment (which is asked twice) or how to order the CIS controls (CISsy), but then why turn around and ask about undocumented Intel instructions for accessing extended memory?


Reading documentation for a CTF is not unusual but this just reeks of laziness.

At this point I would like to say that I am done covering the problems here, but then it gets worse: even the list of tools they suggest in the CTF are borrowed from AwesomeCTF without any attribution. Granted, the list is licensed in a manner where zero attribution is required, but it just goes to show the level of originality put into how things were being done by the CTF organizers. At least the rules appear to have been written by them.

But since one of the rules is to not share the flags, doesn't that mean that the CTF organizers themselves are breaking their own rules?

Also, how long did they take to put this together? The hints are baffling me.


Almost a year? Surely they could have at least changed the flags or come up with better content than whatever this was. Did they use these challenges for another event? It is my understanding that the same team ran something similar for BSides Calgary.

In full disclosure here, I was previously a conference organizer for BSides Vancouver, and in 2015 I helped coordinate the first proper CTF using challenges we actually wrote ourselves, with anticipated solutions for each of them. I know for a fact that the conference organizers are again not the ones who oversaw the event (I did speak with them about the matter), so blame for the reuse of these challenges should not fall on them.

However, for the CTF organizers, why did you do this? Was this a mistake? How? If you're going to offer up a prize, put some thought and originality into your work.

Friday, 10 February 2017

Running AFL on Bash for Windows

Recently I wrote about using Virtual Machine Manager in Bash on Windows (or Windows Subsystem for Linux, aka "WSL"), and since then I have been playing around with getting other utilities that I use in a native Linux environment to run there.

One utility is American Fuzzy Lop (AFL), a fuzzing tool for finding vulnerabilities within Linux ELF binaries. It has since been ported to fuzz Windows PE binaries natively, but since we're able to run ELF binaries within WSL, why not fuzz them too?

If you're running Bash on Windows and have tried to compile AFL before, you probably have run into this problem:

shmget() failed

This error results from WSL having limitations on shared memory--specifically the lack of /dev/shm. By default, AFL will outright refuse to compile because these system functions simply do not exist.

One of the most recent builds of Bash on Windows includes support for the shared-memory functions that AFL requires in order to compile, namely the following shared-memory syscalls, which are widely used by a number of Linux tools including PostgreSQL:

  • shmctl
  • shmget
  • shmdt
  • shmat
The catch here is that the mainline Windows 10 version of WSL has yet to be updated to address this problem, so you must be in the Windows Insider program in order to reap the benefits of these functions. Once you've enrolled and updated, you can confirm the version of WSL by checking the kernel version with uname.

If you're up to date you should see this version:

Linux mycomputer 4.4.0-43-Microsoft #1-Microsoft Wed Dec 31 14:42:53 PST 2014 x86_64 x86_64 x86_64 GNU/Linux

If you're not up to date then it'll show the following:

Linux mycomputer 3.4.0+ #1 PREEMPT Thu Aug 1 17:06:05 CST 2013 x86_64 x86_64 x86_64 GNU/Linux

Assuming you're successful, you should be able to follow the instructions provided by AFL and begin fuzzing.
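Before building AFL it is worth confirming that the shared-memory calls actually work in the WSL build you are on, rather than finding out from "shmget() failed". Here is an added Python example (neither AFL's code nor from the original post) that classifies the uname release string using the two versions shown above and then exercises the four syscalls listed earlier through ctypes on a segment the size of AFL's default 64 KiB coverage bitmap; the IPC constants are assumed from the Linux headers and the bitmap size from AFL's defaults, not taken from the post.

```python
import ctypes
import ctypes.util
import platform
import re

# SysV IPC constants from Linux <sys/ipc.h> and <sys/shm.h> (assumed, not from the post).
IPC_PRIVATE, IPC_CREAT, IPC_EXCL, IPC_RMID = 0, 0o1000, 0o2000, 0
MAP_SIZE = 1 << 16                       # AFL's default coverage bitmap: 64 KiB
SHM_FAILED = ctypes.c_void_p(-1).value   # shmat() returns (void *) -1 on error

libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
libc.shmget.argtypes = [ctypes.c_int, ctypes.c_size_t, ctypes.c_int]
libc.shmat.restype = ctypes.c_void_p
libc.shmat.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_int]
libc.shmdt.argtypes = [ctypes.c_void_p]
libc.shmctl.argtypes = [ctypes.c_int, ctypes.c_int, ctypes.c_void_p]


def wsl_kernel_has_shm(release):
    """Classify a `uname -r` string by the two builds quoted in the post:
    4.4.0-43-Microsoft (Insider, has SysV shm) vs 3.4.0+ (mainline, does not)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)-\d+-Microsoft", release)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (4, 4)


def probe_sysv_shm(size=MAP_SIZE):
    """Run the shmget/shmat/shmdt/shmctl sequence AFL uses; 'ok' or the failing call."""
    shm_id = libc.shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | 0o600)
    if shm_id < 0:
        return "shmget() failed, errno %d" % ctypes.get_errno()
    addr = libc.shmat(shm_id, None, 0)
    if addr in (None, SHM_FAILED):
        libc.shmctl(shm_id, IPC_RMID, None)
        return "shmat() failed, errno %d" % ctypes.get_errno()
    # Write and read the segment the way afl-fuzz reads the target's bitmap.
    bitmap = (ctypes.c_ubyte * size).from_address(addr)
    bitmap[0], bitmap[size - 1] = 1, 0xFF
    status = "ok" if (bitmap[0], bitmap[size - 1]) == (1, 0xFF) else "read-back mismatch"
    if libc.shmdt(addr) != 0:
        status = "shmdt() failed, errno %d" % ctypes.get_errno()
    if libc.shmctl(shm_id, IPC_RMID, None) != 0:
        status = "shmctl(IPC_RMID) failed, errno %d" % ctypes.get_errno()
    return status


if __name__ == "__main__":
    rel = platform.release()
    print("kernel %s: WSL build with shm support = %s" % (rel, wsl_kernel_has_shm(rel)))
    print("SysV shared memory probe:", probe_sysv_shm())
```

On the older 3.4.0+ build the post describes, the probe is expected to report the failing call instead of "ok".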


I'm still testing it out, but at least we now know that it should compile and run fine on the surface. You will notice that the way the screen is drawn looks a bit wonky while running.

One thing I feel the need to add is if you're using an SSD, AFL is definitely a great way to reduce the lifespan of your drive. Instead, I recommend creating a RAM disk within Windows and then accessing it normally. I have tested ImDrive and it works just fine within WSL.

Friday, 27 January 2017

Anti-virus is worthless

I get a kick out of reading reactions by the anti-virus industry, rose-coloured glasses views from academia, or anecdotes from those who work in the IT industry whenever someone writes a constructive criticism of anti-virus solutions.

Let me put it out there before I go any further, Robert O'Callahan is correct when he says that you should disable your anti-virus solution--unless it came with your operating system such as it does in Windows 10. And for disclosure here: I did briefly work for an anti-virus vendor.

Whenever an argument is made about the value that anti-virus doesn't provide, you are bound to get the following reactions from anyone I mentioned before:

  • [Insert testing programme here] has given [AV product] the best detection rate in the industry for [year]!
  • I use [AV product] and I have never gotten malware.
  • [Software vendors] should open up their APIs to make anti-virus much easier to work with.
  • The anti-virus industry creates the malware.
  • If you went without anti-virus for [period of time] you'll eventually catch malware!
I could go on and on about these reactions but I think this summarizes well the absentmindedness that certain pro-anti-virus persons display:



It's obvious which light bulb a sane person would choose.

Tavis Ormandy has demonstrated extremely well through Google's Project Zero initiative (and before that with Sophail) that anti-virus applications have ticking time bombs sitting within their suites. Remote file retrieval, installing shady remote access tools, improper sandboxing, Node.JS debuggers, and permitting possible collisions in SSL certificates are just a sampling of the nearly five dozen vulnerabilities discovered by one single human being.

That is just what is being published in the open. If you are aware of an anti-virus vulnerability, Zerodium will pay for remote code execution attacks. There have been suggestions that they go for at least $20,000 to $50,000 USD.

So let's pretend for now that the problem of anti-virus typically being poorly coded simply doesn't exist: is it still worth using?



No.

The commonly forgotten trait about anti-virus is that it either has to predict the malware's existence through heuristics or it has to have knowledge of its past artifacts via signatures. Both of these require teams of people to write the protections to handle either approach while at the same time being mindful of the fact that for every detection they make, they could be missing a thousand others. The dirty secret that the AV industry really hates to talk about is how their approach simply cannot scale.

Part of the approach that the majority of the anti-virus industry has opted for to deflect this is to add more value to their product by redefining themselves as "endpoint solutions". In the past decade, we've seen features like application whitelisting, web content filtering, and physical device control added in order to make it seem like the product is more useful than if it was just simply doing AV.

Another angle to take is to come out with outlandish claims that your product can detect everything using some new obscure method that nobody else in the industry has come up with.

This is sort of the approach that Cylance has taken where they claim that their magic algorithm can stop malware even if they haven't seen it before. Unfortunately, there are lots of anecdotes that their product has an extremely high false positive rate which sort of makes sense if they can predict future malware: detect everything and anything without pause. 

However, testing their product and being open about your experience with it is difficult because they require an NDA to get a proof of concept demonstration going in an enterprise environment. In one instance, a friend of mine was demonstrating it, posted about it on an open forum, and apparently Cylance responded negatively, citing the agreement.

This job posting by them reveals a lot however:



I guess all of these contractual restrictions make sense seeing that the engine is likely coded in C#, as suggested in this job posting. The whole anti-virus industry relies on obfuscation of its practices, and that is done either by being closed source, which is really everyone, or by stipulating in a contract that nobody can actually poke around.

No vendor has a better approach than the other; they're all the same. You either have it never firing on actual malware or have it fire on everything as if it were Chicken Little.

So let's make some useful suggestions here on how to actually protect your computer:
  1. Use the anti-virus your operating system provides. If it doesn't have one, don't install one. Likely if it doesn't have one already, it's either a Mac, you run Linux, or your Compaq from 2005 needs to be replaced with something running Windows 10.
  2. Keep the operating system up to date. If Windows 10 rebooting on you is so inconvenient, you're a lost cause--the most recent update lets you defer up to a month by the way.
  3. Install ad blockers and use something other than Internet Explorer or Edge such as Chrome which sandboxes things fairly well.
  4. Don't follow random guides on the Internet to allow you to make changes to your system that somehow make things go "faster". More often than not they're done by people who don't know what they're doing.
  5. Don't use pirated software or pirate any content. Netflix is cheap, Spotify is free if you tolerate ads, and honestly there are tonnes of open source solutions for whatever you need to do.
Don't waste your money or bandwidth on an anti-virus solution that will just create more holes.

Anti-virus is worthless.