
“Alright, so it’s the ‘ZFon Listener’ that bombs.” Reuben was looking through the Services Control Panel on the VPN server, looking for clues. He opened up Event Viewer, looking through the Application logs first for any errors with their characteristic red circle with an ‘x’ in it. “That’s funny, no errors at all. Maybe in System?” He switched to the System logs, but again nothing.

“You’d think this was a healthy box, looking at this. But it’s been owned twice over in the past thirty minutes,” observed MadFast.

“Yeah, not good. So if this is a root compromise, you don’t even have to clean up after yourself in the logs. By the way, is it possible to write the exploit so that it restarts the service?” Since no error message appeared anywhere on the system, determining whether the compromise was indeed bad enough to gain control of the system would require some sophisticated work. The method to use in this case would be to run something like OllyDbg or IDA Pro on the server, and watch the process that was attacked. If they saw contents of the payload in certain registers in memory, they knew that they could make the system do whatever they wanted.

“Yeah, but only if you can restart the service. Try it.”

Reuben clicked on Start on the Control Panel. A small dialog box popped up, with a progress bar, whose increments filled in slowly. “I don’t think it’s going to start,” Reuben said. “It doesn’t go this slowly and smoothly unless it’s just marking time until it times out.”

“What if you stop the other services?”

“Good idea.” He waited until the attempt failed, and then stopped the other ZFon-related services. Then, one at a time, he started them back up, guessing at which had to come up first based on dependencies. He found that the ZFon Listener service needed to be in the middle of the group. “Ahh, that explains it.” The service started, as did all the others. “Hey, let’s try connecting to this normally now and see what it does.”

MadFast went to the client machine, and opened the VPN client. He connected with it. “I think it works. Wow. Yeah, you can write an exploit for this, if you’re good, that will stop all the services and restart them in the right order. This is really bad. If you can buffer overflow this and run your own code, you can own the box, and do it in such a way that nobody will ever notice that you did it. There won’t be an error in the logs, there won’t be a dead service, there’s just you, owning the box, with a sweet little backdoor of your choosing running on it. Maybe, maybe someone won’t be able to log in for about thirty seconds, but that’s all, and nobody would ever suspect anything based on that.”

Reuben concurred. “Yeah. Now we need to sort out the rest of this. Let’s go through the other packets. I want to reboot this server just in case, so we’re clean. Let’s do this by the numbers and get it finished, then call it a day.” Reuben started rebooting the server.

“Right on.” He loaded the third packet in the sequence, shaking his head at the fact that they were only at the third packet, having found an issue already. “Packet XB1 ready.”

“Wait for it, it’s not up yet.” They patiently waited for the server to stop chunking its hard drive, and Reuben logged in again, repeating the process of launching Task Manager. “Fire.”

They both looked closely. Nothing happened. “Want to reboot between every packet?”

Reuben considered that. “I don’t think two packets that can do damage apart would fail to do anything when used one after the other. So I don’t think so. If we find another weakness like that, we can go back and do a proper reboot to narrow it down. But for now, let’s just go through them and see what happens. In the real world, an attacker won’t be nice enough to let them reboot before attacks anyways, right?”

“Right on. Packet XB2 loaded.”

Reuben checked Task Manager one last time. “Fire.”

Nothing happened. Reuben indicated, “Alright, next packet.” MadFast hit the button to browse and open the next payload.

Reuben’s eyes widened. “What the fuck?”

MadFast turned around quickly. The little green square in the system tray that indicated processor utilization went solid bright green. The processor was suddenly maxed out. “Huh?” He turned to look at his own laptop, and verified that he hadn’t even selected the next payload yet, much less fired it. He turned back and looked first at the server then at Reuben. “What did that?”

Reuben clicked on the Performance tab, and indeed, all of a sudden in the processor utilization graph, the line soared up to 100% and was still stuck there as a plateau, straight as an arrow. “I have no idea. But did we just find something else? And if so, what?”

“What was in that payload?”

“Uh, what was that…B2?” Reuben flipped through his notes on the writing tablet. “That was garbage encoded data, padded out with about half a K of the letter ‘Z’.”

MadFast sat silent for a second, considering. “Waaaitaminit.” He turned back to his laptop, and opened the source code for the app he had written. He went through it, looking for a particular section. “Ah, right on, here it is. Yep, okay, I think I understand what’s happening.”

“Well, fill me in!” Reuben was dying to understand this.

“Um, okay, so it’s like this. The application connects, and waits for us to feed it a payload. In that time the connection is still open, even after the payload. With me so far?”

“Yeah, keep going.”

“Okay, but I knew that if we were to feed it multiple payloads as we tested things, we’d want to do it in separate connections, but I didn’t want to leave them all open either. So I wrote it so that when you closed the app or went to select a new payload, it would close the current connection so it could start fresh and new.”

Reuben thought he was following, but he was missing something, he felt. “Okay, so when you went to open the next payload, it disconnected. How does that figure into this?”

“Simple. They’ve got a process that takes in that encoded data, but it doesn’t check it at all. It just feeds it into a buffer, and waits until the connection closes to try and process it. And when it does, boom! It choked on what you gave it.”

Reuben tilted his head back in understanding, his mouth opening. “Ohhhhhh! Wow. We found ANOTHER problem?” he commented incredulously. “I can barely believe it. This is nuts.”

“Hey, you called it upstairs. You said that if we found one problem so fast there must be others. You were just right, that’s all.”

Reuben ran his hands roughly over his face. “Jeez, I don’t think I can handle this much excitement in one day. Let’s stop here, and write up what we’ve got. Then we’ll go up and tell Bob, and call it a day. I need a break from this, I think, just to keep my head clear.”

Reuben sat down and started jotting down rough notes before he forgot the thoughts. Writing on paper seemed better at times, for certain things. This was definitely one of those times. When he was done, he started typing into Word, putting things in order and making sense of it.

As it turned out, they didn’t have to go see Bob. There was a knock on the lab door, and Bob poked his head in. “I just thought I’d take a look to see what kind of an operation you guys have running here. Mind if I come in?”

The pair smiled at each other before turning to face him again. “Come on in,” Reuben invited. “We found something else.”

“Wh-hat?” This was starting to form a routine now. “Another one?”

“Yeah, this one is different though. It maxes out utilization on the processor. Take a look; it’s still maxed.” Reuben pointed to the monitor.

Bob looked in at it. “This green line that’s up at the 100 percent mark. That’s what you’re talking about? Processor utilization?”

“Yeah. Click on the Start button and see how slowly it pops up. That’ll give you an idea how bad that is.”

Bob tried it, and the Start Menu on the server opened, but very badly and with a jerky delay. “Like my machine at home sometimes. I should have that fixed, I guess. Okay, write this one up too.”

“We’re on it. Then we’re calling it a day, this is just too surreal to handle any more of it today.”

“Sounds good. Oh, by the way, we have a meeting at eleven tomorrow morning, at DoJ, where we met before. It’s just like you wanted, there’ll be representatives from DoJ only, no vendor. And they’re eager to hear what you have to say. I didn’t tell them anything, just that you wanted to talk to them, but I think…I think they know, at least on some level.”

Reuben considered this. “That’s fine. Even if ZFon gets wind that we’re coming in and that we found something, they can’t start trying to undercut it without knowing any details. So we’re good, either way.”

Bob was more serious this time, having worked off the distracting part of being so thrilled earlier. “Get some good sleep, guys. Tomorrow’s a big meeting. And have a drink on me tonight, you did good.” He smiled at them, opening his wallet and handing Reuben a twenty-dollar bill. “Anything else you need?”

Reuben looked at MadFast, who looked back at him, replying “I don’t need anything, I’m good.”

Reuben nodded and turned back to Bob. “Nope, we’re all set. We’ll just finish up our findings thus far, and we’re out of here.” He looked down at the cash in his hand. “Thanks, Bob. We’ll all have to go out some night and celebrate, though. We couldn’t do this kind of work without you making sure we have what we need, and making sure we don’t have what we don’t need, if you get my drift.”

Bob waved his hand. “Ah, don’t worry about it. You guys know what you’re doing. My part is easy.”

Reuben and MadFast both laughed at that. “So, why the hell doesn’t anyone else do it right?” MadFast barely managed to exclaim in his chuckling.

Bob lightly laughed in return as he went to leave. “Have a good night, you two. Get some rest! And I’ll see you tomorrow, here, before we go to the meeting?”

Reuben waved to him. “Yep, we’ll be in by ten.”

“Alright. Take care, guys.”

Washington, DC: Monday,