The instructor for the course is Nasir Memon with TA’s Dan Guido (me) and Vikram Padman. The syllabus has been finalized and the guest professors as well as their respective topics are as follows:

• Sept 4th — Introduction and CSAW, Dan Guido
• Sept 11th — Source Code Analysis, Dan Guido
• Sept 18th — Reverse Engineering, Stephen A. Ridley
• Sept 25th — Reverse Engineering, Stephen A. Ridley

• October 2nd — Overflows, Dino Dai Zovi
• October 9th — Overflows, Dino Dai Zovi
• October 16th — TAKE-HOME MIDTERM
• October 23rd — Fuzzing, Mike Zusman
• October 30th — Fuzzing, Mike Zusman

• November 6th — Client-side attacks, Dean De Beer
• November 13th — Client-side attacks, Dean De Beer
• November 20th — Web Hacking, Erik Cabetas
• November 27th — Web Hacking, Erik Cabetas

• December 4th — FINAL PROJECTS
• December 11th — hack the planet/show off projects

Students will have to complete one homework assignment every two weeks, a take-home midterm, and do a final project of their choosing. Each two week session will contain one full session of Q&A to review the homework associated with it. Extra credit will be given for participating in CSAW and UCSB iCTF.

Any questions about the course can be e-mailed to me at dguido@gmail.com.

EDIT: The course will be held in room RH227

As far as the creation of the case goes, I didn’t really follow any guides. Pretty much all you have to do is buy a mix of legos and strip a USB stick (leaving only the chip and the metal connector). Then, you have to pick a few legos (I used 3, in two different configurations) the combination of which will house the chip. You need to cut out some of their insides with a box cutter to place the chip. Then, you need to glue them together with 3M glue, fill them with transparent construction silicone and place the chip inside. Finally, you need to place some more silicon on the chip and cover the bottom hole with flat lego pieces. The color of lego pieces matters. Yellow allowed the USB LED to shine through it. Selection of the USB stick also matters – I used “SanDisk Cruzer Micro” which are medium in size and come loaded with U3.

As far as the Hak5 package goes, well, I’m not giving a guide for that. But basically, it works by modifying the U3 binaries and autorun configuration files to execute windows batch files (that are also placed on the same stick) upon insertion of the USB. The scripts provided (payloads) vary form system password stealing to IE history viewing. The information stolen is saved on the stick itself. Alternatively, there is a way to email it to yourself. Anyway, don’t pick these up on the street (not that I would part with any ).

Here is an overview of the items not covered in the previous article:

• The director of software development at Synology contacted me one business day after my ISIS Blogs post. They have already released a firmware update to fix the most critical issues and came up with an “enhancement” plan (security fixes are not enhancements, but I digress) to fix the rest!
• I’ve started developing ARM/Linux2.6 shellcode so I can integrate a Synology exploit into Metasploit. First try: virtualize the firmware inside of qemu. Failed. Second try: install gcc directly on device. So far so good.
• I wrote an FTP request module for Sulley to fuzz the FTP server Synology is using. I haven’t been able to use yet because I hit the built-in connection limit on the FTP server and it starts ignoring me. That is a project for another day.

See the entire deck of slides here: http://cryptocity.net/archive/synology_presentation.pdf

But really, my alterior motive for posting this, was so I could point out this one particularly entertaining paragraph buried in the middle of it:

Now, Senate Intelligence Committee Chairman John D. Rockefeller (D-W. Va.) is said to be discreetly informing fellow senators of the Byzantine operation, in part to win their support for needed appropriations, many of which are part of classified “black” budgets kept off official government books. Rockefeller declined to comment. In January a Senate Intelligence Committee staffer urged his boss, Missouri Republican Christopher “Kit” Bond, the committee’s vice-chairman, to supplement closed-door testimony and classified documents with a viewing of the movie Die Hard 4 on a flight the senator made to New Zealand. In the film, cyber terrorists breach FBI networks, purloin financial data, and bring car traffic to a halt in Washington. Hollywood, says Bond, doesn’t exaggerate as much as people might think. “I can’t discuss classified matters,” he cautions. “But the movie illustrates the potential impact of a cyber conflict. Except for a few things, let me just tell you: It’s credible.”

For the record:

“Except for a few things, let me just tell you: It’s credible.”
- Senator Christopher “Kit” Bond (R-MO) on Die Hard 4

Let me just say this: it seemed like a good choice at the time, and, if I could have trusted the vendor to deploy the software on it properly, it might still be. Here is a short summary of some of the issues I found:

You can skip to the full report here: A Security Audit of the Synology Disk Station Manager (DSM) v2.0-0590 Firmware.

What follows is a complete retelling of how I got here, sort of a lesson in vulnerability disclosure (not so much discovery, you’ll see why). It’s not pretty, I didn’t do all the right things, and it’s kind of long.

I had a lot of free time over Spring break (read: no money to travel anywhere) and so I decided to start “kicking the tires” of the Synology CS407 I owned. My jaw dropped when I got this first nmap scan back:

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  http        Apache SSL-only mode httpd
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
548/tcp   open  afpovertcp?
3306/tcp  open  mysql       MySQL (unauthorized)
3493/tcp  open  tcpwrapped
3689/tcp  open  http        mt-daapd httpd 0.2.4
5000/tcp  open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e)
5001/tcp  open  http        Apache SSL-only mode httpd
5432/tcp  open  postgresql  PostgreSQL DB
50001/tcp open  tcpwrapped

It only got worse when I ran Nessus. And then worse when I got a shell and started poking around the filesystem. Get this: every application on the box is running as root! And all the web apps are written as compiled binaries running in CGI… with root privileges! As a friend in the lab described it, “1996 called, it wants its web technology back!” They weren’t even making it difficult.

This is where things got interesting. I looked around and there isn’t any formal security contact or even a public bug tracker (and they call themselves a Linux vendor!). I’m thinking maybe I can save myself some trouble and get this solved informally, so I made this really scary sounding post on their user support forums with just the results of that nmap scan. I also submitted a technical support request at the same time, pointing to the forum post. Best idea? No. But it was easy. I really didn’t want to write a formal report and submit it. I’m not getting paid for this, and frankly, I’m kind of pissed off that I bought this thing and that I’m stuck with it now.

Two moderators immediately replied to my forum post claiming that there were no security vulnerabilities and that security vulnerabilities were the price we pay for having the coolest NAS out there. I thought these were official representatives of Synology at first and was ready to make a post to full-disclosure after reading their replies.

Then an official response came back from their tech support: log in to the box over SSH (which they don’t provide, I had to hack it to turn it on) and turn off the affected services. They also recommended I put the box behind a firewall… This is why you’re supposed to have a security@ contact, so people like me don’t get stuck with non-tech and sales staff. I said a few specific things in my reply to get my concerns in front of the right people:

1. Ask for this issue to be escalated to a product manager
2. Explain the risks they were putting themselves and their customers under
3. Explain what would happen if they didn’t respond to my concerns (full-disclosure)
4. Included a PDF of a very early draft of my report

That worked. 3 days later I got a response from Synology (still their sales staff) indicating that more than half of the vulnerabilities I pointed out would get fixed in a new release of the firmware due out in 60 days. They denied a number of vulnerabilities, which I explained further and sent back to them.

Then I didn’t hear from them for 9 days. Apparently, my emails were getting stuck in their spam filter (again, vendors, please set up a security@ e-mail)! This went back and forth for a bit and I’ve moved about 90% of the issues into the next release! A handful of more architectural issues were pushed back until a release 6 months in the future. You can’t win them all, but at least they are aware of the issues now.

Back on the forum, I had been getting fairly actively involved by answering security questions from other users. Some intelligent people saw what I was saying and came to my defense when the fanboys attacked what I was saying about their precious devices. Two people even posted that they had delayed or reconsidered buying Synology products because of this discussion! It was really great to hear that, both as vindication that what I was saying was important and that Synology’s management had to take me seriously now. They were actively losing customers due to poor development practices.

How they reacted to this really isn’t surprising in hindsight: they moved all my posts to a separate, special forum, away from potential and current (but mostly potential) customers. Then their moderators started getting fed up that people were still talking about security issues they thought were irrelevant and resorted to character attacks and flaming. I sent an e-mail to my contact on the sales staff that someone representing their company was acting inappropriately and their behavior might be tied back to the company. Synology responded by locking my post.

And that’s the end of that mess.

If you have a Synology product… well good luck! All the problems I found won’t be resolved until 09/2008! And even then, I’m sure there will be more security vulnerabilities. Those compiled binary CGIs are a ticking timebomb. If you don’t already own a Synology product, I suggest FreeNAS. You can install it in a VM and try it before you “buy” it. I’d really like to get my hands on one of NetGear’s ReadyNAS products… anyone with one want to let me poke around it for a bit?

Exploit developers spend lots of time providing R&D services to application developers. In the past this service was provided for free, and value was derived from the relationship in terms of notoriety after a responsible disclosure was made. If you were popping Oracle left and right on full-disclosure you probably made a good amount consulting to large enterprises, giving talks, and doing custom development. I don’t think Fyodor is having any trouble with money right now!

Private vulnerability disclosure came about because security vendors were available to immediately gratify exploit developers with cash. Selling my exploit to ZDI removes the notoriety I’d gain from the relationship, but it adds a Mercedes SL-55. Additionally, ZDI takes on any liability from the disclosure that the individual exploit developer may have had to deal with. I can sell and forget, not worry about legal problems, and go home with a truckload of cash. In my opinion, it’s lazy and anti-social (sadly matching many of our personalities). Of course, this works for the vendor as well: they get to differentiate their product, charge higher prices, establish a brand in the hacker community, and so on.

As an exploit developer I’m now faced with a very [simple] choice. If I develop a high-profile exploit I can face years of difficult consulting to recoup my money, expose myself legally, and directly provide R&D services to an application developer I probably despise or I can directly sell my exploit to a security vendor for a boatload of cash and never have to worry about unwanted attention. The availability and the success of this practice has pushed most of the 0day market underground and the public has started to take notice.

My greatest fear is that private vulnerability disclosure is undermining the respect of our entire profession. The security community at large is starting to take notice that it’s the same people who are privately disclosing critical vulnerabilities on one side and attempting to secure the affected businesses on the other, and they are getting pissed. As time goes on, more people will view us as a dysfunctional and harmful community until it lands in our legislators laps to “make a law”. I don’t think I have to say that this is the last thing we want.

In 2008, we are at a critical juncture. This practice is still just gaining speed. We still have the opportunity to propose something different; something that preserves exploit developers ability to make money and preserves the public’s right to know. Acceptance of private vulnerability disclosure will only continue to rise among exploit developers and security vendors as time goes on. If we wait too long, this will become an unshakable cultural norm that we cannot stop and it will sabotage our credibility to all those who use the computer systems we are supposed to protect. The time to fix this is now.