“A digital cyber attack and defense competition in detecting application security vulnerabilities.”

…but shhhhh! Don’t tell marketing, there is absolutely no defense involved! . I believe that attack has merits on its own, but that is a discussion for another time.

CSAW CTF started out in 2004 as a network-based game with dozens of virtual machines running known vulnerable software. The challenge was to discover and detect these issues and then find or tweak public exploits to work on them. This could have been a good way to run CTF, but we simply couldn’t afford the time to make it work properly. I ended up taking second place to Michael Aiello, now a close friend of mine, that year. Afterwards, Mike and I sacrificed our chances of winning the next year by helping develop the 2005 contest and, along with other members of the lab, changed the game’s format to how it remains to this day.

In CSAW CTF, participants are given a series of challenges divided into different categories and each challenge is worth a specified number of points. In reality, a “challenge” is a small bit of code with a single security vulnerability implanted in it. “Solving” the challenge means exploiting this vulnerability. The challenge spits out a secret password upon completion which the participant can redeem for points on the scoreboard. We relate this to events like the Defcon Pre-quals without the requirement that participants solve easier challenges first to reach the harder ones. We try to keep a similarly wide breadth of categories; this year we had Web Applications, Binary Exploitation, Reverse Engineering, Trivia, and Bug Hunting. If you’re interested in what the challenges were then pay attention to, what will likely be called, the OWASP CTF Project which this year’s CSAW CTF has been donated to. I expect all that to be ready within a week or two and I will definitely make a separate blog post about it.

This year’s CSAW CTF was our largest ever. We had 46 teams, over 150 individual players, and 50 different schools compete in it (all students too!), putting us at one of the largest CTF competitions world-wide. It’s gotten to the point where I can name a few, and only a few, other competitions that are larger than we are.

CSAW08 CTF started at 8pm EST on Friday, September 19th and it quickly become clear which teams would end up in the top 10. MyLittlePwnies, a team of 8 from NPS, methodically solved a majority of the challenges that very first night and got off to an early lead. To my surprise, a small handful of other teams trailed close behind and before the night was over RPISEC passed them by! This was not good news for me because between trying to work out the kinks people were finding and answering questions (it was basically a one-man-show this year), I didn’t have much time to put up new challenges. Let that be a lesson for everyone else planning CTFs out there: always work with a partner, no matter how smooth you think the scoring system is!

As a low-cost way of getting a binary exploitation challenge up, I gave everyone Lurene Grenier’s Advanced WIndows Buffer Overflow (AWBO) #2 to chew on. For a challenge that comes with the warning:

“This next test could take a very, very long time. If you become lightheaded from thirst, feel free to pass out. An intubation associate will be dispatched to revive you with peptic salve and adrenaline.”

… I expected this to buy me some time but 5 teams solved AWBO#2 and some did it within 2 hours. One team even solved it on Vista just because they had no other Windows installations available. Those teams were: TeamTefaye, RPISEC, MyLittlePwnies, teamSparta, and FluxFingers. Congratulations guys, that was really impressive!

The final trivia question for that night was: What does this code do? 31C04089460C89C34089460804048946108D4E08B066CD8089C231
C0C646080266C7460A358289460C8956118D4E08894E154389D980
C10E894E198D4E11B066CD80B0664343CD8031C043894615894619
B066CD8089C331C089460C89C1B03FCD8041B03FCD8041B03FCD80
EB1A5E31C08846098D1E895E0B89460FB00B89F38D4E0B8D560FCD80
E8E1FFFFFF2F62696E2F62617368

Right after I posted it, I made sure to remind MyLittlePwnies since they were asking me for something exploitation or reversing related. Here is my conversation with one of their team members (hint: check the timestamps).

(1:52:15 AM) dan: btw, you saw the trivia right?
(1:53:54 AM) blacksheep: yup, just saw that.
(1:54:34 AM) blacksheep: trivia answer is
(1:55:02 AM) blacksheep: bind port backdoor shell on port 13698 on a linux system with /bin/bash as the shell

I gave them extra points for such a fast answer . The second day ended with RPISEC in first, by a small margin, over Team Tefaye and Pwntatoes in a distant third.

The last day of the competition was a short one, the game was over at 3pm EST on Sunday, September 21st. The only challenges any teams really had time to do were some of the more open-ended ones like the “Client-side Challenge” which I’ll now explain. In the Client-side Challenge, you are taking a class with “Joe the TA” and you really want to break into either his e-mail or his local computer for advance information about tests and homeworks. He handed out his e-mail to you at the beginning of the semester and you know that he logs in to a webmail installation conveniently hosted on the CTF server. “Joe” also tends to click on any link that looks convincing. Teams were given 500 points for access to his mail spool, 1000 points for access to his filesystem, and 400 points if they could persist that access across the “semester” (a rootkit, an email forward, a persistent XSS, etc). Let me tell you, NEVER click on a link from Team Tefaye! Their first try set up an e-mail forward, a persistent XSS, and stole my session cookies while forwarding me to the intended link target described in their e-mail all in a single action. They returned later and trojaned the box for an extra 1000 points. Damn! This finally put Team Tefaye in a solid lead over RPISEC which they were able to maintain until the end of the contest.

Here’s the final scoreboard:

Team Tefaye took first, RPISEC took second, and Pwntatoes took third. The Down Ownerz got the bonus prize for being the youngest team playing. Congratulations guys!

There was a lot of great stuff that went on last weekend and I’m sorry I couldn’t get to all of it in this blog post. If any of the people who played have more to say, post it in a comment.

rgov from RPISEC: “(Bonus: I was able to use cross-site scripting to RickRoll most of the players and some of the organizers.)” Yep, NoScript doesn’t work so well when you whitelist the domain

Rob Escriva from RPISEC: “This weekend I’ll be doing a writeup on a bug I found in the “leaky” challenge of the 2008 CSAW contest.”

I almost forgot, I have a few people to thank for helping out in various ways with CTF: Alicia Bozyk, Aleksey, Dean De Beer, Stephen Ridley, Michael Aiello, and Eric Hulse. Thanks guys!

Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006

View the full library of awareness poster images here.

Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!

Our website with descriptions of the contests as well as winning entries from previous years is located here: http://isis.poly.edu/csaw

Also to note: many of the makers and hardware hackers in this crowd will be happy to know that we have a new embedded systems challenge this year. Check it out!

I’ll talk about some of the challenges I went through, but if you’re really interested in these kinds of things you should compete in one of the capture the flag competitions that I developed for these upcoming events:

• NYU-Poly’s Cyber Security Awareness Week – A yearly event for students that our lab puts on. Compete in 7 different information security competitions for prizes! If you win, we’ll pay for you to come to NYC and collect your prize!
• OWASP AppSec NYC – A 2-day web application security conference taking place downtown this September. There will be a web capture the flag contest, also with prizes. Everyone is welcome to play and challenges will be accessible to beginners and experts alike!

Now about HOPE/Packetwars CTF…

(many details are witheld as I’m unsure whether they reuse contest images for other events)

All the challenges were time-limited and you could only play them solo. This was awesome and is something I’m considering for the CTF’s that I run (OWASP and CSAW). I wouldn’t have played CTF if I knew I was going to miss 3 days of my life but 30 minutes was easy to give up.

The CTF was split into 3 rounds where the first round was a qualifier. The objective was to find all the hosts in your network and enumerate their services. It sounds simple but some services were specifically tuned to throw off nmap and pf and tcpwrappers were playing tricks on you. Still think it’s easy? Try building new tools (who really carries around more than just nmap?), figuring out how pf/tcpwrapper are protecting the services, bypassing that protection, and then scribbling down everything you know on a 3×5 index card (yep, an index card) in 30 minutes!

I started off the first challenge without realizing that we were being graded partially based on how fast we handed in our answers. I ended up in 7th place and just barely qualified for round 2 because of that! I don’t think anyone else got more information than me, but they all handed it in faster. Oops!

The Packetwars guys hinted that the later rounds would be based on the first, so Friday night I researched a few things about OpenBSD, ssh, dig, and tcpwrapper that might (did) help me out the next day.

That worked great, because round two was a .NET web application (a shopping cart) running on Windows. They gave us no direction and just told us to find the hidden codes inside it in 1 hour. “Awesome,” I said, “my day job is spent doing web security testing, I am going to blow everyone out of the water on this one”… The freakin’ app had Fortify Defender (a Web Application Firewall) in front of it and it caught every code injection, SQL injection, and session manipulation attack I tried! I figured they must be asking us to look for logic bugs, leaking credentials in the comments (gasp!) or something else lame like that. 2 clicks later, I used WebScarab’s “Fragments” tab to find the administrative credentials. Go me for thinking like a CTF developer!

So now I’m hard at work on the admin interface trying to steal money from other users and trying to buy things with my ill-gotten funds, reading other user’s shopping carts, and locking out my competitors. I tried to violate every single item in their security model. Some of it worked, most of it didn’t, but I couldn’t find those codes! In my last act of desperation, I started fuzzing every variable I could find with Burp Intruder. Time ended up running out and I never found anything, but luckily no one else did either.

After the second round was over they explained that all they wanted us to do was XSS the front page o_0. WHAT!? Who was there to XSS!? Ourselves!? Sheesh, I really overthought that one. I blame Erik for only teaching me how to 0wn the living daylights out of web apps (no cursing on the blog ). When they started looking through packet logs, they unanimously decided I won that round.

Round 3 was back to OpenBSD and was very similar to Round 1. The objective was to gain access to as many of 3 machines you could and to maintain that access. We had 2 hours. Since this one was a little longer and a little deeper, my explanations are abridged.

Problem #0 – There was a firewall between me and the targets and it wasn’t making it easy to even find the hosts. This resulted in lots of panicked mashing on keys and liberal use of the command history but I got around it soon enough. Bigger problems followed.
Problem #1 – All 3 machines were recent versions of OpenBSD (3.9+) which meant no scalp exploit and no sshutup-theo exploit.
Problem #2 – All 3 machines were running on Sparc which meant that, even if they were vulnerable to CORE’s mbuf exploit or mod_ssl’s SSLVerify_CRL() vulnerability, there was no chance I’d ever get working shellcode, especially not in 2 hours without a test platform.

So I gave up on ever getting remote code execution. How familiar that it was down to misconfigured services and weak passwords! Some services were still messing with nmap, but that wasn’t a problem since I had amap and a few protocols memorized for netcat. One or two services were tcpwrapped and played the same tricks as before, but I couldn’t seem to find the correct IP to authenticate with and those services remained inaccessible to me throughout the round. I used DirBuster to attempt to identify usernames on host 1, used dig to do a zone transfer out of host 2, and used the [previously unknown] DNS name for host 3 to talk to its FTP server. The FTP had a 15 second delay before displaying a USER prompt, so brute forcing it was impossible. The only other service I had to brute force was SSH, so what the heck, I went after it. I used 6 py_sshbrute threads to brute force the passwords for “root” and “hacme” (their domains were *.hacme.com) with john’s password.lst. It was right about this time that someone with Nessus managed to crash the SMTP, POP3, and HTTP daemons on a few of the hosts. SMTP and POP never came back up AFAIK (note to CTF developers: always have a console on your vuln box during the contest!).

It was now about an hour into the round and, as I was flailing about trying random attack after random attack, I took detailed notes on my index cards about what I had done so far and why. I didn’t think anyone else was going to get a shell on any of the boxes unless they got incredibly lucky and I thought the index cards would determine who won. Another 45 minutes went by and I discovered a few more things but nothing that gave me a shell. I spent my last 15 minutes writing down an epic 0wn strategy I could have tried had we been given more time.

Time ran out, no one got any shells, and they used the cards to determine the winner combined with weightings from Round 2. It pays off to carefully listen to and follow the rules .

After they announced the winner we all sat around in a circle and discussed the challenges. One of the guys from the Packetwars team actually told me, “We were running an old, almost 2 years old, version of OpenBSD with remotely exploitable services!” I’m sorry guys, no one is dropping fresh exploits or giving you big-endian shellcode for your CTF . One guy also fessed up to running Nessus and bringing down said services heh.

Tools I used at some point: DirBuster, py_sshbrute, bash, Brutus, dig, w3af, THC-AMAP, netcat, john, Burp Suite, WebScarab, my brain, maybe some other ones…

All in all, I had a fun time and I would absolutely play in Packetwars CTFs in the future. Even though nothing was as epic-ly hacked as I wanted it to be, the time limits and varied challenges kept me from getting too frustrated. I was able to take away a lot of little techniques that I’ll be able to integrate into my own CTFs in the future. Thanks everyone!

If you made it this far, let me reiterate: play in the CTFs that I run! OWASP AppSec NYC CTF and CSAW CTF are both coming up in September.

On another note, I wasn’t the only one who won it big this weekend. Former ISIS member, Michael Aiello got a video interview on CNET news about his RFID-blocking apparel! Check out the video, he is wearing one of our shirts from HOPE 6 .

“Michael Aiello, president of DIFRwear, demonstrates at Last HOPE how easy it is to swipe the data off someone’s RFID-enabled credit card, building access badge, or passport from a few feet away. DIFRwear sells wallets and cases to protect cards from data thieves.”

I’ll show up in the lab and hook up our gigantic LCD TV to show a different video each week and host a discussion. Afterwards, I’ll do a review of each meeting on this blog. We will default to a FreeBSD Kernel Internals DVD course if no other videos are suggested (I need to brush up on my Operating Systems). If you have a specific video you’d like to see/discuss from Defcon, ShmooCon, HITBSecConf, Blackhat, RECon, or elsewhere then please suggest watching it!

Meetings will take place in the ISIS Lab (Room 219) located in Polytechnic University. The street address is 6 Metrotech Center, Brooklyn, NY 11201. If you’re not a regular, then I’m going to need to sign you in so call the lab phone at (718) 260-3986 when you get here (regulars get the sekret c0deword). I’ll keep a bunch of menu’s in the lab and we’ll make an order for takeout shortly after everyone gets here.

This event is open to the public (duh) so please invite your friends. Send all comments, suggestions or videos you’d like to watch to me, Dan, at dguido@gmail.com.

The first meetup is this Wednesday, May 14th. See you there!

Add this event and others to your calendar: ISIS Meetings.

Let me just say this: it seemed like a good choice at the time, and, if I could have trusted the vendor to deploy the software on it properly, it might still be. Here is a short summary of some of the issues I found:

You can skip to the full report here: A Security Audit of the Synology Disk Station Manager (DSM) v2.0-0590 Firmware.

What follows is a complete retelling of how I got here, sort of a lesson in vulnerability disclosure (not so much discovery, you’ll see why). It’s not pretty, I didn’t do all the right things, and it’s kind of long.

I had a lot of free time over Spring break (read: no money to travel anywhere) and so I decided to start “kicking the tires” of the Synology CS407 I owned. My jaw dropped when I got this first nmap scan back:

PORT      STATE SERVICE     VERSION
80/tcp    open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e PHP/5.2.0)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
443/tcp   open  http        Apache SSL-only mode httpd
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
515/tcp   open  printer
548/tcp   open  afpovertcp?
3306/tcp  open  mysql       MySQL (unauthorized)
3493/tcp  open  tcpwrapped
3689/tcp  open  http        mt-daapd httpd 0.2.4
5000/tcp  open  http        Apache httpd 2.2.3 ((Unix) mod_ssl/2.2.3 OpenSSL/0.9.7e)
5001/tcp  open  http        Apache SSL-only mode httpd
5432/tcp  open  postgresql  PostgreSQL DB
50001/tcp open  tcpwrapped

It only got worse when I ran Nessus. And then worse when I got a shell and started poking around the filesystem. Get this: every application on the box is running as root! And all the web apps are written as compiled binaries running in CGI… with root privileges! As a friend in the lab described it, “1996 called, it wants its web technology back!” They weren’t even making it difficult.

This is where things got interesting. I looked around and there isn’t any formal security contact or even a public bug tracker (and they call themselves a Linux vendor!). I’m thinking maybe I can save myself some trouble and get this solved informally, so I made this really scary sounding post on their user support forums with just the results of that nmap scan. I also submitted a technical support request at the same time, pointing to the forum post. Best idea? No. But it was easy. I really didn’t want to write a formal report and submit it. I’m not getting paid for this, and frankly, I’m kind of pissed off that I bought this thing and that I’m stuck with it now.

Two moderators immediately replied to my forum post claiming that there were no security vulnerabilities and that security vulnerabilities were the price we pay for having the coolest NAS out there. I thought these were official representatives of Synology at first and was ready to make a post to full-disclosure after reading their replies.

Then an official response came back from their tech support: log in to the box over SSH (which they don’t provide, I had to hack it to turn it on) and turn off the affected services. They also recommended I put the box behind a firewall… This is why you’re supposed to have a security@ contact, so people like me don’t get stuck with non-tech and sales staff. I said a few specific things in my reply to get my concerns in front of the right people:

1. Ask for this issue to be escalated to a product manager
2. Explain the risks they were putting themselves and their customers under
3. Explain what would happen if they didn’t respond to my concerns (full-disclosure)
4. Included a PDF of a very early draft of my report

That worked. 3 days later I got a response from Synology (still their sales staff) indicating that more than half of the vulnerabilities I pointed out would get fixed in a new release of the firmware due out in 60 days. They denied a number of vulnerabilities, which I explained further and sent back to them.

Then I didn’t hear from them for 9 days. Apparently, my emails were getting stuck in their spam filter (again, vendors, please set up a security@ e-mail)! This went back and forth for a bit and I’ve moved about 90% of the issues into the next release! A handful of more architectural issues were pushed back until a release 6 months in the future. You can’t win them all, but at least they are aware of the issues now.

Back on the forum, I had been getting fairly actively involved by answering security questions from other users. Some intelligent people saw what I was saying and came to my defense when the fanboys attacked what I was saying about their precious devices. Two people even posted that they had delayed or reconsidered buying Synology products because of this discussion! It was really great to hear that, both as vindication that what I was saying was important and that Synology’s management had to take me seriously now. They were actively losing customers due to poor development practices.

How they reacted to this really isn’t surprising in hindsight: they moved all my posts to a separate, special forum, away from potential and current (but mostly potential) customers. Then their moderators started getting fed up that people were still talking about security issues they thought were irrelevant and resorted to character attacks and flaming. I sent an e-mail to my contact on the sales staff that someone representing their company was acting inappropriately and their behavior might be tied back to the company. Synology responded by locking my post.

And that’s the end of that mess.

If you have a Synology product… well good luck! All the problems I found won’t be resolved until 09/2008! And even then, I’m sure there will be more security vulnerabilities. Those compiled binary CGIs are a ticking timebomb. If you don’t already own a Synology product, I suggest FreeNAS. You can install it in a VM and try it before you “buy” it. I’d really like to get my hands on one of NetGear’s ReadyNAS products… anyone with one want to let me poke around it for a bit?