Category Archives: Security

Debugging the MBR with IDA Pro and Bochs

Analyzing the MBR is sometimes required during a forensic process, if you suspect a malicious activity that is not detected on-line. With static analysis, you may see if an obvious corruption happened, but you will need to debug to learn more.

Prerequisite :

IDA Pro (6.0) with the IDA Python plug-in (1.4.3)

Steps :

Prepare your forensic disk image.
In general, it is that simple :
```
$ dd if=<source> of=disk.img bs=65536 conv=noerror
```
Or :
```
$ ddrescue -n <source> <dest> file.log
```
Check the disk geometry using :
```
$ fdisk -luc disk.img
```
These values will be useful for step 5.
However, if you have an exotic disk, it may be much trickier. For example, I got some geometry errors with a flash disk when using Bochs at step 11. Special thanks to Gene Cumm from the bochs-developpers mailing list who gave me the tip to specify the geometry to dd :
```
$ dd if=input of=output bs=2064384 count=507
```

Refer to CHS if you wonder how to get these values.

Extract the MBR from the disk or from the image you just took.
```
$ dd if=<source> of=mbr.dump bs=512 count=5
```
Download and install the Bochs x86-64 emulator, which comes with a debugger that will work nicely with IDA.
Download this archive from Hexblog (IDA Pro’s blog). We will use two files from there : bochrc, wich is the configuration file for Bochs, and mbr.py which a python file helpful from preparing the debugging environment.
Copy bochrc in your working directory and edit the following line to match your disk image geometry :
```
ata0-master: type=disk, path="sdb.img", mode=flat, cylinders=507, heads=64, spt=63
```
Before going on, you may test that Bochs can use the image with these settings :
```
C:\>"c:\Program Files\Bochs-2.4.5\bochsdbg.exe" -f bochsrc -q
```

In the same directory, copy mbr.py and edit the following settings :

# Some constants
SECTOR_SIZE = 512
BOOT_START  = 0x7C00
BOOT_SIZE   = 0x7C00 + SECTOR_SIZE * 4
BOOT_END    = BOOT_START + BOOT_SIZE
SECTOR2     = BOOT_START + SECTOR_SIZE
MBRNAME    = "mbr.img"
IMGNAME     = "sdb.img"

Now open a console and type :
```
C:\> mbr update
```
With IDA Pro, open the boshrc file. IDA should recognize the format and set the proper settings.
From the menu, open File/Script File and select mbr.py. It will close IDA after execution.
Open again your *.idb file, set a breakpoint at 0x7C00.
Start the debugger.

You should now be able to go ahead and debug the MBR step by step.

References :

Hexblog : Develop your master boot record and debug it with IDA Pro and the Bochs debugger plugin
MISC Magazine #53 : Votre MBR pris en otage ! – Nicolas Brulez (Kaspersky labs)
Bochs User Manual : Chapter 8, Tips and Techniques

A link between Stuxnet and the OpenBSD IPSEC backdoor rumor ?

Found on Full Disclosure, a weired but troubling connection of two security affairs : the OpenBSD backdoor rumor and the stuxnet worm.

ESFS, new perspectives for stenography ?

Tomas Touceda advertised a new project on Full Disclosure.
The idea sounds good, so I will keep an eye on this very interesting project.
Though I would like to know more about the methods that were used for encryption and stenography.

Code and explanations are on the ESFS project homepage.
Beyond the pratical usage, I wonder if it can offer anyhow better resistance to statistical analysis that usually defeat stenography. The author addresses partialy the point on the mailing list:

What I meant with hide is that, since it uses the LSBs, you can pick
any image, and “find data” in them, so it makes it a little bit harder
to know where you actually have data, and if you really do.

To this, a reader named stormrider pointed out an interesting research document (PDF), which is a state of the art of the limitations of stenography and the attacks against it. Is it really a dead-end ?

This is indeed a very interesting field of research.

Ravan, password cracking using Javascript!

Ravan is a new password cracking tool based on Javascript.

Wait, what ? Javascript ? Yes, as the author explains, modern Javascript engines are not so slow anymore, and in addition HTML 5 brings a new “feature” with webworkers which allow the browser to run Javascript in the background (e.g without waiting on the page executing the script).

Combine it with several computers connecting to the same page executing a password cracking script and you get easily quite a powerful distributed password cracker.

Visit this page for more details.

Mitigating Slow HTTP DoS Attacks

Interesting article on the latest Apache and ModSecurity techniques to prevent DoS HTTP attacks.

The attacks are well explained. I personally knew about Slowloris but didn’t about RUDY and post attacks.

Yet OpenSSL renegociation not fully fixed

How the hell is it possible that after so many months, the fix for OpenSSL renegociation has not been yet included in either Chrome (6.0.4) or Opera (10.61)? I haven’t tested other browsers though, except Firefox which at least has fixed the issue since several months.

Phocean.net

Computer Security Blog