
Tuesday, 17 January 2017

The first 2017 Faraday Release is here!

We are very proud to present the first 2017 edition of the Faraday Platform! Faraday v2.3 (Community, Pro & Corp) is ready to download!


Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real time without the need for a single email. Developed with a specialized set of functionalities that help users improve their own work, its main purpose is to re-use the tools available in the community and take advantage of them in a collaborative way! Check out the Faraday project on GitHub.


Some of the features added to this version require that the update parameter is present the first time the client runs after updating, like this:
python faraday.py --update


New workspace comparison graphics





New report templates

Enjoy our professional-looking Executive Report templates and modify them as you wish!
We added a findings index so you can get a quick view of what was found during the assessment before diving into the full report.

New API documentation

Our API for communicating with Faraday Server now has documentation. You can find it in /persistence/server/docs/_build/html/index.html.


Corp changes

• Improved the Workspace Comparison feature by adding several graphics.

Pro & Corp changes

• Added a login dialog when GTK is run without the login argument.
• Added a template to create an Executive Report with grouped vulns.
• Added the ability to edit and copy Executive Reports.
• Added the ability to select a template for the Executive Report.
• Fixed Executive Report delete button behaviour.
• Fixed issues with new lines in MS Office.
• Fixed a bug that was overwriting the vuln owner when editing.
• Removed 'unclassified' conditionals from Executive templates.
• Fixed update without credentials; added the ability to log in.

Community, Pro & Corp changes

• Added an activity feed panel in the Dashboard.
• Added Hping plugin.
• Enhancements to the Wpscan plugin.
• Added IBM AppScan plugin.
• Improved Burp's Online plugin: added fields and removed HTML tags.
• Refactored the remaining modules to be compatible with JS Strict Mode.
• Fixed a bug that prevented GTK from closing when the user clicked CANCEL on workspace creation.
• Fixed the size of the Workspace creation dialog.
• New CWE databases: English and Spanish.

We hope you enjoy it, and let us know if you have any questions or comments.

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec

https://forum.faradaysec.com/

Wednesday, 14 December 2016

Top 10 Best Security Tools of 2016



We want to close 2016 by making a very special goal come true, and you can help us!

Once again ToolsWatch gives its readers the opportunity to vote and build their own ranking of the 10 best security tools of the year.

We are so happy to have Faraday, our Integrated Multiuser Pentest Environment and vulnerability management platform, among the solutions you can vote for to update this Top 10 list, and our last special wish to close 2016 is to be there.

If you have been trying and working with Faraday and you find it useful, effective and great, and if you feel like selecting it as one of your favorites, we ask you to vote and help us become part of the Top 10.

The vote closes January 31st 2017 and the results will be published in February. You can find all the information here.

A special thanks to ToolsWatch for creating this big opportunity, and another thanks to you for voting for us.


Did you know that we just released Faraday v2.2? Try it, enjoy it and be prepared for 2017, when we'll come back reloaded.

Wednesday, 30 November 2016

Infobyte returns to OWASP APPSEC


Each month of 2016 has been an opportunity to grow and learn. We have been working, traveling and presenting Faraday (our Integrated Multiuser Pentest Environment) around the globe.

November will not be an exception, because we are travelling to Montevideo, Uruguay to participate in OWASP APPSEC RIO DE LA PLATA 2016, one of the best application security conferences in Latin America.

Overview

This year the event will take place December 1st - 2nd, 2016 in Montevideo, Uruguay, bringing together more than 26 qualified speakers and first-class experts who will showcase their research and innovative ideas on many topics related to software security.

If you go, you will find impressive trainings and talks shared by the best specialists! OWASP APPSEC is a reunion of Latin American Information Security leaders where they will show advanced trends, making it a very special opportunity to learn and share together.

Our Chief Operating Officer, Martin Tartarelli, and one of our main Security Researchers, Alejandro Parodi, will give the main training on MOBILE SECURITY (December 1). In this course you will be able to see the most-used mobile device attacks (based on the OWASP Top 10 Mobile) in a practical format, with demonstrations and technical details to understand each failure and learn how to remedy it. It is aimed at developers, technicians, security analysts, auditors, students and anyone enthusiastic about software and mobile security.

(Important: this training will provide a VirtualBox image to carry out the practical exercises, so you should bring your laptop if you want to participate in them.)

At the same event, Alejandro will also present a talk on the second day about MOBILE SECURITY WARNINGS. It will be on December 2nd at 8:30 AM.

So, if you will be in Montevideo and would love to learn about the best topics and trends in software security, we hope to see you there and enjoy this impressive conference.

Montevideo, here we go!
OWASP APPSEC RIO DE LA PLATA 2016
The Best Application Security Conference in Latin America
1st - 2nd December 2016
ANTEL TOWER - MONTEVIDEO, URUGUAY
appsecriodelaplata.org

Friday, 25 November 2016

Happy Black Friday 2016!


Everyone loves Fridays, and even more when they bring us special prices on our favorite things! This year, our whole team has been working to offer you many exclusive promotions on this big day. Enjoy, Black Friday is here!

Starting today, from Friday to Monday, you can combine Faraday v2.2 and the most popular commercial tools with an exclusive discount of 40% off. Yes, you read that right! You can find Burp, Netsparker, Acunetix, Qualys, Core Impact, Immunity Canvas and other great solutions all gathered in one place and at this special price.

How does it work?

It's simple! You choose Faraday Pro or Faraday Cloud and add one more tool to the list to purchase. Use this chance to pick your favorite! Acquiring and combining tools is essential to optimize your work and professionalize your security audits.

Certifications too!

If you have been looking to upgrade your knowledge and improve your skills, this promotion is ideal for you, because the exclusive discount is available for security certifications such as CEH or CHFI as well.

All you have to do is visit our Faraday App Store and choose one. You will see the discount applied when you check out.

For any questions or comments, please contact us by writing to sales@infobytesec.com and our team will help you.

Have a nice Black weekend :)
Faraday Crew


Thursday, 10 November 2016

Faraday debuts in Japan



October was definitely a hectic month, to say the least! In addition to organizing, participating in and enjoying the Ekoparty (the biggest security conference in Latin America, with workshops, challenges and great talks), we continued presenting Faraday around the world. This time, we traveled to Japan for AV Tokyo 2016.

This event brings together the Japanese computer security community at a special conference. Prior to 2007, AV Tokyo used to be a more chilled-out party after Black Hat Japan, with the goal of networking and exchanging information. But from 2008 it took on a life of its own and became a full-fledged conference open to the public.

With the slogan "do not drink, do not hack", AV Tokyo 2016 took place October 22nd in Tokyo, Japan, and there we presented and shared the latest version of Faraday, our integrated collaborative risk environment that maps and leverages all the knowledge generated in real time. Did you know that we've already integrated all your favorite pentesting tools? Visit the Faraday Appstore for more information.


In a relaxed atmosphere, we showed our latest advances and improvements, and at the same time we were able to enjoy a couple of beers and sake afterwards. Work and fun at the same time! Is there anything better? It was a great opportunity for us and we are happy to have been able to participate.
Thanks Japan for welcoming us, and thanks to all of you for supporting each new improvement.

Cheers and beers!

For more information about Faraday and to learn about our services, please contact us by writing to our sales team at sales@infobytesec.com.


See you next time!



Monday, 7 November 2016

Releasing Faraday 2.2

Faraday v2.2 Community, Pro and Corp editions are ready now!


Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real time without the need for a single email. Developed with a specialized set of functionalities that help users improve their own work, its main purpose is to re-use the tools available in the community and take advantage of them in a collaborative way! Check out the Faraday project on GitHub.

This release features a brand new library to connect with Faraday Server!

Managing vulnerabilities is now easier in Faraday!

Status and creator fields

A simple change can go a long way: we added two new ways of classifying the issues stored in Faraday.

With the new update it is now possible to check the status of an issue: opened, closed, re-opened or risk accepted.

If you set a vulnerability's status to closed and the same issue is found again when you later re-scan the target, the status automatically changes to re-opened, giving you a more granular view of your scan results. This is perfect for remediation retests, helping you quickly understand what is still vulnerable.

Also, issues created by a specific tool can now be filtered and sorted, a great way to see where the information used during an engagement came from.

For example, as we can see in the following screenshots, we have three different issues that are closed [1]. After we import a Nessus scan, the issues are marked as re-opened [2], indicating that the vulnerability is still present in the latest scan.
1. Closed issues

2. Re-opened by Nessus scan import


Corporate Changes:

• Added a message to configure the Webshell: a descriptive message for users who don't have the Webshell properly configured
  Webshell configuration message

Professional & Corporate Changes:

• Updated EULA
• Fixed typo in Executive Report modal

Community, Pro & Corp Changes:

• New library to connect with Faraday Server
• Fixed Fplugin; it now uses the new library to communicate with the Server
• New fields for Vulnerabilities: plugin creator and status
• Refactor in Faraday Core and GTK Client
• Bug fixing in Faraday Client and Server
• Added Faraday news notifications in GTK and Web UI: now you can get the latest Faraday news through your interface of choice
  News boxes example in the Web UI
• New plugins: Dirb, Netdiscover, FruityWifi, Sentinel
• Improvements to the WPscan plugin
• Fixed Licenses search: a bug disabled the option to search for licenses; it is now fixed and full-text search is enabled in the Licenses component
  Licenses search
• Refactored the Licenses module to be compatible with JS Strict Mode: in our efforts to improve the existing Web UI codebase we refactored this component so that it runs under JavaScript Strict Mode

We hope you enjoy it, and let us know if you have any questions or comments.

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec

https://forum.faradaysec.com/

Monday, 24 October 2016

Find trainings and certifications in the Faraday App store



Upgrade your knowledge

A couple of months ago, we presented the Faraday App store, our virtual market where we have compiled and offer what we think are essential security tools, at an exclusive price and with special promotions. Today, we are happy to announce that on the Faraday App store you not only have your favorite tools but also the chance to acquire many of the main trainings and security certifications, all from one place!

Give a warm welcome to EC-COUNCIL iClass
Once again, we join forces with a reputable industry partner to offer you more options and services, facilitating your purchases from a single platform. From now on, you will find training options and certifications for:
IT Security Management: Certified Chief Information Security Officer
Ethical Hacking: Certified Ethical Hacker v9
Pen Testing: Certified Security Analyst/Licensed Pen Tester
Computer Forensics: Computer Hacking Forensic Investigator v8
Computer Security Incident Handling: Certified Incident Handler
Secure Programming: Certified Secure Programmer .Net
Core Concepts: EC-Council Core Concepts
Security Awareness: Certified Secure Computer User.
Training Methods: iLearn (Self-Paced) / Live, Online, Instructor-led / Courseware Only (Self-Study)

Here you will find training options for Ethical Hacking, Computer Forensics, Pen Testing, Incident Handling and a variety of IT Security courses. For more information, please visit https://iclass.eccouncil.org/

Visit the Faraday app store and get Exclusive Benefits
Faraday and iClass have joined forces to offer a 15% discount to customers who buy both products. This discount is also available to any users or companies already using one of the products who want to start using the other. For more information, ping us at sales@infobytesec.com
Really, you still haven't tried Faraday 2.1? You can find out more here:

Monday, 3 October 2016

A tale of a DNS packet (CVE-2016-2776)

Introduction

For a number of years now, BIND has been the most used DNS server on the internet. It is the standard name resolution software on UNIX platforms and is used in 10 of the 13 root servers of the Domain Name System. Basically, it is one of the main functions of the entire Internet.

With this in mind, it isn't every day that someone finds a vulnerability (CVE-2016-2776) rated HIGH in one of the most used services on the internet (https://kb.isc.org/article/AA-01419/0).

Tests done by ISC (Internet Systems Consortium) uncovered a critical error when building a response. Additionally, the advisory in ISC's knowledge base acknowledges that an attacker can exploit the vulnerability remotely, which is probably why it received a HIGH severity score.

One thing that caught our attention in the ISC advisory was the following quote:
This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query')
We decided to spend a little time investigating the main cause of this error, with the goal of finding the root cause of the Denial of Service.

Identifying the modifications

Following the tradition of finding errors in software that humanity depends on, CVE-2016-2776 came to light. With details of the problem basically nowhere to be found, nor of what the mysterious "Specifically Constructed Request" was, we decided to see exactly what was modified in the Bind9 repository.
In the diff of the fix, the most interesting change is found in dns_message_renderbegin().


Just by looking at the fix we can guess that there is undefined behaviour when r.length < msg->reserved is FALSE but r.length - DNS_MESSAGE_HEADERLEN < msg->reserved is TRUE. Having noticed this, it's worth investigating the program's state when the following condition holds:

not (r.length < msg->reserved) and (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
(r.length >= msg->reserved) and (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
r.length - DNS_MESSAGE_HEADERLEN < msg->reserved <= r.length

Now let's see what we can do to make that happen. Looking at dns_message_renderbegin(), we note that r.length describes the space available in the isc_buffer_t buffer where the server's response will be written. It is calculated as buffer->length - buffer->used.
Depending on how we craft the query, we can make sure that r.length is a known value: it will be the maximum size a response can have, since nothing has been written to the buffer yet (after all, we are in dns_message_render***BEGIN***()).

In our case, we can ensure that it is 512, the standard maximum size of a UDP DNS response. Knowing that DNS_MESSAGE_HEADERLEN is the constant 12, if we can make 500 < msg->reserved <= 512, we create the context that motivated the fix.

So, what is msg->reserved?
In lib/dns/message.c we can see that it is a field indicating how many bytes we wish to reserve in msg->buffer for later use, and that it can only be manipulated through dns_message_renderreserve() and dns_message_renderrelease(). The interesting part is how this purpose is achieved: dns_message_rendersection() modifies the internal state of msg->buffer, or to be precise msg->buffer->length, with a noble intention: make later manipulation attempts on that buffer believe that its size is smaller than it actually is.




The famous buffer.c

If you were able to follow us this far, you are probably asking:
• What does the lib implementation do to manipulate isc_buffer_t?
• Who, then, is the famous buffer.c?
Each exposed function has a large number of assertions about isc_buffer_t to ensure that things are working properly and to avoid potential memory corruption bugs. It's important to carefully consider the rest of the isc_buffer_t state before changing it. Since the published CVE describes an assertion in buffer.c, there clearly exists a context where msg->reserved leaves the isc_buffer_t structure invalid, and the process aborts on a later call to some function in buffer.c.


Doing the POC

Now that we are convinced that msg->reserved is potentially dangerous when 500 < msg->reserved <= 512, it is time to see how this variable can be manipulated. Tracking the use of dns_message_renderreserve() in lib/dns/message.c, we find that msg->reserved tracks how many bytes will be needed to write the Additional RRs (OPT, TSIG and SIG(0)) once the response has finished rendering in dns_message_renderend().


The most direct way we found to influence an Additional RR included in the response is to send a query with a TSIG RR containing an invalid signature. When this happens, the server echoes practically the whole record in its response.

The following script sends an A query to the server with a TSIG large enough to make the server reserve 501 bytes in msg->reserved when writing the response.

Domain Status of Bind9

Running of the exploit namedown.py

We can see that the TSIG RR in the query is 517 bytes long. This is because the TSIG RR included in the server's response is 16 bytes shorter, so we add 16 bytes to compensate.

Bind failed


Why did it work?

After parsing the request and failing to validate the signature, the process begins rendering the error response. For that, even before calling dns_message_renderbegin() (fundamental for a couple of things not worth detailing... AKA "exercise for the reader"), it already reserves msg->sig_reserved bytes (calculated from the returned signature by spacefortsig()) with dns_message_renderreserve(). In our case, as we wanted, it reserves 501 bytes.


When it gets to dns_message_renderbegin() we have the context we were looking for: msg->reserved at 501 and r.length at 512. The if condition that returns ISC_R_NOSPACE in the patch is not triggered.



Looking at the instruction immediately after the validation, we can see why it was so important to consider DNS_MESSAGE_HEADERLEN. Right after validating that the buffer has enough space to store msg->reserved bytes, it allocates DNS_MESSAGE_HEADERLEN (12) bytes in it. In other words, it never checked whether, after reserving msg->reserved bytes, there is enough space for 12 more. In the end, when the function returns, the available space in the buffer is 500 bytes (buffer->length - buffer->used = 512 - 12 = 500), but 501 are reserved.



When passing through dns_message_rendersection(), msg->reserved remembers to tell the buffer that it has reserved memory, but it doesn't even ask; it just takes it. This leaves the isc_buffer_t msg->buffer structure corrupt: now msg->buffer->used is BIGGER than msg->buffer->length. All the ingredients are here; we just need to put them in the oven.




As we expected, when isc_buffer_add() was called further on in the same function, the assertions that ensure the integrity of the buffer fail: for every n, msg->buffer->used + n > msg->buffer->length.
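To make the arithmetic above concrete, here is a small C model of the buffer state (an example added to this write-up, not BIND's code): toy_buffer, toy_message, the three render functions and simulate() are all assumed stand-ins that keep only the fields and steps the text reasons about, with the 512-byte UDP limit and the 12-byte header as given.

```c
#include <stdbool.h>
#include <stdio.h>

/* From the write-up: a UDP DNS response is at most 512 bytes, header is 12. */
#define DNS_MESSAGE_HEADERLEN 12
#define UDP_MAX_RESPONSE 512

/* Toy stand-in for isc_buffer_t with only the two fields reasoned about. */
typedef struct {
    unsigned int length; /* space the buffer believes it has */
    unsigned int used;   /* bytes already written */
} toy_buffer;

/* Toy stand-in for dns_message_t: buffer plus bytes reserved for Additional RRs. */
typedef struct {
    toy_buffer *buffer;
    unsigned int reserved;
} toy_message;

enum { R_SUCCESS = 0, R_NOSPACE = 1, R_CORRUPT = 2 };

/* Pre-fix renderbegin as described above: only r.length < msg->reserved is
 * checked, then the 12-byte header is consumed from the same free space. */
static int renderbegin_unpatched(toy_message *msg)
{
    unsigned int r_length = msg->buffer->length - msg->buffer->used;
    if (r_length < msg->reserved)
        return R_NOSPACE;
    msg->buffer->used += DNS_MESSAGE_HEADERLEN;
    return R_SUCCESS;
}

/* The fix as the write-up reads it: subtract the header length from the
 * free space before comparing against msg->reserved. */
static int renderbegin_patched(toy_message *msg)
{
    unsigned int r_length = msg->buffer->length - msg->buffer->used;
    if (r_length < DNS_MESSAGE_HEADERLEN ||
        r_length - DNS_MESSAGE_HEADERLEN < msg->reserved)
        return R_NOSPACE;
    msg->buffer->used += DNS_MESSAGE_HEADERLEN;
    return R_SUCCESS;
}

/* rendersection as described above: shrinks buffer->length by the reserved bytes
 * without asking whether `used` already exceeds it; R_CORRUPT is used > length. */
static int rendersection_reserve(toy_message *msg)
{
    if (msg->reserved > msg->buffer->length)
        return R_CORRUPT;
    msg->buffer->length -= msg->reserved;
    return msg->buffer->used <= msg->buffer->length ? R_SUCCESS : R_CORRUPT;
}

/* One render with a fresh 512-byte buffer; returns the first failure code. */
static int simulate(unsigned int reserved, bool patched)
{
    toy_buffer buf = { UDP_MAX_RESPONSE, 0 };
    toy_message msg = { &buf, reserved };
    int rc = patched ? renderbegin_patched(&msg) : renderbegin_unpatched(&msg);
    return rc != R_SUCCESS ? rc : rendersection_reserve(&msg);
}

int main(void)
{
    printf("unpatched reserved=501: %d, patched: %d, unpatched reserved=500: %d\n",
           simulate(501, false), simulate(501, true), simulate(500, false));
    return 0;
}
```

With 501 reserved bytes the unpatched path ends with used (12) greater than length (11), the state the buffer.c assertion aborts on, while the patched check returns ISC_R_NOSPACE before the header is written.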




Conclusions

Publishing a fix for a lethal bug where the whole internet has to be patched doesn't leave a lot of time to find elegant solutions. So if you review the fix, it's possible that a similar new bug appears in dns_message_renderbegin(). While the use of msg->reserved is quite limited, it remains complex software. As long as msg->reserved is still being used, the existence of a bug like CVE-2016-2776 is quite probable.

Remediation
Update Bind to these versions:
• BIND 9 version 9.9.9-P3
• BIND 9 version 9.10.4-P3
• BIND 9 version 9.11.0rc3
The majority of distributions have updated their repositories.

Credits
Martin Rocha, Ezequiel Tavella, Alejandro Parodi (Infobyte Security Research Lab)