Offensive Thinking
Internet Thoughtcrime
December 2009
2009-12-21 Remoting with PyAMF - the easy way
Aahh, Remote Procedure Calls. Gotta love ‘em. They make programmers forget everything we have taught them about being careful with user input: sanitising everything, double-checking that there’s nothing malicious in it, treating all input as a potential threat to their system. Ok, frankly, most of the time developers tend to forget about this in every other scenario too, or we wouldn’t still be plagued with XSS and the like.
But RPC, in whatever shape it comes, makes it a lot easier to forget about user input because it is more or less transparent to the developer. I mean, that’s the whole point of RPC, isn’t it? Letting you work with remote functions/methods/objects as if they were local. No worries about network protocols etc. And this is exactly what makes it so dangerous, because developers forget that all the pretty function calls and objects they send over the wire are not necessarily what they receive on the other end. If the data is not encrypted and signed, attackers can read and manipulate it, or simply send their own. And transport encryption only keeps third parties out: the legitimate client is a Flash movie running on the attacker’s machine, so they can replace it with any client they like, and every object that arrives at the gateway is under their control, TLS or not. The receiving end has to make sure that whatever it gets is checked first.
Where was I going with this again? Ah, yes, AMF, Adobe’s Action Message Format. It’s a binary format primarily used to serialise ActionScript objects, and it is what Flash Remoting uses to carry method calls (think RPC for Flash). I had to test a remote installation of an AMF gateway and searched for a decent way of pentesting that stuff. The first thing I found was Jon Rose’s Deblaze, a command line tool to interact with Flash remoting end points. It’s a nice tool, but it only allows you to send Ints, Floats or Strings as method parameters. That wasn’t enough for me, as I needed to send more complicated objects to the remote server.
I continued searching and found a blog post about pentesting Adobe Flex Applications with a custom AMF client. They use pyAMF, a Python implementation of AMF. Perfect. The only thing that bothered me was that the way they build their client in the blog post seemed overly complicated. Do I really need to build my AMF object by hand and use an HTTP library to send the POST request to the server? That’s inconvenient for just a little testing.
I looked at the pyAMF homepage myself and found that you don’t have to do all this stuff manually. pyAMF provides a perfectly capable client library, with HTTPS support and authentication. It’s really easy to use. First, import the RemotingService:
from pyamf.remoting.client import RemotingService
Then, all you have to do is create a new RemotingService with the AMF gateway’s URL, get the service you want to use and invoke the method with whatever parameters it takes. Taken straight from pyAMF’s website for a service called “service” with the method “getLanguages()”:
client = RemotingService('http://demo.pyamf.org/gateway/recordset')
service = client.getService('service')
print service.getLanguages()
And that’s it. Much easier, isn’t it? You can also set custom headers and so on. Of course, the approach taken in the above-mentioned blog post might be better if you really want to dig into the AMF internals while testing. But if you primarily want to check whether you can invoke methods you shouldn’t be able to access, or call methods with parameters they might choke on (complex typed objects included, since the client will happily serialise whatever object you hand it), then the pyAMF client is the way to go.
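To make concrete what RemotingService assembles and posts for you, here is an added example that is not part of the original post and not pyAMF’s code: a small, self-contained AMF0 encoder for a remoting envelope, written from the AMF0 wire format (version 0, a header count, a body count, and per body a target URI, a response URI, a byte length and the argument array). It assumes, as I understand pyAMF’s default AMF0 mode, that a call to service.getLanguages() goes out with target "service.getLanguages" and response URI "/1". The service name UserService.update, the class alias com.example.User, the user record and the credentials in the demo are constructed sample data, and the header name "Credentials" is the one the Flash Player’s NetConnection.setCredentials() uses. The point for the tester: every byte, including the class alias a typed object carries and the header that claims who you are, is written by the client.

```python
import struct
import urllib.request

OBJECT_END = b"\x00\x00\x09"   # empty key, then the object-end marker


class TypedObject:
    """AMF0 typed object (marker 0x10): class alias plus properties. The alias
    tells the gateway which server-side class to build, and the client picks it."""

    def __init__(self, alias, props):
        self.alias, self.props = alias, dict(props)


def _utf(s):
    """u16 length-prefixed UTF-8: keys, targets, response URIs, header names."""
    raw = s.encode("utf-8")
    if len(raw) > 0xFFFF:
        raise ValueError("string too long for a u16 length prefix")
    return struct.pack(">H", len(raw)) + raw


def _props(d):
    return b"".join(_utf(k) + encode_value(v) for k, v in d.items()) + OBJECT_END


def encode_value(v):
    """Serialise a Python value as an AMF0 value: one type marker plus payload.
    Long strings (0x0c), dates and references are left out for brevity."""
    if v is None:
        return b"\x05"
    if isinstance(v, bool):                       # before int: bool is an int subclass
        return b"\x01" + (b"\x01" if v else b"\x00")
    if isinstance(v, (int, float)):               # every AMF0 number is an IEEE double
        return b"\x00" + struct.pack(">d", float(v))
    if isinstance(v, str):
        return b"\x02" + _utf(v)
    if isinstance(v, (list, tuple)):              # strict array: u32 count, then values
        return b"\x0a" + struct.pack(">I", len(v)) + b"".join(map(encode_value, v))
    if isinstance(v, TypedObject):
        return b"\x10" + _utf(v.alias) + _props(v.props)
    if isinstance(v, dict):                       # anonymous object
        return b"\x03" + _props(v)
    raise TypeError("no AMF0 encoding for %r" % type(v))


def encode_envelope(target, args, response="/1", headers=()):
    """One AMF0 remoting request: version 0, optional headers, and a single body
    whose target is 'Service.method' and whose data is the argument array.
    headers is a sequence of (name, must_understand, value) triples."""
    out = struct.pack(">HH", 0, len(headers))
    for name, must_understand, value in headers:
        data = encode_value(value)
        out += _utf(name) + (b"\x01" if must_understand else b"\x00")
        out += struct.pack(">I", len(data)) + data
    body = encode_value(list(args))
    out += struct.pack(">H", 1) + _utf(target) + _utf(response)
    return out + struct.pack(">I", len(body)) + body


def post_amf(url, envelope):
    """POST an envelope to a gateway and return the raw AMF reply (network; not run here)."""
    req = urllib.request.Request(url, data=envelope,
                                 headers={"Content-Type": "application/x-amf"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample with hypothetical names: a typed object as argument
    # (the kind of parameter Deblaze could not send) plus a Credentials header.
    call = encode_envelope(
        "UserService.update",
        [TypedObject("com.example.User", {"id": 7, "admin": True})],
        headers=[("Credentials", True, {"userid": "alice", "password": "secret"})])
    print(call.hex())
```

Run it to see the hex of the call; post_amf() is the only part that touches the network and sends the envelope with the application/x-amf content type a Flash Player would use. Because the client chooses the class alias, a gateway that maps aliases to arbitrary server-side classes is worth probing with a typed object whose alias it does not expect, and the same goes for any header it trusts.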
2009-12-17 Organizing your papers with Mendeley
Some days ago, someone (I can’t remember who, sorry) tweeted about Mendeley. It is software to “Organize, share and discover research papers”. Okay, the next sentence on the website is “Like iTunes for research papers”, which almost made me stop looking at it…
It’s a GUI application and you can download it for free from their site. It is, however, closed source. But hey, can’t have everything. So don’t come complaining to me if it sends your private pictures to Flickr or whatever, I never said I’ve reviewed the code ;). Please also be aware of their EULA and their privacy policy; they’re well worth reading carefully and thinking about the implications before you start using this software. Consider yourself warned. I’ll give some final thoughts on this at the end of this post.
Mendeley works surprisingly well. There’s this huge directory on my laptop with all the security whitepapers I downloaded over time and never got around to reading (sounds familiar? Yeah, I bet). BlackHat, Defcon, papers announced on Bugtraq, Full Disclosure or recently more and more over Twitter, you name it. And let’s be honest: either you read them immediately or you forget about them.
One problem is that after dumping them in my “Security Papers” directory, when I have a second look at it later, I have already forgotten what the papers in there are about. And if they do not have at least a filename telling me what the paper might be about, I don’t bother to open them all in my PDF reader again.
Mendeley did a very good job of organizing this directory and extracting meaningful meta information from that pile of whitepapers and slides. It wasn’t perfect and I had to correct a lot of stuff, but the initial guessing it did was better than I hoped for. Now I have all my papers neatly organized in the Mendeley database, with full text search, the ability to find papers by author or subject, information about papers referenced, BibTeX export, the possibility to annotate the PDFs and much more. It’s a really nice way to organize your stuff. Ok, I still have to read the papers myself. But at least now I can just mark them as read or unread and find them again in the pile of papers I hoard on my disk. Mendeley even allows you to conveniently rename the papers.
Their ultimate goal seems to be to start a kind of social network for researchers; you can synchronize all your stuff with their website and you are of course encouraged to do this. But it’s also possible to just use their client offline. Always be aware that they will collect data about the papers you organize with their software. I don’t think they send any stuff to their website if you don’t have an account and without you explicitly agreeing to it, but you never know. All the papers I have collected are freely available on the Internet and I have no problem with people knowing about me reading these papers, so I consider the potential public knowledge about what security papers I read not an issue. YMMV. Also, I’d be careful with my own papers that aren’t published yet, for example. I wouldn’t add these to Mendeley simply because I don’t know where that data might end up. Their privacy policy openly addresses these issues and sounds reasonable, but: it’s the Internet, and what is uploaded to the Internet stays on the Internet. Always keep that in mind.