“While you look over the menu, can I bring you something to drink?” The waitress asked.
MadFast looked at Reuben, then decided to answer first. “Coffee and water would be great.” He always drank those two, at every meal.
“Sugar and cream?”
“No thanks, just black is fine.”
“And you, sir?”
“Iced tea for me,” Reuben responded. The waitress walked off briskly, and the pair looked over the menus to pick among a choice of traditionally unhealthy chain restaurant food. The waitress returned with their drinks and took their order before cheerily heading to the back of the restaurant to put the orders in.
“So, how do you like it over here so far?” Reuben inquired.
“Oh, I’m happy. Dude, I really appreciate how you’ve been, making sure I’m comfortable and everything.”
Reuben smiled as he poured sugar into his iced tea. “Don’t mention it. I mean, we need you for this, and we really appreciate that you got some time off to come work with us. And besides, this is fun for me too. You’re great to work with!”
“Right on. So, do you think we’ll find anything?”
“Yeah, I do. I don’t know why, but it’s just a gut feeling. I can’t help but think that with the way they deliberately decided to make it possible to reconstruct session keys, they really didn’t make security the number one priority.”
The waitress reappeared with their food, lowering the plates in front of them carefully, before asking if they needed anything else and striding off sweetly to tend to other things. Judging from the speed of service here, they were still geared up for the lunch rush, even though the restaurant was nearly empty at this time in the afternoon. MadFast and Reuben started attacking their food, simultaneously realizing how hungry they were after working so diligently during the previous several hours.
MadFast asked, “So, what happens if we find this thing is so screwed up that they need to pick a different product?”
Reuben hastily worked to finish chewing the mouthful of food he was working on so that he could answer. In the end though, he didn’t know why he was hurrying; he didn’t know the answer nor did he want to consider the situation. “I don’t really know, but I bet it’ll be a hell of a mess. Your guess is as good as mine. But I get the impression that ZFon really needs this deal to go through. I’ve never heard of them before, have you?”
“Nope. So this must be a huge deal for them.”
“Yeah. We need to watch our backs. Not that a vendor normally has any kind of incentive to play nice against guys like us, but here it might be even worse. We need to document everything, and double-check everything we come across. Our credibility has to be perfect all the way through, to armor us against any denials or God knows what else they might come up with. Come to think of it, I should tell Bob about some of the ramifications, just to make sure he understands. He’s very savvy, but I don’t know if he knows how the technical details play into it. I’ll talk to him this afternoon and let him know what the likely scenarios are. He’s really good at this kind of thing. He’ll probably be able to warn us if we’re about to do something politically stupid at some point.”
MadFast smiled. “Right on. I don’t think that will be hard. It isn’t like we’re critiquing art. We can prove what we find, easy as bits and bytes. It’s not like they can deny we found a buffer overflow if we root the box.”
“True enough. But just the same, whatever we do find, I want to be able to reproduce it easily in any environment. We need to keep track of how we set things up and make sure that we know if configuration plays a role in any vulnerabilities we uncover. If so, we need to know exactly which configuration changes do what, so that they can’t turn around and ask us for a ‘demonstration’ on a box that isn’t going to be vulnerable.”
“Good point. That shouldn’t be hard either. It’s not like there are too many configuration options that are within the planned configuration that DoJ will be rolling out.”
“Yeah, true. And good to remember, too. But we might want to make sure that we know if even an unplanned config is or isn’t vulnerable to a finding of ours. Kind of the flipside of the potential for a configuration error producing an issue, it could be that a configuration choice eliminates one. Then we can show some value to DoJ by telling them how to mitigate the risk by changing their planned standard config.”
“Ahhhh…so instead of the vendor swooping in and raining on our parade, we get to be the heroes.”
“Exactly!” Reuben was thinking proactively. At this point, the ball was entirely in their court, and they could either cover their bases or not. They had the benefit of knowing what they were going to be saying to everyone, and what their findings would be. It wasn’t hard to guess what the motivations of the other players might be, so if there was going to be a problem, Reuben and MadFast had the edge. He returned back to his food, stuffing another french fry into his mouth. “How do you think we’re doing, so far?”
“I think, pretty good. I know what I’m doing, and it looks like you know what your end is too. We’ve just gotten set up, but I think we’re going to cover a lot of things. I don’t feel like we’re forgetting anything or just wandering around lost. The plan you laid out seems good.”
“Ah, good. That’s what it feels like for me too. So we’re on the same page.”
MadFast took another drink of his coffee, and the two of them resumed eating, like it was another aspect of their work. When they finished, Reuben paid the bill, leaving a hefty tip. He loved tipping well; it made him feel good that someone else would feel good from something he did. And usually the difference between a bad or unremarkable tip and one that got a genuine “Thank you!” from a waiter or waitress was only about a dollar or two. MadFast put on his jacket as Reuben put the receipt in his wallet to expense, and the two of them left.
Listening to techno again in the car for the short drive back, the two grooved to the music as Reuben moved semi-aggressively through Tyson’s Corner lunch traffic. The air was thick with a sense of mission as they went back to the office to pick up where they left off, much as two commandos might feel as they started toward an objective in the night. They wanted so very badly to accomplish this objective, both for the glory and lust of the hunt and in service to their country and trade. If there was anything unsafe or insecure about this software, they would know about it before they were done.
Back in the lab, they stepped carefully over the network cables as they went back to their respective chairs, shrugged off their jackets and sat back down. They logged in and took a second to figure out where they left off, looking at their notes and contemplating.
MadFast looked over his code one last time. “I think I’m about ready here. This should compile fine, unless I made some small mistake somewhere. How are you with the ‘ammunition’?”
Curiously, Reuben looked over Frank’s shoulder and glanced at the code. The first part was displayed, and Reuben could kind of follow how it worked, at least at that point in the software.
    #include <winsock2.h>
    #include <iostream.h>
    #include <stdio.h>
    #include <conio.h>
    #include <stdlib.h>

    void mein()
    {
        WSADATA wsaData;
        WSAStartup(MAKEWORD(2,0), &wsaData);
        int iResult = WSAStartup(0x101,&wsaData);
        if ( iResult != NO_ERROR )
        {
            printf("WSAStartup doesn't work, dude!\n" );
        }
        {
            printf( "Socket up, right on!\n" );
            SOCKET m_socket;
            sockaddr_in clientService;
Reuben smiled. “I’ve got a few fun things set up, and I’m almost done with the rest. Any preference or suggestion as to the characters to use for overflows?”
“Oh, right on! You’re going to love this. Use the equivalent of hexadecimal 90 for every filler character. It’s an instruction that raises havoc in assembly.”
“Got it. Glad I asked!” Reuben fired up calc first, checking to make sure that 90 in hex was actually 144 in decimal. Seeing that it was, he then pulled up notepad, and typed Alt + 144 to cause the correct character, É, to appear. He copied this and went through each payload file one at a time, doing a search and replace of the original filler with the appropriate character. Each file had a different variable padded out to an extraordinary length with the letters. One set of the files had only an extra hundred letters in the proper place, and another set of them had several hundred. Sometimes a buffer overflow required a great deal of extra data to execute, and while Reuben figured they might save some time by just going with super-large values off the bat, he liked the idea of starting smaller and working upward.
MadFast started a build in Visual C++, watching for errors. “Ah, shit.” The compile stopped on an error before completing. “Must have made a typo or something somewhere. I’ll need a bit longer before I’m ready.”
“Hey, don’t sweat it. Nothing ever works right the first time. And hell, we’ve just gotten started. It’s not like we’re making bad time here.”
“Yeah, I know. But it’s sort of a pride thing.” MadFast smiled at Reuben. “I always want my compiles to go smoothly the first time. Kind of a Zen thing, even though I know it’s silly.”
Reuben smiled back. “Ah, I understand. I’m always pushing myself too. Cool.” He went back through the payload files, double-checking to see that he had named them all correctly so that he’d know which one attacked which data field, and that they all had the correct padding characters in them. “Hey, just for grins, we should try protocol attacks just for fun.”
“Right on. I was thinking that too. Of course, we probably won’t find anything other than what the operating system itself is vulnerable to. But who knows, they might have something that barfs even when Windows handles it without a problem.”
“Even so, it’s still something broken.”
“Yeah, but it’s something they already could know about. We’re focusing on the app here, that’s the thing we’re supposed to check out.”
“Yes, but we’re supposed to check it in the planned configuration, and that includes this operating system. But it could go either way, really. I see your point. I’ll get some clarification.”
“Right on. While you’re doing that, I’ll find what I did wrong in my code and fix it.”
Reuben got up and went out the door towards the elevator to go upstairs. Standing at the elevator, he realized how much he hated waiting to go up just a couple of floors. But as with most buildings, the doors between the stairs and each floor were locked so that once in the stairwell, you could only exit on the ground floor. Since almost nobody would have taken the stairs anyways, nobody seemed to care, but Reuben welcomed any chance for exercise that he could get. He used to be a lot more active, being an avid cyclist, but these days he spent all his mental energy at work, and thus had neither time nor motivation for exercise. He’d not gained weight, instead losing it, as he never really got fat. Instead, his muscle mass decreased, leaving him trim…a bit too much so for his liking.
The elevator arrived, its doors opening to reveal the empty interior. Reuben stepped inside, rotating and jabbing the button to go up. A brief interval later, the doors opened again, letting him out. He barged into the office area, walking down the nearly-silent corridor to look in on Bob’s office.
Bob looked up from his desk, happy to see Reuben. “Hey! How’s it going down there?” he asked congenially. He clearly wasn’t worried, curious for the sake of his own curiosity rather than some anxiety that things weren’t going well.
“Well, we’re all up and running, we’ve got some idea of how the data looks going over the wire, and we’re getting ready to start shooting garbage at the server to see what happens. Right now, MadFast is debugging… I mean, Frank, is debugging the code for a tool that we’ll use to do the job.”
“Great! So, what do you need? Or did you just want to get up and stretch your legs a bit?”
Reuben laughed lightly. “Well, there is one thing. We know we’re supposed to test the planned configuration of the VPN, but that includes the operating system. But since there’s already a lot of information about the weaknesses and strengths of Windows, we don’t know if we’re supposed to be testing that as well. We talked about it, and we could see it going either way.”
Bob sat forward in his seat. “What’s your opinion of the impact of one option versus another?”
“Well, we can be more thorough if we go over the whole thing, including Windows. But it also means it’ll take longer, and we might miss more. Compared to an application, there’s a lot more that can be right or wrong.”
“What’s your gut tell you?”
“I say we stick with just the ZFon software, and specify that they’ll have to properly harden the host first. We’ll test for possible issues of the two in combination, but we won’t say anything about that testing unless we find something. That way we’ll cover everything without duplicating the work of others.”
“What kinds of things might be ‘in combination’? And how would you know what to look for?”
“Well, I can think of only a few things. One is network behavior. It’s a possibility that the software stands between the outside world and the operating system, in which case we might find something about it that doesn’t act quite right. Or, perhaps it’ll be even better. Either way it’ll be interesting. And there’s also the likelihood that some files or registry keys need to be well protected, like private keys or whatnot. Those two are about the only things I can imagine, really.”
Bob smiled. “Okay, I understood about half of that, but the real answer, I guess, is that you know what to look for and what would be a waste of time. Okay, do it that way.”
“Cool, will do. It’s going really well. Frank’s great to work with, and we’re both on the same page. This is great; he knows a hell of a lot about certain things, and I know a good bit about other ones. Between us, we make one hell of a geek!”
Bob laughed. “Oh, God help us now! The two of you loose on the town!”
Reuben smiled back. “Oh, you have no idea. I have this really funny feeling that we’re going to make some waves with this.”
Bob smiled back. “You know something? I don’t doubt it.”
Reuben stepped a bit further into the office and pulled up a chair. “That brings to mind something else I thought I should bring up.”
Slightly taken off guard by this, Bob’s tone became a little more serious. “Alright, shoot. What’s on your mind?”
“Well, we took the time to actually check out the background of ZFon itself, the company,” Reuben explained, “and it looks like they aren’t doing too well financially. Their stock isn’t doing well at all, and I’m sure they’re giving the employees options. And this is a really huge deal for them, probably the biggest sale they’ve ever made.”
“So, in other words, you’re worried about what they might do if you and Frank find the software is all screwed up?”
“Yep, you got it. There are a few things that software companies do when faced with a vulnerability. The one that we have to worry about the least is their doing the noble thing, and owning up to it, working with us, and fixing it. If they act that way, nothing else matters, life will be easy and everyone wins. But that’s uncommon, I think. At the other end of the spectrum, ZFon might outright deny and try to bottle up information about the vulnerability. In cases like that, they might try to misrepresent things by throwing twists in, like claims that our findings were in a ‘non-supported’ configuration.”
“Well, obviously that won’t work. The configuration you’re using is the one they told DoJ to use, and DoJ knows that. And I assume that if you find anything you’ll be able to prove it, right?”
Reuben nodded. “Yes, exactly. But the whole point, as you probably know, is that they might not follow common sense, since they may feel backed into a corner by any of our findings. It’s the desperation factor that