This issue has bit me hard a couple of times this week, so I decided to make some notes on it. When installing a service pack on Microsoft Windows, you may get an "Access is denied" error message and have the entire install fail. In one case, I lost the entire machine and it wouldn't reboot. Another time, it survived the reboots, but still was a bit unnerving. Here is what I found out about the issue.
Apparently, this is a permissions issue within the registry. To verify this, check c:\windows\svcpack.log and search for "Access is denied". I found this in the log file.
1024.156: DoRegistryUpdates:SetupInstallFromInfSection Failed for ProductInstall.GlobalRegistryChanges.Install error: 0x5
1024.156: INF_REGISTRY Failed
1024.156: DoInstallation:DoRegistryUpdates failed
1034.047: Unregistration of sprecovr successful
1034.234: Access is denied.
To reset the permissions to the registry to the defaults you will need to use the secedit tool. I ran the following:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /areas regkeys
/areas regkeys tells the tool to only reset permissions on the registry and leave the rest of the OS alone. This is important, since firing it off at everything will reset file permissions, etc.
Once the registry permissions are reset, go ahead and fire the service pack install again. I used "WindowsServer2003-KB914961-SP2-x86-ENU.exe /norestart" to prevent a restart before I was ready. For my issue, this worked perfectly.
Links are:
Access is denied when installing SP - http://support.microsoft.com/kb/873148
Resetting registry permissions - http://support.microsoft.com/?kbid=313222
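Before resetting registry ACLs it is worth confirming that the failure really happened in the registry stage. The script below is an added example, not part of the original post: it classifies a log using the five lines quoted above plus a constructed counter-example, and the function names and verdict strings are hypothetical.

```python
import re

# The five log lines quoted in the post; a real svcpack.log is much longer.
SAMPLE_LOG = """\
1024.156: DoRegistryUpdates:SetupInstallFromInfSection Failed for ProductInstall.GlobalRegistryChanges.Install error: 0x5
1024.156: INF_REGISTRY Failed
1024.156: DoInstallation:DoRegistryUpdates failed
1034.047: Unregistration of sprecovr successful
1034.234: Access is denied.
"""

# Constructed counter-example: access denied, but no registry-stage failure.
OTHER_LOG = """\
900.100: DoInstallation: file copy failed (constructed line)
901.000: Access is denied.
"""

LINE_RE = re.compile(r"^(\d+\.\d+):\s*(.*)$")
ERROR_RE = re.compile(r"error:\s*0x([0-9a-fA-F]+)")
ERROR_ACCESS_DENIED = 0x5  # Win32 error code 5, "Access is denied"


def parse(text):
    """Return (timestamp, message) pairs; lines without a timestamp are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((float(m.group(1)), m.group(2)))
    return entries


def triage(text):
    """Classify a service pack log as a registry-permission failure or not."""
    entries = parse(text)
    denied_text = any("access is denied" in msg.lower() for _, msg in entries)
    evidence = []
    for ts, msg in entries:
        code = ERROR_RE.search(msg)
        if ("DoRegistryUpdates" in msg and code
                and int(code.group(1), 16) == ERROR_ACCESS_DENIED):
            evidence.append((ts, msg))
    if evidence:
        verdict = "registry-permissions"     # the case /areas regkeys addresses
    elif denied_text:
        verdict = "access-denied-elsewhere"  # resetting registry ACLs may not help
    else:
        verdict = "not-this-issue"
    return {"verdict": verdict, "evidence": evidence}


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("other", OTHER_LOG)):
        result = triage(log)
        print(name, result["verdict"])
        for ts, msg in result["evidence"]:
            print("   %.3f  %s" % (ts, msg))
```

To use it on a real machine, pass the contents of c:\windows\svcpack.log to triage().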
Thursday, December 27, 2007
Sunday, November 04, 2007
Inactivity on the blog
So things have been pretty silent for the last 4 months on the blog. It's not that I've been idle, but I've just had so much going on that writing was one of the last things on my mind. Here's a recap of some of the more notable events.
- July - Last month of school for me and I finally graduated with my Bachelors Degree in Computer Science! I still can't believe I've finally accomplished this. It was a lot of work and overdue by a fair bit.
- August - We had a family reunion in Salt Lake City for my wife's family. I decided to go stop by the University of Utah to see what their graduate program looked like. I found out a number of things I hadn't known before, one of which included a way to get my Master's degree in CS without going further into debt. We talked about it when we got home and made a fairly quick decision to move. So the last part of the month was doing all the things you need to do for moving.
- September - Moving time. We left the Los Angeles area early September and headed up to the Salt Lake City area. To sum it all up, it sucked. Moving is bad enough, but we got the house we had rented for 6 months and found that nothing had been cleaned or maintained. I've seen worse, but it wasn't good by any stretch. Our neighbor thought we had gray carpet, when it was actually brown. We also had to deal with 6-8 feet tall thistle plants in the yard. Such fun.
- October - Work, cleaning (still), preparing for the GRE tests. I took the general GRE in October and signed up for the Computer Science exam in November. I've learned a healthy dislike for these tests. I also started to file paperwork for my consulting business. JW Network Consulting LLC was born. :)
- November - Took the Computer Science GRE yesterday. Hopefully I did well enough for school, but we shall see. It was a nasty exam, but I am alive and relieved that I never have to take these silly exams again.
I plan to start doing more blogging and research related work. Some things I won't be able to talk about, others I will. What I can will go down here. If nothing else so that I can find it again later when looking something up.
Wednesday, June 27, 2007
Changing Firefox to allow XSS on any site???
Well, I guess the title of this post is a *bit* unfair, but it's close enough for me. First some background. I'm studying cross site scripting right now for my final independent study at school. As part of this I'm messing around with a book on AJAX to learn more about javascript and how this whole Web 2.0 booya works. Tonight I'm banging on one of the early examples in the book. I created the HTML and javascript files on my local machine and hit them via Firefox. The javascript makes an XMLHttpRequest to the author's web site since there is almost zero info on server side code in the book. Firebug immediately starts complaining to me with "Permission denied to call method XMLHttpRequest.open". What the heck?? Time to troll google.
Sure enough, I find some answers to the issue. The problem is that I am running the files at http://localhost/foo.html and the XMLHttpRequest is calling http://authors.website.com/his/webservice to get some AJAXy result back. Firefox looks at this and decides that isn't cool at all and blocks the request. Hurray for the Firefox team. I like it that they thought of this. However, now what am I supposed to do? I don't have the server side code and while I could toss this on my public server, I'd really rather not. Back to google. Maybe there's a hack for this...
Well, sure enough there is. I found this post on Google Groups with details on how to work around the issue. Here's what the post has to say. Find user.js inside your firefox profile. If it's not there, create it. Open it up and add the following three lines to it:
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open","allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
One problem, it allows any file running at localhost to call any other site in the background via XMLHttpRequest. From what I can see I have now configured Firefox to be much more open to XSS. So I'm just going to move this file out of my profile and shut firefox down whenever I'm done studying. I'm not frustrated at Firefox at all in this. I just wish I had the source to the server code used in the book so I could run through things without asking to get pwn3d. *sigh*
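A relaxation like this is easy to forget about once it is in a profile. The script below is an added example, not part of the original post or of Firefox: it audits the text of a user.js for capability policies that grant allAccess, and it assumes, based on the three lines above, that a policy only takes effect when its name is listed in capability.policy.policynames. The OldTest policy and all function names are constructed.

```python
import re

PREFIX = "capability.policy."
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

# The first three prefs are the ones from the post; the rest are constructed.
SAMPLE_USER_JS = '''\
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open","allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
// leftover from an earlier experiment, no longer listed in policynames
user_pref("capability.policy.OldTest.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.OldTest.sites", "http://192.0.2.10");
user_pref("browser.startup.homepage", "about:blank");
'''


def parse_prefs(text):
    """Return {pref name: value} for each user_pref(...) line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs


def audit(text):
    """Group capability.policy.* prefs by policy name and mark the active ones."""
    prefs = parse_prefs(text)
    # Assumption: policy names are separated by commas and/or whitespace.
    names = re.split(r"[,\s]+", prefs.get(PREFIX + "policynames", ""))
    active = {n for n in names if n}
    policies = {}
    for name, value in prefs.items():
        if not name.startswith(PREFIX) or name == PREFIX + "policynames":
            continue
        policy, _, prop = name[len(PREFIX):].partition(".")
        if not prop:
            continue
        entry = policies.setdefault(
            policy, {"policy": policy, "sites": [], "granted": []})
        if prop == "sites":
            entry["sites"] = value.split()
        elif value == "allAccess":
            entry["granted"].append(prop)
    for entry in policies.values():
        entry["active"] = entry["policy"] in active
    return sorted(policies.values(), key=lambda e: e["policy"])


def risky(text):
    """Active policies that hand allAccess on some property to some site."""
    return [e for e in audit(text)
            if e["active"] and e["granted"] and e["sites"]]


if __name__ == "__main__":
    for e in audit(SAMPLE_USER_JS):
        state = "ACTIVE" if e["active"] else "inactive"
        print("%-8s %s sites=%s allAccess=%s"
              % (state, e["policy"], e["sites"], e["granted"]))
```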
Thursday, June 14, 2007
Darpa Robot Project
Here's an interesting DARPA project someone threw out in IRC today. It looks a lot like what I did but a WHOLE lot smaller. The military can throw out a number of these things and build a communications network on the fly in a battle zone using wifi. I hope they use better encryption methods than the current public uses, but it still is a cool idea. It is also similar to a project that was done for urban search and rescue. Send out a team of robots, build some kind of mesh network and guide rescuers through the burning building or whatever.
The robots being proposed by DARPA are surprisingly inexpensive at about $100 each. I figured they would cost a lot more. One thing that made me laugh from the article on The Register. DARPA admits "it is expected that power will be a challenging design requirement". No way!!! Really??
Thursday, May 17, 2007
Hacking Web 2.0 Applications on Securityfocus
Quite a while back there was an article on Securityfocus by Shreeraj Shah on hacking on web 2.0 apps. It was very basic, but it had some tidbits in there that I wanted to keep an eye on for later. It shows how to use Firebug, which is something I'm a newb at, to inspect web pages for client side logic, validation, XMLHTTPRequests, etc. I'm doing another project on web app security at school and am going to focus on javascript, ajax, XSS, CSRF and look at javascript worms. It should be a fun project and allow me to take a narrower look at part of webapp sec. The article should provide me with a little more guidance as I dig into this further.
http://www.securityfocus.com/infocus/1879
Some Fuzzing Applications
Today jms in #pauldotcom threw out a link to some fuzzing applications that a friend of his had written or was part of writing. I haven't had a chance to take a look at them yet, but didn't want to lose the link either. So here it is. If anyone has played around with these apps, please let me know what you think.
http://appliedsec.com/resources.html
Tuesday, May 15, 2007
An example of sorry web application "security" measures
So last Saturday I participated in the graduation ceremony at college and was able to don the cap and gown for a hot day in the sun. It was all right, as far as these things go, but I'm a bit biased since it was mine. It was nice to go through, but I still have a few units to finish before I really have my degree. Anyways, as you get your "diploma" you get to shake the hand of the university president and get your picture taken with him. As you hit the bottom of the stage ramp, you get your picture taken again solo. Today I got an email telling me I could order my pictures online and to go take a look. So of course I went to go see how they turned out.
Here's where the web app security comes in. It seems that for $50, they will be happy to email the picture I'm looking at to me. Now that seems a tad bit expensive for something that I know is already on my computer in my browser cache. The preview picture is 430 by 620 pixels, so it's not too tiny. It also has no watermarks on it. So, rather than digging through my cache to find it, how do I just save this picture off to my hard disk? Right click doesn't work. So I go to my menu and do View->Page Source. I read through the source code real quick and see some javascript, which I presume is blocking the right click, and find the URL to the image. The image is hosted on another site and there is no authentication to prevent unauthorized access.
So what was the security measure to prevent me from saving the file? Just that silly javascript. Oh well, they will still make a fair bit of money off of me, since my family was to the right of the stage and I ended up on the left side. Kinda limited the photo ops for them.
Wednesday, April 18, 2007
Viewing Kismet's Data Remotely
So, running around a remote war driver makes little sense if you can't see what it is finding. I attempted to use kismet2html running on lighttpd last night. I kept running into some weird issue that prevented the php files from rendering at all though. It works great on a full blown php install, but I think the php5 package for openwrt has some issues. So instead I'll just take a page out of webif's methods and do some shell scripting to render the HTML. Not the sexiest method, but it will work.
New Router, New Batteries
I still don't know what caused the WRTSL54GS to die, but with only a few weeks until the end of the semester I had to continue on. I broke out the spare WRTSL54GS and installed it on the tank over the weekend. There were a number of modifications made this time to the assembly. First, the router was installed on thicker grommets to lift it further from the plexiglass base. Second, I bought two 12 volt lead sealed batteries to replace the 7.2 volt packs I had before. Last, and most unexpectedly, I broke the plexiglass base while drilling out the holes to hold the larger batteries. **sigh** So off I ran to Home Depot to buy another sheet of plexiglass to mount everything to.
Here's the tank part way through reassembly.

Finally put back together. The problem I have now is that it is too front heavy with the new batteries and gets a bit bouncy because of it. So, I'll be moving the batteries closer to the center shortly.

Tuesday, April 17, 2007
Scanning Source Code for Vulnerabilities Before Checkin
I was sitting in #webappsec today when zn- made the comment that he really wanted something to check code for security vulnerabilities as code was being checked into source control. Then if something was found it could refuse the code or do whatever the group had decided to do with it. This got me thinking a bit about it. The company I work for does an extremely basic check of this nature for things like inline SQL in web code. If the code has something that matches its pattern, then it checks the code in and notifies engineering management of the issue. Now this isn't the most robust check in the world, so how could this be improved?
The Web Application Security Consortium has an article up about using security frameworks in web development. It refers to a few different frameworks such as The Java Validation Library and Microsoft's anti-xss library. So it brings up an interesting idea. How would someone do some scripting on their source control server that would run the checked in code against these libraries? What would be the issues that you would run into? At home I use Subversion on UNIX. How would I check code developed for the Microsoft platform against their anti-xss library from my UNIX host? Would it be possible? Or would the library be totally unusable for the purpose of doing automated code audits? I admit, I don't know much about either of these libraries at this time, but it would be REALLY cool to be able to call some method that runs the code through a security framework for potential issues. I think I might be playing around with this some in the future. If nothing else, I need another couple of units at school to graduate and this might make a good project to play with.
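The two check-in policies mentioned in this post, accept-and-notify versus refusing the commit, can be sketched as follows. This is an added example, not the check my employer runs or anything from the frameworks named above: the regular expressions, the list of web file extensions, the sample change set and all function names are assumptions made for illustration.

```python
import re

# Assumption: which file extensions count as "web code".
WEB_EXTENSIONS = (".asp", ".aspx", ".php", ".jsp")

# A string literal that opens with a SQL statement.
SQL_LITERAL = re.compile(
    r"""["']\s*(select\s.+?\sfrom\s|insert\s+into\s|update\s+\S+\s+set\s|delete\s+from\s)""",
    re.IGNORECASE,
)
# A string literal joined to a variable or expression with +, . or &.
CONCAT = re.compile(r"""["']\s*[+.&]\s*[\w$]|[\w$\])]\s*[+.&]\s*["']""")

# Constructed change set: path -> new file contents.
CHANGESET = {
    "web/login.php": '''<?php
$q = "SELECT id FROM users WHERE name = '" . $_POST["name"] . "'";
''',
    "web/report.aspx": '''<%
cmd.CommandText = "SELECT total FROM orders WHERE id = @id";
%>''',
    "web/menu.php": '''<?php echo "Please select an item from the list"; ?>''',
    "docs/schema.sql": '''select id from users;''',
}


def scan(files):
    """Return one finding per line of web code that contains inline SQL."""
    findings = []
    for path in sorted(files):
        if not path.lower().endswith(WEB_EXTENSIONS):
            continue
        for lineno, line in enumerate(files[path].splitlines(), 1):
            if SQL_LITERAL.search(line):
                # Concatenation into the statement is the more serious case.
                kind = "concatenated-sql" if CONCAT.search(line) else "inline-sql"
                findings.append({"path": path, "line": lineno, "kind": kind})
    return findings


def decide(findings, policy):
    """Return (exit_code, report lines).

    policy "notify": accept the check-in and hand the report to reviewers.
    policy "reject": refuse it; a Subversion pre-commit hook does that by
    exiting non-zero.
    """
    report = ["%(path)s:%(line)d: %(kind)s" % f for f in findings]
    if policy == "reject" and findings:
        return 1, report
    return 0, report


if __name__ == "__main__":
    found = scan(CHANGESET)
    for policy in ("notify", "reject"):
        code, report = decide(found, policy)
        print(policy, "-> exit", code)
        for line in report:
            print("   " + line)
```

In a real hook the change set would come from the repository transaction rather than a dictionary, and a line-based pattern match like this will miss statements built across several lines.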
Wednesday, April 11, 2007
Death of a Router
Well, I guess it had to happen at some point, but I've finally had my first major setback on the project. I'm not sure when it occurred, but my WRTSL54GS bit the dust somewhere along the line. Friday and Saturday I mounted the routers to the car and all looked well. Sunday I ran ping tests until the batteries died on both routers. I was feeling really good about it all. I didn't mess with the machine for a couple of days, but I took it to work to show it off. Today I noticed that the router hadn't initialized the USB drive on the SL54GS, but I figured it was some kind of boot error. Not so. The router no longer responds to pings and either I botched the console head block install, or it isn't handing out console output either. The end result is that the thing is dead. Multiple failures at resetting to fail-safe mode and trying to tftp to it. **sigh**
So now what? I have my spare router, but I have a couple of questions about this whole thing. Here are the only things I can think of that caused the issue.
- I shorted the router out at some point and didn't notice. Definitely possible and I will be doing more to insulate the mounting screw beneath the board to make sure.
- The battery test killed it when the voltage dropped too low. This seems kinda unlikely to me. Why would low voltage brick the thing? Wouldn't it just shut down? Still something to consider.
- One of my kids got to it between Sunday's testing and my demos today. Not altogether unlikely either.
Tuesday, April 10, 2007
What I did over Easter weekend....
Just a quick post to show off the wardriver. I spent most of Friday and a chunk of Saturday assembling the monstrosity. It was way too much fun. Here's the basic recipe so far.
- A single Blizzard EV
- 3 - 7.2 volt battery packs
- 1 - Linksys WRTSL54GS Router
- 1 - Linksys WRT54GL Router
- 1 - Airlink 101 Omni-directional antenna for 10 dBi gain
- 1 - 1 GB USB drive
- Add plexiglass, four right angle brackets, assorted hardware and cabling
- Mix well, charge the batteries and...
Saturday, March 31, 2007
Modding the WRTSL54GS
Work was a mess this week, due to an office move and other issues, so I've fallen a bit behind on where I wanted to be on the wireless project. I finally got some time to work on the project late this week. After a run down to the local Fry's, I had all the parts I needed to modify the main board on the WRTSL54GS. I dove into this the other night and found that I was in for more trouble than I expected. First, I pulled out my practice PCB and started soldering again, trying to get warmed up before working on some of the more important parts of the project. Next, I assembled the RS232 adapter and managed to avoid botching the soldering. That made me feel pretty good, so I pressed on... and started wrecking some parts.
The WRTSL54GS uses a very poor antenna in its stock form. It is rated at 1.5 dBi gain, which did not fill me with enthusiasm. So I decided to replace it, but I have a problem. The antenna is connected directly to the main board with no way to detach the stock antenna cleanly. Since I was feeling brave after successfully soldering the RS232 adapter, I pulled out the wire cutters and clipped the antenna wire close to the antenna. I wasn't quite brave enough to attempt soldering a new antenna smack in the middle of the board. I had picked up two SMA connectors at Fry's, which I figured would be sufficient. When I attempted to crimp the center pin to the coax cable, I damaged both of them. They would not even come close to sliding up the center of the adapter. Now what? Today, I did another run to Fry's and purchased three more connectors. When I got home, I found that I had the wrong models. The center pins were hollow and I needed the solid ones. So, I needed to salvage the pins I had from the previous night. A bit of dremeling cleaned up one of the center pins enough to be usable. Instead of crimping, I soldered the pin to the antenna wire, crimped on the outside of the connector and it all looked pretty good.
Next, I started hooking up the connector to the serial ports on the main board. This sounds straightforward, but Linksys decided to make it more complex. They filled the holes with solder. *sigh* After 30 minutes of messing around the holes were cleared out and I was able to solder in the new head block.
I was a bit nervous again about this because I had to apply a fair bit of heat to get the solder out. I took it upstairs, attached a 10 dBi gain antenna and booted up the router. Sure enough, it booted up cleanly! Needless to say, I'm very happy with this. But was the new antenna working? Fortunately it was. Here's a screen cap of the signal strength.

The SSID of Elune is my access point and WRT is my newly modded router. Both Linksys SSIDs are neighbors, one of which is inviting trouble. Anyhow, I was on the other side of the house when this cap was taken. Note the huge difference in signal strength of WRT using the new antenna when compared to Elune! Both devices were sitting right next to each other. Mission accomplished.
Here's the modded main board.
Thursday, March 15, 2007
Web App Security Research
Just thought I'd link to my paper on web application security that I did last semester. It's pretty basic and is aimed at a technical audience that is not familiar with web app security.
You can read the document here. <--PDF warning
Wednesday, March 14, 2007
Senior Project - War Driving Remotely
I'm finally getting close to graduation! My project consists of taking a couple of Linksys routers, hacking the hardware, installing OpenWRT and then dropping the whole thing on an RC vehicle. Voila! A quasi robotic war driving kit!
So what's the point of it really? Well, I took a robotics class and really liked working with hardware. But security is my main interest. Then I thought about doing an audit for rogue wireless access points around a corporate campus. It would take a while to walk around and war walk the campus. I can be a lazy sort, so I try to look for easier ways to do things. So why not install the equipment on something that can do about 20 miles an hour? That ought to speed things up! An idea is born.
Really, I've found somewhat similar ideas for this while I've been researching for this project. So while I largely thought of this on my own, I still lose a few points for my lack of originality. But it will be fun and I will learn a lot along the way. That's really what this is about.
The Concept
- Create a mobile wireless detection platform that can cover a wide geographical area quickly.
- Provide near real time feedback to the operator.
- Use GPS to plot the location of detected access points.
- Save data for later analysis.
- Find and use enough information to locate the rogue access point.
- Optionally, use a 2.4 GHz spectrum analyzer while performing the war driving. (I'm not sure how this will work, but I want to check it out.)
Most of the project is still scratched out in my notebook, but I will document more of what I'm doing as I go. I have purchased most of the hardware already. It's been fun to say the least. Here's the bulk of my kit.
I decided on the Kyosho Blizzard EV for the RC platform. It uses treads and has a low center of gravity, which will hopefully keep the shiny side up. More info on its upgraded form here.
Then we get to the wireless gear. I'm still waffling around some on how to set this up, but I think the WRTSL54GS for the Kismet device. I'm kicking around what to do with the lame antenna soldered into it. Unfortunately, it's not like the WRT54GL in the picture which has dual removable antennae. But I think I can just clip the wire and add an adapter to the end. The idea of soldering a new antenna onto the board is a bit intimidating to me. I'll probably use the WRT54GL to relay information back to me via its wireless connection. I'm working with an old Zaurus PDA and trying to get a Netgear wireless card working on it. It has been a mixed experiment so far.
That's about where I am at so far. The car is assembled and I'm poking around on the WRTSL54GS to see how I can do what I want done. Next steps are:
- Design and fabricate the mounting platform for the wireless gear
- Order and fashion the antenna(s) that I will be using
- Order GPS equipment and mount it to the device
- Assemble the hardware into the completed vehicle
- Install, write, modify and integrate the software I'm researching together.
Starting Fresh
I'm not much for blogging just for the sake of doing it, but I'm working on a project for school and figured a blog would be a perfect place to log my work.