Wednesday, July 20, 2011

SC430 Antenna Mast Removal & Replacement

Going with a non-security post here to provide some helpful information that can be somewhat hard to find.


Choosing an Antenna
First, you need to get a replacement antenna. I ordered one from the ebay seller "tt_motor", which was far from OEM quality (as claimed) and it did not fit. He quickly gave me a refund, and then I ordered an antenna from "laynlow1". This was also a fairly cheap Chinese antenna. I heard these cheap antennas get quite a bit less reception than the OEM ones. After several months of use, it stopped extending all the way unless I was pulling on it as it went up. It made a grinding noise. Perhaps the wind bent this flimsy metal? I tried greasing it, but never had any luck.  I'm all about saving money, but in this case I couldn't find a good quality aftermarket replacement (please comment if you have). Next, I went with an OEM antenna from http://lexus.sewellparts.com/. It was ~$60 shipped with my discount for being a clublexus member.  The unit was noticeably higher quality than the ones I've ordered off ebay.  It fixed my grinding noise, but I just installed it last night at the time of this writing.  Update: I sold this car in 2015 and the antenna still operated without issues.

Replacing the Antenna
This is a two-person job.
  • Remove the antenna retaining nut.  Be careful not to scratch it.
  • With the key in the ignition switch "LOCK" position, press the "AM" and "DISC" buttons on the radio simultaneously with turning the ignition switch to "ACC". Then the radio "LCD" display will read "ANT" and the antenna mast will hyper-extend, disengaging the cable. You can let go of the "AM" and "DISC" buttons now.
  • With the ignition switch still in "ACC", the new cable is inserted to a full stop into the motor antenna assembly through the mast pipe hole in the body panel, with the teeth on the antenna cable toward the rear of the vehicle. 
  • As the person in the driver's seat switches the key to "LOCK", feed the cable and mast pipe in. 
  • After it retracts completely, replace the retaining nut.

Wednesday, June 8, 2011

Exploiting CVE-2008-4283 - HTTP Response Splitting (CRLF Injection) in Websphere 5.1

I found this vuln a while back, but never successfully published the exploit after working with the vendor (IBM).  I say "successfully", because I tried submitting it to securityfocus but it never got updated.

In short, this is how to exploit it.

By inserting %0A (a URL-encoded line feed) into the ibm_security_logout URL, a line feed character is injected into the Location header of the 302 redirect, which lets you append headers of your own after it.  Since the injection lands in a 302, which the browser follows rather than rendering, your options are pretty limited, but you can still set a cookie.

Here's a normal URL:

If the session cookie is not replaced upon authentication, this turns into session fixation: send the link to a user, set their session cookie to a value you already hold, and when they log in, that session is authenticated as them.

This URL is an example exploit which sets a cookie:
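
The split described above, as an added example that is not part of the original post and not IBM's code: a toy Python model of a server that echoes a URL-decoded parameter into a 302 Location header (the vulnerable build alongside a hardened one), a lenient header parser standing in for the browser, and a minimal session table that shows why the resulting fixation only pays off when the server keeps the pre-login session id. The host, the attack parameter, the JSESSIONID cookie name and the session ids are constructed for the demo.

```python
"""Added example (not from the original post, not IBM's code): how a bare LF
in a 302 Location header splits the response, and why the resulting session
fixation only works when the server keeps the pre-login session id.
Host, parameter, cookie name and session ids are constructed for the demo."""
import re
import secrets
from urllib.parse import unquote

RESPONSE_TEMPLATE = "HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"


def build_redirect_vulnerable(target_param: str) -> bytes:
    """Model of the bug: the server URL-decodes a parameter and copies it
    into the Location header of a 302 without rejecting CR/LF."""
    target = unquote(target_param)
    return RESPONSE_TEMPLATE.format(target=target).encode("latin-1")


def build_redirect_hardened(target_param: str) -> bytes:
    """Same response, but a CR or LF in the decoded target is rejected
    instead of being echoed into the header block."""
    target = unquote(target_param)
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in redirect target")
    return RESPONSE_TEMPLATE.format(target=target).encode("latin-1")


def hardened_rejects(target_param: str) -> bool:
    """True if the hardened builder refuses the parameter."""
    try:
        build_redirect_hardened(target_param)
    except ValueError:
        return True
    return False


def parse_response_headers(raw: bytes) -> list[tuple[str, str]]:
    """Lenient header parser: a bare LF counts as a line terminator, as in
    browsers, so an injected LF starts a new header line."""
    headers = []
    for line in re.split(rb"\r?\n", raw)[1:]:
        if line == b"":
            break  # blank line ends the header block
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return headers


def cookies_set_by(raw: bytes) -> dict[str, str]:
    """Cookie name -> value for every Set-Cookie header the client would honour."""
    cookies = {}
    for name, value in parse_response_headers(raw):
        if name == "set-cookie":
            cname, _, cval = value.split(";", 1)[0].partition("=")
            cookies[cname.strip()] = cval.strip()
    return cookies


# Constructed attacker-supplied parameter: a plausible redirect target followed
# by %0A (LF) and a Set-Cookie line pinning the victim's session id.
ATTACK_PARAM = ("http%3A%2F%2Fapp.example%2F"
                "%0ASet-Cookie%3A%20JSESSIONID%3DATTACKERKNOWNID")


class SessionStore:
    """Minimal server-side session table to show the fixation precondition."""

    def __init__(self):
        self.sessions = {}  # session id -> authenticated user

    def login(self, presented_sid: str, user: str, rotate_on_auth: bool) -> str:
        """A server that rotates ids on login discards the attacker-chosen id;
        one that does not leaves that id bound to the freshly logged-in user."""
        sid = secrets.token_hex(16) if rotate_on_auth else presented_sid
        self.sessions.pop(presented_sid, None)
        self.sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        return self.sessions.get(sid)


def fixation_succeeds(rotate_on_auth: bool) -> bool:
    """Victim arrives with the attacker-pinned id (set via the split 302),
    logs in, then the attacker presents that same id."""
    pinned = cookies_set_by(build_redirect_vulnerable(ATTACK_PARAM))["JSESSIONID"]
    store = SessionStore()
    store.login(pinned, "victim", rotate_on_auth)
    return store.user_for(pinned) == "victim"


if __name__ == "__main__":
    for name, value in parse_response_headers(build_redirect_vulnerable(ATTACK_PARAM)):
        print(f"{name}: {value}")
    print("fixation works without id rotation:", fixation_succeeds(False))
    print("fixation works with id rotation:   ", fixation_succeeds(True))
    print("hardened builder rejects payload:  ", hardened_rejects(ATTACK_PARAM))
```

Running it prints three header lines from the "vulnerable" response, with the attacker's Set-Cookie sitting between Location and Content-Length, and shows that the pinned id is only useful when the server does not issue a new session id at login. The hardened builder simply refuses the request; rejecting (or encoding) CR and LF before anything reaches a header line is the generic fix for this bug class.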

Sunday, March 27, 2011

OSCP (Offensive Security Certified Professional) Course Review

I promised myself I would write a summary of the OSCP class once I completed it, since there isn't much information about it.  It's not a very well known certification, but it's well respected by the people that are familiar with it.  There's quite a bit that is secret, such as the details of the exam, but I'll try to give you an idea of what to expect if you're considering taking the class.  I took it in the winter of 2009-2010, so some details may become outdated as time goes on and the class is revised.

Prerequisite Knowledge and Time Commitment
You can buy 30 or 60 days of class/lab time, and you can also buy 30-day extensions. It culminates in a 24 hour straight exam (you don’t have to use the whole 24 hours) which you can schedule whenever you want starting after 6am (Central Time) if I recall correctly. The test is fairly cheap to retake, so it's more of a time/pride thing to pass it on the first time than it is a matter of cost.  

I’m sure some people could pass the test without even taking the class, but there are also some people on the other end of the spectrum who start with no knowledge of Linux. I had some very basic experience with the topics covered, and I think I figured the time commitment was about 355 hours. I did the 60 day lab, then waited a bit, then extended it for another 30 days to finish the final challenges, then did some additional studying on my own. I started in October and took the test in April. 

The Course
The course material is something like 13 chapters (I think you can find the syllabus online) and it has a video and PDF that go through each. It goes through a lot of the basic security stuff (e.g. ARP spoofing, password cracking, etc.), but in the middle it hops into what I consider the main section, which is on exploitation through metasploit, as well as fuzzing and writing your own exploits. It gets into some intermediate exploit writing, but for the most part it’s simple stack-based buffer overflows. It gives you a good introduction into these topics, then kind of drops you into the deep end and gives you some IPs to root.  Some more training, e.g. examples of rooting boxes, would have been nice here for someone who isn't a professional pentester.  Once you finish all the class material, there are a set of final challenges which are basically just some boxes to root. There are also quite a few additional boxes on the network that you can root. All that prepares you well for the test, but it doesn’t give you the answers.

The part about the class that I hated was that if you asked almost any question, the answer would usually be this: “http://www.offensive-security.com/when-things-get-tough.php”. Even when I tried abstracting my question so it wasn’t related to the class, it was very tough to get an answer from anyone in #offsec. On one hand, it is good to not serve people the answers, but on the other hand when you're completely stuck I don't think it's too much to ask whether you're headed in the right direction.  If I wanted to learn everything on my own without any guidance, I wouldn't have paid for the OSCP in the first place.  Having said that, overall it was an awesome class and I’d recommend it.  It’s so much fun to finally root a box that you've been attacking for the last 8 hours.  In short, it's probably one of the most frustrating yet satisfying experiences you'll come across.

Tips
· Do the class while it’s cold out. It was much easier to park myself in front of the computer on the nights and weekends during the winter.

· You don’t need to take notes as thorough as it implies in the beginning, but you should keep track of exactly which boxes you have rooted. All they really care about is whether you pass the test (and whether you went the extra mile if it’s borderline).

· If you want additional practice, set up a lab or enter one of the many online CTFs. I found NetWars to be good practice, but it doesn’t look like they have rounds going anymore.