Development Geek Sun, 07 Feb 2016 21:48:59 +0000 en-US hourly 1 The Way of the Developer Sun, 31 Jan 2016 04:15:09 +0000

Continue Reading]]> samurai

Recently, I’ve been reading Musashi: An Epic Novel of Samurai Era. I actually found it quite inspiring.

Though largely self-taught in his use of swordsmanship and fighting, the main character strives to constantly hone his craft and to follow what he sees as the Way of the Warrior. He learns by watching other warriors, nature, and by following teachings of Sun Tzu and later from Buddhism.

Maybe it’s because I’m also largely self-taught and learn mostly through interacting with other developers and from the code I work with every day, but this story resonated with me. As a developer, I feel like it’s important to cultivate one’s own Way of the Developer.

]]> 0
2016 Goals Fri, 01 Jan 2016 01:46:03 +0000

Continue Reading]]> goals-signThis past year has been full of unexpected twists and turns but overall it’s been pretty fun.

On the professional side of things, I’ve enjoyed participating in lots of interesting private bug-bounty programs and getting more involved in learning new development languages.

By working on other software projects, though, it’s really reinforced how important it is to keep up with the latest design trends. Especially with some of the commercial code I’ve been able to work with, it seems much more heavily abstracted than I’m used to.

In the upcoming year, I’m hoping to get more hands-on experience with more the more advanced OOP styles.

]]> 0
Reinventing The Wheel Thu, 19 Nov 2015 03:20:10 +0000

Continue Reading]]> WheelIn business, it generally doesn’t make sense to reinvent the wheel. Why spend time and resources developing something that already exists commercially?

For personal development projects, though, it’s a great way to appreciate the amount of work that went into the existing solutions. Plus, it can obviously be customized to behavior however you’d like.

Lately, I’ve been working on a tool to take a domain name, suggest similar names, and then check to see if those sites are active.

The primary use will be in discovering and reporting domains being used for typosquatting or fraud. There are existing tools, like dnstwist, but I figured it might be fun to attempt something similar on my own.

My tool will allow me to define which domains I’m interested in monitoring out of the automatically-suggested list (since some are just super unlikely) and perform periodic checks against them. It’ll also grab a thumbnail image of the site (if a website for the domain exists) and maybe some meta-data… and allow me to add my own notes.

This will let me identify active domains with similar names to the ones I’m interested, but can also exclude sites I’ve identified as being legitimate. By periodically evaluating the registration data, I can also flag domains as needing reviewed. This way, if I identified as legitimate, but then a year later it changes hands, I wouldn’t want to treat it the same as the original that I originally reviewed.

I’m doing it all in my free time. Since I don’t have a whole lot of that these days, things are progressing quite slowly. Still, though… it’s fun. That’s what’s important, right?

]]> 0
Catch And Release: Barracuda WSA Tue, 29 Sep 2015 22:30:58 +0000

Continue Reading]]> fish*** EXECUTIVE SUMMARY ***

While reviewing Barracuda Network’s Web Security Agent, I identified three security vulnerabilities.

Exploitation of these vulnerabilities allow the disclosure and alteration of local WSA settings, shutting down of the WSA service, and local elevation of privilege allowing execution as SYSTEM.

These issues were initially discovered within of WSA. They were responsibly disclosed in early June 2015 and were fully resolved at the end of September, as part of their 4.4.1 release.


I’m purposely leaving this details out of this section for now. Developers interested in evaluating the security posture of their applications will hopefully get something out of it, but there’s no reason to rush with the details until users have had a chance to update away from the vulnerable versions.


Throughout the entire process, I couldn’t have asked for a better contact at Barracuda than Justin Kelly. He and the rest of the BNSEC team did a great job keeping me in the loop. Justin provided the perfect blend of professionalism and casualness. It was clear that they were taking things seriously on their end, but I never got the feeling that they were going to go Oracle-style with it with legal threats for picking apart their product a bit. I’m looking forward to working with them more in the future.

]]> 0
DLL Hijacking Sun, 27 Sep 2015 19:54:21 +0000

Continue Reading]]> Procmon_BGInfo

I’ve been having a lot of fun recently with DLL Hijacking. It’s been around for quite a few years now and the ‘best practices’ recommended by Microsoft are to fully-qualify the DLL paths.

Quite a lot of applications that don’t do this, however…

Thankfully, the Windows OS has gotten quite a bit smarter over the years when it comes to this sort of thing. They’ve altered the priority of paths being searched, which significantly cut down on the impact to most applications. Additionally, some of their core DLL files are set up in such a way that even if an explicit path is given, it will ignore it in favor of where it knows the ‘good’ copy is.

The MSDN documentation provides some pretty useful information on the way searching happens.

  1. If a DLL with the same module name is already loaded in memory, the system checks only for redirection and a manifest before resolving to the loaded DLL, no matter which directory it is in. The system does not search for the DLL.
  2. If the DLL is on the list of known DLLs for the version of Windows on which the application is running, the system uses its copy of the known DLL (and the known DLL’s dependent DLLs, if any) instead of searching for the DLL. For a list of known DLLs on the current system, see the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
  3. If a DLL has dependencies, the system searches for the dependent DLLs as if they were loaded with just their module names. This is true even if the first DLL was loaded by specifying a full path.

The first and last items were interesting to me.

But, really, it’s even more simple if the application you’re looking to hijack is installed outside of the usual “Program Files” or “Program Files (x86)” directories. At least when an application is installed in one of those folders, local admin rights are needed to write to them. But if the program is installed to its own folder, plenty of fun can be had…

One such example I’ve had success with in my home environment is BGInfo utility, from Sysinternals. It’s a popular utility with system administrators and generally seems to get installed in C:\bginfo\ (which doesn’t have any built-in protections, by default). It looks like I wasn’t the only one who found it to be a worthwhile target

This allows a custom DLL to be added to the directory (by a tech-savy user, malware, an attacker, etc.) without any special rights being needed.

Using procmon, also by Sysinternals, I was able to see that one of the libraries BGInfo uses is version.dll

I found the legitimate file, made my own DLL with the same name and public methods. All requests made to it get sent over to the appropriate routine in the legitimate version.dll file (so the program continues to work as expected). I also added my own custom payload into the DLL’s initial execution. That payload gets run under the context of the account executing BGInfo.exe

As a proof-of-concept, I simply added a message box. If this had been a real exploit, however, there’s a lot more potential for abuse…

At most organizations, BGInfo gets executed upon login by all users… which includes local administrators and potentially domain administrators. Just let that sink in for a bit… Here’s code provided by a non-admin, malware, etc. and it’s getting automatically executed by an admin. Ouch!

Granted, it’s a bit of a waiting game… but it can allow for some rather easy elevation of privileges… Especially if logins by local administrators happen pretty frequently.

What about if domain admins don’t do local logins? No problem. Use the initial DLL hijacking to execute code for a local admin. From there, additional hijacking for programs commonly used by domain admins (via Run As…) can be done without a whole lot of additional effort.

This can also lead to pass-the-hash attacks, spreading similar attacks to other machines on the network, etc.

All in all… it’s bad news for an enterprise.

Even if no admins (local or otherwise) execute the DLL-hijacked application, it’s still going to have persistent code that launches whenever the program does (which is login, in the case of BGInfo). Probably not ideal.

If there isn’t an obviously-exploitable program in an unprotected directory, though… what then? I’ve had a surprisingly amount of success dropping hijacked DLLs into the current user’s AppData temp directory. Using my same tainted version.dll from earlier, I was able to trigger my ‘rogue code’ during a Notepad++ update. Pretty handy.

The moral of the story is… fully qualify your DLL paths. And even if you do, be aware of potential DLL hijacking through the dependencies of the DLLs you are fully-qualifying. If it can be abused… it probably will be.

Next on my list of techniques to get more familiar with is DLL Injection. Seems like it’ll be a lot of fun, too.

]]> 0
The All-Knowing-Oracle Wed, 12 Aug 2015 15:37:15 +0000

Continue Reading]]> crystal-ballOracle’s CSO, Mary Ann Davidson, provided a wonderful of example of how not to handle having your products reverse engineered.

Her original post has been removed, but there’s a copy of it on Scribd. It’s worth reading, if you haven’t seen it yet.

I think I get where she is coming from, on her original post. If people are using automated static analysis tools to report issues and either it isn’t actually a security issue or it’s something Oracle is already aware of and is working on, I can certainly understand how that might be a drain on their resources and their time could be better spent on finding real issues themselves.

That being said, I can’t believe that a company — especially one the size of Oracle — can think that the “Pay no attention to the man behind the curtain” approach is an effective strategy.

People are going to try to look at your code. Even if not your customers, the ‘bad guys’ certainly will. Taking a stance of “if there’s a security issue, we’ll find it on our own” isn’t helping anyone.

Ultimately, if someone running an automate tools or performing a basic static analysis is able to uncover actual issues in Oracle’s products, that’s stuff Oracle should have found on its own. If it’s mostly false-positives and duplicates that are the issue, Oracle isn’t doing a good job of clearly exposing that to their customers.

I like how Bugcrowd and similar services do it… Companies with a mature security program can define boundaries. There is a monetary incentive to follow the rules and proper procedures. Even if something happens to fall outside the scope of the bug bounty program, they are still likely to have the ability to work with the person to ensure the issue is validated and fixed within a reasonable amount of time.

The biggest downside I see with the current bug-bounty programs is that products not part of the bounty are probably worthwhile targets. The product might not get much attention internally and was simply forgotten about. A vendor might also not list it because they already know/suspect there are a lot of bugs in it. Either way, what isn’t part of a bug bounty program can sometimes be even more interesting than what is… At least if you don’t care about the rewards.

Hopefully Oracle will eventually shift more towards the bug bounty style. As it is now, it seems like they view it as purely an ‘us vs them’ approach. Where bug bounties really shine, though, is when the internal team is able to collaborate with external researchers.

I wonder how much (if any) competitive advantage the SQL Server platform has over Oracle, given the difference in how Microsoft handles the discovery and reporting of issues in their products versus Oracle. Maybe that could be a motivating factor for them to change their approach…

]]> 0
Books to read in 2015 Sat, 01 Aug 2015 15:17:23 +0000

Continue Reading]]> booksHere are five books I’d recommend checking out, if you haven’t already read them.

  • #1 — The Pragmatic Programmer — This is, by far, one of my favorite development books and I recommend everyone read it at least once.
  • #2 — Gray Hat Hacking – The Ethical Hacker’s Handbook — While not specifically geared towards software development, there are plenty of topics that developers should consider giving some thought to.
  • #3 — Threat Modeling: Designing for Security — Even in eBook format, this book is massive. No matter whether you’re building applications for mobile devices, websites, or desktops, there’s something to be gained from this book.
  • #4 — Official (ISC)2 Guide to the CSSLP CBK — Even if you are not going for the CSSLP certification, there are still some great concepts developers should keep in mind throughout the SDLC.
  • #5 — Job Reconnaissance: Using Hacking Skills to Win the Job Hunt Game — Another one that’s not specifically geared towards developers, but I found the advice to be quite useful. Even if you are a highly technical individual, controlling your ‘brand’ is important. I also like the idea of doing a bit of reconnaissance early on to find specific companies of interest, rather than relying on a company to find you.
]]> 0
Are You Being ILSpy-ed On? Sun, 19 Jul 2015 14:24:20 +0000

Continue Reading]]> ILSpyOver these past few months, one of my favorite tools has been ILSpy.

I’ve always had fun trying to reverse engineer applications and figure out how they work, but ILSpy simplifies that quite a bit — at least for .NET applications and libraries.

Since I like investing the effort up-front, so I can be lazier later on, I wrote a simple utility to make using ILSpy even easier for myself. Given a target directory, it drills down into it in order to find all of the .NET-based assemblies. To do that, it attempts a call to System.Reflection.AssemblyName.GetAssemblyName and checks to see if it returns anything. If it does, ILSpy is likely able to decompile the compiled IL code to its more readable (to me) .NET source, so it gets added to my list. Anything else is ignored. This lets me quickly see EXEs or DLLs that are of interest. From there, I can just double-click on the the entry to open it up in ILSpy. Easy-Peasy.

With assemblies not written in .NET, I generally stick to using Strings or maybe some really basic debugger stuff. Those tend to be less useful to me, though, since I’m still pretty weak on the assembly language side of things.

If you haven’t played with a decompiler before, I definitely recommend it. It’s amazing what you can find out, even about commercial applications.

It definitely has opened my eyes to the importance of obfuscation. While it won’t necessarily do a whole lot for someone who is determined to reverse engineer your code, it will at least provide enough of an obstacle to deter the more casual and curious users, like myself ;)

]]> 0 Sat, 13 Jun 2015 21:19:28 +0000

Continue Reading]]> securityA few months ago, I received an invite to I wasn’t sure what to think of it at first. I mean, what’s wrong with using one of the existing directories?

Since I began using it, though, I’m actually kind of diggin’ it. I like the way they handle their ‘social proofs’, too.

Exchanging encrypted messages with others is quite easy and convenient now. Definitely check it out.

You can find my profile at

]]> 0
Developer Mindset Sat, 30 May 2015 14:43:49 +0000

Continue Reading]]> IBM5150I’ve been programming almost as early as I can remember… I grew up coding in BASICA, GW-Basic, and pretty much any language that I could get my hands on for free. By middle school, I had written my own war-dialer to locate nearby BBS systems — for, you know… educational usage only ;) Some of my favorite memories were on an old AT with no hard drive and a 5.25″ floppy. There, I’d try to reverse engineer and then modify games I had, to bypass piracy protection (generally asking for special codes that came with the original game manuals) or modify how the game works.

Even before I learned how to use a computer, I would constantly take apart household appliances (causing much frustration for my parents, I’m sure). My earliest invention that I can remember making was a remote-controlled night-light. When I wanted to use the bathroom at night, I would flip a toggle switch by the bed and a light by the doorway would turn on, illuminating my path. Granted, I could’ve just cleaned up all of my toys, clothes, and stuff on the floor so I wouldn’t need the light, but where’s the fun in that?

I guess if I had to pick one motivation, it is the desire to understand how things work and make them do what I want…

It’s helped me become a bit of a development generalist. Before the term ‘DevOps’ had even been coined, I was working with the admin team. Before ‘agile’, I was prototyping and working with users to come up with the solution they wanted. I just love creating and improving on things.

I feel like that desire is something that is seriously lacking in today’s corporate world.

I’ve met so many other developers who have impressive-sounding degrees and certifications, use the latest technologies, and follow a rigid set of processes and procedures… and while some of them are great friends of mine and are certainly capable of accomplishing most business tasks, they seem to lack the ‘developer mindset’. Or maybe it’s the ‘hacker mindset’. They sort of go hand-in-hand for me, I guess.

To make an overly-simple comparison… You can’t become an ‘artist’ just by memorizing proper painting techniques and having all of the finest-quality brushes and paints. The same holds true for software developers.

Personally, I don’t believe in the concept of the ‘x10 developer’ — that so-called rockstar developer who is capable of producing truly great and innovative work. I prefer to think of that as just a plain ‘ol developer. Unfortunately, more common to see in companies is the ‘1/10th developer’.

Not all people are cut out to be developers. It isn’t that one is necessarily better than the other. It just kind of annoys me that both groups get lumped together when it comes to pay, hiring, etc.

It’s a difficult thing to quantify on paper (or blog). It’s even harder to relay to recruiters, perspective employers, etc. That’s why I pretty much only rely on word-of-mouth when it comes to working somewhere. People who have worked with me know what I’m bringing to the table. It’s more than just the buzzword-bingo filling up a resume.

I’m a developer. It’s part of who I am. It isn’t just my hobby, job, or career.

That’s what motivates me.

What about you…?

]]> 0