October 12, 2011

Book Review: Reamde by Neal Stephenson

Posted in Book Review, Pen-Testing at 16:22 by Alex McGeorge

I recently finished the latest Neal Stephenson book, Reamde. I really enjoyed it; stylistically I think it is most similar to Cryptonomicon and is definitely an improvement (for me) over Anathem. The book does incorporate some realistic hacking plot devices to further the story. All of my complaints are really pedantic, which is to say Stephenson executed the hacking bits very well and they do not detract from the story. My review is going to focus on those pieces of the novel. A more in-depth technical look that probably contains spoilers is below.

Word Count: ~1000

The first plot device is a conversation between the characters Peter and Wallace which starts on page 73. Peter is selling Wallace a database of credit card information he obtained through his side job as an above-board penetration tester. He claims to have used a SQL injection bug in a website to install a rootkit and thus maintain access to the server. Though he discovered the flaw on a legitimate gig, he used the knowledge to exploit other websites built by the same third party in the same way.

  • SQLi bugs are ridiculously common by almost any measure, so that's a perfectly appropriate attack.
  • To install a rootkit, though, you typically need some kind of shell access. Depending on the flavor of the underlying SQL database this can be relatively straightforward (xp_cmdshell on MSSQL, or SELECT ... INTO OUTFILE to drop a web shell on MySQL) or impossible (a database with no file or OS access, or a driver that refuses stacked queries). So shell access is typically another step, and it nets you a shell with the privileges of either the database or the web server, nothing more.
  • The other piece required to install a rootkit is, as the name implies, root. SQL and httpd typically do not run as root, so any privileges you inherit from those services would be insufficient for this attack. You would therefore need a local privilege escalation exploit as a third step.

Ifs and Buts: The scenario is perfectly reasonable; I have used an SQLi bug as the first step in a path to root on a webserver numerous times. There are a ton of wonky webserver configurations out there, so it's possible you may be able to leverage SQLi to drop instantly to a root shell, but that is not typical. My issue is that he left out a few steps.
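Since the first step of Peter's chain is the one readers are most likely to run into themselves, here is the bug in miniature. This is an added example, not from the novel and not anything from the original review: Python's sqlite3 module, a constructed three-row card table, and two classic payloads. It shows the tautology payload dumping the whole table from the concatenated query while the parameterized version returns nothing, and it shows the "flavor of the database" caveat from the second bullet: this particular driver refuses to run a stacked second statement, which is exactly the kind of thing that decides whether SQLi turns into a shell or stops at data theft.

```python
import sqlite3

# Constructed sample data standing in for the card table Peter sells.
# Owners and PANs are made up (the PANs are the usual test numbers).
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]

# Classic SQLi payload: closes the quoted string and tacks on an always-true clause.
TAUTOLOGY_PAYLOAD = "nobody' OR '1'='1"

# Stacked-query payload: tries to smuggle a second statement after the first.
STACKED_PAYLOAD = "nobody'; DROP TABLE cards; --"


def make_db():
    """Build an in-memory database with one table of (constructed) card data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """The bug: user input spliced straight into the query text."""
    sql = "SELECT owner, pan FROM cards WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """The fix: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT owner, pan FROM cards WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def stacked_query_rejected(conn):
    """Whether the driver refuses a second statement injected via SQLi.

    Python's sqlite3 executes exactly one statement per execute() call and
    raises otherwise (sqlite3.Warning on older Pythons, ProgrammingError on
    newer ones). Other database/driver combinations happily run stacked
    queries, which is one reason "SQLi to shell" is easy on some stacks and
    impossible on others.
    """
    try:
        lookup_vulnerable(conn, STACKED_PAYLOAD)
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, payload:     ", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("safe, payload:           ", lookup_safe(db, TAUTOLOGY_PAYLOAD))
    print("stacked query rejected:  ", stacked_query_rejected(db))
    print("table still intact:      ", len(lookup_safe(db, "alice")) == 1)
```

The interesting line for Peter's story is the last one: even with a working injection, getting from "read every row" to "run a command" depends on what the database and its driver let a second statement or a file write do, which is the step the novel skips.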


The second plot device is the description of the reamde virus itself, which starts on page 119. In briefing Ivanov, Zula discloses that the virus leverages a buffer overflow in Outlook to run code on the target system and achieve root-level access.

  • Outlook is very common and has had buffer overflows in the past, so no stretch of the imagination here.
  • Again, you typically cannot transition directly from the user running Outlook to LocalSystem without some kind of additional step.
    1. I will grant that most users would be running their primary account as the machine's administrator.
    2. On Windows 2000 and XP an administrator could simply install a service and have it run as LocalSystem, so inheriting those privileges was trivial.
    3. Given the description of the game and its performance (specifically in contrast to WoW), I would argue that the hardware requirements alone would mean Vista/Win7-era machines, and high-end ones at that. The security measures Vista introduced (UAC in particular) prevent you from easily transitioning into running code as LocalSystem even as an administrator; you need a privilege escalation attack.
  • Zula mentions that the virus is able to abuse the Outlook vulnerability by virtue of an add-on bridge between T'Rain and the Outlook calendar used to manage in-game events. I'm not entirely clear on what the infection vector would be; it seems reasonable that in order to get the kind of infection numbers they talk about, the vulnerability would have to be in the functionality where Outlook checks for a conflicting appointment. So you'd get something like:
    1. Some kind of mass invite procedure is available.
    2. You go to some populated area with a bot and start inviting everyone you see.
    3. The invite contains some string which is passed to Outlook; while checking whether you're free, Outlook parses the string and that triggers the vulnerability.
    4. Therefore the vulnerability would have to be reachable pre-acceptance, before the victim clicks anything.

Ifs and Buts: Again, this scenario is perfectly reasonable, but a step is missing. While they specifically mention this vulnerability in Outlook was previously known and patched, I think a more interesting target would be whatever fictional software T'Rain used to manage the add-ons in use by the users (analogous to the Curse updater for WoW). But this is neither here nor there really.


Finally, on arriving in China, Zula, Sokolov and Csongor convince Ivanov that the best way to find the virus writer's location is to drive around Xiamen taking a survey of IP addresses. The assumption is that IP addresses close to the virus writer's in address space (i.e. in the same netblock) will correspond to physical proximity to the computer they're after.

  • First and foremost: don't want your door kicked in by Russian Blackwater? Two words: anonymous proxy.
  • I'll admit my experience with ISP-style networking is fairly limited, but I don't think their assumption that IP proximity maps to geographic area is going to work with the precision they're thinking.
  • Talk about labor intensive: you're assuming there'll be a ton of open APs on the same ISP, and for those that aren't open you'd have to see if you can buy access (e.g. an internet cafe).

Ifs and Buts: I recognize that this activity was central to the plot, as it gave Sokolov a chance to reconnoiter the area, introduces the Yuxia character and eventually introduces us to Marlon. But given the amount of money Ivanov is willing to throw at this problem, it seems much easier to just find an engineer at the ISP and buy the answer. Or just have Peter and Csongor hack into the ISP and steal the answer.
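To make the "netblock proximity" heuristic concrete, here is what the characters are actually computing, written out as an added example (my own code, not the novel's and not part of the original review). The survey below is constructed, using RFC 5737 documentation addresses rather than anything observed in Xiamen; the target IP and the labels are made up. The ranking function scores each survey point by how many leading bits its address shares with the target, which is all "same netblock" means. The constructed data is arranged to show the catch: two samples in the same /24 sit on opposite sides of town, and the heuristic cannot tell them apart, because address-space distance is not street distance.

```python
import ipaddress

# Constructed survey: (where the sample was taken, IP seen there). All
# addresses are from the RFC 5737 documentation ranges and the labels are
# invented to illustrate the point.
TARGET = "203.0.113.77"
SURVEY = [
    ("cafe on street A", "203.0.113.200"),
    ("cafe on street B", "203.0.114.5"),
    ("hotel lobby", "198.51.100.9"),
    ("open AP, other side of town", "203.0.113.130"),
]


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses share (0..32)."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def same_block(a, b, prefixlen):
    """True if both addresses fall inside the same /prefixlen network."""
    net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    return ipaddress.IPv4Address(b) in net


def rank_survey(target, survey):
    """Order survey points by shared leading bits with the target, best first.

    This is the whole 'drive around and compare netblocks' method: it ranks
    by address-space distance. Whether an ISP hands out one /24 to one street
    or to half a city is a fact about that ISP's allocation, not something
    the bits can tell you.
    """
    scored = [(common_prefix_len(target, ip), label, ip) for label, ip in survey]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


if __name__ == "__main__":
    for bits, label, ip in rank_survey(TARGET, SURVEY):
        print(f"/{bits:<2} shared  {ip:<15} {label}")
    # Both /24 matches tie at 24 bits despite being across town from each other.
    print("same /24:", same_block(TARGET, "203.0.113.130", 24))
    print("same /22:", same_block(TARGET, "203.0.114.5", 22))
```

The useful takeaway for anyone tempted by this approach: the prefix length tells you which ISP and, at best, which aggregation of that ISP's customers you are looking at. Mapping that to a building needs the ISP's own allocation records, which is the point about buying or stealing the answer.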


Coming soonish: at least one more review

This post brought to you by: Lyrics Born – Bad Dreams
