Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Breaking Computrace LoJack Part II
From: Lmwangi <labeneator () gmail com>
Date: Sat, 7 Jan 2006 20:56:21 +0300

Maybe, Just maybe. There's a parallel universe with you and a mirror
of your laptop. Of course in the other universe, Somethings would be
different such as the DoD IP address block

On 1/7/06, obnoxious () hush com <obnoxious () hush com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Breaking Computrace's LoJack Part II

After my first hurried document, I figured I'd offer some follow
information. An employee from Absolute.com contacted my employer
rambling on about me being misinformed on their product. The
employee from Absolute was more than likely a salesman as he
couldn't answer technical questions so I requested that he send me
information about my laptop since he was "concerned" that it had
not "phoned home". But yet he was stating it had "phoned home" and
Absolute was still able to track my machine.

One thing this person stated was that "my machine was still calling
in, but not updating their database with information on the state
of my machine to their front end, but the back end was still
working". Meaning, although my machine was not phoning home, it was
phoning home. After a quick chuckle I again iterated that if this
were the case - that my machine still contacting his company - he
should be able to provide me with the information my machine was
supposedly sending. After I received his response I sent off a
detailed e-mail calling his bluff.

According to the staff at Absolute.com, my machine had called in
yesterday (January 06th 2006) morning at 9:45am. They even provided
me with an IP address. I was shocked and ready to throw in the
towel at that point, but decided to respond right back to them.

Firstly, on January 06th 2005, my machine was powered down.
Secondly, it was not physically plugged into any network. Thirdly,
Troppix was running on the machine and the CD was still in its
drive. Now I wondered what a marvelous feat it would be for 1)
Absolute to create a kinetic based program to power up my machine
at will. Such a great feat would bring them millions in revenue
from people seeking to conserve money on power. I then thought even
neater of them to have the ability to connect my machine to a
network without my knowledge. Zeroconf (www.zeroconf.org) must have
sped up production and given rights to Absolute or something.
Almost lastly would be the fact that they've ported over Windows
executable's and DLL's over to Linux.

If that wasn't enough of a slap in the face, Absolute graciously
provided me with what they labeled an IP address. The address they
gave me was 485819880. So I wondered? 1CFC05E8?
00011100111101010000010111101000? What kind of crap are they giving
me? If that's a decimal IP that would place me at 28.245.5.232.
That would mean that my machine was "phoning home" from a
Department of Defense" network which would probably make me a
terrorist. Now I informed Absolute that I have a static address at
home, this I could verify with my company's syslog server as well
as 4 other (non company) servers which could provide them with my
IP address if they wanted it for verification purposes. Surely a
provider wouldn't pull Absolute's chain and give them false
information so any claims by Absolute of me "fabricating my IP
address" would be an insult.

[root () imposter security]# echo 485819880 | trans.pl
[root () imposter security]# 28.245.5.232

[root () imposter security]# whois -h whois.arin.net 28.245.5.232
[Querying whois.arin.net]
[whois.arin.net]

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange:   28.0.0.0 - 28.255.255.255
CIDR:       28.0.0.0/8
NetName:    DSI-NORTH2
NetHandle:  NET-28-0-0-0-1
Parent:
NetType:    Direct Allocation
Comment:    ARPA DSI JPO
Comment:    7790 Science Applicationis Crt.,
Comment:    Vienna, VA 22183 US
RegDate:    1996-03-11
Updated:    2000-04-13

So now as it stands, Absolute has a kinetic, Zeroconf, password
cracking, interchangeable (Windows executable to Linux binary)
product capable of finding anyone anywhere on the planet. For those
wondering about the password cracking part, how else could it have
booted up Troppix and logged in - in order to send out information.

To be fair I decided to boot into Windows XP turn on my firewall
and watch whatever tries to connect to - where and why. Sure enough
Internet Explorer was trying to send out information to a site that
just so happened to be owned by Absolute. Packet data anyone?

Protocol :            TCP
Local Address :       10.10.10.10
Local Port :          1596
Remote Name :         search.namequery.com
Remote Address :      209.53.113.223
Remote Port :                 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 76)
      Destination:    00-09-5b-6d-a0-9c
      Source:         00-12-f0-44-4e-4b
Type: IP (0x0800)
Internet Protocol
      Version: 4
      Header Length: 20 bytes
      Flags:
              .1.. = Don't fragment: Set
              ..0. = More fragments: Not set
      Fragment offset:0
      Time to live: 128
      Protocol: 0x6 (TCP - Transmission Control Protocol)
      Header checksum: 0xa878 (Correct)
      Source: 10.10.10.10
      Destination: 209.53.113.223
Transmission Control Protocol (TCP)
      Source port: 1596
      Destination port: 80
      Sequence number: 3493489526
      Acknowledgment number: 0
      Header length: 28
      Flags:
              0... .... = Congestion Window Reduce (CWR): Not set
              .0.. .... = ECN-Echo: Not set
              ..0. .... = Urgent: Not set
              ...0 .... = Acknowledgment: Not set
              .... 0... = Push: Not set
              .... .0.. = Reset: Not set
              .... ..1. = Syn: Set
              .... ...0 = Fin: Not set
      Checksum: 0x1dfd (Correct)
      Data (0 Bytes)

Binary dump of the packet:
0000:  00 09 5B 6D A0 9C 00 12 : F0 44 4E 4B 08 00 45 00 |
...[m.....DNK..E.
0010:  00 30 7E 5B 40 00 80 06 : 78 A8 C0 A8 00 07 D1 35 |
..0~[ ()    x      5
0020:  71 DF 06 3C 00 50 D0 3A : 6B 76 00 00 00 00 70 02 |
q..<.P.:kv....p.
0030:  40 00 FD 1D 00 00 02 04 : 05 B4 01 01 04 02 6E 61 |
@.............na
0040:  6D 65 71 75 65 72 79 03 : 63 6F 6D 00             |
mequery.com.

So what was the best thing to do? Block it via my firewall or play
with my hosts file:

echo "search.namequery.com   127.0.0.1" >> C:\PATH\TO MY\HOSTS ...

Maybe I could have played with Absolute using Scapy
(http://www.secdev.org/projects/scapy/):

<Ether dst=00:09:5b:6d:a0:9c src=00:00:00:31:33:17 type=0x800 |<IP
version=4L
 ihl=5L tos=0x6 len=67 id=1 flags= frag=0L ttl=255 proto=TCP
chksum=0xa878
 src=3.1.33.7 dst=209.53.113.223 options='' |<TCP sport=1337
dport=80 seq=0L
 ack=0L dataofs=5L reserved=0L flags=S window=8192 chksum=0xbb39
urgptr=0
 options=[] |<Raw load='POST /1DJ1TS' |>>>>

Perhaps change IP addressing every 5 minutes on a script, call them
and ask them "Can you hear me now..." ... "Can you hear me now..."

Anywho(w)...

Now I'd really like to know what Absolute has to say about 1) their
miraculous methods of finding my machine even when it is booted
into Windows with me redirecting via my hosts file. I'd also like
to know why if they were so concerned - as this salesperson's call
alluded to, why didn't he mention the 3-4 other laptops in my
stable that haven't "phoned home".

Anyhow, the jury is out on this... Absolute has yet to respond
(once again). So for those from Absolute reading this (you've done
so before... Obviously in order to contact me at work) let it be
known, prior to the original writing being posted, and prior to
this one being sent, your company was notified.

J. Oquendo
obnoxious||hush.com
"Please no tears no sympathy" -- VNV Nation Epicentre
echo "\$|[\$_-
{_,s:.(.).+.(.):print+(\$1..\$2)[15,22,13,4,3]:e}]"|perl
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkO//YwACgkQo8cxM8/cskrizgCeOx/r0Q5X+e2sJ375wMnk1qb+ShYA
nRqFBg14AaunNHf3wVeRLTNjPxd/
=xTxH
-----END PGP SIGNATURE-----




Concerned about your privacy? Instantly send FREE secure email, no account
required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
Article:
-
    And an unknown college dropout named Bill Gates, together with his
partner Paul Allen, wrote a version of the programming language BASIC
for the Altair, forming a company called Micro-Soft in the process. He
would later drop the hyphen and the capital S, and make billions of
dollars.
--
Comment:
+++
Dammit Slashdot! If you would just drop the capital S, you could be
making billions of dollars too!
+++++
http://slashdot.org/comments.pl?sid=171335&cid=14270286
+++++++
www.opensource.or.ke
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]