Version 1.0, December 31, 2015 - benjaminrobinson.ninja


The 2015 SANS Holiday Hack Challenge Gnome in Your Home: A Whodunnit

December 31, 2015


Table of Contents

Introduction ..... 1
Part 1: Gnomadic Surveillance ..... 2
  1) Which commands are sent across the Gnome's command-and-control channel? ..... 2
  2) What image appears in the photo the Gnome sent across the channel from the Dosis home? ..... 2
Part 2: Gnome Your Enemy ..... 3
  3) What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in? ..... 5
  4) What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database? ..... 5
Part 3: Egnomeration ..... 6
  5) What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood? ..... 7
  6) Where is each SuperGnome located geographically? ..... 7
Part 4: Gnomesploitation ..... 8
  7) Please describe the vulnerabilities you discovered in the Gnome firmware. ..... 9
  8) Describe the technique you used to gain access to each SuperGnome's gnome.conf file. ..... 9
Part 5: A Gnoming Threat ..... 10
  9) Based on evidence you recover from the SuperGnomes' packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation? ..... 11
  10) Who is the villain behind the nefarious plot? ..... 12
Conclusion ..... 13
Appendix A: Gnome in Your Home Vulnerability Assessment ..... 15
  Executive Summary ..... 15
  Methodology ..... 17
  Attack Narrative ..... 17
    SG-01 ..... 17
    SG-02 ..... 18
    SG-03 ..... 20
    SG-04 ..... 22
    SG-05 ..... 24
  Vulnerabilities ..... 24


    Code Quality ..... 25
    Input Validation ..... 25
    Password Management ..... 27
    Session Management ..... 28
Appendix B: GnomeNET ..... 29
Appendix C: Command and Control ..... 30
  Extract Script ..... 30
  Commands ..... 30
Appendix D: Attribution ..... 33
  SG-01 ..... 33
  SG-02 ..... 35
  SG-03 ..... 35
  SG-04 ..... 36

Table of Tables

Table 1 Exploit Techniques ..... 9
Table 2 Vulnerability Ratings Count ..... 15
Table 3 SG-02: Directory Traversal ..... 19

Table of Figures

Figure 1 The legs... Those horrible legs ..... 2
Figure 2 Firmware: /etc/banner showing OpenWRT ..... 3
Figure 3 Firmware: Corroborating OpenWRT ..... 4
Figure 4 Firmware: System Information in MongoDB ..... 4
Figure 5 Firmware: Default Credentials in Gnome Database ..... 5
Figure 6 Firmware: /etc/hosts file ..... 5
Figure 7 Using Shodan to identify the SuperGnomes ..... 6
Figure 8 XORing the layered images to reveal the CEO ..... 11
Figure 9 Cindy Lou Who ..... 12
Figure 10 Cindy Lou Who's Nameplate ..... 12
Figure 11 Vulnerability Rating Percentages ..... 15
Figure 12 Vulnerability Ratings by Category ..... 16
Figure 13 GnomeNET Attack Surface ..... 17
Figure 14 SG-01: Gnome Serial Number ..... 18
Figure 15 Unsanitized user input allowing Local File Inclusion ..... 18
Figure 16 SG-02: Creating a directory with '.png' for filter evasion ..... 19


Figure 17 SG-02: Filter evasion directory created ..... 19
Figure 18 SG-02: Gnome Serial Number ..... 20
Figure 19 Querying MongoDB for executed queries ..... 20
Figure 20 SG-03: NoSQL Injection using JSON object ..... 21
Figure 21 SG-03: Gnome Serial Number ..... 21
Figure 22 SG-04: Unsanitized user input passed to JavaScript eval() function ..... 22
Figure 23 postproc_syntax allowing for SSJS injection ..... 22
Figure 24 SG-04: SSJS injection to retrieve gnome.conf ..... 23
Figure 25 SG-04: Gnome Serial Number ..... 23
Figure 26 SG-04: Extracting binary files with SSJS ..... 24
Figure 27 GIYH Architecture ..... 34


Document History

Version | Date | Changes
1.0 | 12/31/2015 | Initial draft


Introduction

It was a clear winter day like any other. There was snow layering the sidewalks and roofs while leaving the streets clear, the way it ought to be when you are rendering the world in all its 8-bit glory. The air was still, crisp and so cold that it felt pure. I saw an open door and wandered into a stranger's house, as I am wont to do on cold winter days in new neighborhoods. But I had good cause to be there; I had been called in by Duke Dosis to work on identifying the source of an Advanced Persistent Threat (APT) that was threatening to pollute Christmas like tracking cookies in a browser cache. "May I help you?" Duke asked as I walked into the living room. "I'm Mung," I said while handing a business card out to him. Duke looked at the card and looked up at me. His mouth dropped open before he spoke. "Right. The Forensic Investigator that I called." He glanced about, as if nervous. "Well. Let's go to the kitchen and I can fill you in over coffee." I followed Duke into the kitchen and took a seat while he grabbed a cup for me. He was silent, clearly a methodical man. Once he sat down, the words started flowing. Duke's kids had discovered that the 'Gnome in Your Home' was more than a creepy stuffed toy; it was the apparent source of command and control channel traffic. Duke suggested that I speak with Ed Skoudis. I knew that this thing was bigger than me and I would need some help with the case. Ed is an immediately likeable guy. Ed told me that his staff were in the area and I should talk to them as the case progressed for help. In return, he asked that I keep an eye out for his intern. This intern had recently disappeared and Ed was starting to worry since no one from Ed's company seemed to know where he was.


Part 1: Gnomadic Surveillance

Josh Dosis asked me to figure out what the packet capture file held. I told the kid not to hold his breath; packet analysis was not my forte. He let go an awkward chuckle as if he couldn't tell whether I was serious or not. He stood there holding out the flash drive. I knew he was just looking for my help so I told him not to worry; Ed Skoudis had already extolled the power of Scapy, and we were just a simple script away. I hate working out of hotels and the kid didn't appreciate my lack of social grace. Probably would have been smart to put myself in a no-interruption environment, but smart didn't bring me to the Dosis Neighborhood. I decided to pay Brittney another visit. I pulled up my collar and hit the street. Maybe Brittney had something to make that hot chocolate Irish. 'Tis the season and all. I managed to extract the commands from Josh's packet capture. Kid was right, it definitely was some sort of command and control (C&C) activity. Then I saw a reference to a 'snapshot_CURRENT.jpg' followed by a lot of packets with Base-64 encoding. After cursing the horror show of Scapy documentation, I finally pulled together a script that extracted an image. I was looking at those striped legs that were on every shelf this year. I recalled the website instructing parents to move the Gnome around the house and reached for my tinfoil hat.

1) Which commands are sent across the Gnome's command-and-control channel?

EXEC:iwconfig
EXEC:cat /tmp/iwlistscan.txt
FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg

[See Appendix C: Command and Control for the full command listing and script]
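As an added illustration of that extraction step (this is not the Appendix C script), the Python below walks the base64 TXT-record payloads in capture order, collects the EXEC: commands and reassembles the file announced by FILE:START_STATE. The sample records, the FILE: prefix on data chunks and the FILE:STOP_STATE terminator are constructed assumptions here; in practice the record strings would be pulled from the capture with Scapy.

```python
import base64
import binascii
from typing import Dict, List, Tuple

# Constructed stand-in for the snapshot: a few bytes with JPEG start/end markers,
# not the real image from the capture.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(64)) + b"\xff\xd9"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed sample of TXT payloads in capture order. Assumed framing:
# EXEC:<cmd> for a command, FILE:START_STATE,NAME=<path> to open a transfer,
# FILE:<bytes> for each chunk and FILE:STOP_STATE to close it. The last entry
# is deliberately not base64 to show that junk records do not abort the walk.
SAMPLE_TXT_RECORDS: List[str] = (
    [
        _b64(b"EXEC:iwconfig"),
        _b64(b"EXEC:cat /tmp/iwlistscan.txt"),
        _b64(b"FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg"),
    ]
    + [_b64(b"FILE:" + FAKE_JPEG[i:i + 16]) for i in range(0, len(FAKE_JPEG), 16)]
    + [_b64(b"FILE:STOP_STATE"), "not base64 at all!"]
)

START = b"FILE:START_STATE,NAME="
STOP = b"FILE:STOP_STATE"


def parse_c2_records(records: List[str]) -> Tuple[List[str], Dict[str, bytes], List[str]]:
    """Return (commands, completed files by name, names of transfers cut off mid-stream)."""
    commands: List[str] = []
    files: Dict[str, bytes] = {}
    partial: List[str] = []
    current = None
    buf = bytearray()
    for rec in records:
        try:
            payload = base64.b64decode(rec, validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed or unrelated TXT data: skip it, keep walking
        if payload.startswith(b"EXEC:"):
            commands.append(payload[len(b"EXEC:"):].decode("utf-8", "replace"))
        elif payload.startswith(START):
            if current is not None:  # a new transfer began before the old one ended
                partial.append(current)
            current = payload[len(START):].decode("utf-8", "replace")
            buf = bytearray()
        elif payload == STOP:
            if current is not None:
                files[current] = bytes(buf)
            current = None
        elif payload.startswith(b"FILE:") and current is not None:
            buf += payload[len(b"FILE:"):]
    if current is not None:  # capture ended without a STOP marker
        partial.append(current)
    return commands, files, partial


def looks_like_jpeg(data: bytes) -> bool:
    """Cheap sanity check on a reassembled file: JPEG SOI at the start, EOI at the end."""
    return data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"


if __name__ == "__main__":
    cmds, found, cut = parse_c2_records(SAMPLE_TXT_RECORDS)
    for c in cmds:
        print("EXEC:", c)
    for name, data in found.items():
        print(name, len(data), "bytes, jpeg:", looks_like_jpeg(data))
    if cut:
        print("incomplete transfers:", cut)
```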

2) What image appears in the photo the Gnome sent across the channel from the Dosis home?

Figure 1 The legs... Those horrible legs


Part 2: Gnome Your Enemy

Soon after I gave Josh the details of the packet capture, he let me know that Jessica had finally cracked the firmware and needed some help with the analysis. Jessica did a great job of handing off the firmware; I didn't even need to read hex. Using Binwalk and dd, I extracted the SquashFS file system from the firmware and mounted it. I was trolling through the Gnome's configuration and GnomeNET source code, finally feeling like I wasn't wading upstream waist deep in an icy creek. At least my keystrokes were for taking notes and not for trying to figure out how to do what needed to be done. Sure, I didn't really get the gravity of the situation yet, but it looked like these Gnomes were running or communicating with some sort of server, a so-called SuperGnome. It also appeared that I had source code for a web interface; either the Gnome's or some server's, I didn't know yet. What I did know was that the configuration of the Gnome was starting to take shape. I made some notes about the system being OpenWRT, running the Express framework on a Node.js web server, using Monk as the interface to MongoDB, and some other common components and dependencies, like jQuery, that were identified in the '/www/package.json' file in the firmware. From configuration files, it appeared that these gnomes were taking pictures every hour. Hideous security camera or privacy invasion? Context is a funny thing.

Figure 2 Firmware: /etc/banner showing OpenWRT


Figure 3 Firmware: Corroborating OpenWRT

Figure 4 Firmware: System Information in MongoDB

A few hours later, I had a 'GnomeNET' credential that I got from running strings against the MongoDB Gnome database:


Figure 5 Firmware: Default Credentials in Gnome Database

Even more critical to further our understanding, I had an IP address from the hosts file:

Figure 6 Firmware: /etc/hosts file

3) What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in?

OS: OpenWRT on Debian
CPU type: 64-bit x86 instruction set (Note: the firmware contradicts the email found on SG-02, which orders ARM Cortex A9 CPUs)
Web Framework: Express framework for Node.js

4) What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?

Database engine: MongoDB
Password: SittingOnAShelf

root@kali:/mnt/fs/etc# cat hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# LOUISE: NorthAmerica build
52.2.229.189 supergnome1.atnascorp.com sg1.atnascorp.com supergnome.atnascorp.com sg.atnascorp.com


Part 3: Egnomeration

I managed to present Jessica with most of my initial findings before she stole my punch line. Jessica asked, "North America? SG1? How many of these things are there? I think we are going global." Each word ascended in tone and excitement. I do not think an interruption has ever been as abrupt and polite as her delivery. I figured that she would be threatened or intimidated by the magnitude of the situation, but it didn't even faze her; it just seemed to validate their curiosity. She asked me if I had more to go on. I said not yet, that I wanted to share the scope early. She seemed pleased with my progress and suggested that I should talk to Dan.

I do not know if she was dropping a hint because she was already a step ahead of me, or her enunciation of W's is weak, but I heard her say 'Shodan.' I flipped open my laptop, browsed to Shodan and searched for the IP address from the hosts file.

Figure 7 Using Shodan to identify the SuperGnomes

The result included a unique header field value for X-Powered-By, 'GIYH::SuperGnome.' Modifying my search to use the custom header resulted in identifying a total of five SuperGnomes. The Dosis kids had hit the nail on the head; this thing was global. Josh heard Jessica yell in excitement about our discovery and came in to check out what we had found. I told them I would keep digging; I had source code to go through. I figured that getting that code running would be nothing but helpful, so there were my plans for the evening. Brittney was probably tired of me squatting in her shop so I decided to grab some sushi. Bite-size food goes well with source code analysis.


5) What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood?

SG-01: 52.2.229.189
SG-02: 52.34.3.80
SG-03: 52.64.191.71
SG-04: 52.192.152.132
SG-05: 54.233.105.81

6) Where is each SuperGnome located geographically?

SG-01: Ashburn, USA
SG-02: Boardman, USA
SG-03: Sydney, Australia
SG-04: Tokyo, Japan
SG-05: Brazil


Part 4: Gnomesploitation

Due to the urgency of this engagement, my testing was not as exhaustive nor as comprehensive as I like it to be. Nor legal, for that matter. Normally, for a web application, I like to run through the OWASP Testing Guide Version 4. It helps keep me thorough, and now and again a test you thought superfluous for a specific engagement leads to a fascinating rabbit hole. Anyway, I didn't have enough time for that. As helpful as the Dosis kids were, there was a lot of work to accomplish in a couple of weeks. And while I was comfortable donning a gray hat for the greater good, it didn't seem right to ask a couple of minors, nor to go after parental consent for that. The credentials from the firmware's database worked on three of the five SuperGnomes. Password re-use--easing exploitation since the dawn of time. Looking at the differences in configurations on the SuperGnomes (see Appendix B: GnomeNET), I knew that there was not one exploit to rule them all. I knew the easiest way to score access to what I needed was to use the bounty of the firmware, which included a version of the GnomeNET source code as well as the source for an 'SGnet' service. So I focused on standing up a Virtual Machine (VM) to serve up the GnomeNET code. Once I had that running, I started to focus on identifying vulnerabilities in the source code. Based on the running configuration of each SuperGnome, I should be able to figure out how to exploit what, where. That was the hope anyway. I was poring over the code. It was lean and mean and garnered my respect for Node.js. I like things simple. But simple wasn't helping me identify the vulnerabilities. I banged my head against the proxy for quite a while trying to circumvent the upload filter and get a shell or something greedy like that. Pretty embarrassing for a Forensic Investigator, but I was always more of an administrator than a code review monkey. Slow as I am, I was starting to do the math.

I stopped trying for excessive pwnage and stuck to the task at hand: accessing a file that I was denied access to. I noticed that there was one eval() call--that should be low-hanging fruit. Then it started to click; everything that should have been exploitable included calls to unsanitized user input, in the form of 'req.body.x' or 'req.query.x', where 'x' represents the user-supplied field. My first attack, after profiling SG-01, was SG-04, since it allowed for the upload of files and the execution of the eval() function. I stayed pretty thick-headed, trying to inject into postproc()'s first parameter, but that was getting filtered by not being a valid post-process type. I put my access to the source code to good use, modified the function in my local GnomeNET instance to output some debug statements, and realized that the entire function call is the syntax. So I replaced 'postproc("timestamp", file)' with the file read syntax, largely gleaned from an article that Josh pointed me to. And there it was: access to files. From there, things got easier. For a while at least. After getting access to SG-04 I knew how to work the rest of the SuperGnomes, leveraging the source code and my local instance of GnomeNET to attack them as effectively as possible. That would help reduce my traffic in case they were monitoring. SG-03 folded like a cheap suit when I submitted the login as a JSON object. SG-02 certainly took effort to piece together a more complicated attack; lack of input sanitization allowed me to use path traversal


and local file inclusion to bypass a simplistic filter and access protected files. But it was within my wheelhouse. I had the source of the SGnet service that I knew to be running on port 4242 of SG-05. But I know my limitations, and exploit development is one of them. Of course, I like to test my limits. I got Sulley running, compiled the code and took a crack at identifying a buffer overflow. It did not go well. I was hoping for strcpy, strcat or memcpy for an easy win, but that didn't pan out. Attribution was still on the line, and I knew from reading the GnomeNET posts that I needed to access five images to subtract from another image. I also knew that we only had three days to stop this heist from going off. I hoped that four would be enough, especially when we factored in the emails. Too bad the kids could not point me to someone proficient with graphics, because the Gimp was living up to its name under my efforts. I rushed back to tell the kids we were making progress and that I had artifacts for them to review. I made a mental note to swing by and thank Josh for putting me on the right track [1]. Probably owed him some sake, or another candy cane.

7) Please describe the vulnerabilities you discovered in the Gnome firmware.

See Appendix A: Gnome in Your Home Vulnerability Assessment.

8) Describe the technique you used to gain access to each SuperGnome's gnome.conf file.

Table 1 Exploit Techniques

SuperGnome | Exploit | Serial Number | Reference
SG-01 | Default credentials | NCC1701 | Star Trek, USS Enterprise
SG-02 | Path traversal, local file include | XKCD988 | Reference to the 'Tradition' comic of XKCD
SG-03 | NoSQL injection | THX1138 | George Lucas' directorial debut
SG-04 | Server-side JavaScript injection | BU22_1729_2716057 | Reference to Futurama's Bender's full name: Bending Unit 22, unit number 1729, serial number 2716057

Exploitation details are documented in Appendix A: Gnome in Your Home Vulnerability Assessment, Attack Narrative.

[1] https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf


Part 5: A Gnoming Threat

Each of the SuperGnomes that I managed to compromise included evidence of a plan to not just violate privacy but also steal Christmas. By the time I had artifacts from four SuperGnomes I was convinced that I had a complete picture of ATNAS Corporation's plan and determined that the CEO was behind the entire Gnome in Your Home conspiracy. Each of the compromised boxes included zip files of packet captures that contained emails (Appendix D: Attribution). Opening each capture file in Wireshark and following the TCP stream revealed the emails. SG-01 held an email from '[email protected]', signed as 'C', with an attachment that contained an image of the Gnome in Your Home architecture. After the effort it took to extract the image from Josh's Gnome traffic capture, I appreciated the simplicity of being able to copy-and-paste the base-64 attachment and directly decode it without any additional shenanigans. Anyway, the email was in regards to hiring an architect for "a distributed surveillance system." SG-02 contained an email, from '[email protected]' and signed as 'CW', ordering two million units of each component. While the referenced hardware listing does not exactly align with the information gathered from the Dosis-provided firmware, it is close enough to suspect that, aside from the CPU disconnect (we should have seen an ARM build), the order is for the GIYH components. An email found on SG-03, from '[email protected]' and signed as CLW, revealed the goal of the plot, emailed to '[email protected]' [sic], emphasis added:

"On the morning of December 24, 2015, each individual burglar on this email list will receive a detailed itinerary of specific houses and an inventory of items to steal from each house, along with still photos of where to locate each item."

SG-04 contains an email, from '[email protected]' signed as ‘Cindy Lou Who,’ to a Who-ville psychiatrist that summarizes the entire operation:

"Using the latest technology and a distributed channel of burglars, we'd rob 2 million houses, grabbing their most precious gifts, and selling them on the open market."

Cindy Lou Who appears to be a little cuckoo. She writes about being psychologically scarred from a childhood event that has resulted in her becoming that which formed her and repeating the plot. You become what you fear the most, right? Psychology is outside of the scope of this engagement, so I will refrain from speculation. In order to determine the face of Cindy Lou Who, I explored another weakness of mine: image processing. The GnomeNET message stated that:

"Each cam is directed to a different SG, so each SG has one of the 5 stills I manually snagged. I named them 'factory_cam_#.png' and pushed them up to the files menu. 'camera_feed_overlap_error.png' has that garbled image."

I had the 'camera_feed_overlap_error.png' and four of the factory images. I was not able to get a clear enough picture using Gimp and the kids didn't have any suggestions.


I knew I was on the right path, just coming up empty. At a loss, I started over and revisited GnomeNET. There was the answer, in front of me the whole time, trying to save me from a wild goose chase: "Looks like each pixel is XORed... It's going to be a lot of work to fix this." I sure made it take a lot of work. Google pointed me to the ultimate open source documentation site--Stackoverflow.com--which suggested using ImageMagick [2]. I spun up an instance of Ubuntu, installed ImageMagick and converted the images sequentially, stripping one layer at a time. I got distracted, holding down right-arrow and making a flip book out of the image progression while I waited for the final layer to process.

Figure 8 XORing the layered images to reveal the CEO

Magick indeed. Cindy Lou Who, that's who. I am not certain why a picture is more damning than the emails, but there you have it. I knew that a black background for a terminal session was a terrible thing to include in my report and I made a note to change it before delivery. The more pressing issue was to head to the Counter Hack data center and make certain that they were filtering the SuperGnome traffic, and just to be safe, any other IP address that fell under ATNAS Corporation.
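The layer stripping itself, re-implemented in pure Python as an added example (not the ImageMagick invocation the author used): a minimal binary PGM reader and writer plus a pixel-wise XOR over any number of same-size stills. The 8x8 "hidden" picture and the five factory_cam layers are constructed from a seeded generator to stand in for the real files, and the assumption that the overlap image is every layer XORed together follows the GnomeNET post quoted above.

```python
import random
from typing import List, Tuple


def parse_pgm(data: bytes) -> Tuple[int, int, bytes]:
    """Parse a binary (P5) 8-bit PGM. Header comments beginning with '#' are skipped."""
    tokens: List[bytes] = []
    pos = 0
    while len(tokens) < 4:  # magic, width, height, maxval
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated PGM header")
        if data[pos:pos + 1] == b"#":
            while pos < len(data) and data[pos:pos + 1] not in (b"\n", b"\r"):
                pos += 1
            continue
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace():
            pos += 1
        tokens.append(data[start:pos])
    if tokens[0] != b"P5":
        raise ValueError("not a binary PGM (expected P5)")
    width, height, maxval = (int(t) for t in tokens[1:])
    if maxval != 255:
        raise ValueError("only 8-bit PGM is supported")
    pos += 1  # exactly one whitespace byte separates maxval from the raster
    pixels = data[pos:pos + width * height]
    if len(pixels) != width * height:
        raise ValueError("raster shorter than width*height")
    return width, height, pixels


def build_pgm(width: int, height: int, pixels: bytes) -> bytes:
    return b"P5\n%d %d\n255\n" % (width, height) + bytes(pixels)


def xor_layers(images: List[bytes]) -> bytes:
    """XOR any number of PGM images pixel by pixel; all must share one size."""
    width, height, first = parse_pgm(images[0])
    acc = bytearray(first)
    for img in images[1:]:
        w, h, px = parse_pgm(img)
        if (w, h) != (width, height):
            raise ValueError("dimension mismatch: %dx%d vs %dx%d" % (w, h, width, height))
        for i, b in enumerate(px):
            acc[i] ^= b
    return build_pgm(width, height, bytes(acc))


# --- constructed sample data standing in for the real stills ---
SIZE = 8


def hidden_image() -> bytes:
    """A simple diagonal line: the picture the overlap error is meant to hide."""
    px = bytes(255 if x == y else 0 for y in range(SIZE) for x in range(SIZE))
    return build_pgm(SIZE, SIZE, px)


def factory_cams(count: int = 5, seed: int = 2015) -> List[bytes]:
    """Deterministic noise layers, one per factory_cam_#.png."""
    rng = random.Random(seed)
    return [build_pgm(SIZE, SIZE, bytes(rng.randrange(256) for _ in range(SIZE * SIZE)))
            for _ in range(count)]


def overlap_error(hidden: bytes, cams: List[bytes]) -> bytes:
    """camera_feed_overlap_error.png as assumed here: every layer XORed together."""
    return xor_layers([hidden] + cams)


if __name__ == "__main__":
    h, cams = hidden_image(), factory_cams()
    err = overlap_error(h, cams)
    print("all five stills stripped, picture recovered:", xor_layers([err] + cams) == h)
    print("only four stripped, picture recovered:", xor_layers([err] + cams[:4]) == h)
```

Real PNG stills can be turned into 8-bit grayscale PGM with ImageMagick (`convert still.png -colorspace Gray -depth 8 still.pgm`) before being passed to xor_layers.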

9) Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?

Email recovered from SG-04, dated 3 Dec 2015 13:38:15 -0500, signed Cindy Lou Who, from [email protected]:

"Using the latest technology and a distributed channel of burglars, we'd rob 2 million houses, grabbing their most precious gifts, and selling them on the open market."

[2] http://stackoverflow.com/questions/8504882/searching-for-a-way-to-do-bitwise-xor-on-images


10) Who is the villain behind the nefarious plot?

Figure 9 Cindy Lou Who

Figure 10 Cindy Lou Who's Nameplate


Conclusion

Inside the Counter Hack data center, things got a little Nintendo as I turned my navigation into a Konami Code--Up, Up, Down, Down, Right, Down, Left, Right, Left, Right. Defense in depth is great, security through obscurity has purpose, but convoluted floor plans just seem like a safety hazard. I managed to get to the server room and was a little surprised to see those ugly dangling candy cane legs that are everywhere. The last place I would expect to find another Gnome was a server room. And while the individual with the Gnome had authorization to be there, I do not think that authorization factored in his intent. Ed was going to be seriously disappointed. On the bright side, I had managed to find his intern.

The intern turned out to be very forthcoming. He was not aware of the details of the plan, nor even what his role was. We are going to have to evaluate the Gnome that he was trying to plant in the data center to see if it had another purpose. It did not seem likely that it was part of the holiday gift heist. In any event, Ed needed to know what was going on.

Ed was surprised that his intern was trying to plant a Gnome in the data center. I filled him in on the Gnome in Your Home conspiracy and Cindy Lou Who's grand plan to destroy Christmas and get rich in the process. I filled the Dosis family in as well. Duke and Ed asked me to write up everything that I had to help the authorities with their investigation and assure prosecution. Everyone seemed happy that we still had a few days to notify the authorities and stop the DTOG attack--Distributed Theft of Good, well, gifts in this case. I wasn't happy yet. I knew that SG-05 still eluded me. I knew that the SGnet code was susceptible to a buffer overflow and I just did not have the skill to crack it. Fortunately, Ed was looking to help me out with that.


Appendix A: Gnome in Your Home Vulnerability Assessment

Executive Summary

Mung Investigative Forensics Detectives (MIFD) was contacted by Duke Dosis to assist his family with a forensic analysis of a toy. While this toy, ATNAS Corporation's Gnome in Your Home (GIYH), was not marketed as a consumer electronics device, the Dosis family had determined that it was generating wireless network traffic. The Dosis family sought to understand the nature of the GIYH. MIFD was able to interpret the network activity of the GIYH and determined that the traffic established an internet connection in order to communicate with a server. The GIYH appeared to be a command and control (C&C) device. Analysis of the firmware of the GIYH determined that there was a web interface, titled GnomeNET, that supported different modes. One of the modes was that of a 'SuperGnome', which appears to be a centralized server role supporting the C&C operations. The firmware also included source code for an 'SGnet' service, written in C and hosted on a SuperGnome using port 4242.

Table 2 Vulnerability Ratings Count

Critical: 1  High: 5  Medium: 2  Low: 1

Analysis of the GnomeNET application identified numerous vulnerabilities, detailed below and summarized in Table 2 Vulnerability Ratings Count and Figure 11 Vulnerability Rating Percentages, the majority of which introduce high risk to GnomeNET. As illustrated in Figure 12 Vulnerability Ratings by Category, a lack of input validation introduces the greatest risk to the GnomeNET system, accounting for the majority of the vulnerabilities. Defining coding standards and requiring peer reviews of code should be implemented immediately to start maturing the GnomeNET code base. While all but one of the reported vulnerabilities were confirmed through exploitation, this report will not aggregate vulnerabilities and assign risks. This is due to the time restrictions imposed by reporting findings as early as possible in order to thwart ATNAS Corporation's planned Christmas heist, and the fact that ATNAS Corporation will not be in a position to manage risks. Details of the plan and attribution are included in Part 5: A Gnoming Threat of this report. Recognizing the dire consequences of delaying delivery of this report, not all tests that were performed are acknowledged or included as evidence (see Attack Narrative below).

Figure 11 Vulnerability Rating Percentages

Figure 12 Vulnerability Ratings by Category

During the testing of the GIYH product, MIFD did witness evidence of misconfiguration and system functionality that indicates the presence of an Advanced Persistent Threat (APT) and believes this functionality to be deliberate. MIFD proceeded to exploit vulnerabilities without the permission of ATNAS Corporation due to the circumstances of the engagement and a sense of urgency. Considering that the initial scope of work was a vulnerability assessment, a separate write-up will be used to support the authorities' investigation into ATNAS Corporation [3].

[3] TODO: Put this in the cover letter - This report is not up to par with how MIFD generally works, but we have never uncovered a global conspiracy. Not that that is an excuse for cutting corners, but MIFD is one resource and I elected to focus on helping the greater good by donning my gray hat. Consequently, this report is being delivered although it is incomplete.


Methodology

[TODO: Insert MIFD's OWASP/PTES methodology] [TODO: Insert MIFD's white box methodology]

Attack Narrative

Each of the five identified SuperGnome servers shared a common attack surface (see Figure 13: GnomeNET Attack Surface). Over the course of the engagement, MIFD suspects that a change was made to SG-05, as we were initially able to authenticate with the default firmware credentials. However, later in the engagement, the default credentials failed to authenticate us as admin on 'SG-05'. This is of note in that SG-05 does have a different configuration than the other SuperGnome servers: it is running the SGnet service (port 4242). Consequently, Appendix B: GnomeNET contains a site map of SG-05, even though access was subsequently denied and exploitation of the SGnet service was not successful.

Figure 13: GnomeNET Attack Surface

SG-01

SG-01 was exploited through testing for weak password policy (OTG-AUTHN-007) [4]. Access was granted using the credentials discovered during system enumeration of the firmware.

[4] https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)


Figure 14 SG-01: Gnome Serial Number

SG-02

Reviewing the source code, we could see that the 'settings upload' handler allows for the creation of a directory. The source code of the 'cam' handler shows that the 'camera' parameter is assumed to be a file ending in '.png' and assumed to exist in the './public/images' directory. The SuperGnomes are not running this code; they are running the code prior to Stuart's change. This was verified by testing whether a camera name containing '.png' somewhere other than at the end still had '.png' appended; it did not.

Figure 15 Unsanitized user input allowing Local File Inclusion


Figure 16 SG-02: Creating a directory with '.png' for filter evasion

Figure 17 SG-02: Filter evasion directory created

We now have a directory that includes '.png' so that it is not appended to the camera name.

Table 3 SG-02: Directory Traversal

Filter evasion directory: /gnome/www/public/upload/eOOhZRtd/../derp.png/

Location of target: /gnome/www/files/gnome.conf

Base camera directory: /gnome/www/public/images/

Attack string: ../upload/eOOhZRtd/../derp.png/../../../files/gnome.conf

By combining our path traversal with local file inclusion, we are able to bypass the poorly implemented '.png' requirements and obtain access to gnome.conf:

http://52.34.3.80/cam?camera=../upload/eOOhZRtd/../derp.png/../../../files/gnome.conf


Figure 18 SG-02: Gnome Serial Number

SG-03

The default admin credential was not valid on SG-03. Without authentication, and with no direct browsing available, SQL injection, or NoSQL injection as the case may be, presented the most likely attack vector. Using the locally running instance of the firmware allowed us to observe how commands were executed. The Node console displays requests and whatever is written via the console.log() function. However, this failed to show exactly what was being passed to MongoDB. Enabling MongoDB profiling allows inspection of the actual query statements.

Figure 19 Querying MongoDB for executed queries

This showed that our parameters were wrapped in double quotes and that double quotes were being escaped. While we could eliminate the leading quote, inline and block comments did not stop the trailing quote from breaking our attack. Revisiting the code, it appeared that passing an object might work. Node.js/Monk escape our call to MongoDB, but they do not validate the input to ensure that a string, and not an object, is being submitted. This allows us to submit an object and use Mongo's operators instead of being constrained to a string value. Even though 'application/json' was not listed as an accepted type for HTTP requests, formatting our POST as JSON successfully logged us in. This was accomplished using Burp's Repeater functionality, which simplifies modifying and repeating HTTP requests. The initial attack that was successful specified a username greater than an empty string (username : {"$gt" : ""}). Since the call uses the MongoDB findOne method, it retrieves the first record that meets the specified criteria. In this case, the username of the first record was 'user', a low-privileged account. By modifying our object to specify a username that is not 'user' (username : {"$ne" : "user"}) or a username equal to 'admin' (username : {"$eq" : "admin"}) we were authenticated as admin.


Figure 20 SG-03: NoSQL Injection using JSON object

Since there is a redirect following successful authentication (and a new ‘sessionid’ is issued--as it should be), and we initially exploited using Burp Repeater, we modified our browser's session cookie for SG-03 and were able to directly access the files.

Figure 21 SG-03: Gnome Serial Number


SG-04

SG-04 is configured to allow file uploads. The functionality assumes image files and allows post-processing. The post-processing variable is populated through unsanitized user input and passed to the eval() function, which executes Javascript code.

Figure 22 SG-04: Unsanitized user input passed to Javascript eval() function

Replacing the postproc() function in the HTTP request allows for Server-Side Javascript (SSJS) injection.

Figure 23 postproc_syntax allowing for SSJS injection


Replacing the postproc_syntax (the postproc request content), a user-supplied variable that is evaluated without validation, allows for Server-Side Script Injection.

Figure 24 SG-04: SSJS injection to retrieve gnome.conf

Figure 25 SG-04: Gnome Serial Number

In order to retrieve the binary files, the request was modified to convert the files to Base-64:

require('fs').readFileSync('./files/factory_cam_4.zip').toString('base64')

Figure 26 SG-04: Extracting binary files with SSJS

SG-05

SG-05 is running an SGnet service on port 4242. There is a buffer overflow in there, probably related to the unallocated *buf pointer.

Vulnerabilities

Note that the 'Asset' describes which system(s) the vulnerability was exploited against. Since each of the five SuperGnomes had a consistent code base (all five servers showed settings that referenced a configuration file named 'sg.01.v1339.cfg'), it is assumed that, even though different functionality is enabled or disabled on each, every asset would be vulnerable to the reported vulnerabilities. OWASP Vulnerability Categories were used to categorize documented vulnerabilities [5]. Common Vulnerability Scoring System v3 was used to score identified vulnerabilities [6]. Since the value of assets is not known, and recognizing that the software is custom written, vulnerability metrics associated with Temporal and Environmental scores were not factored into the vulnerability scoring. For the sake of space, the metrics have been abbreviated and presented using the CVSS Vector String notation. Each vulnerability was scored against the following metrics that comprise the Base Score:

Attack Vector (AV) - Indicates whether exploitation requires network access (Network (N)), is bound to a network stack constraint such as wireless or a subnet (Adjacent (A)), or requires local read/write/execute access (Local (L)) or physical access (Physical (P))

Attack Complexity (AC) - Attack conditions that must exist for exploitation. Values are: Low (L), High (H)

Privileges Required (PR) - Indicates whether no authentication is required (None (N)), a user account or other non-administrative account (Low (L)), or an administrative account (High (H)) is required for exploitation

User Interaction (UI) - Indicates whether non-attacker user interaction is Required (R) or not (None (N))

Scope (S) - Whether only the vulnerable component is affected (Unchanged (U)) or an external component is affected (Changed (C))

Confidentiality (C), Integrity (I) and Availability (A) are scored as either None (N), Low (L) or High (H) to estimate the impact to each of these metrics. References to OWASP Testing Guide Version 4 [7] tests have been included with each vulnerability to provide additional detail for testing and remediation of vulnerabilities.

[5] https://www.owasp.org/index.php/Category:Vulnerability

[6] https://www.first.org/cvss

[7] https://www.owasp.org/index.php/OWASP_Testing_Project


Code Quality

Buffer Overflow
Rating: High  Score: 8.1  Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  Asset: SG-05

Vulnerability: Source code analysis of the SGnet service suggests that a buffer overflow attack is possible against port 4242 of SG-05. This was not successfully exploited.

Recommendation: The vulnerability was not successfully exploited. One aspect of remediation would be to explicitly allocate memory to the 'buf' pointer found in the 'sgnet.c' file. References: Testing for Buffer overflow (OTG-INPVAL-014)

Access to Deprecated/Unused Functionality
Rating: Medium  Score: 5.3  Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  Asset: SG-02

Vulnerability: Access to the source code revealed a handler, '/cam', which is not reached through running code or system functionality. The /cam handler does not sanitize user inputs and allows for path traversal and local file inclusion, exposing all files that the current user has access to.

Recommendation: A configuration review should have been performed to eliminate the unreferenced source code (the /cam handler). Version control should be used to manage source code so that deprecated/unused functionality is not available to users. This serves to ensure that the proper configuration is deployed and that the attack surface is minimized to necessary functionality. References: Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004), Test Application Platform Configuration (OTG-CONFIG-002)

Input Validation

Lack of Input Validation
Rating: Critical  Score: 9.8  Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  Asset: GnomeNET

Vulnerability: The GnomeNET application generally fails to validate and constrain user inputs.

Recommendation: Input validation should be enforced server-side as well as client-side to ensure that values are provided in the expected format. Inputs should be constrained to valid data types to reduce the likelihood of deserialization/conversion exploits. Additionally, decoding of inputs should be context sensitive to the layer that the value is intended for. Input values should be whitelisted to ensure that only valid contents are processed. References: Testing Directory traversal/file include (OTG-AUTHZ-001), Testing for HTTP Parameter pollution (OTG-INPVAL-004)

Server-Side Javascript Injection
Rating: High  Score: 8.8  Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N  Asset: SG-04

Vulnerability: The file upload functionality includes post-processing functionality for images that expects a client-side formatted function string. This post-processing function does not sanitize the user input and executes the contents through an eval() call, which processes the string as Javascript. This permits the user to execute any valid call.

Recommendation: Dangerous functions that permit dynamic code execution should be avoided where possible, in favour of explicit functions that directly correlate to the intended behavior. If business need requires such functionality, whitelisting should be implemented where possible to restrict valid actions. Account permissions should be configured for least privilege to further mitigate exposure. References: Testing for HTTP Parameter pollution (OTG-INPVAL-004), Testing for Code Injection (OTG-INPVAL-012), Testing for Command Injection (OTG-INPVAL-013)
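The recommendation above (and the SG-04 attack narrative), as an added example that is not GnomeNET code: the eval()-based post-processing beside a dispatcher that only runs whitelisted operations. The operation names and the "name(arg)" shape of postproc_syntax are assumptions for illustration.

```javascript
// Added example (not GnomeNET code): image post-processing driven by a
// client-supplied string, the vulnerable way and the whitelisted way.
// The operation names and the "name(arg)" syntax are assumptions.

// Vulnerable pattern: whatever the client sent is executed as JavaScript,
// which is what let the report read gnome.conf and the zip files off SG-04.
function vulnerablePostproc(postprocSyntax) {
  return eval(postprocSyntax); // eslint-disable-line no-eval
}

// Whitelisted operations. Each takes an image descriptor and one integer
// argument and returns a new descriptor; nothing else is callable.
const OPERATIONS = {
  rotate: (image, deg) =>
    Object.assign({}, image, { rotation: (((image.rotation + deg) % 360) + 360) % 360 }),
  scale: (image, pct) =>
    Object.assign({}, image, {
      width: Math.round((image.width * pct) / 100),
      height: Math.round((image.height * pct) / 100),
    }),
};

// Accept only "<name>(<integer>)" where <name> is an own key of OPERATIONS.
// Anything else (including prototype names like "constructor") is refused
// rather than interpreted; the caller gets null and should reject the request.
const SYNTAX = /^([a-z]+)\((-?\d{1,4})\)$/;
function safePostproc(postprocSyntax, image) {
  if (typeof postprocSyntax !== 'string') return null;
  const m = SYNTAX.exec(postprocSyntax);
  if (!m || !Object.prototype.hasOwnProperty.call(OPERATIONS, m[1])) return null;
  return OPERATIONS[m[1]](image, Number(m[2]));
}
```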

NoSQL Injection
Rating: High  Score: 7.5  Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  Asset: SG-03

Vulnerability: By submitting an object to the login page, NoSQL injection attacks providing read access to the MongoDB database were successful. The injection allows authentication to be bypassed, letting an attacker log in to the system.

Recommendation: User input should be explicitly converted to a string to ensure that escaping of contents is performed. Two calls should be made to authenticate a user: one call to validate the username and another call to validate the user's password. References: Testing for NoSQL Injection (OTG-INPVAL-006)
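The recommendation above, together with the SG-03 attack narrative, as an added example that is not GnomeNET or Monk code: a small matcher for the three MongoDB operators the report used, an in-memory findOne, the login that passes the JSON body straight through, and a login that forces strings and checks username and password in two steps. The user documents are constructed.

```javascript
// Added example (not GnomeNET/Monk code): why findOne({username: body.username,
// password: body.password}) matches the first document when the body is JSON,
// and the two-step string-only login the report recommends instead.

// Constructed sample documents, not the real GnomeNET database.
const USERS = [
  { username: 'user', password: 'user-password-constructed' },
  { username: 'admin', password: 'admin-password-constructed' },
];

// One field criterion as MongoDB evaluates it: a plain value means equality,
// an object means operators. Only the operators the report used are modelled.
function fieldMatches(value, criterion) {
  if (criterion === null || typeof criterion !== 'object') return value === criterion;
  return Object.keys(criterion).every((op) => {
    const arg = criterion[op];
    switch (op) {
      case '$eq': return value === arg;
      case '$ne': return value !== arg;
      case '$gt': return value > arg;
      default: throw new Error('operator not modelled: ' + op);
    }
  });
}

// findOne semantics: the first document satisfying every field of the query.
function findOne(docs, query) {
  const keys = Object.keys(query);
  return docs.find((d) => keys.every((k) => fieldMatches(d[k], query[k]))) || null;
}

// Vulnerable pattern: body values go straight into the query, so a JSON body
// can supply {"$gt": ""} or {"$ne": "user"} where a string was expected.
function vulnerableLogin(body) {
  return findOne(USERS, { username: body.username, password: body.password });
}

// Hardened: reject anything that is not a string, look the account up by
// username alone, then check the password as a separate step. (Stored
// passwords should also be salted and hashed, per the storage finding below.)
function hardenedLogin(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') return null;
  const user = findOne(USERS, { username: body.username });
  if (!user) return null;
  return user.password === body.password ? user : null;
}
```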

Directory Traversal/Local File Include
Rating: Medium  Score: 4.9  Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N  Asset: SG-02

Vulnerability: Failure to validate user inputs (filename in settings upload, camera parameter in the 'cam' handler) allows for successful directory traversal and access to local files.

Recommendation: Path and filenames should be validated separately. References: Testing Directory traversal/file include (OTG-AUTHZ-001)

Password Management

Default Credentials
Rating: High  Score: 8.1  Vector String: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N  Asset: SG-01, SG-02, SG-04

Vulnerability: Three of the five identified SuperGnomes used default credentials that were stored in plaintext within the GnomeNET database.

Recommendation: While the 15-character length of the password is acceptable, reuse of the password is not. A strong password policy should be implemented and enforced to prevent the use of default credentials. Alternatively, if default credentials are necessary to the system, additional authentication controls should be implemented. Password length and complexity should be enforced through technical controls. To identify password reuse, and further ensure password complexity, organizations may periodically attempt to crack passwords to determine the overall effectiveness of technical controls and administrative controls, such as user awareness training. References: Test Application Platform Configuration (OTG-CONFIG-002), Review Old, Backup and Unreferenced Files for Sensitive Information (OTG-CONFIG-004), Testing for default credentials (OTG-AUTHN-002), Testing for Weak password policy (OTG-AUTHN-007).

Password Plaintext Storage
Rating: High  Score: 7.1  Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N  Asset: GnomeNET

Vulnerability: Passwords are stored in a Mongo database as plaintext.

Recommendation: Sensitive information should be encrypted and passwords should be salted and hashed to ensure that compromise of components minimizes exposure and increases the time associated with compromise of sensitive information. References: Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)

Session Management

Cleartext Submission of Password
Rating: Low  Score: 3.1  Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N  Asset: GnomeNET

Vulnerability: Passwords submitted as cleartext over unencrypted connections are vulnerable to interception.

Recommendation: The application should use SSL/TLS to protect sensitive communications. References: Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)


Appendix B: GnomeNET

Burp Proxy History for the in-scope servers, represented as a MindMap using the Mapamajobber extension [8]. Vulnerable entry points are colored red.

[8] https://github.com/ginjabenjamin/Burp


Appendix C: Command and Control

Extract Script

#!/usr/bin/python
# Python 2 script (as written in 2015): 'print out' and str-based rdata below.
from scapy.all import *
import base64

pkts = rdpcap('giyh-capture.pcap')

write = 0
arg = open('gith.jpg', 'wb')

for x in pkts:
    if(x.haslayer(DNSRR)):
        # TXT rdata from scapy carries a leading length byte, hence [1:] below
        rdata = x[DNS][DNSRR].rdata

        # Look for the encoded 'FILE: ' prefix (base64 of 'FILE:' starts 'RklMRT')
        loc = rdata.find("RklMRT")

        # Decode string (skipping the length byte)
        out = base64.b64decode(rdata[1:])

        # Test for 'FILE:' prefix (loc is 1 when present, -1 when absent)
        if(loc > 0):
            # Contains 'FILE:' prefix, strip it
            out = out[5:]

            # Determine start of image packet (JFIF marker in the JPEG header)
            if(out.find('JFIF') > 0):
                # print ":".join("{:02x}".format(ord(c)) for c in out)
                write = 1

            # Part of the image; write to file
            if(write > 0):
                arg.write(out)
        else:
            # Not part of the file, assume command
            print out

arg.close()

Commands

EXEC:iwconfig
EXEC:START_STATE
EXEC:wlan0 IEEE 802.11abgn ESSID:"DosisHome-Guest"
EXEC: Mode:Managed Frequency:2.412 GHz Cell: 7A:B3:B6:5E:A4:3F
EXEC: Tx-Power=20 dBm
EXEC: Retry short limit:7 RTS thr:off Fragment thr:off
EXEC: Encryption key:off
EXEC: Power Management:off
EXEC:
EXEC:lo no wireless extensions.
EXEC:
EXEC:eth0 no wireless extensions.
EXEC:STOP_STATE
EXEC:cat /tmp/iwlistscan.txt
EXEC:START_STATE
EXEC:wlan0 Scan completed :
EXEC: Cell 01 - Address: 00:7F:28:35:9A:C7
EXEC: Channel:1
EXEC: Frequency:2.412 GHz (Channel 1)
EXEC: Quality=29/70 Signal level=-81 dBm
EXEC: Encryption key:on
EXEC: ESSID:"CHC"
EXEC: Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
EXEC: 9 Mb/s; 12 Mb/s; 18 Mb/s
EXEC: Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
EXEC: Mode:Master
EXEC: Extra:tsf=000000412e67cddf
EXEC: Extra: Last beacon: 5408ms ago
EXEC: IE: Unknown: 00055837335A36
EXEC: IE: Unknown: 010882848B960C121824
EXEC: IE: Unknown: 030101
EXEC: IE: Unknown: 200100
EXEC: IE: IEEE 802.11i/WPA2 Version 1
EXEC: Group Cipher : CCMP
EXEC: Pairwise Ciphers (1) : CCMP
EXEC: Authentication Suites (1) : PSK
EXEC: IE: Unknown: 2A0100
EXEC: IE: Unknown: 32043048606C
EXEC: IE: Unknown: DD180050F2020101040003A4000027A4000042435E0062322F00
EXEC: IE: Unknown: 2D1A8C131BFFFF000000000000000000000000000000000000000000
EXEC: IE: Unknown: 3D1601080800000000000000000000000000000000000000
EXEC: IE: Unknown: DD0900037F01010000FF7F
EXEC: IE: Unknown: DD0A00037F04010000000000
EXEC: IE: Unknown: 0706555320010B1B
EXEC: Cell 02 - Address: 48:5D:36:08:68:DC
EXEC: Channel:6
EXEC: Frequency:2.412 GHz (Channel 1)
EXEC: Quality=59/70 Signal level=-51 dBm
EXEC: Encryption key:on
EXEC: ESSID:"DosisHome"
EXEC: Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
EXEC: 24 Mb/s; 36 Mb/s; 54 Mb/s
EXEC: Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
EXEC: Mode:Master
EXEC: Extra:tsf=00000021701d828b
EXEC: Extra: Last beacon: 4532ms ago
EXEC: IE: Unknown: 000F736F6D657468696E67636C65766572
EXEC: IE: Unknown: 010882848B962430486C
EXEC: IE: Unknown: 030106
EXEC: IE: Unknown: 0706555320010B1E
EXEC: IE: Unknown: 2A0100
EXEC: IE: Unknown: 2F0100
EXEC: IE: IEEE 802.11i/WPA2 Version 1
EXEC: Group Cipher : CCMP
EXEC: Pairwise Ciphers (1) : CCMP
EXEC: Authentication Suites (1) : PSK
EXEC: Cell 03 - Address: 48:5D:36:08:68:DD
EXEC: Channel:6
EXEC: Frequency:2.412 GHz (Channel 1)
EXEC: Quality=62/70 Signal level=-49 dBm
EXEC: Encryption key:off
EXEC: ESSID:"DosisHome-Guest"
EXEC: Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
EXEC: 24 Mb/s; 36 Mb/s; 54 Mb/s
EXEC: Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
EXEC: Mode:Master
EXEC: Extra:tsf=00000021701d8913
EXEC: Extra: Last beacon: 5936ms ago
EXEC: IE: Unknown: 000F736F6D657468696E67636C65766572
EXEC: IE: Unknown: 010882848B962430486C
EXEC: IE: Unknown: 030106
EXEC: IE: Unknown: 0706555320010B1E
EXEC: IE: Unknown: 2A0100
EXEC: IE: Unknown: 2F0100
EXEC:STOP_STATE


Appendix D: Attribution

Each of the SuperGnomes contained two artifacts that assisted with attribution:

1. A dated zip file containing a packet capture which included an email. Each of these emails is from '[email protected]' and ultimately discloses the CEO's name and nefarious plot.

2. Factory camera images included in a zip file, uploaded in response to a layering issue that was described in the GnomeNET messages.

Note that for the sake of space, newlines and extraneous headers have been removed from the emails.

SG-01 20141226101055.zip > 20141226101055_1.pcap

JoJo, As you know, I hired you because you are the best architect in town for a distributed surveillance system to satisfy our rather unique business requirements. We have less than a year from today to get our final plans in place. Our schedule is aggressive, but realistic.


I've sketched out the overall Gnome in Your Home architecture in the diagram attached below. Please add in protocol details and other technical specifications to complete the architectural plans. Remember: to achieve our goal, we must have the infrastructure scale to upwards of 2 million Gnomes. Once we solidify the architecture, you'll work with the hardware team to create device specs and we'll start procuring hardware in the February 2015 timeframe. I've also made significant progress on distribution deals with retailers. Thoughts? Looking forward to working with you on this project! -C

Figure 27 GIYH Architecture


SG-02 20150225093040.zip > 20150225093040_2.pcap

From: "c" <[email protected]>
To: <[email protected]>
Subject: =?us-ascii?Q?Large_Order_-_Immediate_Attention_Required?=
Date: Wed, 25 Feb 2015 09:30:39 -0500

Maratha, As a follow-up to our phone conversation, we'd like to proceed with an order of parts for our upcoming product line. We'll need two million of each of the following components:

+ Ambarella S2Lm IP Camera Processor System-on-Chip (with an ARM Cortex A9 CPU and Linux SDK)
+ ON Semiconductor AR0330: 3 MP 1/3" CMOS Digital Image Sensor
+ Atheros AR6233X Wi-Fi adapter
+ Texas Instruments TPS65053 switching power supply
+ Samsung K4B2G16460 2GB SSDR3 SDRAM
+ Samsung K9F1G08U0D 1GB NAND Flash

Given the volume of this purchase, we fully expect the 35% discount you mentioned during our phone discussion. If you cannot agree to this pricing, we'll place our order elsewhere. We need delivery of components to begin no later than April 1, 2015, with 250,000 units coming each week, with all of them arriving no later than June 1, 2015. Finally, as you know, this project requires the utmost secrecy. Tell NO ONE about our order, especially any nosy law enforcement authorities. Regards, -CW

SG-03 20151201113356.zip > 20151201113358_3.pcap

From: "c" <[email protected]>
To: <[email protected]>
Subject: All Systems Go for Dec 24, 2015
Date: Tue, 1 Dec 2015 11:33:56 -0500

My Burgling Friends,


Our long-running plan is nearly complete, and I'm writing to share the date when your thieving will commence! On the morning of December 24, 2015, each individual burglar on this email list will receive a detailed itinerary of specific houses and an inventory of items to steal from each house, along with still photos of where to locate each item. The message will also include a specific path optimized for you to hit your assigned houses quickly and efficiently the night of December 24, 2015 after dark. Further, we've selected the items to steal based on a detailed analysis of what commands the highest prices on the hot-items open market. I caution you - steal only the items included on the list. DO NOT waste time grabbing anything else from a house. There's no sense whatsoever grabbing crumbs too small for a mouse! As to the details of the plan, remember to wear the Santa suit we provided you, and bring the extra large bag for all your stolen goods. If any children observe you in their houses that night, remember to tell them that you are actually "Santy Claus", and that you need to send the specific items you are taking to your workshop for repair. Describe it in a very friendly manner, get the child a drink of water, pat him or her on the head, and send the little moppet back to bed. Then, finish the deed, and get out of there. It's all quite simple - go to each house, grab the loot, and return it to the designated drop-off area so we can resell it. And, above all, avoid Mount Crumpit! As we agreed, we'll split the proceeds from our sale 50-50 with each burglar. Oh, and I've heard that many of you are asking where the name ATNAS comes from. Why, it's reverse SANTA, of course. Instead of bringing presents on Christmas, we'll be stealing them! Thank you for your partnership in this endeavor. Signed: -CLW President and CEO of ATNAS Corporation

SG-04 20151203133815.zip > 20151203133818_4.pcap

From: "c" <[email protected]>
To: <[email protected]>
Subject: Answer To Your Question
Date: Thu, 3 Dec 2015 13:38:15 -0500

Dr. O'Malley,


In your recent email, you inquired: > When did you first notice your anxiety about the holiday season? Anxiety is hardly the word for it. It's a deep-seated hatred, Doctor. Before I get into details, please allow me to remind you that we operate under the strictest doctor-patient confidentiality agreement in the business. I have some very powerful lawyers whom I'd hate to invoke in the event of some leak on your part. I seek your help because you are the best psychiatrist in all of Who-ville. To answer your question directly, as a young child (I must have been no more than two), I experienced a life-changing interaction. Very late on Christmas Eve, I was awakened to find a grotesque green Who dressed in a tattered Santa Claus outfit, standing in my barren living room, attempting to shove our holiday tree up the chimney. My senses heightened, I put on my best little-girl innocent voice and asked him what he was doing. He explained that he was "Santy Claus" and needed to send the tree for repair. I instantly knew it was a lie, but I humored the old thief so I could escape to the safety of my bed. That horrifying interaction ruined Christmas for me that year, and I was terrified of the whole holiday season throughout my teen years. I later learned that the green Who was known as "the Grinch" and had lost his mind in the middle of a crime spree to steal Christmas presents. At the very moment of his criminal triumph, he had a pitiful change of heart and started playing all nicey-nice. What an amateur! When I became an adult, my fear of Christmas boiled into true hatred of the whole holiday season. I knew that I had to stop Christmas from coming. But how? I vowed to finish what the Grinch had started, but to do it at a far larger scale. Using the latest technology and a distributed channel of burglars, we'd rob 2 million houses, grabbing their most precious gifts, and selling them on the open market. We'll destroy Christmas as two million homes full of people all cry "BOO-HOO", and we'll turn a handy profit on the whole deal. Is this "wrong"? I simply don't care. I bear the bitter scars of the Grinch's malfeasance, and singing a little "Fahoo Fores" isn't gonna fix that! What is your advice, doctor? Signed, Cindy Lou Who