Category Archives: Research

Articles/Whitepapers

Undisclosed WordPress 2.0 Security Issues

I recently came across this security advisory and decided to find out what the undisclosed issues could be. I downloaded wordpress 2.0 to find these undisclosed issues. Why i am interested in wordpress 2.0 is a different story though. :)
It was trivial to figure out that this version has no protection against CSRF attacks. the file wp-admin/options-reading.php has a parameter posts_per_rss that seems to have been left unsanitized. It is possible to make an admin submit (via csrf) a malicious value of this paramter which will eventually result in a database error. However, the injections seems really difficult to exploit.

example:-http://192.168.1.183:80/apache2-default/wordpress/?feed=rss2

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2007-01-08 04:12:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 10'

As the injection point is after Limit and because of the Order By clause, i think it is not exploitable.
If you think it is indeed exploitable drop me an email now...

Logon Time Restrictions in a Domain in Windows Server 2003 allows Username Enumeration.

Windows Server 2003 can be configured to restrict the hours and days that a user may log on to a Windows Server 2003 domain. This could lead to username enumeration.

Issue:- Microsoft Windows Active Directory Username Enumeration

Criticality:- Less Critical

Impact:- Exposure of system information

Description:- It has been identified that the Microsoft windows Active
Directory contains a flaw that may lead to an unauthorized information
disclosure. The issue is triggered when the Windows Domain Controller
returns different error messages depending on if a valid username was
supplied via windows terminal services. This only happens for the
user accounts that have time restrictions set and when these accounts
are accessed during restricted time. This can be exploited to help
enumerate valid usernames resulting in a loss of confidentiality.

Vendors response:-
“We will NOT be issuing a security update for this issue.
It is likely that in a next version or service pack of the product we may consider making changes, but not before then”.

Screenshots:
1. Error returned When Account is Accessed at Restricted time
2. Error returned When Account is Accessed at Permitted time

——————————————
Advert: Download expert 000-101 questions, 000-102 study guide and 000-200 practice test to ensure your success in exams.

wordpress admin-ajax.php Sql Injection

Apologies for not posting anything on my blog for so long. I saw this wordpress exploit yesterday and its just awesome work by waraxe. Unlike my xmlrpc.php exploit this doesnot even need any privilidges and the exploit works fine. To me, it is yet another example of why magic_quote setting of php is not sufficient protection against SQL injections. Although, i have explained the wordpress cookie earlier as well, i am doing it once again.

If you dont wanna spend time cracking the md5, then this is what you need to do once you get the md5 hash of the admin password.

add the following 2 cookies in your browser before you visit the admin section of the website. I recommend using this firefox plugin
the name of the cookie if specific to the website and it has this pattern
wordpressuser_(unique suffix)
where (unique suffix) is md5 of the base url

Thus as pointed by waraxe for wordpress hosted at http://localhost/wordpress-2.1.3 the suffix become md5(‘http://localhost/wordpress.2.1.3′) =5a136e6377f39b00c76957953df945db
and thus the cookie will be wordpressuser_5a136e6377f39b00c76957953df945db

now add the value of this cookie which is the username for which you have obtained the hash.
add another cookie with the name wordpresspass_[same suffix as above] and the value as the md5 of the hash you obtained by the exploit and then u can login as that user.

example:
if hash obtained is 21232f297a57a5a743894a0e4a801fc3 (md5(‘admin’))
then the value will be c3284d0f94606de1fd2af172aba15bf3 (md5(‘21232f297a57a5a743894a0e4a801fc3′))

the two cookies will look like this then:
—————————————————————-
name:wordpressuser_5a136e6377f39b00c76957953df945db
value: admin

name:wordpresspass_5a136e6377f39b00c76957953df945db
value:c3284d0f94606de1fd2af172aba15bf3
—————————————————————-

Now enjoy the admin privilidges.

Ten Cents

Some information about MS-SQL server. You may find this info useful for exploiting SQL injection:

Finding Table Names
:
Donot use:- Select name from sysobjects where xtype=’U’
Use:- SELECT table_name FROM INFORMATION_SCHEMA.TABLES
[WHERE table_schema = ‘db_name’]
[WHERE|AND table_name LIKE ‘wild’]
The first query will only return the table names which belong to current databases, however, the second query will return the the table names from other databases as well to which the current user has access to.

Getting Current User
Use:-Select SYSTEM_USER
Someone pointed this out that Select user will return the owner of the current database which may differ from the current user. So, system-user is alwayas correct to use.

Brute Forcing ‘sa’ User’s Password
Use openrowset:-select null from openrowset(‘sqloledb’,”;’sa';'[password]’,’select 1;waitfor delay ”0:0:10” ‘)

When the password supplied is correct the query ‘select 1;waitfor delay ”0:0:10” ‘ will get executed. As i write this blog, i am just wondering if we can execute something like this:

select null from openrowset(‘sqloledb’,”;’sa';'[password]’,’exec master..xp_cmshell ”ping my_host”’). I will confirm this sometime later.

MySql default [insecure] installation in debian

i recently updated my MySql server and i am currently using the version.5.0.38-Debian_1-log If you ever wondered how MySql saves data on your hard disk, then this is best explained here. I will quote from the same website

“Each database is a directory, with each table stored in a separate set of files. For an individual table, the .frm file contains information about the table structure — effectively, an internal representation of the CREATE TABLE statement. The .MYD file contains the row data, and the .MYI contains any indexes belonging with this table, as well as some statistics about the table. The data file contains only row data, with minimal overhead.”

Thus if you can read these directories/files, you can get hold of the database/table names respectively.
ISSUE-1
I looked on my debian box and these files are located in /var/lib/mysql folder. This folder is owned by user mysql and belongs to group mysql. Surprisingly, by default the permissions on this folder is 755. Thus a normal user on the box can list files and directories in the folder /var/lib/mysql and get hold of all the database names,which the MySQL server stores on this host
. However, the database directories in this folder are properly locked which denies an unprivlidged user to get tables information for databases. Although, the database mysql itslef allows directory listing but the files are not word readable. Thus a normal user cant read the file /var/lib/mysql/mysql/user.MYD which represent the table mysql.user and stores mysql username and encrypted password. :(

ISSUE-2.0

If you are able to find a local privelege escalation on a box and manage to get root access, how will you get hold of the data stored in the MySql database?
You will probably try to read the file /var/lib/mysql/mysql/user.MYD to get the Mysql Username and their password hash and would then try to crack these hashes. It then comes down to the complexity of the password and if the password is complex enough there are chances that you may still not be able to crack it. However, the story is a bit different if you are on a debian box. Debian has an inbuilt account debian-sys-maint which bydefault has privilieges equivalent to what you will have for root user. To make matter worse, the file /etc/mysql/debian.cnf contains the randomly generated clear text password for this user. However, this file is again not word readable. But if you got a privilege escalation on debian box, no need to crack the hashes, just issue the command: mysql –defaults-extra-file=/etc/mysql/debian.cnf and you will have the entire MySql server to play.