Category Archives: Research

Articles/Whitepapers

MySql default [insecure] installation in debian

i recently updated my MySql server and i am currently using the version.5.0.38-Debian_1-log If you ever wondered how MySql saves data on your hard disk, then this is best explained here. I will quote from the same website

“Each database is a directory, with each table stored in a separate set of files. For an individual table, the .frm file contains information about the table structure — effectively, an internal representation of the CREATE TABLE statement. The .MYD file contains the row data, and the .MYI contains any indexes belonging with this table, as well as some statistics about the table. The data file contains only row data, with minimal overhead.”

Thus if you can read these directories/files, you can get hold of the database/table names respectively.
ISSUE-1
I looked on my debian box and these files are located in /var/lib/mysql folder. This folder is owned by user mysql and belongs to group mysql. Surprisingly, by default the permissions on this folder is 755. Thus a normal user on the box can list files and directories in the folder /var/lib/mysql and get hold of all the database names,which the MySQL server stores on this host
. However, the database directories in this folder are properly locked which denies an unprivlidged user to get tables information for databases. Although, the database mysql itslef allows directory listing but the files are not word readable. Thus a normal user cant read the file /var/lib/mysql/mysql/user.MYD which represent the table mysql.user and stores mysql username and encrypted password. :(

ISSUE-2.0

If you are able to find a local privelege escalation on a box and manage to get root access, how will you get hold of the data stored in the MySql database?
You will probably try to read the file /var/lib/mysql/mysql/user.MYD to get the Mysql Username and their password hash and would then try to crack these hashes. It then comes down to the complexity of the password and if the password is complex enough there are chances that you may still not be able to crack it. However, the story is a bit different if you are on a debian box. Debian has an inbuilt account debian-sys-maint which bydefault has privilieges equivalent to what you will have for root user. To make matter worse, the file /etc/mysql/debian.cnf contains the randomly generated clear text password for this user. However, this file is again not word readable. But if you got a privilege escalation on debian box, no need to crack the hashes, just issue the command: mysql –defaults-extra-file=/etc/mysql/debian.cnf and you will have the entire MySql server to play.

Abusing Trackback utility

I was researching a bit into the wordpress trackback utility. This is how it works:
You submit a post with trackback urls, and when you publish the post, the wordpress sends out a request to the URL you mentioned in the trackback URLs. Essentially this happens in the background.

You—–> WordPress Server———->Trackback URL

The trackback request to the trackback URL is not made by your browser, but the request will be sent by your server hosting wordpress application. This was a bit surprising to me, as what if my wordpress hosting company does not allow outbound traffic? Anyways the request is nothing special , its a straight forward post request to the trackback URL with the following parameters.

title
url
blog_name
excerpt.

I wrote a simple perl script which you can use to send fake trackback request. Although the request will go from your IP address, (unless you use some anonymous proxy) You can specify the Fake Url and other parameters which will appear to the victim’s wordpress. The Only solution i can think to avoid getting fake trackbacks is by having a check on the submitted url to see if it resolves to the same ip address. However, that might create some other problems.

However, I would be more interested in knowing if we can abuse it still further. At the moment i cant think of any more attack vectors to exploit this. As the connection to the trackback URL is made by wordpress server, can we not make it connect to a malicious host. Can we not make it connect to different ports on different hosts… blah.. blah blah... I look forward to hearing comments on this. BTW this blog is not just about hacking wordpress:)

WordPress 2.1.2 xmlrpc Security Issues

WordPress 2.1.2 xmlrpc Multiple Vulnerabilities:

Affected Versions: These issues were reported in version 2.1.2,(current stable version) and its very likely that previous versions may also be vulnerable.

1. Privilidge Escalation:

Under normal circumstances (through web interface) a user in contributor role only has access to following functions:

a. read
b. edit_posts

functionality ‘publish_posts’ is restricted to users in the author, editor or administrator roles. However, this is not implemented in xmlrpc.php and this allows a user in the contributor roles to publish a previously saved post to the website.

No exploit code is required.

2. SQL Injection:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before passing its value to the backend database which results in a Sql injection. Exploiting this is pretty trivial. As, it is an integer based injection, it works irrespective of the setting “magic quote”. . I wrote a Simple Proof Of Concept for this.
Download Exploit
—————————————————–
Exploit
—————————————————–

Successful Exploitation of this will give you usernames and md5 hash of password of all users including admin user. Before you run mdcrack on this hash, read my previous post on wordpress cookies as this will save your time.
Once you have the admin user hash needless to say you can create a php backdoor and that essentialy is game over.

About Poc:
The poc demonstrates how critical SQL injection vulnerabilities can be. In this example,the poc goes beyond obtaining admin hashes. It also returns the username and encrypted password of the mysql user(s). If the database is running as privilidged user, this will also try to fetch the /etc/passwd file, or any other file for that matter. As this injection is in an integer field it works irrespective of the setting magic quote :-)

Workaround:
1. Disable xmlrpc if you dont use it or restrict its access to trusted users only.

Vendor’s response:
1. vendor notified on 22nd March 2007.
2. New Version released on 2nd April 2007.
3. Advisory released on 2nd April 2007

——————————-
Advert: Testking provides highest quality 000-083 exam dumps, 000-085 video demos and 000-100 practice tests with 100% pass guarantee

SQL Injection Cheat Sheet

cheat sheet. Although there are so many articles on internet which talks about Sql Injection, this is the only document i know which is ‘complete’.

Abusing TCP/IP name resolution in Windows to carry out phishing attacks.

I was playing with name resolution in windows and i found that it sends broadcast requests over the network for the hostnames not resolved by DNS or WINS services. This is characteristic behaviour of windows and *nix boxes do not send any such broadcast requests. As these are the broadcast request, these can easily be abused to carry out phishing attacks. I wrote a small paper on this. You can access it here.

UPDATES: Here is good article from microsoft which discusses this process in detail. Here are a few drawbacks of this atatck:

1. This attack will ony work for domain names that are less than 16 characters.

2. Routers typically do not forward broadcasts, so only NetBIOS name on the local network can be resolved and the attacker thus has to be on the same local network.

3. The victim has to enable Netios Over TCP/IP to send out broadcast request.