www.notsosecure.com » News

Troopers 09

sid — Fri, 24 Apr 2009 11:50:15 +0000

I attended troopers 09 in munich and it was a wonderful event. There were some very interesting talks. With regards to web application security, Sandro Gauci & Wendel Guglielmetti Henrique gave a talk on Web Application Firewalls. They also demoed a tool which could passively fingerprint around 10 different WAF. The detection is based on features such as “set-cookie” and “server” HTTP response header etc.
The evasion techniques they mentioned were mostly vendor specific.

Michael Kemp ranted about DLP(Data Loss Prevention) software. His main argument was a DLP software was not any different from a root-kit. He also mentioned that antirootkit vendors do not detect DLP softwares even from another vendor and by changing the endpoints of a DLP software an admin could use the DLP softwares as a perfect rootkit.

I enjoyed the password cracking with GPU’s talk. The talk showed different stats to prove GPU is far more effective and “greener” than CPU. I was expecting some cool demos with play stations cracking passwords, but there were no demos

There were some more interesting talks and the videos will be uploaded soon. Thanks To ERNW for hosting such an enjoyable event.

Bsqlbf v2.2

sid — Tue, 03 Mar 2009 15:24:33 +0000

I finally managed to fix a few bugs and release a new version. Other than the bug fixing, the new version also supports blind sql injection in “order by”, “group by” clause.

There are currently a few issues with threaded perl. I have tested this under windows using activeperl. As always, any bug report is highly appreciated.

Download link

Sid

Wordpress Unauthorized Comment Disclosure

admin — Fri, 01 Jun 2007 07:05:28 +0000

By Enumerating, the name and email address of a comment author, an attacker can read the comment submitted by the author while the comment still waits an administrator to approve it and publish it. This again points to the need for a better session management in Wordpress. Read the full story here

Wordpress 2.1.2 xmlrpc Security Issues

sid — Tue, 03 Apr 2007 18:17:07 +0000

Wordpress 2.1.2 xmlrpc Multiple Vulnerabilities:

Affected Versions: These issues were reported in version 2.1.2,(current stable version) and its very likely that previous versions may also be vulnerable.

1. Privilidge Escalation:

Under normal circumstances (through web interface) a user in contributor role only has access to following functions:

a. read
b. edit_posts

functionality ‘publish_posts’ is restricted to users in the author, editor or administrator roles. However, this is not implemented in xmlrpc.php and this allows a user in the contributor roles to publish a previously saved post to the website.

No exploit code is required.

2. SQL Injection:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before passing its value to the backend database which results in a Sql injection. Exploiting this is pretty trivial. As, it is an integer based injection, it works irrespective of the setting “magic quote”. . I wrote a Simple Proof Of Concept for this.
Download Exploit
—————————————————–

—————————————————–

Successful Exploitation of this will give you usernames and md5 hash of password of all users including admin user. Before you run mdcrack on this hash, read my previous post on wordpress cookies as this will save your time.
Once you have the admin user hash needless to say you can create a php backdoor and that essentialy is game over.

About Poc:
The poc demonstrates how critical SQL injection vulnerabilities can be. In this example,the poc goes beyond obtaining admin hashes. It also returns the username and encrypted password of the mysql user(s). If the database is running as privilidged user, this will also try to fetch the /etc/passwd file, or any other file for that matter. As this injection is in an integer field it works irrespective of the setting magic quote

Workaround:
1. Disable xmlrpc if you dont use it or restrict its access to trusted users only.

Vendor’s response:
1. vendor notified on 22nd March 2007.
2. New Version released on 2nd April 2007.
3. Advisory released on 2nd April 2007

——————————-
Advert: Testking provides highest quality 000-083 exam dumps, 000-085 video demos and 000-100 practice tests with 100% pass guarantee

SQL Injection Cheat Sheet

sid — Fri, 16 Mar 2007 08:10:58 +0000

cheat sheet. Although there are so many articles on internet which talks about Sql Injection, this is the only document i know which is ‘complete’.

Abusing TCP/IP name resolution in Windows to carry out phishing attacks.

sid — Wed, 14 Mar 2007 17:21:21 +0000

I was playing with name resolution in windows and i found that it sends broadcast requests over the network for the hostnames not resolved by DNS or WINS services. This is characteristic behaviour of windows and *nix boxes do not send any such broadcast requests. As these are the broadcast request, these can easily be abused to carry out phishing attacks. I wrote a small paper on this. You can access it here.

UPDATES: Here is good article from microsoft which discusses this process in detail. Here are a few drawbacks of this atatck:

1. This attack will ony work for domain names that are less than 16 characters.

2. Routers typically do not forward broadcasts, so only NetBIOS name on the local network can be resolved and the attacker thus has to be on the same local network.

3. The victim has to enable Netios Over TCP/IP to send out broadcast request.

Under Construction

admin — Mon, 12 Mar 2007 20:31:21 +0000

This website is currently under construction. Kindly visit again in some time.