* Robots.txt file has not been found but error page reveals Microsoft Internet Information Services in Use. Robots file sometimes expose juicy information.
* Server headers provide quite a lot of information: underlying technologies, versions, and a suspicious second cookie named “amSessionId”.
* While performing the test I just gapped by chance in this Google reply that includes the X-XSS-Protection with a 0 value, this causes IE 8 to allow displaying XSS suspicious content. There is a bit of discussion regarding this protection mechanism as it is said to block some benign contents so this is why Google may include this header. The X-Content-Type-Options set to nosniff is another header related to IE8 that helps mitigating certain attacks related to MIME type abuses.
* Sometimes you can get interesting information from contents metadata; in this case for example we see that the images have been edited with Photoshop 3.0. In other occasions one can get usernames and similar stuff to be used in the engagement.
* The main search function is vulnerable to XSS
A more elaborated attack can be performed as follows. First inject the following string that will display a fake login page to trick the user (victim).
We set up a listening socket, with netcat in this example.
The user will then input his user and password.
And the attacker therefore captures them.
If we wanted to provide more impressive results we can start Beef exploitation framework in order to control a victim’s browser.
* The way of the application to locate contents seems vulnerable to path traversal. The application seems to like to server html files but when manipulating the parameter an unfiltered error is displayed with interesting information.
Insecure redirection or remote file inclusion was also tested with no luck
Here the attack (insecure redirection) seems possible here:
Abusing the URL like this
* But a warning message appears, which is vulnerable to injection, and we can perform the redirection.
* In the subscription feature they check client side what characters the user is introducing, but no server side leading to an error.
* Therefore by introducing a “’” we have a nice Database error that could derive into a SQL Injection attack.
It seems to be an underlying insert clause but does not respond as expected to Boolean clauses
We could try to perform additional SQL commands by appending a “;drop database” but It wouldn’t be fair for Altoro. Again there is a XSS here.
* Again we have another Cross Site Scripting in a message:
* They do not mark the field with the autocomplete=off tag, here is not so dangerous but it is in login forms.
* Directory indexing misconfiguration has been located with sensitive information:
* There is a local reference to a file that also reveals a user name:
* In the feedback form there is also another XSS.
* Incomplete web page coding so that the page lacks of functionality, can impact the public image of the Bank. The button does not work as the html form does not have even an action tag definition.
* Login information is transmitted in clear text:
* It reveals when a username is not in the system, it can lead to ease brute forcing attacks on username field.
We see admin works so we just have to concentrate on password
* It seems vulnerable to SQL Injection attack
It is very easy to circumvent login page according to the previous behavior exposed by the web page, we just have to use the following:
· User: “admin’--“ (exclude the double quotes).
· Password: whatever as its going to be ignored because of the “—“ symbols that are meant to comment lines in SQL.
We see we have logged in with admin account:
* By the way an easy password guessing shows us that we can log in with admin/admin credentials.
We see that admin login is in fact an administration menu of the application in which we could change other user’s password and thus log in as them as well.
Changing user password does not seem to work (to avoid abuses from pentesters I guess) but usernames are valuables to access by the “—“ technique.
* There is another directory indexing vulnerability
* There is a web service (not authenticated).
It contains the web service methods definition and the soap messages needed:
This can be attacked to obtain usernames by means of soap messages and possibly performing XML injection attacks
A captcha exists as well to avoid malicious users do brute forcing on the password field with automated tools:
* In the capcha window source code we see a password in an html comment:
With this info and the capcha number we can successfully login
* A possible XML/XPATH injection exists:
With this we would obtain the first item
By crafting a more complex syntax we would for example find recursively the rest items. The contents are anyway indexed and available:
* Header injection vulnerability exists that allows modifying the page returned by the server.
* Regarding to session management we show below admin and sjoe cookies to detect possible vulnerabilities:
- admin cookie
Cookie: ASP.NET_SessionId=35f2wi55vpoyoyrg0ve54szg; amSessionId=446643804; amUserInfo=UserName=YWRtaW4=&Password=YWRtaW4=; amUserId=1
- sjoe cookie
Cookie: ASP.NET_SessionId=hvejm345qencll55npbtsqe0; amSessionId=582146246; amUserInfo=UserName=c2pvZSctLQ==&Password=bmFkYQ==; amUserId=100116013; amCreditOffer=CardType=Platinum&Limit=12000&Interest=5.4
We can highlight the following weaknesses:
· Username and password information is resent on every query, this only should happen when login in and the server session context must maintain this information.
· A suspicious amUserId is just used to difference one user from another, see image below.
· Special offers are set on client side by mans of amCreditOffer,CardType and Limit.
· The seemingly hashed information contained in username or password is just a base64 encoding so it is easy to intercept and reverse. (c2pvZSctLQ== is translated to sjoe'--)
* Having logged in as sjoe user we just have to ask for a privileged page like http://demo.testfire.net:80/admin/admin.aspx and modify sjoe amUserId field to set it to admin’s one (1) and we can access that critical page impersonating admin user.
Sunday, December 12, 2010
IntroductionLinksys routers can be enhanced by great firmwares that enable a lot of interesting/never ending features. So then what are you waiting for for upgrading your linksys box?
There are plenty of documentation on how to do it, this brief tutorial is based on dd-wrt firmware but I’m sure you can achieve similar results in others as well:
nvram show #show all config nvram get <variable> #gets variable content nvram set <variable>=<value> #sets variable content nvram set <variable>= #blanks a variable nvram unset <variable> #erases the variable completely nvram commit #saves the changes to nvram so they are kept after reseting the router
The architectureHere you can see how is this type of Linksys device internally:
What we see is that case labels (port numbers that we see in the rear view of the linksys device) do not match with the port numbers that dd-wrt firmware uses internally for them. This means that port 4 (externally) matches with port 0 (internally).
- port 5 (internal) leads to the cpu of dd-wrt.
- port 4 (internal) connects to the internet.
- port 0 (internal) is where we will create the new vlan (vlan2) and will be isolated from the rest of user ports (1-3) and wifi.
- port 0 (internal) will indeed need to see port 5 so that the CPU can route the packets to the internet through port 4.
Don't trust me! save your current configBefore changing any configuration following this tutorial I will be nice to you and strongly recommend to backup your config. I guess all firmwares (the original linksys one included) have the facility to backup you current configuration.
so do so!!!
The configurationThe first step is based on the premise that you already have installed dd-wrt in your Linksys/Other router.
Bearing all said before in mind we log into the router by means of telnet or ssh and do the following:
nvram set vlan0ports="3 2 1 5*" nvram set vlan2ports="0 5"With this our isolated port "0" will now belong to a new vlan called "vlan2".
The asterisk (*) signifies that the VLAN it is attached to is the default VLAN: if the switch receives a packet on port 5 that is not tagged it is put into the VLAN where the * is configured.
Now its time to define that we want to assign an IP to that vlan so that any computer that connects to that port can define its default gateway as 192.168.2.1 and be able to connect to the internet.
nvram set rc_startup=' ifconfig vlan2 192.168.2.1 netmask 255.255.255.0 ifconfig vlan2 up 'On some other tutorials similar to this one, they tell you to log into de http configuration menu and configure the ports like this but i think its not required. Do this as well just in case the configuration doesn't work.
Securing/Allowing things a bitTo isolate the port but to the internet we define the following rule in the internal linksys firewall
nvram set rc_firewall=' /usr/sbin/iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT 'The next step is rebooting the device and cross fingers
Roll back changes/fucking device!!If you happen to get desperate and you feel you have broken/bricked the router just do the following that will reset your nvram to the default settings
Locate a small button in the rear side of the router and press it with a pen or something similar for at least 10 seconds.
Next stepsIf you wanted you could assign the new port/net a dhcp server, but that was not my need.
TroubleshootingDuring some test I have been doing I lost connectivity with the web interface, this is when accessing with a web browser the page looked like it was not loading. The solution is the following:
- Access the router by means of telnet or ssh.
- Restart the http daemon
ps #look for the pid of the httpd process in order to kill it kill -9 <httpd_pid> httpd -h /www #start the proccess again
- Try to access now through your browser
IntroductionHi, after so long creating a new post this time I just wanna talk about Bluetooth devices and blackberries...not the fruit huh!
Well in fact I am not sure if I will cover something interesting related to BB (Blackberry) I just will try to
Also have in mind that the bluetooth dongle I am using is a cheap-poor-not-great one.
The hardwareI just have this and will try to see what sort of tweaks and tricks we can perform...yeah the /Rooted ad, it was a great Con that took place in Spain I want to mention in my wiki, didn't hear about it? http://www.rootedcon.es/eng/index.html
The toolsSo far a brand new Backtrack 4 seems enough.
Bluetooth dongle id
root@bt:/# tail /var/log/syslog Apr 10 13:18:36 bt kernel: eth0: no IPv6 routers present Apr 10 13:21:57 bt kernel: Bluetooth: Core ver 2.15 Apr 10 13:21:57 bt kernel: NET: Registered protocol family 31 Apr 10 13:21:57 bt kernel: Bluetooth: HCI device and connection manager initialized Apr 10 13:21:57 bt kernel: Bluetooth: HCI socket layer initialized Apr 10 13:22:04 bt kernel: usb 2-2: new full speed USB device using uhci_hcd and address 2 Apr 10 13:22:04 bt kernel: usb 2-2: device descriptor read/64, error -71 Apr 10 13:22:05 bt kernel: usb 2-2: configuration #1 chosen from 1 choice Apr 10 13:22:06 bt kernel: Bluetooth: Generic Bluetooth USB driver ver 0.5 Apr 10 13:22:06 bt kernel: usbcore: registered new interface driver btusb root@bt:/# hciconfig -a hci0: Type: USB BD Address: 00:00:00:00:00:00 ACL MTU: 0:0 SCO MTU: 0:0 DOWN RX bytes:0 acl:0 sco:0 events:0 errors:0 TX bytes:0 acl:0 sco:0 commands:0 errors:0 //when "upping" the device more info is provided and more commands are accepted and do not time out. root@bt:/# hciconfig hci0 up root@bt:/# hciconfig -a hci0: Type: USB BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8 UP RUNNING RX bytes:348 acl:0 sco:0 events:11 errors:0 TX bytes:38 acl:0 sco:0 commands:11 errors:0 Features: 0xff 0xff 0x8f 0xf8 0x18 0x18 0x00 0x80 Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3 Link policy: Link mode: SLAVE ACCEPT Name: 'CSR - bc3' Class: 0x000000 Service Classes: Unspecified Device Class: Miscellaneous, HCI Ver: 1.2 (0x2) HCI Rev: 0x639 LMP Ver: 1.2 (0x2) LMP Subver: 0x639 Manufacturer: Cambridge Silicon Radio (10) //seems just a ROM memory is installed root@bt:/# bccmd -d hci0 chiprev Chip revision: 0x0015 (BC3-ROM) //dfutools for managing the firmware do not work root@bt:/# dfutool -d hci0 archive bt_dongle_orig_firmware.bin Can't find any DFU devices
We can see the dongle from the picture above is a Cambrige Silicon Radio, with a bluecore 3 firmware
Faking our name
I thought I couldn't as this device wasn't supposed to have writable memory
root@bt:/# hciconfig hci0 name eslimasec root@bt:/# hciconfig hci0 name hci0: Type: USB BD Address: XX:XX:XX:XX:XX:XX ACL MTU: 192:8 SCO MTU: 64:8 Name: 'eslimasec'
root@bt:/# hcitool scan Scanning ... XX:XX:XX:XX:XX:XX BlackBerry 8520
when the device is in listen/waiting mode for other devices to discover it, it reveals this information.
root@bt:/# hcitool info XX:XX:XX:XX:XX:XX Requesting information ... BD Address: XX:XX:XX:XX:XX:XX Device Name: BlackBerry 8520 LMP Version: 2.1 (0x4) LMP Subversion: 0x12e9 Manufacturer: Cambridge Silicon Radio (10) Features: 0xbf 0xfe 0x8f 0xfe 0x98 0x19 0x00 0x80 <3-slot packets> <5-slot packets> <encryption> <slot offset> <timing accuracy> <role switch> <sniff mode> <RSSI> <channel quality> <SCO link> <HV2 packets> <HV3 packets> <u-law log> <A-law log> <CVSD> <paging scheme> <power control> <transparent SCO> <broadcast encrypt> <EDR ACL 2 Mbps> <EDR ACL 3 Mbps> <enhanced iscan> <interlaced iscan> <interlaced pscan> <inquiry with RSSI> <extended SCO> <AFH cap. slave> <AFH class. slave> <3-slot EDR ACL> <5-slot EDR ACL> <AFH cap. master> <AFH class. master> <extended features>
BlackBerry (& other devs) Attacks
Scam attack by changing our dongle name.
It was tested that the blackberry devices have a sort of cache that allows them to remember the name of you dongle from the first time you tried to get paired.
//change the name of the dongle to make the user set the code you want, then just ask for info and that pairing message will appear on the victim screen root@bt:/# hcitool info XX:XX:XX:XX:XX:XX