December 29, 2011
Root via XSS
Denis Baranov's presentations about XSS
December 14, 2011
How to Hack a Telecommunications Company and Stay Alive
Sergey Gordeychik, Technical Director of Positive Technologies, presented his research work on the information security of telecommunications companies at the ZeroNight conference.
How is penetration testing performed for telecom networks? What dangers should be expected from subscribers? How can financial losses from hacker attacks be avoided?
See his 71-slide presentation How to Hack a Telecommunications Company and Stay Alive under the cut.
December 13, 2011
How to Hack a Telecommunications Company and Stay Alive
Sergey Gordeychik, Deputy CEO at Positive Technologies
Penetration testing of telecommunications companies' networks is one of the most complex but still interesting tasks. Millions of IP addresses, tens of thousands of hosts, hundreds of web servers — and just a month for all this. What challenges await an auditor during telecom network testing? What should the auditor make note of?
What is so peculiar about telecoms?
Present-day telecommunications companies serve tens or sometimes hundreds of subscribers, which obliges them to build and support huge networks. Most companies in the field are going through a convergence process that merges different services (broadband and wireless access, hosting, mobile communication, VoIP and PSTN) across different regions and countries into a single company and network, built on convergent technological platforms.
November 18, 2011
Positive Hack Days Forum
Registration for Positive Hack Days 2012 is open: http://phdays.com/registration.asp
November 14, 2011
PHD CTF Quals opens team registration for the information security contests
The coming December will see a qualification competition for PHD CTF, an international information security contest. The main contests will be held on May 30-31, 2012, in Moscow, Russia, as a part of Positive Hack Days, an international forum on information security.
This year everyone can participate in the qualification competitions, either in CTF Quals or in CTF Afterparty. The competitions will test participants' skills in information security assessment, vulnerability search and exploitation, reverse engineering and hacking in general. The contest conditions will be as close to real life as possible: the vulnerabilities used for PHD CTF Quals and CTF Afterparty are not made up but taken from the wild.

October 11, 2011
SAP DIAG Decompress plugin for Wireshark
The SAP DIAG plugin extends the basic functionality of the Wireshark network packet analyzer with additional features for SAP DIAG protocol analysis. The extension allows one to collect and decompress SAP DIAG packets exchanged between SAP frontend client software and SAP application servers.
Author: Vladimir Zarichnyy (Positive Research Center)
License: AS IS
Setup:
The plugin works only in Wireshark for Windows. Installation steps: copy the plugin file pt_sap_diag_wireshark_plugin.dll into the folder %WiresharkInstallDir%/plugins/%version%.
In future versions:
- Open Source (GPL)
- Auto SAP account grabber (to file)
September 21, 2011
ASV Vulnerabilities

When applying for a PCI DSS ASV certificate we came across a service based on the Qcodo framework with quite an amusing vulnerability in it. The vulnerability is caused by the peculiar behavior of the PHP interpreter when deserializing inherited objects. All versions of this CMS proved vulnerable.
August 29, 2011
RankMyHack.Com – Who is the coolest web hacker

August 17, 2011
Http Parameter Contamination (more)
To continue investigating the Http Parameter Contamination (HPC) attack, I’ve done some primitive fuzzing in the environments which had not been covered in the original research of Ivan Markovic. It must be mentioned that I have not found out anything new. On the other hand, an interesting feature of the Python interpreter was revealed; I also got a payload exploit for conducting a denial-of-service attack against the Tomcat server :) But I won’t disclose anything else about the latter so far.
The results are presented in the figure below.
August 11, 2011
PenTest Magazine August Issue
Positive Hack Days materials are winning the world: the August issue of PenTest Magazine contains an article completely devoted to cloud computing, prepared by Sergey Gordeychik, CTO of Positive Technologies, and Yuri Goltsev, penetration testing expert.
July 12, 2011
More Cisco, "more" vulnerability
Positive Research has discovered a vulnerability in Cisco devices. The vulnerability allows attackers to bypass certain access restrictions.
The flaw lies in the privilege restrictions of the "more" command, which lets an attacker read the router configuration stored in the nvram, system (RAM) and flash file systems.
If access to the more command is configured with privilege exec level {number} more, then, unlike commands such as show, access to the file systems is propagated to all lower privilege levels, which could allow unauthorized users to read router memory and its nvram, system (RAM) and flash file systems.
The problem was found on IOS routers and switches running 12.2, 12.3, 12.4 and 15.0.
Details
IOS 12.2 and 12.3 restrict access to the configuration obtained from system:running-config, but do not prevent reading the same data directly from router memory (system:memory); reading the configuration and other files from the router's flash and nvram is not limited either.
IOS 12.4 and 15.0, unlike 12.2 and 12.3, do not limit access to any of the router's file systems: nvram, system (RAM) or flash.
More details and how to fix are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827
Example 1. How to get configuration
Cisco 3550-12T (12.2(50)SE)
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE)
July 7, 2011
ServiceDesk security or rate penetration testing

Today we pay special attention to the ManageEngine ServiceDesk user support application, which PT experts first encountered in November 2010 during a penetration test at a large company. ManageEngine ServiceDesk is commercial Java-based software that aims to automate technical support functions according to ITIL/ITSM recommendations.
We identified the solution on the network front end and tried to find details about associated vulnerabilities in public resources, but found nothing. To reduce the impact on the network under test, we used the vendor's evaluation version for further research.
We installed the system on our test machine and detected several vulnerabilities through fuzzing and manual analysis (http://www.ptsecurity.ru/advisory1.aspx):
- Arbitrary command execution in ManageEngine ServiceDesk Plus 8.0.0
- Information disclosure in ManageEngine ServiceDesk Plus 8.0.0
- Root path traversal in ManageEngine ServiceDesk Plus 8.0.0
July 6, 2011
Positive Research helps to improve Web Application Firewall efficiency
Positive Research, the innovative department of Positive Technologies, received thanks from Trustwave, developer of the ModSecurity WAF, for its Web Application Firewall research.
On 23 June, Trustwave, developer of the ModSecurity Web Application Firewall, held an open competition in testing web application protection tools. Competitors in the SQL Injection Challenge had to bypass the ModSecurity filter rules that block SQL injection attacks.
The testing consisted of two stages. At the first stage, competitors had to exploit SQL injection to get data from the databases of test sites. The second task was more complicated: the goal was the same, but competitors had to bypass the ModSecurity filter rules without generating firewall events.
ModSecurity SQL Injection Challenge attracted attention of a great number of researchers, including experts of Positive Technologies innovative department - Positive Research.
The experts are usually interested in protection tools. In 2009, Dmitry Evteev, Positive Research expert, proposed a universal technique for bypassing ModSecurity filtering (http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html); the design of the new ModSecurity version takes these ideas into account.
Positive Research experts successfully managed all tasks and bypassed WAF ModSecurity restrictions with the up-to-date filter rules. The developers are going to use the results to improve firewall efficiency.
Alexander Anisimov, Positive Research team leader, remarks: «A Web Application Firewall protects most web applications from mass attacks. But our penetration testing clearly shows that a Web Application Firewall «from the box» is unable to protect systems from a great number of targeted attacks. So we believe the best way is to use a WAF to eliminate detected vulnerabilities. A possible solution is to integrate the compliance and vulnerability management system MaxPatrol with the Web Application Firewall ModSecurity».
More details about the competition are available here: http://www.modsecurity.org/demo/challenge.html.
July 4, 2011
Asterisk DoS Vulnerabilities
One of our recent internal projects included heavy use of the Asterisk PBX, the most popular open source VoIP solution today.
Positive Research decided to check Asterisk's implementation of the SIP protocol from a security perspective. First things first: we used the PROTOS test suite, developed specifically for SIP testing. Its test base includes checks for overflows, format strings, UTF processing and more; the whole list is available on the project website (https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c07-sip).
This resulted in two denial-of-service vulnerabilities being found. Both were on their way to the vendor when we discovered that, while we were preparing the advisories, they had already been reported by Digium's internal staff. The vulnerabilities affect versions 1.8.x up to 1.8.4.3.
The fixed version 1.8.4.4 is already available on the Asterisk website. Let's look at the details of both vulnerabilities to better understand the nature of software security flaws.
May 31, 2011
Preliminary Results of Positive Hack Days
The Positive Hack Days forum, which took place in Moscow on May 19, gathered a variety of representatives of the information security industry. By estimates, the forum was visited by more than 500 people, including representatives of state structures, technical specialists, top managers in the IT field, independent experts, and hackers.
Two programs were conducted simultaneously: a business program, which included seminars and master-classes, and a hacking contest program. The organizers sum up the preliminary results.
May 27, 2011
The Positive Hack Days International Forum
Information security specialists, who hack computer systems and mobile devices to detect and fix previously unknown vulnerabilities in popular software, demonstrated their skills by hacking Safari, SCADA and by detecting a vulnerability in iPad at the Positive Hack Days international forum, which took place on Thursday (19/05/2011) in Moscow.
April 19, 2011
Fuzzing and exploitation of vulnerability CVE-2010-3856
The vulnerability “The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads", detected by Tavis Ormandy at the end of 2010, forced most users to patch their systems as soon as possible.
An unprivileged user can run arbitrary code with the highest privileges in the system by using the LD_AUDIT mode of ld.so, spoofing $ORIGIN with a hard-coded link, and running a SUID program via a file descriptor.
The vulnerability description names only a few potentially unsafe libraries: liblftp-tasks.so.0 and libpcprofile.so. But in fact there can be many more of them in a system.
If your system does not include the libraries, it does not mean that your system is not vulnerable.
April 13, 2011
Positive Hack Days 2011

The conference topics were chosen with special emphasis on the practical side of urgent information security issues. The main themes of the conference are: web application security, protection of cloud computing and virtual infrastructure, counteraction to 0-day attacks, incident investigation, protection from DDoS, fraud resistance, SCADA security, and protection of business applications and ERP.
Within the bounds of the conference, the following activities will take place:
- Business program with reports from the leading domestic and foreign experts.
- Round tables, both closed and open types, which allow you to discuss complex and even delicate issues of information security with colleagues.
- Master classes conducted by practitioner experts, which allow you to gain practical experience in solving complicated information security problems, such as vulnerability detection, analysis of break-in consequences, and analysis of instruments used to conduct attacks.
- Hacking contests, which allow anyone to try their hand at hacking iPhones, cell phones, browsers, and protection mechanisms.
- PHD CTF 2011 competition, which is an open information security team competition organized according to the Capture the Flag rules; within the bounds of this competition, teams will protect their networks and attack the networks of contestants for 8 hours.
The conference program is addressed to a wide circle of information security specialists, and everyone will find something interesting in it.
- Directors, CISOs and CIOs will be able to assess modern threats in practice, maintain their skills, and discuss information security problems with colleagues.
- Information security specialists will gain a lot of new and urgent information and will have an opportunity to improve their practical skills in solving a wide variety of information security issues.
- Vendors of security tools and systems will be able to estimate the efficiency of their solutions in practice by introducing them into the CTF competition tasks.
- Companies providing services in the field of information security can become sponsors and get professional employees involved.
- All participants will have a unique opportunity to find themselves on the other side of the barricade and to take part in practical master classes and information security contests.
We will be glad to see you at the Positive Hack Days conference!
April 5, 2011
Backdoor in Active Directory
Less than a year ago, there was a publication on habrahabr.ru with a similar title [1]. Its author proposed a way to hide domain administrator privileges by using the "Program Data" system container to hold the "hidden" account, with access restrictions on it to prevent access to the account. But, despite the author's words, the "hidden" account can easily be detected and deleted with a couple of mouse clicks [2].
This means the method does not work in practice. But is there a more suitable method (one that does not require rootkits on domain controllers)?
April 1, 2011
Complete Guide to HackQuest 2010
This work describes an algorithm for passing most stages of HackQuest 2010, which was held at the end of August within the scope of the Chaos Constructions 2010 festival and was available online in a shorter form at the end of 2010 on the SecurityLab portal.
Dmitry Evteev (Positive Technologies); http://devteev.blogspot.com/
Sergey Rublev (Positive Technologies); http://ptresearch.blogspot.com/
Alexander Matrosov (ESET); http://amatrosov.blogspot.com/
Vladimir d0znp Vorontsov (ONsec.RU); http://oxod.ru/
Taras oxdef Ivashchenko (Yandex); http://blog.oxdef.info/
Introduction
HackQuest 2010 is an open competition in the field of information security, the essence of which is to carry out a number of various tasks relating to information security: web hacking, social engineering, reverse engineering, etc. The contestants are given full scope for choosing the methods to cope with the tasks. To capture one key (flag), it is necessary to exploit several vulnerabilities existing in a real production system. Thus, the contestants can feel themselves to be real hackers :)
The competition results showed that many tasks proved to be too intricate for most contestants. The materials given in this work represent a complete guide to solving most tasks of HackQuest 2010.
January 13, 2011
PHP features in Windows operating system

- any.phP
- any.php
- any.ph<
- any.ph>