Intercepting Windows Printing by Modifying GDI Subsystem

Artyom Shishkin about Windows GDI

Intercepting Windows Printing by Modifying GDI Subsystem

View more presentations from Positive Hack Days

Root via XSS

Denis Baranov's presentations about XSS

Root via XSS

View more presentations from Positive Hack Days

How to Hack a Telecommunications Company and Stay Alive

Sergey Gordeychik, Technical Director of Positive Technologies, presented his research work on information security of telecommunications companies at the ZeroNight conference. 

How is penetration testing performed for telecom networks? What dangers to expect from subscribers? How to avoid financial losses under hacker attacks?

See his 71-slide presentation How to Hack a Telecommunications Company and Stay Alive under the cut.

How to Hack a Telecommunications Company and Stay Alive

Sergey Gordeychik, Deputy CEO at Positive Technologies

Penetration testing of telecommunications companies' networks is one of the most complex but still interesting tasks. Millions of IP addresses, tens of thousands of hosts, hundreds of web servers — and just a month for all this. What challenges are waiting for an auditor during the telecom network testing? What notes should be taken?

What is so peculiar about telecoms?
The present-day telecommunications companies serve tens or sometimes hundreds of subscribers, which obliges such companies to build and support huge networks. Most of the companies of the field are going through a convergence process, which is merging different services: broadband and wireless access services, hosting, mobile communication, VoIP and PST of different regions and countries as a part of a company, network and on convergent technological platforms.

Positive Hack Days Forum

PHD 2011-2012 from  Positive Technologies on Vimeo.

Registration on Positive Hack Days 2012 is open - http://phdays.com/registration.asp

PHD CTF Quals opens up a team registration for the information security contests

The coming December will see a qualification competition for PHD CTF, an international information security contest. The main contests will be held on May 30-31, 2012, in Moscow, Russia, as a part of Positive Hack Days, an international forum on information security.

This year everyone can participate in the qualification competitions: either in CTF Quals, or in CTF Afterparty. The competitions will contest participants’ skills of information security assessment, vulnerability search and exploitation, reverse engineering and hacking in general. The contest conditions will be as close to the real-life ones, as possible: vulnerabilities used for PHD CTF Quals and CTF Afterparty are not made-up but taken from the “wildlife”.

SAP DIAG Decompress plugin for Wireshark

SAP DIAG Plugin extends the basic functionality of the WireShark network packet analyzer and provides additional features of SAP DIAG protocol analysis. This extension allows one to collect and decompress SAP DIAG packets in the course of interaction between SAP FronTend client software and SAP application servers.

Author: Vladimir Zarichnyy (Positive Research Center)
License: AS IS

Version: 0.1b
Download URL: pt_sap_diag_wireshark_plugin.zip 

Setup:

Plugin work only in Wireshark for Windows.

Installation steps: you must copy plugin pt_sap_diag_wireshark_plugin.dll in folder %WiresharkInstallDir%/plugins/%version%

In future versions:

- Open Source (GPL)

- Auto SAP account grabber (to file)

ASV Vulnerabilities

When applying for a PCI DSS ASV certificate we came across a service based on the Qcodo

framework with quite an amusing vulnerability in it. The vulnerability is caused by the peculiar behavior of the PHP interpreter that occurs when deserializing inherited objects. All versions of this CMS proved vulnerable.

RankMyHack.Com – Who is the coolest web hacker

Who is the coolest web hacker? Everyone who is involved in the field of information security asks this question from time to time. LulzSecurity? Anonymous? Anyone else? It seems impossible to objectively identify someone as the best one. However, a site appeared in the Net a couple weeks ago which is aimed at determining who the best hacker is indeed! This site is http://RankMyHack.com. As soon as the resource was created, information about it started spreading all over the Internet. Serious Internet sources such as New York Times mentioned this site in their pages. Numerous hackers rushed to find out who is the coolest one among them …

Http Parameter Contamination (more)

To continue investigating the Http Parameter Contamination (HPC) attack, I’ve done some primitive fuzzing in the environments which had not been covered in the original research of Ivan Markovic. It must be mentioned, that I have not found out anything new. On the other hand, an interesting feature of the Python interpreter was revealed; I also got a payload exploit for conducting a denial-of-service attack against the Tomcat server:) But I won’t disclose anything else about the latter so far.

The results are presented in the figure below.

PenTest Magazine August Issue

Positive Hack Days material win the world – now there is an article in August issue of PenTest Magazine completely devoted to cloud computing and prepared by Sergey Gordeychik, CTO of Positive Technologies and Yuri Goltsev, penetration testing expert.

More Cisco, "more" vulnerability

Positive Research has discovered a vulnerability in Cisco devices. The vulnerability allows attackers to bypass certain access restrictions.
A possible security flaw was detected because of privileged command restrictions, in particular – "more" command that allows attackers to obtain router configuration stored in nvram, system (RAM), flash elements.
If more command access settings are configured as privilege exec level {number} more, opposed to commands like show, disk element access is propagated to all lower levels that could allow unauthorized users to obtain router memory and its elements nvram, system (RAM), flash.
Such problems are detected for IOS routers and switchers 12.2, 12.3, 12.4, 15.0.

Details

IOS 12.2, 12.3 limit access to configuration that can be obtained from system:running-config, but prevent reading directly from router memory (system:memory) to get the data, also reading from configuration and other files in router’s flash and nvram can is not limited.
IOS 12.4, 15.0 opposed to versions 12.2, 12.3, do not limit access from all router’s elements nvram, system (RAM), flash.
More details and how to fix are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827


Example 1. How to get configuration
Cisco 3550-12T (12.2(50)SE)
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE)

ServiceDesk security or rate penetration testing

In penetration testing, Positive Research experts meet enterprise web-based solutions located inside a corporate network or on its perimeter. Applications like ServiceDesk, ERP, billing systems, etc. are examples of similar systems. The tendency «all requests via port 80» usually leads to situations when applications created for internal networks are published in the Internet.

Today we pay special attention to ManageEngine ServiceDesk user support application, that was first noted by PT experts in November, 2010 in penetration testing in a big company. ManageEngine ServiceDesk is commercial software based on Java, and aims to automate technical support service functions according to ITIL/ITSM recommendations.

We identified the solution on the network front-end, and tried to find details about associated vulnerabilities in public resources. But we found nothing. To decrease impact to testing network, we used vendor’s evaluation version for further research.

We installed the system on our testing machine and detected several vulnerabilities via fazzing and manual analysis (http://www.ptsecurity.ru/advisory1.aspx):
- Arbitrary command execution in ManageEngine ServiceDesk Plus 8.0.0
- Information disclosure in ManageEngine ServiceDesk Plus 8.0.0
- Root path traversal in ManageEngine ServiceDesk Plus 8.0.0

Positive Research helps to improve Web Appliaction Firewall efficiency

Positive Research, the innovative department of Positive Technologies, deserves thanks from Trustwave, WAF ModSecurity developers for Web Application Firewall research.

On 23th of June, Trustwave, Web Application Firewall ModSecurity developer, held open competition in testing of web application protection means. SQL Injection Challenge competitors should bypass ModSecurity filter rules that block SQL Injection attacks.

The testing consisted of two stages. At the first stage, competitors should exploit SQL Injection to get data from database of test sites. The second task was more complicated: the task was the same but competitors should bypass ModSecurity filter rules and do not generate firewall events.

ModSecurity SQL Injection Challenge attracted attention of a great number of researchers, including experts of Positive Technologies innovative department - Positive Research.
The experts are usually interested in protection means. Thus, Dmitry Evteev, Positive Research expert, suggested a universal technique how to bypass ModSecurity filtering (http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html) in 2009. New ModSecurity version design uses the ideas.

Positive Research experts successfully managed all tasks and bypassed WAF ModSecurity restrictions with the up-to-date filter rules. The developers are going to use the results to improve firewall efficiency.

Alexander Anisimov, Positive Research team leader remarks: «Web Application Firewall protects the most part of web applications from mass attacks. But our penetration testing clearly shows that Web Application Firewall version «form the box» is unable to protect systems from a great number of targeted attacks. So we believe the best way is to use WAF to eliminate detected vulnerabilities. The possible solution is to integrate compliance and vulnerability management system MaxPatrol and Web Application Firewall ModSecurity».
More details about the competition are available here: http://www.modsecurity.org/demo/challenge.html.

Asterisk DoS Vulnerabilities

One of the latest internal project included heavy use of Asterisk PBX, which is the most popular open source VOIP solution nowadays.
Positive Research decided to check Asterisk's implementation of SIP protocol from security perspective. First things first and we used PROTOS test suite specifically developed for SIP testing. Test base includes checks for overflows, format strings, utf processing and more - you can check the whole list at their website (https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c07-sip).
This resulted in two denial of service vulnerabilities being found. Both of them were on their way to the vendor when we discovered that while we were preparing the advisories they were already reported by internal staff of Digium. The vulnerabilities affected version of 1.8.x to 1.8.4.3.
Security fixed version 1.8.4.4 is already provided at the Asterisk website. Let's look at the details of both vulnerabilities to understand better the nature of software security flaws.

Preliminary Results of Positive Hack Days

The Positive Hack Days forum, which took place in Moscow on May 19, gathered a variety of representatives of information security industry. By estimations, the forum was visited by more than 500 persons, including representatives of state structures, technical specialists, top managers in the IT field, independent experts, and hackers.

Two programs were conducted simultaneously: a business program, which included seminars and master-classes, and a hacking contest program. The organizers sum up the preliminary results.

The Positive Hack Days International Forum

Information security specialists, who hack computer systems and mobile devices to detect and fix previously unknown vulnerabilities in popular software, demonstrated their skills by hacking Safari, SCADA and by detecting a vulnerability in iPad at the Positive Hack Days international forum, which took place on Thursday (19/05/2011) in Moscow.

Fuzzing and exploitation of vulnerability CVE-2010-3856

The vulnerability “The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads" detected by Tavis Ormandy at the end of 2010 force most users to patch their systems as soon as possible.

An unprivileged user can run arbitrary code with highest privileges in the system using LD_AUDIT mode in ld.so with spoofing $ORIGIN by hard-coded link and running a SUID program via file descriptor.

The vulnerability description includes only several potentially unsafe libraries:
liblftp-tasks.so.0 and libpcprofile.so. But indeed, there can be much more of them in the system.
If your system does not include the libraries, it does not mean that your system is not vulnerable.

Positive Hack Days 2011

The Positive Technologies company carries out a unique event - the Positive Hack Days conference, which is devoted to practical security problems and represents a place to exchange views, to gain knowledge and to obtain contacts and practical skills.

The conference subjects were developed with a special accent on the practical sides of urgent information security issues. The main themes of the conference are: web application security, protection of cloud computing and virtual infrastructure, counteraction to 0-day attacks, investigation of incidents, protection from DDoS, fraud resistance, SCADA security, and protection of business applications and ERP.

Within the bounds of the conference, the following activities will take place:

- Business program with reports from the leading domestic and foreign experts.
- Round tables, both closed and open types, which allow you to discuss complex and even delicate issues of information security with colleagues.
- Master classes conducted by practitioner experts, which allow you to gain practical experience in solving complicated information security problems, such as vulnerability detection, analysis of break-in consequences, and analysis of instruments used to conduct attacks.
- Breaking-in contests, which allow anyone to try him/herself in breaking-in iPhones, cell phones, browsers, and protection mechanisms.
- PHD CTF 2011 competition, which is an open information security team competition organized according to the Capture the Flag rules; within the bounds of this competition, teams will protect their networks and attack the networks of contestants for 8 hours.

The conference program is addressed to a wide circle of information security specialists, and everyone will find something interesting in it.

- Directors, CISOs и CIOs will be able to estimate modern threats in practice, maintain their skills, and discuss information security problems with colleagues.
- Information security specialists will gain a lot of new and urgent information and will have an opportunity to improve their practical skills in solving a wide variety of information security issues.
- Vendors of security tools and systems will be able to estimate the efficiency of their solutions in practice by introducing them into the CTF competition tasks.
- Companies providing services in the field of information security can become sponsors and get professional employees involved.
- All participants will have a unique opportunity to find themselves on the other side of the barricade and to take part in practical master classes and information security contests.

We will be glad to see you at the Positive Hack Days conference!

Backdoor in Active Directory

Less than a year ago, there was a publication on habrahabr.ru with similar title [1]. Its author proposed a way how to hide domain administrator privileges using "Program data" system storage as a container for the "hidden" account with access limitations to prevent access to the account. But, despite author words, you can easily detect the "hidden" account and delete it with a couple of mouse clicks [2].

It means that this method does not work in practice. But is there more appropriate method (including without rootkits on domain controllers))?

Complete Guide to HackQuest 2010

This work contains the description of an algorithm to pass most stages of HackQuest 2010, which was held at the end of August within the scope of the Chaos Constructions 2010 festival and was available on-line in a shorter form in the end of 2010 on the basis of the SecurityLab portal.

Dmitry Evteev (Positive Technologies); http://devteev.blogspot.com/
Sergey Rublev (Positive Technologies); http://ptresearch.blogspot.com/
Alexander Matrosov (ESET); http://amatrosov.blogspot.com/
Vladimir d0znp Vorontsov (ONsec.RU); http://oxod.ru/
Taras oxdef Ivashchenko (Yandex); http://blog.oxdef.info/

Introduction

HackQuest 2010 is an open competition in the field of information security, the essence of which is to carry out a number of various tasks relating to information security: web hacking, social engineering, reverse engineering, etc. The contestants are given full scope for choosing the methods to cope with tasks. To capture one key (flag), it is necessary to exploit several vulnerabilities existing in real production system. Thus, the contestants can feel themselves to be real hackers :)

The competition results showed that many tasks proved to be too intricate for most contestants. The materials given in this work represent a complete guide to solve most tasks of HackQuest 2010.

PHP features in Windows operating system

Vladimir Vorontsov (aka d0znpp) has published rather interesting research about features in PHP interaction with Windows. It started as the equivalence between the following methods of file access was noticed:

• any.phP
• any.php
• any.ph<
• any.ph>