July 26, 2012

(Un)Safe Surfing?

Nowadays many popular web browsers support auto-update, but a significant share of browser plug-ins must still be updated individually. A huge number of users do so very rarely, unaware that in most cases not only browsers but plug-ins too can be attacked.

Interesting statistics obtained from browser and plug-in security testing by the online service SurfPatrol in 2011 are under the cut.

July 16, 2012

Recreational XenAPI, or The New Adventures of Citrix XenServer

Today, I would like to speak about certain aspects of using Citrix XenServer 5.6. The problem I had to deal with seemed to be rather solvable: command execution in dom0 without using SSH. While searching for ways to solve it, I found some funny features of the HTTP API of the operating system: ways to get /etc/passwd, remote execution of rsync, and the XenSource thin CLI protocol. Now I will tell you a kind of research story.

July 12, 2012

Gaining Control Over Cloud Infrastructure. Easy as One, Two, Three

Several months ago the Positive Research Center analyzed the security of Citrix XenServer. Among other things, we studied the security of the administration interfaces, and the web interfaces of various system components in particular. As a result, we managed to find several critical vulnerabilities that allow obtaining control not only over these components but over the master server as well, that is, over the whole cloud infrastructure. Citrix was immediately notified of the detected vulnerabilities. After the issues had been fixed ([1], [2], [3]), the results were disclosed at the Positive Hack Days forum as part of the FastTrack section.

July 6, 2012

Introduction to SELinux: Modification of the Targeted Policy for Third Party Web Applications

Many of us are engaged in configuring production servers for web projects. I'm not going to explain how to set up Apache or Nginx; perhaps you know it even better than I do. However, an important aspect of building front-end servers still remains uncovered: configuration of the security subsystems. 'Disable SELinux' is the standard recommendation of the majority of amateur manuals.

I think that is a hasty decision, as configuring security subsystems in 'mild' policy mode is often rather trivial.

Today I'm going to tell you about several methods of configuring the SELinux security subsystem, applied to the Red Hat (CentOS) OS family. As an example, we'll configure a stack of Apache web server + mod_wsgi + Django + ZEO on CentOS 5.8.

July 3, 2012

Android: Overview of Hacking Applications

Hello, everyone!

Alongside the article on MiTM attacks from an iPhone, I got the idea of writing a similar one about Android.

We already know what iPhone is capable of. Is Android any worse?

We have considered about 25 hacking applications, and now I'd like to present the results of this small research. Some applications didn't start at all. Others froze the phone dead. But there were a few that worked quite OK!

All software solutions were tested on the LG Optimus smartphone under Android 2.3.

And here we go: a brief overview of hacking software for Android.

July 2, 2012

iPhone: MiTM attack out of a pocket

A laptop seems to be the typical device for Wi-Fi attacks. There are several reasons for this: the availability of specific Wi-Fi modules, the availability of the necessary software, and sufficient computing power. So usually we imagine an attacker holding a laptop while sitting in a car with an antenna sticking out of the window. However, mobile platforms keep moving forward, and a lot of operations can now be performed out of a pocket.

Many of us use Apple devices based on iOS. It is no secret that iOS is actually a member of the *nix family, and thus has all its advantages, including the availability of various classical pentest applications. This time I want to consider tools for conducting simple Man in the Middle attacks against Wi-Fi clients using the ARP poisoning technique.