Jan 11, 2013

Microsoft .NET Framework Privilege Escalation

The Microsoft .NET Framework contains an error in the Intermediate Language (IL) verifier which could allow hosted partial-trust code to elevate privileges and escape a sandboxed environment, resulting in arbitrary code execution with the permissions of the user. Affected are Microsoft .NET Framework versions 1.1 through 4.5.
Source: http://packetstormsecurity.com/files/119438 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Securing Web Application Technologies [SWAT] Checklist By SANS

Error Handling and Logging
Each entry gives the best practice, its description, and the related CWE ID.

Display generic error messages (CWE-209)
Error messages should not reveal details about the internal state of the application. For example, file system paths and stack information should not be exposed to the user through error messages.

No unhandled exceptions (CWE-391)
Given the languages and frameworks in use for web application development, never allow an unhandled exception to occur. Error handlers should be configured to handle unexpected errors and gracefully return controlled output to the user.

Suppress framework-generated errors (CWE-209)
Your development framework or platform may generate default error messages. These should be suppressed or replaced with customized error messages, as framework-generated messages may reveal sensitive information to the user.

Log all authentication activities (CWE-778)
Any authentication activities, whether successful or not, should be logged.

Log all privilege changes (CWE-778)
Any activities or occasions where the user's privilege level changes should be logged.

Log administrative activities (CWE-778)
Any administrative activities on the application or any of its components should be logged.

Log access to sensitive data (CWE-778)
Any access to sensitive data should be logged. This is particularly important for corporations that have to meet regulatory requirements like HIPAA, PCI, or SOX.

Do not log inappropriate data (CWE-532)
While logging errors and auditing access is important, sensitive data should never be logged in an unencrypted form. For example, under HIPAA and PCI, it would be a violation to write sensitive data into the log itself unless the log is encrypted on disk. Additionally, it creates a serious exposure point should the web application itself become compromised.

Store logs securely (CWE-533)
Logs should be stored and maintained appropriately to avoid information loss or tampering by an intruder. Log retention should also follow the retention policy set forth by the organization to meet regulatory requirements and provide enough information for forensic and incident response activities.
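The following is an added example (not part of the SANS checklist or this blog) showing how the first section's rules fit together in code: audit events are written with sensitive fields redacted before they reach the log, and an unexpected exception is logged in full server-side while the user receives only a generic message and an incident id. The logger name, the list of sensitive keys, and the sample failed login are assumptions made for the demo.

```python
import logging
import traceback
import uuid


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo can inspect them (a file or syslog handler in production)."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


# Field names whose values must never be written to a log in clear text (CWE-532). Assumed list; extend per application.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "ssn", "card_number"}


def redact(record):
    """Return a copy of an audit record with sensitive values masked, recursing into nested dicts."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = redact(value)
        else:
            clean[key] = value
    return clean


def audit(logger, event, **fields):
    """Write one structured audit line for an auth attempt, privilege change or admin action (CWE-778)."""
    safe = redact(fields)
    line = " ".join(f"{k}={v}" for k, v in sorted(safe.items()))
    logger.info("event=%s %s", event, line)
    return safe


def handle_error(logger, exc):
    """Log the full traceback server-side, return a generic response body for the user (CWE-209, CWE-391)."""
    incident_id = uuid.uuid4().hex
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("incident=%s %s", incident_id, detail)
    return 500, {"error": "An internal error occurred.", "incident_id": incident_id}


def build_logger():
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("swat.demo")  # assumed logger name
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger, handler


def demo():
    """Constructed scenario: a failed login carrying the submitted password, then an internal failure."""
    logger, handler = build_logger()
    audit(logger, "login", user="alice", success=False, password="hunter2", source_ip="198.51.100.7")
    try:
        raise RuntimeError("db connect failed: /etc/app/db.yml")  # constructed error exposing an internal path
    except RuntimeError as exc:
        status, body = handle_error(logger, exc)
    return status, body, handler.lines


if __name__ == "__main__":
    status, body, lines = demo()
    print(status, body)
    print("\n".join(lines))
```

The incident id is the link between what the user sees and what the operator can find in the log, which is what lets you keep the user-facing message generic without losing the detail needed for incident response.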

Data Protection

Use SSL everywhere (CWE-311)
Ideally, SSL should be used for your entire application. If you have to limit where it is used, then SSL must be applied to any authentication pages as well as all pages after the user is authenticated. If sensitive information (e.g. personal information) can be submitted before authentication, those features must also be sent over SSL. Example: Firesheep

Disable HTTP access for all SSL-enabled resources (CWE-319)
For all pages requiring protection by SSL, the same URL should not be accessible via the non-SSL channel.

Use the Strict-Transport-Security header
The Strict-Transport-Security header ensures that the browser does not talk to the server over non-SSL. This helps reduce the risk of SSL stripping attacks as implemented by the sslsniff tool.

Store user passwords using a strong, iterative, salted hash (CWE-257)
User passwords must be stored using secure hashing techniques with a strong algorithm like SHA-256. Simply hashing the password a single time does not sufficiently protect the password. Use iterative hashing with a random salt to make the hash strong. Example: LinkedIn password leak

Securely exchange encryption keys
If encryption keys are exchanged or pre-set in your application, then any key establishment or exchange must be performed over a secure channel.

Set up secure key management processes (CWE-320)
When keys are stored in your system they must be properly secured and only accessible to the appropriate staff on a need-to-know basis.

Disable weak SSL ciphers on servers
Weak SSL ciphers must be disabled on all servers. For example, SSL v2 has known weaknesses and is not considered to be secure. Additionally, some ciphers are cryptographically weak and should be disabled.

Use valid SSL certificates from a reputable CA
SSL certificates should be signed by a reputable certificate authority. The name on the certificate should match the FQDN of the website. The certificate itself should be valid and not expired. Example: CA compromise (http://en.wikipedia.org/wiki/DigiNotar)

Disable data caching using cache control headers and autocomplete (CWE-524)
Browser data caching should be disabled using the cache control HTTP headers or meta tags within the HTML page. Additionally, sensitive input fields, such as the login form, should have the autocomplete=off setting in the HTML form to instruct the browser not to cache the credentials.

Limit the use and storage of sensitive data
Conduct an evaluation to ensure that sensitive data is not being unnecessarily transported or stored. Where possible, use tokenization to reduce data exposure risks.
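An added example (not from the checklist or this blog) for the "strong, iterative, salted hash" item above: PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, a self-describing storage format, constant-time verification, and a check that tells you when an old hash should be upgraded. The single unsalted SHA-256 in naive_hash is shown only as the weak form the checklist warns against. The iteration count and storage format are assumptions; tune the count to your hardware.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "sha256"
ITERATIONS = 600_000   # assumed policy; raise over time as hardware gets faster
SALT_BYTES = 16


def naive_hash(password):
    """The weak form: one unsalted SHA-256. Equal passwords give equal hashes and rainbow tables apply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh random salt (assumed format)."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != f"pbkdf2_{ALGORITHM}":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False   # malformed record: treat as a failed verification, never as a match
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored hash is below the current policy; rehash on the user's next successful login."""
    try:
        scheme, stored_iterations, _, _ = stored.split("$")
        return scheme != f"pbkdf2_{ALGORITHM}" or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

Storing the iteration count beside the digest is what makes the later upgrade possible: verify with whatever the record says, then re-hash under the current policy once you hold the plaintext during a successful login.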

Configuration and operations

Establish a rigorous change management process (CWE-439)
A rigorous change management process must be maintained during change management operations. For example, new releases should only be deployed after process. Example: RBS production outage (http://www.computing.co.uk/ctg/analysis/2186972/rbs-wrong-rbs-manager)

Define security requirements
Engage the business owner to define security requirements for the application. This includes items that range from the whitelist validation rules all the way to non-functional requirements like the performance of the login function. Defining these requirements up front ensures that security is baked into the system.

Conduct a design review (CWE-701)
Integrating security into the design phase saves money and time. Conduct a risk review with security professionals and threat model the application to identify key risks. This helps you integrate appropriate countermeasures into the design and architecture of the application.

Perform code reviews (CWE-702)
Security-focused code reviews can be one of the most effective ways to find security bugs. Regularly review your code looking for common issues like SQL Injection and Cross-Site Scripting.

Perform security testing
Conduct security testing both during and after development to ensure the application meets security standards. Testing should also be conducted after major releases to ensure vulnerabilities did not get introduced during the update process.

Harden the infrastructure (CWE-15)
All components of infrastructure that support the application should be configured according to security best practices and hardening guidelines. In a typical web application this can include routers, firewalls, network switches, operating systems, web servers, application servers, databases, and application frameworks.

Define an incident handling plan
An incident handling plan should be drafted and tested on a regular basis. The contact list of people to involve in a security incident related to the application should be well defined and kept up to date.

Educate the team on security
Training helps define a common language that the team can use to improve the security of the application. Education should not be confined solely to software developers, testers, and architects. Anyone associated with the development process, such as business analysts and project managers, should have periodic software security awareness training.


Authentication

Don't hardcode credentials (CWE-798)
Never allow credentials to be stored directly within the application code. While it can be convenient to test application code with hardcoded credentials during development, this significantly increases risk and should be avoided. Example: Hard-coded passwords in networking devices (https://www.us-cert.gov/control_systems/pdf/ICSA-12-243-01.pdf)

Develop a strong password reset system (CWE-640)
Password reset systems are often the weakest link in an application. These systems are often based on the user answering personal questions to establish their identity and in turn reset the password. The system needs to be based on questions that are both hard to guess and hard to brute force. Additionally, any password reset option must not reveal whether or not an account is valid, preventing username harvesting. Example: Sarah Palin password hack (http://en.wikipedia.org/wiki/Sarah_Palin_email_hack)

Implement a strong password policy (CWE-521)
A password policy should be created and implemented so that passwords meet specific strength criteria. Example: http://www.pcworld.com/article/128823/study_weak_passwords_really_do_help_hackers.html

Implement account lockout against brute force attacks (CWE-307)
Account lockout needs to be implemented to guard against brute forcing attacks against both the authentication and password reset functionality. After several tries on a specific user account, the account should be locked for a period of time or until manually unlocked. Additionally, it is best to continue returning the same failure message, indicating that the credentials are incorrect or the account is locked, to prevent an attacker from harvesting usernames.

Don't disclose too much information in error messages
Messages for authentication errors must be clear and, at the same time, be written so that sensitive information about the system is not disclosed. For example, an error message which reveals that the user id is valid but that the corresponding password is incorrect confirms to an attacker that the account does exist on the system.

Store database credentials securely (CWE-257)
Modern web applications usually consist of multiple layers. The business logic tier (processing of information) often connects to the data tier (database). Connecting to the database, of course, requires authentication. The authentication credentials in the business logic tier must be stored in a centralized location that is locked down. Scattering credentials throughout the source code is not acceptable. Some development frameworks provide a centralized secure location for storing credentials to the backend database. These encrypted stores should be leveraged when possible.

Applications and middleware should run with minimal privileges (CWE-250)
If an application becomes compromised, it is important that the application itself and any middleware services be configured to run with minimal privileges. For instance, while the application layer or business layer needs the ability to read and write data to the underlying database, administrative credentials that grant access to other databases or tables should not be provided.
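An added example (not from the checklist or this blog) combining the lockout and error-message items above: a small authenticator that locks an account after a number of consecutive failures, returns exactly the same message for an unknown user, a wrong password and a locked account, runs the password derivation even for unknown users so timing does not differ, and records every attempt for the audit log. The failure threshold, lockout period, iteration count and injected clock are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5                 # assumed policy: lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60        # assumed policy; could also require manual unlock
GENERIC_FAILURE = "Invalid username or password."
_DUMMY_SALT = b"\x00" * 16       # used for unknown users so the KDF still runs
_DUMMY_DIGEST = b"\x00" * 32


def _kdf(password, salt):
    # PBKDF2 verifier; iteration count kept low for the demo (assumption), see the Data Protection section.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class Authenticator:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable for testing
        self._users = {}          # username -> (salt, digest)
        self._failures = {}       # username -> (consecutive failures, locked_until)
        self.events = []          # audit trail of every attempt, successful or not (CWE-778)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _kdf(password, salt))

    def is_locked(self, username):
        _, until = self._failures.get(username, (0, 0.0))
        return until > self.clock()

    def login(self, username, password):
        """Return (success, message). The message never reveals whether the account exists or is locked."""
        now = self.clock()
        failures, until = self._failures.get(username, (0, 0.0))
        record = self._users.get(username)
        salt, digest = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
        # Always derive and compare in constant time, even for unknown users, so timing stays uniform.
        password_ok = hmac.compare_digest(_kdf(password, salt), digest) and record is not None

        if until > now:
            self.events.append(("login_rejected_locked", username))
            return False, GENERIC_FAILURE
        if password_ok:
            self._failures.pop(username, None)
            self.events.append(("login_success", username))
            return True, "Login successful."
        failures += 1
        if failures >= MAX_FAILURES:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            self.events.append(("account_locked", username))
        else:
            self._failures[username] = (failures, 0.0)
        self.events.append(("login_failure", username))
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    auth = Authenticator()
    auth.add_user("alice", "correct horse battery staple")
    for attempt in ["wrong"] * MAX_FAILURES + ["correct horse battery staple"]:
        print(auth.login("alice", attempt))
    print(auth.events)
```

Note that the lockout state is keyed by username, not by source address, so a distributed guessing attack against one account still hits the lock; the flip side is that an attacker can lock legitimate users out, which is why the audit events matter for spotting that.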

Session Management

Ensure that session identifiers are sufficiently random (CWE-6)
Session tokens must be generated by secure random functions and must be of a sufficient length so as to withstand analysis and prediction.

Regenerate session tokens (CWE-384)
Session tokens should be regenerated when the user authenticates to the application and when the user privilege level changes. Additionally, should the encryption status change, the session token should always be regenerated.

Implement an idle session timeout (CWE-613)
When a user is not active, the application should automatically log the user out. Be aware that Ajax applications may make recurring calls to the application, effectively resetting the timeout counter automatically.

Implement an absolute session timeout (CWE-613)
Users should be logged out after an extensive amount of time (e.g. 4-8 hours) has passed since they logged in. This helps mitigate the risk of an attacker using a hijacked session.

Destroy sessions at any sign of tampering
Unless the application requires multiple simultaneous sessions for a single user, implement features to detect session cloning attempts. Should any sign of session cloning be detected, the session should be destroyed, forcing the real user to reauthenticate.

Invalidate the session after logout (CWE-613)
When the user logs out of the application, the session and corresponding data on the server must be destroyed. This ensures that the session cannot be accidentally revived.

Place a logout button on every page
The logout button or logout link should be easily accessible to the user on every page after they have authenticated.

Use secure cookie attributes (i.e. HttpOnly and Secure flags) (CWE-79)
The session cookie should be set with both the HttpOnly and the Secure flags. This ensures that the session id will not be accessible to client-side scripts and that it will only be transmitted over SSL, respectively.

Set the cookie domain and path correctly
The cookie domain and path scope should be set to the most restrictive settings for your application. Any wildcard domain-scoped cookie must have a good justification for its existence.

Set the cookie expiration time
The session cookie should have a reasonable expiration time. Non-expiring session cookies should be avoided.
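An added example (not from the checklist or this blog) implementing the session items above as one server-side store: CSPRNG tokens, regeneration on login or privilege change that kills the old token, idle and absolute timeouts enforced on every validation, explicit destruction on logout, and a Set-Cookie value carrying the Secure and HttpOnly flags with a restrictive path and an expiry. Timeout values and the injectable clock are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # assumed policy: seconds of inactivity before logout
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # assumed policy: hard cap since login (the checklist's 4-8 hours)


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}

    @staticmethod
    def _new_token():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, URL-safe (CWE-6)

    def create(self, user, privileged=False):
        now = self.clock()
        token = self._new_token()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now, "privileged": privileged}
        return token

    def regenerate(self, token, **changes):
        """Issue a new token on authentication or privilege change (CWE-384); the old token stops working."""
        data = self._sessions.pop(token)
        data.update(changes)
        data["last_seen"] = self.clock()
        new_token = self._new_token()
        self._sessions[new_token] = data
        return new_token

    def validate(self, token):
        """Return session data if the token is live, else None. Expired sessions are destroyed on sight."""
        data = self._sessions.get(token)
        if data is None:
            return None
        now = self.clock()
        idle_expired = now - data["last_seen"] > IDLE_TIMEOUT
        absolute_expired = now - data["created"] > ABSOLUTE_TIMEOUT   # not reset by activity
        if idle_expired or absolute_expired:
            self.destroy(token)
            return None
        data["last_seen"] = now
        return data

    def destroy(self, token):
        """Logout or tamper detection: drop server-side state so the token cannot be revived (CWE-613)."""
        self._sessions.pop(token, None)


def session_cookie(token, path="/"):
    """Set-Cookie value with the attributes the checklist asks for: scoped path, expiry, Secure, HttpOnly."""
    return f"session={token}; Path={path}; Max-Age={IDLE_TIMEOUT}; Secure; HttpOnly"


def logout_cookie(path="/"):
    """Clear the cookie client-side; the server-side destroy() is what actually ends the session."""
    return f"session=; Path={path}; Max-Age=0; Secure; HttpOnly"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create("guest")
    logged_in = store.regenerate(anonymous, user="alice")   # new token at authentication
    print(session_cookie(logged_in))
    print(store.validate(anonymous), store.validate(logged_in))
```

The absolute timeout is checked against the creation time that regenerate() carries over, so swapping tokens at login does not extend the hard cap for a session that started much earlier.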

Input and Output Handling

Conduct contextual output encoding (CWE-79)
All output functions must contextually encode data before sending it to the user. Depending on where the output will end up in the HTML page, the output must be encoded differently. For example, data placed in the URL context must be encoded differently than data placed in JavaScript context within the HTML page. Resource: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Prefer whitelists over blacklists (CWE-159)
For each user input field, there should be validation on the input content. Whitelisting input is the preferred approach. Only accept data that meets certain criteria. For input that needs more flexibility, blacklisting can also be applied, where known bad input patterns or characters are blocked.

Use parameterized SQL queries (CWE-89)
SQL queries should be crafted with user content passed into a bind variable. Queries written this way are safe against SQL injection attacks. SQL queries should not be created dynamically using string concatenation. Similarly, the SQL query string used in a bound or parameterized query should never be dynamically built from user input. Example: Sony SQL injection hack (http://www.infosecurity-magazine.com/view/27930/lulzsec-sony-pictures-hackers-were-school-chums)

Use tokens to prevent forged requests (CWE-352)
In order to prevent Cross-Site Request Forgery attacks, you must embed a random value that is not known to third parties into the HTML form. This CSRF protection token must be unique to each request. This prevents a forged CSRF request from being submitted because the attacker does not know the value of the token.

Set the encoding for your application (CWE-172)
For every page in your application, set the encoding using HTTP headers or meta tags within HTML. This ensures that the encoding of the page is always defined and that the browser will not have to determine the encoding on its own. Setting a consistent encoding, like UTF-8, for your application reduces the overall risk of issues like Cross-Site Scripting.

Validate uploaded files (CWE-434)
When accepting file uploads from the user, make sure to validate the size of the file, the file type, and the file contents, as well as ensuring that it is not possible to override the destination path for the file.

Use the nosniff header for uploaded content (CWE-430)
When hosting user-uploaded content which can be viewed by other users, use the X-Content-Type-Options: nosniff header so that browsers do not try to guess the data type. Sometimes the browser can be tricked into displaying the data type incorrectly (e.g. showing a GIF file as HTML). Always let the server or application determine the data type.

Validate the source of input (CWE-20)
The source of the input must be validated. For example, if input is expected from a POST request, do not accept the input variable from a GET request.

Use the X-Frame-Options header (CAPEC-103)
Use the X-Frame-Options header to prevent content from being loaded by a foreign site in a frame. This mitigates Clickjacking attacks. For older browsers that do not support this header, add framebusting JavaScript code to mitigate Clickjacking (although this method is not foolproof and can be circumvented). Example: Flash camera and mic hack (http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html)

Use Content Security Policy (CSP) or X-XSS-Protection headers (CWE-79)
Content Security Policy (CSP) and X-XSS-Protection headers help defend against many common reflected Cross-Site Scripting (XSS) attacks.
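An added example (not from the checklist or this blog) for the parameterized-query and whitelist items above, using an in-memory SQLite database built inline: the concatenated query is the "before" that returns every row for a classic tautology input, the bound-parameter version treats the same input as a literal name, and the ORDER BY helper shows the case a bind variable cannot cover (an identifier), which is handled with a whitelist instead. Table contents and column names are constructed for the demo.

```python
import sqlite3


def build_demo_db():
    """Constructed two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """The 'before': user input concatenated into the SQL text (CWE-89). Shown only for contrast."""
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Bind variable: the driver sends the value separately, so it can never change the query structure."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (table and column names) cannot be bound, so the sort column is whitelisted (CWE-159).
SORTABLE_COLUMNS = {"id", "name", "email"}


def order_users_safe(conn, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    # Safe to interpolate only because `column` is now one of our own fixed strings.
    return conn.execute(f"SELECT id, name FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    tautology = "' OR '1'='1"     # constructed input that is a valid name string but also valid SQL
    print("unsafe:", find_user_unsafe(conn, tautology))   # every row comes back
    print("safe:  ", find_user_safe(conn, tautology))     # no user is literally named that
    print("sorted:", order_users_safe(conn, "name"))
```

The second half of the checklist item, never building the parameterized query string itself from user input, is exactly what the whitelist in order_users_safe protects: binding covers values, the whitelist covers everything else.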

Access Control

Apply access control checks consistently (CWE-284)
Always apply the principle of complete mediation, forcing all requests through a common security "gatekeeper". This ensures that access control checks are triggered whether or not the user is authenticated.

Apply the principle of least privilege (CWE-272)
Make use of a Mandatory Access Control system. All access decisions will be based on the principle of least privilege. If not explicitly allowed, then access should be denied. Additionally, after an account is created, rights must be specifically added to that account to grant access to resources.

Don't use direct object references for access control checks (CWE-284)
Do not allow direct references to files or parameters that can be manipulated to grant excessive access. Access control decisions must be based on the authenticated user identity and trusted server-side information.

Don't use unvalidated forwards or redirects (CWE-601)
An unvalidated forward can allow an attacker to access private content without authentication. Unvalidated redirects allow an attacker to lure victims into visiting malicious sites. Prevent these from occurring by conducting the appropriate access control checks before sending the user to the given location.
Source: http://www.securingtheapp.org/resources/swat 
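An added example (not from the checklist or this blog) for the Access Control section: a default-deny path policy evaluated by a single gatekeeper function, and a redirect validator that only lets a "next" parameter send the user to a relative path or an allowed host, rejecting protocol-relative, backslash and non-HTTP schemes. The policy table, host list and sample targets are assumptions for the demo.

```python
from urllib.parse import urlsplit

# Assumed policy: path prefix -> roles allowed. Empty set means public. Anything unlisted is denied (CWE-272).
POLICY = {
    "/public/": set(),
    "/account/": {"user", "admin"},
    "/admin/": {"admin"},
}


def is_authorized(user_roles, path):
    """Single gatekeeper for every request (complete mediation, CWE-284). Longest matching prefix wins."""
    for prefix in sorted(POLICY, key=len, reverse=True):
        if path.startswith(prefix):
            required = POLICY[prefix]
            return not required or bool(set(user_roles) & required)
    return False   # no rule matched: deny by default


def safe_redirect_target(target, allowed_hosts, default="/"):
    """Return `target` only if it stays within the application; otherwise `default` (CWE-601)."""
    if not target:
        return default
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                      # javascript:, data:, etc.
    if parts.netloc:
        if parts.netloc.lower() not in allowed_hosts:
            return default                  # absolute URL to a foreign host, or user@host tricks
        return target
    # No host part: must be a plain absolute path. Browsers treat "//host" and "/\host" as protocol-relative.
    if target.startswith("//") or "\\" in target or not target.startswith("/"):
        return default
    return target


def forward_after_login(user_roles, requested_path):
    """Constructed login flow: the forward goes through the same gatekeeper as a direct request would."""
    if is_authorized(user_roles, requested_path):
        return requested_path
    return "/public/forbidden"


if __name__ == "__main__":
    hosts = {"app.example.com"}
    for candidate in ["/account/settings", "https://app.example.com/x", "//evil.example/x", "javascript:alert(1)"]:
        print(candidate, "->", safe_redirect_target(candidate, hosts))
    print(forward_after_login({"user"}, "/admin/users"))
```

Note that the host comparison is exact, so a target with an explicit port (app.example.com:443) is rejected unless that form is listed; list exactly the host:port combinations you serve.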


Jan 10, 2013

Rails PoC exploits for CVE-2013-0156 and CVE-2013-0155

If you want to get the full detail, please visit the Source.

Params are first parsed by ActionDispatch::Middleware::ParamsParser, which detects the MIME type of the request and parses the body appropriately. By default ParamsParser only supports parsing XML and JSON requests. After the request body is parsed, the resulting data is coerced into a HashWithIndifferentAccess, ensuring all Hash keys are Strings.
Next, ActionDispatch::Http::Parameters takes the parsed request parameters and merges them with the path parameters. Note that the path parameters are first merged into the request parameters, to ensure that the request parameters cannot override the path parameters. Also note that when a Hash is merged into a HashWithIndifferentAccess, all keys are converted to Strings and all sub-Hashes converted to Indifferent ones. This ensures that params contains no Symbol keys and cannot be passed to find_by_* methods; despite what CVE-2012-5664 claims.

Source: http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html


Jan 9, 2013

Joomla Incapsula Component <= 1.4.6_b Reflected Cross-Site Scripting Vulnerability

Vendor: Incapsula Inc.
Product web page: http://www.incapsula.com
Affected version: 1.4.6_b and below

Summary: Once installing the Incapsula for Joomla component, simply
make the provided DNS changes and within minutes your website traffic
will be seamlessly routed through Incapsula’s globally distributed
network of POPs.

Desc: The Joomla Incapsula component suffers from an XSS issue due
to a failure to properly sanitize user-supplied input to the 'token'
GET parameter in the 'Security.php' and 'Performance.php' scripts.
Attackers can exploit this weakness to execute arbitrary HTML and
script code in a user's browser session.


Vulnerable code (the 'token' parameter is echoed unencoded into the href attribute):

22: <a href="https://my.incapsula.com/billing/selectplan?token=
    <?php echo $_GET['token']; ?> target="_blank" class="IFJ_link">
    Click here</a> to upgrade your account

Fixed code (the value is HTML-encoded with htmlentities before output):

22: <a href="https://my.incapsula.com/billing/selectplan?token=
    <?php echo htmlentities($_GET['token']); ?>" target="_blank"
    class="IFJ_link">Click here</a> to upgrade your account


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2013-5121
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5121.php




Source: http://packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html
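An added example (not from the advisory, the vendor, or the SWAT checklist) that covers both the "contextual output encoding" checklist item and the pattern in this advisory: a reflected value lands inside a URL query string that itself sits inside an HTML attribute, so it needs URL encoding first and attribute encoding second. The helpers below use only the Python standard library; the billing URL is a placeholder, not the vendor's, and the hostile sample token is constructed.

```python
import html
import json
from urllib.parse import quote


def encode_html_text(value):
    """HTML body context: neutralise tag and entity characters."""
    return html.escape(value, quote=False)


def encode_html_attr(value):
    """Quoted attribute context: also neutralise both quote characters so the value cannot close the attribute."""
    return html.escape(value, quote=True)


def encode_url_param(value):
    """URL query-value context: percent-encode everything outside the unreserved set."""
    return quote(value, safe="")


def encode_js_string(value):
    """JavaScript string-literal context: JSON-encode, then escape the HTML-significant characters too,
    so the literal cannot terminate an enclosing <script> block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_upgrade_link(token):
    """Same shape as the advisory's line 22: a token from the request reflected into an href."""
    base = "https://billing.example/selectplan?token="   # placeholder URL, not the vendor's
    href = base + encode_url_param(token)                # inner context: URL query value
    return f'<a href="{encode_html_attr(href)}" target="_blank">Click here</a>'   # outer context: attribute


if __name__ == "__main__":
    hostile = '"><script>alert(1)</script>'   # constructed: would close the attribute if echoed raw
    print(render_upgrade_link("abc123"))
    print(render_upgrade_link(hostile))
    print(encode_js_string("</script>"))
```

Encoding in the order the browser decodes (URL inside attribute) is what keeps the token usable by the billing site while making it inert in the page; a single HTML-encoding pass, as in the advisory's fix, stops the attribute break-out but leaves characters such as '&' and '#' free to alter the query string.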


Jan 8, 2013

Interesting link of 1337day.com [2013-01-07]

Ettercap <= Stack Overflow Vulnerability


pfSense 2.0.1 XSS / CSRF / Remote Command Execution Vulnerabilities




Jan 7, 2013

Windows Tools For Penetration Testing

Most penetration testers use either a Mac or a Linux-based platform to perform their penetration testing activities. However, it is always good practice to also have a Windows virtual machine with some tools ready to be used for the engagement. The reason is that although Windows cannot be used as a main platform for penetration testing, some of its utilities and tools can still help us extract information from our Windows targets. So in this post we will see some of the tools that we can use on a Windows system.
HashCheck Shell Extension
The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files).
Netcat is often referred to as a “Swiss-army knife for TCP/IP”. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.
Metasploit Framework
The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
RealVNC Viewer
Remote access software for desktop and mobile platforms.
SNMP tool that allows you to collect information about SNMP devices.
Cain & Abel
Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development.
PuTTY is an SSH and telnet client for the Windows platform.
Pass The Hash Toolkit
The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services), and also to change at runtime the current username, domain name, and NTLM hashes.
Recovering Windows Password Cache Entries.
Identify unknown open ports and their associated applications.
This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares.
Burp Suite
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed.
ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer.
SQLdict is a dictionary attack tool for SQL Server.
PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.
GrabItAll performs traffic redirection by sending spoofed ARP replies. It can redirect traffic from one computer to the attacker's computer, or redirect traffic between two other computers through the attacker's computer. In the latter case you need to enable IP forwarding, which can also be done with GrabItAll.
DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1.
BrowseList retrieves the browse list. The output list contains computer names, and the roles they play in the network. For example you can see which are PDC, BDC, stand-alone servers and workstations. You can also see the system comments (which can be very interesting reading).
Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation).
Brute-force tool for Windows Management Instrumentation (WMI).
Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the server service has been disabled.
The SMB Auditing Tool is a password auditing tool for the Windows and SMB platforms. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremely fast to guess passwords on these platforms.
RPCScan v2.03 is a Windows based detection and analysis utility that can quickly and accurately identify Microsoft operating systems that are vulnerable to the multiple buffer overflow vulnerabilities released in the MS03-026 and MS03-039 bulletins.
LSASecretsDump is a small console application that extracts the LSA secrets from the Registry, decrypts them, and dumps them to the console window.
SQL Ping is a nice little command line enumerator that specifically looks for SQL servers and requires no authentication whatsoever.
The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers.
Extract password hashes from local user accounts.
The PsTools package provides a set of command line utilities that allow you to manage local and remote systems.
Incognito is a tool for manipulating Windows access tokens and is intended for use by penetration testers, security consultants and system administrators.
DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.
X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, LINUX, IBM AIX etc.
Windows password cracker.
Ophcrack is a free Windows password cracker based on rainbow tables.
SiVus is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol. It provides powerful features to assess the security and robustness of VoIP implementations.

Source: https://pentestlab.wordpress.com/2013/01/07/windows-tools-for-penetration-testing/


Tools: Automated HTTP Enumeration

Tool to enumerate the enabled HTTP methods supported on a webserver.

Currently only in the initial beta stage, but it includes basic checking of files, including the Apache server-status page as well as IIS WebDAV and Microsoft FrontPage Extensions. Many more features will be added to this tool, which will make a lot of the enumeration process quick and simple.

Source: http://www.thexero.co.uk/tools/automated-http-enumeration/
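An added example (not the tool linked above, which is a separate project) of what such an enumeration does at the protocol level, written for checking your own servers: an OPTIONS request whose Allow header is parsed into the advertised method set, a probe of a few well-known paths such as /server-status, and a local stand-in server (constructed, started on a loopback port) that advertises WebDAV methods so the run works offline. The "risky" method list and probe paths are assumptions for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that usually should not be exposed on a public web server (assumed review policy).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE"}
# Management and legacy paths worth checking for accidental exposure (assumed list).
INTERESTING_PATHS = ["/server-status", "/server-info", "/_vti_inf.html"]


def parse_allow(header_value):
    """Turn 'GET, POST, OPTIONS' into {'GET', 'POST', 'OPTIONS'}; tolerate odd spacing and case."""
    return {m.strip().upper() for m in (header_value or "").split(",") if m.strip()}


def enumerate_methods(host, port, path="/", timeout=5):
    """Send OPTIONS and return (status, set of methods the server advertises in Allow)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, parse_allow(resp.getheader("Allow"))
    finally:
        conn.close()


def probe_paths(host, port, paths=INTERESTING_PATHS, timeout=5):
    """GET each path and record the status code; 200 on a management path is the finding."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            results[path] = resp.status
        finally:
            conn.close()
    return results


def risky_methods(methods):
    return sorted(methods & RISKY_METHODS)


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a loosely configured server: WebDAV methods on, server-status reachable."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS, PUT, DELETE, PROPFIND")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        exposed = self.path == "/server-status"
        body = b"Apache Server Status\n" if exposed else b"not found\n"
        self.send_response(200 if exposed else 404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_server():
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)   # port 0: let the OS pick a free one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Run the checks against the local stand-in and return what a report would contain."""
    server = start_demo_server()
    try:
        status, methods = enumerate_methods("127.0.0.1", server.server_port)
        probes = probe_paths("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
    return status, methods, risky_methods(methods), probes


if __name__ == "__main__":
    status, methods, risky, probes = demo()
    print("OPTIONS", status, sorted(methods))
    print("risky:", risky)
    print("paths:", probes)
```

Treat the Allow header as a claim, not a fact: servers sometimes advertise methods they reject and accept methods they omit, so a thorough audit confirms each method with an actual request against a harmless path.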


Howto: Extract pix from Word file

1. Change the extension from .doc,docx to zip
2. Open it
3. Extract only picture file. 
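The same three steps done programmatically, as an added example (not part of the original post). It assumes the OOXML .docx format, which is a ZIP package with images under word/media/; a minimal archive is constructed inline so the code runs offline, including a hostile entry name to show the path check that manual extraction with an archiver would not give you.

```python
import io
import os
import tempfile
import zipfile

IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emf", ".wmf", ".tif", ".tiff"}


def build_sample_docx():
    """Constructed minimal .docx-like package: a .docx is a ZIP with parts, images under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("word/media/image2.jpg", b"\xff\xd8\xff" + b"\x00" * 16)
        zf.writestr("../escape.png", b"not an image")   # hostile entry: must never be written outside dest
    return buf.getvalue()


def _is_media_image(name):
    return name.startswith("word/media/") and os.path.splitext(name)[1].lower() in IMAGE_EXT


def list_images(docx_bytes):
    """Step 1 and 2: open the file as a ZIP and list only the picture parts."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [n for n in zf.namelist() if _is_media_image(n)]


def extract_images(docx_bytes, dest_dir):
    """Step 3: write only the pictures, flattened to their base names, and refuse any path that
    would land outside dest_dir (zip-slip guard)."""
    dest_root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not _is_media_image(name):
                continue
            target = os.path.realpath(os.path.join(dest_root, os.path.basename(name)))
            if not target.startswith(dest_root + os.sep):
                continue
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo():
    """Extract into a temporary directory and report the picture names and their sizes in bytes."""
    data = build_sample_docx()
    with tempfile.TemporaryDirectory() as tmp:
        paths = extract_images(data, tmp)
        sizes = {os.path.basename(p): os.path.getsize(p) for p in paths}
    return list_images(data), sizes


if __name__ == "__main__":
    names, sizes = demo()
    print(names)
    print(sizes)
```

Renaming to .zip is only for the benefit of a file manager; zipfile reads the package by content, so the original extension can stay. The older binary .doc format is not a ZIP container and needs a different approach.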
