Optimized Derivative of Complex Security.

Elsevier - Is Your System Pwned

Elsevier has published a new article, "Is Your System Pwned".

Article Overview:
"What is the relationship between humans, technology, and fraud? They are all linked together in a triangle. Most monetary transactions today are carried out using digital technologies, most frauds are monetary, and all frauds are perpetuated by people. As fraud prevention experts, we try to break the triangle – to ensure that people don’t interact with technology to create fraudulent situations."

Link to Journal

Regards

Posted on 6/11/2009 06:23:00 AM by 0kn0ck | 0 Comments

Gmail/Google Doc PDF Repurposing Integrated Attacks - Cookie Hijacking / Stealing





The Google Docs network was vulnerable to PDF repurposing attacks. The vulnerability was disclosed to Google privately in order to limit the risk. Google worked on it and patched it within a period of 5 days.

Google Docs has now been refined and the integrated support for the Adobe plugin has been removed. User security was the prime concern, because millions of users were at risk had this attack persisted in the open. Integrated accounts were more susceptible, since certain stolen credentials could be used to access accounts.

The advisory is released here:
http://secniche.org/gmd_hijack/gc_hijack.xhtml
http://secniche.org/gmd_hijack/advisory_gmail_google_docs_pdf_repurposing_attack.pdf

Regards

Posted on 5/11/2009 07:11:00 AM by 0kn0ck | 0 Comments

Troopers 09 Security Conference

The Troopers security conference is one of the finest conferences I have been to. It's very nice to have such a conference in the heart of Germany: great technical content and a nice crew to discuss things and hang around with :). I gave a talk on "Browser Design Flaws". There were some good talks around rootkits, malware for business purposes and web application firewall stuff. All talks were good and it was a great learning environment. Visit: Troopers09

Personally I liked the Packet Wars hacking competition by Bryan. It was nicely organized. You can look at the stuff at: Packet Wars. Good hacking games to enjoy.

If you missed the fun you can have a look at the snaps here: Troopers09 fun

Regards

Posted on 5/02/2009 08:23:00 AM by 0kn0ck | 0 Comments

Google Chrome Alert Single Thread Out of Bound Denial of Service Vulnerability


The vulnerability reported to Google has not been properly understood, and more discussion is required on it. The vulnerability link is provided below:

http://secniche.org/gcalrt.html

The denial of service condition is reliably reproducible with the reported version.

When this vulnerability is triggered, the following behavior is observed:

1. The browser enters a locked state and becomes unresponsive; the user cannot perform any operation.
2. It is not restricted to a single tab but affects all open windows.
3. Killing the process is the only remaining option.

This works reliably on the Windows XP platform.

Note: the new version of Google Chrome is also vulnerable.

All views are welcome for discussion.

Posted on 4/11/2009 01:56:00 AM by 0kn0ck | 0 Comments

Browsers Behavior : Handling Carriage Return "window.open('\r\n\r\n');" JavaScript Calls


Carriage return and null characters are considered potential elements for testing the behavior of various programs, and this applies to browsers too. The resulting output differs markedly from the normal behavior that browsers should show. The Carriage Return (CR) encompasses the Line Feed and New Line characters as a basic part. As the standard definition puts it:

"carriage return character, alone or with a line feed, to signal the end of a line of text, but other characters are also used for this function (see newline); others use it only for a paragraph break (a hard return)"


Based on this fact, a number of tests have been conducted on different browsers. These characters are passed as an argument to the javascript:window.open() function to observe the behavior of the new window. They can be used as one of the fuzzed inputs for testing browser dependencies. Based on this artifact, a Google Chrome advisory was released. The links are given below:

http://www.securityfocus.com/bid/31375

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23189

http://osvdb.org/show/osvdb/48680

http://www.secniche.org/gcrds.html

That was the vulnerability noticed in Google Chrome, and it was patched by the vendor. The behavior consistently observed with different browsers is:

1. Mozilla Firefox opens a bundle of windows in a single stretch.
2. Google Chrome also opens a number of windows.

Note: we are not considering loops here, only the carriage return character. Some stability has been added because the presence of pop-up blockers stops the execution of these child windows.

We have noticed these differing responses from a number of browsers. I think the CR is a good element to be used for fuzzing. Browser behavior is hard to control, considering the issue presented above.

Regards

Posted on 3/31/2009 09:51:00 PM by 0kn0ck | 0 Comments

Internet Explorer 8 - Anti Spoofing is a Myth

With the new features implemented in IE 8, the status bar has been transformed too. The new step taken by the Microsoft IE team, not showing the address of a selected link in the status bar, can have a serious impact: a user will not be able to see the active link in the status bar. This looks like an implementation of a security solution through obscurity. The status bar is required for the link integrity check that assures a user about the legitimacy of a website. We are not considering the ingrained status bar address spoofing vulnerabilities in browsers at this point in time.

For more details:- http://secniche.org/ie_spoof_myth/

Regards
0kn0ck

Posted on 3/25/2009 11:39:00 AM by 0kn0ck | 0 Comments

Elsevier - NESE Journal - From Vulnerability to Patch

Elsevier has published a new thought article, "From Vulnerability to Patch", in the Network Security journal.

http://www.elsevierscitech.com/nl/ns/home.asp

As usual, this journal is not freely available; you need to subscribe to it.

Regards
0kn0ck

Posted on 3/14/2009 06:37:00 AM by 0kn0ck | 0 Comments

Evading Web XSS Filters through Word (Microsoft Office and Open Office) in Enterprise Web Applications


This paper sheds light on the hyperlinking issues observed during penetration testing of web-based enterprise applications. The concept can be used to bypass standard XSS filters by creating a malicious Microsoft Word document.

Download the paper: HERE

Regards
0kn0ck

Posted on 3/12/2009 03:36:00 AM by 0kn0ck | 0 Comments

Mapping HTTP Interface Embedded Devices

Hakin9 has published a new paper. It discusses a generic approach to detecting the HTTP interfaces of embedded devices. These devices perform a number of different functions depending on the infrastructure's needs.

Check

Regards
0kn0ck

Posted on 2/28/2009 09:50:00 AM by 0kn0ck | 0 Comments

Informer - Hacking for Charity

It is a matter of immense pleasure that researchers all over the world are collaborating for the cause of charity. Be a part of it. It is a very good initiative by Johnny Long. We appreciate his concern and Secniche will be a full part of it.

This is a sincere request to all talent around the world to play their part in it.

About Informer:
"The Informer is a fund raising effort run by Hackers For Charity. It is designed to give subscribers a "backstage pass" to the world of Information Security."

Informer - Why?

Hackers for Charity

Get on the same boat for a great cause.

Regards
0kn0ck

Posted on 2/28/2009 09:35:00 AM by 0kn0ck | 0 Comments

Obfuscated HTTP Method Call based Fingerprinting Analysis

Fingerprinting of web servers can be done in different ways. It has been noticed that HTTP methods are not interpreted appropriately by a number of web servers. This can be seen while fuzzing web servers (if the particular HTTP method is included). With the advent of new scripting languages, a number of different web servers are in the race. Let's first look at some of the web servers in use nowadays. The list is given below:

[Zope Web Server]
Zope is an open source application server for building content management systems, intranets, portals, and custom applications. The Zope community consists of hundreds of companies and thousands of developers all over the world, working on building the platform and Zope applications. Zope is written in Python, a highly-productive, object-oriented scripting language.

[Mongrel Web Server]
Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby
web applications of any kind using plain HTTP rather than FastCGI or SCGI.

[Jetty]
Jetty is an open-source, standards-based, full-featured web server implemented entirely in Java.

These are some of the web servers used extensively in open source development. IIS and Apache (in different variants) are always in the picture.

The point that needs to be scrutinized is the acceptance of requests by the web server and the ability of open source web servers to understand the HTTP method properly. IIS and Apache are efficient in handling rogue requests, but other web servers fail to exhibit this kind of behavior (interpreting HTTP requests correctly).

This analysis rests on the following basic points:

1. Effectiveness and pervasiveness of web servers in interpreting the HTTP method call.
2. The type of response sent by the server.
3. The type of exceptions that occur.

There are a number of tools that fingerprint web servers. There is no doubt that 70% of the web servers deployed globally can be identified by fetching banners. But our aim is to perform fingerprinting with minimum information. That's where fuzzing becomes really critical. We have critically examined the behavior of the entities below and their collective use to fingerprint web servers.

1. Rogue HTTP method call invocation.
2. Long string of /\/\/\/\/\/\/\/\ expression.

We have used the backslash character. According to regular expression and pattern matching theory, the backslash character can be used for the following purposes:

1) stand for itself,
2) quote the next character,
3) introduce an operator,
4) do nothing.

It depends a lot on the context in which the backslash character is used. We will look at the behavior of a number of web servers when a specific request is sent.

$ nc www.example.com 80
JAG /\/\/\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 13:48:37 GMT
Server: Mongrel 1.1.3
Status: 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 708
Set-Cookie: _session_id=5537174372e814e02fee588aa67c4a2a; path=/
Connection: close


It responds as HTTP/1.1 with 404 Not Found (the server has not found anything matching the given URI). That's right. Another point that should not be neglected with Mongrel web servers is that it adds a Status header to the response. This behavior is shown only by the Mongrel web server. On the other hand, the server does not point out the HTTP method used for the call invocation.

$ nc example.org 80
JAG /\/\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 405 Method Not Allowed
Date: Tue, 24 Feb 2009 13:53:29 GMT
Server: Jetty/5.1.14 (SunOS/5.10 x86 java/1.6.0_03
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=4537fb13-e021-4cdb-bb50-4e3a8bfbb6fa;Path=/;Domain=.z1014
ba.ningops.com;Expires=Fri, 22-Feb-19 13:53:29 GMT
X-XN-Trace-Token: 8702916f-3dbd-4d51-978c-06abbe2adf73
Allow: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS, TRACE
Content-Type: text/html
Content-Length: 1246
Connection: close


The Jetty web server responds with 405 (the client has tried to use a request method that the server does not allow; the method specified in the Request-Line is not allowed for the resource identified by the Request-URI, and the response MUST include an Allow header containing a list of valid methods for the requested resource). As Jetty is written in Java, the HTTP methods that are allowed to execute are configured most of the time.

For the Zope server we will consider the two cases structured below.

$ nc example.com 80
JAG /\ HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 24 Feb 2009 14:11:37 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Content-Length: 59
Content-Type: text/plain; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close
webdav.NullResource.NullResource object at 0x2aaaacda0b18


The server responds with the 200 OK response code (the request is fulfilled). There is a null pointer exception at the end too. Let's look at a different layout:

$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 14:03:42 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Bobo-Exception-Line: 66
Content-Length: 1403
Bobo-Exception-Value: See the server error log for details
Bobo-Exception-File: NullResource.py
Bobo-Exception-Type: NotFound
Content-Type: text/html; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close


We are not considering the exceptions here. You can see the server responds with 404 (this status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable). The response differs with string manipulation: either the ambiguity is there or the code does not handle the request effectively.

Let's try this behavior with Microsoft IIS and Apache:

$ nc microsoft.com 80
JAG /\/\/\/\/\/\/\ HTTP/1.0


HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo C
NT COM INT NAV ONL PHY PRE PUR UNI'
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 24 Feb 2009 14:06:06 GMT
Connection: close

The response code is 501 (the server does not support the functionality required to fulfill the request; this is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource). This is exactly as the desired logic would dictate.

$ nc apache.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 501 Method Not Implemented
Date: Tue, 24 Feb 2009 14:50:58 GMT
Server: Apache/2.2.9 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1


The same result, 501, is returned by Apache. The differing pattern is given below:

IIS Server Response String -- HTTP/1.1 501 Not Implemented
Apache Server Response String -- HTTP/1.1 501 Method Not Implemented

The word "Method" is not present in the IIS response. This is a generic behavior.

The most widely used web servers implement the HTTP method invocation check, which is missing in other web servers. Two questions arise:

1. Does the web server implement a check on HTTP method call invocation?
2. Are web servers processing requests based on the URI only?

This all depends on how the web server is developed. Let's try this logic on proxies:

$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.0 400 Bad Request
Server: squid/2.7.STABLE6
Date: Tue, 24 Feb 2009 14:00:52 GMT
Content-Type: text/html
Content-Length: 1207
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from cache5.zmh.zope.net
Via: 1.0 cache5.zmh.zope.net:8300 (squid/2.7.STABLE6)
Connection: close

The proxy server responds with 400 Bad Request, keeping the same HTTP/1.0. The proxy intercepts and scrutinizes the HTTP method and URI of the request at the perimeter level.

The behavior is again different compared to web servers. This analysis lays stress on the HTTP method call check, which is required to narrow down the fingerprinting process based on this factor.

If all web servers responded with the 501 code, it could be considered a unanimous behavior among different web servers.
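To make the comparison above repeatable, here is an added example (not code from the original post) that parses a raw HTTP response and reports the same signals the post walks through: the status code as a verdict on whether the server checked the method at all, plus the Allow header, Mongrel's extra Status header, Zope's Bobo-Exception-* headers and the IIS/Apache reason-phrase difference. The SAMPLES are constructed from the captured exchanges above, trimmed to the relevant headers; probe() sends the same rogue request the post sends with nc, so an operator can check how their own servers and proxies answer.

```python
"""Classify a web server's answer to an unknown HTTP method (added example)."""
import socket
from typing import Dict, List

# Responses constructed from the captured exchanges in the post, trimmed to
# the headers that matter for the comparison.
SAMPLES: Dict[str, str] = {
    "mongrel": ("HTTP/1.1 404 Not Found\r\nServer: Mongrel 1.1.3\r\n"
                "Status: 404 Not Found\r\nConnection: close\r\n\r\n<html>..."),
    "jetty": ("HTTP/1.1 405 Method Not Allowed\r\nServer: Jetty/5.1.14\r\n"
              "Allow: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS, TRACE\r\n\r\n"),
    "zope": ("HTTP/1.1 200 OK\r\nServer: Zope/(Zope 2.9.6-final, python 2.4.4, linux2)"
             " ZServer/1.1\r\nContent-Type: text/plain\r\n\r\n"
             "webdav.NullResource.NullResource object at 0x2aaaacda0b18"),
    "iis": "HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\nServer: Microsoft-IIS/6.0\r\n\r\n",
    "apache": ("HTTP/1.1 501 Method Not Implemented\r\nServer: Apache/2.2.9 (Unix)\r\n"
               "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n"),
    "squid": ("HTTP/1.0 400 Bad Request\r\nServer: squid/2.7.STABLE6\r\n"
              "X-Squid-Error: ERR_INVALID_REQ 0\r\n\r\n"),
}


def parse_response(raw: str) -> Dict[str, object]:
    """Split a raw response into status-line fields and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    version, code, reason = status.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "code": int(code), "reason": reason, "headers": headers}


def analyze(raw: str) -> Dict[str, object]:
    """Return the method-handling verdict plus the fingerprint hints the post discusses."""
    resp = parse_response(raw)
    code, headers = resp["code"], resp["headers"]
    if code == 501:
        verdict = "rejects unknown method"               # IIS and Apache
    elif code == 405:
        verdict = "rejects unknown method for resource"  # Jetty, with Allow
    elif code == 400:
        verdict = "rejected at perimeter"                # proxy checked the request line
    else:
        verdict = "method ignored, URI resolved"         # Mongrel 404, Zope 200/404
    hints: List[str] = []
    if "allow" in headers:
        hints.append("Allow: " + headers["allow"])
    if "status" in headers:
        hints.append("redundant Status header")          # Mongrel-only behaviour per the post
    if any(h.startswith("bobo-exception-") for h in headers):
        hints.append("Bobo-Exception-* headers")         # Zope/ZServer exception leak
    if code == 501:
        hints.append("reason phrase: " + str(resp["reason"]))  # IIS vs Apache wording
    return {"server": headers.get("server", "?"), "code": code, "verdict": verdict, "hints": hints}


def probe(host: str, port: int = 80, method: str = "JAG", path: str = "/\\/\\/\\/\\") -> str:
    """Send the same rogue request the post sends with nc and return the raw reply."""
    request = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("iso-8859-1")


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, analyze(sample))
```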

Regards
0kn0ck

Posted on 2/24/2009 05:23:00 AM by 0kn0ck | 0 Comments

More Towards Clickjacking - Simulating Positive Trends



Clickjacking. You will find a number of definitions of this attack. In generalized terms, it is a kind of attack that not only simulates MOUSE EVENTS while performing malicious operations but also hijacks user interface components displayed by a specific site.

Usually the aim is to trap the handling of hidden events when the mouse is clicked over a user interface component such as a button. I am considering all types of web-based variants that can be triggered through browsers. The point of this discussion of clickjacking is to scrutinize the behavior of user interfaces (buttons). The events can be generated dynamically or manually. When a user interface element is clicked, a hidden event is executed in the background.

A simple POC was recently released based on this concept. The proof of concept revolves around the activation of a code block (div) through a generic mouse event that binds to a hidden structure built with div tags. We are not actually sticking to the general JavaScript call, i.e. location.href. It is used as one part, but what is more interesting is the pure use of a hidden event triggered through a mouse click. The proof of concept clearly shows that. The clickjacking POC is a very simple variant that just shows the browser's request handling. More devastating actions can be performed where user authentication is required.

Well, it is quite view-specific here. The major trend revolves around:

1. Execution of hidden frames by triggering the mouse interface on components (buttons).
2. Mouse coordinates also play a critical role in matching positions.

The coordinates function:

function clickjack_armor(evt)
{
    // Fall back to clientX/clientY for browsers that do not expose pageX/pageY
    clickjack_mouseX = evt.pageX ? evt.pageX : evt.clientX;
    clickjack_mouseY = evt.pageY ? evt.pageY : evt.clientY;
    // Move the hidden div under the pointer; CSS lengths need a unit or the assignment is ignored
    document.getElementById('mydiv').style.left = (clickjack_mouseX - 1) + 'px';
    document.getElementById('mydiv').style.top = (clickjack_mouseY - 1) + 'px';
}

When we talk about hidden, we use DIV tags or other manually drafted code to generate hidden frames.

3. The victim has to be trapped.

If we consider this definition of clickjacking:
"A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page"

Clickjacking is based on a similar principle: convincing the end user to provide information that does not seem to have any value to the user, but which factually has power over the user's assets or identity if applied in a particular context.

Again, I think the real issue behind clickjacking has clearly been on the cards. I sincerely feel that SecTheory has given a clear explanation here: ClickJacking Paper.

The rest is a browser issue, and the events can be triggered in a number of ways. Browser interaction with users is always at the verge of exploitation. So this is a threat and we have to collaborate in working against it.

Security is a prime motive, so let's be driven by it.

Cheers

Posted on 2/01/2009 04:32:00 AM by 0kn0ck | 0 Comments

BCS Article - Scrutinizing Business Logic

The British Computer Society has published a new article on business logic written by Secniche. The article revolves around the following:

The vulnerability pattern is shifting more towards the application level, and attackers are concentrating more on exploiting web applications rather than system-level insecurities. High-end attacks used to start with XSS and SQL injection, but the paradigm has shifted more towards business logic flaws.

For detailed article:

http://www.bcs.org/server.php?show=ConWebDoc.24009&changeNav=8265

Regards
0kn0ck

Posted on 1/22/2009 01:13:00 AM by 0kn0ck | 0 Comments

Hakin9 Issue Jan-Feb 2009 - New Paper Published

The new paper "Hacking IM Encryption Flaws" has been published in the Hakin9 issue. This paper sheds light on encryption problems in the primary memory of Instant Messaging clients which lead to hacking. IM clients are used extensively all over the world to exchange messages between different parties.

For more details: http://hakin9.org/prt/view/about-the-mag/issue/959.html

Regards
0kn0ck

Posted on 1/22/2009 01:06:00 AM by 0kn0ck | 0 Comments

Clubhack 2008 Security Conference

Secniche Security presented on client side hacking at the ClubHack 2008 security conference. You can find all the info at:

http://www.clubhack.com

0kn0ck

Posted on 12/11/2008 01:59:00 AM by 0kn0ck | 1 Comments

XCON and XKUNGfoo Security Conferences

Hi

Secniche Security has presented two talks at China's foremost hacking and security conferences. XCON is the prime conference organized by the XFOCUS group. This year there were very good talks which enlightened the crowd with new security techniques.

The XCON talk has been put online at http://www.secniche.org/events.html

The XKungfoo talk has not been released for certain reasons.

XCON : http://xcon.xfocus.org
Xkungfoo : http://www.xkungfoo.org

Enjoy

0kn0ck

Posted on 12/11/2008 01:53:00 AM by 0kn0ck | 0 Comments

WindowSecrets.com - Improve Security by Running Applications in Isolation

The Windows Secrets portal has published a new article, "Improve Security by Running Applications in Isolation". The article describes the benefits of running applications in isolation. The released Mozilla vulnerability is taken as one specific browser issue in it.

Read the paper at: READ

Regards
0kn0ck

Posted on 10/13/2008 04:04:00 AM by 0kn0ck | 0 Comments

Google Chrome Memory Exhaustion Bug


A new Google Chrome memory exhaustion bug has been released at SecNiche Security. Find the details here:

http://secniche.org/gcrds.html

Additional Links and News:

http://blogs.zdnet.com/security/?p=1975
http://www.chromeplugins.org/chrome/chrome-memory-exaustion-dos-vulnerability/
http://milw0rm.com/exploits/6554
http://www.heise.de/security/DoS-Schwachstelle-bringt-Googles-Chrome-zu-Fall--/news/meldung/116526

and so on.

Regards
0kn0ck

Posted on 9/27/2008 10:11:00 AM by 0kn0ck | 0 Comments

Hakin9 Release - Auditing Rich Internet Applications - Testing RIA Strategically


This research deals with insecurities in the design of FLEX-based applications from a developer's perspective. An application's behavior depends on the code written at the backend, and it has been noticed that most of an application's flaws are the outcome of insecure or bad code.

http://hakin9.org/prt/view/about-the-mag/issue/893.html

Regards
0kn0ck

Posted on 9/10/2008 01:57:00 AM by 0kn0ck | 0 Comments

Hackonic - The Hacker Way of Writing

This project is dedicated to the hacker way of writing. The aim is to present the creative thinking of hackers over a social layout. Art resides everywhere, so it is our duty to craft it and present it in front of the community.

Hackonic - Leveraging the Hidden thinking process.

HACKONIC

Regards
0kn0ck

Posted on 8/23/2008 03:12:00 AM by 0kn0ck | 0 Comments