Pages

Thursday, December 24, 2009

Google Sites Privacy Chaos - Is it unthical or Is this the way it has to be? A Talk!

Google sites provide services to the users for hosting their websites on Google's domain. I was going through the privacy column of this website and a stringent issue regrading content policy came in front of me. The policy is presented below:



There is an excerpt in this privacy policy of Google Sites

You may permanently delete any content you create in Google Sites. Because of the way we maintain this service, residual copies of your files and other information associated with your account may remain on our servers for three weeks.


http://www.google.com/sites/privacy.html

This is completely not true. The policy point is quite okay but considering the real time functionality this policy is not applicable. The time period for residual copies is set for three weeks , I suppose not more than a month. I personally tested the stuff six months back. I have noticed even after six months , the deleted file (a PDF file which I do not want anybody to look into) is still recoverable from the Google site , a quite unacceptable fact. According to the policy, the deleted content should not reside on Google's server for more than three weeks.
Let's see:



So there is an ambiguity in the applied policy of Google sites. Is the policy being implemented in right way?

Ofcourse , Google owns web!

Google Translate - Google User Content - File Uploading Cross - XSS and Design Stringency - A Talk



Google translate services provide an efficient way of translating content. The web is a playground for attackers and everyday new bug or flaw is detected in the web services provided by major giants. An interesting concept is to dissect the web based design of websites handling user generated content. On discussion with Google about this problem , the issues is treated as design by default.

The problem (or web bug) persists in the file uploading feature on Google translate website Malicious content such as XSS payload , Iframe, etc. gets executed and rendered into the context of the running website. On discussion with Google it was stated that:

"With JavaScript is executed on the translate.googleusercontent.com domain,rather than translate.google.com. This is by design as files uploaded to the translate service are regarded as untrusted content."

There are two features provided by Google translate service which are mentioned below
1. Translation through file uploading.
2. Direct translation of content online.



Question: Why users consider translation services as secure? What If somebody is doing some monetary transaction or some other issues like that?

The question and answer in itself is hard to answer. But one thing is sure for any critical work, the translate services should not be used.

Let's have a look at the attack point:

Step 1: Uploading a malicious content file through Google Translate service



Step 2: Executing Content



Another layout



Looking at the different domains

1. translate.google.com

Name: www3.l.google.com
Addresses: 209.85.231.102
209.85.231.100
209.85.231.101
Aliases: translate.google.com

2. translate.googleusercontent.com

Name: googlehosted.l.google.com
Address: 209.85.231.132
Aliases: translate.googleusercontent.com


Both the google.com and googleusercontent.com serves the same google search functionality. The specific user content server can be used for differential purposes because content on it is not trusted.

Looking for the different perspective.It would be great if a small message is being displayed on the Google translate service bar as mentioned below

"Google does not assure the integrity of the source of the content"

After considering this as a notification, I checked the Bing translation which already have applied this notification message. Great.




May be its not a solution but a good step in visualizing your concern about content is a better design practice.

Note: a previously reported phishing vulnerability in Google translation was patched and a check was introduced by Google on the source and destination translation languages.


Saturday, December 19, 2009

Yahoo Babelfish - Possible Frame Injection Attack - Design Stringency

Yahoo Babel-fish online is a service for translating content to different languages. The stringent design bug leads to the possibility of conducting FRAME injection attacks in the context of yahoo domain there by resulting in third-party attacks. The issues has been demonstrated in some of my recent conferences. The flaw can be summed up as:

1. There is no referrer check on the origin i.e. the source of request.
2. Direct links can be used to send requests.
2. Iframes can be loaded directly into the context of domain.

Points to ponder:
1. Yahoo login Page – perform certain checks , authorized ones.
2. Yahoo implements FRAME Bursting in the main login Page.

It is possible to remove that small piece of code and design a similar page with same elements that can be used further. It is possible to impersonate the trust of primary domain (YAHOO in this case) for legitimate attacks. There is a possibility of different attacks on YAHOO users.

Note: there is no specific notification is displayed on the top of a translated page.

Attacker can conduct a FRAME attack by following below mentioned steps

1. Remove the above stated entities code from the main Login Page.
2. Design the fake domain. Load in the context of Yahoo domain
3. Inline IFRAME provides a familiar fake Login page.
4. Set the backdoor in the Login input boxes for stealing credentials.
5. Trap the victims by diversifying the manipulated URL’s on the Web.One can use
dedicated spamming.
6. The attack is all set to work.

Step 1: Injecting IFRAME - Modified














Step 2 – Stealing Credentials















DEMONSTRATION

This attack works successfully. This is a demo setup.You can try some credentials and try to login. :)

Thursday, August 06, 2009

FTP Anonymous Services - User Enumeration and Reconnaisance


The security is termed to be as a closed asset for any organization. It has been noticed in recent times that many of the business vendor allows certain anonymous access to the services running on their server. The concern of this post is not restricted to one part but looking at the diversified impact. Apparently the issue seems small but the resultant impact is high. Anything with a default or anonymous access is potentially critical. For example:- the most common issue is FTP open access. Many of the organizations allow anonymous access without understanding the consequences that may hamper the normal functioning.

There are certain facts:

1. A vendor has to restrict the open services.
2. A vendor has to provide a standard access to the clients even for the simple download. Now days, it is not considered as an appropriate solution for providing open access to services. Even for the business perspective restricted access should be taken into consideration. Why open FTP? Why not a credential based access?
3. If the services has to be given then scrutinize the deployment strategy whether it has to be applied at internet or intranet.
4. Why not to put these services on VPN considering the business need.
5. The configuration against these deployed services. Why not to use the organization specific policy based password for FTP access. Why anonymous?
6. Open services are tactically exploited to gain information and reconnaissance.
7. These can be used to scan third party targets too.

Question: Is Security a Prime Target or Business?
Answer: Individualistic and Organizational Decision. Diversified impacts.

Let's consider a case and a risk emanating from it. For example - an organization is providing an open access to FTP services. We will be considering specific functions from security point of view:

1. Passive Mode
2. Glob() Global

"Most FTP daemon implementations provide server-side globbing functionality that performs pattern expansion on these pathnames. The actual glob() implementation is often located in the FTP daemon itself,though some FTP servers use an underlying libc implementation."

"glob - Toggle file name globbing. When file name globbing is enabled, ftp expands csh(1) metacharacters in file and directory names. These characters are *, ?, [, ], ~, {, and }. The server host expands remote file and directory names. Globbing metacharacters are always expanded for the ls and dir commands. If globbing is enabled, metacharacters are also expanded for the multiple-file commands mdelete, mdir, mget, mls, and mput."

If an FTP server provides anonymous access with a passive mode on are more vulnerable
toFTP Bounce Attacks.

Glob() function can be tested against number of buffer overflow issues. The ability of a remote or local user to deliver input patterns to glob() implementations allows
risk of exploitation once the vulnerability is exploited.

Let;s have a look at the real world scenario : Analysis of one software company. A complete thought oriented and for knowledge purposes.

Administrator@TopGun ~
$ ftp
Connected to xxxx..com.
220 xxxx. FTP services
Name (xxxx..com:Administrator): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> debug
Debugging on (debug=1).
ftp> glob
Globbing off.
ftp> glob on
Globbing on.

ftp> dir
---> PASV
227 Entering Passive Mode (216,220,63,213,73,192)
---> LIST
150 Here comes the directory listing.
-rw-rw-r-- 1 501 501 148181 Feb 07 2008 BMO and xxxx.pdf
drwxrwxr-x 2 501 501 4096 Jun 23 19:08 CVS
lrwxrwxrwx 1 501 501 33 Dec 02 2008 ReleaseNotes_xxxx5.pdf -> ../pdfs/ReleaseNotes_up.time5.p
df
lrwxrwxrwx 1 501 501 37 Dec 02 2008 ReleaseNotes_xxxx5_SP1.pdf -> ../pdfs/ReleaseNotes_up.tim

So its easy to look at the rights configured for different user groups.

Administrator@TopGun /cygdrive/c/scripts
$ perl pasvagg.pl xxxx.com
:: connected to xxxx.com
>> 220 xxxx. FTP services
:: logging into server as anonymous.
>> 331 Please specify the password.
>> 230 Login successful.
>> 227 Entering Passive Mode (216,220,63,213,89,62)
:: server ready for passive attack
:: sampling passive port selection
:: passive connection rate = 6259.7/sec
:: passive command latency = 0.4 seconds
:: starting the reaper engine

:: starting port 17200

Based on one of my designed script , lets analyze the reaped information
Administrator@TopGun /cygdrive/c/my_tools
$ perl ftp_user_reconnaisance.pl xxxx..com
ftp_user_reconnaisance.pl - ftp based system user reconnaisance
written by- 0kn0ck [at] secniche.org

(*) resolving the generic address for domain: xxxx..com
(!) 216.220.63.213

(*) detecting nameservers for the domain : xxxx..com
(!) ns4-auth.q9.com
(!) ns1-auth.q9.com
(!) ns3-auth.q9.com
(!) ns2-auth.q9.com

(*) trying anonymous access on - xxxx..com
(*) anonymous access allowed - xxxx..com
(*) uptimesoftware.com does not support TLS

(*) trying to enumerate the configured system accounts on - xxxx..com

[conn str - 0] - [temp] is not a standard system configured user
[conn str - 1] - [root] is a standard system configured user
[conn str - 2] - [bin] is a standard system configured user
[conn str - 3] - [daemon] is a standard system configured user
[conn str - 4] - [adm] is a standard system configured user
[conn str - 5] - [lp] is a standard system configured user
[conn str - 6] - [sync] is a standard system configured user
[conn str - 7] - [shutdown] is a standard system configured user
[conn str - 8] - [halt] is a standard system configured user
[conn str - 9] - [mail] is a standard system configured user
[conn str - 10] - [news] is a standard system configured user
[conn str - 11] - [uucp] is a standard system configured user
[conn str - 12] - [operator] is a standard system configured user
[conn str - 13] - [games] is a standard system configured user
[conn str - 14] - [gopher] is not a standard system configured user
[conn str - 16] - [apache] is not a standard system configured user
[conn str - 17] - [named] is not a standard system configured user
[conn str - 18] - [amanda] is not a standard system configured user
[conn str - 19] - [indent] is not a standard system configured user
[conn str - 20] - [rpc] is not a standard system configured user
[conn str - 21] - [wnn] is not a standard system configured user
[conn str - 22] - [xfs] is not a standard system configured user
[conn str - 23] - [pvm] is not a standard system configured user
[conn str - 24] - [ldap] is not a standard system configured user
[conn str - 25] - [mysql] is not a standard system configured user
[conn str - 26] - [rpcuser] is not a standard system configured user
[conn str - 27] - [nsf] is not a standard system configured user
[conn str - 28] - [nobody] is a standard system configured user
[conn str - 29] - [junkbust] is not a standard system configured user
[conn str - 30] - [gdm] is not a standard system configured user
[conn str - 31] - [squid] is not a standard system configured user
[conn str - 32] - [nscd] is not a standard system configured user
[conn str - 33] - [rpm] is not a standard system configured user
[conn str - 34] - [mailman] is not a standard system configured user
[conn str - 35] - [radvd] is not a standard system configured user
(*) command completed successfully


The only point in presenting these facts with an example is to show the risks posed
and the impact on security.

At last : Why not a mature business with hardened security?

Monday, May 11, 2009

Gmail/Google Doc PDF Repurposing Integrated Attacks - Cookie Hijacking / Stealing





Google docs network was vulnerable to PDF repurposing attacks. The vulnerability was disclosed to Google responsibly. This was done to mitigate the risk. Google had worked over it and patched it with in a period of 5 days.

The Google doc has been refined now and the integrated support for adobe plugin is removed. The user security was the prime issue because millions of user were at risk if this attack persisted in the open environment. Integrated accounts were more susceptible as certain stolen credentials could be used to access accounts.

The advisory is released here:
http://secniche.org/gmd_hijack/gc_hijack.xhtml
http://secniche.org/gmd_hijack/advisory_gmail_google_docs_pdf_repurposing_attack.pdf

Enjoy !

Saturday, May 02, 2009

Troopers 09 Security Conference

The troopers security conference is the one of the finest conference I have been to. Its very nice to have such conference in the heart of Germany. a great technical content and nice crew to discuss things and hang around :). I gave a talk on "Browser Design Flaws". There were some good talks around rootkits , malware for business purposes and web application firewall stuff. All talks were good and it was a great learning environment. Visit :Troopers09

Personally I liked the Packet Wars Hacking Competition by Bryan. It was nicely organized. You can look at the stuff at : Packet Wars Good hacking games to enjoy.

If you miss the fun you can have a look at the snaps here : Troopers09 fun

Regards

Thursday, March 12, 2009

Evading Web XSS Filters through Word (Microsoft Office and Open Office) in Enterprise Web Applications

This paper sheds light on the hyper linking issues observed during penetration testing of web based enterprise applications. This concept can be used to bypass standard XSS filters by creating a malicious Microsoft word document.

Download the Paper at : HERE

Enjoy !