Saturday, April 30, 2011
Tuesday, March 22, 2011
Google Chrome - Security Issues Reported So Far
I have enumerated the list of Google Chrome bugs given to Chrome security team.
Issue 2632:Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos
Issue 2877:Google Chrome Window Object Suppressing Denial of Service
Issue 4739: Google Chrome MetaCharacter URI Obfuscation Vulnerability
Issue 5978: Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability
Issue 7099: Google Chrome 1.0.154.43 ClickJacking Vulnerability
Issue 11158: Google Chrome document.write/throw exception DOM causes NULL ptr DoS
Issue 30972: Google Chrome XSS through MS Word Script Execution Object
Issue 53096: Google Chrome: HTTP AUTH Dialog Spoofing through Realm
Issue 75937: Google Chrome 10.0.648.133 XSS Filter Bypass
Issue 2632:Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos
Issue 2877:Google Chrome Window Object Suppressing Denial of Service
Issue 4739: Google Chrome MetaCharacter URI Obfuscation Vulnerability
Issue 5978: Google Chrome FTP PASV IP Malicious Port Scanning Vulnerability
Issue 7099: Google Chrome 1.0.154.43 ClickJacking Vulnerability
Issue 11158: Google Chrome document.write/throw exception DOM causes NULL ptr DoS
Issue 30972: Google Chrome XSS through MS Word Script Execution Object
Issue 53096: Google Chrome: HTTP AUTH Dialog Spoofing through Realm
Issue 75937: Google Chrome 10.0.648.133 XSS Filter Bypass
Monday, November 15, 2010
Responsible Disclosure - Oracle.com Redirection Vulnerability Video
The issue was reported to Oracle and was patched. This video simply shows the vulnerability.
Wednesday, November 10, 2010
ISSA Journal - JavaScript Infection Model
Check out my paper on JavaScript Infection Model published in November issue of ISSA journal.
https://www.issa.org/Members/Journal/
HackInThe Box EZine - DataCenter Hacking Paper / My Interview
Check out my interview and our paper on data-center hacking through helpdesk support systems.
http://magazine.hitb.org/issues/HITB-Ezine-Issue-004.pdf
Monday, August 23, 2010
User Interface Security - Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation
Google Chrome ( 5.0.375.127 and previous versions) suffers from HTTP Auth Dialog spoofing vulnerability due to possible realm manipulation in the HTTP header. Previously, Google chrome has got a similar bug which can be seen HERE
This bug was actually patched. The issue mentioned in this bug was dialog spoofing due to long sub domain names. The patch worked only for that specific case which was outlined in that bug. There are number of tests have been conducted on Google Chrome
which verifies the inefficiency of Google Chrome to scrutinize the type of realm value set in the header. It can be tampered with double quotes and single quotes used in a definite manner.
Another related scenario: HERE
Note: Different variants have shown that these issues are still open and not patched yet.
As mentioned in RFC 2617: "The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge.The realm value (case-sensitive), in combination with the canonical root URL (the absolute URI for the server whose abs_path is empty;of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database.//The realm value is a string,generally assigned by the origin server, which may have additional semantics specific to the authentication scheme. Note that there may be multiple challenges with the same auth-scheme but different realm/s"
So, realm value plays critical role in determining the framework of HTTP Access authentication for a particular resource. It has been analyzed that it is possible to spoof the HTTP Auth dialog by playing around realm values. This attack scenario
can be used to launch phishing attacks and stealing sensitive information from the legitimate websites.
As it has been released before, Google Chrome fails to sanitize the obfuscated URL and redirect it to the different domain. This potential flaw can be combined with the HTTP Auth dialog spoofing to launch attacks against legitimate websites. Looking at this particular point of time, certain solutions can be presented as
1. A new model of HTTP authentication dialog which shows the clarity between realm value and domain.
2. Setting a limit on size of strings to be passed as Realm value. This should not be applied on the string size of domain name.
3. Application of appropriate parameters in scrutinizing the strings passed in double quotes and single quotes.
Further: Tim from Vsecurity notifies about similar work related to HTTP Authentication. A very good paper has been presented HERE which covers lot of issues of HTTP authentication
The video is embedded below
Monday, August 09, 2010
Debugged MZ/PE - Holistic Approach to Analysis of Defective Threads
Abstract: Threads are considered as second level structures used in the process execution. As per semantics, threads run as dynamic entities under processes. Whenever a new process is created in a system a number of threads are initialized. To understand the real cause of infection in processes, one has to traverse along the working procedure of a thread.
Online : http://debuggingexpert.dumpanalysis.org/Debugged_March_2010.htm
The hard cover will be release at Amazon : HERE
Sunday, July 11, 2010
HITB Magazine: MS Office Infection Paper
A new paper has been released in the HITB magazine about infection styles in MS Office files. It projects a pattern of infection used by chinese malware.
Fetch:http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-003.pdf
Wednesday, May 05, 2010
Credentials Verification- Security Emails Phishing and Trust Manipulation
Phishing attacks based on trust exploitation are on rise. Banks are facing tremendous complexities and security issues due to these type of attacks. The primary focus of this sort of attack is to trick user’s sense of understanding and
segregating the trust to perform operations of attacker's choice. The case studies discussed in this article sheds light on phishing attacks that exploit users' trust with the third-party. Credit card forgeries are quite common considering the bank phishing frauds. The primary artifact of the attackers is to play with the user trust and to manipulate user thinking process by raising a complexity through spams. The user inability to distinguish between the trusted website and attacker controlled website, which is a replica of the original website, results in forged transactions.
Recently HSBC, Paypal security phishing emails are used to steal the credentials of users. The phished email carry online form as an attachment which looks similar to the original HSBC bank forms for updating the credentials of the user.
Case 1 - Paypal Verification Credentials Theft
The email is sent by phisher on the behalf of Paypal verification group for re-verifying your credentials. The email looks like as
During analysis the attachment is downloaded in a restrictive environment to scrutinize against malware, infection handlers etc.
Luckily the form page does not contain malware but the form is posted to a attacker controlled domain (http://probe.201w.com/verification.php) for verification as:
On further analyzing the domain, we came across the fact that some of the users have fallen into this trap as:
The users inability to distinguish between the trust boundaries lead to compromises and information stealing.
Case 2: HSBC Verification Credentials Stealing
We performed simple analysis in controlled environment. The form looked like as
The form itself does not contain any sort of malware but the form is posted to the malicious domain (http://www.thebluzmen.com/verify.php) for verification as
A normal user should be aware of the artifacts used by the phishers to betray the trust.
segregating the trust to perform operations of attacker's choice. The case studies discussed in this article sheds light on phishing attacks that exploit users' trust with the third-party. Credit card forgeries are quite common considering the bank phishing frauds. The primary artifact of the attackers is to play with the user trust and to manipulate user thinking process by raising a complexity through spams. The user inability to distinguish between the trusted website and attacker controlled website, which is a replica of the original website, results in forged transactions.
Recently HSBC, Paypal security phishing emails are used to steal the credentials of users. The phished email carry online form as an attachment which looks similar to the original HSBC bank forms for updating the credentials of the user.
Case 1 - Paypal Verification Credentials Theft
The email is sent by phisher on the behalf of Paypal verification group for re-verifying your credentials. The email looks like as
During analysis the attachment is downloaded in a restrictive environment to scrutinize against malware, infection handlers etc.
Luckily the form page does not contain malware but the form is posted to a attacker controlled domain (http://probe.201w.com/verification.php) for verification as:
On further analyzing the domain, we came across the fact that some of the users have fallen into this trap as:
The users inability to distinguish between the trust boundaries lead to compromises and information stealing.
Case 2: HSBC Verification Credentials Stealing
We performed simple analysis in controlled environment. The form looked like as
The form itself does not contain any sort of malware but the form is posted to the malicious domain (http://www.thebluzmen.com/verify.php) for verification as
A normal user should be aware of the artifacts used by the phishers to betray the trust.
