<span style="font-weight: bold;">(B)(F)uzzing on my world</span><br />Computer security researching: WebApps and browsers vulnerabilities, exploits, my stuff...<br />José A. Vázquez<br /><br /><span style="font-weight: bold;">MS13-069/CVE-2013-3845: Microsoft Internet Explorer (CTreePos) use-after-free vulnerability</span> (2013-10-28)<br /><br />As I promised, although not as quickly as I would have liked, I have finally found a few days to prepare the material on one of my latest cases, <b>CVE-2013-3845</b>, or rather to make it halfway presentable.<br />
<br />
I think this must be something we researchers hate: preparing material to post, documentation, etc. Anything that takes you away from debugging feels like wasted time :-)<br />
<br />
Well, I don't want to go on too long, because the material is already ready and this won't be its home:<br />
<br />
<ul>
<li>Paper in Spanish: <a href="http://research.yenteasy.com/releases/CVE-2013-3845/unzip/CVE-2013-3845.pdf">Here</a>.</li>
<li>Proof of concept with EIP control: <a href="http://research.yenteasy.com/releases/CVE-2013-3845/unzip/poc.html.txt">Here</a>.</li>
<li>Exploit with DEP disabled: <a href="http://research.yenteasy.com/releases/CVE-2013-3845/unzip/exploit_no_dep.html.txt">Here</a>.</li>
<li>Exploit with DEP enabled: <a href="http://research.yenteasy.com/releases/CVE-2013-3845/unzip/exploit.html.txt">Here</a>.</li>
<li>Metasploit module: <a href="http://research.yenteasy.com/releases/CVE-2013-3845/unzip/ms13-069_ie_ctreepos.rb.txt">Here</a>.</li>
<li>All of this information compressed (password: ysr-2013-3845): <a href="http://research.yenteasy.com/releases/CVE-2013-3845/zip/CVE-2013-3845.zip">Here</a>.</li>
</ul>
<div>
Regards!</div>
José A. Vázquez<br /><br /><span style="font-weight: bold;">Long time...</span> (2013-09-26)<br /><br /><div style="text-align: justify;">
It has been a long time since my last post. I could say that I have been very busy or overloaded, the typical excuse (even if true) that I haven't had time for anything, etc. But really, the main reason I think I stopped writing on the blog has been the start of my adventure as an entrepreneur in the vulnerability world: <a href="http://research.yenteasy.com/">research.yenteasy.com</a>. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I started the blog when I was still a "nini" (neither studying nor working), or rather an unemployed guy with no prospects, as unfortunately happens to so many people these days. My aim was to publicize the vulnerabilities I was involved with at the time, since at first I didn't make a living from this; I only did it to learn and improve. And also to gather all the material online so that, having a memory like a goldfish, I could remember what I had done and what I hadn't.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Since my website now takes care of that compilation (by the way, don't expect constant updates there either: I do it every 6 months and move on), the blog has been left far too idle. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
However, I hope that the most interesting cases I find that are not subject to NDAs (non-disclosure agreements) can be released soon, like some of those fixed recently.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Greetings to the few readers I have left :-)</div>
<div style="text-align: justify;">
<br /></div>
<br />José A. Vázquez<br /><br /><span style="font-weight: bold;">:::SPAS3C-SV-006:::OPERA BROWSER 10/11/12 (0-DAY) EXPLOIT</span> (2011-10-10)<br /><br /><div style="text-align: justify;">In this post, I release an issue that I discovered 362 days ago and reported to Opera through the <a href="http://www.beyondsecurity.com/ssd.html">SSD</a> program (SecuriTeam Secure Disclosure), but they have decided not to fix it.<br /></div><br /><div style="text-align: justify;">Thanks to sinn3r of metasploit.com for his heap spray method for the Opera browser (tested on v11.51 and v11.50), which uses VirtualAlloc. You can try it by setting the target to 1. I will keep both methods to avoid heap spray holes; I mean, if you are trying the exploit with the default target and it lands on a hole, change to target 1 and try again.<br /></div><br />However, the following results were taken with the default target.<br /><br /><div style="text-align: justify;">By the way, Opera Next was updated two days ago (r1076 -> r1085). I have not had time to get results for this release, but I confirm that it is still vulnerable, and I have even seen remote code execution.<br /></div><br /><br /><span style="font-weight: bold;">Testing Method</span>:<br /><br /><br /><div style="text-align: justify;">In this case, I was looking for success on the first attempt, so I needed to find a method that did not use the crash dialog, kept the (default) config and did not use the last-visited feature (the following one may be too paranoid):<br /></div><br /><br />0. On the attacker: exploit ready.<br />1. On the victim: start Opera.exe and launch the exploit.<br />2. On the victim: if successful -> close the shellcode -> turn off the computer.<br />3. On the victim: if not successful -> Do not restart + Do not send/Send -> turn off the computer.<br />4. On the attacker: kill id_exploit and exploit (new random URL).<br />5. 
On the victim: start the computer.<br />6. On the victim: go to step 1.<br /><br /><br /><span style="font-weight: bold;">The results:</span><br /><br /><ul><li>Opera 12 pre-alpha -> RCE on 6/10 attempts</li><li>Opera 11.51 -> RCE on 3/10 attempts</li><li>Opera 11.50 -> RCE on 3/10 attempts</li><li>Opera 11.11 -> RCE on 4/10 attempts</li><li>Opera 11.10 -> RCE on 4/10 attempts</li><li>Opera 11.01 -> RCE on 5/10 attempts</li><li>Opera 11.00 -> RCE on 4/10 attempts</li></ul><br />The 0day exploit <a href="http://pastebin.com/SSfhvemZ">here</a> and <a href="http://www.exploit-db.com/exploits/17960">here</a>.<br /><br /><br />You can find more info:<div><br /><ul><li><a href="http://dev.metasploit.com/redmine/projects/framework-unstable/repository/changes/modules/exploits/incomplete/windows/browser/opera_svg.rb">Metasploit</a> (English)</li><li><a href="http://enred20.org/node/27">EnRed 2.0</a> (Spanish)</li></ul><div><br /></div><div><b>Update (2011/10/17): I want to explain that I do not have an exact date for when this was reported to Opera. As I explained in my report in Spanish, it was probably 10 months ago. By the way, note that they fixed the so-called "frameset exploit" in <a href="http://www.opera.com/support/kb/view/992/">May</a>. However, all the vulnerabilities were reported together.</b></div><div><br /></div><div><b>Update (2011/10/19): Opera has patched the vulnerability in the newly released version: 11.52.</b></div><div><br /></div>Happy (0)day, folks!</div>José A. Vázquez<br /><br /><span style="font-weight: bold;">:::SPAS3C-SV-004:::FINAL DISCLOSURE AND RELIABILITY TESTS (SSD-1010101 / PART-II)</span> (2011-10-05)<br /><br /><div style="text-align: justify;">I have taken a while and been trying to improve this one, unsuccessfully. But I would like to thank sinn3r and the rest of the Metasploit members who have tried to get a more reliable exploit. The PoC is unstable and the crash is variable. Also, I could not get to more stable/reliable crashes. Anyway, I cannot rule out the possibility of a DEP bypass. Under some versions it could be possible (controllable EAX to pivot), but unreliable/unstable. Give me feedback if you get a PoC that improves these issues :)<br /><br />So far, the final result is not as nice as I wanted. Since I could not publish my MS10-090 exploit (you know, someone discovered it before I could publish :)), I am glad to get this one released, and it probably does not come alone.<br /><br />Here go the reliability tests (click to see it correctly):<br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF4KgRd3dfYWBhnx5CR-TVaV3CIuUrZRN9EpaTohUDUV6EfVgbcrpqQI1rA03fMR0qJF1kLMxyaFmxbwl-R9jNGXvLzikw08m2hW-hMZT5bCM7ef98MTEAPANCdWMVZc_dE6s9qHmrbRw/s1600/reliability-table.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 200px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF4KgRd3dfYWBhnx5CR-TVaV3CIuUrZRN9EpaTohUDUV6EfVgbcrpqQI1rA03fMR0qJF1kLMxyaFmxbwl-R9jNGXvLzikw08m2hW-hMZT5bCM7ef98MTEAPANCdWMVZc_dE6s9qHmrbRw/s400/reliability-table.JPG" alt="" id="BLOGGER_PHOTO_ID_5658307471631264450" border="0" /></a><span style="font-size:85%;"><span style="font-style: italic;">Fig. 1: Reliability table.</span></span><br /><div style="text-align: justify;"><br /><span style="font-weight: bold; font-style: italic;">It is important to notice that most versions will not work on the first attempt, although it is possible and I have seen it: the crash dialog helps here, and the table above is based on it.</span><br /><br /><span style="font-weight: bold;">Crash-dialog options:</span><br /><br /><ol><li>Restart with Speed Dial -> close opera.exe -> open opera.exe -> go to the exploit URL.</li><li>Restart and reopen all tabs.</li><li>Do not restart -> open opera.exe.</li></ol><br /><span style="font-weight: bold;">Test setup:</span><br /><br /><ul><li>Master box: Windows 7 Ultimate with SP1 (English) (fully updated)</li><li>VM engine: VirtualBox</li><li>Virtual boxes: Windows XP Professional with SP3 (English) (fully updated) x 15</li><li>Opera: clean installations with default configuration</li><li>Browser cache: not cleaned</li><li>Number of attempts: 100</li><li>Number of OS restarts: 5</li><li>Number of exploit URL changes: 10</li></ul><br /><span style="font-weight: bold;">Notes:</span><br /><br /><ul><li>I have noticed that the reliability changes when the box is restarted, so it is very possible that you will get different results.</li><li>This exploit was coded when the stable release was v10.61. At that time, my best results were obtained with v10.62 and v10.61 (not a clean installation: v10.6 -> v10.61).</li></ul><br />Finally, the msf module <a href="http://pastebin.com/7nJfKbze">here</a> and <a href="http://www.exploit-db.com/exploits/17936/">here</a>.<br /><br /><br /></div></div></div>José A. 
Vázquez<br /><br /><span style="font-weight: bold;">:::SPAS3C-SV-005:::IE8/9 USE-AFTER-FREE VULNERABILITY POC (ZDI-11-194/MS11-050/CVE-2011-1260)</span> (2011-06-17)<br /><br />Just the PoC for my latest IE (use-after-free) vulnerability (not only my finding):<br /><br /><div class="code"><br />&lt;STYLE&gt;<br />object{<br />float: left;<br />}<br />&lt;/STYLE&gt;<br />&lt;acronym&gt;<br />hggssssssssssssssssssssssssddddddddddddddddddddddddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadddddddddddddddddddddddddddddddddddddddddddddddddddddddd<br />&lt;/acronym&gt;<br />&lt;object&gt;<br />head<br />&lt;/object&gt;<br />&lt;col&gt;<br />ccc<br />&lt;/col&gt;<br />&lt;div style = 'layout-grid-char: 35735636357357354ex;'&gt;<br />aaaaaa<br />&lt;/div&gt;<br /><br /></div>You will find awesome work, an exploit, and even new targets (IE6/IE7) on <a href="http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html">d0c_s4vage's blog</a>.<br /><br />More references:<br /><ul><li><a href="http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx">Microsoft advisory</a></li></ul><ul><li><a href="http://www.zerodayinitiative.com/advisories/ZDI-11-194/">ZDI advisory</a></li></ul>José A. 
Vázquez<br /><br /><span style="font-weight: bold;">:::SPAS3C-SV-004:::OPERA BROWSER &lt; 11.11 FRAMESET MEMORY CORRUPTION VULNERABILITY (SSD-1010101 / PART-I)</span> (2011-05-27)<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLMzi-MJCi_IGUQUXwe81LCVkSJFQ3awbhnQgjjFjQNvEy_wQrpG6ajen0yIgO-9qHzp6ltZltRUcoXZz5BgzR3sS2zWkpnVD7SPNFCa6n3S94iMbPBn-6dnWj7Du-qWu2gIDaOI7u_AM/s1600/opera_software.png"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 200px; height: 77px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLMzi-MJCi_IGUQUXwe81LCVkSJFQ3awbhnQgjjFjQNvEy_wQrpG6ajen0yIgO-9qHzp6ltZltRUcoXZz5BgzR3sS2zWkpnVD7SPNFCa6n3S94iMbPBn-6dnWj7Du-qWu2gIDaOI7u_AM/s200/opera_software.png" alt="" id="BLOGGER_PHOTO_ID_5610461842548964162" border="0" /></a><br /><div style="text-align: justify;">I'm going to write this post in Spanish because I haven't done so in a long time, and in any case I don't express myself too well in English either.<br /><br />First of all, some clarifications about the vulnerability/exploit:<br /><br /><ul><li>I found this vulnerability quite a while ago, at the end of September 2010 if I remember correctly, and it was my second exploit, so it wasn't very elaborate: a heap spray and cross your fingers that it lands in that area. The good thing about the version I found it in is that, despite the random nature of the vulnerability, it could be taken advantage of reliably (see the advisory for more details). Specifically, the Opera version at that time was v10.61; since then, this exploit has been losing reliability as versions went by, until it turned into a DoS, still exploitable but really not very reliable. The thing is, I have spent several days going over the PoC, looking first for a controlled way to trigger the vuln that is, at the same time, reliable.</li></ul><ul><li>To make it clear: it seems that both Opera and the other sources that have echoed the vulnerability are in some cases not in a position to test the vuln, and in other cases (like Opera) do not seem to do so: <span style="font-weight: bold;">The vulnerability affects Opera v10.xx and Opera v11.xx (&lt;11.11)</span>.<br /></li></ul><ul><li>And what's more (this explains why I won't give details of PoCs and exploits beyond a video and a short report): <span style="font-weight: bold;">The vulnerability triggers successfully on Opera Mobile v11.x and Opera Mobile v10.x</span>. Now, I don't know whether to the point of achieving exploitability or not; what I can say (after doing some debugging using a Nokia N8, Symbian^3 and carbide.c++ / IDA) is that it may be exploitable. Let me explain: my knowledge of ARM debugging and exploitability goes no further than this, as a first case. That said, after triggering the vuln several times on Opera Mobile, I have seen that the PC (Program Counter) gets loaded with low values (0x00000134, 0x00000130, etc.), which is usually not very exploitable, but sometimes I have seen crashes at (0x006xxxxx, 0x005xxxxx), which correspond to heap and stack areas, and that's why I don't rule out the possibility of exploitation on this architecture. Moreover, at the time, although I had no way to test the PoC because I didn't have any smartphone, I could only do some tests using the Windows Mobile emulator, and it also turned out to be vulnerable. What I did achieve was a working exploit in Opera Mobile Emulator for Windows. However, lacking the possibility of analyzing it in a real environment, mobile exploitation was left (and it seems it still remains) forgotten. In any case, it's nothing more than a possibility that I will try to check.<br /></li></ul><ul><li>Exploitation on systems with hardware DEP and ASLR (> Windows Vista SP0) is unlikely, mainly because of the random nature of the vulnerability and the difficulty of building a ROP exploit. For the same reason, exploitation on each Opera version is more or less reliable.</li></ul><ul><li>Other platforms where the vulnerability has been successfully tested are: Mac OS X Snow Leopard and Ubuntu (GNU/Linux). In addition to the Windows versions: XP, Vista and 7.<br /></li></ul><br /></div><span style="font-weight: bold;">Reworking the exploit...<br /><br /><br /></span><div style="text-align: justify;">In my lab, I set up a virtual machine with Windows XP SP3 (fully updated) and with /nx=alwayson (DEP soft on). I took the latest vulnerable version, specifically v11.10, and got started... As I said before, this exploit was fairly reliable on v10.62, but on v11.10 it was barely exploitable. First, I found a way to trigger the vulnerability in a controlled manner, and finally I tuned the spray to get maximum reliability. So the exploit consists of two stages: a first one where the heap spray is done, and another where the vulnerability is triggered.<br /><br />I haven't tested this exploit on more versions, but the previous exploit I tested in numerous environments from v10.00 to v11.10, and all of them achieved RCE at least once (some more reliably than others). So, with a bit of work, it could become an exploit with quite broad coverage.<br /></div><br /><div style="text-align: justify;">So, and since prevention is better than cure, for now I won't make public any more information than this:<br /></div><div style="text-align: justify;"><ul><li>A video where the successful and reliable (80-90%) exploitation on v11.10 can be seen.</li></ul><br /><center><br /><object style="height:300;width:400"><param name="movie" value="http://www.youtube.com/v/zlm2YesH1ds?version=3"><param name="allowFullScreen" value="true"><param name="allowScriptAccess" value="always"><embed src="http://www.youtube.com/v/zlm2YesH1ds?version=3" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" height="300" width="400"></embed></object></center><br /><br /></div><ul style="text-align: justify;"><li>The <a href="https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0ByM4dUppVlrTNWVjNGMxOTMtZDc4NC00N2E2LWFlZjctNmVkN2RhYjU5M2My&hl=es&authkey=CMH_hb4O">advisory</a> (in English), with some modifications since it was sent to SSD (mostly language corrections). I have probably left too much information in view, but getting the PoC is more complex than fuzzing the frameset tag, or at least it seems so xD<br /></li></ul><br /><div style="text-align: justify;"><span style="font-weight: bold;">Update:</span> <span style="font-style: italic;">SecuriTeam acknowledges having notified the mobile issue to Opera's developers, who rule out a near-term update; however, they don't rule out patching some other matter or two ;)</span><br /></div><br /><br /><span style="font-weight: bold;">References:</span><br /><ul><li><a href="http://www.opera.com/support/kb/view/992/">Opera advisory</a></li></ul><ul><li><a href="http://www.beyondsecurity.com/ssd.html">SecuriTeam Secure Disclosure program</a></li></ul>José A. Vázquez<br /><br /><span style="font-weight: bold;">:::SPAS3C-WV-006:::Multiple Vulnerabilities in Mozilla Sites</span> (2011-02-23)<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpQJcwo-K42xPYm1gv9gAJHtkgaUz-8Hg0Sr7wQSTlqPcRnXs5rauJGY4rXnvDtgZ5NgNbxFWFfJjT7x4lDbrbpdlZshK6rrzqHt97JmoiTRigHVmGSGYff7j9eiS2PLgOzBj1w5_JwjU/s1600/mozilla.png"><img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 128px; height: 128px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpQJcwo-K42xPYm1gv9gAJHtkgaUz-8Hg0Sr7wQSTlqPcRnXs5rauJGY4rXnvDtgZ5NgNbxFWFfJjT7x4lDbrbpdlZshK6rrzqHt97JmoiTRigHVmGSGYff7j9eiS2PLgOzBj1w5_JwjU/s320/mozilla.png" alt="" id="BLOGGER_PHOTO_ID_5576985723214691410" border="0" /></a><br /><br />This is old stuff, which I should have posted before, discovered on Mozilla websites several weeks ago:<br /><br /><ul style="text-align: justify;"><li><span style="font-weight: bold;">bugzilla.mozilla.org</span>: CSRF (saved searches).<br /></li><li><span 
style="font-weight: bold;">creative.mozilla.org</span>: CSRF (user profile).<br /></li><li style="text-align: justify;"><span style="font-weight: bold;">developer.mozilla.org</span>: Plain text password disclosure.</li></ul><div style="text-align: justify;">I will provide some details about them.</div><div style="text-align: justify;"><br /><span style="font-weight: bold;">1. CSRF (saved searches) in bugzilla.mozilla.org</span><br /><br /><span style="font-style: italic;">PoC</span>: <a href="http://pastebin.com/0r1MyvVv">http://pastebin.com/63H2YtMd</a><br /><br /><span style="font-style: italic;">Sec-Severity</span>: Low/Medium<br /><br /><div style="text-align: left;"><span style="font-style: italic;">CVE</span>: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0046">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0046</a><br /></div><br /></div><div style="text-align: justify;"><span style="font-style: italic;">Description</span>: Saved searches in the Bugzilla user's panel are not protected against CSRF attacks, and this could be used to add bullshit.<br /><br /><div style="text-align: justify;">This vulnerability affects Bugzilla (the Mozilla Foundation's bug tracking system) <= 3.2.9, 3.4.9, 3.6.3, and 4.0rc1.<br />Reference: <a href="http://www.bugzilla.org/security/3.2.9/">http://www.bugzilla.org/security/3.2.9/</a><br /><br /></div><span style="font-style: italic;">Screenshot</span>:<br /><br /></div><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtc931ubIwYWBd9ND1LkGR1MQ3dVsp_nrbgO57nwV1_ul20gD6HcWF7IUG6M5XAuC41HfOT3_WSJyHsoxseJokvKexBYNqsg12SMQuVahYt2uKCJowsrQIwZJqZCJwLBEME1wCXf8uiwA/s1600/bugzilla_1.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 146px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtc931ubIwYWBd9ND1LkGR1MQ3dVsp_nrbgO57nwV1_ul20gD6HcWF7IUG6M5XAuC41HfOT3_WSJyHsoxseJokvKexBYNqsg12SMQuVahYt2uKCJowsrQIwZJqZCJwLBEME1wCXf8uiwA/s320/bugzilla_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5576952294780911618" border="0" /></a><span style="font-style: italic;font-size:85%;">Fig.1: Launching the CSRF exploit</span><br /></div><div style="text-align: justify;"><br /></div><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPQii0T5ua9MWyszdDq2FNDaj_1-COvz_PTpob3rCDQBCiUB9wS1hUaGKZbnMkEEaB6n0023NS1iLD-VkhrEoq6OxSEofMPDJOdOlTXqE6rLvwuAKqNBvVaSlXcOW39228C-GwOAXlODM/s1600/bugzilla_2.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 158px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPQii0T5ua9MWyszdDq2FNDaj_1-COvz_PTpob3rCDQBCiUB9wS1hUaGKZbnMkEEaB6n0023NS1iLD-VkhrEoq6OxSEofMPDJOdOlTXqE6rLvwuAKqNBvVaSlXcOW39228C-GwOAXlODM/s320/bugzilla_2.JPG" alt="" id="BLOGGER_PHOTO_ID_5576979310152792066" border="0" /></a><span style="font-size:85%;"><span style="font-style: italic;">Fig.2: Exploit executed successfully</span></span><br /></div><div style="text-align: justify;"><br /></div><span style="font-weight: bold;">2. CSRF (user profile) in creative.mozilla.org</span><br /><div style="text-align: justify;"><br /><span style="font-style: italic;">PoC</span>: <a href="http://pastebin.com/0r1MyvVv">http://pastebin.com/0r1MyvVv</a><br /><br /><span style="font-style: italic;">Sec-Severity</span>: Critical<br /><br /><span style="font-style: italic;">CVE</span>: N/A<br /><br /><span style="font-style: italic;">Description</span>: The user profile could be changed using a CSRF attack.<br /><br /><span style="font-style: italic;">Screenshot</span>:<br /><br /></div><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwzEf8L8tfBN3cWN2jL5z873w1yJcIREv70xuAMBSBV6ME7b8Qbr2Wj7eSLxUsmTq8gZgypSdzTW7KNi-y_XJ-odCtRlGNANPkthSqre23npqTS8ejVKzA9UUNNayvJ3dWhi39vWW6X40/s1600/creative_1.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 183px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwzEf8L8tfBN3cWN2jL5z873w1yJcIREv70xuAMBSBV6ME7b8Qbr2Wj7eSLxUsmTq8gZgypSdzTW7KNi-y_XJ-odCtRlGNANPkthSqre23npqTS8ejVKzA9UUNNayvJ3dWhi39vWW6X40/s320/creative_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5576954161409306578" border="0" /></a><span style="font-size:85%;"><span style="font-style: italic;">Fig.3: CSRF (user profile) in creative.mozilla.org</span></span><br /></div><div style="text-align: justify;"><br /><span style="font-weight: bold;">3. Plain text password disclosure in developer.mozilla.org</span><br /><br /><div style="text-align: justify;"><span style="font-style: italic;">PoC</span>: Register at developer.mozilla.org and then come back and check your mail. The site sends your password in plain text.<br /></div><br /><span style="font-style: italic;">Sec-Severity</span>: High<br /><br /><span style="font-style: italic;">CVE</span>: N/A<br /><br /><span style="font-style: italic;">Description</span>: MDC sends your password in plain text.<br /><br /><span style="font-style: italic;">Screenshot</span>:<br /><br /></div><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTn3Bnzns1Tx4lFCKR9Yvrk8zrfxFWo0pj169GdDjlRX4LPu3RzfQP051ogwg6OvexKVbJJO9g-X_HL2Zja4hn4bWjVjC4-FaNboPZZWbwzQWu3Mwm3Jywja-V98jLw3-05pGjDeUPqW8/s1600/developer_1.JPG"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 138px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTn3Bnzns1Tx4lFCKR9Yvrk8zrfxFWo0pj169GdDjlRX4LPu3RzfQP051ogwg6OvexKVbJJO9g-X_HL2Zja4hn4bWjVjC4-FaNboPZZWbwzQWu3Mwm3Jywja-V98jLw3-05pGjDeUPqW8/s320/developer_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5576980688737421634" border="0" /></a><span style="font-size:85%;"><span style="font-style: italic;">Fig.4: Plain text password disclosure</span></span><br /></div><div style="text-align: justify;"><br />And yep, my MDC password contains an "e".<br /><br />On the other hand, the Mozilla security team solved these issues quickly.<br />That's all. <span style="font-weight: bold;">Be safe ;)</span><br /><br /></div>José A. 
Vázquez<br /><br /><span style="font-weight: bold;">:::SPAS3C-SV-003:::INTERNET EXPLORER 6/7/8 MEMORY CORRUPTION VULNERABILITY (CVE-2010-3962/ MS10-090)</span> (2010-12-14)<br /><br /><div style="text-align: justify;">At last, I can talk about a vulnerability which was publicly known because it was being exploited in the wild. Today I would have liked to disclose my exploit, but it (including a Metasploit module) has been available for a month, so I cannot give more information, just my experience and a collection of interesting links about it.<br /></div><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN9npyjxZZFo62NUd37-u6IP2CsOfUOZT4Bq4WOFpo1Xf3_-8C6R_fttQKWG2v1jpxFJ3LEoMYYGHGdY0D3NJb_xPIGzoaCN9mZhICQZDNiFr4hUDNbANRe7FAL9sD5p_h1mT_DOwR-OP_/s1600/iexplorer0day.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 184px; height: 138px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN9npyjxZZFo62NUd37-u6IP2CsOfUOZT4Bq4WOFpo1Xf3_-8C6R_fttQKWG2v1jpxFJ3LEoMYYGHGdY0D3NJb_xPIGzoaCN9mZhICQZDNiFr4hUDNbANRe7FAL9sD5p_h1mT_DOwR-OP_/s200/iexplorer0day.jpg" alt="" id="BLOGGER_PHOTO_ID_5550255570478373858" border="0" /></a><br /><ul><li><span style="font-weight: bold;">Description:</span></li></ul><br /><div style="text-align: justify;">This one was very nice to find. Someone called it a smart vuln, because it only needed one line of HTML code to trigger it: one HTML tag and two different styles. But when I found it, about five months ago, I discovered it using this PoC:<br /></div><br /><span style="color: rgb(255, 0, 0);">----------------------------------------poc.html------------------------------------------------</span><br /><br /><div style="text-align: justify;"><span style="color: rgb(255, 0, 0);">&lt;table style = 'position: absolute;clip: rect(5px, 55px, 45px, 5px);' &gt;</span><span style="color: rgb(255, 0, 0);"> &lt;hr /&gt;</span><br /><br /><span style="color: rgb(255, 0, 0);">----------------------------------------poc.html------------------------------------------------</span><br /></div><br /><div style="text-align: justify;">The reason is that my fuzzer always tries to produce correct HTML code and applies fuzzing to some styles, properties, etc.<br /></div><br /><div style="text-align: justify;">In late June, my fuzzer got a working PoC triggering the vuln. I was a complete newbie at exploiting, but I noticed that it could be easily exploited. I sent it to <a href="http://labs.idefense.com/">iDefense</a> and they confirmed the vulnerability in early July.<br /><br />By September, I had learned something about exploiting, because I needed to sell other stuff and that buyer needed working exploits, so when the other job was finished I thought it would be interesting to use my new knowledge as an exploit writer. I wrote my own exploits, and it was very simple using heap spraying. I kept all of it until today, but it would be silly to release it when there is already so much information and so many exploits about this issue.<br /><br />Finally, this is my story about CVE-2010-3962 or MS10-090. I have to admit that this vuln has given me more experience as a bug hunter. It was very nice, easy to find (and so easy to lose), and it had been alive since version 6.<br /><br />Goodbye 0day, I will always remember you :_(<br /></div><br /><ul><li><span style="font-weight: bold;">Links (interesting stuff):</span></li></ul><br /><div style="text-align: center;"><a href="http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx">MS10-090 (Microsoft Security Bulletin)</a><br /></div><div style="text-align: center;"><a href="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=885">Advisory from iDefense</a><br /></div><div style="text-align: center;"><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3962">CVE-ID: CVE-2010-3962</a><br /></div><div style="text-align: center;"><a href="http://www.exploit-db.com/exploits/15418/">PoC from exploit-db</a><br /></div><div style="text-align: center;"><a href="http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb">Exploit from Metasploit</a><br /></div><div style="text-align: center;"><a href="http://www.morenops.com/?p=738">Nice description of the vulnerability</a><br /></div><div style="text-align: center;"><a href="http://community.websense.com/blogs/securitylabs/archive/2010/11/10/Amnesty-International-Hong-Kong-Website-Injected-With-Latest-Internet-Explorer-0_2D00_day-.aspx">Exploitation in the wild</a><br /></div><div style="text-align: center;"><a href="http://hdlsec.com/exploiting/process-continuation-after-exploit-aka-internet-explorer-is-my-process-launcher/">Interesting post about restoring after exploitation</a><br /></div><br /><br /><span style="font-weight: bold;">Be safe ;)</span><br /><br />Uncoordinated disclosure or bad credits…? 
Rethinking my own disclosure’s policy<div style="text-align: justify;"><span style="font-style: italic;">Disclaimer: This is only my personal opinion based on logical assumptions, following the timeline while I was trying to publish my research. I won’t provide any information about contacts, names, etc. 
</span><br /></div><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKRohEWAqaRZz8rRGW0NbucJnssZWIlfAB8tSFmoE2wZoAWgEhk11GeIZcoLT8rPhl7dXPJ_eD3oJWrmbKHUJa1CdczKql2R3H02VwjKcbgUbyhUo3gTuO6Fkv4HcAHV2lPUMBElYs7-pB/s1600/disclosure.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 308px; height: 204px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKRohEWAqaRZz8rRGW0NbucJnssZWIlfAB8tSFmoE2wZoAWgEhk11GeIZcoLT8rPhl7dXPJ_eD3oJWrmbKHUJa1CdczKql2R3H02VwjKcbgUbyhUo3gTuO6Fkv4HcAHV2lPUMBElYs7-pB/s400/disclosure.jpg" alt="" id="BLOGGER_PHOTO_ID_5541287932290779186" border="0" /></a><br /><div style="text-align: justify;">When I posted <a href="http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html">this</a>, I really thought that this issue was fixed, so why did I get credit again (from yesterday's update)?<br /></div><br /><div style="text-align: justify;">The issue was found by fuzzing Google Chrome. In early August, the Chrome Security Team fixed it, releasing Google Chrome 5.0.375.125, but I knew that the issue affected WebKit (and nightly builds), so I had to wait before making my own disclosure (Safari was also affected). In late August, the Apple Security Team contacted me (I suppose the Chrome Security Team provided my contact information); they would fix the issue in September and wanted to know how to credit me on the Apple Security Updates site, so I provided my usual information as “Jose A. Vazquez of spa-s3c…” and waited for the Security Update. On 7th September Apple updated Safari to 5.0.2/4.1.2 and I thought this would be the update I had hoped for, but when I checked it, I noticed that they hadn’t fixed my issue…? The next day, they published another update for iOS and gave me credit…? So I contacted them again and asked; they confirmed that it was the fix I had been waiting for. 
I tested the PoC again and it still worked, but as I was (and still am) a beginner, I thought that it was probably the null ptr dereference. Wtf?! Apple confirmed that it was fixed. But my question is whether it was fixed… Credits on the same issue? Fixed issue?<br /></div><br /><div style="text-align: justify;">The answers would probably be one of these:<br /></div><ol><li style="text-align: justify;">Failure (Apple) on credits (unlikely). </li><li style="text-align: justify;">Failure (Apple and me) on coordinated disclosure.</li></ol><div style="text-align: justify;">I’ve downloaded the current release (5.0.3) and tested the issue again, and it no longer works: no crash and no null ptr.<br /></div><br /><div style="text-align: justify;">In short, this smells like an uncoordinated disclosure: they fixed the issue on iOS but it was still alive on Safari for MacOS, Windows, etc. Assuming the latter case (uncoordinated disclosure), I have a new question about the large time gaps in shipping fixed code in stable releases (having a third party as a common denominator).<br /><br />Clearly, I tried to make a responsible and coordinated disclosure but in the end I made a mess of it... My failure or Apple's failure? Let everyone draw their own conclusions.</div><p class="MsoNormal" style="text-align: justify; line-height: 150%;"><span style="font-weight: bold;">Be safe ;)</span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5019494622639208417.post-66443336989137005162010-10-07T08:51:00.005+02:002010-10-07T08:51:00.368+02:00Firefox vs Thunderbird... and what about Seamonkey?<div style="text-align: justify;">It's been a long time without posting anything new, let alone in Spanish. 
That's why I've decided to write this post about something that has really caught my attention and for which I've asked for an explanation, without any result so far.<br /></div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj13VwheC3BnRGWsZMbThH8ZMlSTbUm0ZDRc788F4U_NvtIhsmDsCQ1V1PNgZYmF-cRRvdHRIG-x1uQjPjhf1HAuLnuAXz2mibmDbakSG8u3fE9QET6x4UxhTq_VkM4nNDxtw0GmqkWHsCY/s1600/idefense.png"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 73px; height: 73px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj13VwheC3BnRGWsZMbThH8ZMlSTbUm0ZDRc788F4U_NvtIhsmDsCQ1V1PNgZYmF-cRRvdHRIG-x1uQjPjhf1HAuLnuAXz2mibmDbakSG8u3fE9QET6x4UxhTq_VkM4nNDxtw0GmqkWHsCY/s400/idefense.png" alt="" id="BLOGGER_PHOTO_ID_5525083236459605378" border="0" /></a><div style="text-align: justify;">As an iDefense "contributor", I've received a somewhat peculiar e-mail about a bonus valid until the end of the year, offering the following:<br /></div><br /><div style="text-align: justify;">"The total dollar value of prizes we're giving away is $70,000, and bonus quantities and values are broken down into the following categories:<br /></div> <ul style="font-weight: bold; text-align: justify;"><li>8 awards: Internet Explorer, Outlook, Thunderbird: ($6000 Bonus)</li><li>4 awards: Firefox, Flash, Silverlight, Windows Media Player: ($4000 Bonus)</li><li>2 awards: Java, Adobe Reader, Office 2007/2010 ($3000 Bonus)</li></ul> <div style="text-align: justify;"> The program will be going on until December 31st, 2010 or whenever all the prizes are given away, whichever comes first. 
We hope to hear from you soon, good luck!"<br /></div><br /><div style="text-align: justify;">The message seems clear: bonuses totalling 70000 USD are offered, split into 8, 4 and 2 awards respectively.<br /></div><br /><div style="text-align: justify;">What really catches my attention is not that the same amounts are offered for Internet Explorer and Outlook, which seems logical to me, up to a point, since one would have to assess whether a single vulnerability that is exploitable in both would be bought for double, that is, as IE + Outlook = $6000 + $6000, or whether it counts as one, that is, $6000.<br /></div><br /><div style="text-align: justify;">But what really catches my attention is the price distinction between Firefox and Thunderbird, both from Mozilla, which leads me to the question: what about Seamonkey? The amount varies by up to $2000 between one and the other!<br /></div><br /><div style="text-align: justify;">It seems logical to think that a bug affecting IE will probably also affect Outlook (although it doesn't have to be that way; at least it has happened to me), and likewise, a bug in Firefox will probably be reproducible in Thunderbird or Seamonkey as well. I speak from my own experience, although I have only found/hunted one bug (a null pointer) in Mozilla (and I was able to reproduce it in Firefox and Seamonkey).<br /></div><br /><div style="text-align: justify;"><div style="text-align: justify;">So, in the case described, a single bug affecting all 3 products, it seems quite absurd to sell it as a Firefox bug and lose $2000 (as long as it is also exploitable in Thunderbird).<br /></div><br /><div style="text-align: justify;">This price distinction between products from the same vendor is striking, when there are probably more users who use the Firefox browser but do not use the Thunderbird mail client. 
So market share can't be the reason for this distinction (see e-mail client market shares <a href="http://fingerprintapp.com/email-client-stats">here</a> and <a href="http://visibleranking.com/2010/05/most-popular-email-clients.php">here</a>, and browser market shares <a href="http://marketshare.hitslink.com/browser-market-share.aspx?qprid=0">here</a>). So, what is it?<br /></div><br />Be safe ;)<br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5019494622639208417.post-33345469912286164772010-09-10T16:10:00.010+02:002011-02-23T18:54:33.908+01:00:::SPAS3C-SV-002:::WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY (CVE-2010-1813)<div style="text-align: justify;"><span>This time, I'm going to post a new remote software advisory, which was fixed about one month ago, but I couldn't post it because I was waiting for an advisory and a fix from Safari. Now the fix is out, so I can post my own advisory.</span><br /></div><span style="color: rgb(255, 0, 0); font-weight: bold;"><br /><br />-------------------------START-ADVISORY-------------------------------</span><br /><span style="font-weight: bold;"><br /><br />TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY<br /><span style="font-weight: bold;">TESTED OS: WINDOWS XP SP3</span><br /><span style="font-weight: bold;">SEVERITY: HIGH</span><br /><span style="font-weight: bold;">CVE-NUMBER: CVE-2010-1813</span><br /><span style="font-weight: bold;">DISCOVERED DATE: 2010-06-29</span><br /><span style="font-weight: bold;">FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)</span><br /><span style="font-weight: bold;">FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2</span><br /><span style="font-weight: bold;">DISCOVERED BY: JOSE A. 
VAZQUEZ</span><br /><br /><br /><span style="color: rgb(255, 0, 0);">======ABOUT APPLICATION======</span><br /><br /></span><span style="font-weight: bold;"><div style="text-align: justify;"><span style="font-weight: normal;">"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/</span><br /></div><br /><br /><span style="color: rgb(255, 0, 0);">======DESCRIPTION======</span><br /><br /></span><span><div style="text-align: justify;">A memory corruption vulnerability was confirmed by the Chromium Security Team. The original stack trace showed a null ptr dereference, but some pointers were also corrupted.<br /></div><br />Stack trace (using Chrome symbols):<br /><br />WebCore::RenderObject::containingBlock() Line 597<br />WebCore::RenderBlock::paintContinuationOutlines() Line 2344<br />WebCore::RenderBlock::paintObject() Line 2232<br />WebCore::RenderBlock::paint() Line 1980<br />WebCore::RenderLayer::paintLayer() Line 2447<br />WebCore::RenderLayer::paintList() Line 2499<br />WebCore::RenderLayer::paintLayer() Line 2468<br />WebCore::RenderLayer::paint() Line 2252<br />WebCore::FrameView::paintContents() Line 1943<br />WebCore::ScrollView::paint() Line 797<br />WebCore::RenderWidget::paint() Line 281<br />WebCore::InlineBox::paint() Line 180<br />WebCore::InlineFlowBox::paint() Line 682<br />WebCore::RootInlineBox::paint() Line 167<br />WebCore::RenderLineBoxList::paint() Line 219<br />WebCore::RenderBlock::paintContents() Line 2090<br />WebCore::RenderBlock::paintObject() Line 2199<br />WebCore::RenderBlock::paint() Line 1980<br />WebCore::RenderBlock::paintChildren() Line 2127<br />WebCore::RenderBlock::paintContents() Line 2092<br />WebCore::RenderBlock::paintObject() Line 2199<br 
/>WebCore::RenderBlock::paint() Line 1980<br />WebCore::RenderLayer::paintLayer() Line 2445<br />WebCore::RenderLayer::paintList() Line 2499<br />WebCore::RenderLayer::paintLayer() Line 2468<br />WebCore::RenderLayer::paint() Line 2252<br />WebCore::FrameView::paintContents() Line 1943<br />WebCore::ScrollView::paint() Line 797<br />WebKit::WebFrameImpl::paintWithContext() Line 1795<br />WebKit::WebFrameImpl::paint() Line 1818<br />WebKit::WebViewImpl::paint() Line 979<br />RenderWidget::PaintRect() Line 390<br />RenderWidget::DoDeferredUpdate() Line 501<br />RenderWidget::CallDoDeferredUpdate() Line 428</span><span style="font-weight: bold;"><br /><br /><br /><span style="color: rgb(255, 0, 0);">======PROOF OF CONCEPT======</span><br /><br /><a href="http://pastebin.com/v7T0QK5g">http://pastebin.com/v7T0QK5g</a><br /><br /><br /><span style="color: rgb(255, 0, 0);">======STEPS TO REPRODUCE======</span><br /><br /></span><span>1.- Upload 1.html and 2.html to your server.<br />2.- Open file 1.html with the vulnerable app.</span><br /><br /><span>-Google Chrome:<br /><br />3.- Wait for a while, then the crash occurs (sad tab).<br /><br />-Apple Safari:<br /><br />3.- Wait for a while; if the crash does not occur, use Ctrl+T to trigger it.</span><span style="font-weight: bold;"><br /><br /><br /><span style="color: rgb(255, 0, 0);">======REFERENCES======</span><br /></span><span><br />[ref-1] -> <a href="https://bugs.webkit.org/show_bug.cgi?id=41373">https://bugs.webkit.org/show_bug.cgi?id=41373</a><br />[ref-2] -> <a href="http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html">http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html</a><br />[ref-3] -> <a href="http://support.apple.com/kb/HT4334">http://support.apple.com/kb/HT4334</a><br />[ref-4] -> <a 
href="http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html">http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html</a><br /><br /></span><span style="font-weight: bold;"><br /><span style="color: rgb(255, 0, 0);">======DISCLOSURE TIMELINE======</span><br /><br /></span><span>Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)<br /><br />[2010-06-29] => Posted new issue in Chromium Project (with pocs).<br />[2010-06-29] => Chromium confirmed memory corruption and opened new webkit bug.<br />[2010-07-26] => Chromium released new fix (Google Chrome 5.0.375.125).<br />[2010-09-08] => Apple released new fix (Apple Safari 4.1.2/5.0.2).<br />[2010-09-10] => Public disclosure.</span><span style="font-weight: bold;"><br /><br /><br /><span style="color: rgb(255, 0, 0);">======CREDITS=======</span><br /><br />Jose Antonio Vazquez Gonzalez,<br />Telecom. Engineer & Sec. Researcher.<br />http://spa-s3c.blogspot.com/<br /><br /><br /><span style="color: rgb(255, 0, 0);">-------------------------END-ADVISORY-------------------------------</span><br /><br /><br />That's all. Be safe ;)<br /></span>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-5019494622639208417.post-66455093537088155952010-08-06T17:30:00.004+02:002011-02-23T18:54:52.532+01:00:::SPAS3C-WV-005:::Vulnerability in Joomla! 
Core (Back-end) <= 1.5.19<div style="text-align: justify;"><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh40bdBw0fSICDRdgScV-SEglUX9BBcvda4pxDSAui0bzdB8N5xHs_VuyCl_d5Np5LEb-7RjHj1wpzvsJo32nDj-GuwggAFGSG1NHoxX2YHyNONXffJAzY93dXcXWxpJr_5KkFKl1Ixm23o/s1600/joomla.JPG"><img style="cursor: pointer; width: 304px; height: 92px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh40bdBw0fSICDRdgScV-SEglUX9BBcvda4pxDSAui0bzdB8N5xHs_VuyCl_d5Np5LEb-7RjHj1wpzvsJo32nDj-GuwggAFGSG1NHoxX2YHyNONXffJAzY93dXcXWxpJr_5KkFKl1Ixm23o/s400/joomla.JPG" alt="" id="BLOGGER_PHOTO_ID_5502309751524067170" border="0" /></a><br /></div><br />About two months ago, I found several vulnerabilities in Joomla! v<= 1.5.19, and these are my advisories. This one was published on the Joomla! Security Center: <a href="http://developer.joomla.org/security/news/316-20100702-core-xss-vulnerabillitis-in-back-end.html">here</a><br /></div><br /><ul><li><strong>Project:</strong> Joomla!</li><li><strong>Severity: </strong>Medium</li><li><strong>Versions:</strong> 1.5.19 and all previous 1.5 releases</li><li><strong>Exploit type:</strong> XSS Injection</li><li><strong>Reported Date:</strong> 2010-June-8</li></ul><br /><div style="text-align: justify;">The back-end was vulnerable to XSS/HTML code injection. The GET parameter "menutype", used by the core component "com_menus", was reflected into an HTML attribute without encoding: a double quote in the value closes the attribute, and an injected event handler (onmouseover in the PoC below) then runs in the administrator's session.<br /></div><br /><span style="font-weight: bold;">Proof-of-Concept:</span><br /><br /><a href="http://[host]/%5BJOOMLA-PATH%5D/administrator/index.php?option=com_menus&task=view&menutype=mainmenu%22%20onmouseover=%22alert%28%27Discovered%20by%20Jose%20A.%20Vazquez%27%29;">http://[HOST]/[JOOMLA-PATH]/administrator/index.php?option=com_menus&task=view&menutype=mainmenu%22%20onmouseover=%22alert%28%27Discovered%20by%20Jose%20A.%20Vazquez%27%29;</a><br /><br /><span style="font-weight: bold;">Some screenshots:</span><br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr0Ah-s-MA24JTV15XBeVCe16S-UJ95t2YeNQ7rZMG0QAwXZ8ol9ZOcMvPWCzVStMJOMlRk2-iwcSqWzGsDSrmGbfqzQKeNVCxE8dFdWW3mfA0v21tsrif4oIZ6yVNT81x32bYJWX7tn8F/s1600/1.JPG"><img style="cursor: pointer; width: 400px; height: 218px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr0Ah-s-MA24JTV15XBeVCe16S-UJ95t2YeNQ7rZMG0QAwXZ8ol9ZOcMvPWCzVStMJOMlRk2-iwcSqWzGsDSrmGbfqzQKeNVCxE8dFdWW3mfA0v21tsrif4oIZ6yVNT81x32bYJWX7tn8F/s400/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5502313210675271922" border="0" /></a><br /><span style="font-size:85%;"><span style="font-style: italic;">Fig.1: XSS triggered in Joomla! 
Back-end</span></span><br /></div><br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVWJwUAqpFqjXOrSDjrcRfC3fEb-E925eXdNnHB_l7kUlYg377TdzEmf6frPbQZhNv1Fck7L3X3hRw61z13JCODAS5G1Ey0RDC-LIaDBNRWY7sVS_bWz5-ce8QfIC0czf2ezr8Ys1Lz_BF/s1600/3.JPG"><img style="cursor: pointer; width: 400px; height: 236px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVWJwUAqpFqjXOrSDjrcRfC3fEb-E925eXdNnHB_l7kUlYg377TdzEmf6frPbQZhNv1Fck7L3X3hRw61z13JCODAS5G1Ey0RDC-LIaDBNRWY7sVS_bWz5-ce8QfIC0czf2ezr8Ys1Lz_BF/s400/3.JPG" alt="" id="BLOGGER_PHOTO_ID_5502314847059783282" border="0" /></a><br /><span style="font-size:85%;"><span style="font-style: italic;">Fig.2: Code injected.</span></span><br /></div><br />Be safe ;)Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-5019494622639208417.post-55809024802166779742010-07-05T16:46:00.004+02:002011-02-23T18:55:02.205+01:00:::SPAS3C-WV-004:::Session Hijacking in Steam WebSite<div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzCyvrwTX9D6U4rXevMpgA8sCJ4RmeqjzXuhCozRyFTMPMQ80Iu5-o5Gt0JXdeLusmyW5nLNEvSZ65bOTDLYfkfyjAZdhiBnB1aZgzSH86SpN6xSsp0P-A6M6Ei-4T31pYJtnyl59Ml-bD/s1600/steam.JPG"><img style="cursor: pointer; width: 213px; height: 85px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzCyvrwTX9D6U4rXevMpgA8sCJ4RmeqjzXuhCozRyFTMPMQ80Iu5-o5Gt0JXdeLusmyW5nLNEvSZ65bOTDLYfkfyjAZdhiBnB1aZgzSH86SpN6xSsp0P-A6M6Ei-4T31pYJtnyl59Ml-bD/s400/steam.JPG" alt="" id="BLOGGER_PHOTO_ID_5487625770793170530" border="0" /></a><br /></div><br /><br /><div style="text-align: justify;">About two months ago, my little girl gave me a great birthday present and I got Call of Duty: Modern Warfare 2 (I <3 C0D).<br /><div style="text-align: justify;">Lots of minutes of gameplay later, I decided to check the security of the Steam website, and I got very interesting results.<br /></div><br /><div style="text-align: justify;">The website was vulnerable to XSS/HTML injection, which could be exploited to steal users' cookies. I made a PoC showing how to trigger the vulnerabilities from any browser (where XSS was allowed) or through the "steam" URI scheme (steam://openurl/), since Steam uses its own internal browser.<br /></div><br />The "steam browser" had/has some limitations:<br /><ul><li>It did/does not let the user change the URL -> the solution was the steam:// scheme URI.</li><li>It had/has a URL length restriction -> the solution was to load a malicious JS file hosted anywhere.</li></ul></div>These are simple PoCs:<br /><ul style="text-align: left;"><li>The GET parameter "os" was vulnerable: <a href="http://store.steampowered.com/search/?os=mac%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E%3C%21--&category1=998&category2=9">http://store.steampowered.com/search/?os=mac%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E%3C!--&category1=998&category2=9</a></li><li>The GET parameter "category1" was vulnerable: <a href="http://store.steampowered.com/search/?os=mac&category1=998%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C%21--&category2=9">http://store.steampowered.com/search/?os=mac&category1=998%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C!--&category2=9</a></li></ul>In both payloads %22%3E closes the attribute and tag the value lands in, a script element is injected, and %3C!-- comments out the remainder of the original markup so the page still parses.<br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe9WDkmBxj_h-CbgkE9wDEEOYj_WwKWo6jh9igsp_cRFM9Nroz3tCLd0XsqqCN0GHEFtORW8DaOT3DSkhK5KAjRPFxsEI5iXdyVCt0GN0THMe90UxvcqdtT0FAWIrstiC9tLBwtP7pLCDn/s1600/xss.JPG"><img style="cursor: pointer; width: 400px; height: 181px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe9WDkmBxj_h-CbgkE9wDEEOYj_WwKWo6jh9igsp_cRFM9Nroz3tCLd0XsqqCN0GHEFtORW8DaOT3DSkhK5KAjRPFxsEI5iXdyVCt0GN0THMe90UxvcqdtT0FAWIrstiC9tLBwtP7pLCDn/s400/xss.JPG" alt="" id="BLOGGER_PHOTO_ID_5487627087484267042" border="0" /></a><br /><span style="font-style: italic;"><span style="font-size:85%;">Fig.1: Triggering one simple PoC.</span></span><br /></div><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhekiS895o6pklAvCBVB6qdb8codZydYULU3FXBN6pDwJkmbEYGD-uOtG5gb5ooLDrlkz9nyIppNOFZvXpkPZRYOHhuQgk5sOQLm_jfzzYKLexVLbiEpMWL4dMwGHJb_eWdquIMRTlv5ohK/s1600/session-hijacking.JPG"><img style="cursor: pointer; width: 400px; height: 312px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhekiS895o6pklAvCBVB6qdb8codZydYULU3FXBN6pDwJkmbEYGD-uOtG5gb5ooLDrlkz9nyIppNOFZvXpkPZRYOHhuQgk5sOQLm_jfzzYKLexVLbiEpMWL4dMwGHJb_eWdquIMRTlv5ohK/s400/session-hijacking.JPG" alt="" id="BLOGGER_PHOTO_ID_5487627706727578930" border="0" /></a><br /><span style="font-size:85%;"><span style="font-style: italic;">Fig. 
2: Session Hijacking PoC.</span></span><br /></div><br />I also recorded a video showing how the issue could be exploited.<br /><div style="text-align: center;"></div> Watch in youtube: <a href="http://www.youtube.com/watch?v=XRxa1PdiKKs">here</a><br /><br />I made my game more secure but they (steam-website security team) didn't give me a present like a new nice game.<br /><br />Be safe ;)<br /><div style="text-align: center;"><br /></div>Unknownnoreply@blogger.com3tag:blogger.com,1999:blog-5019494622639208417.post-8153886146206802582010-06-23T07:59:00.010+02:002011-02-23T18:55:12.447+01:00:::SPAS3C-WV-003:::Google IO XSS/HTML Injection Vulnerability<div style="text-align: justify;"><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwm3PiSU6auaoKMR4JdZpIuKXkHC7EKusrq52WwcaDyVp4PPrQzBojF0FpxI_QG9n2Y2PdGFUfVmwK17jYA3jnqbjJ0UjGqEtD9T1agkI26Pe07RlInIBkatY8T-c3-aNNnCehANHijC8B/s1600-r/Google+3600x1500.jpg"><img style="cursor: pointer; width: 150px; height: 62px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwm3PiSU6auaoKMR4JdZpIuKXkHC7EKusrq52WwcaDyVp4PPrQzBojF0FpxI_QG9n2Y2PdGFUfVmwK17jYA3jnqbjJ0UjGqEtD9T1agkI26Pe07RlInIBkatY8T-c3-aNNnCehANHijC8B/s1600-r/Google+3600x1500.jpg" alt="" border="0" /></a><br /><br /></div></div><div style="text-align: justify;">This post is about a bug discovered in <a href="https://www.google-io.com/">Google IO</a> (XSS/HTML Injection)<br /><br /></div><span style="color: rgb(255, 0, 0); font-weight: bold;">Risk: Medium</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqsjlGp-luT88_sV73nYM8xa5dUqc6zOndk0iOGujzioXvBtwpAZjblfBpFNr1zMHVhFMnQbvcTZBqemAjlZkRH_nQPm2d4L3oWoqKPA-yLMKL0V19DU1IxgS5vvVu8Zn8GxSeLG50mM4t/s1600/google-io.JPG"><img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 
250px; height: 76px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqsjlGp-luT88_sV73nYM8xa5dUqc6zOndk0iOGujzioXvBtwpAZjblfBpFNr1zMHVhFMnQbvcTZBqemAjlZkRH_nQPm2d4L3oWoqKPA-yLMKL0V19DU1IxgS5vvVu8Zn8GxSeLG50mM4t/s400/google-io.JPG" alt="" id="BLOGGER_PHOTO_ID_5485839006190868210" border="0" /></a><br />"Google I/O brings together thousands of developers for two days of deep technical content, focused on building the next generation of web, mobile, and enterprise applications with Google and open web technologies such as Android, Google Chrome, Google APIs, Google Web Toolkit, App Engine, and more."<br /><br />Source: <a href="http://code.google.com/events/io/2010/about.html">here</a><br /><br /><div style="text-align: justify;">The GET parameter "error" was vulnerable to XSS/HTML code injection, but some tags and JavaScript event handlers were filtered to make exploitation harder (a blacklist, which the PoCs below get around with events the filter did not cover).<br /></div><div style="text-align: justify;">I also noticed, looking at the page source, that the error parameter triggered a SQL error, so I tried a SQL injection, but it did not work.<br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Proof of concept:</span></span><br /><br /><span style="font-weight: bold;">Indirect</span>. User interaction needed (JavaScript event: onmouseout) -> <a href="https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin&error=36%22%3E%3Ca%20href=%22http://www.malware.es%22%20onmouseover=%22alert%281%29%22%3EHOLA%20GOOGLE%3C/a%3E" target="_blank">https://www.google-io.com/<wbr>2010/index.cfm?fuseaction=reg.<wbr>ReturnLogin&error=36%22%3E%<wbr>3Ca%20href=%22http://www.<wbr>malware.es%22%20onmouseout=%<wbr>22alert%281%29%22%3EHOLA%<wbr>20GOOGLE%3C/a%3E</a><br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9TT3IJsMP_uWUE38lwGcLRr_EUTcLUG5Prw-QAnj5qJ1p4WGdqY4Ck1_n-p0hC5HQvkpCgXJS9CNh4VD2Jb6iBdnOAhZrE9Onixo5HfSesI7xAqoA3B5ZaW4n1yKNAnYO-k53IcJp2LFc/s1600/xss_1.JPG"><img style="cursor: pointer; width: 400px; height: 218px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9TT3IJsMP_uWUE38lwGcLRr_EUTcLUG5Prw-QAnj5qJ1p4WGdqY4Ck1_n-p0hC5HQvkpCgXJS9CNh4VD2Jb6iBdnOAhZrE9Onixo5HfSesI7xAqoA3B5ZaW4n1yKNAnYO-k53IcJp2LFc/s400/xss_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5485846059604102610" border="0" /></a><br /><span style="font-size:85%;"><span style="font-style: italic;">Fig.1: XSS (Indirect) and HTML Injection.</span></span><br /></div><br /><span style="font-weight: bold;">Direct</span>. No user interaction needed (JavaScript event: onerror) -> <a href="https://www.google-io.com/2010/index.cfm?fuseaction=reg.ReturnLogin&error=36%22%3E%3Ch1%3E%3Cimg%20src=%22pepe.jpg%22%20onerror=%22alert%281%29%22%3EHI%20GOOGLE%20SECURITY%20TEAM%20I%27M%20%20ONLY%20TESTING%3C/a%3E%3C/h1%3E" target="_blank">https://www.google-io.com/<wbr>2010/index.cfm?fuseaction=reg.<wbr>ReturnLogin&error=36%22%3E%<wbr>3Ch1%3E%3Cimg%20src=%22pepe.<wbr>jpg%22%20onerror=%22alert%281%<wbr>29%22%3EHI%20GOOGLE%<wbr>20SECURITY%20TEAM%20I%27M%20%<wbr>20ONLY%20TESTING%3C/a%3E%3C/<wbr>h1%3E</a><br /><br /></div><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFUIB0erWgFr0D2eJG8HTOUIXcA198473jBhs1cHvUAwYEalXk6W1GRDT2TyGLR4KLrSCyH65h9LjWvghRZXjNsOViqYMF8WmDKR8dg1v0nwbgzUl6pskmbnxqOpOsJfQKNvLMNs8QcSsN/s1600/xss_2.JPG"><img style="cursor: pointer; width: 400px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFUIB0erWgFr0D2eJG8HTOUIXcA198473jBhs1cHvUAwYEalXk6W1GRDT2TyGLR4KLrSCyH65h9LjWvghRZXjNsOViqYMF8WmDKR8dg1v0nwbgzUl6pskmbnxqOpOsJfQKNvLMNs8QcSsN/s400/xss_2.JPG" alt="" id="BLOGGER_PHOTO_ID_5485846249606741042" border="0" /></a><br /><span style="font-size:85%;"><span style="font-style: italic;">Fig.2: XSS (Direct) and HTML Injection.</span></span><br /></div><br /><span style="font-weight: bold;">Be safe ;)</span>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-5019494622639208417.post-81081146703875046612010-06-11T13:05:00.010+02:002011-02-23T18:55:26.498+01:00:::SPAS3C-SV-001:::NGINX [ENGINE X] SERVER <= 0.7.65 /0.8.39 SOURCE CODE DISCLOSURE/DOWNLOAD VULN. (CVE-2010-2263)<div style="text-align: justify;">I found this vulnerability one week ago, but while I was waiting for a CVE number somebody published a similar advisory without checking. 
This researcher made a public disclosure against an old release and also claimed that it is not fixed, which is false (at least the Source Code Disclosure/Download issue was fixed in the latest releases).<br /></div><br /><div style="text-align: justify;">Copied from the ChangeLog for 0.8.40/0.7.66 (the final releases in the development/stable channels):<br /></div><br /><span style="color: rgb(255, 0, 0);">-------------------------START-COPY-------------------------------</span><br /><br />Changes with nginx 0.8.40 07 Jun 2010<br /><br /><div style="text-align: justify;"> *) Security: now nginx/Windows ignores default file stream name.<br /></div> Thanks to Jose Antonio Vazquez Gonzalez.<br /><br />*) Feature: the ngx_http_uwsgi_module.<br /> Thanks to Roberto De Ioris.<br /><br />*) Feature: a "fastcgi_param" directive with value starting with<br /> "HTTP_" overrides a client request header line.<br /><br />*) Bugfix: the "If-Modified-Since", "If-Range", etc. client request<br /> header lines were passed to FastCGI-server while caching.<br /><br />*) Bugfix: listen unix domain socket could not be changed during<br /> reconfiguration.<br /> Thanks to Maxim Dounin.<br /><br /><span style="color: rgb(255, 0, 0);">-------------------------END-COPY-------------------------------</span><br /><br />But the vulnerability databases did not seem to confirm any of it.<br /><br />This is my advisory:<br /><br /><span style="color: rgb(255, 0, 0);">-------------------------START-ADVISORY-------------------------------</span><br /><br /><div style="text-align: justify;">TITLE: NGINX [ENGINE X] SERVER <= 0.7.65 (STABLE)/0.8.39 (DEVELOPMENT) SOURCE CODE DISCLOSURE/DOWNLOAD VULNERABILITY<br /><br />TESTED OS: WINDOWS XP SP3/ WINDOWS 7 HOME PREMIUM<br />SEVERITY: HIGH<br />CVE-NUMBER: CVE-2010-2263<br />IMPACT: READ/DOWNLOAD SOURCE CODE OF WEB APP FILES<br />DISCOVERED DATE: 2010-06-04<br />FIXED DATE: 2010-06-07<br />FIXED VERSIONS: NGINX/0.8.40 AND NGINX/0.7.66<br />DISCOVERED BY: JOSE ANTONIO VAZQUEZ GONZALEZ<br /><br />======ABOUT APPLICATION======<br /><br /><div style="text-align: justify;">"nginx [engine x] is a HTTP and reverse proxy server, as well as a mail proxy server written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including Rambler (RamblerMedia.com). According to Netcraft nginx served or proxied 4.70% busiest sites in April 2010. Here are some of success stories: FastMail.F, Wordpress.com. The sources are licensed under 2-clause BSD-like license." copied from -> http://nginx.org/en/ [ref-1]<br /></div></div><br />======TESTED VERSIONS=====<br /><br />Unix versions are not vulnerable (the issue only affects the NTFS file system)<br /><br />Windows Stable versions:<br /><br />nginx/0.7.66 --> Not vulnerable<br />nginx/0.7.65 --> Vulnerable<br />nginx/0.7.64 --> Vulnerable<br />nginx/0.7.63 --> Vulnerable<br />nginx/0.7.62 --> Vulnerable<br />nginx/0.7.61 --> Vulnerable<br />nginx/0.7.60 --> Vulnerable<br />nginx/0.7.59 --> Vulnerable<br />nginx/0.7.58 --> Vulnerable<br />nginx/0.7.56 --> Vulnerable<br /><br />Windows Development versions:<br /><br />nginx/0.8.40 --> Not vulnerable<br />nginx/0.8.39 --> Vulnerable<br />nginx/0.8.38 --> Vulnerable<br />nginx/0.8.37 --> Vulnerable<br />nginx/0.8.36 --> Vulnerable<br />nginx/0.8.35 --> Vulnerable<br />nginx/0.8.34 --> Vulnerable<br />nginx/0.8.33 --> Vulnerable<br />nginx/0.8.32 --> Vulnerable<br />nginx/0.8.31 --> Vulnerable<br />nginx/0.8.30 --> Vulnerable<br /><br />======DESCRIPTION======<br /><br /><div style="text-align: justify;">The application was vulnerable to source code disclosure/download when running on Windows (NTFS file system).<br /></div><div style="text-align: justify;">The server's request parser did not understand NTFS Alternate Data Streams (ADS): a request naming a data stream was treated as a request for an ordinary file whose name happens to end in "::$data", so the handler chosen for the real extension (the script engine) was never selected, while the operating system opened the very same file and returned its raw bytes. 
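The following Python model, added here as an illustration and not taken from nginx, shows the dispatch decision behind that description: an extension-based router handed a name with an NTFS stream suffix, beside the check the fixed versions apply (ignore the default stream, refuse any other). The routing table, file names and helper names are assumptions made for the example.

```python
"""Model of the NTFS alternate data stream (ADS) bypass behind CVE-2010-2263.

Added example for this post, not nginx source. On NTFS, "index.php::$DATA"
names the unnamed data stream of index.php, i.e. the same bytes the OS returns
for "index.php". A server that chooses its handler from the extension of the
*requested* name sees ".php::$data", finds no rule for it, falls back to the
static-file handler and sends the script source to the client.
"""
from __future__ import annotations

import posixpath
from typing import Dict, List, Optional, Tuple

# Constructed routing table (assumption; nginx derives this from location blocks).
ROUTES: Dict[str, str] = {".php": "fastcgi", ".html": "static", ".txt": "static"}
STATIC_HANDLER = "static"
DEFAULT_STREAM = "::$DATA"  # file::$DATA is the file's default (unnamed) data stream


def split_ntfs_stream(name: str) -> Tuple[str, str]:
    """'index.php::$DATA' -> ('index.php', '::$DATA'); 'a.txt' -> ('a.txt', '')."""
    base, sep, rest = name.partition(":")
    return base, sep + rest


def vulnerable_handler(uri: str) -> str:
    """Dispatch as modelled for nginx/Windows before 0.7.66 / 0.8.40: the extension
    is taken from the raw name, so 'index.php::$data' looks like an unknown type."""
    _, ext = posixpath.splitext(posixpath.basename(uri))
    return ROUTES.get(ext.lower(), STATIC_HANDLER)


def fixed_handler(uri: str) -> Optional[str]:
    """Dispatch after the fix: the default stream suffix is ignored (the file is
    routed as itself) and any other stream reference is refused (None -> 404)."""
    base, stream = split_ntfs_stream(posixpath.basename(uri))
    if stream and stream.upper() != DEFAULT_STREAM:
        return None
    _, ext = posixpath.splitext(base)
    return ROUTES.get(ext.lower(), STATIC_HANDLER)


def leaking_requests(uris: List[str]) -> List[str]:
    """Return the '::$DATA' variants that the vulnerable dispatcher would serve raw
    although the plain URI goes to a script handler, i.e. the source leaks."""
    leaks = []
    for uri in uris:
        ads = uri + DEFAULT_STREAM
        if (vulnerable_handler(uri) != STATIC_HANDLER
                and vulnerable_handler(ads) == STATIC_HANDLER):
            leaks.append(ads)
    return leaks


if __name__ == "__main__":
    # Constructed sample document root; only the script files are at risk.
    sample = ["/index.php", "/readme.txt", "/admin/config.php"]
    for u in sample:
        ads = u + DEFAULT_STREAM
        print(f"{ads:32} vulnerable={vulnerable_handler(ads):8} fixed={fixed_handler(ads)}")
    print("leaks:", leaking_requests(sample))
```

The same check works as a quick audit of any Windows-hosted server: list the script files under the document root, request each one with "::$DATA" appended and compare the response body with the rendered page; a raw source listing means the dispatcher still routes by the unparsed name.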
An attacker could therefore read/download the source code of web application files by requesting the default (unnamed) data stream: "filename::$data".<br /></div><br />This issue is like an old security issue in Microsoft Windows IIS [ref-2].<br /><br />======PROOF OF CONCEPT======<br /><br />http://[IP]/[FILE]::$data<br /><br />======STEPS TO REPRODUCE======<br /><br />1.- Start the server.<br /><br />2.- Go to http://127.0.0.1/index.html::$data<br /><br />3.- The browser offers the file for download; save it and open it.<br /><br />======REFERENCES======<br /><br />[ref-1] -> http://nginx.org/<br /><div style="text-align: justify;">[ref-2] -> http://www.microsoft.com/technet/security/bulletin/ms98-003.mspx<br /></div><br /><br />======DISCLOSURE TIMELINE======<br /><br />Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)<br /><br /><div style="text-align: justify;">[2010-06-04] => Initial contact with the vendor; advisory sent.<br /></div><div style="text-align: justify;">[2010-06-04] => Vendor responds, believing the vulnerability was fixed in a previous release.<br /></div><div style="text-align: justify;">[2010-06-04] => I confirm that nginx is vulnerable on Windows 7.<br /></div>[2010-06-04] => Vendor will look into the issue.<br />[2010-06-04] => Vendor confirms the issue and will fix it on Monday.<br />[2010-06-07] => New releases out.<br />[2010-06-07] => I send the complete advisory and propose Wednesday as the disclosure date.<br />[2010-06-10] => Second request to confirm public disclosure.<br />[2010-06-10] => Vendor agrees.<br />[2010-06-11] => Forced public disclosure.<br /><br />======CREDITS=======<br /><br />Jose Antonio Vazquez Gonzalez,<br />Telecom. Engineer & Sec. 
Researcher.<br />http://spa-s3c.blogspot.com/<br /><br /><div style="text-align: justify;">Thanks to Ruben Santamarta (@reversemode) and Jose Maria Alonso (@maligno) for their support in other issues.<br /></div><br /><span style="color: rgb(255, 0, 0);">-------------------------END-ADVISORY-------------------------------</span><br /><br /><div style="text-align: justify;">This is a visual Proof Of Concept:<br /><br /></div><div style="text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dxqhkggir-i3PaOYqAgTr_pGrYNE-ZsEj-0IITCAFg0OVGfH2iLvygS9IATg_RWqWUB5jjwfOWt-CvJYLyR4w' class='b-hbp-video b-uploaded' frameborder='0'></iframe><br /><div style="text-align: justify;"><br />Watch on youtube -> <a href="http://www.youtube.com/watch?v=DvQtvV8kQhY">http://www.youtube.com/watch?v=DvQtvV8kQhY</a><br /><br /><div style="text-align: justify;">Being good (responsible disclosure) has its disadvantages...bye bye, my first software advisory :(<br /><br /><span style="font-weight: bold;">Update: Thanks to Exploit-DB and SecurityFocus, which have updated (or will update) their databases and published (or will publish) my advisory.</span><br /></div><br /></div><div style="text-align: justify;"><span style="font-weight: bold;">Be safe ;)</span><br /></div></div>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-5019494622639208417.post-60384349572998718472010-06-09T11:17:00.003+02:002011-02-23T18:56:17.243+01:00:::SPAS3C-WV-002:::Google App (Ventures) BSQLi Vulnerability<div style="text-align: justify;"><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwm3PiSU6auaoKMR4JdZpIuKXkHC7EKusrq52WwcaDyVp4PPrQzBojF0FpxI_QG9n2Y2PdGFUfVmwK17jYA3jnqbjJ0UjGqEtD9T1agkI26Pe07RlInIBkatY8T-c3-aNNnCehANHijC8B/s1600-r/Google+3600x1500.jpg"><img style="cursor: pointer; width: 150px; height: 62px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwm3PiSU6auaoKMR4JdZpIuKXkHC7EKusrq52WwcaDyVp4PPrQzBojF0FpxI_QG9n2Y2PdGFUfVmwK17jYA3jnqbjJ0UjGqEtD9T1agkI26Pe07RlInIBkatY8T-c3-aNNnCehANHijC8B/s1600-r/Google+3600x1500.jpg" alt="" border="0" /></a><br /><br /></div>One month ago, I found several vulnerabilities in Google's sites.<br /><br /></div><div style="text-align: justify;">All of these issues have been fixed, and I want to say that the Google Security Team did a good job and fixed them quickly.<br /></div><br /><div style="text-align: justify;">All issues were discovered between 4 May and 9 May (2010, of course).</div><br /><div style="text-align: justify;">This issue is the most important in my opinion: Blind SQL Injection in <a href="http://www.google.com/ventures/">googleventures.com</a><br /><br /></div><span style="color: rgb(255, 0, 0); font-weight: bold;">Risk: High</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi65r8RnNymt4Hc1dxXhllPi4ylb2U5cSzJyxad4-RoNDaRSrWN0n5DJ-233QTYr2F1F2SPwioZ0ltlw2LCjEb3XoKBAS4FMcGFvSpHV4hV5M_hcWb76YoGO2MrXgmcYI3x1t4Xwmn5FOb4/s1600/googleventures.bmp"><img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 195px; height: 71px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi65r8RnNymt4Hc1dxXhllPi4ylb2U5cSzJyxad4-RoNDaRSrWN0n5DJ-233QTYr2F1F2SPwioZ0ltlw2LCjEb3XoKBAS4FMcGFvSpHV4hV5M_hcWb76YoGO2MrXgmcYI3x1t4Xwmn5FOb4/s400/googleventures.bmp" alt="" id="BLOGGER_PHOTO_ID_5470120540891530098" border="0" /></a><br /><br />Google 
Ventures is Google’s venture capital arm.<br /><br /><div style="text-align: justify;">We do primarily three things:<br /></div><div style="text-align: justify;"><ol><li>Seek out the most innovative and interesting entrepreneurs and companies we can find</li><li>Perform in-depth due diligence and invest in those we are most excited about</li><li>Do everything we can to help those companies succeed<br /></li></ol></div><div style="text-align: justify;">We invest for financial return, across all sectors and in all stages of a company’s growth. We are particularly interested in areas where access to our team, facilities, technology or other resources can help a company become more successful, but we do not limit our investments to those of strategic interest to Google – we look for companies and people that have the best opportunity to create significant, disruptive and innovative ventures. <br /></div><br />Source: <a href="http://www.google.com/ventures/about.html">here</a><br /><br />The site was built with PHP+MySQL (at least in parts), and the GET parameter "jobid" of jobdetail.php was injectable: the response differs depending on whether the injected condition is true or false, which is what makes a boolean-based blind SQL injection possible.<br /><br /><div style="text-align: center;"><span style="font-weight: bold;">Proofs Of Concept (Searching MySQL version)</span><br /></div><br />Result: 1=1 (True), so the MySQL major version is 5<br /><br />Link PoC -> <a href="http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF%28substring%28@@version,1,1%29=5,1,0%29=1--">http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=5,1,0)=1--</a><br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGC6EDqSvFVnvTb07KNzASv8cmtL_kbiagfR-vFJQyQXtgm4fT5wz0e478_7BoRNYYD-zy4epENHZSK-aBeasrMijomcOcrqNBCdkM92_uWqpgg7B6HiPerGY3ubyFNELDeYYipFEQQw_M/s1600/captura_hidden_true.JPG"><img style="cursor: pointer; width: 400px; height: 
220px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGC6EDqSvFVnvTb07KNzASv8cmtL_kbiagfR-vFJQyQXtgm4fT5wz0e478_7BoRNYYD-zy4epENHZSK-aBeasrMijomcOcrqNBCdkM92_uWqpgg7B6HiPerGY3ubyFNELDeYYipFEQQw_M/s400/captura_hidden_true.JPG" alt="" id="BLOGGER_PHOTO_ID_5470110537994025762" border="0" /></a><br /><span style="font-style: italic;">Fig. 1: BSQLi. True result.</span><br /></div><br />Return 1=0 (False), so MySQL version isn't 4.<br /><br />Link PoC -> <a href="http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF%28substring%28@@version,1,1%29=4,1,0%29=1--">http://jobs.googleventures.com/jobdetail.php?jobid=39109+AND+IF(substring(@@version,1,1)=4,1,0)=1--</a><br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgahUV49LvFcPo1JKp6Uapetj9mZWRx4btdT4gQl2fma0pChQzUxiAQ39wYhVbCEPFwp9aUCN3-V494f8b4zSXDsFkCZoWFoesXkghhwkn1ag93WoW9GTWapPkXoD5VwibRTh_lfZA6uUND/s1600/captura_hidden_false.JPG"><img style="cursor: pointer; width: 400px; height: 185px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgahUV49LvFcPo1JKp6Uapetj9mZWRx4btdT4gQl2fma0pChQzUxiAQ39wYhVbCEPFwp9aUCN3-V494f8b4zSXDsFkCZoWFoesXkghhwkn1ag93WoW9GTWapPkXoD5VwibRTh_lfZA6uUND/s400/captura_hidden_false.JPG" alt="" id="BLOGGER_PHOTO_ID_5470110476723064434" border="0" /></a><br /><span style="font-style: italic;">Fig. 2: BSQLi. 
False result.</span><br /></div><br />I also tried a UNION SELECT injection, but it did not work.<br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh1BEN0jCglZ4Dp_mozxf7wj6AwBJD4FvAyiYXwX7LXTyDZW4eUOxI-yez9Jb0ZtWnKrZusR8iLVUIPMC9XUk_M1nyW-a0kLLs4Bc9oBp6PDB87KU74Ias3AEvOcy6-sXfq81GJvIPe14D/s1600/captura_hidden_union_select.JPG"><img style="cursor: pointer; width: 400px; height: 106px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh1BEN0jCglZ4Dp_mozxf7wj6AwBJD4FvAyiYXwX7LXTyDZW4eUOxI-yez9Jb0ZtWnKrZusR8iLVUIPMC9XUk_M1nyW-a0kLLs4Bc9oBp6PDB87KU74Ias3AEvOcy6-sXfq81GJvIPe14D/s400/captura_hidden_union_select.JPG" alt="" id="BLOGGER_PHOTO_ID_5470110598708130434" border="0" /></a><br /><span style="font-style: italic;">Fig. 3: Trying SQL Injection "Union Select". MySQL error.</span><br /></div><br />I did not research further because I considered this enough.<br /><br /><span style="font-weight: bold;">Be safe ;)</span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5019494622639208417.post-67522333768784828322010-05-18T15:57:00.008+02:002010-05-18T16:49:03.366+02:00Mini-study of Strings (SingleQuote vs DoubleQuote) in PHP<div style="text-align: justify;"><div style="text-align: justify;">Reading <a href="http://skypher.com/">Skylined's blog</a>, his latest post inspired me to do a similar analysis, in Spanish and somewhat more statistical.
<br />
<br /></div>When programming in PHP, we can write strings in the following way:
<br /></div>
<br /><span style="color: rgb(102, 102, 102);">$string="This is a simple string with double quotes";</span>
<br />or alternatively,
<br /><span style="color: rgb(102, 102, 102);">$string='This is a simple string with single quotes';</span>
<br />
<br /><div style="text-align: justify;">This post is a study, or comparison, of both methods.
<br /></div>
<br /><div style="text-align: justify;">First, it must be made clear that PHP handles the two kinds of quoting differently. Double-quoted strings are evaluated, that is, variables inside them are interpolated, which means they can be used like this:
<br /></div>
<br /><span style="color: rgb(102, 102, 102);">$stringconcat="string2";</span>
<br /><span style="color: rgb(102, 102, 102);">$string="This is a string with $stringconcat";</span>
<br />
<br /><div style="text-align: justify;">In this example, the double-quoted string first has to evaluate the variable $stringconcat and substitute its content, so it performs one evaluation; with more variables it performs that many evaluations.
<br /></div><div style="text-align: justify;">Single quotes, however, cannot be used this way (this is wrong: single-quoted strings are not interpolated, so $string ends up containing the literal text $stringconcat):
<br /></div>
<br /><span style="color: rgb(102, 102, 102);">$stringconcat="string2";</span>
<br /><span style="color: rgb(102, 102, 102);">$string='This is a string with $stringconcat';</span>
<br />
<br /><div style="text-align: justify;">Writing a simple PHP script that performs a given number of runs with different kinds of strings and stores the timings in a file, such as this one:
<br /></div><span style="color: rgb(102, 102, 102);"></span>
<br /><span style="color: rgb(102, 102, 102);">// appends one line per run to resultado.txt: five tab-separated timings in seconds</span>
<br /><span style="color: rgb(102, 102, 102);">$handle=fopen("resultado.txt","a");</span>
<br /><span style="color: rgb(102, 102, 102);">for($j=1;$j<=50;$j++){</span>
<br /> <span style="color: rgb(102, 102, 102);">// DQ, no variable (double quotes alone)</span>
<br /> <span style="color: rgb(102, 102, 102);">$time = microtime(true); // float timestamp; microtime() without true returns a string and breaks the subtraction</span>
<br /> <span style="color: rgb(102, 102, 102);">for($i=0;$i<1000;++$i){</span>
<br /> <span style="color: rgb(102, 102, 102);"> $$i = "A string without a number";</span>
<br /> <span style="color: rgb(102, 102, 102);">}</span>
<br /> <span style="color: rgb(102, 102, 102);">fwrite($handle,(microtime(true)-$time)."\t");</span>
<br /> <span style="color: rgb(102, 102, 102);">// SQ, no variable (single quotes alone)</span>
<br /> <span style="color: rgb(102, 102, 102);">$time = microtime(true);</span>
<br /> <span style="color: rgb(102, 102, 102);">for($i=0;$i<1000;++$i){</span>
<br /> <span style="color: rgb(102, 102, 102);"> $$i = 'A string without a number';</span>
<br /> <span style="color: rgb(102, 102, 102);">}</span>
<br /> <span style="color: rgb(102, 102, 102);">fwrite($handle,(microtime(true)-$time)."\t");</span>
<br /> <span style="color: rgb(102, 102, 102);">// DQ, interpolated variable</span>
<br /> <span style="color: rgb(102, 102, 102);">$time = microtime(true);</span>
<br /> <span style="color: rgb(102, 102, 102);">for($i=0;$i<1000;++$i){</span>
<br /> <span style="color: rgb(102, 102, 102);"> $$i = "A string $i with a number";</span>
<br /> <span style="color: rgb(102, 102, 102);">}</span>
<br /> <span style="color: rgb(102, 102, 102);">fwrite($handle,(microtime(true)-$time)."\t");</span>
<br /> <span style="color: rgb(102, 102, 102);">// DQ, concatenation</span>
<br /> <span style="color: rgb(102, 102, 102);">$time = microtime(true); // the clock must be reset before every block, otherwise this timing includes the previous one</span>
<br /> <span style="color: rgb(102, 102, 102);">for($i=0;$i<1000;++$i){</span>
<br /> <span style="color: rgb(102, 102, 102);"> $$i = "A string ".$i." concatenated with a number";</span>
<br /> <span style="color: rgb(102, 102, 102);">}</span>
<br /> <span style="color: rgb(102, 102, 102);">fwrite($handle,(microtime(true)-$time)."\t");</span>
<br /> <span style="color: rgb(102, 102, 102);">// SQ, concatenation</span>
<br /> <span style="color: rgb(102, 102, 102);">$time = microtime(true);</span>
<br /> <span style="color: rgb(102, 102, 102);">for($i=0;$i<1000;++$i){</span>
<br /> <span style="color: rgb(102, 102, 102);"> $$i = 'A string '.$i.' concatenated with a number';</span>
<br /> <span style="color: rgb(102, 102, 102);">}</span>
<br /> <span style="color: rgb(102, 102, 102);">fwrite($handle,(microtime(true)-$time)."\r\n");</span>
<br /><span style="color: rgb(102, 102, 102);">}</span>
<br /><span style="color: rgb(102, 102, 102);">fclose($handle);</span>
<br /><span style="color: rgb(102, 102, 102);">echo "Done! Now import the data into an Excel sheet...";</span>
<br />
<br /><div style="text-align: justify;">Here we perform 50 runs, split among 5 kinds of strings: double quotes (alone), single quotes (alone), double quotes with a number, double quotes with one concatenation and single quotes with one concatenation. The timing results are stored in the file resultado.txt. These data are then imported into Excel, and I have produced some charts that show some interesting results.
<br /></div><div style="text-align: justify;">
<br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQzIqP5VVWwbRJIa2sA5P5KMYuSXZIQkEAfbJ4Tz2jGxA3e7QetPmT2h6ybNzgwISfHz-w-cF6vGRYnRzK4BnFewnmcBP7fnu-8NBajfLkDp4OTqCW1K3fu1AGN92K9xPO9_zJtxrhzVlE/s1600/lineas.JPG"><img style="cursor: pointer; width: 400px; height: 241px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQzIqP5VVWwbRJIa2sA5P5KMYuSXZIQkEAfbJ4Tz2jGxA3e7QetPmT2h6ybNzgwISfHz-w-cF6vGRYnRzK4BnFewnmcBP7fnu-8NBajfLkDp4OTqCW1K3fu1AGN92K9xPO9_zJtxrhzVlE/s400/lineas.JPG" alt="" id="BLOGGER_PHOTO_ID_5472612647727132546" border="0" /></a>
<br /></div><div style="text-align: center;"><span style="font-style: italic;">Fig.1: Times of 50 runs.</span>
<br /></div></div>
<br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHwSPujZesd0HFWL-4o3wC42_T0f6MAUuC6ic8O6WY4uH_ddTBc0viezny9dk_lnMjgeVS4_XFVYmmmh6s8V2t7S-lKyT1bMz54QzVGfwJbUWxJnFO5qGll8o4NYL37xSAHfMiubLbydyz/s1600/promedio.JPG"><img style="cursor: pointer; width: 400px; height: 241px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHwSPujZesd0HFWL-4o3wC42_T0f6MAUuC6ic8O6WY4uH_ddTBc0viezny9dk_lnMjgeVS4_XFVYmmmh6s8V2t7S-lKyT1bMz54QzVGfwJbUWxJnFO5qGll8o4NYL37xSAHfMiubLbydyz/s400/promedio.JPG" alt="" id="BLOGGER_PHOTO_ID_5472613131550960818" border="0" /></a>
<br /></div><div style="text-align: center;"><span style="font-style: italic;">Fig.2: Average of 50 runs.</span>
<br /></div>
<br /><div style="text-align: justify;">In these charts we can see that double quotes with one concatenation produce the largest execution delay, followed by double quotes with the number. Next come single quotes with one concatenation and finally plain double quotes and plain single quotes.
<br /></div>
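As an added example (not code from the original post), here is a small PHP script that stands in for the Excel step: it reads the resultado.txt written by the benchmark above and reports mean and sample standard deviation for each string type, so the gaps seen in the charts can be compared against run-to-run noise. It assumes the file layout the benchmark writes (one run per line, five tab-separated durations in seconds, in the order the columns were described); the sample data inside it is constructed, not measured.

```php
<?php
// Added example, not code from the original post. It replaces the "import
// into Excel" step: it reads the tab-separated resultado.txt written by the
// benchmark (one run per line, five durations in seconds, in the order the
// post lists them) and reports mean and sample standard deviation per string
// type, so the differences can be judged against run-to-run noise.

const COLUMN_LABELS = [
    'double quotes (plain)',
    'single quotes (plain)',
    'double quotes with number',
    'double quotes concatenated',
    'single quotes concatenated',
];

/**
 * Parse the results file into rows of floats, skipping blank or malformed
 * lines (for instance a run that was interrupted halfway through).
 */
function readResults(string $path): array
{
    $rows = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $fields = explode("\t", rtrim($line, "\r\n"));
        if (count($fields) !== count(COLUMN_LABELS)) {
            continue;
        }
        if (array_filter($fields, fn($f) => !is_numeric($f))) {
            continue;
        }
        $rows[] = array_map('floatval', $fields);
    }
    return $rows;
}

/** Mean and sample standard deviation of each column, keyed by label. */
function summarize(array $rows): array
{
    $summary = [];
    foreach (COLUMN_LABELS as $index => $label) {
        $values = array_column($rows, $index);
        $n = count($values);
        $mean = $n > 0 ? array_sum($values) / $n : 0.0;
        $sumSq = 0.0;
        foreach ($values as $v) {
            $sumSq += ($v - $mean) ** 2;
        }
        $summary[$label] = [
            'runs'   => $n,
            'mean'   => $mean,
            'stddev' => $n > 1 ? sqrt($sumSq / ($n - 1)) : 0.0,
        ];
    }
    return $summary;
}

// Constructed sample data standing in for a real resultado.txt so the script
// runs offline; these numbers are made up, not measurements.
$sample = tempnam(sys_get_temp_dir(), 'resultado');
file_put_contents($sample,
    "0.000310\t0.000250\t0.000400\t0.000450\t0.000330\r\n" .
    "0.000300\t0.000260\t0.000410\t0.000440\t0.000320\r\n" .
    "0.000320\t0.000240\t0.000390\t0.000460\t0.000340\r\n");

foreach (summarize(readResults($sample)) as $label => $stats) {
    printf("%-28s runs=%d mean=%.6f s stddev=%.6f s\n",
        $label, $stats['runs'], $stats['mean'], $stats['stddev']);
}
unlink($sample);
```

A difference between two means that is smaller than their standard deviations is noise, not a result; point the script at the real resultado.txt before drawing conclusions from the charts.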
<br /><div style="text-align: justify;">From all this we conclude that single quotes are the best option performance-wise and that, in general, using double quotes is not a good idea (because of the delays caused by the evaluations). This is definitely going to change the way I work with strings in PHP.
<br />
<br /><span style="font-weight: bold;">Be safe ;)</span>
<br /></div>
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5019494622639208417.post-35278595186723325112010-05-14T12:58:00.017+02:002010-05-15T03:47:31.487+02:00More and more websites from the government (ZP 2.0)<div style="text-align: justify;">Following what happened some time ago at the launch of <a href="http://www.diariocritico.com/2010/Enero/europa/188867/moncloa-hacker-europa-web-bean.html">eu2010</a>, and since nowadays Mr. Zapatero and his government do not arouse much enthusiasm, with their cuts, "tijeretazos", etc., I have decided to write this entry as a critique of the countless new websites promoted by the government.<br /></div><br /><div style="text-align: justify;">Honestly, what has caught my attention most, apart from the examples I am going to show, are the higher-risk cases, which obviously I am not going to disclose, but which lead me to one conclusion: the security of its websites does not matter to the government. What really seems to matter is the idea: create portals at will.<br /></div><br /><div style="text-align: justify;">These cases, mostly code injection into the DB and local file inclusion (LFI), are found on Oracle, MS Server, MySQL, etc. databases, using server-side languages such as PHP, ASP, ASPX, etc.<br /></div><br /><div style="text-align: justify;">In some cases (at the start of the legislature) the most recommended or most expensive technology is used, and yet security is zero. Others (already in the crisis) show the rush to get a portal finished as soon as possible and at the lowest price, not minding the use of a totally outdated DB and a shared server where all of them (and this is no joke, few are spared), including this very one, are vulnerable (zero security again).<br /><br />The final point I want to make clear is that this government, the government of Mr. 
Rodriguez Zapatero, has devoted itself to creating websites for almost anything that came to mind, not caring at all about the security of those portals, treating that security as a mere matter of robust technology while at the same time squandering as much money as possible.<br /><br /><div style="text-align: justify;">Another matter is the denial of the aforementioned <a href="http://www.diariocritico.com/2010/Enero/europa/188867/moncloa-hacker-europa-web-bean.html">eu2010</a> case as a non-hack, since for them anything that does not affect the web server will not be considered a hack. This mentality, of not caring about the security of the end user (as in an XSS or HTML injection) and worrying exclusively about the security of their server, is the greatest of the parallels (security world vs. real world) we suffer from today.<br /></div></div><br /><div style="text-align: justify;">Having said all that, I leave some "amusing" screenshots of our highest political representative on some of his famous current and former websites. People will say they are "graffiti", that they are not hacks, or... why bother, when it would have been easier to set "DesignMode=ON" and start retouching. 
But <span style="font-weight: bold;">the reality is that these are web vulnerabilities, that they are security issues and that they must be reviewed</span>.<br /><br /><span style="font-weight: bold;">Site: </span><a style="font-weight: bold;" href="http://www.mpt.es/busqueda.html">http://www.mpt.es/busqueda.html</a><br /><span style="font-weight: bold;">Method: POST</span><br /><span style="font-weight: bold;">Vuln type: HTML Injection</span><br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9pDACfUdYsCvcZEUitPI0qXjpMThPqFXNnPWbzUGb8ETdCywxekZKdnUac0MCU5SM_WjiXeZt7y7tniapnEcDsgxNoaWKZw5vW-mvUh7HQIoJE90LT6mGBrGd_7rjfPAquFhIEGFaQmz4/s1600/1.JPG"><img style="cursor: pointer; width: 400px; height: 237px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9pDACfUdYsCvcZEUitPI0qXjpMThPqFXNnPWbzUGb8ETdCywxekZKdnUac0MCU5SM_WjiXeZt7y7tniapnEcDsgxNoaWKZw5vW-mvUh7HQIoJE90LT6mGBrGd_7rjfPAquFhIEGFaQmz4/s400/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5471299298973426098" border="0" /></a><br /><span style="font-style: italic;">Fig.1: Zp on mpt.es</span><br /></div><br /><span style="font-weight: bold;">Site: </span><a style="font-weight: bold;" href="http://www.dgt.es/portal/buscar/">http://www.dgt.es/portal/buscar/</a><br /><span style="font-weight: bold;">Method: POST</span><br /><span style="font-weight: bold;">Vuln type: HTML Injection</span><br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLSqcv2qLiMagl5snootVD4QXj5zeW5nSkB1iJHsqbZq4XdCfrqnBRttdT309YK7K8vL84X8Qh1sDVfj-vzNw_WOXac2c2pPOSh3YqV_CualcNENMYvNiuEcxIZ6QMOdbxn79u_Jhwaind/s1600/2.JPG"><img style="cursor: pointer; width: 400px; height: 241px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLSqcv2qLiMagl5snootVD4QXj5zeW5nSkB1iJHsqbZq4XdCfrqnBRttdT309YK7K8vL84X8Qh1sDVfj-vzNw_WOXac2c2pPOSh3YqV_CualcNENMYvNiuEcxIZ6QMOdbxn79u_Jhwaind/s400/2.JPG" alt="" id="BLOGGER_PHOTO_ID_5471299837345401874" border="0" /></a><br /><span style="font-style: italic;">Fig.2: Zp on dgt.es</span><br /><br /><div style="text-align: justify;"><span style="font-weight: bold;">Site: </span><a style="font-weight: bold;" href="http://www.spainun.org/pages/busqueda.cfm"><span style="text-decoration: underline;">http://www.spainun.org/pages/busqueda.cfm</span></a><br /><span style="font-weight: bold;">Method: POST</span><br /><span style="font-weight: bold;">Vuln type: HTML Injection</span></div></div></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdS6hghl4AwgIweStIb6Ej_RKQhMriD0ZCYNPHOTJiNWMRkzj599HEdV3lJqTPknOyuN6BB5pDcgInR0ta6UObvxI0DEjRroBZ3qgYirTiHg0docknmKcesv8Jyu_41HtRe9NULO17OxJe/s1600/3.JPG"><img style="cursor: pointer; width: 400px; height: 237px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdS6hghl4AwgIweStIb6Ej_RKQhMriD0ZCYNPHOTJiNWMRkzj599HEdV3lJqTPknOyuN6BB5pDcgInR0ta6UObvxI0DEjRroBZ3qgYirTiHg0docknmKcesv8Jyu_41HtRe9NULO17OxJe/s400/3.JPG" alt="" id="BLOGGER_PHOTO_ID_5471300152535511490" border="0" /></a><br /><span style="font-style: italic;">Fig.3: Zp on spainun.org</span><br /><div style="text-align: justify;"> <div style="text-align: left;"><span style="font-weight: bold;"><br />Site: </span><a style="font-weight: bold;" 
href="http://www.icex.es/icex/cda/controller/pageICEX/0,6558,5518394_5518983_5537315_0,00.html?ingresa-txt=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.rankia.com%2Fblog%2Fgenarofragueiro%2Fuploaded_images%2Fzapatero-preocupado-760376.jpg%22+width%3D%2240%25%22+height%3D%2240%25%22+title%3D%22Zapatero+sexy...%22%2F%3E&canal=5518971&x=0&y=0">http://www.icex.es/icex/cda/controller/pageICEX/0,6558,5518394_5518983_5537315_0,00.html?ingresa-txt=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.rankia.com%2Fblog%2Fgenarofragueiro%2Fuploaded_images%2Fzapatero-preocupado-760376.jpg%22+width%3D%2240%25%22+height%3D%2240%25%22+title%3D%22Zapatero+sexy...%22%2F%3E&canal=5518971&x=0&y=0</a><br /></div><span style="font-weight: bold;">Method: GET</span><br /><span style="font-weight: bold;">Vuln type: HTML Injection</span><br /></div><div style="text-align: justify;"><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNgyKJynkPil8NIJPhvy_cTp-C2Z9bhktyhMs2UXxDai8e58D4vD2xx0p0HqZG_KM8_mcHLjwy43Fmf6Czo3f24f4oGPTKHEFj1tee_-3ojrvlFR-fB7trTK5x7Slq9xXOBQQuJXy5xyIK/s1600/4.JPG"><img style="cursor: pointer; width: 400px; height: 238px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNgyKJynkPil8NIJPhvy_cTp-C2Z9bhktyhMs2UXxDai8e58D4vD2xx0p0HqZG_KM8_mcHLjwy43Fmf6Czo3f24f4oGPTKHEFj1tee_-3ojrvlFR-fB7trTK5x7Slq9xXOBQQuJXy5xyIK/s400/4.JPG" alt="" id="BLOGGER_PHOTO_ID_5471300698008750418" border="0" /></a><br /><span style="font-style: italic;">Fig.4: Zp on icex.es</span><br /><br /><div style="text-align: justify;">Without a doubt this last one is my favourite, since it is sent via GET and the injection can be launched with the bare URL. 
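As an added example, not code from this post or from any of the sites listed above, here is a hypothetical PHP search page that shows the unencoded reflection behind this kind of HTML injection next to its encoded counterpart, using a constructed payload of the same shape as the icex.es URL parameter (the field name q and the markup are assumptions). It also goes one step beyond the reflected case: the same value written into a JavaScript string needs a different encoder, since HTML encoding does not protect that context.

```php
<?php
// Added example, not code from the post or from any of the sites it lists.
// A hypothetical search page that reflects the submitted query, which is the
// pattern behind the HTML injections shown above. The parameter name 'q' and
// the markup are assumptions made for the illustration.

// Vulnerable version: the query is written straight into the value="..."
// attribute and into the results text, so a payload of the shape used in the
// icex.es URL above ("><img ...>) closes the attribute and injects a tag.
function renderSearchUnsafe(string $query): string
{
    return '<form method="get">'
        . '<input type="text" name="q" value="' . $query . '">'
        . '</form><p>Results for: ' . $query . '</p>';
}

// Hardened version: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes the double quote, which is what keeps the attribute
// closed; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
// string, so a malformed query cannot blank the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSearchSafe(string $query): string
{
    return '<form method="get">'
        . '<input type="text" name="q" value="' . h($query) . '">'
        . '</form><p>Results for: ' . h($query) . '</p>';
}

// Beyond the reflected case above: if the same value is also written into a
// JavaScript string, HTML encoding is the wrong tool. Emitting it as a JSON
// literal with the HTML-significant characters hex-escaped keeps a quote or
// a closing script tag inside the string instead of ending it.
function renderLastQueryScript(string $query): string
{
    $literal = json_encode($query, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var lastQuery = ' . $literal . ';</script>';
}

// Constructed payload, same shape as the injected icex.es parameter.
$payload = '"><img src="http://example.invalid/zp.jpg" title="injected"/>';

echo renderSearchUnsafe($payload), "\n";              // attribute closed early, <img> rendered
echo renderSearchSafe($payload), "\n";                // shown literally as text
echo renderLastQueryScript('");alert(1);//'), "\n";   // stays a string literal
```

Encoding belongs at the output sink, not at the input: a filter applied when the query arrives would have to know every context it will later be written into, whereas h() and json_encode() each know exactly one.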
Check <a href="http://www.icex.es/icex/cda/controller/pageICEX/0,6558,5518394_5518983_5537315_0,00.html?ingresa-txt=%22%3E%3Cimg+src%3D%22http%3A%2F%2Fwww.rankia.com%2Fblog%2Fgenarofragueiro%2Fuploaded_images%2Fzapatero-preocupado-760376.jpg%22+width%3D%2240%25%22+height%3D%2240%25%22+title%3D%22Zapatero+sexy...%22%2F%3E&canal=5518971&x=0&y=0">here<br /></a><br />As a final note I want to make clear that this is a simple sample from a short testing period; the tests were run exclusively on the search engines of certain sites, with no deep testing of other variables, other forms, etc. On the other hand I would like to say that all of this was reported more than 6 months ago, but either a) the site administrators did not care, or b) the anti-spam filters ate my advisories.<br /><br /><span style="font-weight: bold;">Be safe ;)</span><br /></div></div></div></div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-5019494622639208417.post-5393148006503432272010-05-12T01:05:00.015+02:002010-05-12T02:48:53.926+02:00Testing a 0-day in Safari for Windows (memory corruption) (EDB-ID: 12573)<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKwiW8dPbsRQQuD-XSSiVMsAHSJvercH2c3vWRT-BAnlExn4bym9U72xbVNYgX2UeverJC_7HnZIrZ2-EdGedl21eEqBPFLRvQvAozO-NQKJVv3d7Imr46ITpFOG9TwSJlhPQfND599-3g/s1600/logo_safari.bmp"><img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 37px; height: 42px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKwiW8dPbsRQQuD-XSSiVMsAHSJvercH2c3vWRT-BAnlExn4bym9U72xbVNYgX2UeverJC_7HnZIrZ2-EdGedl21eEqBPFLRvQvAozO-NQKJVv3d7Imr46ITpFOG9TwSJlhPQfND599-3g/s400/logo_safari.bmp" alt="" id="BLOGGER_PHOTO_ID_5470177084024242882" border="0" /></a>A few hours ago a 0-day in Safari for Windows was published, affecting versions earlier than 4.0.5. 
In this case, I tested the exploit with version 4.0.4.<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI-2YYMHFqUzTC9T9BPXa-6zH2dcM4Kkr5Bh7WhvYX5f5lseh-mge8wnJbBIBeEwfn4gFbjHdPxshZ4S9taWdXkpjxeAl5iiAUpjf_MH5euBVFglt5ua1dT2s_v9Ip-pDeXq3auNN_e2S4/s1600/version_safari.bmp"><img style="cursor: pointer; width: 400px; height: 238px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhI-2YYMHFqUzTC9T9BPXa-6zH2dcM4Kkr5Bh7WhvYX5f5lseh-mge8wnJbBIBeEwfn4gFbjHdPxshZ4S9taWdXkpjxeAl5iiAUpjf_MH5euBVFglt5ua1dT2s_v9Ip-pDeXq3auNN_e2S4/s400/version_safari.bmp" alt="" id="BLOGGER_PHOTO_ID_5470163727459115698" border="0" /></a><br /><span style="font-style: italic;">Fig. 1: My version of Safari for Windows (4.0.4).</span><br /></div><br /><div style="text-align: justify;">The exploit's contents refer to local and remote exploitation; this is because the pop-up blocker is disabled by default for local files, whereas when browsing the web the blocker stays active (hence, if the exploit is hosted on a web server, the blocker needs to be disabled).<br /></div><br /><div style="text-align: justify;">Taking a quick look at the exploit, it is basically an error in the handling of the parent window, which can lead to a function call through an invalid pointer. The exploit launches its shellcode, in this case calc.exe, using SkyLined's Heap Spraying technique. In short, this (by now fairly old) technique turns a large block of invalid memory into valid memory by inserting many smaller blocks of nop+shellcode, for the case where the vulnerable application lands in that invalid region. This may be SkyLined's first exploit on the subject: <a href="http://www.milw0rm.com/exploits/612">here</a>. 
Although apparently heap spray based techniques had already been in use since 2001.<br /></div><br /><div style="text-align: justify;">Actually, searching the web, we find references to this exploit going back to May 7.<br /></div><br />Sources: <a href="http://osvdb.org/show/osvdb/64482">here</a> and <a href="http://www.securityfocus.com/bid/39990/info">here</a><br /><br />Here are some screenshots of the exploit in action...<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbDPTb9DdwGIJnCmZAnmgQBmxbCARxr7d05tgkuwKSBIsTXs_-oE4qLsM-eqs-fXHaTGc9E3F8eJ3XnRMb9X0zHpdkIXX2Jrpq43Eu00i4hjtA1ZzWxdB6xj8uAFN8dlEpVEpsAqs1J0HT/s1600/0day_1.bmp"><img style="cursor: pointer; width: 400px; height: 237px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbDPTb9DdwGIJnCmZAnmgQBmxbCARxr7d05tgkuwKSBIsTXs_-oE4qLsM-eqs-fXHaTGc9E3F8eJ3XnRMb9X0zHpdkIXX2Jrpq43Eu00i4hjtA1ZzWxdB6xj8uAFN8dlEpVEpsAqs1J0HT/s400/0day_1.bmp" alt="" id="BLOGGER_PHOTO_ID_5470164192435626370" border="0" /></a><br /><span style="font-style: italic;">Fig. 2: Step 1 of the exploit (alert prompt)</span><br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPUwqoFD11NX117gdD_HKyVp66rRacqHDnq7-NFrx9eRDmyHdBrTrTRCJB3cdJnAzB2wpAdtoeR8PjFb2PTpH2yHPWnIsSwvvjQcCnMYanP5vb6ZFEiQovuPoTGKv14W6g_Uyt2y0cco88/s1600/0day_2.bmp"><img style="cursor: pointer; width: 400px; height: 44px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPUwqoFD11NX117gdD_HKyVp66rRacqHDnq7-NFrx9eRDmyHdBrTrTRCJB3cdJnAzB2wpAdtoeR8PjFb2PTpH2yHPWnIsSwvvjQcCnMYanP5vb6ZFEiQovuPoTGKv14W6g_Uyt2y0cco88/s400/0day_2.bmp" alt="" id="BLOGGER_PHOTO_ID_5470164494571152850" border="0" /></a><br /><span style="font-style: italic;">Fig. 
3: Step 2 (prompt with a buffer of 20000 A's)</span><br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGK3OxKQkRY37uWAEyLfkU-gQpS4hZnU4TeDD1xR74DoTZWmFiieWL2_K_OEIV04UaRqcCY_V36evPyHTDGjCcwsRGT4DG7VIX2CWUb-eBXN536ZH4UhJysNFRBeC3_zgntEuRVKisWaFU/s1600/0day_3.bmp"><img style="cursor: pointer; width: 400px; height: 242px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGK3OxKQkRY37uWAEyLfkU-gQpS4hZnU4TeDD1xR74DoTZWmFiieWL2_K_OEIV04UaRqcCY_V36evPyHTDGjCcwsRGT4DG7VIX2CWUb-eBXN536ZH4UhJysNFRBeC3_zgntEuRVKisWaFU/s400/0day_3.bmp" alt="" id="BLOGGER_PHOTO_ID_5470165178191916770" border="0" /></a><br /><span style="font-style: italic;">Fig. 4: Step 3 (exploit executed).</span><br /></div><br /><div style="text-align: justify;">On the other hand, looking at the crash information, we get a view of the registers according to Dr. Watson for Windows:<br /></div><br /><div style="text-align: justify;">eax=<span style="font-weight: bold;">0d0d0d0d</span> ebx=7e398a01 ecx=3cde8792 edx=1016f729 esi=7fdabea0 edi=7e398bf6<br /></div>eip=47330003 esp=0012e898 ebp=7e3991c5 iopl=0 nv up ei pl nz na po nc<br />cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206<br /><br />Here are some links to the 0-day: <a href="http://www.exploit-db.com/exploits/12573">exploit-db</a> and <a href="http://www.securityfocus.com/data/vulnerabilities/exploits/39990.rar">securityfocus</a><br /><br /><div style="text-align: justify;">All in all, a nice exploit, which requires some user interaction, such as disabling the pop-up blocker and closing the windows with Alt+F4 (bearing in mind that other users will simply kill the safari.exe process and the exploit breaks xD).<br /><br />Credits for this exploit go to: Krystian Kloskowski<br /><span style="color: rgb(255, 0, 0); font-weight: 
bold;"><br />Current solution: No patches at the moment.</span><br /><span style="color: rgb(255, 0, 0); font-weight: bold;">Temporary solution: Disable JavaScript in Safari.</span><br /></div><br /><span style="font-weight: bold;">Be safe ;)</span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5019494622639208417.post-60735954666817560532010-05-08T15:07:00.039+02:002011-02-23T18:55:36.592+01:00:::SPAS3C-WV-001::: Multiple Vulnerabilities in ILIAS 4.0.3<span style="color: rgb(153, 153, 153); font-weight: bold;"><br /></span><div style="text-align: center;"><span style="color: rgb(255, 0, 0); font-weight: bold;">== BRIEFING ==</span><br /></div><div style="text-align: justify;"><div style="text-align: justify;"> </div><span style="font-weight: bold;"><br /><a href="http://www.ilias.de/">Ilias</a> is an LMS (Learning Management System) created by a German</span><span style="font-weight: bold;"> university. 
It's used by universities, schools and high schools around the world.</span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCFbMR8T4iiSJ5xJnR8u-ZTRmVeSGYZE2BjmNfwZhTa5m8S-4E3DwCWnd0Q1-aeo9E0HkhyphenhyphenZ8FuEts408Xrf16oGj9hmKYqmgh5unTxIkzD9BCd-VtHigpKR6F-AaGmXPkkPJsxyWsNuWV/s1600/ilias_logo_big.png"><img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 140px; height: 96px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCFbMR8T4iiSJ5xJnR8u-ZTRmVeSGYZE2BjmNfwZhTa5m8S-4E3DwCWnd0Q1-aeo9E0HkhyphenhyphenZ8FuEts408Xrf16oGj9hmKYqmgh5unTxIkzD9BCd-VtHigpKR6F-AaGmXPkkPJsxyWsNuWV/s400/ilias_logo_big.png" alt="" id="BLOGGER_PHOTO_ID_5468927389045258802" border="0" /></a> <div style="text-align: justify;"><span style="font-weight: bold;">This document is the advisory sent to the Ilias Security Team, therefore it is written in the present tense.</span></div> <div style="text-align: justify;"><span style="font-weight: bold;">Personally, I have worked with this team before and the vulnerabilities were patched in a short time, but this release took almost two months. Anyway, I think that it is an isolated case.</span><br /></div><br /><span style="font-weight: bold; font-style: italic;">Examples are tested against my old university. 
I had already finished XD.</span><br /><br /><span style="font-weight: bold;">I know that my English is :( but it was enough to help.</span><br /><br /></div> <div style="text-align: justify;"><span style="font-weight: bold;">Credits given: </span><a href="http://www.ilias.de/docu/ilias.php?ref_id=35&obj_id=30006&cmd=layout&cmdClass=illmpresentationgui&cmdNode=1j&baseClass=ilLMPresentationGUI&obj_id=32447" target="_top">4.0.5 Release Notes</a></div><br /><br /><span style="color: rgb(153, 153, 153); font-weight: bold;">TITLE: MULTIPLE VULNERABILITIES IN ILIAS 4.0.3 (2010-01-26)</span><br /><div style="text-align: justify; color: rgb(153, 153, 153); font-weight: bold;">AUTHOR: JOSÉ A. VÁZQUEZ GONZÁLEZ<br /></div><div style="text-align: justify; color: rgb(153, 153, 153); font-weight: bold;">IMPACT: COOKIE STEALING AND MORE (MULTIPLE)<br /></div><div style="text-align: justify; font-weight: bold; color: rgb(0, 0, 0);"><span style="color: rgb(153, 153, 153); font-weight: bold;">DISCOVERED DATE: 2010-02-19</span></div><br /><div style="text-align: center;"><span style="color: rgb(255, 0, 0); font-weight: bold;">== DISCLAIMER ==</span><br /></div><br /><div style="text-align: justify; color: rgb(204, 204, 204);">The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.<br /></div><br /><div style="text-align: justify; color: rgb(204, 204, 204);">I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.<br /></div><br /><br /><div style="text-align: center;"><span style="color: rgb(255, 153, 0); font-weight: bold;"><span style="color: rgb(255, 153, 0);">==</span> FIRST: SIMPLE BUG (NOT INJECTABLE) <span 
style="color: rgb(255, 153, 0);">==</span></span><br /></div><span style="color: rgb(255, 0, 0);"><br /><span style="font-weight: bold;">Risk: Low</span></span><br /><br /><div style="text-align: justify;">Using the tag GET variable we can close an HTML comment, but here XSS or HTML injection is not possible; this would be a simple bug.<br /></div><br /><div style="text-align: justify;">Go to --> <a href="http://[host]/ilias.php?col_side=right&block_type=pdtag&tag=[BUG]&cmd=showResourcesForTag&cmdClass=ilpdtaggingblockgui&cmdNode=4f:6c:7k&baseClass=ilPersonalDesktopGUI">http://[HOST]/ilias.php?col_side=right&block_type=pdtag&tag=[BUG]&cmd=showResourcesForTag&cmdClass=ilpdtaggingblockgui&cmdNode=4f:6c:7k&baseClass=ilPersonalDesktopGUI</a><br /></div><br />-> Issue in [BUG]<br /><br /><div style="text-align: justify;">Example -> <a href="http://[host]/ilias.php?col_side=right&block_type=pdtag&tag=[BUG]&cmd=showResourcesForTag&cmdClass=ilpdtaggingblockgui&cmdNode=4f:6c:7k&baseClass=ilPersonalDesktopGUI"> http://[HOST]/docencia/ilias.php?col_side=right&block_type=pdtag&tag=--%3E%20%26%23%3C&cmd=showResourcesForTag&cmdClass=ilpdtaggingblockgui&cmdNode=4f:6c:7k&baseClass=ilPersonalDesktopGUI</a><br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZrsArG9P-m2_eDSZTLkR3_G8RMW_oHPWMO2jQaedSAQ40d4jeGixg769e_hcTxSFo6G5QVFgXApo1DPt6T1tIqnzerBQeuwStF6ggyu55WDNG2emeSYs9D9WXNiQ_CW-gbIpdhQy9tAp5/s1600/1.JPG"><img style="cursor: pointer; width: 506px; height: 83px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZrsArG9P-m2_eDSZTLkR3_G8RMW_oHPWMO2jQaedSAQ40d4jeGixg769e_hcTxSFo6G5QVFgXApo1DPt6T1tIqnzerBQeuwStF6ggyu55WDNG2emeSYs9D9WXNiQ_CW-gbIpdhQy9tAp5/s400/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5468908120101389074" border="0" /></a><br /><span style="font-style: italic;">Fig. 
1: Simple bug.</span><br /></div><br />This will be the HTML source code returned:<br /><br /><!-- <img border="0" src="./Customizing/global/skin/uja/images/icon_tag.gif" alt="" /> &#" title="Icono Recursos etiquetados con --> <span style="font-weight: bold;">... --> &#" id="block_pdcontent_0_blimg" /> --></span><br /><a class="ilAccAnchor" name="block_pdcontent_0_blhead" id="block_pdcontent_0_blhead"></a><span class="ilAccHidden"></span><br />We use the end-comment tag (-->).<br /><br /><div style="text-align: justify;">Anyway, HTML tags are restricted, so this is not exploitable as an HTML or XSS injection.<br /></div><br /><br /><div style="text-align: center;"><span style="color: rgb(255, 153, 0); font-weight: bold;"><span style="color: rgb(255, 153, 102);">==</span> SECOND: XSS OR HTML INJECTION (PERSISTENT) <span style="color: rgb(255, 153, 102);">==</span></span><br /></div><br /><span style="color: rgb(255, 0, 0); font-weight: bold;">Risk: Medium</span><br /><br /><div style="text-align: justify;">Edit your profile at -> <a href="http://[host]/ilias.php?cmd=showPersonalData&cmdClass=ilpersonalprofilegui%20cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI">http://[HOST]/ilias.php?cmd=showPersonalData&cmdClass=ilpersonalprofilegui cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI</a><br /></div><br />In Personal Information, set Street, City and Country to:<br /><br /><span style="font-weight: bold;">XSS by J. A. Vazquez " onmouseover="alert('J.A. 
Vazquez');//</span><br /><br />Save these changes.<br /><br /><div style="text-align: justify;">Now go to Location --> <a href="http://[host]/ilias.php?cmd=showLocation&cmdClass=ilpersonalprofilegui&cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI">http://[HOST]/ilias.php?cmd=showLocation&cmdClass=ilpersonalprofilegui&cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI</a><br /></div><br /><div style="text-align: justify;">When you move the mouse over the input tag with the value "XSS by J. A. Vazquez", the XSS is triggered.<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizMtzGi0CM41sIo8OoGLzCUoEofkMoRAZ-9xhFNjmRp3SvS9Acec88LwzdR73-77MoiuiBRwqUTga-5XnZRBfvGZTkbLZt9EmIM5V3M2RRUViF-cjzjN8UI75g5c1SN9CuXh7yddp6cpqX/s1600/2.JPG"><img style="cursor: pointer; width: 438px; height: 168px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizMtzGi0CM41sIo8OoGLzCUoEofkMoRAZ-9xhFNjmRp3SvS9Acec88LwzdR73-77MoiuiBRwqUTga-5XnZRBfvGZTkbLZt9EmIM5V3M2RRUViF-cjzjN8UI75g5c1SN9CuXh7yddp6cpqX/s400/2.JPG" alt="" id="BLOGGER_PHOTO_ID_5468908633682413634" border="0" /></a><br /><span style="font-style: italic;">Fig. 2: XSS triggered.</span><br /></div></div><br /><div style="text-align: justify;"><span style="font-style: italic;">Note: This XSS is persistent, in a control event, but it only affects my account. 
Therefore it's medium risk.</span><br /><br /><br /></div><div style="text-align: center; color: rgb(255, 153, 0);"><span style="color: rgb(255, 153, 102); font-weight: bold;">==</span><span style="font-weight: bold;"> THIRD: XSS OR HTML INJECTION (PERSISTENT) </span><span style="color: rgb(255, 153, 102); font-weight: bold;">==</span><br /></div><span style="color: rgb(255, 0, 0);"><br /><span style="font-weight: bold;">Risk: High</span></span><br /><br /><div style="text-align: justify;">Again, edit your profile at -> <a href="http://[host]/ilias.php?cmd=showPersonalData&cmdClass=ilpersonalprofilegui%20cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI">http://[HOST]/ilias.php?cmd=showPersonalData&cmdClass=ilpersonalprofilegui cmdNode=4f:6q&baseClass=ilPersonalDesktopGUI</a><br /></div><br />Change the department parameter to:<br /><br /><span style="font-weight: bold;">");alert('XSS by J.A. Vazquez');//</span><br /><br />Saving the changes, we bypass the CDATA protection...<br /><br />Now we go to Public Profile and set "Department" as visible.<br /><br />Then, go to Location and set "show in personal profile".<br /><br />Now if a user visits our profile, he could be owned by an XSS attack.<br /><br /><div style="text-align: justify;">For example. 
Going to --> <a href="http://[host]/repository.php?ref_id=34153&cmdClass=ilpublicuserprofilegui&user=742&cmd=getHTML&cmdNode=1f:ej:6p">http://[HOST]/repository.php?ref_id=34153&cmdClass=ilpublicuserprofilegui&user=742&cmd=getHTML&cmdNode=1f:ej:6p</a><br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbcqS1pxXBwhNgJmBd5eoKiMZ9srR2lQ3BwHsUSvDFStXzmJY1bdPXK_8WjtDUlciCizcKLWdcvy6tHz7NiKQWzhJphLM4yZtj1H_Z2SOcQNRpCHHwv61my5l0dkpupljeDCUt1MDaOAQ4/s1600/3.JPG"><img style="cursor: pointer; width: 400px; height: 141px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbcqS1pxXBwhNgJmBd5eoKiMZ9srR2lQ3BwHsUSvDFStXzmJY1bdPXK_8WjtDUlciCizcKLWdcvy6tHz7NiKQWzhJphLM4yZtj1H_Z2SOcQNRpCHHwv61my5l0dkpupljeDCUt1MDaOAQ4/s400/3.JPG" alt="" id="BLOGGER_PHOTO_ID_5468908999778281090" border="0" /></a><br /><span style="font-style: italic;">Fig. 3: Direct and persistent XSS</span><br /></div><br /><div style="text-align: justify;"><span style="font-style: italic;">Note: This XSS could be reproduced using other variables (any of the Location ones, for example city, street or view) (not tested, but probable). This XSS is persistent and does not need a JavaScript event to trigger; it fires on page load.</span><br /></div><br /><br /><div style="text-align: center; color: rgb(255, 153, 102);"><span style="color: rgb(255, 153, 0); font-weight: bold;">==</span><span style="color: rgb(255, 153, 0); font-weight: bold;"> FOURTH: XSS OR HTML INJECTION (PERSISTENT) </span><span style="color: rgb(255, 153, 0); font-weight: bold;">==</span><br /></div><br /><span style="color: rgb(255, 0, 0); font-weight: bold;">Risk: Medium</span><br /><br />Go to the bookmark section and create a folder, then add a new bookmark in this folder with:<br /><br /><span style="font-weight: bold;">Title: Nice XSS by J.A. 
Vazquez</span><br /><span style="font-weight: bold;">Description: Nice XSS by J.A. Vazquez</span><br /><span style="font-weight: bold;">URL: aa" onmouseover="alert('Creado por J.A. Vazquez!');</span><br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgziqCSTTzGuAZwCDGlEDcqb3X_CwPh4JtO6kVm4jymkLhznG4jGnQwGXBWEGeqSfqfsYAGwQDazWP502jBSzSXl5njMgUzVidakuJbQdMPaxts0V906_y4nQbXD4qALoPbyOjgluLP8Hii/s1600/4_2.JPG"><img style="cursor: pointer; width: 400px; height: 147px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgziqCSTTzGuAZwCDGlEDcqb3X_CwPh4JtO6kVm4jymkLhznG4jGnQwGXBWEGeqSfqfsYAGwQDazWP502jBSzSXl5njMgUzVidakuJbQdMPaxts0V906_y4nQbXD4qALoPbyOjgluLP8Hii/s400/4_2.JPG" alt="" id="BLOGGER_PHOTO_ID_5468909820151105106" border="0" /></a><br /><span style="font-style: italic;">Fig. 4.1: XSS in bookmark. Location 1.</span><br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfIaLJd9nHgXLs8UOYE0jxLe_FDwxrVBtPR4xN_i399GxSyqQDZo1cihuMEwJTPiQiN8MhKM7xtDz5Mxjw4msa9HvgshJPceFPRLVCyDf137rbWXrFrQ49zibUzyzes0F5mz-BY7N3L2rg/s1600/4_1.JPG"><img style="cursor: pointer; width: 400px; height: 121px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfIaLJd9nHgXLs8UOYE0jxLe_FDwxrVBtPR4xN_i399GxSyqQDZo1cihuMEwJTPiQiN8MhKM7xtDz5Mxjw4msa9HvgshJPceFPRLVCyDf137rbWXrFrQ49zibUzyzes0F5mz-BY7N3L2rg/s400/4_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5468909758518638786" border="0" /></a><br /><span style="font-style: italic;">Fig. 4.2: XSS in bookmark. Location 2.</span><br /><br /></div><div style="text-align: justify;"><span style="font-style: italic;">Note: This XSS only affects to own user. 
It's loaded in a javascript event and it could be reproduced in two different location.<br /><br /><br /></span></div><div style="text-align: center; color: rgb(255, 153, 102);"><span style="font-weight: bold; color: rgb(255, 153, 0);">== FIFTH: ARBITRARY SESSION_ID INSERTION ==</span><br /></div><br /><span style="color: rgb(255, 0, 0); font-weight: bold;">Risk: Medium</span><br /><br />Plugin Tiny MCE has some vulnerabilities.<br /><br /><div style="text-align: justify;">Go to here -> <a href="http://[host]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=742&session_id=[SESSION_ID]&client_id=docencia">http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=742&session_id=[SESSION_ID]&client_id=docencia</a><br /></div><br />Use [SESSION_ID] your PHPSESSID.<br /><br /><div style="text-align: justify;">But if session_id is left to nothing, ie -> <a href="http://[host]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=742&session_id=[SESSION_ID]&client_id=docencia">http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=742&session_id=&client_id=docencia<br /></a></div><br />You display a MDB2 (MYSQL) ERROR.<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE1KH7xwi1uq4Mh9IDXJY1XYC7IXfAuNnK7MumGGUgu5-9pZc4EmEmK4qUpb_3QKe_xuS3_ex78nKyOQs1igGb7PhSCThex29eHCyN6_U8dLejrvawEaTLkpcY8WhAhsE898j5vgCpxB_y/s1600/5_1.JPG"><img style="cursor: pointer; width: 400px; height: 205px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE1KH7xwi1uq4Mh9IDXJY1XYC7IXfAuNnK7MumGGUgu5-9pZc4EmEmK4qUpb_3QKe_xuS3_ex78nKyOQs1igGb7PhSCThex29eHCyN6_U8dLejrvawEaTLkpcY8WhAhsE898j5vgCpxB_y/s400/5_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5468910397419423250" border="0" /></a><br /><span style="font-style: italic;">Fig. 
5.1: SQL Error.</span><br /></div><br /><div style="text-align: justify;">But if we put any value in session_id, this value is stored. I've tried a SQL Injection Attack, but it's not reachable.<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhKbqAT-V4l8pKjP2m_tgiwoNMTEz7WF4EM655yGxG9M3HCMMI-owOUasal7xGWv98IZsK0CFCiyRh0f-Vt1aGogyc2GXxAYPFEK1xcrlkhWfBoiniQUMk6e-e5YxXHe1FYGYP4semKOC3/s1600/5_2.JPG"><img style="cursor: pointer; width: 400px; height: 176px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhKbqAT-V4l8pKjP2m_tgiwoNMTEz7WF4EM655yGxG9M3HCMMI-owOUasal7xGWv98IZsK0CFCiyRh0f-Vt1aGogyc2GXxAYPFEK1xcrlkhWfBoiniQUMk6e-e5YxXHe1FYGYP4semKOC3/s400/5_2.JPG" alt="" id="BLOGGER_PHOTO_ID_5468910461790997570" border="0" /></a><br /><span style="font-style: italic;">Fig. 5.2: Session_id corrupted in DB.</span><br /></div><br /></div><span style="color: rgb(255, 153, 102);"></span> <div style="text-align: center;"><span style="color: rgb(255, 153, 0); font-weight: bold;">==</span><span style="color: rgb(255, 153, 0); font-weight: bold;"> SIXTH: DIRECTORY TRAVERSAL VULNERABILITY </span><span style="color: rgb(255, 153, 0); font-weight: bold;">==</span><br /></div><br /><span style="color: rgb(255, 0, 0); font-weight: bold;">Risk: High</span><br /><br />Plugin Tiny MCE is vulnerable to Directory Traversal.<br /><br />Go to -> <a href="http://[host]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=6&session_id=%&client_id=test_403/../../../&obj_type=frm">http://[HOST]/Services/RTE/tiny_mce/plugins/ibrowser/imagemanager.php?obj_id=6&session_id=%&client_id=test_403/../../../&obj_type=frm</a><br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4vZVP0mbwhuJNJfa9Pa9MrZbp6M377AF-YUlKvVlo0OxonZLuGaxbAIgrarbzD2bDZdkzRmQZhI5CMtEe44NwrPUKt9CJT6Grzy1jhW4iOQ3QO_vq6_xke3QUhTRKz73dM2rja9Et9f-r/s1600/6.JPG"><img style="cursor: pointer; width: 400px; height: 215px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4vZVP0mbwhuJNJfa9Pa9MrZbp6M377AF-YUlKvVlo0OxonZLuGaxbAIgrarbzD2bDZdkzRmQZhI5CMtEe44NwrPUKt9CJT6Grzy1jhW4iOQ3QO_vq6_xke3QUhTRKz73dM2rja9Et9f-r/s400/6.JPG" alt="" id="BLOGGER_PHOTO_ID_5468910521138606242" border="0" /></a><br /><span style="font-style: italic;">Fig. 6: Denial Of Service using DT.</span><br /></div><br /><div style="text-align: justify; font-style: italic;">Note: Tested only in localhost because server could be DoSed (Denial Of service). Depends on Script time execution.<br /></div><div style="text-align: justify;"><span style="font-style: italic;">Btw, Local File Inclusion (LFI) or Remote File Inclusion (RFI) is not possible) (In this case, "client_id" var is used to load image titles, etc).</span><br /></div><br /><div style="text-align: center;"><span style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">== CREDITS </span><span style="color: rgb(255, 0, 0); font-weight: bold;"><span style="color: rgb(255, 0, 0);">==</span></span></span></div><br /><div style="text-align: justify;"><div style="text-align: justify;"><span style="color: rgb(153, 153, 153); font-weight: bold;">Author of this advisory is Independient Security researcher José A. Vázquez Gonzalez.</span><span style="color: rgb(153, 153, 153); font-weight: bold;"> Copyright © 2010 José Antonio Vázquez González.</span><br /></div><span style="color: rgb(204, 204, 204);"><br /><br /></span><span style="font-weight: bold;">That's all. 
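<br /><br />For the stored XSS, session_id and client_id findings above, here is an added defensive example written for this page; it is not ILIAS code. It encodes untrusted values for the context they are rendered into (a JavaScript string, an HTML attribute, link text) and allow-lists the two identifier parameters before they reach the database or the file system. The rendering functions, the session id character set and the client_id format are assumptions made for the illustration, not ILIAS internals; the sample payloads are the ones the advisory shows.<br />

```python
"""Defensive counterparts to the ILIAS findings above (added illustration,
not ILIAS code): context-aware output encoding for the two stored XSS cases
and allow-list validation for the session_id and client_id parameters."""
import html
import json
import os
import re
from urllib.parse import urlsplit

# Constructed sample inputs, copied from the payloads the advisory shows.
DEPARTMENT_PAYLOAD = "\");alert('XSS by J.A. Vazquez');//"
BOOKMARK_URL_PAYLOAD = "aa\" onmouseover=\"alert('Creado por J.A. Vazquez!');"
TRAVERSAL_CLIENT_ID = "test_403/../../../"


def js_string_literal(value: str) -> str:
    """Encode a value for embedding inside a JavaScript string in a script
    block. json.dumps escapes quotes, backslashes and (with ensure_ascii)
    the U+2028/2029 line terminators; the extra replacements stop a literal
    '</script>' from closing the block. A CDATA wrapper alone does neither,
    which is why the department payload's '");' escaped the string."""
    literal = json.dumps(value)  # ensure_ascii=True by default
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def js_roundtrips(value: str) -> bool:
    """True when the encoded literal decodes back to the original value."""
    return json.loads(js_string_literal(value)) == value


SAFE_SCHEMES = {"http", "https"}


def render_bookmark_vulnerable(title: str, url: str) -> str:
    """Raw interpolation into an attribute: the pattern the bookmark finding
    implies, where '" onmouseover="...' in the URL becomes an event handler."""
    return f'<a href="{url}">{title}</a>'


def render_bookmark_hardened(title: str, url: str) -> str:
    """Allow-list the URL scheme (this also blocks javascript:), then
    HTML-encode the attribute value and the link text for their contexts."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        raise ValueError(f"rejected bookmark URL: {url!r}")
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(title)}</a>'


def bookmark_accepted(title: str, url: str) -> bool:
    try:
        render_bookmark_hardened(title, url)
        return True
    except ValueError:
        return False


# Assumed formats for this example: a PHP session id is 22-128 characters of
# [A-Za-z0-9,-]; a client_id is a single plain directory name.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9,-]{22,128}")
CLIENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def valid_session_id(session_id: str) -> bool:
    """Reject empty or malformed ids up front so the request never reaches
    the database, instead of storing the value or surfacing an MDB2 error."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def resolve_client_dir(base_dir: str, client_id: str) -> str:
    """Allow-list client_id, then confirm the normalised path is still under
    base_dir. On a live deployment os.path.realpath would also resolve
    symlinks; normpath is used here so the result is deterministic."""
    if CLIENT_ID_RE.fullmatch(client_id) is None:
        raise ValueError(f"rejected client_id: {client_id!r}")
    base = os.path.normpath(base_dir)
    target = os.path.normpath(os.path.join(base, client_id))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("client_id escapes the data directory")
    return target


def client_dir_accepted(base_dir: str, client_id: str) -> bool:
    try:
        resolve_client_dir(base_dir, client_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(render_bookmark_vulnerable("x", BOOKMARK_URL_PAYLOAD))
    print(js_string_literal(DEPARTMENT_PAYLOAD))
    print(valid_session_id(""), client_dir_accepted("/srv/ilias/data", TRAVERSAL_CLIENT_ID))
```

Both regexes are allow-lists, so an empty session id or a client_id such as test_403/../../../ is refused before any query or path operation runs; that is cheaper, and leaks less, than letting the value reach MDB2 and catching the error afterwards.<br /><br />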
Be safe ;)</span><span style="color: rgb(204, 204, 204);"><br /></span></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5019494622639208417.post-72347650785875286592010-05-08T06:36:00.017+02:002010-05-08T13:56:26.677+02:00Fail or Own3d on Wall Street?<div style="text-align: justify;"><div style="text-align: justify;">It was funny to see the news published in some media outlets and websites referring to the crash of the US stock market.<br /></div><br /><div style="text-align: justify;">According to reports, a human error in a share purchase caused the biggest stock market plunge in 20 years. The person made a mistake in a share purchase, carrying out a transaction of billions when he meant to buy millions...LoL?<br /></div><br />Anyway, what a fail!<br /><br />In any case, it should be made clear that the matter is under investigation and the error mentioned above is not confirmed. We'll see how it ends up and whether there are interests behind it...in which case it would become a full-blown Own3d.<br /><br /><span style="font-style: italic;">Source of the news:</span> <a href="http://noticias.latam.msn.com/xl/economia/articulo_bbc.aspx?cp-documentid=24164568">here</a><span style="font-weight: bold;"><br /><br />Be safe ;)</span><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5019494622639208417.post-3921182402776523142010-05-08T04:50:00.008+02:002010-05-08T13:56:44.691+02:00Statement of intent (introduction)...<div style="text-align: justify;">It hasn't been long since I finished my degree, and the truth is that work in Spain, and even more so in Andalusia, <span style="font-weight: bold;">is not easy</span> to come by. With the free time, and since I've been into security for about 4 years, I have finally decided to open this blog to collect news, opinions, publications, 0-days, 1-days and whatever else comes to mind.<br /><br />In short, with this blog I hope to gather hundreds and hundreds of hours of analysis, pen-testing, web or software security, publications, programming in general and a very long list of the things I have worked on and learned during these last 4 years, and especially these last few months since finishing my studies.<br /><br />That's many hours in front of the PC or laptop, testing, reading and practising. Obviously the hours spent will be the true reflection of what I've learned; I will try to write up all the projects, work or research I am carrying out.<br /><br />However, no matter how many hours or years one has spent on this, the reality is that staying up to date takes an enormous effort. I don't by any means consider myself the best H4x0|2, nor do I think I'm the best programmer or the best telecoms engineer (or the best footballer...well, that one yes, haha). What I am clear about, though, is that I like this, and one never stops learning and improving. Life is a constant learning process...<br /><br />I know myself and I'm not optimistic about spending many hours writing on this blog (what a way to sell it, haha). But I will try to treat it as a way of collecting information about my past, current or future work.<br /><br /><span style="font-weight: bold;">Be safe ;)</span></div>Unknownnoreply@blogger.com