agregator rss

Zbigniew Sosnowski, podsekretarz stanu w MSWiA wziął udział w spotkaniu podsumowującym działania powodziowe na terenie powiatu chełmińskiego (województwo kujawsko-pomorskie).

Od 2011 r. darmowy e-profil dla każdego w ZUS
Gazeta Prawna
Osoby, które chcą przesyłać e-dokumenty ale bez konieczności płacenia za bezpieczny podpis elektroniczny, będą musiały założyć konta na rządowym portalu ...

Od 2011 r. darmowy e-profil dla każdego w ZUS
Gazeta Prawna
Osoby, które chcą przesyłać e-dokumenty ale bez konieczności płacenia za bezpieczny podpis elektroniczny, będą musiały założyć konta na rządowym portalu ...

Polska nauka znalazła sponsora
Gazeta Prawna
Jak tłumaczy Hanna Godula z zespołu badań i rozwoju w agencji, to rozwiązanie dotyczy tylko firm, które posiadają kwalifikowany podpis elektroniczny. ...

Polska nauka znalazła sponsora
Gazeta Prawna
Jak tłumaczy Hanna Godula z zespołu badań i rozwoju w agencji, to rozwiązanie dotyczy tylko firm, które posiadają kwalifikowany podpis elektroniczny. ...

У квітні, 19.06.2009 (а також додатково сьогодні), я знайшов Insufficient Anti-automation та Full path disclosure уразливості на сайті http://shalb.com (це українська секюріті компанія). Про що найближчим часом сповіщу адміністрацію сайта.

Insufficient Anti-automation:

http://shalb.com/en/company/orderform/
http://shalb.com/support/open.php (ця сторінка була в 2009 році, зараз вона відсутня)
http://shalb.com/ru/company/orderform/
http://shalb.com/ru/company/contacts/
http://shalb.com/en/company/contacts/

В даних контактних формах немає захисту від автоматизованих запитів (капчі).

Full path disclosure:

На сторінках сайта http://shalb.com виводився повний шлях на сервері.

Якщо Full path disclosure дірки вже виправлені, то Insufficient Anti-automation уразливості все ще є на сайті. Як я вже казав, дані уразливості є типовим явищем для секюріті сайтів.

Після попереднього дослідження похаканих сайтів, приведу нову інформацію про взломані сайти. З числа українських сайтів.

• http://cs-servera.net (хакером SAms0n) - 28.08.2010, зараз сайт вже виправлений адмінами
• http://valfork.com (хакером CmTr) - 24.08.2010, зараз сайт не працює (закритий адмінами)
• http://firstline.com.ua (хакером TekZ)
• http://shela.org.ua (хакером Delp0rt3) - 20.08.2010, зараз сайт не працює
• http://muza.lg.ua (хакерами AHG)

Пропоную вашій увазі добірку цікавих новин на тему безпеки.

За повідомленням hackzona.com.ua, Panda Security допомогла заарештувати хакера Iserdo.

Компанії Panda Security і Defence Intelligence допомогли зловити кіберзлочинця. Ці компанії надали ФБР та іншим міжнародним органам важливу інформацію, завдяки якій вдалося зловити 23-річного хакера Iserdo. Доведено, що саме він є творцем набору “Метелик” (Butterfly), на якому засновано багато бот-мереж.

За повідомленням ua-hack.com, невідомі знищили офіційну українську базу даних сертифікатів якості на всі види продукції. Ця подія трапилася 11 серпня.

Електронна база даних сертифікації УкрСЕПРО знищена, повідомив перший заступник генерального директора державного підприємства Українського науково-дослідного і навчального центра проблем стандартизації, сертифікації та якості Сергій Доротич. Знищення інформації на сервері відбувалося в офлайні, шляхом її фізичного знищення.

За повідомленням hackzona.com.ua, HackZonA.ru був взломаний.

IRC-сервер сайта hackzona.ru був взломаний першого липня 2010 року. Після чого був отриманий контроль над основним сервером даного хакерського портала. Окрім опису процеса взлома сайта також наводяться скріншоти, що демонструють факт взлому.

Koncern z Redmond wciąż nie poinformował, które z jego aplikacji są podatne na atak wykorzystujący lukę w zabezpieczeniach związaną z pewną biblioteką DLL. Kilku producentów oprogramowania już potwierdziło, że problem dotyczy ich produktów (niektórzy zdołali już nawet usunąć błędy). Microsoft wciąż milczy - choć z nieoficjalnych informacji wynika, że niektóre produkty firmy też są dziurawe.

20.04.2010

У жовтні, 10.10.2009, я знайшов SQL Injection та Redirector (URL Redirector Abuse) уразливості в CMS WebManager-Pro. Дані уразливості я виявив на webmanager-pro.com - сайті розробників даної CMS. Про що найближчим часом повідомлю розробникам.

Раніше я вже писав про уразливість в CMS WebManager-Pro.

Детальна інформація про уразливості з’явиться пізніше. Спочатку повідомлю розробникам системи.

02.09.2010

SQL Injection:

http://site/c.php?id=1%20and%20version()=5

Redirector:

http://site/c.php?id=1&url=http://websecurity.com.ua

Уразливі дві системи CMS WebManager-Pro від двох розробників. Уразливі версії CMS WebManager-Pro до 8.1 (версія від WebManager).

Також SQL Injection (але не Redirector) має місце в версії системи від FGS_Studio. Уразливі CMS WebManager-Pro v.7.4.3 (версія від FGS_Studio) та попередні версії.

Розробники з WebManager виправили SQL Injection уразливість (але не виправили Redirector) в версії CMS WebManager-Pro 8.1. Розробники з FGS_Studio не виправили SQL Injection уразливість (дані розробники взагалі проігнорували всі уразливості в їхній CMS, про які я їм повідомив).

Zamiast elektronicznego podpisu "zaufany profil"
Moja Firma
Zaletą "zaufanego profilu" - przekonywał radca ministra - jest to, że nie trzeba za niego płacić, tak jak za kwalifikowany podpis elektroniczny. ...

19 posts left…

So Pyloris doesn’t work particularly well for port exhaustion on the server, but what if we can exhaust the connections on the client to better meter out traffic? That would make it easier for a MITM to see each individual request if it worked. So I started down a rather complicated path of using a mess load of link tags on an HTTP website trying to affect the connections on the HTTPS version of the same domain. No joy. It turns out that the limits placed on one port don’t affect what happens on another (at least in Firefox). So while I can exhaust all the connections to a domain over a single port I can’t do anything using HTTPS - or so it seemed (unless I was willing to muddy the water further by sending a bunch of requests that I knew are a certain size to the HTTPS site - which just seemed more painful than helpful).

Then, based on some earlier research I stormed into id’s office and I started bitching that there was no point in trying to stop port exhaustion if they were going to allow tons of connections, just over multiple sockets anyway. As the words came out of my mouth I realized I had come up with the answer - a ton of webservers. I guessed that there must be some upper bound of outbound connections and it’s probably at or less than 130. You should have seen id’s face as I asked him to set up 130 connections / 6 connections per socket = 22 web-servers for me. Hahah… I thought he’d kill me.

It turns out it’s nowhere near 130 open connections. Firefox sets a rather arbitrary 30 connection limit. So if you can create 5 open web-servers and exhaust 30 connections and only free up one long enough to allow the victim to download one request at a time, I think we’re in business. Makes sense in theory. The problem is that it’s REALLLLY slow. I mean… painful. In my testing it seemed more like the server was broken entirely from the victim’s perspective. But eventually… and in some cases I mean minutes later - it would load. I’m sure that the attack could be optimized to work based on the fact that no more packets are being sent when the image gets downloaded or whatever… which would signal the program to free up a connection. This is opposed to my crapola time based solution combined with chunked encoding to force the connection to stay open without downloading anything that I came up with for testing. So I bet this attack could work if someone put some tender loving care into it, but it was kind of a huge waste of time for me personally - and for poor id.

Incidentally, for those who have never seen or met id, and would like to know a little about the other side of webappsec that I don’t talk about much here (the configuration, operating system and network), you’re chance is nearing. There’s a rumor that he’ll be speaking at Lascon in October. He’ll be talking on how he’s managed to secure ha.ckers.org for all these years despite how much of a target I’ve made it. Should be fun.

20 posts left…

Pyloris is a python version of Slowloris, and since it is written in python it’s SSL version is thread safe. So what better way to lock up an SSL/TLS Apache install (given that Apache still hasn’t fixed their DoS)? Well, one of the big problems attackers have when trying to decipher SSL/TLS traffic is the fact that browsers not only send a lot of request down a single connection but they also connect use a bunch of open connections over separate sockets. What if we could use pyloris to exhaust all but one open socket?

Well it turns out that while this sorta works, there are a lot of issues with the concept. Firstly, it requires Apache. Secondly the server can’t be using a load balancer (assuming the load balancer isn’t using Apache itself). Thirdly it requires that there are no other users on the system or there will be a seriously annoying user experience for the poor victim who can’t reach the site that the man in the middle is trying to decipher traffic from. Alas… So while this didn’t work particularly well in my testing, I’m certain with more thinking someone can figure out a way to do this.

21 posts left…

If you’re familiar with XSHM this is going to look awfully similar (but better). When a script creates a new popup (or tab) it retains control over where to send it at a later date. I talked about this concept before. But let’s see what else can be done. What if the attacker uses the history.length function to calculate how many pages a user has visited after they left the tab for wherever they landed. The attacker could do something like this:

a.location = 'data:text/html;utf-8,<script>alert(history.length);history.go(-1);<\/script>';

By setting either a recursive setTimeout or using some manual polling mechanism, the attacker can (in this case) cause a popup which monitors how many pages they’ve gone. Normally it wouldn’t cause a popup, the attacker would redirect to another domain that they had access to which would do the same history.length check. Voila. The user only sees a brief white flash and then the same page they were just on - as if nothing happened. They’d probably just think their browser is messing up again. This could be helpful in a number of esoteric situations where the number of pages visited may change, or you may want to force them through several flows (and back and forth again) all with a single mouse click - giving you authority to popup in the first place. The best part is that this will follow them while they surf for as long as both windows stay open.

22 posts left…

While thinking about the previous issue and listening to Jeremiah’s preso and talking with the guys at Microsoft I got to thinking about cookie clobbering. Let’s say that Microsoft thinks HTTP cookies overwriting secure cookies is a big enough problem to fix. Let’s walk through the use cases. Let’s say there is a separate place for secure cookies that can’t be overwritten by non-secure cookies. Does that mean two cookies are replayed in HTTPS space, or that the HTTPS cookie always wins? Okay… let’s say it wins and the secure flag cookie cookie is the only one sent. Well let’s not forget about Jer’s cookie clobbering script.

When an attacker forces overwriting of the cookie jar, they get the exact same effect. Now the victim has no cookies secure or otherwise if the global cookie jar stays the same size and it remains a LIFO system. So now you’re saying, well the attacker can just use a SSL/TLS enabled cookie clobbering scripts - you’re right! So now there has to be a per-site container… or something - and doesn’t that completely defeat the purpose of the upper limits on cookies anyway? Now DoS conditions become an issue with overwriting the disc with tons of huge cookies, and so on. Anyway… this probably needs a lot more thought, and I’m certainly not advocating “fixing” this, just to end up with a worse situation than we already have. But certainly secure cookies shouldn’t be clobbered by HTTP cookies - in my opinion.

23 posts left…

It’s been known for a long time that HTTP can set cookies that can be read in HTTPS space because cookies don’t follow the same origin policy in the way that JavaScript does. More importantly, HTTP cookies can overwrite HTTPS cookies, even if the cookies are marked as secure. I started thinking of a form of session fixation during our research that uses this to the attacker’s advantage. Let’s assume the attacker wants to get access to a user’s account that’s over SSL/TLS. Now let’s assume the website sets a session cookie prior to authentication and after authentication the site marks the cookie as valid for whatever username/password combo it receives.

First, the attacker goes to the website before the victim gets there so he can get a session cookie. Then, if the victim is still in HTTP for the same domain the attacker can set a cookie that will replay to the HTTPS website. So the attacker sets the same cookie that he just received into the victim’s browser. Once the victim authenticates, the cookie that the attacker gave the victim (and knows) is now valid for the victim’s account. Now if the victim was already authenticated or had already gotten a session token, no big deal. The attacker overwrites the cookie, which at worst logs the user out. Once the victim re-authenticates, voila - session fixation. Now all the attacker has to do is replay the same cookie in his own browser and he’s in the user’s account.

24 posts left…

When I told one of my guys about the double DNS rebinding attack, he said, “Well it’s a good thing I use perspectives.” So that was my clue that I had better get familiar with the plugin if people are seriously relying on it for security. In the process we found a number of potential issues. For those of you who aren’t super clued in about this tool it was originally designed to handle situations where governments are tapping people using things like Packet Forensics where a valid certificate authority is being used to man in the middle someone or a group of individuals.

First of all it’s easy to detect perspectives for a man in the middle. Perspectives sends a lot of HTTP traffic, which the attacker can easily read and figure out is related to perspectives. That may not seem important, because if an attacker knows that a user has it installed what can they really do? We’ll come back to this.

Embedded content is not verified by perspectives, only the parent window. Because most websites (even HTTPS) use third party service providers, caching servers or whatever for static content, the attacker will simply MitM’s the “static” servers serving up CSS, JavaScript or objects that are dynamic content once rendered. By modifying the response and including active content, anything that can be seen by the DOM is still accessible to the man in the middle. Kinda defeats the purpose of perspectives…

Using the fact that an attacker knows that someone is using perspectives (which they can determine by forcing someone through an SSL/TLS link), the attacker can simply MITM only the embedded content. Of course there are changes a user can make to the settings and options to reduce this risk, but like all options, they’re probably not changed often and the defaults really aren’t good.

Lastly, I tried perspectives against the double DNS rebinding issue, and unfortunately instead of the huge pop-down that would actually alert someone to the problem, because the attack uses a valid cert from a nearby sub-domain that perspectives has probably seen before it only gives the small warning that most people probably wouldn’t notice unless they were really paying attention.

25 posts left…

One of the issues Josh and I talked about at Blackhat was how the SSL certificate warning message can be used to gain information about a user’s behavior and how that can be used against the user. Let’s say a man in the middle causes an error via proxying a well-known owner/subsidiary. For example let’s say https://www.youtube.com/ which most technical people know belongs to Google and which, incidentally causes SSL/TLS mismatch errors because it’s mis-configured. Experts who see such an error and investigate will think it’s just a dumb (innocent) error. Non-experts will click through immediately, because they always do when they see such things.

By measuring the wait time the attacker can know which type of user the victim is - a technical one, or a novice. If the user is a novice the attacker knows they don’t have to worry anymore - they can deliver their snake oil cert later if the user goes through it “quickly” because that user’s behavior will most likely stay the same. Of course figuring out the timing might be a bit tricky because really new users will be awfully confused by cert warnings and will seem “slow” I’d bet. Anyway, something to investigate further.

В червні була виявлена Cross-Site Scripting уразливість в IPB. Це persistent XSS в календарі, що є стандартним модулем (який постачається разом з движком).

Якщо календар включений на форумі, то може бути проведена XSS атака. А враховуючи те, що календар може виводитися на кожній сторінці форуму, то відповідно код спрацює на кожній сторінці (де виводиться календар).

Уразливі Invision Power Board 3.0.5 та попередні версії.

• Invision Power Board - stored Cross site Scripting (деталі)

Як я протестував, в версії IPB 2.2.2 немає даної уразливості.

Виявлені численні уразливості безпеки в Adobe Shockwave Player.

Уразливі версії: Adobe Shockwave Player 11.5.

Численні пошкодження пам’яті.

• Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2882 (деталі)
• Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2880 (деталі)
• Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2864 (деталі)
• Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2869 (деталі)
• Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2881 (деталі)
• Adobe Shockwave Player Memory Corruption Vulnerability - CVE-2010-2868 (деталі)
• Adobe Shockwave Player Memory Corruption Vulnerability (деталі)
• Adobe Shockwave Player Director File FFFFFF88 Record Processing Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave Director tSAC Chunk Parsing Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave Director rcsL Chunk Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave Player Director File FFFFFF45 Record Processing Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave Director mmap Trusted Chunk Size Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave Director tSAC Chunk Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave TextXtra Allocator Integer Overflow Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave Director rcsL Chunk Pointer Offset Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave CSWV Chunk Memory Corruption Remote Code Execution Vulnerability (деталі)
• Adobe Shockwave tSAC Chunk Invalid Seek Memory Corruption Remote Code Execution Vulnerability (деталі)
• Security update available for Shockwave Player (деталі)