Posts Tagged ‘SECFORCE’
CVE-2011-3368 PoC - Apache Proxy Scanner
Monday, October 10th, 2011
A recent Apache vulnerability has been made public whereby an attacker could gain unauthorised access to content in the DMZ network:
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
SECFORCE has developed a proof of concept for this vulnerability, available for download from the security tools section of our website. The script exploits the vulnerability and allows the user to retrieve arbitrary known files from the DMZ. The tool can also be used to perform a port scan of the web server using the Apache proxy functionality, thereby bypassing any firewall.
The following output shows the usage of the tool:
python apache_proxy_scanner.py
CVE-2011-3368 proof of concept by Rodrigo Marcos
http://www.secforce.co.uk
usage():
python apache_scan.py [options]
[options]
-r: Remote Apache host
-p: Remote Apache port (default is 80)
-u: URL on the remote web server (default is /)
-d: Host in the DMZ (default is 127.0.0.1)
-e: Port in the DMZ (enables 'single port scan')
-g: GET request to the host in the DMZ (default is /)
-h: Help page
examples:
- Port scan of the remote host
python apache_scan.py -r www.example.com -u /img/test.gif
- Port scan of a host in the DMZ
python apache_scan.py -r www.example.com -u /img/test.gif
-d internalhost.local
- Retrieve a resource from a host in the DMZ
python apache_scan.py -r www.example.com -u /img/test.gif
-d internalhost.local -e 80 -g /accounts/index.html
The tool can be used to perform a port scan of the target host in the following way:
python apache_proxy_scanner.py -r <target> -u <uri>
The following screenshot shows the result of the command above:
[Screenshot: Apache proxy port scan results]
The script can be used to perform a bounce scan of a host in the DMZ or on the Internet:
python apache_proxy_scanner.py -r 192.168.85.161 -u /rewrite/test -d internalhost
python apache_proxy_scanner.py -r 192.168.85.161 -u /rewrite/test -d www.example.com
Apache_proxy_scanner will report open/filtered/closed ports in internal and external hosts.
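For defenders, the malformed request lines described above are visible in the proxy's access log. The following added example (not part of the SECFORCE tool or the original post) flags request targets that do not start with "/", and shows which host a backend URL resolves to when such a target is appended unchecked; the log lines and the backend prefix `http://backend.internal` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Request line and status as written by Apache's common/combined log formats.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')
ABSOLUTE_URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")

def is_malformed_target(method, target):
    """True when the target is not '/path', an absolute URI, CONNECT or 'OPTIONS *'."""
    if target.startswith("/") or ABSOLUTE_URI_RE.match(target):
        return False
    if method == "CONNECT" or (method == "OPTIONS" and target == "*"):
        return False
    return True

def proxied_host(backend_prefix, target):
    """Host the backend URL points at when the target is appended as-is.

    backend_prefix is a hypothetical rewrite substitution such as
    'http://backend.internal'; with a leading '@' in the target, the
    intended backend name is parsed as userinfo instead of the host.
    """
    return urlsplit(backend_prefix + target).hostname

def scan(lines):
    """Return (line_number, target, status) for every malformed request target."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_malformed_target(m["method"], m["target"]):
            hits.append((number, m["target"], m["status"]))
    return hits

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /img/test.gif HTTP/1.1" 200 2326',
    '203.0.113.9 - - [10/Oct/2011:13:55:40 +0000] "GET @internalhost.local/accounts/index.html HTTP/1.0" 200 512',
    '203.0.113.5 - - [10/Oct/2011:13:55:41 +0000] "OPTIONS * HTTP/1.1" 200 -',
    '203.0.113.9 - - [10/Oct/2011:13:55:43 +0000] "GET http://www.example.com/ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for number, target, status in scan(SAMPLE_LOG):
        print(f"line {number}: {target!r} -> status {status}, "
              f"backend host would be {proxied_host('http://backend.internal', target)}")
```

A flagged line with a 2xx status deserves the closest look, since it suggests the proxy forwarded the request. Anchoring RewriteRule and ProxyPassMatch patterns with a leading `^/` keeps such targets from matching in the first place.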
Tags: Apache, apache_proxy_scanner, CVE-2011-3368, mod_proxy, mod_rewrite, Penetration Testing, PoC, SECFORCE Posted in Penetration Testing, Tools, Vulnerabilities
SECFORCE is now CREST certified
Monday, July 25th, 2011
As part of the SECFORCE commitment to ensuring the provision of high quality services, SECFORCE has now achieved CREST certification. This will further complement the strong existing methodology and work ethic.
SECFORCE is already recognised as one of the leading penetration testing service providers in both the UK and Europe with the ability to demonstrate expertise and professionalism to ensure clients are totally satisfied.
[Image: CREST Penetration Testing]
“CREST is a not for profit organisation which brings a demonstrable level of expertise and professionalism to the security and penetration testing market. The bar for entry is set very high to protect the interests of the buying community and provide a clear differentiator for professional testing companies. There are very few companies in the UK who can meet the requirements of CREST and those that do, like SECFORCE, have had to demonstrate the processes they utilise for testing are sound, they have adopted industry best practice in their approach to testing and they handle sensitive client information in an appropriate manner.”
Ian Glover, President of CREST
The addition of CREST certification will provide further reassurance and confidence to the many clients with whom SECFORCE has already built a strong working relationship.
“We are really pleased that CREST certification has been achieved and view this as an important step forward in the continued enhancement of our service delivery”
Rodrigo Marcos, Technical Services Director
For more information about our CREST assessments, and to discover how we can benefit your organization, please visit our CREST penetration testing page.
Tags: CREST, CREST security, penetration test, Penetration Testing, SECFORCE Posted in CREST, Penetration Testing, SECFORCE
SECFORCE achieves quality management ISO 9001 certification
Wednesday, April 6th, 2011
SECFORCE has achieved recognition for its quality management systems with the award of ISO 9001:2008.
The certification recognises the company’s commitment to quality management systems used in the delivery of IT security services to SECFORCE customers and to continuous improvement processes and procedures.
For customers this achievement will enhance their confidence in the high quality of SECFORCE’s services and will guarantee a more efficient and effective business operation, increasing customer satisfaction. As quality is constantly measured and procedures ensure corrective actions are taken whenever defects occur, our clients will benefit from a continually improving service.
Certification was awarded by The British Assessment Bureau, a UKAS accredited authority, following a series of independent audits.
Tags: client satisfaction, ISO9001, quality management, SECFORCE Posted in SECFORCE
Exploiting MS09-004 via SQL injection
Monday, January 24th, 2011
Recently we were performing a web application penetration test for one of our clients and identified a SQL injection vulnerability. The vulnerability allowed us to conduct a degree of fingerprinting on the remote server; however, the Microsoft SQL Server back-end database didn’t allow us to execute commands via the well-known xp_cmdshell stored procedure.
Based on the fingerprinting information we identified that the database server was running an old and vulnerable version of MS SQL Server: Microsoft SQL Server 2000 SP3, to be precise.
Everything indicated that the server was vulnerable to MS09-004. However, it was not possible to get direct access to the database. Moreover, no authentication credentials were discovered during the course of the assessment.
This is how our newly released Metasploit module was born. We coded an extension which can be added to Metasploit to exploit this vulnerability through a SQL injection vulnerability without needing credentials, as the web application will authenticate on our behalf.
[Screenshot: Penetration testing - SQL injection exploitation]
The screenshot above shows how to get meterpreter (or any other payload of your choice) exploiting the vulnerability from Metasploit.
If interested, get the scripts from our security tools area.
Tags: exploitation, metasploit, MS09-004, SECFORCE, sql injection, Tools Posted in Penetration Testing, Tools, exploit
Hackers in your network are closer than they appear
Thursday, January 22nd, 2009
Our marketing department did it again! This is what happens when marketing creatives and techies get together.
From this…

you get a monitor mirror with this design…

and then you get the real thing:

If you are one of our lucky clients, you will probably never look back again to check who is looking over your shoulder. If you are not, then you don’t have the assurance of having the very best security consultants looking after your infrastructure and, what is more important, you will need to keep looking back.
SECFORCE is an IT security consultancy specialized in providing penetration testing and IT security consultancy. Have a look at our website if you need to protect business assets.
Tags: hackers, marketing, monitor mirror, SECFORCE Posted in Penetration Testing, SECFORCE