Operation n

I came across TinyURL again with some recent comment spam; it was interesting that the spammer was using a single TinyURL as his/her webpage. This made me curious as to what was behind door number 1.

I initially planning to work out TinyURL’s encoding method and write a program to decode them (for fun); but soon lost interest when I saw that TinyURL already provide a “very cool” preview link; however, my initial TinyURL.com query script is here - for interested parties. I may still do some research in this area as a persistent XSS attack in the preview feature may leave the curious minded “owned”.

It isn’t new that TinyURL type sites can be used in phishing attacks; although I haven’t seen any of these myself. More interestingly was the article pdp released a short time ago: TinyURL as a storage house for mobile code. I thought this was an absolutely awesome idea.

In theory we can backdoor TinyURL with a plethora of web technologies using the ‘Data:’ URL scheme; however, in reality this doesn’t seem to work - atleast my tests proved unfruitful.

1. My test code for TinyURL:
<script>
alert(’test’);
</script>

2. We base64 encode it:
data:text/html;base64,PHNjcmlwdD4NCmFsZXJ0KCd0ZXN0Jyk7DQo8L3NjcmlwdD4=

3. We let TinyURL do it’s magin. We are left with:
http://tinyurl.com/ymcj59

Thats where the rabbit hole ended for me. This seems to be a Firefox restriction/bug rather than a TinyURL thing. To test this, I setup my own redirect; I got the exact same response as TinyURL. Link here if you want to try this yourself.

When in doubt keep it simple; simply creating a link to a malicious page will do. A 302 redirect attack could be used on the attacker controlled system in the event that the user is curious and previews our links.

To summarise, I agree with pdp. I can definately see potential for badness here. From a phishing and worm perspective. Since we can’t use ‘Data:’ to store mobile code: we can use TinyURL’s very own “preview” feature instead.

Generally speaking, organisations would be wise to add TinyURL type services to their spam blacklist. These services are useful but deceiving in my opinion. Would you walk down a dark alley?

#!/bin/sh
# tinyurl.sh
# Creates a URL at http://tinyurl.com and gets us the encoding.
# 21 Dec 06

# We can use a one line perl commands to play further:
# for ((i=1;i<=50;i++)) ; do echo -n "$i " ;
# ./tinyurl.sh `perl -e 'print "b"x'$i` ; sleep 1 ; done

if [ ! $BASH_ARGC ]; then
        echo "usage: $0 tinyarg"
        exit
fi

URL=$1
REQ="GET /create.php?url=$URL HTTP/1.1\\r\\n"
DATA="Host: tinyurl.com\\r\\n\\r\\nConnection: Close\\r\\n\\r\\n"

#echo "Sending: $REQ"
echo -en $REQ$DATA | nc tinyurl.com 80 | grep 'hidden name=tinyurl' \\
        | cut -d \\/ -f 4 | cut -d \" -f 1

Need more reliable business email hosting? Intermedia has exchange 2007 hosting for your outlook exchange.  Also, if you’d like to make a bit of money on the side, check out their exchange email outsourcing program.

Web Backdoor Compilation (wbc)
DK (http://michaeldaw.org)

Changelog

I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities
and others. I think a library like this may be useful in a variety of situations.

Understanding how these backdoors work can help security administrators
implement firewalling and security policies to mitigate obvious attacks.

The package includes:

Note: readme.txt is also included in this package but not listed here.

If you have contributions please let me know so that I can add them into a later
release.

Download here.

I released “CSRF in MSWord Part 1” a couple of weeks ago, where we utilise frames to backdoor Word documents. SANS Handlers commented on this find with some interesting points.

RSnake decided to play a little with this idea and has published “CSRF with MSWord Part II” where he has uncovered a really neat way to backdoor .doc files by adding HTML into the META section of the document. This reminds me alot of the technique used by pdp in Backdooring Quicktime. I haven’t tested this yet but am already getting ideas…

It is scary to see typical web application vulnerabilities spreading to Word and others. My “Backdooring PDF files” article also exploited web features within an application. These issues were all found within a matter of hours not days and certainly not weeks. Low hanging fruit…

I don’t know whether HomePlug networks are growing in use or not, but the following statements caught my attention:

“Officials at Intellon, the chip maker that developed the HomePlug spec, say that hacking into a HomePlug network would require cracking the government’s DES encryption standard.” - link

My favourite:

“HomePlug specification products also protect data by utilizing powerful DES encryption, which makes hacking into a HomePlug network virtually impossible.” - link

If you are not sure what a HomePlug network is then maybe the following diagram will help:

As you can see above, HomePlug’s in many cases can replace a Wireless infrastructure or work along side it (i.e. your house or office has thick walls weakening the signal). You simply plug it into your wall socket and attach a network lead to it.

Now I didn’t really spend ages on coming up with advanced hacking techniques for these things. It would be overkill me thinks. These devices are insecure in their default state. They are also insecure in their “secured” state.

So lets put our attack together:
1. HomePlug Detection & Enumeration
2. Exploitation in its default state
3. Exploitation in its “secured” state
4. Hacker Countermeasures

1. HomePlug Enumeration

You need a compatible HomePlug to start. A single plug can cost between £20 - £30. Ensure that the plug is HomePlug v1.0 certified or you will most likely fail in your endeavor.

You will then require a target, testing your own network is easy enough, attackers will most likely test your network from an outside wall socket.

Install the software that comes with the plug - this software was exactly same with both my HomePlug makes (other then a few logo changes). Plug your HomePlug into the wall socket of the network you what to connect to. Load up the software and simply click “Scan Powerlines Network”. You could also just load a sniffer and check if your rogue plug has already joined the network.

2. Exploitation in its default state

I couldn’t find the v1.0 specification rfc, but it was trivial to work out that all these devices use a default network key of “HomePlug” to start with. Obviously this was done to allow for plug and play. Load up your sniffer and monitor network traffic. If the default key is used you should see NetBIOS broadcasts etc. Job done.

3. Exploitation in its “secured” state

56-bit DES encryption may have been considered cryptographically strong in the stone ages but not today.

Even though 56-Bit DES encryption (2^56 possible keys) is breakable, it may take a fair chunk of time to crack - although Rainbowtables has made this alot easier. Personally, I would try some weak passwords to begin with.

4. Hacker Countermeasures

Do the obvious. Use a very strong key to secure your HomePlug’s. Ensure thats your network devices are firewalled. Hopefully the newer versions will provide stronger encryption options.

Attacks involving remote exploitation of servers and networks have been greatly mitigated by the advent of Firewalling technology. They are the network sentries. Statefully inspected firewalls understand network and application protocols (we hope). They can pass, reject, deny, log or modify passing traffic.

A typical network configuration will include a router(s), firewall(s), DMZ or demilitarised-zone, and LAN(s) (Local Area Network). This is typical three-tier architecture. In firewall configurations, less is always better. Less rules means less configuration, which means less potential for human error. Less services or restricted services means less surface area, which ultimately means less for an attacker to play with. Firewalls have become critical in securing our perimiters.

The most common Internet facing services are, “Mail (SMTP, POP3 etc), DNS and HTTP(s)”. Usually, an administrator will allow remote access via a VPN type solution. This mostly includes, “IKE, SSL or SSH”. As a potential attacker, this leaves very little to work with, which is why firewalling has become so popular. In short, as said before, it reduces the external attack surface.

As we think about the above-mentioned, we begin painting a picture as to why client-side hacking (which has been around for ages, usually in the form of Malware) is becoming so popular. Why play in a limited world, a firewalled world, a server-side world when we can go straight to the source, the client-side frontier.

Internal users are often in a relationship of trust with their surrounding network. Client-side hacking involves expanding the functionality of a service in the environment with which the user is already involved. We present “valid” code and the user executes it for us, effectively utilising the user’s circle of trust.

It is interesting to see all these zero-day MS Word vulnerabilities being found “all of a sudden”. How long have these vulnerabilities been around? Are they only being released now because MS Word 2007 is coming out along with Windows Vista so attackers are trying to infect as many systems as possible before the upgrade?

Security has developed and moved forward and made tremendous strides in many areas. However, I agree with Ed Skoudis who mentions in his “Malware” book that very little work has done in relation to Malware prevention. Both myself and pdp (arcitect) have recently found or reported serious malware potential in Quicktime, MP3, PDF, Flash and RSS to name a few.

I know some work has been done in these areas with regards to testing. For example, I know of security testers who have tested what files will be permitted through our mail filters, or what encoding types will bypass our anti-virus applications, but how often have you heard of this type of work actually being performed?

I quoted David Maynor in my previous post and I do it again: “The OS vendors have been hardening the operating system a lot, so now attackers have two choices. They can go up to the application level, or they can go lower to the device driver level..”. This is where attackers are going, but are we as the security community moving with these trends?

– David Kierznowski 09 Sep 2006