Archive for the 'Projects' Category

Technika Security Framework

I have been preoccupied for the last 2 weeks developing an automated security framework for Technika.

Technika is a Firefox plugin that pdp and I were toying with some months back. The original idea behind this project was to provide independent, self-contained security tools based on JavaScript which can be loaded and executed from the browser. TS Framework v1.0 is almost ready for release.

If you haven’t already checked it out, get more info here.

Also, I just finished a write up on some of my thoughts around automated web application tools, now that I’ve started writing one. It’ll most likely be published on GNUCITIZEN tomorrow.

WordPress Securify

WordPress Securify Plugin (WPSec)

Table of Contents:
Introduction
Installation
Development Documentation
Download

Introduction

WordPress has become one of the most popular open source blogging software packages on the net. One of the reasons for its popularity is its powerful plugin API.

WordPress Securify (WPSec) is a security plugin for WordPress. Every hour, the tests specified within WPSec are executed, and a count of “warnings” is displayed in the top right of the WordPress Admin panel. The security feature list currently supports 3 tests:

  • WordPress Version Check
  • Admin Panel SSL Check
  • WordPress Default Admin username check

It is fairly trivial to add security tests to this project. I am sure the project will move quickly as feedback and new tests are submitted and contributed. The first version of this plugin is mainly to get the framework working (although useful nonetheless). The next release will include an email alert system.

As a side note this plugin was already really useful with the recent WordPress version release fun.

Installation

NOTE: Please perform backups before you do anything. This is a BETA release, meaning it may contain bugs. I do not recommend running this plugin unless you are a fairly advanced user.
To install WPSec, simply untar the package in the wp-content/plugins directory (e.g. tar -zxvf wp-securify.tar.gz).

Development Documentation

Writing additional tests for WPSec
WPSec was designed to be modular, meaning that you can contribute additional “securify tests” without too much hassle. In fact, I would encourage it. If the test is useful it will be added to a later release. The author has the option to take credit for the test or to remain anonymous.

Basic WPSec test layout
A WPSec test consists of:

  • The actual test code ([plugins-dir]/securify/tests/wps-$TESTNAME)
    • It must contain a WPSec database entry to allow other features of WPSec to function.
    • The database entry must include values: (test,testval) where test is the testname and testval is either ‘true’ (securified) or ‘false’ (vulnerable).
  • Add the test into securify.php

Note: When in doubt use the existing tests as a guideline.

Download

The package can be downloaded here.

Web Backdoor Compilation


Web Backdoor Compilation (wbc)
DK (http://michaeldaw.org)

Changelog

Date        Change
24 Apr 07   Anti-Virus Capabilities (work done by Dancho Danchev)
14 Apr 07   Version 1b (pre 1.2 release): perlcmd.cgi, cfexec.cfm, cmdasp.aspx
Dec/06      Version 1 release.

I have collected some web backdoors in the past to exploit vulnerable file upload facilities and others. I think a library like this may be useful in a variety of situations.

Understanding how these backdoors work can help security administrators implement firewalling and security policies to mitigate obvious attacks.

The package includes:

Each entry lists the filename, contributor, MD5, anti-virus detection and risk.

cmd-asp-5.1.asp
  Contributor: Brett Moore
  MD5: 8baa99666bf3734cbdfdd10088e0cd9f
  Anti-Virus Detection: Webwasher-Gateway 6.0.1/20070419
  Risk: HIGH

cmdasp.asp
  Contributor: Maceo
  MD5: 57b51418a799d2d016be546f399c2e9b
  Anti-Virus Detection: Authentium 4.93.8 04.14.2007; Avast 4.7.981.0 04.16.2007; BitDefender 7.2 04.16.2007; ClamAV devel-20070312 04.16.2007; DrWeb 4.33 04.16.2007; Ewido 4.0 04.16.2007; F-Prot 4.3.2.48 04.13.2007; F-Secure 6.70.13030.0 04.16.2007; Kaspersky 4.0.2.24 04.16.2007; Microsoft 1.2405 04.16.2007; Symantec 10 04.16.2007; VBA32 3.11.3 04.14.2007; Webwasher-Gateway 6.0.1 04.16.2007
  Risk: Low

cmdasp.aspx
  Contributor: Dominic Chell
  MD5: 5e83b6ed422399de04408b80f3e5470e
  Anti-Virus Detection: None
  Risk: CRITICAL

cmdjsp.jsp
  Contributor: Unknown
  MD5: b815611cc39f17f05a73444d699341d4
  Anti-Virus Detection: None
  Risk: CRITICAL

jsp-reverse.jsp
  Contributor: Tan Chew Keong
  MD5: 8b0e6779f25a17f0ffb3df14122ba594
  Anti-Virus Detection: None
  Risk: CRITICAL

php-backdoor.php
  Contributor: z0mbie
  MD5: 2b5cb105c4ea9b5ebc64705b4bd86bf7
  Anti-Virus Detection: AhnLab-V3 2007.4.19.1/20070419; AntiVir 7.3.1.53/20070419; Authentium 4.93.8/20070418; AVG 7.5.0.464/20070419; BitDefender 7.2/20070419; F-Prot 4.3.2.48/20070418; F-Secure 6.70.13030.0/20070419; Ikarus T3.1.1.5/20070419; Kaspersky 4.0.2.24/20070420; McAfee 5013/20070419; Microsoft 1.2405/20070419; NOD32v2 2205/20070419; Norman 5.80.02/20070419; VBA32 3.11.3/20070419; Webwasher-Gateway 6.0.1/20070419
  Risk: Low

simple-backdoor.php
  Contributor: David Kierznowski
  MD5: f091d1b9274c881f8e41b2f96e6b9936
  Anti-Virus Detection: None
  Risk: CRITICAL

perlcmd.cgi
  Contributor: David Kierznowski
  MD5: 97ae7222d7f13e908c6d7f563cb1e72b
  Anti-Virus Detection: None
  Risk: CRITICAL

cfexec.cfm
  Contributor: Kurt Grutzmacher
  MD5: bd04f47283c53ca0ce6436a79ccd600f
  Anti-Virus Detection: None
  Risk: CRITICAL

Note: readme.txt is also included in this package but not listed here.

If you have contributions please let me know so that I can add them into a later
release.

Download here.

Load Balancer Enumeration

Load Balancer Enumeration
author: david.kierznowski_at_gmail.com
http://michaeldaw.org

Table of Contents:
0. Introduction
1. Dynamic DNS
2. Proxies
2a. Cookie Analysis
2b. Web Server Configuration issues
2c. Using the TCP/IP Stack
2d. Using HTTP Date: field
3. References

0. Introduction

Load balancing (performed by a load balancer) is a type of service performed by a computer that assigns work loads to a set of networked computer servers in such a manner that the computing resources are used in an optimal manner. (Wikipedia)

As touched upon in “http://michaeldaw.org/news/news-091006-0/”, detecting load balancing is crucial to the security of any web application, yet I have heard very little by way of security testing in this area.

This article will discuss some ideas around detecting load balancers but, more importantly, I will share some techniques to enumerate the web servers behind these load balancers. None of the ideas in this article are new, but together they form a collection of techniques that I have often found useful.

Note: I do not presume this article to be the end all on the subject, but I hope to encourage the reader to find new and effective techniques to not only detect load balancers, but also to be able to distinctly identify the targets behind the load balancer.

1. Dynamic DNS Load Balancing

./check-dns.sh
Connecting to [www.google.com] [20] times
www.l.google.com has address 64.233.183.103
www.l.google.com has address 64.233.183.104
www.l.google.com has address 64.233.183.147
www.l.google.com has address 64.233.183.99
www.l.google.com has address 66.249.85.104
www.l.google.com has address 66.249.85.99

check-dns.sh source here.

As seen above, DNS load balancing is the easiest to spot. It is also one of the easiest to test for as each web server has an external IP address.

2. Proxies

Proxy-type load balancers (e.g. Apache Tomcat, F5’s BIG-IP) typically forward connections to a cluster of web servers. This can be done sequentially, randomly or by more advanced methods such as bandwidth utilisation.

Unlike DNS load balancing, proxies require a method to maintain state (as HTTP is stateless). Because of this, the enumeration techniques branch off again. These include:
a. Cookie Analysis
b. Web Server Configuration issues
c. Using the TCP/IP Stack
d. Using HTTP Date: Field

2a. Cookie Analysis

This is fairly straightforward. A number of popular load balancers use cookies to maintain state and ultimately manage their connections.

F5’s BIG-IP Load Balancer demonstrates this nicely:

Set-Cookie: BIGipServer[poolname]=336268299.20480.0000; expires=Sat, 01-Jan-2002 00:00:00 GMT; path=/

The cookie above names the pool ([poolname]) and carries a value (336268299.20480.0000) that is an encoding (d*(256^3)+c*(256^2)+b*256+a) of the IP address a.b.c.d and port of the server behind the load balancer.
See http://www.nessus.org/plugins/index.php?view=viewsrc&id=20089
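As an added example (not part of the original article), the following Python decodes the cookie quoted above. The IP decoding is the article's formula run in reverse; treating the port the same way (low byte first) is an assumption about the same encoding scheme, and it turns 20480 into port 80. A defender can run the same check against their own responses to see whether the balancer is handing out backend addresses.

```python
import re

# Set-Cookie header quoted in the article (BIG-IP persistence cookie).
SAMPLE_HEADER = ("Set-Cookie: BIGipServer[poolname]=336268299.20480.0000; "
                 "expires=Sat, 01-Jan-2002 00:00:00 GMT; path=/")

COOKIE_RE = re.compile(
    r"BIGipServer(?P<pool>[^=;\s]+)=(?P<ip>\d+)\.(?P<port>\d+)\.0000")


def decode_ip(n):
    """Invert d*(256^3)+c*(256^2)+b*256+a: the low byte is the first octet."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (0, 8, 16, 24))


def decode_port(n):
    """Port stored low byte first as well (assumed): 20480 == 0x5000 -> 80."""
    return ((n & 0xFF) << 8) | ((n >> 8) & 0xFF)


def parse_bigip_cookie(header):
    """Return (pool name, backend IP, backend port), or None if no such cookie."""
    m = COOKIE_RE.search(header)
    if m is None:
        return None
    return (m.group("pool"),
            decode_ip(int(m.group("ip"))),
            decode_port(int(m.group("port"))))
```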

2b. Web Server Configuration issues

Web server configuration vulnerabilities can be used to detect load balancing and, in some cases, to determine the internal IP addresses of the web servers behind it. The following example demonstrates this:

GET / HTTP/1.0

HTTP/1.1 302 Object Moved
Location: http://172.16.14.25/
Server: Microsoft-IIS/5.0
Content-Type: text/html
Content-Length: 148

--snip--
This document may be found
<a HREF="http://172.16.25.140/pdf/">here</a>
--snip--

2c. Using the TCP/IP Stack

Observing IPID increments can often tip you off that multiple TCP/IP stacks are in use.
Example:

$ hping2 *hidden* -S -p 80 -i u1000 -c 30
HPING *hidden* (eth0 x.x.x.x): S set, 40 headers + 0 data bytes
len=46 ip=*hidden* ttl=51 DF id=58489 sport=80 flags=SA seq=0 win=24656 rtt=203.9 ms
len=46 ip=*hidden* ttl=51 DF id=16912 sport=80 flags=SA seq=2 win=24656 rtt=200.1 ms
len=46 ip=*hidden* ttl=51 DF id=58490 sport=80 flags=SA seq=3 win=24656 rtt=197.2 ms
len=46 ip=*hidden* ttl=51 DF id=16913 sport=80 flags=SA seq=4 win=24656 rtt=194.2 ms
len=46 ip=*hidden* ttl=51 DF id=58491 sport=80 flags=SA seq=5 win=24656 rtt=204.0 ms
len=46 ip=*hidden* ttl=51 DF id=16914 sport=80 flags=SA seq=7 win=24656 rtt=199.1 ms
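Added example, not from the article: the following Python parses the hping2 output above and splits the IP IDs into chains that grow by a small step, which is how a single host's IP ID counter behaves, so two chains point to two stacks. The hping2 lines are copied from the article; the 16-step threshold is an assumption. A stack that randomises IP IDs yields one chain per reply, so the estimate is reported as inconclusive in that case.

```python
import re

# hping2 output copied from the article; only the id= fields matter here.
HPING_OUTPUT = """\
len=46 ip=*hidden* ttl=51 DF id=58489 sport=80 flags=SA seq=0 win=24656 rtt=203.9 ms
len=46 ip=*hidden* ttl=51 DF id=16912 sport=80 flags=SA seq=2 win=24656 rtt=200.1 ms
len=46 ip=*hidden* ttl=51 DF id=58490 sport=80 flags=SA seq=3 win=24656 rtt=197.2 ms
len=46 ip=*hidden* ttl=51 DF id=16913 sport=80 flags=SA seq=4 win=24656 rtt=194.2 ms
len=46 ip=*hidden* ttl=51 DF id=58491 sport=80 flags=SA seq=5 win=24656 rtt=204.0 ms
len=46 ip=*hidden* ttl=51 DF id=16914 sport=80 flags=SA seq=7 win=24656 rtt=199.1 ms
"""


def parse_ipids(output):
    """Extract the IP ID of every reply, in arrival order."""
    return [int(m) for m in re.findall(r"\bid=(\d+)", output)]


def partition_ipid_chains(ids, max_step=16):
    """Greedily attach each IP ID to the chain it most plausibly continues.

    A chain is a run of IDs that each grow by a small amount, which is how a
    host with a global IP ID counter behaves. Steps are taken modulo 2^16 so
    a counter that wraps past 65535 stays in its chain.
    """
    chains = []
    for ident in ids:
        best, best_step = None, None
        for chain in chains:
            step = (ident - chain[-1]) % 65536
            if 0 < step <= max_step and (best is None or step < best_step):
                best, best_step = chain, step
        if best is None:
            chains.append([ident])
        else:
            best.append(ident)
    return chains


def estimate_stacks(ids, max_step=16):
    """Number of distinct IP ID counters seen, or None when inconclusive."""
    chains = partition_ipid_chains(ids, max_step)
    # A stack that randomises IP IDs starts a new chain on almost every reply,
    # in which case the chain count says nothing about the number of hosts.
    if len(chains) > len(ids) // 2:
        return None
    return len(chains)
```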

2d. Using HTTP Date: field

Discrepancies in the ‘Date:’ header returned across consecutive requests reveal web servers whose clocks are set differently.
Example:

# ./check-date.sh
Connecting to [*hidden*] [10] times
Date: Mon, 20 Nov 2006 21:30:30 GMT
Date: Mon, 20 Nov 2006 21:28:22 GMT
Date: Mon, 20 Nov 2006 21:28:23 GMT
Date: Mon, 20 Nov 2006 21:28:24 GMT
Date: Mon, 20 Nov 2006 21:30:43 GMT
Date: Mon, 20 Nov 2006 21:30:44 GMT
Date: Mon, 20 Nov 2006 21:30:45 GMT
Date: Mon, 20 Nov 2006 21:30:45 GMT
Date: Mon, 20 Nov 2006 21:30:46 GMT
Date: Mon, 20 Nov 2006 21:30:47 GMT

check-date.sh source here.
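Added example, not from the article: the following Python groups the Date: values above into clocks. Back-to-back requests answered by one host differ by a few seconds at most, so a value more than 30 seconds (an assumed tolerance) away from every group seen so far belongs to a host with a differently set clock; the code also reports how far each clock lags the first one seen.

```python
from email.utils import parsedate_to_datetime

# check-date.sh output copied from the article: ten back-to-back HEAD
# requests and the Date: header from each reply, in arrival order.
DATE_LINES = """\
Date: Mon, 20 Nov 2006 21:30:30 GMT
Date: Mon, 20 Nov 2006 21:28:22 GMT
Date: Mon, 20 Nov 2006 21:28:23 GMT
Date: Mon, 20 Nov 2006 21:28:24 GMT
Date: Mon, 20 Nov 2006 21:30:43 GMT
Date: Mon, 20 Nov 2006 21:30:44 GMT
Date: Mon, 20 Nov 2006 21:30:45 GMT
Date: Mon, 20 Nov 2006 21:30:45 GMT
Date: Mon, 20 Nov 2006 21:30:46 GMT
Date: Mon, 20 Nov 2006 21:30:47 GMT
"""


def parse_dates(text):
    """Turn 'Date: <RFC 1123 date>' lines into timezone-aware datetimes."""
    return [parsedate_to_datetime(line.split(":", 1)[1].strip())
            for line in text.splitlines() if line.startswith("Date:")]


def cluster_clocks(stamps, tolerance=30):
    """Group Date: values into clocks.

    The requests were sent back to back, so two replies from the same host
    are at most a few seconds apart. A value more than `tolerance` seconds
    (an assumed threshold) from every cluster seen so far comes from a host
    whose clock is set differently, i.e. another backend.
    """
    clusters = []
    for ts in stamps:
        for cluster in clusters:
            if abs((ts - cluster[-1]).total_seconds()) <= tolerance:
                cluster.append(ts)
                break
        else:
            clusters.append([ts])
    return clusters


def clock_offsets(stamps, tolerance=30):
    """Seconds each clock lags the first clock seen (the first entry is 0)."""
    clusters = cluster_clocks(stamps, tolerance)
    if not clusters:
        return []
    base = clusters[0][0]
    return [round((base - c[0]).total_seconds()) for c in clusters]
```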

3. References:

http://content.websitegear.com/article/load_balance_dns.htm
http://en.wikipedia.org/wiki/Load_balancer
http://michaeldaw.org/news/news-091006-0/
http://www.nessus.org/plugins/index.php?view=viewsrc&id=20089
F5’s BIG-IP Load Balancer
http://www.hping.org/

Appendix

check-dns.sh Source:

#!/bin/bash

# PoC: DNS Load Balancer Check
# Resolves the target repeatedly and prints each distinct address returned.
# (bash, not sh: the C-style for loop below is a bash feature)

TARGET="www.google.com"
TIMES=20
OUT=",dns.txt"

echo "Connecting to [$TARGET] [$TIMES] times"

: > "$OUT"   # start from an empty result file on every run

for ((i=0; i<TIMES; i++)); do
  host "$TARGET" | grep address >> "$OUT"
done

sort -u "$OUT"

check-date.sh Source:

#!/bin/bash

# PoC: Grab 'Date:' field from web server
# Sends TIMES back-to-back HEAD requests and prints the Date: header of each reply.
# (bash, not sh: the C-style for loop is a bash feature; printf avoids echo -e portability issues)

TARGET="www.microsoft.com"
TIMES=10

echo "Connecting to [$TARGET] [$TIMES] times"

for ((i=0; i<TIMES; i++)); do
  printf 'HEAD / HTTP/1.0\r\n\r\n' | nc "$TARGET" 80 | grep 'Date:'
done

WordPress Securify

Update: 17/Jan/06 - WordPress Securify Plugin released.
Update: 18/Nov/06 - WordPress Securify v1.0b released.
Changes include:
- Added pre-check functions to prevent overwriting important values.
- Added file/directory permission check.
- Added function to change filenames with wp- extension.
- Added additional sanity checks.

On 11/11/06 _ANtrAX_ released a post on full-disclosure regarding a “Remote File Inclusion” vulnerability in WordPress 2.0.5 (the latest version). This vulnerability (in theory) would allow an attacker to gain access to just about any WordPress web application on the Internet. Getting worried?

Securityfocus has since retired this vulnerability. They explain:
“The vulnerability described in this BID is not exploitable, as the parameter specified can not contain user-specified data. This BID is therefore being retired.”

I thought about how widely used WordPress is. The WordPress website claims: “join 473 thousand other bloggers…”. The question is what are some small things we can do to mitigate zero day vulnerabilities?

I have written a simple shell script called “WordPress Securify v1.0a” to increase security for WordPress users, but also to demonstrate some basic best practice guidelines for implementing web applications of this nature.

Let us look at what WordPress Securify currently supports:
[Step 1] Removing .txt/.html/import*.php/install*.php/upgrade*.php files…
[Step 2] Renaming default directories…
[Step 3] Changing filename wp-admin.css to $NEW_ADM_DIR.css
[Step 4] Remove WordPress Version

** Step 1
This step removes default content not required by WordPress following the installation or upgrade. Many web servers have been compromised in the past due to a lone script left after the installation process.

** Step 2
WordPress installations use 3 main directories: “wp-login, wp-admin, wp-content”. Worms and trojans can easily identify installations and propagate when default directories like these are left unchanged. WordPress Securify allows you to choose new directory names and then changes these for you.

** Step 3
Not important from a security point of view.

** Step 4
Attackers will always seek out software types and versions for obvious reasons: it allows them to quickly Google for vulnerabilities in your specific version. WordPress gives out this information by default. It’s interesting to note that phpBB used to do this too; in a later version of 2.0 the version string was removed for the reasons discussed above. I would not be surprised if the WordPress developers do the same thing in a future release.

WordPress Securify currently only removes the version and not the software type. I have left this for two reasons… primarily because it’s late (or early) and I actually need some sleep.

Future versions of WordPress Securify will include:
>> Removing the software type
>> Rename filenames “wp-filename” to “random_filename”. (Done in v1.0b)
>> Check file and directory permissions. (Done in v1.0b)

Download WordPress Securify v1.0a.

DISCLAIMER:
This is BETA software; use it at your own risk. It is recommended that you back up your WordPress directory before using this tool. Also note, I have only tested this with default installs of WordPress 2.0.5.

Credits:
Kafkaesqui
- http://wordpress.org/support/topic/32764#post-185346
