Top 25 Most Dangerous Programming Errors
I’m lacking time to update, so I’ll just pretend to have an active blog by posting an interesting link: Top 25 Most Dangerous Programming Errors.
Haven’t updated this blog in a while, so here’s a minor update: the BackTrack 4 Final Release is out! If you’re not entirely sure what it is, read up on the website of this fabulous pentesting toolkit.
I’ll be testing it over the next few weeks and see if I can write up some interesting pieces on how to use it.
I’ve just read 2 very interesting articles on NetBIOS poisoning I feel like sharing.
Since those 2 links explain it all, I can only recommend reading them. Thoroughly. :-)
Ever heard of MetaData? Wikipedia describes it best:
Metadata (meta data, or sometimes metainformation) is “data about data”, of any sort in any media.
So I hear you thinking: who cares? Well, for starters: you should.
MetaData contains a lot more information than “data about data”. Documents such as .PDF, .DOC, .XLS, .PPT, … contain information such as
If you’re still saying “so what?”, ask yourself the following question: should this data really be public? Should everyone really know my username on my computer? Or everyone who contributed to a certain file? Or where I saved it, and what software I used?
If I were a malicious person, I could use that information for a targeted attack: I could send you a phishing e-mail with the names of some of your colleagues in it, or one of those names as the FROM address, so it looks legitimate. I could use that software version number to attach a very specific software exploit, so I can gain control over your system. I can use your username to brute-force your password.
See a trend there? The MetaData is giving out a lot of info that can be abused, and there are plenty of ways to get it. Consider our good friend Google for a second: they have some very nifty filters you can use in order to search efficiently. Ever searched for the string “site:microsoft.com filetype:doc”? It gives you a list of all .DOC files found on the microsoft.com site.
Guess what information is in those files?
Revision info, for everyone who worked on a file:
revision history – Revision #7: Author ‘benjaxxx’ worked on ”
revision history – Revision #6: Author ‘waly xxx’ worked on ”
revision history – Revision #5: Author ‘Steve xxx’ worked on ”
revision history – Revision #4: Author ‘waly xxx’ worked on ”
revision history – Revision #3: Author ‘waly xxx’ worked on ”
revision history – Revision #2: Author ‘waly xxx’ worked on ”
revision history – Revision #1: Author ‘waly xxx’ worked on ”
revision history – Revision #0: Author ‘waly xxx’ worked on ”
Paths used in that computer:
H:\SQL\SQL70_sp2\Langs\Spanish\updated_Readme_Localised\test\
\\MULTIMED-SERVER\WWWROOT\Peru\ftpfiles\
C:\WINDOWS\TEMP\
\\Dolphin\adcu\IDEAS\
And the list goes on!
By using publicly available information, I can get enough information to get an idea of the internal layout of a company. And I haven’t even set foot inside it yet. Tools such as Metagoofil simplify the act of getting this information, by searching Google for you – and extracting the metadata.
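Added example (not from the post, and not Metagoofil’s code): a small Python audit that opens a .docx package and reports the very fields the post lists as leaking (authors, revision count, application version, internal drive and UNC paths), so a document can be checked before it is published. The sample document is constructed in memory; the author names and the \\Dolphin path are reused from the listing above, and the regex and thresholds are my own choices.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces of the package parts read below.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
# Drive-letter paths (H:\...) and UNC shares (\\SERVER\share) inside any package XML.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\s\"'<>]+")

def audit_docx(data: bytes) -> dict:
    """Report what the post warns about: authors, revision count, software and internal paths."""
    report = {"authors": set(), "revision": None, "application": None, "paths": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):  # original author and last editor
                el = core.find(tag, NS)
                if el is not None and el.text:
                    report["authors"].add(el.text.strip())
            rev = core.find("cp:revision", NS)
            if rev is not None and rev.text:
                report["revision"] = int(rev.text)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            parts = [app.findtext(t, "", NS) for t in ("ep:Application", "ep:AppVersion")]
            report["application"] = " ".join(p for p in parts if p) or None
        # Paths leak through attached templates, hyperlinks and linked objects in .xml/.rels parts.
        for name in names:
            if name.endswith((".xml", ".rels")):
                report["paths"].update(PATH_RE.findall(z.read(name).decode("utf-8", "replace")))
    return report

def build_sample_docx() -> bytes:
    """Constructed minimal .docx holding only the parts audit_docx reads; not a file from the post."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>waly xxx'
            '</dc:creator><cp:lastModifiedBy>benjaxxx</cp:lastModifiedBy><cp:revision>8</cp:revision>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>12.0000</AppVersion></Properties>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" TargetMode="External" '
            'Target="file:///\\\\Dolphin\\adcu\\IDEAS\\Normal.dot"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run `audit_docx(build_sample_docx())` to see the report; point `audit_docx` at the bytes of a real document before publishing it, and strip or regenerate the package if anything internal shows up.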
A new kind of DoS attack has been released recently, called the Slowloris HTTP DoS, dubbed “the low bandwidth, yet greedy and poisonous HTTP client”.
Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way web servers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up its sockets.
But the brilliance of the attack is in the next part.
Slowloris also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored separately per virtual host. But most importantly, while the attack is underway, the log file won’t be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might be watching in that instant. Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That’s unavoidable as Slowloris sits today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but Slowloris doesn’t yet do that.
While there are already work-arounds available, I can see this wreaking major havoc among large websites, especially given the small footprint this attack leaves behind. It’s virtually impossible to detect immediately.
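Added example, not part of the original post: because no access-log entry appears until a request completes, detection has to look at live connection state rather than at logs. The Python below runs over a constructed snapshot of in-flight connections (the shape of a mod_status or connection-tracking dump) and flags clients holding many requests that have sat in the header-reading state for a long time at a trickle rate, plus a pool-exhaustion alert that fires regardless of source; all IPs and thresholds are made up.

```python
from collections import Counter

def build_snapshot():
    """Constructed snapshot of in-flight connections, shaped like a server's status page
    (Apache mod_status marks a worker still reading the request as "R"); not real data.
    Fields: client IP, state, seconds since the connection opened, request bytes so far."""
    snap = [("198.51.100.2", "reading", 0.4, 180),   # normal browser mid-request
            ("198.51.100.3", "sending", 2.0, 540),   # response in flight
            ("198.51.100.9", "reading", 45.0, 300)]  # one slow client on a bad link: not an attack
    # 80 half-open requests from one source, each fed a header line every few seconds.
    snap += [("203.0.113.7", "reading", 40.0 + i, 200 + 12 * (i % 5)) for i in range(80)]
    return snap

def flag_slow_readers(snapshot, min_age=30.0, min_rate=64.0, min_conns=10,
                      pool_size=150, pool_fraction=0.5):
    """Flag Slowloris-style clients from connection state, since the access log stays silent.

    A connection is 'stalled' when it is still reading request headers after min_age seconds
    and has received fewer than min_rate bytes per second (the same idea a header read
    timeout with a minimum data rate enforces). A client owning min_conns or more stalled
    connections is an offender; a real browser finishes its headers in well under a second,
    so a single slow client on a poor link is not flagged. pool_exhausted fires when stalled
    connections hold pool_fraction of the worker pool, whatever their source, because an
    attack may be spread over many addresses.
    """
    stalled = Counter(ip for ip, state, age, nbytes in snapshot
                      if state == "reading" and age >= min_age and nbytes < min_rate * age)
    total = sum(stalled.values())
    return {
        "offenders": sorted(ip for ip, n in stalled.items() if n >= min_conns),
        "stalled_total": total,
        "pool_exhausted": total >= pool_size * pool_fraction,
    }

if __name__ == "__main__":
    print(flag_slow_readers(build_snapshot()))
```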
Remember clickjacking? Well, first estimates say we can abuse that until somewhere in 2017, when it _might_ get fixed.
[snip]… it takes somewhere between 6 and 9 years for the bad guys to scale their exploits and cause enough damage where defenders are compelled to react. For example, Aleph One’s “Smashing The Stack For Fun And Profit” was published in 1996, but it wasn’t until 2002 that Microsoft’s then CEO Bill Gates issued the famous “TrustWorthy Computing Memo.” A six year gap sparking the software security revolution. XSS experimentation began around 1997 with few appreciating its true power until 2005 (8 years). The Samy Worm, the first mass scale JavaScript malware Web Worm, infected over 1 million MySpace users in under 24 hours. In 1998 rain.forest.puppy published the first research into SQL Injection. Nine years later marked the beginning of mass Web page malware infections proving how truly vulnerable websites were. The first CSRF papers began appearing around the turn of the century, but no convincing evidence of catastrophic attacks has yet to appear justifying remediation investment. So we wait, knowing full well it is only a matter of time.
The gap between discovering a vulnerability, having it exploited by criminals (+ 9 years) and having it fixed (another couple of years) only seems to grow …
*Edit: It’s a false alarm. The CSS files that were included belonged to Facebook, but apparently the domain they reside on (fbcdn.net) got tagged as “Phishing Site”. The notifications are gone from Firefox & Google’s Chrome.
It seems as if Facebook has been compromised, and is serving several .CSS files that have been identified as “Phishing Sites”.
Google Chrome users will see a message, similar to this one (but probably in their own language).
There seems to be some malicious JavaScript code on the homepage, as well as several very weird .CSS includes (careful when you try to load these!).
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/< INSERT RANDOM GIBBERISH CODE HERE>.css" />
The .CSS files are loaded from a static website: http://static.ak.fbcdn.net/
The main domain, http://fbcdn.net/, is already reported. Both links will alert Firefox & Chrome users of the Phishing Site.
If you want to see the source code, I suggest you browse to Facebook with Google’s Chrome, and upon seeing the message shown above press the shortcut “CTRL + U” (View Source). This trick doesn’t work in Firefox.
While the idea of clickjacking isn’t new at all, I’m only just starting to get into the details of it – and by the looks of it, it’s absolutely brilliant. In fact, I’m surprised it hasn’t been done before. Read more…
The problem with current web security lies at different levels, both in the application layer and in the actual networking: the data transferred in the background.
As it is now, it requires an HTTPS connection to have encrypted data transfer, and while it’s widely available for everyone to use, not everyone chooses to adopt it. Each can have their reasons: heavier server load due to encrypting/decrypting, extra set-up required, not every proxy server supports HTTPS traffic and thus blocks the site, … Read more…
Here’s an awesome animated gif that’ll show you how to bypass the security system on Windows 98. How easy can it be? This would’ve been worth gold back in ’98! Read more…