More MiFi Fun. Consistent Authentication Matters!

Filed under Uncategorized

I came across this last week while teaching Sec542 in New York. A number of students, including myself, used the Verizon MiFi device for internet access [1]. Recently, a number of issues had been published for the Novatel version of the device [2].

I figured it would be a nice exercise to look at the Verizon version of the device. This device does not include a GPS as far as I know, so the Novatel GPS exploit would not work. However, I ran into the other part of the issue: the device does require a password to log in and retrieve the settings page, but it does not require a password to submit new settings. This flaw allows an attacker to change settings on the device simply by tricking the browser into submitting a “POST” request to the right URL. The only variable the attacker has to guess is the [...]

Anatomy of a Form Spam Run

Filed under Uncategorized

At the Internet Storm Center, we feature a poll on our home page. As part of the poll, you will find a comment field. Sadly, this comment field is frequently abused for spam. Not that it does any good: the spam is easily filtered, and all comments have to be approved anyway. But just today, we had a large number of hosts trying to post spam at a rate of several posts a minute. The timing suggests that all these hosts are part of a single botnet. The “attack” is ongoing as I type this.

Here is a captured full sample request (note that the upper case header names are an artifact of the collection):
POST /poll.html HTTP/1.1
HOST: isc.sans.org
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
REFERER: http://isc.sans.org/
USER-AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
COOKIE: dshield=a56291441771f2d3d948a383fe774889e2d2f018
COOKIE2: $Version="1"
VIA: 1.1 hebergement.gratisim.fr
CONNECTION: Keep-Alive
Post Data:
token:
poll: 1
poll_comment: qYAV4f <a href="http://vjrimatpckvt.com/">vjrimatpckvt</a>, [url=http://zdzyzolzspzd.com/]zdzyzolzspzd[/url], [link=http://zloyarufkbun.com/]zloyarufkbun[/link], http://mlsorofkvzxa.com/
subject: NBxnTAriuXTkDjGJ
There are a couple of odd and [...]

Weathering the Storm Part 2: A Day of Weblogs at the Internet Storm Center

Filed under Uncategorized

Today, we will take a quick look at remote file inclusion (RFI). Based on our web honeypot project, RFI is by far the most common exploit attempt. Most of the vulnerabilities exploited are rather old, but these attackers apparently still find it worthwhile to give them a try.

There are a number of simple configuration choices which will prevent exploitation of most of these problems, even if the old software is still installed. For example:

turn off register_globals
turn off allow_url_include

These settings are turned off by default in recent PHP versions. While they do not prevent all RFI exploits, they do prevent the exploits attempted by these simple scripts.

Basic vulnerable code looks like:
<?php
include($file);
?>
The reason for code like this is to provide a mechanism to include a customizable template or configuration file. For example, a user may switch a site's look to the “green” template by calling the page with
http://example.com/page.php?file=green.php
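The same template switch, written so that the user picks a template name but the application picks the file. This is an added example rather than code from the post; it assumes templates live in a ./templates directory next to the script and that the only valid names are the keys of the allowlist below. Turning off allow_url_include (as recommended above) stops the remote include, but not a local path such as ../../etc/passwd; an allowlist plus a realpath check closes both.

```php
<?php
// Added example (not from the original post): a hardened version of the
// include($file) template switch. Assumed layout: templates in ./templates.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: the only files this page will ever include. The user supplies a
// short name; the application maps it to a file it controls.
const TEMPLATES = [
    'default' => 'default.php',
    'green'   => 'green.php',
];

/**
 * Resolve a user-supplied template name to an absolute path inside
 * TEMPLATE_DIR, or return null if the name is not on the allowlist or the
 * resolved path escapes the directory.
 */
function resolveTemplate(string $name): ?string
{
    if (!isset(TEMPLATES[$name])) {
        return null;                       // not on the allowlist: refuse
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$name]);
    // Defence in depth: even an allowlisted entry must resolve to a real file
    // inside the template directory (catches symlinks and misconfiguration).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The vulnerable form from the post, for contrast:
//   include($file);   // $file straight from the request: a URL (with
//                     // allow_url_include on) or a ../ path ends up included

$requested = $_GET['file'] ?? 'default';
$template  = resolveTemplate($requested);
if ($template === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $template;
```

With this in place, page.php?file=green selects green.php, while page.php?file=http://example.net/x or file=../config.php is rejected with a 400 before include() ever sees the value. The realpath check is deliberately redundant with the allowlist: if someone later edits the allowlist to contain a user-controlled value, the directory check still holds.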
If the file [...]

Weathering the Storm: A Day of Weblogs at the Internet Storm Center

Filed under Uncategorized

I figured it may be nice to look at a day's worth of logs from the Internet Storm Center and to attempt an analysis to see what kind of attacks we are seeing. In order to do this, I am using my usual shell script tricks to get a handle on what is happening.

We don’t do a lot of filtering for our site, in part because we talk a lot about exploits and would like people to send us information about them. Using standard filters doesn’t work well in this scenario.

I will publish a couple of blog entries based on the file. There is just too much to talk about.

In this “Part 1”, let's look at the unique HTTP methods used (the second "-delimited field of a combined-format log line is the request line, and its first space-delimited token is the method):
cut -f2 -d'"' access_log.1 | cut -f1 -d' ' | sort | uniq -c | sort -nr
“GET”, “POST” and “OPTIONS” are of course by far the favorite ones, but there [...]

Webcast on Next Gen Application Attacks

Filed under Uncategorized

I’m really looking forward to a webcast titled “The Porous Castle: Next Generation Application Attacks” by Nitesh Dhanjani. I spoke to Nitesh and he said it was OK for me to say that he’ll be revealing details of a very cool zero-day on an extremely well known web site.

Nitesh will discuss the impact of some emerging application level attacks including the following:

* Setting the stage for Inside-Out attacks: Cross Site Request Forgery
* The web browser as the new operating system and what it means to application security
* Case Study: Safari Carpet Bomb and file stealing
* Cloud computing and web application security
* Case Study: The Amazon EC2 platform
* Mashup galore: The next generation web platforms
* Case Study: Facebook API security vulnerability

Sign up here!

https://www.sans.org/webcasts/-porous-castle-next-generation-application-attacks-93123

Client Side Input Validation is Evil

Filed under Uncategorized

I said it before, and will say it again: All users are evil. Case in point: The recent secure USB key vulnerability.

These USB keys encrypt data stored on the USB key. Great idea! So now, if you lose the key, you no longer have to worry about your top secret image collection getting viewed by minors.

What was the flaw in the implementation? In order to unlock the device, you have to enter your password into software installed on your laptop / desktop. You would expect the software to hash or encrypt the password and send it to the device, which then uses the hash to decrypt the files stored on it. WRONG.

In this case, the client software validates the password by encrypting a specific block of data on the drive. Sadly, this block doesn’t change. So these researchers replaced the software with their own tool that just sends this fixed [...]

DoS Attack After Action Report – Shell Scripts

Filed under DoS, defense

I wrote up a quick after action report with details about the little DoS attack that hit us. I figure that it may be handy for others to know about it. For the full report see http://isc.sans.org/presentations/jan4ddos.pdf

I mention in the report that simple shell scripts are helpful to quickly get a look at your logs while under attack. So here, for the appsec streetfighters out there, are some of the shell scripts I keep around to summarize my logs in a case like that:

Most recent top referrers. Defaults to the last 10000 lines, but you can override that via a command line parameter.

#!/bin/bash
# Most recent top referrers. Defaults to the last 10000 lines of access_log;
# pass a different line count as the first argument.
r=${1:-10000}
if [ "$r" -lt 1 ]; then
  r=10000
fi
# Field 4 of a "-delimited combined log line is the referrer. Drop our own
# hosts, then count and sort by frequency.
tail -n "$r" access_log | cut -f4 -d'"' \
  | grep -E -v 'https?://isc[12]?\.sans\.org' \
  | grep -v 'http://www\.dshield\.org/' | sort | uniq -c | sort -n

Top hosts accessing the site:

#!/bin/bash
# Top hosts accessing the site. Same line-count argument as above.
r=${1:-10000}
if [ "$r" -lt 1 ]; then
  r=10000
fi
# The first space-delimited field of a log line is the client address.
tail -n "$r" access_log | cut -f1 -d' ' [...]

8 Basic Rules to Implement Secure File Uploads

Filed under Uncategorized

The IIS semicolon file extension issue prompted me to jot down some of the rules to implement file uploads securely. This is particularly complex as there is usually no easy way to validate the content of the file.

The overall goal is to build a set of defensive layers that tightly control the process of uploading the file and later retrieval of the file. The user will always interact indirectly with the file and never directly access the file system without application control.

1. Create a new file name
Do not use the user supplied file name as a file name on your local system. Instead, create your own unpredictable file name. Something like a hash (md5/sha1) works as it is easily validated (it is just a hex number). Maybe add a serial number or a time stamp to avoid accidental collisions. You may add a secret to the name to [...]
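Rule 1 in code, as an added example that is not part of the post: the stored name is a hash over the content, a timestamp, random bytes and a server-side secret, so it is unpredictable and carries nothing of the user's file name; on retrieval, the only thing the application has to validate is "exactly 64 hex digits". The example uses sha256 where the post mentions md5/sha1 (any of them yields a plain hex name), assumes an ./uploads directory that is not served directly by the web server, and uses a constructed placeholder for the secret.

```php
<?php
// Added example (not from the original post): rule 1, "create a new file name".
// Assumptions: uploads are stored under ./uploads, which the web server does not
// serve directly, and every download goes through the application.

const UPLOAD_DIR = __DIR__ . '/uploads';
const UPLOAD_SECRET = 'constructed-placeholder-secret'; // in practice: from config, not source

/**
 * Derive a storage name the uploader can neither predict nor influence.
 * Content + timestamp + random bytes + secret: identical content uploaded
 * twice still gets two different names, and nobody can precompute a name.
 */
function storageName(string $tmpPath): string
{
    $content = file_get_contents($tmpPath);
    return hash('sha256', UPLOAD_SECRET . microtime(true) . random_bytes(16) . $content);
}

/**
 * Accept an upload from $_FILES[$field] and return the stored name, or null.
 * The user's original file name is never used on the file system.
 */
function storeUpload(string $field): ?string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = storageName($_FILES[$field]['tmp_name']);
    if (!move_uploaded_file($_FILES[$field]['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

/**
 * Retrieval side: a stored name is valid only if it is exactly 64 hex digits.
 * That single regex rules out path separators, dots, null bytes and any
 * extension tricks (such as the IIS semicolon issue) before the name touches
 * the file system.
 */
function storedPath(string $name): ?string
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $name)) {
        return null;
    }
    $path = UPLOAD_DIR . '/' . $name;
    return is_file($path) ? $path : null;
}

// Usage on download: the application streams the file; no direct URL exists.
//   $path = storedPath($_GET['id'] ?? '');
//   if ($path === null) { http_response_code(404); exit; }
//   header('Content-Type: application/octet-stream');
//   readfile($path);
```

Keeping the original file name (if you need to show it back to the user) belongs in a database row keyed by the hash, where it is display data rather than a path; that keeps the file system layer ignorant of anything the user typed.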

What should be part of a PHP Streetfighter API

Filed under defense, php

For my own PHP work, I am using a relatively nimble but effective set of libraries. They have proven effective, but are in need of a “redo”. I released pieces of it in the past, but none of it is actually terribly useful to the public as it is written for me/by me.

Last week, I received some code that someone wrote for us, which is badly in need of a simple API like that to make it workable (= “secure”). So I am thinking about wrapping up a “PHP Streetfighter API”. Here are some initial thoughts:

Can’t take more than 24 hrs to write
A coder should be able to understand / use it in less than 1 hr
should force the coder to use prepared statements, proper input validation and avoid XSS
maybe some protection against XSRF
maybe some anti-pentesting / honeytoken features

Can this be done? Should I [...]

IPv6 and your Web Application

Filed under defense, ipv6

I am just writing a few slides about IPv6 for our expanded defending web application class. For about 2 years now, the SANS Internet Storm Center has been reachable via IPv6. Here are a couple of ideas to consider as you move your web application to IPv6:
Configuring the server
This is the easy part. Apache/IIS or whatever server you are using is most likely already IPv6 ready. All it takes is enabling it in your configuration. Maybe you already have it turned on without using it ;-)
User tracking
IPv6 will allow you to “track” a user using the last 64 bits of the IP address. However, be careful. First of all, the IP could be spoofed just as easily as an IPv4 address. Secondly, there are two schemes to derive the last 64 bits of the IP address: (a) EUI-64, which means deriving it from the system's MAC address, or (b) privacy enhanced, [...]