Monday, July 16, 2007

JavaScript Web Spider - Powered by Yahoo

pdp has released a proof-of-concept web spider written completely in JavaScript. It is a pure client-side tool, requiring no server support other than the Yahoo Site Explorer service it leverages. The spider is very efficient - it can index the files and directory structure of a web site within a few queries, making it very fast and efficient. The only limitation is that only can fetch pages already indexed by Yahoo.

As pdp points out in his writeup, it would be simple to modify this code to identify vulnerabilities in spidered sites and exploit them in real-time. We will almost certainly see XSS/AJAX worms leveraging this sort of technique to target and compromise other web applications, and they will be very difficult to block.

Thursday, July 12, 2007

Insecurity through stupidity - FTP servers expose DoD data

The Associated Press is running a story on how they discovered an extensive number of sensitive but unclassified military documents kept on unsecured FTP servers. Both government and contractor systems were found to allow anonymous access to goodies like project schematics, facility security information, building plans, and geological survey data. Some of the responses by the guilty parties are both hilarious and frightening. My favorite quote from the article [emphasis added]:

A spokeswoman for contractor SRA International Inc., where the AP found a document the Defense Department said could let hackers access military computer networks, said the company wasn't concerned because the unclassified file was on an FTP site that's not indexed by Internet search engines.
"The only way you could find it is by an awful lot of investigation."

Yeah, it's really no big deal, you never see port scanning or worms checking for anonymous FTP out on the Internet - it's far too much work. If the system isn't indexed on Google, no one will ever find it.

When I first started doing this kind of work, I couldn't believe how many high-profile clients had no grip on their Internet presence or systems therein. I eventually came to realize that it's a widespread problem, made even more problematic when companies have to track both in-house and outsourced systems and hosting. Every external penetration test we perform is preceded by a footprinting phase, where we identify the client's IP ranges and ensure we have approval to test them. Nine times out of ten, they end up shocked at what we discover. Clients often have no clue whether certain address ranges are actually theirs, never-mind what systems are on them or what services they run.

As much as I love tracking the bleeding edge in vulnerabilities and attack techniques, articles like this are a good reminder of how important it is to keep perspective, and recognize that many organizations are still struggling with the most fundamental aspects of IT security.

Oh, and one take-away question...why the hell were these FTP servers discovered by the Associated Press, and not agencies' own vulnerability scans or penetration tests? Either they're not being performed, or the people doing them are incompetent. Neither would surprise me.

Wednesday, July 11, 2007

How to NOT protect your site against SQL injection

Parameterized queries? Input validation? Pfft. Really secure sites don't need that kind of nonsense to protect against SQL injection attacks.  They just kindly ask that you avoid submitting values like "SELECT FROM" or "DROP".

Tuesday, July 10, 2007

HTTP proxying through XSS

RSnake's blog just turned me on to the release of XSSTunnel, a very slick project by Ferruh Mavituna. This .NET-based tool lets you leverage a cross-site scripting vulnerability into a full HTTP proxy. By using XSSTunnel in concert with Ferruh's XSS Shell, you can pipe any scanning tool that supports HTTP proxies to run through a victim's "infected" browser. The possibilities are endless: you could run your own web browser, SQL injection tools, Nikto, etc. through the tunnel.

The logistics of the attack are fairly simple. You need to host the XSS Shell components on an IIS server under your control, and configure XSSTunnel (which runs locally on your machine) with its location. Your cross-site scripting attack will load the code from the XSS Shell server into the victim's browser, either through a reflected or persistent vector. (It's worth noting that XSS Shell has some nasty attacks on its own, including key-logging, stealing cookies and clipboard contents, etc). Once everything is set up you can launch the tunnel, wait for your XSS attack to reach a victim, and then proxy to your heart's content.

Ferruh's Bugtraq post includes links to a video and whitepaper; the tool is also available at Portcullis-Security.

Monday, July 9, 2007

Stating the obvious - VNC is insecure

If you need to provide remote desktop access to your organization's Windows machines, and care even a little bit about IT security, do NOT use VNC. The Windows built-in Remote Assistance / Remote Desktop tools are a far better choice. This may seem obvious, but I still find organizations running VNC servers all over the place, usually for the helpdesk to provide users with remote troubleshooting. This can leave an environment ripe for compromise.

VNC has a few fundamental weaknesses:
  • Most implementations do not require a username for authentication, and the password is stored in the registry using a trivial hashing mechanism. VNCcrack or Cain will instantly crack these hashes.
  • There is typically no client-side confirmation or acknowledgment required for a VNC session to be established between a server and viewer, which can leave a user unaware that their activity is being monitored.
  • Most significantly, because there's no simple way to centrally manage VNC servers, administrators will typically use the same VNC password for every host to facilitate configuration and deployment. So if you compromise one Windows box through local vulnerabilities and gain access to its registry, you can obtain a VNC password that will work on every other machine in the environment. Not good.
For a pen-tester's perspective, let's throw a few other variables into the mix. Several Windows tools will scan a set of systems via NetBIOS and tell you which users are logged on to each. And if the domain controllers are configured to allow certain anonymous NetBIOS queries, you can enumerate all the members of key groups like "Domain Administrators". Analyze your scan results and combine the data to produce a list of workstations used by privileged domain accounts. VNC into each system and look for an opportunity to take control of the keyboard and mouse. (Yet another reason to lock your desktop when away from the keyboard!)

It takes less than 15 seconds to open the command shell, execute your "net user /add /domain", and close the window. Bam - you now have a domain account. Not exactly an elegant attack, but it gets the job done.

VNC is an excellent tool that can serve a number of purposes in both home and enterprise environments. However, it is not an ideal solution for remote access across a large number of Windows hosts. It often takes a good penetration test to drive that point home.