Sunday, July 29, 2007

Oracle 9i/10g Views exploit

A quick one for the weekend: Rawlab released a nice little SQL exploit for a recently-patched Oracle 9i/10g vulnerability involving specially crafted Views. This flaw gives database users the ability to update/insert/delete records with SYSTEM privileges. The exploit updates a specified user account in SYS.USER$ with a new password; the code is straightforward enough to be easily modified if you wanted to mess with other records in system tables. I've hit a streak of insecure Oracle databases over the last few pen-tests, so this might be a useful tool to add to my collection.

Wednesday, July 25, 2007

Dangerous links: Mozilla URI handler exploits

There has been a lot of recent activity among security blogs covering serious new vulnerabilities in Mozilla's URI protocol handling.  This is a significant issue because it is easily exploitable and yields remote command execution on a victim's PC: an attacker only needs to lead the user to a maliciously crafted link.
The root of this flaw lies in how Mozilla handles URIs that are opened by other applications (such as mailto://, aim://, etc.).  These links are designed to pass specific parameters to the external application - for example, a mailto: link typically launches your e-mail client, and composes a new message with a specified "To: address.  Mozilla does not sufficiently parse these URIs; as a result, it is possible to inject characters and change the execution path.  
To make matters worse, the browser does not prompt the user before handling URIs for “mailto”, “news”, “nntp” and “snews”, so this attack can be launched without any interaction.  Yesterday, Billy Rios posted a simple exploit that executes commands through these URIs without any user warning.  However, it only works if the victim has no applications registered to the URIs, which is fairly uncommon (Outlook Express handles them by default, and is installed on most Windows systems).
The latest and most comprehensive vulnerability report was released today by Thor Larholm, and includes several proof-of-concept demos for Firefox, Thunderbird, and the mailto: protocol.  He goes into a lot of detail - it's a great read and a slick hack.
So an important moral to this story is that registering a URI handler really exposes an application to significant risk of attacks originating from the browser.  This is nothing new: for example, there have been numerous buffer overflows affecting AOL Instant Messenger that can be triggered by crafted URIs.  However, when you combine them with widespread cross-site scripting vulnerabilities and something like this URI handling flaw, you can see that a lot of interesting attack vectors are possible.  It is likely that we'll see variations on these theme affecting multiple browser platforms and used in a variety of exploit scenarios.
One last thing - a good post on details how you can disable unnecessary external protocol handlers to harden your browser. 
Firefox and Thunderbird are vulnerable; this will be patched in the soon-to-be-released Firefox

Tuesday, July 24, 2007

More on Flash hacking

A quick follow-up to my previous post on testing Flash sites: Stefano Di Paola recently delivered a superbly comprehensive presentation on Flash application security during this year's OWASP conference in Milan. It goes into great detail on the ActionScript security model, how Flash applications are sandboxed, and a variety of client-side attack vectors. The resulting exploits include classic cross-site scripting issues, as well as a variation known as cross-site "flashing". Stefano also covers a few concepts for more advanced hacks, and plans to release testing tools and additional whitepapers soon. You can check out his web-log at

Wednesday, July 18, 2007

Threat analysis: Fast-Flux Service Networks

Ever wonder how phishing and malware sites manage to stay online? Through their analysis of botnets and infected hosts, the HoneyNet Project has documented an increasingly widespread technique used by online criminals: "Fast-Flux Service Networks". It's an admittedly clever and approach that makes it much harder to shut down malicious operations.

The premise behind fast-flux service networks is simple: attackers register a fully qualified domain name, and then rotate hundreds or thousands of IP addresses that are assigned to it. A DNS name may only be mapped to a particular IP for a few minutes. Each IP is an infected member of a botnet - but they are not the source of content, such as a virus or a scam web-site. Instead, they simply act as proxies, redirecting to one or more "mothership" servers that actually host the content. A more complex variation, "double-flux" service networks, implement additional misdirection by also rotating the authoritative name servers.

Like most of the HoneyNet Project's work, the whitepaper is very well-written and includes a case study with real-world examples. Definitely worth checking out if you're interested in how the more sinister side of the Internet underground operates.

Tuesday, July 17, 2007

Decompiling and testing Flash-based web sites

I've recently been evaluating several tools to help our team perform security assessments on Flash-based web applications. We occasionally have to test client sites that are almost entirely written in Flash, and they can be even more annoying to assess than they are to use. I have never really worked with the language from a developer's perspective, so it's been a good learning experience.

I was first interested in decompilers, thinking that certain poorly-coded applications might have hard-coded host information, credentials, or other potentially sensitive information. I found that Flare is an effective (and free) tool for extracting ActionScript from SWF files. However, after using it on a number of projects I've come to realize that there's rarely much of interest in the ActionScript. (There are a few horribly coded Flash login portals that store passwords in the source code, but I've never seen them used in a "professional" client application. Google for "login.swf", and decompile a few of the results to see what I mean.)

Ordinary proxy tools like Paros or Burp will catch any inbound or outbound HTTP requests issued by a Flash application. However, some applications talk to the server using a SOAP-like messaging protocol known as Flash Remoting, in which messages are binary encoded in "Action Message Format" (AMF). Neither Paros nor Burp will decode AMF, making it difficult to analyze the transactions. However, there are a few applications that can: ServiceCapture and Charles Debugging Proxy are two of the more popular and well-regarded tools. Below are a few screenshots of a binary AMF response as seen in Paros, versus the same response decoded in ServiceCapture:

Binary AMF response in Paros

Decoded AMF response in ServiceCapture

As you can see, deserializing Flash Remoting traffic can provide a lot of information about an application, and even identify targets for parameter manipulation or SQL injection attacks.

Unfortunately, I haven't been able to find any free tools with this capability. ServiceCapture and Charles offer downloadable trials, but require a reasonable license fee for continued use. The Burp Proxy team is soliciting requested features for their next update, so I will be sure to submit this as a recommendation.