Jan 25, 2011

Information security sucks (Part I)

This will be a series of short blog posts describing why I think information security sucks.

Security software sucks:
There is security software for any security need (or not); most of this software is not mature enough, it is plagued by security vulnerabilities and it can barely provide all the functionality the vendor claims. Most vendors invest more in marketing than in making their products more secure. If you think about it, from a business standpoint this makes sense, since security is a feeling that companies are eager to get, and with good marketing vendors can provide the heroin companies need. You buy software X and you think you are protected, and the chances that software X will be blamed for a compromise are really low. In case there is a compromise and you were using software X, the vendor won't be liable, and one less customer won't affect the vendor's reputation; there will always be more customers in the pipeline. So vendors can build some crappy software, roll out a cool marketing campaign and start selling it; when they get enough customers maybe they will start adding the functionality the marketing promised, but not security. Security is something vendors "provide" but don't care about.

Basically we are protecting our assets with insecure software.

Most people know that security software has vulnerabilities; every day there is a new vulnerability in an antivirus product, etc. But let's talk about appliances. Some people say that nowadays perimeters are secure and that most compromises are due to client-side exploits, etc. Networks and servers (email, database, web, etc.) are protected by costly appliances, we are talking about $25k, $50k and more depending on company size, the product itself, etc. If an attacker wants to get into a network protected by appliance X he only needs to get one and find the vulnerabilities, that's it. The problem for a regular attacker is how to get the appliance, because of the costs and logistics, but government agencies, criminal organizations, etc. can get them and hack them. All those networks and servers using these appliances are just protected against poor hackers.

I challenge all security vendors to expose their appliances to security community testing if they think they are secure and are providing real protection to their customers. Who will be the first to stand out?

Jan 26, 2010

Google Chrome Drag and Drop fun

You must be browsing this page with Google Chrome; if so, open any website (www.google.com will work fine) in another tab, then drag the Windows 3.1 image (below) and drop it over the other website's tab, and you should get Windows 3.1 running there (in an iframe). You can also inject the Microsoft web site by doing the same with the other image.

With Google Chrome any code can be injected from one website into another website by drag and drop. This feature is not available in Firefox, Internet Explorer or Safari.

I wonder if this can be abused in some way?
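The post shows the browser inserting dropped content as live markup. A site that accepts drops cannot change the browser, but it can make sure its own handlers never turn a dropped payload into HTML. The following is an added example, not code from the original post: a drop handler that calls preventDefault() so the browser's default insertion does not run, reads only the text/plain flavour of the DataTransfer, and inserts it as a text node (never via innerHTML). The DataTransfer-like event, target and document objects at the bottom are constructed stand-ins so the file also runs outside a browser.

```javascript
// Added example (not from the original post): a drop target that refuses to
// treat dropped content as markup.

// Returns the text that may be inserted, or null when the drop carries no
// plain-text flavour (an image or HTML-only payload is ignored entirely).
function safeDropText(dataTransfer) {
  const types = Array.from(dataTransfer.types || []);
  if (!types.includes('text/plain')) return null;
  const text = dataTransfer.getData('text/plain') || '';
  // Cap the size so a huge payload cannot be pasted into the page.
  return text.length > 10000 ? text.slice(0, 10000) : text;
}

// event: a DragEvent (or a stand-in); target: a node with appendChild();
// doc: the document used to create the text node.  Returns true when
// something was inserted.
function handleDrop(event, target, doc) {
  event.preventDefault();              // stop the browser's own (HTML) insertion
  const text = safeDropText(event.dataTransfer);
  if (text === null) return false;     // silently ignore non-text drops
  target.appendChild(doc.createTextNode(text)); // text node: any markup is inert
  return true;
}

// Wire both events: dragover must be cancelled for drop to fire at all.
function attachSafeDropHandler(target, doc = document) {
  target.addEventListener('dragover', (e) => e.preventDefault());
  target.addEventListener('drop', (e) => handleDrop(e, target, doc));
}

// --- constructed stand-ins so the logic can be exercised in Node ---
function fakeDrop(payloads) {
  return {
    prevented: false,
    preventDefault() { this.prevented = true; },
    dataTransfer: {
      types: Object.keys(payloads),
      getData: (t) => (t in payloads ? payloads[t] : ''),
    },
  };
}

function fakeTarget() {
  const nodes = [];
  return { nodes, appendChild(n) { nodes.push(n); } };
}

const fakeDoc = { createTextNode: (s) => ({ nodeType: 3, data: s }) };

// Stand-alone demo: an HTML flavour carrying an iframe is dropped alongside
// plain text; only the text reaches the target.
const demoEvent = fakeDrop({
  'text/html': '<iframe src="https://attacker.example/"></iframe>', // constructed
  'text/plain': 'Windows 3.1',
});
const demoTarget = fakeTarget();
handleDrop(demoEvent, demoTarget, fakeDoc);
console.log(demoTarget.nodes.map((n) => n.data)); // [ 'Windows 3.1' ]
```

In a real page you would call attachSafeDropHandler(element) once; the fake objects exist only so the same handleDrop() runs under Node.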

Blogger allows to run arbitrary Javascript

I guess this is a known issue since it's so simple to do; anyway, I think people should be aware of it.
Editing a blog post I realized that Blogger allows running arbitrary JavaScript in blogs; this is good and bad. It's good because you can post demo code and run it, track users, modify the web pages at will, etc. But it's bad because it can be used as a malware distribution system, to steal information from blog visitors, to exploit browser vulnerabilities, etc.

Naive demo: Click here

BTW: it's not possible to steal Blogger cookies if you are logged in, since Blogger cookies are used only on Blogger.com and not on *.blogspot.com.
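The reason script on a *.blogspot.com page cannot read a Blogger.com cookie is the cookie domain-match rule. The following is an added example, not code from the original post or from Blogger: it implements the domain-matching rule of RFC 6265 section 5.1.3, the per-request cookie selection of section 5.4, and the check a browser applies before accepting a Domain attribute. The cookie jar and host names are constructed sample input; the cookie names are not Blogger's real cookie names.

```javascript
// Added example (not from the original post): RFC 6265 cookie scoping, which
// is why a cookie for blogger.com is never sent to, or settable from, a
// *.blogspot.com page.

// RFC 6265 s5.1.3: host domain-matches cookieDomain when they are identical,
// or host ends with "." + cookieDomain and host is not an IP literal.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIpLiteral && host.endsWith('.' + cookieDomain);
}

// cookie: { name, domain, hostOnly }.  hostOnly is true when Set-Cookie had
// no Domain attribute; the browser then stores the exact request host.
function cookieSentTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain.toLowerCase();
  return domainMatches(requestHost, cookie.domain);
}

// RFC 6265 s5.3 step 6: a Domain attribute is only accepted when the setting
// host domain-matches it, so foo.blogspot.com cannot plant a blogger.com cookie.
function canSetDomain(settingHost, domainAttribute) {
  return domainMatches(settingHost, domainAttribute.replace(/^\./, ''));
}

// Constructed cookie jar: a session cookie scoped to blogger.com and a
// host-only cookie for www.blogger.com.
const jar = [
  { name: 'SID', domain: 'blogger.com', hostOnly: false },
  { name: 'ui', domain: 'www.blogger.com', hostOnly: true },
];

// Names of the cookies the browser would attach to a request to requestHost.
function cookiesFor(requestHost) {
  return jar.filter((c) => cookieSentTo(c, requestHost)).map((c) => c.name);
}

// Stand-alone demo.
for (const host of ['www.blogger.com', 'blogger.com', 'example.blogspot.com', 'notblogger.com']) {
  console.log(host, '->', cookiesFor(host));
}
console.log('foo.blogspot.com may set Domain=blogger.com?', canSetDomain('foo.blogspot.com', 'blogger.com'));
```

Note the last case in the jar: 'notblogger.com' shares a suffix with 'blogger.com' but does not match, because the rule requires a dot boundary, not a plain suffix.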

Jan 9, 2010

Little bug in Safari and Google Chrome

I guess a bug in Safari is not a surprise at all, but Google Chrome seems to be a more secure product. Anyway, this little bug is not a big deal, but combined with another bug it could be more dangerous.

<link rel="stylesheet" type="text/css" href="http://www.yahoo.com">
<script language="javascript">
// setTimeout is used just to wait for the page to load before reading the stylesheet
setTimeout("alert(document.styleSheets[0].href)", 10000);
</script>

The code above should display the same href value as in the LINK tag, but it displays the final URL if there is a redirection: here in my country when you browse to http://www.yahoo.com/ you get redirected to http://ar.yahoo.com/?p=us, so the above code displays this last URL.

Why is this an issue?
-There are some websites that put user session ids in URL querystrings, and the same goes for tokens used for CSRF protection. If an attacker can get a user to browse to his website, he can use the above code to reference a URL of a website the user is logged on to that will be redirected to another URL that could carry a session id or token in the querystring, and then use this information for more dangerous attacks. Some websites could also have other useful information in the querystring that could be used for further attacks. Websites putting session ids, tokens, etc. in querystrings are already insecure, but this issue helps in exploiting them.

-An attacker can also use this issue to determine whether a user is logged in or not, by comparing whether the original URL is the same as the final one when trying to access a feature that requires being logged in.

-Maybe there are other possible ways of abusing this issue that I'm not aware of right now.

Microsoft Internet Explorer and Mozilla Firefox are not vulnerable to this.
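The leak only matters when a redirect target carries something secret in its query string, so the website-side hardening is to never let a session id or CSRF token travel in a Location header. The following is an added example, not code from the original post: a helper for a Node.js HTTP server that scrubs token-like parameters from any redirect before it is sent and reports which names it removed, so the application can log the offending code path. The parameter-name list and the fake response object are constructed for the example; the Yahoo URL is the one quoted in the post.

```javascript
// Added example (not from the original post): keep secrets out of redirect
// query strings so a final-URL leak like the one above has nothing to reveal.

// Constructed list of parameter names that commonly carry session ids or
// anti-CSRF tokens; extend it with your application's own names.
const SENSITIVE_PARAMS = new Set([
  'sessionid', 'session_id', 'sid', 'phpsessid', 'jsessionid',
  'token', 'csrf', 'csrftoken', 'authenticity_token',
]);

// Returns { location, stripped }: the Location value with sensitive
// parameters removed, and the names that were removed.  Relative Locations
// are resolved against `base` for parsing and returned relative again.
function scrubRedirect(location, base = 'https://app.example.test/') {
  const isAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(location);
  const url = new URL(location, base);
  const stripped = [];
  for (const name of new Set(url.searchParams.keys())) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      url.searchParams.delete(name);
      stripped.push(name);
    }
  }
  if (Array.from(url.searchParams.keys()).length === 0) url.search = '';
  const safe = isAbsolute ? url.toString() : url.pathname + url.search + url.hash;
  return { location: safe, stripped };
}

// Drop-in replacement for writing a 302 on an http.ServerResponse.
// Returns the Location actually sent.
function sendRedirect(res, location) {
  const { location: safe, stripped } = scrubRedirect(location);
  if (stripped.length > 0) {
    // Worth alerting on: some code path is still putting secrets in URLs.
    console.warn(`redirect scrubbed: removed ${stripped.join(', ')} from Location`);
  }
  res.statusCode = 302;
  res.setHeader('Location', safe);
  res.end();
  return safe;
}

// Stand-alone demo with a constructed response object.
function fakeResponse() {
  return {
    statusCode: 0, headers: {}, ended: false,
    setHeader(k, v) { this.headers[k] = v; },
    end() { this.ended = true; },
  };
}

const demo = fakeResponse();
sendRedirect(demo, 'https://example.test/home?sessionid=abc123&page=2');
console.log(demo.statusCode, demo.headers.Location); // 302 https://example.test/home?page=2
console.log(scrubRedirect('http://ar.yahoo.com/?p=us').location); // unchanged
```

This addresses the first point above; the logged-in oracle in the second point is a browser-side problem that a site can only blunt by not redirecting differently for authenticated and anonymous users on resources that can be referenced cross-site.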


Dec 31, 2009

8 years hacking Microsoft stuff, +50 vulnerabilities found

2009 is ending and I thought it would be nice to write down my personal record on Microsoft vulnerabilities. I started finding vulns in MS products in 2002 and these are most of them:

-Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow
-Microsoft Biztalk Server DTA vulnerable to SQL injection
-Microsoft Commerce Server 2002 Weak Registry Key Permissions Weakness
-Microsoft Active Server Pages Cookie Retrieval Issue
-Microsoft Windows LPC heap overflow
-Microsoft Windows Utility Manager Local Elevation of Privileges
-Microsoft Windows Utility Manager Local Elevation of Privileges II
-Microsoft Windows Improper Token Validation
-Microsoft Windows GDI Kernel Local Privilege Escalation Vulnerability
-Microsoft MSDTC COM+ Remote Code Execution Vulnerability
-Microsoft Windows 2000 TroubleShooter ActiveX Control Buffer Overflow Vulnerability
-Microsoft Windows COM Structured Storage Local Privilege Escalation Vulnerability
-Microsoft Windows Thread Pool ACL Local Privilege Escalation Vulnerability
-Microsoft Windows RPCSS Service Isolation Local Privilege Escalation Vulnerability
-Microsoft Windows MSDTC Service Isolation Vulnerability
-Microsoft Windows WMI Service Isolation Local Privilege Escalation Vulnerability
-Microsoft Windows Shell Could Allow Remote Code Execution (2 vulns)
-Microsoft SQL Server Heterogeneous Queries Buffer Overflow
-Microsoft SQL Server xp_dirtree Buffer Overflow
-Microsoft SQL Server Buffer Overflows in numerous extended stored procedures (17 vulns)
-Microsoft SQL Server encoded password written by service pack
-Microsoft SQL Server BULK INSERT buffer overflow
-Microsoft SQL Server multiple buffer overflows in DBCC and SQL Injections (6 vulns)
-Microsoft SQL Server multiple vulnerabilities (5 vulns)


If you count them, there are 50 vulnerabilities in total, 14 of them Microsoft Windows specific. Actually the real count should be +50: a few vulnerabilities not mentioned here were patched in service packs or new versions, not acknowledged by MS as vulnerabilities, etc.
Of course I'm not mentioning the 0days I have; with them the count is >50, reaching 20 specific to MS Windows.

Microsoft should give me a prize someday ;)

Oct 27, 2009

Token Kidnapping's Revenge

Finally I got some free time to take a look at Windows for security issues. I was initially amazed with Windows 7 and Windows 2008 R2, they looked really solid, but after some time I started to find some issues.
These issues are not really dangerous (depending on the scenario) but they allow continuing to exploit Windows using a new attack vector to perform Token Kidnapping (http://www.argeniss.com/research/TokenKidnapping.pdf).
Don't get me wrong, MS properly fixed the issues (http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx) detailed in the Token Kidnapping presentation, but they didn't find/fix all the attack vectors.
With this new attack vector it's still possible to elevate privileges to the Local System account from almost any process that has impersonation rights, bypassing new Windows service protections such as per-service SID, write-restricted token, etc.
Probably I will be presenting the findings at Hackers to Hackers Conference in Brazil (http://www.h2hc.com.br/) in a couple of weeks.

Apr 7, 2009

Opening Intranets to attacks by using Internet Explorer

I just released a whitepaper titled "Opening Intranets to attacks by using Internet Explorer". I hope you find it interesting; you can find it here: http://www.argeniss.com/research/HackingIntranets.pdf