Saturday, July 21, 2012

SQLi with Web Services

Good old SQL injection is coming back... with Web Services.

A Web Service is a method of communication between two devices using SOAP messages.
SOAP relies on XML for its message format. It can be transferred over FTP, SMTP or HTTP.
In this way, Web Services are independent of the underlying network protocol!

Why using Web Services? With a Web Service it is possible to convert your 'older' application into a web application, which can publish its function or message to the rest of the world. Nice!

A Web Services Description Language or WSDL is used to describe the interfaces of a Web Service. It is an entry point based on the XML language. The WSDL point contains all the information your application needs to know to start communicating with the Web Service.

What to hack? Most of the web vulnerabilities are coming back with Web Services. Over the last years web developers have done a lot of effort in sanitizing all code going through their web applications. Maybe they just forgot to check their Web Services?!?

Using a search engine like Google you could find some Web Service WSDL entries:

inurl:wsdl site:example.com


The following URL could be a result of our search query:

http://www.example.com/soap/service.asmx?WSDL


Now we can explore the WSDL entry using a browser or a SOAP parser. After exploring the entry we know all the interfaces of the Web Service. We can start communicating with it!

In the next screenshots I'm illustrating this with WebGoat, a test platform for security testing.

The WSDL entry:

http://127.0.0.1:8080/webgoat/services/WsSqlInjection?WSDL


We can explore it with our browser:



With a SOAP parser we can generate the following request:



We found a very interesting operation getCreditCard, accepting a string as input and returning a string as output. The output string is the credit card number. What could be the input string?

After analyzing the web application source code we found the following SQL statement:

"SELECT * FROM user_data WHERE userid = " + accountNumber;

(by the way, this is a very dangerous SQL statement)


The underlying database engine is receiving a number (accountNumber) and giving us back all the records for the specific number. The accountNumber is definitely our input string that we will send with a SOAP request.

As a valid account number we can use 101.

The results from our SOAP parser with account number 101:



We have two valid credit card numbers for account number 101.
Do you want all the credit card numbers for all the accounts? Really?

We could enter the following:

101 or 1=1


Our database will interprete this as:

SELECT * FROM user_data WHERE userid = 101 or 1=1;


This will probably display all the records because we adjusted the SQL statement with our OR expression:





We have all the credit card numbers. This is jackpot!

We can conclude that our Web Service does not sanitize malicious code.
In the same way we could start other more advanced attacks using SQL injection, command injection or even Cross-Site Scripting (XSS),...

Friday, July 20, 2012

WUA force

Sometimes you want to install critical and security updates on a Windows machine using WSUS Server immediately.

Just restart the 'Automatic Update Service' you would think?



No way. You have to do a bit more...

This script forces the update detection from automatic update client (WUA) for updates on WSUS Server.

Copy and paste the code below into a text file and name it ForceUpdate.cmd:


@echo off

echo This script will force the update detection from the AU client:
echo 1. Stops the Automatic Updates Service (wuauserv)
echo 2. Deletes the LastWaitTimeout registry key (if it exists)
echo 3. Deletes the DetectionStartTime registry key (if it exists)
echo 4. Deletes the NextDetectionTime registry key (if it exists)
echo 5. Restart the Automatic Updates Service (wuauserv)
echo 6. Force the detection

pause

@echo on

net stop wuauserv

REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f


REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f

net start wuauserv

wuauclt /detectnow

@echo off

echo This AU client will now check for the Updates on the Local WSUS Server.

pause


Execute the ForceUpdate.cmd file and the magic happens.

Monday, July 16, 2012

SSH proxy tunnel

Recently I read an article about how to use a SSH client as a SOCKS proxy tunnel for Firefox.
Very nice article by the way.

I started thinking on how to use this SSH proxy as a tunnel for other TCP traffic.
It would be cool to do a remote portscan using this SSH tunnel or just to read your POP3 email and evading the firewall on your local site.

Let's do this...

First of all, create the SSH proxy tunnel.
On your *nix box start a SSH connection to your remote SSH server with the following options:

ssh -D 0.0.0.0:5200 -p 443 root@remotehost.org



The -D option starts the SOCKS proxy listener, listening on your interface on port 5200 (just a random port).

The other options... yeah right, this makes the tunnel to your remote host.
My remote SSH server is listening on port 443.

Now you can start and configure your Firefox browser using the SOCKS v5 proxy option. Don't forget to change the listening port to 5200!



Point your browser to http://www.whatismyip.com/ and you will see that you are surfing with the IP address of your remote SSH server.

All HTTP traffic is now encrypted using your SSH tunnel. The HTTP is actually encapsulated in the SSH session. So I'm evading the firewall logs on my local site? Yes you are!

What about other traffic, can we also tunnel other traffic?
Sure, I will demonstrate this with a portscan using nmap.

To tunnel other traffic through the SSH proxy tunnel I use a program called proxychain.
After installing the program you can find the config file in our Linux /etc directory,
it's called proxychain.config

Edit this file with your favorite editor.
Go to the end of the file and adjust the following setting:



Start your program that you want to tunnel using proxychains.

You can do a nmap portscan using the following syntax:
proxychains nmap -sTV www.google.be -p 80 -P0

Don't forget to use the -sT option, this starts a TCP three-way handshake scan.
Only valid TCP-connections are allowed using the SOCKS Proxy.
By default nmap is using a SYN scan.



You can read your POP3 email using the following syntax:
proxychains telnet in.telenet.be 110



You are bypassing local firewall and ISP limitations!

Sunday, July 15, 2012

Welcome

My first post on this blog... just me in Orlando attending a SANS GPEN training. I'm an early bird :)

O yeah... who am I? Well my name is Malik.
An IT security consultant working for my own company MME.
We are performing security audits, including penetration testing and vulnerability assessments, for medium and large-sized companies.

I'm also working as an IT trainer. I'm holding the Microsoft Certified Trainer (MCT) certificate and I'm a local mentor for the SANS Institute. I'm mentoring the SANS "SEC 560 - Network Penetration Testing and Ethical Hacking" course. During the weekly sessions, I act as a coach to assist students in comprehending the SANS materials.

Recently I started with a new project: ITSEC GAMES. A fun approach to IT security education.
IT security, ethical hacking, training and fun... all mixed together.
In each game you have to complete multiple challenges in a simulated live environment.
My mission is to teach you something about ITSEC in an interactive way through games.

Welcome to my blog!

See you soon for some great ITSEC articles.

Classroom training

Besides audits and security, we also provide IT security classroom training.

Our courses can be held in our own training room or on location.
We can also provide security courses custom tailored to your needs.

The primary emphasis of our training is to obtain practical hands-on skills supplemented by the necessary theory. Each participant gets the opportunity to setup and configure his own test environment.

MME is also coaching the official SANS SEC560: Network Penetration and Ethical Hacking course.
During these weekly sessions, we act as a mentor to assist students in comprehending the SANS materials.


 
 
 
The following courses can be scheduled:


See you soon!

RDP flaw

In march 2012 a security vulnerability, MS12-020, has been detected in the famous Microsoft RDP
protocol. Everyone using the RDP protocol should be aware of the damage it can cause!

Targets:

Microsoft Windows servers / clients with RDP enabled.

Attack surface:

DoS and Remote Code Execution (not in the wild).
Researchers have been working on developing a working remote code execution exploit for the bug,
but none has been published yet.

Your Risk:

A simple program 'with some exploit code' can crash your Windows Server on the RDP port.
If you publish your RDP servers over the Internet you are a BIG target.

Proof of Concept:

A Windows Server 2008 R2 (x64) with RDP enabled.




When launching a program with the concerning exploit code the following happens:



This is really NOT GOOD !

Solutions:
  • Don't use RDP :) (or try a least the RD Gateway)
  • Allow only 'Remote Desktop with Network Level Authentication'.
  • Patch your RDP servers.