Archive

Posts Tagged ‘Security’

Black Hat EU: You are Doing it Wrong: Failures in Virtualization Systems – By Claudio Criscione

March 18th, 2011 No comments
Wrong Way ... Way Wrong a CC NC SA image from Bob.Fornal's Flickr stream

Virtualization aims to save money and make things simple and quick to deploy. Saving money and quick deployment are arch enemies of security.

Virtualization products require security at the hypervisor level. Being able to hop from one virtual machine to another is not acceptable. There are also a lot of products that focus on security inside the virtual machines, but virtualized infrastructures are complex by nature.

Relatively lame bugs like XSS can be a big deal in virtualization infrastructures.

Claudio demonstrates this live on stage by exploiting an XSS bug in VMware vCenter which took 1.5 years to patch.

Claudio showed us how an unprivileged user on the vCenter machine was able to read a log file containing the administrator's SOAP session ID. Using this ID and VASTO, administrator privileges were obtained. Until the latest patch, read-only access to vCenter meant that the user could take over the virtual infrastructure using standard tools.

The next attack demonstrated is against an Oracle virtual machine. Using standard “lame” exploits, Claudio was able to hop from the application-level administrator to the system root account.

So there are still some very simple vulnerabilities in this software.

Virtualization software is broken today, and we have to treat it accordingly. We have to make people aware that it is broken.

Virtualization infrastructures should be set up in such a way that an XSS in the management layer cannot lead to a disaster.

Read more…

Black Hat EU: Building Floodgates: Cutting-Edge Denial of Service Mitigation – By Yuri Gushin & Alex Behar

March 18th, 2011 No comments
Ghosts of Lake Sutherland a CC NC SA image from Wyrmworld's Flickr stream

DoS: making resources unavailable to others. Common motives are hacktivism, extortion and rivalry. Most big attacks are successful.

So what are the risks of being under DoS attack? Downtime, lost revenue, large bills from the cloud service providers.

What kinds of DoS attacks are there?

  • Layer 3 – Muscle-based attacks, generating too many packets for the equipment or saturating the pipe.
  • Layer 4 – Consumes more resources on the device, e.g. SYN flood, connection flood, concurrent connection exhaustion, garbage data.
  • Layer 7 – Attacking the application, trying to consume as many resources as possible. E.g. HTTP page flood, HTTP bandwidth consumption, DNS query flood, SIP INVITE flood. These attacks are low-rate, high-impact.

So how do you mitigate DoS attacks?

Static thresholds work and put the operations team in control; however, they require constant tuning and restrict the detection phase to a single dimension (rate only).

Adaptive thresholds attempt to learn real traffic characteristics, which improves accuracy; however, natural traffic peaks, e.g. a Christmas peak, may be blocked too.
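To make the static-versus-adaptive trade-off concrete, here is an added example (my own illustration, not code from the talk or from any product Yuri and Alex discussed). It runs a fixed threshold and a learned-baseline threshold over two constructed requests-per-second series: one with a gradual seasonal rise followed by a flood, and one with a sudden but legitimate jump. The function names, the window size, the multiplier and the traffic numbers are all assumptions chosen for the illustration.

```python
"""DoS rate thresholds, as an added illustration: a static threshold and an
adaptive (learned baseline) threshold run over the same constructed traffic."""
from collections import deque
import statistics


def static_detector(rates, threshold):
    """Static threshold: alert on every second whose request rate exceeds a
    fixed number chosen by the operations team."""
    return [i for i, rate in enumerate(rates) if rate > threshold]


def adaptive_detector(rates, window=10, factor=2.0):
    """Adaptive threshold: learn 'normal' as the median of the last `window`
    accepted samples and alert when a sample exceeds `factor` times that.
    Flagged samples are not learned, so a sustained flood cannot drag the
    baseline up to its own level."""
    history = deque(maxlen=window)
    alerts = []
    for i, rate in enumerate(rates):
        if len(history) == window and rate > factor * statistics.median(history):
            alerts.append(i)
            continue
        history.append(rate)
    return alerts


def christmas_then_flood():
    """Constructed requests-per-second series: 20 s of normal traffic, a gradual
    30 s rise to 310 rps (a natural seasonal peak), a plateau, then a flood."""
    quiet = [100, 102, 98, 101, 99] * 4
    ramp = [100 + 7 * t for t in range(1, 31)]
    plateau = [310] * 10
    flood = [5000] * 5
    return quiet + ramp + plateau + flood


def flash_sale():
    """Constructed series for a sudden but legitimate four-fold jump in traffic."""
    return [100] * 20 + [400] * 5


if __name__ == "__main__":
    rates = christmas_then_flood()
    print("static, gradual rise then flood :", static_detector(rates, 250))
    print("adaptive, gradual rise then flood:", adaptive_detector(rates))
    print("static, flash sale :", static_detector(flash_sale(), 250))
    print("adaptive, flash sale:", adaptive_detector(flash_sale()))
```

On the first series the static threshold of 250 starts alerting at second 41, in the middle of the gradual rise, while the adaptive detector stays quiet through the rise and fires only on the flood. On the flash-sale series both detectors fire, which is exactly the caveat above: a rate-only detector cannot tell a sudden natural peak from an attack, whether its threshold is fixed or learned.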

Read more…

The ABAP Underverse – Risky ABAP to Kernel communication and ABAP-tunneled buffer overflows – By Andreas Wiegenstein

March 17th, 2011 2 comments
Cycle Garage a CC NC ND image from Ezu's Flickr stream

This talk focuses on ABAP, the Advanced Business Application Programming language from SAP.

ABAP:

  • A proprietary language of which the exact specification is not freely available
  • It has platform-independent code
  • It has client separation built in
  • It has integrated auditing capabilities
  • System-to-system calls via the SAP RFC standard
  • Built-in transport system and version control
  • Integrated platform-independent SQL standard: Open SQL
  • Built-in authentication, roles and (explicit) authorization model
  • Thousands of well-known standard programs and database tables
  • 150+ million lines of code in an ECC6.0 system

So what are the ABAP security risks?

  • Back doors can be introduced, e.g. by a malicious developer.
  • The program can have undesired side effects (e.g. SQL injection).
  • Substandard authentication is used.

Read more…

Black Hat EU: SAP: Session (Fixation) Attacks and Protections (in Web Applications) – By Raul Siles

March 17th, 2011 No comments
gluey harmony a CC NC ND image from giveawayboy's Flickr stream

Raul Siles is @taddong on Twitter.

Why do we need session management in web applications? HTTP is a stateless protocol, so the application needs to handle state itself.

Session fixation is different from session hijacking. In hijacking you use somebody else’s session ID to become them. In session fixation the attacker fixes the session ID before the victim logs in to the target application.

So what is the state of the art of session fixation 9 years after its discovery in 2002?

Like HTTP parameter pollution, session IDs can also be accepted from multiple sources, even though the application only uses a single method. E.g. the application may use GET parameters, but still accept session ID cookies.

So how does session fixation work? An attacker sets up a session with a website, but does not log on. He then tricks a user into logging in using the same session ID. As the session gets elevated, both the attacker and the victim get the authenticated state.

Session fixation does not require social engineering, but can also be achieved by e.g. Cross-Site Scripting (XSS) or SQL injection.

In order to demonstrate the problem, Raul shows the vulnerability as it existed in Joomla 1.5.x-1.5.15.

HTTPS does not protect against session fixation vulnerabilities, nor does using MD5 values for the cookie ID or values.
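The exchange described above, as an added example that is not part of Raul's talk or of any of the applications he mentioned: a minimal server-side session store with two login variants. The vulnerable one promotes the pre-authentication session ID to the authenticated state, so the attacker who fixed that ID shares the victim's session; the hardened one discards the old ID at login and issues a new one, and in both variants the server refuses to adopt an ID it never issued. The class and function names and the credential table are assumptions made for this illustration.

```python
"""Session fixation, as an added illustration: the same login flow with and
without session ID regeneration, plus the attacker/victim exchange from the talk."""
import secrets

# Constructed credential table for the example; not a real user store.
USERS = {"alice": "correct horse battery staple"}


def check_password(user, password):
    """Constructed password check; a plain compare is enough for a toy store."""
    return USERS.get(user) == password


class SessionStore:
    """Minimal server-side session store keyed by an unguessable session ID."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # sid -> {"user": None or username}

    def new_session(self):
        """Issue a fresh, random session ID in the anonymous state."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password):
        """Authenticate and return the session ID the client must use from now on.

        Vulnerable variant: the pre-authentication ID is promoted to authenticated,
        so anyone who knows that ID (the attacker who fixed it) is logged in too.
        Hardened variant: the old ID is deleted and a new one is issued, so only
        the client that actually authenticated holds the authenticated session.
        """
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        if sid not in self._sessions:
            # Never adopt a client-supplied ID the server did not issue.
            sid = self.new_session()
        if self.regenerate_on_login:
            del self._sessions[sid]
            sid = self.new_session()
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        """Username bound to a session ID, or None if anonymous or unknown."""
        session = self._sessions.get(sid)
        return session["user"] if session else None


def fixation_scenario(regenerate_on_login):
    """Replay the exchange from the talk: the attacker obtains a session ID
    without logging in, and the victim is tricked into logging in with that
    same ID. Returns what each party ends up holding afterwards."""
    store = SessionStore(regenerate_on_login)
    attacker_sid = store.new_session()  # attacker fixes the ID, never logs in
    victim_sid = store.login(attacker_sid, "alice", USERS["alice"])  # victim logs in
    return {
        "attacker_sees_user": store.user_for(attacker_sid),
        "victim_user": store.user_for(victim_sid),
        "victim_sid_changed": victim_sid != attacker_sid,
    }


if __name__ == "__main__":
    print("vulnerable:", fixation_scenario(False))
    print("hardened: ", fixation_scenario(True))
```

The regeneration step is what makes the difference: transport encryption and hashing the cookie value change nothing about which ID the server treats as authenticated, which is why HTTPS and MD5 cookies do not help here. Regenerating the ID at every privilege change (login, and also password or role changes) is the control to check for in a review.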

Read more…

Black Hat EU: Web Application Payloads – Andres Riancho

March 17th, 2011 1 comment

Eurofighter Typhoon Payload - A CC NC ND image from Stuart R Brown's Flickr stream

This talk focuses on the w3af project, which has been Andres's project for a long time but is an open source project. It can be found at http://w3af.sourceforge.net/

Andres starts by giving an overview of w3af.

He then goes into a scenario which is common for a pentest. It starts with a pentester discovering an arbitrary file read vulnerability in a PHP application, but how to proceed to getting root? There appears to be a shocking lack of post-exploitation tools that can be applied to web application vulnerabilities.

Why is there such a lack of post exploitation tools for web applications?

  • Buffer overflows used to be more common than web application flaws
  • Web applications only allow you to interact with the system in a specific (restricted) manner

Post exploitation of web applications requires a new mindset, because you are often restricted to one or a few functions, e.g. read files with restricted privileges or write files to specific areas.

Read more…

Black Hat EU: HTTP Parameter Pollution Vulnerabilities in Web Applications – By Marco Balduzzi

March 17th, 2011 No comments
Fog | Power Plant - A CC NC SA image from fxp's Flickr stream

Marco’s (embyte@iseclab.org) research focuses on the first automated approach to detect HTTP parameter pollution.

(Slide deck)

What is parameter pollution?

In HTTP it is allowed to provide a parameter via GET and via POST. You can also provide a parameter twice. Some applications do not handle this very well and interpret both, only the first, or only the second.

E.g. will the URL http://somesite.com/vote.jpt?pool_id=4568&candidate=green&candidate=white vote for Mr. Green or Mr. White? Since PHP always opts for the first parameter the vote will go to Mr. Green.

Since parameters in a GET request overwrite the parameters in the POST request, an attacker can pollute HTTP parameters without manipulating the page itself.
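The precedence question above, worked through as an added example (my own code, not Marco's PAPAS tool or any code from the talk): the voting URL from the talk is parsed under the different rules a backend might apply, GET and POST parameters are merged with the precedence described above, and a small check flags duplicated names so a reverse proxy or the application can log or reject them before they reach the vote handler. Function names and the `strict` policy are assumptions for the illustration.

```python
"""HTTP parameter pollution, as an added illustration: how duplicate parameters
resolve under different precedence rules, and a check that flags them."""
from urllib.parse import parse_qsl, urlsplit

# The URL from the talk; the path and parameter names are the talk's example.
VOTE_URL = "http://somesite.com/vote.jpt?pool_id=4568&candidate=green&candidate=white"


def group_params(query):
    """Collect every value for every parameter name, in order of appearance."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def resolve_params(query, policy="first"):
    """Resolve duplicates the way different backends do: 'first' keeps the first
    occurrence, 'last' the last, 'all' keeps the full list, and 'strict' (the
    defensive choice for security-relevant parameters) refuses any duplicate."""
    grouped = group_params(query)
    if policy == "all":
        return grouped
    resolved = {}
    for name, values in grouped.items():
        if policy == "strict" and len(values) > 1:
            raise ValueError(f"parameter {name!r} was supplied {len(values)} times")
        resolved[name] = values[0] if policy == "first" else values[-1]
    return resolved


def duplicated_params(url):
    """Names that occur more than once in a URL's query string: a pollution
    tell-tale worth logging at the edge before the request reaches the app."""
    grouped = group_params(urlsplit(url).query)
    return sorted(name for name, values in grouped.items() if len(values) > 1)


def merge_get_post(get_query, post_body, policy="first"):
    """Combine GET and POST parameters with the precedence described above:
    a parameter in the query string overrides the same parameter in the body."""
    merged = resolve_params(post_body, policy)
    merged.update(resolve_params(get_query, policy))
    return merged


if __name__ == "__main__":
    query = urlsplit(VOTE_URL).query
    for policy in ("first", "last", "all"):
        print(policy, "->", resolve_params(query, policy)["candidate"])
    print("duplicated names:", duplicated_params(VOTE_URL))
    print("GET over POST:", merge_get_post("candidate=green", "candidate=white&pool_id=4568"))
```

Two backends in the same request path (say, a proxy or WAF that reads the first value and an application that reads the last) will disagree about which candidate the vote is for; that disagreement is what the V-Scan test described further down looks for. The `strict` policy removes the ambiguity for parameters that matter.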

Marco has built a system that can automatically test HTTP parameter pollution for both problems:

P-Scan scans for parameter precedence.

It performs three tests:

  • Error test – Test whether the application crashes if a parameter is repeated
  • Identity test – Is a second parameter considered by the application?
  • Base test – Assume that pre-filtering works

V-Scan tests for actual HTTP parameter pollution vulnerabilities by determining whether pages react differently when parameter pollution is applied. V-Scan then eliminates those cases where the differences are not a vulnerability.

These tests are implemented in a tool called PAPAS.

Marco proceeds to present the results of deploying PAPAS against about 5,000 popular websites. The sites that appeared to be vulnerable were inspected in more detail.

Read more…

Black Hat EU: Defying Logic – By Rafal Los

March 17th, 2011 No comments
WhiteRabbits - A CC NC SA Image from Halans Photo Stream

Subtitle: Theory, Design and Implementation of Complex Systems for Testing Application Logic

Rafal works at HP (blog).

The talk is set up as a three-act play.

Act 1 – Definition

What is “application logic”? Rafal is trying to discover the definition of “application logic” via an interactive process with the audience.

He starts off by showing a business flow for ordering items online as well as adding loyalty points. If the business flow is not implemented correctly, loyalty points get added without the transaction being completed. This means you can get hacked without your infrastructure being compromised.

The difference between a flaw in the business logic and a flaw in the application logic is that the latter can be patched, while the former requires a redesign of the program.

How is this different from e.g. the OWASP Top 10? The closest match we have is the MITRE CWE Top 25.

Act 2 – Types of defects

There are basically two types of these attacks:

  • Privilege manipulation
  • Transaction control manipulation

Read more…

The mystery of the missing ‘MSS:’ setting on Windows 2008

November 22nd, 2010 16 comments
Screenshot from Group Policy Editor

The MSS: settings used to be here...

I recently got involved in a project where I defined the baseline security settings for Windows and Linux. I used the settings provided by the Center for Internet Security (CIS).

We decided on the following approach:

  • Based on the CIS templates we created a baseline document specific to our company
  • I, in my security role, created a Nessus .audit file, so we could audit compliance to our own baseline with Seccubus
  • The Windows administrator created GPOs to apply the settings.

When creating the GPOs we made a strange discovery. In Windows, the settings that are normally marked MSS: in the category Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options do not appear in a domain if its functional level is Windows 2008.

This made us wonder: have these settings become irrelevant? If this is not the case, how can we still set them, preferably via group policy?

The settings are not irrelevant, as e.g. Peter van Eeckhoutte’s blog points out. Windows 2008 does not forward IPv4 packets that have source routing on them, but it does accept them if the machine is the final destination. However, for IPv6 Windows 2008 will forward these packets by default.

So if the settings are not irrelevant, how can we apply them if they are not in the Group Policy Editor? For this purpose we created an .adm file, which can be loaded into the Group Policy editor as a Classic Administrative template. Read more…

Infosecurity.nl: Social Engineering and Social media by Sharon Conheady

November 4th, 2010 No comments

Logo 2.0 Part I

Sharon works as a social engineer in London for First Defence. As a social engineer she breaks into buildings, lies to people and pretends to be other people. It was a trade that she started young; later she found out that she could earn a living with it, and she has been doing it for over ten years. Social networks have influenced social engineering and made it a lot easier.

Social engineering is used for both good and bad, even though the bad use gets a lot more attention than the good uses. All advertising is a form of social engineering.

If hackers are using social engineering they are effectively hacking the human firewall instead of the technical firewall.

Why does it work?

  • People have a tendency to trust
  • People want to help
  • People respect authorities
  • It is easier to give people information than to get rid of them
  • People don’t like confrontations
  • Social engineers invoke emotion

Why do Social Engineering and Social Networking combine so “well”? Social engineering exploits trust, and social networks are built on trust. Read more…

IVIL : An XML schema to exchange vulnerability information

October 18th, 2010 10 comments

Last Friday I had the pleasure of discussing security software with Zate, the author of the Nessus Bridge for the Metasploit framework. During the conversation we both agreed that it would be very practical if there was a way to make various security tools interchange vulnerability information more easily and openly. During this discussion IVIL was born, the Intermediary Vulnerability Information Language.

IVIL is an XML schema to feed vulnerability information that is the output of a tool like e.g. Nessus, Nikto or OpenVAS into a tool to further use this information like e.g. Seccubus.

Even though a lot of tools offer native XML output, we felt that there is a need for an open, non-proprietary language that is lean and mean, because such a solution has a number of advantages.

  • No need to modify the receiving tool. Having an intermediary language means that a new tool can be integrated into an existing tool without the need to make modifications to the tool receiving the information.
  • Support for home-brew tools. The open format makes it possible to integrate home-brew tools with other tools without the need for the original author to put effort into supporting a tool “nobody uses”.
  • Programming language independent. There is no need for anybody who wants to integrate two tools to master the programming languages these tools were written in.

We felt we needed to share this work on IVIL to get the widest possible basis for adoption.

During our initial call we came up with this initial version of the XML schema:

Read more…