A Rojak of Singapore Web Exploits, Ryan Baxendale, OWASP Singapore, 14th November 2012


Page 1: A Rojak of Singapore Web Exploits

A Rojak of Singapore Web Exploits

Ryan Baxendale – OWASP Singapore

14th November 2012

Page 2: A Rojak of Singapore Web Exploits

Who Am I?

I am Ryan

I live in Singapore

Security Consultant at Security-Assessment.com

I find bugs in web applications and hack things

Page 3: A Rojak of Singapore Web Exploits

Agenda

Today's rojak includes bugs in

1. Microsoft SharePoint (Top10-A6-Security Misconfiguration)

2. Administrative Interfaces (Top10-A6-Security Misconfiguration)

3. JavaScript Encryption (Top10-A3-Broken Authentication)

4. “Too” Factor Authentication (Top10-A3-Broken Authentication)

5. Password Reset (XSRF + Horrible password reset)

6. 2 Requests Are Better Than 1 (WAF Bypass)

Page 4: A Rojak of Singapore Web Exploits

Microsoft SharePoint

Intranet content management and document management.

SharePoint can be used to provide intranet portals, document & file management, collaboration, social networks, extranets, websites, enterprise search, and business intelligence.

The 'Publishing' feature can be used to manage a larger public website.

You might not know that site xyz is running on SharePoint.

Page 6: A Rojak of Singapore Web Exploits

Microsoft SharePoint

Find additional functionality through the SharePoint site.

Try all the default or well-known SharePoint pages:

/AllItems.aspx
/Common.aspx
/MyPage.aspx
/recyclebin.aspx

Nice list from Stach & Liu – SharePoint Hacking Diggity Project.

Also try to look for the admin web interface on a high port, although it is probably not available over the internet due to the firewall.

Page 7: A Rojak of Singapore Web Exploits

Microsoft SharePoint

Screenshot: isaca.org/_layouts/mobile/mbllists.aspx, showing a Username field.

Page 8: A Rojak of Singapore Web Exploits

Microsoft SharePoint

Upload your own page, edit pages.

Screenshot callouts: the user that created and modified this item; links to internal team sites and other confidential things; create a new page, edit a page.

Page 9: A Rojak of Singapore Web Exploits

Microsoft SharePoint

Find the list of user accounts, guess passwords, get access.

Screenshot callouts: all the site content, pages, things that should not be seen by the public, etc.; “I want to hack this account”; this is the list of users from Active Directory.

Page 10: A Rojak of Singapore Web Exploits

Microsoft SharePoint

Don’t have internal or confidential information on external-facing SharePoint sites.

Firewall the admin port.

Use an ACL to block external IP addresses from accessing SharePoint pages.

Page 11: A Rojak of Singapore Web Exploits

Administrative Interfaces

Manage web applications and content on web servers.

Admin interfaces let you run your own web shell.

OWASP states the following objectives:

Administrator-level functions are appropriately segregated from user activity.

Users cannot access or utilize administrator functionality.

(boring..) Provide necessary audit and traceability of administrative functionality.

Page 12: A Rojak of Singapore Web Exploits

Administrative Interfaces

Screenshot callouts: links to admin interfaces; documentation, if you need help haxx0ring; upload metasploit payload.

Usually on port 8080 (Apache Tomcat).

Try default usernames and passwords (tomcat:tomcat, admin:tomcat, both:tomcat, manager:tomcat, etc).

Page 13: A Rojak of Singapore Web Exploits

Administrative Interfaces

Create a metasploit payload WAR file and upload.

Page 16: A Rojak of Singapore Web Exploits

Administrative Interfaces

HTTP Methods (WebDAV)

PUT – Put a file on the server, a web shell perhaps?
DELETE – Delete a file
INDEX – List the files
PROPFIND – Find files, discover backup files

IIS 6.0: WebDAV by default only supports static web pages, not dynamic pages (ASP).

Page 17: A Rojak of Singapore Web Exploits

Administrative Interfaces

Generate metasploit payload

Fix the payload

Upload with Cadaver

Run the payload

Page 19: A Rojak of Singapore Web Exploits

Administrative Interfaces

Guess usernames and passwords with hydra/medusa, then “PUT” a web shell.

Password-protected WebDAV methods: nobody knew that the server had this functionality, so nobody changed the password.

Page 20: A Rojak of Singapore Web Exploits

Administrative Interfaces

Find WebDAV enabled servers with metasploit

Page 21: A Rojak of Singapore Web Exploits

Administrative Interfaces

Don’t let users connect to admin interfaces: firewall rules.

https://www.owasp.org/index.php/Administrative_Interface

Page 22: A Rojak of Singapore Web Exploits

JavaScript Encryption

JavaScript runs on the client side (browser): <script> ... JavaScript ... </script>

JavaScript debuggers: Firebug (Firefox), Chrome developer tools, Internet Explorer, view source.

Page 23: A Rojak of Singapore Web Exploits

JavaScript Encryption

Client: “We don’t use SSL/TLS because we have encrypted passwords”

Implemented in JavaScript.

Takes the first character of the username/password, e.g. ‘a’, and changes it to ‘23’.

Separates characters with ‘0’.

‘admin’ gets sent as ‘2305060340560’: ‘a’ = 23, ‘d’ = 5, ‘m’ = 6...

“admin”… Seems like the password starts with “admin” too..
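As an added illustration (not code from the talk), the scheme above is a per-character substitution with ‘0’ as the separator, so a single known username/ciphertext pair is enough to learn the table and read any other value built from the same characters. The table is inferred from the slide's ‘admin’ example; the other tokens are constructed.

```python
# Added example, not from the talk.  Models the slide's client-side "encryption":
# each character becomes a short number and characters are separated by '0'.
# The codes for a, d, m, i, n are read off the slide's own example
# 'admin' -> '2305060340560'; every other value here is constructed.
# Assumption: no code itself contains a '0' (true for the slide's sample).

def split_codes(token: str) -> list:
    """'2305060340560' -> ['23', '5', '6', '34', '56'] (drop empty separators)."""
    return [code for code in token.split("0") if code]

def learn_table(plaintext: str, token: str) -> dict:
    """Known-plaintext recovery: pair each plaintext character with its code."""
    codes = split_codes(token)
    if len(codes) != len(plaintext):
        raise ValueError("code count does not match plaintext length")
    table = {}
    for char, code in zip(plaintext, codes):
        if table.get(code, char) != char:
            raise ValueError(f"code {code} already maps to {table[code]!r}")
        table[code] = char
    return table

def decode(token: str, table: dict) -> str:
    """Decode with the learned table; codes never seen before become '?'."""
    return "".join(table.get(code, "?") for code in split_codes(token))

# Learned from the single example on the slide.
TABLE = learn_table("admin", "2305060340560")

if __name__ == "__main__":
    print(TABLE)                           # {'23': 'a', '5': 'd', '6': 'm', '34': 'i', '56': 'n'}
    print(decode("2305060340560", TABLE))  # admin
    print(decode("5603402307", TABLE))     # nia? (constructed token; code '7' is unknown)
```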

Page 24: A Rojak of Singapore Web Exploits

JavaScript Encryption

I broke your JavaScript encryption with a l33t BlackHat HaXx0r tool called... Microsoft Excel.

Page 25: A Rojak of Singapore Web Exploits

JavaScript Encryption

JavaScript with public/private key encryption.

Diagram: the server greets the browser with “Hey ;) Here’s my public key”. The browser holds User: AsianGirl2012, Password: ChickenRice1, computes Encrypt( Public Key , Credentials ) and sends User: J#^ZML@)*FMA&, Password: acE($2mvT$^m!fG. The server computes Decrypt( Private Key , Credentials ) and recovers User: AsianGirl2012, Password: ChickenRice1. An onlooker (???) who sees only the encrypted values asks “Where is the chicken rice?”

Page 26: A Rojak of Singapore Web Exploits

JavaScript Encryption

A substitution cipher is not encryption

JavaScript makes secret keys visible to the user

Use public/private key encryption in JavaScript

Page 27: A Rojak of Singapore Web Exploits

“Too” Factor Authentication

Two-factor authentication requires the use of two of the three authentication factors:

Something the user knows (password, PIN);
Something the user has (ATM card, smart card); and
Something the user is (biometric characteristic, such as a fingerprint).

Most of the time it ends up being knows (password) and has (token).

“Too” factor authentication is...

Page 28: A Rojak of Singapore Web Exploits

“Too” Factor Authentication

Screenshot captions: first login/signup for “Too” factor authentication; login with “Too” factor authentication.

Page 31: A Rojak of Singapore Web Exploits

“Too” Factor Authentication

Screenshot captions: first login/signup for “Too” factor authentication; login with “Too” factor authentication.

Callout: verbose error message and step-by-step authentication.

Page 32: A Rojak of Singapore Web Exploits

“Too” Factor Authentication

Wordlist excerpt shown on the slide: Aban, Abbas, Abbud, Abbudin, Abdul, Abdel, Abdal, Abdul, Adl, Abdul-Ahad, Abdul-Alim, Abdul-Aliyy, Abdul-Azim, Abdul-Aziz.

Find a list of common names for the typical customers.

Burp Intruder: send every name as the username, look at the response.

Now we know all the usernames.

Continue by doing the same thing on the next step of this broken authentication.

Page 33: A Rojak of Singapore Web Exploits

“Too” Factor Authentication

But wait there’s more…

Page 34: A Rojak of Singapore Web Exploits

“Too” Factor Authentication

Some things are just not the same

2FA is a combination of two: know, have, is

Page 35: A Rojak of Singapore Web Exploits

Password Reset

Password reset: typically an admin function to change a user’s password to a randomly generated password and securely transmit the new password to the user.

A typical reset password page for a user: asks for email/username, maybe a secret question; sends a unique password reset link to the email address.

A typical change password page: asks for old password, new password, confirm your new password.

Page 36: A Rojak of Singapore Web Exploits

Password Reset

Once upon a time a lazy developer needed to create a reset password page.

“Let's just take the change password page and make a few changes”

Great idea!... for pen testers.

If a typical change password page takes username (from session), old password, new password and confirmed new password as input...

Creating a password reset page would only need the following input: username and new password.

Page 37: A Rojak of Singapore Web Exploits

Password Reset

Password reset page accepted the following:

Hidden input, useraccount set to administrator – because we are the admin, right?
Hidden input, oldPassword set to administrator
Set Password and confirmpasswd to the new password
Set userID to the victim’s username

Let's get access to the admin account with Cross-Site Request Forgery (XSRF/CSRF).

Create an image tag with a request to change the password:

<img src="https://website/LoginServlet?action=resetpassword&useraccount=administrator&oldPassword=administrator&Password=password4444&confirmpasswd=password4444&userID=administrator&CALLER=" />

Page 38: A Rojak of Singapore Web Exploits

Password Reset

To get it working:

Admin needs to view a page with the CSRF img tag, and must be logged into the application in the same web browser.

Possible ways to share your img tag: web forum, profile signature, create a note with an HTML editor (TinyMCE), send a personal message.

You get to login as Administrator with password4444.

Page 39: A Rojak of Singapore Web Exploits

Password Reset

Don’t be a lazy developer
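As an added example (not the talk's or the application's code), here is a reset handler shaped like the request on the previous slides next to a hardened version: identity and role come from the server-side session, the change requires POST plus a per-session CSRF token, and the target user is validated. The Request class, USERS store and token scheme are constructed for the demo.

```python
# Added example, not from the talk.  A reset handler shaped like the slide's
# request (action=resetpassword, useraccount, oldPassword, Password,
# confirmpasswd, userID) next to a hardened version.  Request, USERS and the
# token scheme are constructed for the demo.
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    params: dict
    session: dict = field(default_factory=dict)   # server-side session store

USERS = {"administrator": "administrator", "alice": "hunter2"}   # constructed

def reset_vulnerable(req: Request) -> str:
    """The change-password page reused as reset: identity, authorisation and
    the target user all come from client-supplied (hidden) inputs, and the
    handler works on any method, so a GET from an <img> tag is enough."""
    p = req.params
    if p.get("action") != "resetpassword" or p["Password"] != p["confirmpasswd"]:
        return "error"
    if USERS.get(p["useraccount"]) != p["oldPassword"]:   # both chosen by the client
        return "error"
    USERS[p["userID"]] = p["Password"]                     # target chosen by the client
    return "ok"

def issue_csrf_token(session: dict) -> str:
    """Per-session random token that the reset form must echo back."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]

def reset_hardened(req: Request) -> str:
    """Who is acting comes from the session, the change needs POST plus a
    matching CSRF token, and only an administrator may reset other accounts."""
    p = req.params
    if req.method != "POST":
        return "error"                         # no state change over GET
    expected = req.session.get("csrf")
    if not expected or not hmac.compare_digest(p.get("csrf", ""), expected):
        return "error"                         # a cross-site form cannot know it
    if req.session.get("user") != "administrator":
        return "error"                         # role from session, not params
    if p["Password"] != p["confirmpasswd"] or len(p["Password"]) < 12:
        return "error"
    if p["userID"] not in USERS:
        return "error"
    USERS[p["userID"]] = p["Password"]
    return "ok"
```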

Page 40: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

One day I was testing a web application. It gets tested often, and by lots of different people/companies. So at this point it's one of the most boring (secure) applications a pen tester can come across.

Page 41: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

I found a directory traversal bug where I request /app/test../../../ and I get a directory listing.

This wasn’t too interesting because I could only see the directory listing, but never access those files or folders.

Something strange was going on...

Page 42: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

Then, using Burp Intruder with a list of common files and folders (such as the DirBuster wordlist), found /app/test../../../console

Page 43: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

This bug was only in the UAT environment.

I need to get this bug working in production.

There's a web application firewall (WAF) that looks at all the requests and decides if they should be forwarded on to the web server.

So how do we trick the WAF into forwarding anything?

But the client has a WAF, so they’re safe, right?...

Page 44: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

There’s a strange bug in a few web servers.

“… Reports indicate that Microsoft IIS 5.0 truncates requests that contain a body of greater than 48 KB in length. After 49152 bytes of a request body are handled, IIS terminates the request and starts to parse a new request.” (1)

“… There appears to be a bug … strangely, IIS/5.0 silently truncates the body after 48K (49,152 bytes) … we can smuggle a request in the last x bytes of the body.” (2)

“If the size of the request exceeds a particular threshold (by default, 48 KB), then the ISAPI or CGI code to which the request is directed needs to be aware of chunked-transfer encoding to process the request correctly.” (3)

(1) - www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21219
(2) - www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
(3) - hostingadministration.blogspot.sg/2008/01/urlscan-security-tool-faq.html

Page 45: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

A basic HTTP POST request before smuggling:

POST /crosstraining/aboutyou2.php HTTP/1.1
Host: www.webscantest.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.webscantest.com/crosstraining/aboutyou2.php
Cookie: SESSIONID_VULN_SITE=4vdvho53o3vk9tjr94lks786q3
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

returnto=aboutyou2.php&fname=Ryan&nick=Security-Assessment&lname=OWASP&submit=submit

Page 46: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

The idea is to send one big evil request, and a normal request directly after it.

The big evil request has to be more than 48kb.

We have to include what we need to send (parameters etc), then fill the rest of the space with garbage.

POST /test../../../console/adminlogin.jsp HTTP/1.1
Host: ….
Content-length: 49152

username=admin&password=admin&ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage……

GET /happy.nice.users.normal.page.jsp HTTP/1.1
Host:…

Page 47: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

48kb in bytes is 49152.

The first request must be larger than 48kb, and the Content-Length must be larger than 48kb.

Uncheck “Update Content-Length”: we want to manually specify that it’s a bit more than 48kb.

Screenshot callouts: this is our malicious request; now we fill the request with 48kb of garbage -----------------------(snip)------------------------; this is our “normal” request that returns 404, but allows us to get our “evil” request to the web server.
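As an added example (not from the talk), two parsers read one constructed byte stream: one honours Content-Length as a WAF would, the other models the quoted IIS 5.0 behaviour of handling only 49152 body bytes and then treating the remainder as a new request, which is the disagreement a front end has to close. Only the 48 KB threshold comes from the slides; the paths and hosts are placeholders.

```python
# Added example, not from the talk.  Two parsers read one constructed byte
# stream: parse_stream(..., None) honours Content-Length, while
# parse_stream(..., LIMIT) models the quoted IIS 5.0 behaviour of handling
# only 49152 body bytes and then parsing the remainder as a new request.
# Only the 48 KB threshold comes from the slides; paths and hosts are placeholders.
from typing import List, Optional

LIMIT = 48 * 1024   # 49152 bytes, the threshold quoted on the previous slides

def _parse_one(buf: bytes, body_cap: Optional[int]):
    """Parse the request at the start of buf; return (request line, leftover)."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    length = 0
    for header in lines[1:]:
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    consumed = length if body_cap is None else min(length, body_cap)
    return lines[0].decode(), rest[consumed:]

def parse_stream(buf: bytes, body_cap: Optional[int]) -> List[str]:
    """Request lines a parser with the given body cap would see in the stream."""
    seen = []
    while buf.strip():
        line, buf = _parse_one(buf, body_cap)
        seen.append(line)
    return seen

def build_stream(padding: int) -> bytes:
    """One POST whose body is `padding` filler bytes followed by a second,
    complete request, so the second request starts at body offset `padding`."""
    hidden = b"GET /example-hidden-path HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    body = b"x" * padding + hidden
    head = (b"POST /example-form HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return head + body

def disagreement(buf: bytes, back_end_cap: int = LIMIT) -> List[str]:
    """Requests the back end would process that a Content-Length-honouring
    front end (the WAF) never saw as requests: the gap a front end must close,
    e.g. by rejecting or re-framing bodies longer than the back end's cap."""
    front = parse_stream(buf, None)
    back = parse_stream(buf, back_end_cap)
    return [line for line in back if line not in front]

if __name__ == "__main__":
    print(disagreement(build_stream(LIMIT)))   # ['GET /example-hidden-path HTTP/1.1']
    print(disagreement(build_stream(100)))     # [] (body below the threshold)
```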

Page 48: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

Response from the server, as if we sent a normal request.

Probably using IIS 5 or 6 with custom ISAPI filters, or an appliance such as CheckPoint FW-1 with “Web Intelligence”.

Page 49: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

Now let's login.

Screenshot callouts: username and password to login; login error: wrong user and password.

Burp Intruder to the rescue! Brute force the password for admin.

Page 50: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

Winning! Let's deploy our own web app and get shell :D

Page 51: A Rojak of Singapore Web Exploits

2 Requests Are Better Than 1

WAF

Don’t rely on a web app firewall (WAF) to fix web app vulnerabilities

Fix the code

Page 52: A Rojak of Singapore Web Exploits

Recap

Microsoft SharePoint

Keep internal and external sites separate

Administrative Interfaces

Don’t let users connect to them, change default passwords

JavaScript Encryption

Don’t use your own encryption, use public/private key crypto

“Too” Factor Authentication

Remove verbosity from error messages, find out what 2FA is

Password Reset

Don’t be a lazy developer

2 Requests Are Better Than 1

A web app firewall (WAF) doesn’t fix broken code, fix the code

Page 53: A Rojak of Singapore Web Exploits

Questions? Comments?

Contact: [email protected]

Invite more people to OWASP meetings.

Sign up and be active on the OWASP Singapore mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-singapore

Hacker? Think you can hack? Got talent? We are hiring!