Sunday, November 29, 2015

OSWP - A fun jaunt into Wireless Security


Worth the time if you have a few weekends to burn.

I was thoroughly impressed with OSCP and it's something I evangelize pretty frequently. Some invaluable lessons and skills are imparted, well worth the time commitment.

OSWP is a little outdated. It's mainly focused on WEP, then goes over a few WPA/WPA2 techniques. There's not a ton you can do against WPA2 these days, but it's not uncharted territory. (WPS attacks aren't even mentioned.)

The course will take you some time. You'll need to buy some hardware to make headway. I strongly suggest taking your time and reading the materials before you purchase.

Exam:

The exam was very easy if you've done the course. They give you 3 and a half hours; about 90 minutes in, I was submitting my report.

I think everyone has an issue with the labs. A quick reboot of my machine fixed an issue. Use multiple SSH sessions!

If you're curious about security, particularly wireless security, this is a good starter cert.

Thursday, July 2, 2015

Update on CVE-2014-9141: Thomson Reuters Fixed Assets CS <= 13.1.4

Received notification from vendor today:

"We appreciate your report and attention on the connectbgdl.exe vulnerability.  We are scheduled to address this with our next major release, 2015.1.0, scheduled for November of 2015.  This will be our first opportunity to address it since it came to our attention following our last major release of 2014.1.0 in November of 2014.  As of this point in time, we have seen no reports of this vulnerability being exploited within our customers' systems."

This patch should be applied immediately when released. Steps to remediate this vulnerability should be taken until the next major release ships.


Update on CVE-2015-2081: Multiple Vulnerabilities in Datto Siris and Alto



Interesting post on the DATTO vulnerabilities we discovered in February (it also covers some additional items that were not in our post):
http://silentbreaksecurity.com/tearing-apart-a-datto/
Our investigation turned up a vulnerable webserver as well, and as part of it we looked at the pages and services it exposed. At the time we decided to keep these findings private with the vendor and publish only the CVE, which we did. Now that another security researcher has published some of the same findings and rooted the box publicly, we're releasing ours, since they're useful for remediating the additional issues present on the device.
The pages and information below were available from the embedded webserver without authentication.

Potentially dangerous information leakage:
/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42
All of these are PHP's built-in "easter egg" pages, served whenever expose_php is enabled; they help determine what is running the webserver and the version behind it.



/admin.php
/test.php
/esx.php
/home.php
/tech.php
/network.php
/report.php
/filters.php
/test.php
/status.php
/ticket.php
/ajax.php
/virtualization.php
/logout.php
/agent.php
/permissions.php
/push.php 
Each of these returns "Session Expired" when visited. This suggests the request is processed, and the server may be vulnerable to cookie stealing or session hijacking.
 

/includes
/scripts
/registration
Access is Forbidden. Not an internal message or error; suggests the same finding as above.


/lib
/log
/sc
/api
/vendor
/junk
Significant number of PHP scripts for launching just about any function on the device, unauthenticated. Extremely critical to fix. Can be used to establish a reverse shell, a foothold in the server, or any number of attacks against the device and its data.


/status
Processes, blank page.

/tmp
Temp directory, reveals sensitive information. For example, the desktop screenshot gives username, system name, OS version, internal directory structure and software information

/cgi-bin
Internal 500 error. Useful if the structure can be determined.

/images
Useful for determining what software and attack surfaces are available. For example, Ajax is vulnerable, and this directory shows that it's installed and available.

/scripts/jquery.js
/index.php
/scripts/jquery-ui.js
/scripts/prototype.js
/log/
/scripts/scriptaculous.js
/scripts/setup.js
/scripts/common.js
/scripts/network.js
/scripts/base64.js
/scripts/adminSettings.js
/scripts/ga_stats.js
The JavaScript code can be viewed and downloaded, which is extremely useful for any number of attacks.


/index2.php
Reveals a lot of private information about the box. May be by design.


/about (and its subdirectories)
Significant amount of useful information for determining software loads, versioning


/branding
Empty, but available to view.

/debian
Internal structure, software loads and setup scripting.

/css
All of the CSS stylesheets. Very useful for a number of attacks.

The vendor was made aware of these issues in February and stated they were working on remediation.
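As an added defensive check (not from the original post or the vendor), the script below scans web-server access-log lines for two things the listing above makes detectable: requests carrying the PHP easter-egg query strings (server fingerprinting) and successful, unauthenticated reads of the directories reported as exposed. The combined log format, the directory set and the sample lines with RFC 5737 documentation addresses are assumptions; the log lines are constructed, not captured from a device.

```python
import re

# Query-string tokens of the PHP "easter egg" pages listed above; a request carrying
# one of them is server fingerprinting, not application traffic.
PHP_EASTER_EGGS = (
    "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000",
    "PHPE9568F36-D428-11d2-A769-00AA001ACF42",
    "PHPE9568F34-D428-11d2-A769-00AA001ACF42",
    "PHPE9568F35-D428-11d2-A769-00AA001ACF42",
)
# Top-level directories the post reports as readable without authentication.
SENSITIVE_DIRS = {"/lib", "/log", "/sc", "/api", "/vendor", "/junk", "/tmp",
                  "/debian", "/about", "/status", "/images", "/css", "/branding"}
# Apache/nginx combined log format; only client IP, request path and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def analyze(lines):
    """Return (ip, kind, path, status) for fingerprint probes and 200 responses on sensitive dirs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, status = m["path"], int(m["status"])
        top = "/" + path.split("?", 1)[0].split("/")[1]   # first path segment, query dropped
        if any(egg in path for egg in PHP_EASTER_EGGS):
            findings.append((m["ip"], "php-fingerprint", path, status))
        elif status == 200 and top in SENSITIVE_DIRS:
            findings.append((m["ip"], "unauth-sensitive-dir", path, status))
    return findings

# Constructed sample log lines (documentation IP ranges), not real device traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2015:10:01:02 -0500] "GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2015:10:01:05 -0500] "GET /tmp/ HTTP/1.1" 200 913 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2015:10:01:09 -0500] "GET /api/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Feb/2015:10:02:00 -0500] "GET /home.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Feb/2015:10:02:03 -0500] "GET /includes/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

def scan_sample():
    return analyze(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for finding in scan_sample():   # three findings, all from 203.0.113.7
        print(finding)
```

After the vendor patch is applied, the same scan over fresh logs should show only "php-fingerprint" entries (which are still worth alerting on) and no "unauth-sensitive-dir" hits.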

Thursday, February 26, 2015

CVE-2015-2081: Multiple Vulnerabilities in DATTO Siris and Alto

# Exploit Title: Multiple Vulnerabilities in DATTO Siris and Alto

# Date: 2/26/15
# Exploit Author: singularitysec@gmail.com
# Vendor Homepage: http://www.datto.com
# Version: Siris and Alto Products
# Tested on: N/A
# CVE : 2015-2081


Product Affected:
Datto Siris and Datto Alto Physical and Virtual Devices
 

These vulnerabilities have been cross-checked against multiple installs. The configuration was identical across all systems and every version encountered.

Vulnerabilities:


1. VNC is enabled on the devices by default and has a static password used by the vendor.


Update: Vendor acknowledges this issue and has stated that the end users can (and should) change the VNC password inside of the administration console.

2. The version of PHP installed on the devices (PHP 5.3.2) is a known vulnerable release with multiple vulnerabilities and attack vectors.


Update: Vendor acknowledges this issue and has stated that the versions in use are being addressed in a future release.

3. Multiple web virtual directories leak sensitive information about data, software versions, virtual machines running on the devices and configuration, via unauthenticated access to the installed webserver.


Update: Working with vendor on this issue.

4. Remote Code Execution can be accomplished by executing PHP scripts available to an unauthenticated user accessing the vulnerable webserver.


Update: Working with vendor on this issue.

5. Device/VM restore mount points allow unauthenticated access to them by default, allowing a remote attacker to access sensitive information and data.


Update: Vendor acknowledges this issue and has stated that the end users can (and should) apply an ACL to the folders created inside of the administration console.


Vendor Alerted 2-26-15 


Vendor Contact 2-26-15 to address issues and hand off initial findings.


Remediation:

Working with vendor on remediation for multiple issues.

1. Change the password for the VNC server to a suitably complex password or disable the service.

2. Implement complementary controls to detect or prevent attacks against the vulnerable service.
3. No update. Apply vendor patch when it is distributed.
4. No update. Apply vendor patch when it is distributed.
5. Apply an Access Control List to the folders during/after creation and restoration.

Note: Information on these vulnerabilities will be updated as communication with the vendor continues.

Website: www.information-paradox.net

This vulnerability was discovered by singularitysec@gmail.com. Please credit the author in all references to this exploit.

Thursday, January 22, 2015

OCLHASHCAT - Cracking passwords with a low-cost GPU - Preview

This was all done with a low-cost GPU (graphics card), a dictionary list and a laptop.

I benchmarked the stats on a standard mobile workstation as well, these are the results from an MD5 password list:

Dictionary Attack:

Session.Name...: oclHashcat
Status.........: Exhausted
Input.Mode.....: File (/****/Desktop/rockyou.txt)
Hash.Target....: File (/****/Desktop/hashes)
Hash.Type......: MD5
Time.Started...: Mon Jan 19 19:13:41 2015 (4 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...:  3631.2 kH/s
Recovered......: 11/12 (91.67%) Digests, 0/1 (0.00%) Salts
Progress.......: 14343297/14343297 (100.00%)
Skipped........: 0/14343297 (0.00%)
Rejected.......: 1599/14343297 (0.01%)
HWMon.GPU.#1...:  0% Util, 60c Temp, 48% Fan


11/12 passwords in 4 seconds: the hashes came from a commonly used password list, and the dictionary was the standard "rockyou.txt" file that is widely distributed.

Brute Force


Session.Name...: oclHashcat
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2) [6]
Hash.Target....: File (/****/Desktop/hashes)
Hash.Type......: MD5
Time.Started...: Mon Jan 21 19:15:33 2015 (18 secs)
Time.Estimated.: Wed Jan 21 19:16:11 2015 (14 secs)
Speed.GPU.#1...:   114.5 MH/s
Recovered......: 4/12 (33.33%) Digests, 0/1 (0.00%) Salts
Progress.......: 2101215232/3748902912 (56.05%)
Skipped........: 0/2101215232 (0.00%)
Rejected.......: 0/2101215232 (0.00%)
HWMon.GPU.#1...: 94% Util, 61c Temp, 50% Fan

4 passwords from the same hash list in 18 seconds using brute force (a mask attack) instead of the dictionary.

Most of the others finished in under an hour or so; longer passwords took under 4 hours.
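The mask run above lets you check the numbers yourself. As an added example (not code from the post or from oclHashcat), the function below computes the keyspace of a hashcat-style mask and the time to exhaust it at a given rate. The post does not show the -1/-2 custom charset definitions, so the example assumes -1 is ?l?u?d (62 characters) and -2 is ?l?d (36 characters); 62 × 36^5 reproduces the Progress denominator of 3748902912 exactly, and at 114.5 MH/s it takes about 32.7 seconds, matching the 18 s elapsed plus 14 s estimated.

```python
import string

# hashcat's built-in charsets; the sizes (26, 26, 10, 33, 95) drive the mask counts.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def expand_charset(spec, custom):
    """Expand a charset definition such as '?l?u?d' or 'abc?d' into the set of characters it covers."""
    chars = set()
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            chars.update(custom[key] if key in custom else BUILTIN[key])
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars

def mask_keyspace(mask, custom_specs):
    """Number of candidates a mask enumerates; custom_specs maps '1'..'4' to the -1..-4 definitions."""
    custom = {k: expand_charset(v, {}) for k, v in custom_specs.items()}
    total = 1
    for pos in range(0, len(mask), 2):
        if mask[pos] != "?":
            raise ValueError("only ?x placeholders are supported in this example")
        total *= len(expand_charset(mask[pos:pos + 2], custom))
    return total

def eta_seconds(keyspace, hashes_per_second):
    """Wall-clock time to exhaust the whole keyspace at a given cracking rate."""
    return keyspace / hashes_per_second

if __name__ == "__main__":
    # Assumed custom charsets: -1 ?l?u?d (62 chars) and -2 ?l?d (36 chars).
    ks = mask_keyspace("?1?2?2?2?2?2", {"1": "?l?u?d", "2": "?l?d"})
    print(ks)                                  # 3748902912, the Progress denominator above
    print(round(eta_seconds(ks, 114.5e6), 1))  # 32.7 s, i.e. 18 s elapsed + 14 s estimated
```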

I'll be posting more detailed data shortly, along with a detailed write-up. It's nothing new or groundbreaking, just an example of how easy it is to crack password hashes these days. You can do the same for PDF documents and ZIP files, amongst others.

Most sites use MD5 or SHA1 to hash their passwords. Of those, quite a few are using unsalted hashes.

If you're not using stronger hash algorithms, it's an invitation for disaster.
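To make the last two paragraphs concrete, here is an added example (not from the post) that puts the unsalted MD5 scheme next to a salted, deliberately slow one. With unsalted MD5, two users who picked the same password get the same digest and one precomputed table recovers both; with a per-user salt and PBKDF2-HMAC-SHA256 the digests differ and every guess has to be recomputed per user. The tiny wordlist is a constructed stand-in for rockyou.txt, and the iteration count is this example's choice.

```python
import hashlib
import hmac
import os

# Constructed sample input: a tiny stand-in for the rockyou.txt wordlist used in the post.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]

def md5_unsalted(password):
    """The weak scheme the post warns about: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_with_table(digests, wordlist):
    """One precomputed digest->word table recovers every unsalted hash present in the wordlist."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {d: table[d] for d in digests if d in table}

def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, slow hash: 16 random salt bytes + PBKDF2-HMAC-SHA256, stored as a single string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    shared = "password123"                      # two users who chose the same password
    weak = [md5_unsalted(shared), md5_unsalted(shared)]
    print(weak[0] == weak[1])                   # True: equal digests expose the shared password
    print(crack_with_table(weak, WORDLIST))     # both recovered by a single table lookup
    strong = [pbkdf2_hash(shared), pbkdf2_hash(shared)]
    print(strong[0] == strong[1])               # False: per-user salt defeats shared tables
    print(pbkdf2_verify(shared, strong[0]), pbkdf2_verify("qwerty", strong[0]))  # True False
```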