HTTP Service running on port 8080, revealing the version information of the product in it banner.
The banner  revealed is Apache-Coyote/1.1.
This is the banner of the Apache Tomcat Web Server which runs on port 8080 by default.

Apache-Coyote/1.1 Version Disclosure

Now, as per good security practice, the banner should be removed or modified, so that it no longer reveals the version number.
This can be achieved by editing your server.xml configuration file found at the below location:

CATALINA_HOME/conf/server.xml

Original server.xml reveals version information

Modified server.xml

You may need to restart your server for the changes to reflect.
Once the Tomcat server is up, test the server to see if it shows the custom header.

> telnet localhost 8080
HEAD / HTTP/1.0
<CRLF>
<CRLF>

Web Server with Custom HTTP Banner

Hope this helps others who are looking for a solution to the banner version disclosure

Check out OWASP’s article on Securing Tomcat for more details.

–

Wasim

Just a quick post. Someone on the ‘NULL’ mailing asked for WebGoat alternatives to learning Web Application penetration testing. The reponse was amazing, with many applications being listed as vulnerable web applications designed for learning web-app pentest. I have collected  all vulnerable web applications and listed them below for reference:

If you know of any other vulnerable web applications (which can be used as a platform for learning web-app pentest), drop a line in the comments.Let me know if any of the links appear dead.

Update: Thanks to corelanc0d3r for pointing out that my script does not generate an output same as the metasploit and pvefindaddr scripts. This is useful, as pointed by him, to anyone wishing to mix the outputs/offsets between the tools. I have made relevant changes to the code and also fixed another bug which prevented all offsets from being calculated.

While developing exploits, at times you require a unique string for which any 4 consecutive characters selected at an instance are unique across the string(or may be repeated only after a large gap of characters). This is mostly used to find the ‘offset’ of the characters which have over-written the EIP register.

Metasploit (version 3.0+) has a tool for both:
1) to generate the string pattern (tools/pattern_create.rb)
2) to find the offset of the required pattern (tools/pattern_offset.rb)

These are amazing utilities and really helpful for exploit development. However, the scripts are based on Ruby (in the Metasploit Framework) and it may not be possible for someone to carry the entire MSF.
Now people have come up with many alternate solutions and have made their own ports to different scripting languages based on these 2 utilities. I have been getting my hand dirty with Perl for sometime now, and this served as a good project for me to learn Perl.

So I have also developed a Perl script which combines these two functionality (i.e. pattern generation and offset search) into one script. The code is available at the end of this post. It’s not a complete port, but it be should be able to do the job most of the time.

There are two modes of operation:
1) Only one argument is provided which is the length of the string to be generated
(./gspattern.pl [length of string])
2) Both length of string and pattern whose offset is to be found are provided
(./gspattern.pl [length of string] [pattern to search] )

The script can handle multiple occurrences of the pattern (this would happen in cases where the string length is very large)

(Let me know if you find any bugs in the code. I am no expert programmer. Just getting my hands dirty in Perl.The script can currently generate strings of length upto 20306 characters.)

Thanks !

#!/usr/bin/perl -w
use strict;

# Generate/Search Pattern (gspattern.pl) v0.2
# Scripted by Wasim Halani (washal)
# Visit me at http://securitythoughts.wordpress.com/
# Thanks to hdm and the Metasploit team
# Special thanks to Peter Van Eeckhoutte(corelanc0d3r) for his amazing Exploit Development tutorials
# This script is to be used for educational purposes only.

my $ustart = 65;
my $uend = 90;
my $lstart = 97;
my $lend = 122;
my $nstart = 0;
my $nend = 9;
my $length ;
my $string = "";
my ($upper, $lower, $num);
my $searchflag = 0;
my $searchstring;

sub credits(){
    print "\nGenerate/Search Pattern \n";
    print "Scripted by Wasim Halani (washal)\n";
    print "http://securitythoughts.wordpress.com/\n";
    print "Version 0.2\n\n";
}

sub usage(){
    credits();
    print " Usage: \n";
    print " gspattern.pl  \n";
    print "         Will generate a string of given length. \n";
    print "\n";
    print " gspattern.pl   \n";
    print "         Will generate a string of given length,\n";
    print "         and display the offsets of pattern found.\n";
}

sub generate(){
    credits();
    $length = $ARGV[0];
    #print "Generating string for length : " .$length . "\n";
    if(length($string) == $length){
		finish();
    }
    #looping for the uppercase
    for($upper = $ustart; $upper <= $uend;$upper++){
		$string =$string.chr($upper);
		if(length($string) == $length){
			finish();
		}
		#looping for the lowercase
		for($lower = $lstart; $lower <= $lend;$lower++){
			$string =$string.chr($lower);
            if(length($string) == $length){
                finish();
			}
            #looping for the numeral
            for($num = $nstart; $num <= $nend;$num++){
                $string = $string.$num;
                if(length($string) == $length){
                    finish();
				}
				$string = $string.chr($upper);
				if(length($string) == $length){
					finish();
				}
				if($num != $nend){
                    $string = $string.chr($lower);
				}
				if(length($string) == $length){
					finish();
				}
			}
		}
    }
}

sub search(){
    my $offset = index($string,$searchstring);
    if($offset == -1){
		print "Pattern '".$searchstring."' not found\n";
		exit(1);
    }
    else{
		print "Pattern '".$searchstring."' found at offset(s) : ";
    }
    my $count = $offset;
    print $count." ";

    while($length){
        $offset = index($string,$searchstring,$offset+1);
        if($offset == -1){
			print "\n";
			exit(1);
		}
		print $offset ." ";
		$count = $count + $offset;
    }
    print "\n";
    exit(1);
}

sub finish(){
    print "String is : \n".$string ."\n\n";
    if($searchflag){
        search();
    }
    exit(1);
}

if(!$ARGV[0]){
    usage();
    #print "Going into usage..";
}
elsif ($ARGV[1]){
    $searchflag = 1;
    $searchstring = $ARGV[1];
    generate();
    #print "Going into pattern search...";
}
else {
     generate();
     #print "Going into string generation...";
}

Rediffmail Plaintext credentails captured using wireshark

Rediff needs to get their act together !

————————————————-
Below is the original advisory:

About Rediff
Rediff.com (Nasdaq: REDF) is one of the premier worldwide online providers of news, information, communication, entertainment and shopping services.
Rediff.com provides a platform for Indians worldwide to connect with one another online. Rediff.com is committed to offering a personalized and a secure surfing and shopping environment.
Rediff.com additionally offers the Indian American community one of the oldest and largest Indian weekly newspapers, India Abroad.
Founded in 1996, Rediff.com is headquartered in Mumbai, India with offices in New Delhi, Bangalore, Chennai, Hyderabad and New York, USA.

Mission In The Internet Space
To provide world-class online consumer service offerings to Indians worldwide.

Vulnerability
Persistant XSS Vulnerability in Subject field of rediff
Vulnerability Reported on : Sat, Jan 23, 2010 at 1:23 AM
But they din’t even cared to respond back .

Credits
This Vulnerability was discovered and reported by w4rl0ck.d0wn and Rockey Killer of h4ck3r crew

POC

http://h4ck3r.in/Reported%20Vulnerabilities/rediff/

Rockey Killer
h4ck3r Crew

Windows Authentication

• When a user connects through a Windows user account, SQL Server validates the account name and password using the Windows principal token in the operating system. This means that the user identity is confirmed by Windows.
• SQL Server does not ask for the password, and does not perform the identity validation.
• Windows Authentication is the default authentication mode, and is much more secure than SQL Server Authentication.
• Windows Authentication
  • uses Kerberos security protocol,
  • provides password policy enforcement with regard to complexity validation for strong passwords,
  • provides support for account lockout,
  • and supports password expiration.
• A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.

SQL Authentication

• When using SQL Server Authentication, logins are created in SQL Server that are not based on Windows user accounts.
• Both the user name and the password are created by using SQL Server and stored in SQL Server.
• Users connecting using SQL Server Authentication must provide their credentials (login and password) every time that they connect.
• When using SQL Server Authentication, you must set strong passwords for all SQL Server accounts.
• Three optional password policies are available for SQL Server logins.
  • User must change password at next login
  • Enforce password expiration
  • Enforce password policy
• SQL Server Authentication cannot use Kerberos security protocol.
• Supports environments with mixed operating systems, where all users are not authenticated by a Windows domain.

Source: http://msdn.microsoft.com/en-us/library/ms144284.aspx

Highly recommended. You can find the article here. I’m also adding it to my Reading Room for future reference.

Some days back I was greeted by a Google Safe browsing warning when I tried visiting a ‘known’ site. As I was sure it was supposed to be clean and harmless site, I thought it would be good to dig further into this problem. The trail led to interesting amounts of codes, concepts and techniques.

Malware writers are very smart nowadays (haven’t they always been ?). They know that once their code is understood it most likely to be detected by anti-malware applications. To delay detection by such applications, they resort to a wide range of techniques. In this blog post I’ll be discussing the most potent and easily created malware.

Javascript has become the boon and bane of the Internet. It provides greater interactivity with the user but can also be used by malware writers to infect innocent users. Javascript is a client-side scripting technology which means the processing of the script is handled by the user’s browser.

Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret.

JavaScript is sometimes obfuscated to prevent users from easily understanding their functionality. ( Legitimate uses are to prevent stealing of code)

There may be many ways to obfuscate a code and similarly there may be multiple ways to de-obfuscate a code. What I’ve presented below is very raw and cannot be used to analyze many malicious JS. But since this is the beginning for me, I thought it may help others too.

Disclaimer: Links presented below are live at the time of writing this blog post. Please do not visit them if you do not know what you are getting into.

First thing first, we need to get the HTML source the malicious page. We can either use wget/curl or Malzilla, which is what I used. It was observed that this page is dependent on the HTTP referrer. So if the domain receives a request for the page without a ‘valid’ HTTP referrer page, the page is not returned.
We get the ‘bad’ HTML at http://mybetorwager.cn:8080/index.php with a valid HTTP referrer.

The complete HTML source can be viewed here

The code starts off with the following in the SCRIPT tag.

Vhotzdq(function(p,a,c,k,e,d)

This section of the code shows that the javascript has been packed by the popular Dean Edword JS Packer. This packer is available online as well as in download-able formats. We use a GreaseMonkey script “Decode It!” to enable the online ‘ Decoder‘ on the webpage.


We paste the code from Vhotzdq(function(p,a,c,k,e,d) onwards till the end and rename the function name Vhotzdq to eval. This will help us decode and evaluate the result. The output of which can be found here

—————————————————-

Update 2: 16th September,2009
Seems like Dean Edwards had coded an UNPACKER as well. It can be accessed at http://dean.edwards.name/unpacker/. If using this tool, simply replace the Vhotzdq to eval and run the script. No additional GreaseMonkey scripts are necessary

—————————————————-

Unpacked Javascript using Dean Edwards Packer

As can be seen above, we need to unescape the code to get the decoded output. This can be done in multiple ways:

• Replace Vhotzdq as eval, and execute the script
• Use the Malzilla decoder feature “Decode UCS2 (%u)”
• Use an online encoder/decoder like PHP Charset Encoder/PHP String Encrypter

Using the 'unescape' feature provided by PHP Charset Encoder

The decoded output of the above step can be found here

Now the code is in a more human readable format. To further complicate analysis, the malware authors have implemented small amounts of string manipulations on the code. Also, the variables used have been obfuscated or mangled. This will not pose a problem to us as the variables can be given any names.

Note that there exists a certain amount of code-block which is still encoded.On decoding this further, I was presented with non-English language statement. I wasn’t able to figure out the use of this code. A guess would be that a message/error is inserted here. This would most likely be the malware authors original language. Another malware analysis shows this section as the Shellcode. I will update this as I get more information on how to decode it.

—————————————————-

Update 1: 14th September,2009
OK, it turns out that the segment was indeed the shellcode. Using the Malzilla tool we concatenate the variable “var unf57UBnT“
This presents us with an encoding which seems to be UCS2. Next, we can either use Malzilla to convert UCS2 to Hex (which does not provide reliable results) or use a shellcode to EXE converter available at http://sandsprite.com/shellcode_2_exe.php.

ShellCode 2 EXE

FileInsight - Shellcode.exe analysis

URLMON.DLL is a system DLL generally used by malwares to download files from online locations

—————————————————-
The next step is to execute the ‘replace’ functions which involve Regular Expressions to clean out the manipulated code.
As an example below is the line of code that we currently have in our decoded output.

rqeqG6Spq.setAttribute(‘i#)@d!’.replace(/\(|\!|&|\$|@|\^|\)|#/ig, ”),rqeqG6Spq);

Let’s take this code in detail:

After executing the replace() function, the output would look like this

rqeqG6Spq.setAttribute(‘id’,rqeqG6Spq);

Similar replace operations are performed at all other places, till we get the final output as shown here

NOTE: Your Anti-Malware may issue an alert when you try to visit the above link. I have modified the malicious URL a bit so the script won’t move ahead.

We are now at a stage where we can make a few observations on what the JavaScript does and how it works.
The original malicious domain is found to be http://3c8.ru:8080/welcome.php .This domain serves the malware payload.
The script tries to exploit a vulnerability in ActiveX which allows it to download and execute a malicious binary.
I haven’t had the chance to go deeper into the execution of the malware But once I get the time, I’ll look into analyzing the binary as well.

Before I end this long post, just a quick note that to automate this entire process, we can use an online tool called wepawet, which is a service for detecting and analyzing web-based malware. It currently handles Flash and JavaScript files.
You can find the result of the analysis of our malicious page at http://wepawet.iseclab.org/view.php?hash=07fc283602731721a97f196c3ab19092&type=js
It provides for a comprehensive analysis.

Also, do check out the VirusTotal scan results for the obfuscated and deobfuscated Javascript
Obfuscated Detection rate is 2/41
De-obfuscated Detection rate is 14/41

I guess that’s it. Hope you liked this basic tutorial. Do leave your feedback in the comments section below

After the last contest, I received my copy of Hakin9 in about 10 days and the issue was awesome. I can’t wait to check out the contents of the upcoming issues.

The current issue addresses advance hacking techniques like ASLR and Stack Canaries. The theme of the issue is “21st Century Hacking Techniques“

Head over to their website at http://www.hakin9.org/en to know more about the contest and the articles in the current issue.

Dhiraj has demonstrated an SQL injection in a Stored Procedure which has not been constructed properly.

The crux of the issue lies in using the system Stored Procedure sp_executesql which takes a string as parameter and executes it. The string is generally a SQL query. So the entire premise of using stored procedures to prevent query injections fails as the input is directly inserted into the SQL query.

Read the detailed example at http://dhirajranka.wordpress.com/2009/08/25/sql-injection-stored-procedure/

Another interesting account of improper usage of Stored Procedure is demonstrated at
http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/

Regards,

I’ve joined in as a member as it is a very interesting project and will provide for many learning opportunities.
I’ve even submitted a report on the initial setup and analysis that we’ve done at our office. You can check it out at
http://honeynet.org.in/projects_and_reports.htm

For further details about the initiative visit http://honeynet.org.in/index.htm