Jul 01

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

Description:
Although IIS5 is very old, finding one is not impossible! Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability arises because an NTFS Alternate Data Stream name can be used to open a protected folder.
All of the IIS authentication methods can be circumvented. In this technique, we add “:$i30:$INDEX_ALLOCATION” to a directory name to bypass the authentication.
In a protected folder such as “AuthNeeded” which includes “secretfile.asp”:
It is possible to run “secretfile.asp” by using:
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp”
Instead of:
“/AuthNeeded/secretfile.asp”

More description:
Why IIS6 and 7 are not vulnerable:
- In these versions, IIS does not accept the colon (“:”) character in the URL before the querystring.

Why we cannot use “::$Data” in IIS 5.1 anymore:
- IIS rejects the request if its URL contains “::$” (before querystring).

Why IIS5 is vulnerable to “Directory Authentication Bypass” by using “:$I30:$Index_Allocation”:
- IIS only verifies the directory name to check for authentication. Therefore, we can use “http://victim.com/SecretFolder:$I30:$Index_Allocation/” instead of “http://victim.com/SecretFolder” to bypass the authentication.

Is it possible to bypass something else by using “:$I30:$Index_Allocation” on an NTFS partition:
- If a check is based only on the directory name, it can be bypassed by using this method.
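
An added example, not part of the original advisory: a log check for the request shapes described above. It flags any path (before the query string) that contains `:$I30:$INDEX_ALLOCATION` in any letter case, `::$`, or a bare colon, after percent-decoding; the W3C-style field layout and the log lines are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample log (W3C-style fields; addresses are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-07-01 10:00:01 192.0.2.10 GET /AuthNeeded/secretfile.asp - 401
2010-07-01 10:00:05 192.0.2.10 GET /AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp - 200
2010-07-01 10:00:09 192.0.2.11 GET /SecretFolder%3A%24I30%3A%24Index_Allocation/ - 200
2010-07-01 10:00:12 192.0.2.12 GET /default.asp::$DATA - 404
2010-07-01 10:00:15 192.0.2.13 GET /search.asp q=a:b 200
"""

INDEX_STREAM = re.compile(r":\$i30:\$index_allocation", re.IGNORECASE)

def classify_path(raw_path):
    """Return a reason if the path (before any '?') carries NTFS stream syntax, else None."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # decode a few rounds so %3A and %253A are both normalised
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if INDEX_STREAM.search(path):
        return "index-allocation-stream"
    if "::$" in path:
        return "default-data-stream"
    if ":" in path:
        return "colon-in-path"
    return None

def scan_log(text):
    """Return (client, uri stem, status, reason) for every flagged request in the log."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        reason = classify_path(rec.get("cs-uri-stem", ""))
        if reason:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"], reason))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned 200 for a directory that normally answers 401 is the case to investigate first.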


Jun 30

I need to translate this word first:
Crazy Browsers = Crowsers

Now, I want to share some odd behaviour of browsers with you. Let’s make them Crazy!

 1- First, we load a URL in an IFrame. Then, we load another website in the same frame. Now, by using “javascript:window.history.go(0)”, the IFrame SRC changes back to the first URL, but the IFrame keeps showing the 2nd website!

 Try it here: http://0me.me/demo/crowzers/irsdl/addressbar_halt.html

 Which Browsers?

  - Mozilla Firefox 3.6.6

  - IE7

  - IE8

 2- We want to lock the address bar in different browsers by using “onblur” and “onload” events with “this.focus()”.

 Try it here: http://0me.me/demo/crowzers/irsdl/iframe_src_fool.html

 Which Browsers?

  - Mozilla Firefox 3.6.6

  - IE7

  - IE8

  - Opera 10.54

 3- We want to stop the browsers from working by using infinite loops and so on.

 Try it here: http://0me.me/demo/crowzers/irsdl/halt.html

 Which Browsers?

  - Mozilla Firefox 3.6.6: Halted with Mozilla Crash Reporter

  - IE7: Halted

  - IE8: Halted

  - Safari 5: Crashed on “javascriptcore.dll”

Good luck!

May 27

In this paper, I want to present a method for performing Cross Site URL Hijacking (which we can call XSUH) by using the error object of Mozilla Firefox. An XSUH attack is used to steal the URL of another website. This URL can show the client’s situation on that website, and it can contain confidential parameters such as a session ID as well. There is another useful article with a similar purpose but a different approach, the “XSHM” article by CHECKMARX, and reading it is highly recommended as well.
As you might know, script error handling in Mozilla Firefox is quite useful for developers, as it can show the exact source of an error along with some useful information. Now, this functionality can be misused to divulge the destination URL after redirections (the XSUH attack), which can lead to condition leakage or to stealing some important parameters from the URL.

Download From Here: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf
Or Here: http://0me.me/demo/XSUH/XSUH_FF_1.pdf

Proof of Concept: http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html

Note: This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build5 (26th May 2010).

May 06

One of the first steps of a black-box penetration test of a website is mapping its files and directories. In order to do that, security scanners crawl the website first, and then try to guess the possible directories and files. These scanners use the response header or body of the page to identify a valid file or directory. For instance, the header status “404” can be the sign of “File Not Found” and “200” can be the sign of a valid file. Also, the status “403 Forbidden” can be the sign of a valid directory without any index page. However, many websites such as Yahoo, Google, Facebook, Microsoft, and so on do not like to show “403 Forbidden” errors for a valid directory, and instead they show a “Page Not Found” or another default page to the users. Although this functionality makes the website more user-friendly, it is not good for the scanners at all, as there is then no difference between a valid and an invalid directory.

Therefore, we need something else as a signature to improve the scanners’ results. As a solution, we can use a “/” as an identifier. When a valid directory is requested without a slash at the end of it, the web server adds a slash automatically; when the directory is invalid, no slash is added at the end of the directory name.

Some examples:

Invalid Directory: http://www.microsoft.com/foobars

Valid Directory: http://www.microsoft.com/test

——–

Invalid Directory: http://code.google.com/foobars

Valid Directory: http://code.google.com/js

——–

Invalid Directory: http://www.facebook.com/foobars

Valid Directory: http://www.facebook.com/admin

——–

Invalid Directory: http://uk.yahoo.com/foobars

Valid Directory: http://uk.yahoo.com/private

——–

Cheers,

Soroush Dalili
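
An added example, not from the original post: for a site that hides directories behind a generic "not found" page, this checks recorded responses for the trailing-slash redirect described above, which still reveals that a directory exists. The host `example.test` and the observations are constructed.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed observations: (request URL, status code, Location header or None),
# e.g. recorded while reviewing your own server's responses.
OBSERVATIONS = [
    ("http://example.test/private", 301, "http://example.test/private/"),
    ("http://example.test/js", 302, "/js/"),             # relative Location
    ("http://example.test/foobars", 404, None),           # plain not-found
    ("http://example.test/old", 301, "http://example.test/new/"),  # ordinary redirect
    ("http://example.test/admin", 200, None),              # generic page, no redirect
]

def is_slash_redirect(request_url, status, location):
    """True when the response redirects to the same path with only '/' appended."""
    if status not in REDIRECTS or not location:
        return False
    req, loc = urlsplit(request_url), urlsplit(location)
    # A relative Location has no host; an absolute one must stay on the same host.
    if loc.netloc and loc.netloc.lower() != req.netloc.lower():
        return False
    return not req.path.endswith("/") and loc.path == req.path + "/"

def leaking_directories(observations):
    """Request URLs whose response gives away that the directory exists."""
    return [url for url, status, location in observations
            if is_slash_redirect(url, status, location)]

if __name__ == "__main__":
    for url in leaking_directories(OBSERVATIONS):
        print("directory revealed by slash redirect:", url)
```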

Mar 04

Iframe delay in loading the local drives in IE7 and IE8 can cause drive list enumeration!
Proof of Concept is available from this link:
http://plaincipher.com/demo/IE-Drive-Enum-Demo.html

Cheers,
Soroush Dalili
