Description:
Although IIS5 is very old, finding one is not impossible! Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability is because of using Alternate Data Stream to open a protected folder.
All of IIS authentication methods can be circumvented. In this technique, we can add a “:$i30:$INDEX_ALLOCATION” to a directory name to bypass the authentication.
In a protected folder such as “AuthNeeded” which includes “secretfile.asp”:
It is possible to run “secretfile.asp” by using:
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp”
Instead of:
“/AuthNeeded/secretfile.asp”

More description:
Why IIS6 and 7 are not vulnerable:
- In these versions, IIS does not accept colon (“:”) character from the URL before the querystring.

Why we cannot use “::$Data” in IIS 5.1 anymore:
- IIS rejects the request if its URL contains “::$” (before querystring).

Why IIS5 is vulnerable to “Directory Authentication Bypass” by using “:$I30:$Index_Allocation”:
- IIS only verifies the directory name to check for authentication. Therefore, we can use “http://victim.com/SecretFolder:$I30:$Index_Allocation/” instead of “http://victim.com/SecretFolder” to bypass the authentication.

Is it possible to bypass something else by using “:$I30:$Index_Allocation” on a NTFS partition:
- If a checking is only based on the directory name, it can be bypassed by using this method.

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

Now, I want to share some odd behaviour of browsers with you. Let’s make them Crazy!

 1- First, we load a URL in an IFrame. Then, we load another website on the same frame. Now, by using “javascript:window.history.go(0)”, it will change the IFrame SRC to the first URL,  but it keeps the 2nd website on the IFrame!

 Try it here: http://0me.me/demo/crowzers/irsdl/addressbar_halt.html

 Which Browsers?

  - Mozilla Firefox 3.6.6

  - IE7

  - IE8

 2- We want to lock the address bar in different browsers by using “onblur” and “onload” events with “this.focus()”.

 Try it here: http://0me.me/demo/crowzers/irsdl/iframe_src_fool.html

 Which Browsers?

  - Mozilla Firefox 3.6.6

  - IE7

  - IE8

  - Opera 10.54

 3- We want to stop the browsers from working by using infinite loops and so on.

 Try it here: http://0me.me/demo/crowzers/irsdl/halt.html

 Which Browsers?

  - Mozilla Firefox 3.6.6: Halted with Mozilla Crash Reporter

  - IE7: Halted

  - IE8: Halted

  - Safari 5: Crashed on “javascriptcore.dll”

Good luck!

Download From Here: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf
Or Here: http://0me.me/demo/XSUH/XSUH_FF_1.pdf

Proof of Concept: http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html

Note:  This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build5 (26th May 2010).

Therefore, we need something else as a signature to improve the scanners result. And as a solution we can use a “/” as an identifier. In case of requesting a valid directory without adding a slash at the end of it, the web-server will add an slash automatically, and in case of having an invalid directory there will not be any slash at the end of the directory name.

Some examples:

Invalid Directory: http://www.microsoft.com/foobars

Valid Directory: http://www.microsoft.com/test

——–

Invalid Directory: http://code.google.com/foobars

Valid Directory: http://code.google.com/js

——–

Invalid Directory: http://www.facebook.com/foobars

Valid Directory: http://www.facebook.com/admin

——–

Invalid Directory: http://uk.yahoo.com/foobars

Valid Directory: http://uk.yahoo.com/private

——–

Cheers,

Soroush Dalili

Cheers,
Soroush Dalili

The Web Application Security Consortium (WASC) is pleased to announce the long awaited release of the WASC Threat Classification v2.0.

You can read more information from these links: http://projects.webappsec.org/Threat-Classification and http://projects.webappsec.org/f/WASC-TC-v2_0.pdf

Cheers,

Soroush

I’m writing this post as a response to the Microsoft security response in: “http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx”.

They said that “We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.”. Therefore, I realized that this is not a Microsoft IIS hole. So, it should be a feature of IIS 6.0! In my opinion it’s a good feature for the attackers to bypass the web uploaders protection. Now my question is: why have they removed this feature from IIS version 7 and 7.5 then? And why are the others so concerned about this feature and some people added it to their exploits collection?

I think it’s not even a critical bug for IIS, but it is highly critical for most of the web applications.

Besides, Microsoft is so wrong about the default configurations since they said “customers who are using IIS 6.0 in the default don’t need to worry about this issue”.  I think they should look at the shared servers default configurations as well as the dedicated ones.

Finally, I think Microsoft should fix this feature as soon as possible to eliminate its risks! And, it is up to the web security researchers and the web penetration testers to decide about the impact of this vulnerability on the web applications.

PS:

You can also look at these links:

-          http://www.darknet.org.uk/2009/12/microsoft-iis-semicolon-bug-leaves-servers-vulnerable/

-          http://www.esecurityplanet.com/trends/article.php/3855936/article.htm

-          http://www.securityfocus.com/bid/37460/references

<script>
function recursiveFunc(){setInterval(“recursiveFunc()”,1);}
recursiveFunc();
</script>

Just save it as an HTML file, and try to open it with your browsers. You can convert “1” to “0” to get better result in Mozilla Firefox and Chrome.
I reported it to Mozilla Firefox as a bug.
Good luck.

The result was too simple, but interesting! I need only a semicolon between the “.asp” and the “.jpg” to execute an ASP file. So, the answer was “myfilename.asp;,jpg”. I have written some information about this vulnerability in:

http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

I’ll try to update this PDF file if there was a need to add or change some information.

Description of this vulnerability from Secunia.com is:

Description:
Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system.

The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by “;”, only one internal extension being equal to “.asp” (e.g. “file.asp;.jpg”). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.

The vulnerability is confirmed on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected.

There are also several websites which wrote about this weakness:

1. Secunia Advisory: Microsoft IIS ASP Multiple Extensions Security Bypass

2. Securityfocus: Microsoft IIS Malformed Local Filename Security Bypass Vulnerability

3. The Register: Microsoft IIS vuln leaves users open to remote attack

4. VUPEN Security: Microsoft IIS File Extension Processing Security Bypass Vulnerability

5. Securitytracker: Microsoft Internet Information Services (IIS) Filename Extension Parsing Flaw May Let Users Bypass Security Controls

I reported these two vulns. to its website just for having more security. And, I think these two vulnerabilities are fixed now.

However, I believe that still 70% of webistes are vulnerable against the OWASP TOP 10!

Also, I think you should read “Survey: Majority of Web sites vulnerable” as well.

Cheers,

Soroush

]]> http://soroush.secproject.com/blog/2009/11/my-belief-70-of-websites-are-vulnerable/feed/ 0 http://soroush.secproject.com/blog/2009/11/travian-game-vulnerabilities-in-progress/ http://soroush.secproject.com/blog/2009/11/travian-game-vulnerabilities-in-progress/#comments Sun, 29 Nov 2009 14:54:08 +0000 Soroush Dalili http://soroush.secproject.com/blog/?p=176 3 weeks ago, I sent an email about some small but effective vulnerabilities in Travian online game to its providers. By using these vulnerabilities a player can make several accounts by the same email address (because of a logical flaw), and also, he/she can login to other players’ accounts (by using an XSS vulnerability which is completely proved).

Now, I’m still waiting for their final response as I don’t want to be harmful for them!

I hope you enjoy :)

Click here to download this mini-article!

Cheers,

Soroush

I reported them to the computer support section, and all of them are solved now.
The vulnerabilities were:
1- File uploading attack (In WWW, attacker could upload a php file and execute it.)
2- Directory traversal (In WWW, attacker could see the files and directories of the server and download the web files via the browser)
3- Local file inclusion (In Supportweb, attacker could use LFI techniques to do some malicious works)
4- Critical XSS attack in Gate Keeper’s Login (In Both, attacker could steal all the usernames and passwords of the users by using some simple social engineering techniques.)

Most of these vulnerabilities were because of the old part of the website.

Cheers.

Creator: killerguppy101

Part1 (http://aria-security.persiangig.com/video/sqltut-Part1.rar)

——-

Part2.1 (http://aria-security.persiangig.com/video/sqltut-Part2.1.rar)

Part2.2 (http://aria-security.persiangig.com/video/sqltut-Part2.2.rar)

——-

Part3 (http://aria-security.persiangig.com/video/sqltut-Part3.rar)

Thanks from aria-security.com, Secr00t3r, ali_aria

Copy/Paste these links in your browser if they don’t work by clicking.

http://www.forcehacker.kit.net/videos.html

1. (Easy level) some hosts add the advs. after your html codes which can be closed easily by adding some tags such as:
<noscript> , <embed>, <object>, <!–, <script>, and …
at the end of your html page. For instance:
I tested it in GoDaddy free web hosting by adding <noscript> tag and it works successfully: [http://www.plaincipher.com/welcome.html] (6 Jan. 2009) see its source code for more details.
However, hosting can neutralize this way easily by adding some close tags before starting its advs. such as:
</noscript>, </embed>, </object>, –>, </script>, and …

2. (Medium level) some host’s advertisements can be closed by calling their close function in their JavaScript. For instance I tested this code:

<script>document.getElementById(‘divADV’).style.visible=’hidden’;window.setInterval(‘closeWindow()’,0);closeWindow();</script>

at PersianBlog.ir’s weblogs and it works successfully: see [error404.persianblog.ir] (6 Jan. 2009).

3. (Hard level) some host’s advs. are very complicated in code, but they can also be closed by some tricks in neutralizing their frames and their JavaScript functions! I will write about some tricks after finishing this part.
For instance I tested this code:

<script language=”JavaScript”>
var settelingTime = 100;
var check4closing = 4;
function testjavascript()
{

window.setTimeout(“testjavascript()”, settelingTime);
if(top.d.getElementById(“FR”) && check4closing!=0){
if(check4closing==1)
alert(‘Bye yahoo advertisement! my new homepage is: soroush.secproject.com\nI will write there after that.’);
eval(‘top.d.getElementById(“FR”).setAttribute(“cols”,”*,0,0″);’);
check4closing–;
settelingTime = 1000;
}
}
</script>

at GeoCities.com and it works successfully: see [http://geocities.com/irsdl/blog/](6 Jan. 2009).

Now these are some techniques which I use them in neutralizing the JavaScript’s codes:
1. Make a function with the same name of advertisement’s function to change its behavior and overwrite it!
2. Change value of JavaScript’s global variables if they are important for advs.
2. Using some Ajax methods to find and replace some html tags by my new parameters.
3. Using some recursive loops too neutralize the advs. function during the time.
4. Using some XSS methods to do some magic such as: true=false!

I think you can find your methods to close the advs. too ;)

BTW, do not forget my copyright rules. Thank you very much :)

So, if I execute Index.asp, I will execute all 3 other files which I mentioned too.

Question: What will happen if I point to the Main.asp or Header.asp directly without using the Index.asp?
Answer: If Main.asp or Header.asp does not include Check.asp, attacker can see the admin page without having the administrator credential!
Result: I see a lot of web application which had this problem!

Now assume that Check.asp is something like this:
———– Begin Check.asp ———–
some lines of codes blah blah blah
<%
‘ Get an input from the user
1 Input_CurrentFolder = Request(“currentFolder”)

2 ‘ in order to get the root directory we must set an admin session
3 session(“admin”)=true

4 directory = GetDirectory(Input_CurrentFolder)

‘Terminate admin session for the security!
5 session(“admin”)=false

%>
some lines of codes blah blah blah
———– End Check.asp ———–

I want to speak about the session. What do you think about these codes? Is there any security problem?

Question1: How can a user keep session(“admin”)=true for him/herself?
Answer1: In order to do that, user needs to stop execution on line 4!
Question2: Now, how can a user stop execution on line 4?
Answer2: User must stop running the program on line 4. So, he/she must create an error on that line! So, actually it depends on some factors. And, I want to show you 2 of them which the first one is related to subject of this article.

1- First situation: Check.asp does not contain “GetDirectory” function and this function is in Header.asp. Now if attacker point directly to the Check.asp, he/she can get the admin session! Because the program will be crashed on line 4!
2- Another situation: the “GetDirectory” function must not work with each “Input_CurrentFolder”. In other words, “GetDirectory” function must crash because of some value of “Input_CurrentFolder”.
Note: we must not have something like “On error resume next” which force the program to continue.
Result: I think this vulnerability is not a strange one; However, it is not very common. I had seen this vulnerability in some programs such as the old version of “hosting controller”!
———– End Example1 ———–
———– Begin Example2 ———–
Example2. (PHP, ?)
This is not new example but it is related to this subject.
Assume that we have:
1. SessionControl.php ->(Secured) which control the user’s session
2. EditContent.php -> by using this file, administrator can edit the website’s pages
3. AdminContent.php -> (Secured) which includes SessionControl.php and EditContent.php.

And assume that EditContent.php is something like this:
———– Begin EditContent.php ———–
<?
if (!isset($_SESSION['Level'])) exit();
if ($_SESSION['Level']==’admin’)
{
some lines of codes only for admin blah blah blah
}
?>
———– End EditContent.php ———–

You can easily see that EditContent.php is insecure because there is not any session_start() in it and everyone can set $_SESSION['Level']. Just like this: http://[something]/EditContent.php?_SESSION[Level]=admin
Note: php global variables must be on.
———– End Example2 ———–

So, you saw that the catastrophic vulnerability can easily create by the bad usage of “include” techniques.

ravand.com

florists.com

itiran.com

careers.yahoo.com

:)

for .PPT (Powerpoint) file click here.

for .PPTx (Powerpoint 2007) file click here.

External Link: To see this PDF file click here.

I do not have my handnotes now ;)

I will put them here as soon as I find them.

<Files ~ “(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi|\.spc|\.jsp|\.cfm|\.passwd)$”>
order deny,allow
deny from all
</Files>

But I think, this code is not secure at all. I bypass it by uploading a file with this name: “testpage.PhP”. (I tested it on my web hosting)

The problem is:

This code has a case sensitive regular expression.

Note: <FilesMatch> is similar to <Files> with this problem

One solution: use this code instead of that code:

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Useful links:

http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html

http://blog.differentpixel.com/archives/198-Lots-of-.htaccess-tips,-tricks-and-hacks.html

http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Cheers