Comments for Computer Security Is My Interest! http://soroush.secproject.com/blog Soroush Dalili's Weblog Sun, 03 Jan 2010 16:37:53 +0000 http://wordpress.org/?v=2.9.2 hourly 1 Comment on Microsoft IIS Semi-Colon Vulnerability by Soroush Dalili http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4043 Soroush Dalili Sun, 03 Jan 2010 16:37:53 +0000 http://soroush.secproject.com/blog/?p=185#comment-4043 Please read: http://soroush.secproject.com/blog/2010/01/microsoft-contradiction/ Please read: http://soroush.secproject.com/blog/2010/01/microsoft-contradiction/

]]> Comment on Microsoft IIS Semi-Colon Vulnerability by Soroush Dalili http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4042 Soroush Dalili Sun, 03 Jan 2010 15:49:16 +0000 http://soroush.secproject.com/blog/?p=185#comment-4042 Dear Hamid, Thanks for your comment. Please contact me via my ymsgri ID (irsdl). I do not want to discuss it here more than this (because of some personal reasons). Dear Hamid,
Thanks for your comment. Please contact me via my ymsgri ID (irsdl). I do not want to discuss it here more than this (because of some personal reasons).

]]> Comment on Microsoft IIS Semi-Colon Vulnerability by Ottmar Freudenberger http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4037 Ottmar Freudenberger Wed, 30 Dec 2009 06:56:41 +0000 http://soroush.secproject.com/blog/?p=185#comment-4037 Well, you've noticed MS final(?) statement on the issue already, did you? <a href="http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx" rel="nofollow">MSRC Blog entry</a>: <cite>We've completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.[...] for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack</cite> And <a href="http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx" rel="nofollow">IIS Blog entry</a>: <cite>The issue in question affects only IIS 6 (Windows Server 2003) and arises when you send a URL with a semi-colon in it. IIS 6 uses the path before the semi-colon to determine the script handler for it.[...] In summary, there is a functionality issue here, but there is no security issue unless you already had a poorly configured server to begin with.</cite> Well, you’ve noticed MS final(?) statement on the issue already, did you?
MSRC Blog entry:
We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.[...]
for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack
And IIS Blog entry:
The issue in question affects only IIS 6 (Windows Server 2003) and arises when you send a URL with a semi-colon in it. IIS 6 uses the path before the semi-colon to determine the script handler for it.[...]
In summary, there is a functionality issue here, but there is no security issue unless you already had a poorly configured server to begin with.

]]> Comment on Microsoft IIS Semi-Colon Vulnerability by Hamid.k http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4032 Hamid.k Mon, 28 Dec 2009 08:33:43 +0000 http://soroush.secproject.com/blog/?p=185#comment-4032 Hi Soroush. Nice finding! I've checked out your advisory and also comments you've wrote following it but there are still some shady points remaining unclear to me. The nature of the vulnerability itself is clear and obvious, but.: It`s main dependency is lack of MIME/type validation of affected (wep)application. While it`s spreading the wrong way by many people that simply bypassing the file extension will do the job, the case in real-world is that many web-applications out there also validate the content too (by either checking size,header,etc...) . The other point as PhilG mentioned is that, having script execution access is the second dependency, on vulnerable target which is _usually_ considered when deploying application. And the question: You've mentioned in advisory that you've tested some applications and 70% of them (uploaders?) seems to be vulnerable to this specific type of attack (mix of IIS bug+flawed extension checking by web-app+flawed type validation) when hosted by IIS. If possible, I`d like to hear more accurate test results from you about your tests on the case: 1-Was it just testing uploaders, or entire web-applications being tested, which represented that result? 2-Is your estimation an educated guess based on OWASP yearly reports or it has been a personal test? 3-If it was a personal research, it would be great to know about number of tested cases. These would help me have more clear idea about true impact of this case in real-world , not just relaying on blind estimations or hypes. Hi Soroush.
Nice finding! I’ve checked out your advisory and also comments you’ve wrote following it but there are still some shady points remaining unclear to me.
The nature of the vulnerability itself is clear and obvious, but.:
It`s main dependency is lack of MIME/type validation of affected (wep)application. While it`s spreading the wrong way by many people that simply bypassing the file extension will do the job, the case in real-world is that many web-applications out there also validate the content too (by either checking size,header,etc…) .
The other point as PhilG mentioned is that, having script execution access is the second dependency, on vulnerable target which is _usually_ considered when deploying application.

And the question: You’ve mentioned in advisory that you’ve tested some applications and 70% of them (uploaders?) seems to be vulnerable to this specific type of attack (mix of IIS bug+flawed extension checking by web-app+flawed type validation) when hosted by IIS.

If possible, I`d like to hear more accurate test results from you about your tests on the case:
1-Was it just testing uploaders, or entire web-applications being tested, which represented that result?
2-Is your estimation an educated guess based on OWASP yearly reports or it has been a personal test?
3-If it was a personal research, it would be great to know about number of tested cases.

These would help me have more clear idea about true impact of this case in real-world , not just relaying on blind estimations or hypes.

]]> Comment on Microsoft IIS Semi-Colon Vulnerability by Soroush Dalili http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4031 Soroush Dalili Mon, 28 Dec 2009 01:40:47 +0000 http://soroush.secproject.com/blog/?p=185#comment-4031 Hello, Thanks for your comment. I think you did not understand the purpose of this vulnerability. Although this vulnerability is because of IIS, its effect is on the web applications. As I had written in the PDF file: "Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.". It is obvious that there are many files which should be accessible by using the web URL directly, such as the images, flash files, java applets, and so on. The cost of putting these files out of the web folder directory and using a script to download them indirectly is not reasonable in most cases (Except for non-free materials). If you do a real penetration testing against some websites, you will realize the value of this vulnerability. You can find many of these web applications which are exploitable by using this vulnerability. For example, I want to refer to the DNN (Dot Net Nuke) application vulnerability in which an attacker could upload an image, a flash, or a document file on the system; and, by mixing with this vulnerability, an attacker could get a web-shell from the system. As another example, in some cases although you can gain access to the admin panel of the website, you can only upload some images. Now, perhaps you can bypass it and upload a web-shell to read all the source codes, download some important data, and so on. Those uploaders which checked the file’s header and source code of the file are already bypassed. And, by using this vulnerability, those checked the files’ extensions are also bypassed. You can read the “Fast Solution/Recommendation” section in the PDF file as the possible solutions for this vulnerability. Those who performed these solutions are secured not only against this weakness, but also against the entire file uploading vulnerabilities. Hello, Thanks for your comment. I think you did not understand the purpose of this vulnerability. Although this vulnerability is because of IIS, its effect is on the web applications. As I had written in the PDF file: “Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.”. It is obvious that there are many files which should be accessible by using the web URL directly, such as the images, flash files, java applets, and so on. The cost of putting these files out of the web folder directory and using a script to download them indirectly is not reasonable in most cases (Except for non-free materials).
If you do a real penetration testing against some websites, you will realize the value of this vulnerability. You can find many of these web applications which are exploitable by using this vulnerability. For example, I want to refer to the DNN (Dot Net Nuke) application vulnerability in which an attacker could upload an image, a flash, or a document file on the system; and, by mixing with this vulnerability, an attacker could get a web-shell from the system. As another example, in some cases although you can gain access to the admin panel of the website, you can only upload some images. Now, perhaps you can bypass it and upload a web-shell to read all the source codes, download some important data, and so on.
Those uploaders which checked the file’s header and source code of the file are already bypassed. And, by using this vulnerability, those checked the files’ extensions are also bypassed.
You can read the “Fast Solution/Recommendation” section in the PDF file as the possible solutions for this vulnerability. Those who performed these solutions are secured not only against this weakness, but also against the entire file uploading vulnerabilities.

]]> Comment on Microsoft IIS Semi-Colon Vulnerability by PhilG http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4029 PhilG Sun, 27 Dec 2009 22:07:23 +0000 http://soroush.secproject.com/blog/?p=185#comment-4029 Hi Soroush, This error you reported on is a non-issue. Even with the basic default configuration in place, this does not produce an executable attack. It would require a very specific set of configuration errors (where most of the defaults were changed) to create an executable attack such as, Enabling execute on the upload folder, Putting the uploaded files in the web tree itself, The web application not performing any file type validation, Disabling built in input validation, The application not performing any input validation itself. While it is possible to create a scenario that would be exploitable, it would take a conscious effort to do so. Admittedly, if this was a web site running on IIS 5, built in the late 1990's you would be likely to find just such conditions, but any modern web site would be unlikely to be vulnerable to this unless the creator of the site did some very bad things intentionally. (albeit unknowingly) If you tried this on one of your sites and it worked, you might want to re-visit basic security practices and fix up your code. Thanks for sharing your findings. Hi Soroush,
This error you reported on is a non-issue. Even with the basic default configuration in place, this does not produce an executable attack. It would require a very specific set of configuration errors (where most of the defaults were changed) to create an executable attack such as,
Enabling execute on the upload folder,
Putting the uploaded files in the web tree itself,
The web application not performing any file type validation,
Disabling built in input validation,
The application not performing any input validation itself.

While it is possible to create a scenario that would be exploitable, it would take a conscious effort to do so. Admittedly, if this was a web site running on IIS 5, built in the late 1990’s you would be likely to find just such conditions, but any modern web site would be unlikely to be vulnerable to this unless the creator of the site did some very bad things intentionally. (albeit unknowingly)

If you tried this on one of your sites and it worked, you might want to re-visit basic security practices and fix up your code.

Thanks for sharing your findings.

]]> Comment on Microsoft IIS Semi-Colon Vulnerability by Denis http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4028 Denis Sun, 27 Dec 2009 20:42:04 +0000 http://soroush.secproject.com/blog/?p=185#comment-4028 Thank you for the answer and good work ! Thank you for the answer and good work !

]]> Comment on Microsoft IIS Semi-Colon Vulnerability by Soroush Dalili http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4027 Soroush Dalili Sun, 27 Dec 2009 20:02:07 +0000 http://soroush.secproject.com/blog/?p=185#comment-4027 Thanks for the question. Unfortunately, I was too busy at that time. And, I wanted to publish it after getting my MSc. degree ;) Thanks for the question.
Unfortunately, I was too busy at that time. And, I wanted to publish it after getting my MSc. degree ;)

]]> Comment on Google captured my privacy! by Soroush Dalili http://soroush.secproject.com/blog/2009/12/google-captured-my-privacy/comment-page-1/#comment-4026 Soroush Dalili Sun, 27 Dec 2009 19:46:35 +0000 http://soroush.secproject.com/blog/?p=183#comment-4026 You are right. But, according to "http://www.mozilla.com/en-US/firefox/phishing-protection/": "Before blocking the site, Firefox will request a double-check to ensure that the reported site has not been removed from the list since your last update. In both cases, existing cookies you have from google.com, our list provider, may also be sent." Google has this chance to write down the name of the website which has been blocked such as "milw0rm.com" and we want to visit it. And, perhaps an especial website can be inserted in this list intently, and then it can be discarded during the second check. So, no one can realize it... You are right. But, according to “http://www.mozilla.com/en-US/firefox/phishing-protection/”:
“Before blocking the site, Firefox will request a double-check to ensure that the reported site has not been removed from the list since your last update. In both cases, existing cookies you have from google.com, our list provider, may also be sent.”
Google has this chance to write down the name of the website which has been blocked such as “milw0rm.com” and we want to visit it. And, perhaps an especial website can be inserted in this list intently, and then it can be discarded during the second check. So, no one can realize it…

]]> Comment on Microsoft IIS Semi-Colon Vulnerability by Denis http://soroush.secproject.com/blog/2009/12/microsoft-iis-semi-colon-vulnerability/comment-page-1/#comment-4025 Denis Sun, 27 Dec 2009 15:46:01 +0000 http://soroush.secproject.com/blog/?p=185#comment-4025 Hello, I read in your document : "Finding Date: April 2008 Report Date: Dec. 2009" Why wait so long before reporting ? Hello,

I read in your document :
“Finding Date: April 2008
Report Date: Dec. 2009″

Why wait so long before reporting ?

]]> Comment on Google captured my privacy! by xanda http://soroush.secproject.com/blog/2009/12/google-captured-my-privacy/comment-page-1/#comment-4024 xanda Sun, 27 Dec 2009 11:16:19 +0000 http://soroush.secproject.com/blog/?p=183#comment-4024 “Browsers use Google to detect web forgery -> So, a browser send a request to Google before openning a website for you! … <= Hi, from my understanding, firefox will download the hash from Google Safe Browsing API and stored locally, URL will be compared locally instead of send the request to Google ;) more info: http://code.google.com/apis/safebrowsing/developers_guide.html “Browsers use Google to detect web forgery -> So, a browser send a request to Google before openning a website for you! … <= Hi, from my understanding, firefox will download the hash from Google Safe Browsing API and stored locally, URL will be compared locally instead of send the request to Google ;)

more info: http://code.google.com/apis/safebrowsing/developers_guide.html

]]> Comment on How to prevent phishing attacks? ‐ In 3 Pages ‐ by Soroush Dalili http://soroush.secproject.com/blog/2009/11/how-to-prevent-phishing-attacks-%e2%80%90-in-3-pages-%e2%80%90/comment-page-1/#comment-3969 Soroush Dalili Sun, 29 Nov 2009 22:11:43 +0000 http://soroush.secproject.com/blog/?p=166#comment-3969 The body I mean buddy ;) The body I mean buddy ;)

]]> Comment on How to stop hardware key-loggers by Shaghayegh http://soroush.secproject.com/blog/2009/11/how-to-stop-hardware-key-loggers/comment-page-1/#comment-3968 Shaghayegh Sun, 29 Nov 2009 20:59:39 +0000 http://soroush.secproject.com/blog/?p=171#comment-3968 Wow! Wow!

]]> Comment on How to prevent phishing attacks? ‐ In 3 Pages ‐ by Shaghayegh http://soroush.secproject.com/blog/2009/11/how-to-prevent-phishing-attacks-%e2%80%90-in-3-pages-%e2%80%90/comment-page-1/#comment-3967 Shaghayegh Sun, 29 Nov 2009 20:52:57 +0000 http://soroush.secproject.com/blog/?p=166#comment-3967 It's 7 pages! :D :P It’s 7 pages! :D :P

]]> Comment on SQL Injection Tutorial Video by irsdl http://soroush.secproject.com/blog/2009/01/sql-injection-tutorial-video/comment-page-1/#comment-3962 irsdl Mon, 09 Nov 2009 22:50:59 +0000 http://soroush.secproject.com/blog/?p=143#comment-3962 I'm sorry for long delay. You should open it with a browser and click on the download link. I’m sorry for long delay. You should open it with a browser and click on the download link.

]]> Comment on SQL Injection Tutorial Video by Fred http://soroush.secproject.com/blog/2009/01/sql-injection-tutorial-video/comment-page-1/#comment-3954 Fred Tue, 20 Oct 2009 02:40:58 +0000 http://soroush.secproject.com/blog/?p=143#comment-3954 upon extracting Part2.2, I get the error message "Data error ... File is broken". upon extracting Part2.2, I get the error message “Data error … File is broken”.

]]> Comment on Vote in Toluna.com with a Script Automatically! by Ysinotelodigo http://soroush.secproject.com/blog/2009/01/vote-in-tolunacom-with-a-script-automatically/comment-page-1/#comment-3931 Ysinotelodigo Sat, 22 Aug 2009 23:21:40 +0000 http://soroush.secproject.com/blog/?p=112#comment-3931 Hey! The link is breaked. Are you earn discount with this system? Sorry to write bad. I'm Spanish. Good-Bye Hey!

The link is breaked. Are you earn discount with this system?

Sorry to write bad. I’m Spanish.
Good-Bye

]]> Comment on Critical vulnerabilities in the website of my department! … were solved! by Pouya http://soroush.secproject.com/blog/2009/02/critical-vulnerabilities-in-the-website-of-my-department-were-solved/comment-page-1/#comment-3930 Pouya Wed, 12 Aug 2009 02:56:33 +0000 http://soroush.secproject.com/blog/?p=155#comment-3930 ! :D belakhare in az iran baz ! :D ! :D
belakhare in az iran baz ! :D

]]> Comment on March 2009 Updated: FaceBook Automatic Friends Adder from the Apllications’ Walls by Meta http://soroush.secproject.com/blog/2009/01/facebook-automatic-friends-adder-from-the-apllications-walls/comment-page-1/#comment-3894 Meta Tue, 21 Apr 2009 08:08:28 +0000 http://soroush.secproject.com/blog/?p=134#comment-3894 Thanks for this nice script Could you make oen for adding friends of friends too or members of a grupe . woud be too great ;-) One question woud be what are the FB limits of adding not too much Friends at one time .Get a abused account Thanks for sharing this Thanks for this nice script
Could you make oen for adding friends of friends too or members of a grupe .
woud be too great ;-)
One question woud be what are the FB limits of adding not too much Friends at one time .Get a abused account
Thanks for sharing this

]]> Comment on March 2009 Updated: FaceBook Automatic Friends Adder from the Apllications’ Walls by john http://soroush.secproject.com/blog/2009/01/facebook-automatic-friends-adder-from-the-apllications-walls/comment-page-1/#comment-3888 john Sat, 18 Apr 2009 14:34:47 +0000 http://soroush.secproject.com/blog/?p=134#comment-3888 nice code thanks. i have a question, i'm trying to say "add me" or something on the wall but imacros won't let me send the text.. here's what i record modified with a wildcard(*): TAB T=1 URL GOTO=http://apps.facebook.com/guerra-de-pandillas/discussion.php TAG POS=1 TYPE=TEXTAREA FORM=ACTION:http://www.facebook.com/wallpost.php ATTR=ID:wall_text_* CONTENT=ADDME imacros fills the textarea but it won't press the send button.. what am i doing wrong? thanks in advance nice code thanks.

i have a question, i’m trying to say “add me” or something on the wall but imacros won’t let me send the text.. here’s what i record modified with a wildcard(*):

TAB T=1
URL GOTO=http://apps.facebook.com/guerra-de-pandillas/discussion.php
TAG POS=1 TYPE=TEXTAREA FORM=ACTION:http://www.facebook.com/wallpost.php ATTR=ID:wall_text_* CONTENT=ADDME

imacros fills the textarea but it won’t press the send button.. what am i doing wrong?
thanks in advance

]]>