spl0it.org

Moving my blog to http://blog.spl0it.org

I have decided to switch from simplephpblog to blogger. The blog will continue to be focused on Security, Perl, Open Source tools and a combination of all of the above. I will include information about presentations and papers, I'm working on. I hope you find it useful!

The new blog can be found at: http://blog.spl0it.org
Atom RSS: http://blog.spl0it.org/feeds/posts/default

Regards,
Jabra

Cowpatty 4.5 in Backtrack4

Josh Wright updated coWPAtty to version 4.5. This version includes some awesome new improvements:

* Fewer restrictions on collecting the data needed to mount an attack. The default behavior requires all 4 frames of the 4-way handshake to mount an attack. If you specify "-2" on the command-line, coWPAtty will only require frames 1 and 2 of the 4-way handshake to mount an attack.

* Validate that the needed information is present to mount an attack, without launching the attack (the "-c" option). This was requested by Pure Hate for an awesome project he gave me a preview on. I'm hoping details of this project will be public soon."
( More details can be found at http://www.willhackforsushi.com/?p=284 http://www.willhackforsushi.com/?p=284 )

The more interesting of these improvements, is removing the requirement for 4 frames. This means that you can crack the passphrases more easily, because you only need 2 frames to do it. coWPAtty FTW!

Josh, keep up the good work.

coWPAtty 4.5 has been added to BackTrack 4. Enjoy!

Regards,
Jabra

BackTrack 4 Pre-Final

If you want to get your hands on a copy of BackTrack 4 Pre-final just donate to Hackers for Charity and you can get a copy.

Here is some more information:

http://www.offensive-security.com/blog/ ... neak-peek/

Regards,
Jabra

BASE - 3 More Persistent Cross-Site Scripting Vulnerabilities

Recently, the BASE team released version 1.4.3 nicknamed "gabi". During a long night working on Backtrack 4, I started playing around with BASE 1.4.3. Within minutes I found 3 Persistent Cross-Site Scripting(XSS) vulnerabilities. For those who don't know, Cross-Site Scripting allows the attacker to inject Javascript to modify the functionality of the webpages. Since this vulnerability exists in BASE, this allows an attacker to drop alerts(all of them or specific alerts), modify user information including passwords, modify the configuration of BASE and many other tasks. The only limitation is the attacker's creativity.

The vulnerabilities exist in pages that use information from 3 different components of BASE including: alert groups, roles and user information.

For creating a user, the name field was found to be vulnerable. For the name field, I just injected Javascript and it was rendered!

For creating an alert group, we just need to include a closure for the html by using "> and add our Javascript afterwards. This causes the page that loads the name, to close the html and execute our Javascript! This is due to html encoding being used on the page.

For creating a role, both the name and the description field were vulnerable. The name field was limited to a specific number of characters. To verify I just injected XSS and verified it rendered properly. The description field was just straight Javascript.

As always here are the screenshots, since people like pretty pictures!!!

To all the BASE developers, I must say: "MOVE ZIG!!"

Regards,
Jabra

BASE - Persistent and Reflective XSS

** Update 05/31 **

Here are more details:

http://spl0it.org/files/BASE-XSS/Persistent-notes.txt
http://spl0it.org/files/BASE-XSS/Persis ... -notes.txt
http://spl0it.org/files/BASE-CSRF/notes.txt
http://spl0it.org/files/BASE-XSS/Reflective-notes.txt

Basic Analysis and Security Engine (BASE) is a well known PHP frontend to the Snort Intrusion Detection System. The latest version is 1.4.2. This version contains both Persistent and Reflective Cross-Site Scripting.

Examples:
http://spl0it.org/files/BASE-XSS/BASE-XSS-AddGroup.png
http://spl0it.org/files/BASE-XSS/BASE-X ... onfirm.png
http://spl0it.org/files/BASE-XSS/BASE-XSS-Search.png
http://spl0it.org/files/BASE-XSS/BASE-X ... onfirm.png

The issue is due to a lack of validation on the user input and likely affects other versions as well.

"All your BASE are belong to us."

It's funny, that this is actually true.

Regards,
Jabra

Backtrack4 + Snort

Collaboration with Gobby!

Peer-programming is one way that good software is developed. To do peer-programming, requires at least two people to focus on a problem and build the solution together. This can be done with a single computer and two chairs or vim + screen. Recently, I found a new program that provides the functionality of collaboration without the setup time of multi-user screen sessions. The program is called gobby. Gobby has both a server and client. This is ideal, since the information is kept on systems the users trust. Passwords can be required to access specific document and connections are made using TLS.

Here is an example:

The above screenshot shows a small Perl script with the syntax highlighting. Also, gobby allows each user to choose a background color that makes identifying the author of each line easy. Gobby even lets the user replace tabs with spaces. It even has the ability for users to chat with everyone working on the document. I think the best feature of gobby, is that multiple users can even edit the document at the same time!!!

On Ubuntu, gobby can be installed by using the following command:

sudo apt-get install gobby

Try out gobby and let me know what you think.

Regards,
Jabra

Blackhat 2008 and DojoSec Videos online

I just noticed the Blackhat 2008 and DojoSec videos are online.

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-archive.html

http://www.dojosec.com/?page_id=14

Regards,
Jabra

Cisco starts Patch Wednesday

"Starting on March 26, 2008, Cisco will release bundles of IOS Security Advisories on the fourth Wednesday of the month in March and September of each calendar year."

http://www.cisco.com/en/US/products/pro ... sting.html

Happy patching!

Regards,
Jabra

InfoSec World 2009 - Total Browser Pwnag3 Slides

I recorded the voiceovers for all of the demos today. I will post them sometime soon.

Regards,
Jabra