Full Disclosure – How not to write a Forms Authentication Process

The Test Manager

Ligatt Authentication Fail

This post will be a disclosure on how not to design and implement a login process.

Ligatt Security and Gregory Evans, the main man behind Ligatt, have come under quite a bit of flak recently for things like allegedly making threats to other researchers and also for alleged plagiarism.

While all of this internal security industry bickering is beyond me and this post, I would not trust a company to protect my data if they can't even protect their own.

With that said: Month Of Full Disclosure item 3 = Ligatt Security and how not to write an Authentication Process.

Text Version Here

Ligatt Security – Authentication Bypass
————————————-
Vulnerability ID: Month Of Full Disclosure 3 = MOFD3
————————————
Product: LocatePC
————————————-
Vendor: Ligatt Security Inc ( https://www.ligattsecurity.com)
————————————-
Vendor Tag Lines: Cyber Security is never an issue with LIGATT on your side
————————————-
Vendor Notification: 05 August 2010
Public Disclosure: 05 August 2010
————————————-
Vulnerability Type: Authentication Bypass
————————————-
Status: Public Disclosure – Not Fixed, Vendor Alerted,
Awaiting Vendor Response
————————————-
Risk level: High
————————————-
Credit: Martin Hall – TheTestManager
twitter = @thetestmanager
————————————-
Vulnerability Details:
If you visit the LocatePC page in a normal browser you will be redirected to the login page.
However, if you visit the same URL in a browser where Follow Redirects is turned off,
then you will not be redirected and you will be able to use the LocatePC functionality.
Instructions Follow for Opera.
Click on Tools
Click on Preferences
Click on Advanced
Click on Network
Untick “Enable automatic redirection”
Click on OK
Now follow this URL
Ligatt Authentication_ByPass

Show me where that PC is
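
The fall-through behind this bypass, as an added example that is not Ligatt's code: a handler that sets the redirect but keeps rendering, beside the corrected version and the check a tester can run against any protected URL (the marker and handler names are assumptions).

```python
# Added example, not Ligatt's code: the redirect-without-return pattern behind the
# reported bypass, the corrected handler, and a defender's check for the leak.

PROTECTED_MARKER = "<!-- locate-pc-data -->"  # constructed marker for the protected view


def render_locate_pc() -> str:
    """Constructed stand-in for the protected page body."""
    return PROTECTED_MARKER + "<h1>LocatePC</h1><p>Last known location: (sample)</p>"


def locate_pc_vulnerable(session: dict) -> tuple:
    """Sets the 302 status and Location header for anonymous users but keeps
    running, so the protected body is still written into the redirect response."""
    status, headers = 200, {}
    if not session.get("authenticated"):
        status = 302
        headers["Location"] = "/login"
        # The missing early return here is the defect: execution falls through.
    body = render_locate_pc()
    return status, headers, body


def locate_pc_fixed(session: dict) -> tuple:
    """Returns as soon as the redirect is issued; the protected view is never rendered."""
    if not session.get("authenticated"):
        return 302, {"Location": "/login"}, ""
    return 200, {}, render_locate_pc()


def body_seen_without_following_redirects(handler, session: dict) -> str:
    """What a client with automatic redirection disabled sees: it keeps the body
    of the 302 instead of moving on to the Location target."""
    _status, _headers, body = handler(session)
    return body


def redirect_leaks_content(response: tuple, marker: str = PROTECTED_MARKER) -> bool:
    """Defender's check: a 3xx response for a protected resource must carry no
    protected content. True means the redirect is only cosmetic."""
    status, _headers, body = response
    return 300 <= status < 400 and marker in body


if __name__ == "__main__":
    anonymous = {}
    print("vulnerable leaks:", redirect_leaks_content(locate_pc_vulnerable(anonymous)))  # True
    print("fixed leaks:", redirect_leaks_content(locate_pc_fixed(anonymous)))            # False
```

The same check applies to a real target: request the protected URL with redirects disabled and fail the test if the 3xx body contains anything beyond a stub.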

————————————-
Sample URLs
————————————-
Solution:
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: martin@hb-help.com
————————————-
Other Miscellany Information

Full Disclosure – Multiple XSS holes in 1-click Retweet/Share/Like WordPress Plugin

Posted by admin on Aug 4, 2010 in Full Disclosure, Month of Full Disclosure, Today's News, WebAppSec, XSS
The Test Manager

Month Of Full Disclosure

1-Click Retweet/Share/Like Lets users Retweet, Share and Like pages from your site back to their Twitter followers and Facebook friends with just one click. The user experience is similar to Facebook Like button but expanded to Twitter and Facebook Share.
The above WordPress plugin has multiple Cross Site Scripting (XSS) bugs due to the “fc”, “fs” and “fblname” parameters not correctly sanitising data input.

This was discovered in a routine security check on my own site, where up until yesterday I was, like hundreds of other WordPress sites, running the above plugin.

The plugin does not integrate wholly with the WordPress blog; instead it calls home via an IFrame, which is where the XSS hole exists.

Every site which has this plugin would therefore call the vulnerable URL; however, that URL, being loaded in an IFrame, exists on the vendor's site (http://www.linksalpha.com).

This mitigates the risk of the WordPress plugin against the site hosting it. However, due to the popularity of the plugin, it is still deemed to be a medium risk issue, plus the fact that there may be, and most likely are, other issues with the plugin which I have not taken the time to research.

See below for the disclosure.

Text Version Here

XSS vulnerability in Links Alpha WordPress Plugin
————————————-
Vulnerability ID: Month Of Full Disclosure = MOFD2
————————————
Product:    1-click Retweet/Share/Like
————————————-
Vendor:    Links Alpha ( http://wordpress.org/extend/plugins/1-click-retweetsharelike/stats/
or http://www.linksalpha.com/)
————————————-
Vulnerable Version:    2.0.1, which is the current version, and probably prior versions
————————————-
Vendor Notification:    03 August 2010
Public Disclosure:    03 August 2010
————————————-
Vulnerability Type:    XSS (Cross Site Scripting)
————————————-
Status:    Public Disclosure – Not Fixed, Vendor Alerted,
Awaiting Vendor Response
————————————-
Risk level:    Medium
————————————-
Credit:    Martin Hall – TheTestManager
Site = http://www.thetestmanager.com
twitter = @thetestmanager
Vulnerability Details:
There exist multiple XSS errors in the 1-click Retweet/Share/Like WordPress Plugin.
————————————-
Potential Users Affected = minimum = ??? users
It’s a WordPress plugin which is installed on sites 300-400 times a week on average
————————————-
Dork to find Vulnerable Sites (2)
inurl:http://www.linksalpha.com/social?link=
or
src=”http://www.linksalpha.com/social?link=
Because it loads on sites in an IFrame the dork is not straightforward.
————————————-
Sample URL
http://www.linksalpha.com/social?link=http%3A%2F%2Fsimplestrength.com%2F2010%2F06%2Fwarriors-come-out-to-play%2F&fc=28a2ttm–%22%3E%3Cscript%3Ealert%28%22TheTestManager.com-%20Month%20of%20Full%20disclosure%22%29%3C/script%3E&fs=arial&fblname=like
————————————-
Solution:
Currently I’m not aware of any vendor-supplied patches or other solutions.
If you are aware of more recent information related to this issue please notify me at: martin@hb-help.com

Users are recommended to use NoScript or other XSS-mitigating software.
Admins are advised to keep an eye out for an update to the plugin.
(Although, as the issue affects code on the LinksAlpha site, they should be able to fix the issue without a WordPress plugin update.)
————————————-
Other Miscellany Information
N/A
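
As an added example, not the plugin's or LinksAlpha's code: the fc/fs/fblname parameters interpolated raw into the widget markup (the pattern behind this bug) beside a hardened renderer that allow-lists the fixed-shape values and escapes the free-text ones; the probe string, link and font list are constructed.

```python
import html
import re

# Added example (reconstruction of the reported pattern, not the plugin's code):
# a widget renderer that drops fc/fs/fblname straight into markup, a hardened
# renderer, and the check a routine scan uses. Probe and link are constructed.
XSS_PROBE = '28a2ttm--"><script>alert("probe")</script>'
LINK = "http://example.com/post/"  # constructed

ALLOWED_FONTS = {"arial", "verdana", "georgia", "tahoma", "helvetica"}  # assumed allow-list
HEX_COLOUR = re.compile(r"[0-9a-fA-F]{6}")


def render_widget_vulnerable(link: str, fc: str, fs: str, fblname: str) -> str:
    """Raw interpolation: a quote in any parameter closes the attribute and the
    rest of the value becomes live markup, which is how the reported XSS works."""
    return (f'<div class="social" style="font-family:{fs};color:#{fc}">'
            f'<a href="{link}">{fblname}</a></div>')


def render_widget_hardened(link: str, fc: str, fs: str, fblname: str) -> str:
    """Allow-list values with a fixed shape (colour, font), escape the free-text
    ones, and refuse links that are not plain http(s) URLs."""
    colour = fc if HEX_COLOUR.fullmatch(fc) else "000000"
    font = fs.lower() if fs.lower() in ALLOWED_FONTS else "arial"
    href = link if link.startswith(("http://", "https://")) else "#"
    return (f'<div class="social" style="font-family:{font};color:#{colour}">'
            f'<a href="{html.escape(href, quote=True)}">'
            f'{html.escape(fblname, quote=True)}</a></div>')


def reflects_unescaped(page: str, probe: str = XSS_PROBE) -> bool:
    """Does the probe come back as live markup rather than escaped text?"""
    return "<script>" in page and probe in page


if __name__ == "__main__":
    print(reflects_unescaped(render_widget_vulnerable(LINK, XSS_PROBE, "arial", "like")))  # True
    print(reflects_unescaped(render_widget_hardened(LINK, XSS_PROBE, "arial", "like")))    # False
```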

And So it Begins. – August = Month of Full Disclosure

Posted by admin on Aug 2, 2010 in Month of Full Disclosure, Today's News, WebAppSec, XSS
All Your Base

Month of Full Disclosure

As the main title of this post states, August 2010 will be a full disclosure month.

Normally within a month I may talk to around 20 or so organisations advising them of general bugs and security issues within their products or websites. The number varies as I do this as a hobby and not a full time job.

My main job is as a Systems Test Manager.

So I decided to see what happens if I take a month out from doing things the normal way, which is disclosing all issues to the site or software house first and only advising the users once fixes are in place. So for August only I’ll be advising the public at the same time as advising the site or software house involved.

All issues discovered before the month of August, and any that are currently being discussed with sites or software houses, are not included and will remain closed for public consumption until the issue is fixed, and even then only if the company involved gives permission.

I doubt if any humdingers will come out, but you never know.

If any issues are found which could put a very high number of users’ data at risk then I will revert to responsible disclosure and give the vendor time to fix the issue.

:-)

Martin Hall

cybersecuritychallenge cipher – A How To

Posted by admin on Jul 27, 2010 in Today's News
Cyber Challenge


This is the total walkthrough, and it wasn’t easy.

(1) First go to the main challenge page and then grab the cipher:

https://cybersecuritychallenge.org.uk/docs/cybersecuritychallenge.txt

Now, from looking at the text, you can see the obvious thing: it looks like a base64 encode. This can be seen in the fact that base64 output will end in an equals sign if the total bits of data cannot be equally converted from 34 bits to 32 bits.

So we grab the text and run it through a base64 converter.

http://www.opinionatedgeek.com/dotnet/tools/base64decode/

This then gives us a raw .bin file.

I recommend using a hex file viewer; however, I used the EditPlus text editor as it was closer to hand.

I saw what looked like a file header:

it had EXIF (which I know usually means camera files),

and more importantly I also saw JFIF, which is the JPEG File Interchange Format.

From here I guessed that I would firstly grab ExifTool to decode any potential EXIF data, as I thought it would have a message hidden in the camera name or something similar.

There was no interesting info, so I just changed the file extension to JPG and thought I would check what I had, and then I saw the XKCD comic.

Personally my fave one is

Exploits of a Mum

however yours is

DecodedBase64.jpg

Total Time Start to Finish = 12 minutes.

**EDIT**

I was informed this morning that I was not quite there. I got a tweet from @Cyberchallenge stating that if I sent my email about the cipher to a certain email address then I had got it wrong.

So I thought: back to the drawing board, and let’s look again at the image. Firstly, looking in a hex editor, I saw what I thought was a phone number: 01444.’9=82<.342 = 01444-982-342. Well, it would seem that I was on the wrong track as that number is not in service.

So I then loaded up another EXIF viewer and again nothing.

I then looked at the original image on the XKCD site and I noticed that it was a PNG and not a JPG; if it was just a case of getting the normal image then why change its extension, and also why all the extra white space?

I then carried out a quick check on TinEye (which is a great tool); however, this also gave nothing, except it did let me compare other images out there against the one I had earlier decoded, and my image was the only one with the Morse code around the edge.

I then looked a little closer and thought it was binary, also like the pits used when burning the lead-in section of a protected DVD / CD.

I then read up on hiding binary in images. Suggested reads are:

http://terpconnect.umd.edu/~minwu/public_paper/Jnl/0408binwmk_IEEEfinal_TMM.pdf

http://figment.cse.usf.edu/~sfefilat/data/papers/TuBCT9.10.pdf

http://www.springerlink.com/content/k28787j31153565m/

I then loaded up Paint.Net and began to play.

Firstly, looking at the histograms: if you move them around you’ll see that the border is a different layer than the rest of the image.

This then confirmed to me it was binary and all I had to do was to try and count the pixels to see where a binary code started and ended.

Paint.Net has a Pixel grid so I loaded this up and began to count.

White Pixels = Zero and Black Pixels = One

010000110111100101110010011011100110011001110010001000000111001101100010011110010111100101100010 and so on and so on

I then grabbed the text and loaded that into a binary-to-string converter, and this gave me garbled text: “Cyrnfr sbyyb” in the example above.

I then used Google to check the text and I found only one result, from 2007 on a site called PerlMonks.

This thread has someone attempting to decode a piece of text, and it has one of our words: Cyrnfr.

It was suggested ROT13, so again I read up on ROT13; it’s a simple encryption where the letters are rotated 13 characters. So this gave me “Please follo” (looks like “please follow”).

I now knew that I was right about the binary, and all I had to do was count the whole image and then rotate each of the letters 13 places.

This then gave me

Please follow this link: https://cybersecuritychallenge.org.uk/834jtp.html

Game Over -  ** at least that’s what I thought **

I visited the URL and got a new code!! This one, although easier, actually took longer as it was custom code and I didn’t bother to code a parser (which I now wish I had done), so I had to decode it all by hand.

68edcdec4e2c8eae8d2c8e2dedcd6e04d2042fedae52ceac04ccedaecd8c042ccd8c046
cedad0e8dac8eac8c048e0dac044aa82889046c0d2c8d8daccdecacc5042bedae4e04e
e2dcd046ced8cac042d6e04046c2f4c664ea76e666cae4e268e2f456c0d088d8d66cde
cac6546c6a506e6a546062606c504a141a1410a8dac2c6eac04acad2c2d8d048e0d2d
6e046ced8cac048eed04edae4e048eac2cad042c8e04adac8c2d2c086c2f4cac4e6eac
6cae4e2d8e2f6c0d2c8d8daccdecacc5ed4eecc5ae6dc50429cc042fedae524eac048e
0dac04cc2d4e6e8e040eac4e6eedcd048eed048ced046eed85042ccd8c046c2ccd0
40e4eedceac042fedae04adacac8e048e0dac04ac8d2dec2d4c2d8d2d8e2f046c4e2d
8eac4e2d2c0405484e2d8e2d6e0d046c2d8e2d4faccd046cae4e4eaccd8e8d2f044ea
c6e2d8caccd8e042dcd048e0dac04aa692504eeac04ee2d8d8d044cac042dcd048ee
dae6c0d048eed042c8cce2d6eac040dedee048eed046c8d2c2dad042fedae4e040e4e
2d4facc504eaac8d8d048cedcdac042ccd8c04eceded8c048dae6c6d042dcd048e0da
c04682f4cac4e046aac6cae4e2d8e2f04680d2c8d8daccdecac046cedad0eac8e2d8e2
dedcd6e048e2c6d2dcdec040e8d2c6cac048e0d4eedaeec0dedae8e048e0dac044eac
6e8e04edcc048e0dac042fac2c4ec5

The part that gave the code away was that I figured it would start with a well done message, so I counted the chars and looked for “well done” or other words like “congratulations” (it was all hex so it wasn’t too hard). I was right about the congrats message, plus the fact that the spaces were easy to guess. I still ended up with a few question marks, but I still got to the bottom of it.

See below for the key and the cracked code.

04 = space
0D = H
0E = P
08 = a
26 = i?
2B = y?
2C = A
2D = I
2F = Y
4C = B
4E = R
4F = Z
52 = ‘
66 = e?
68 = C
6c = c
6D = k
6E = s
8C = D
8D = L
8E = T
AC = E
AD = M
AE = U
C5 = fullstop
CC = F
CD = N
CE = V
D2 = A
ea = W
EC = G
ED = O
EE = w

a7 =?
45 = ?
65 = ?
46 = ?
c6 = ?
A1 = ?
41 = ?

congratulations a youve found and completed the ???? challenge.
your pin code is  cyber?security?challenge???????????. ?????lease
email this code to our team to media@Cybersecuritychallenge.org.uk

F YOU’re The First Person to do so and can prove you meet the eligibility
criteria ? ? British citizen currently resident in the ??? we will be in
touch to advise how to claim your prize.

Well done and good luck in the Cyber Security Challenge Competitions taking
place throughout the rest of the year.
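
The two decoding steps above done in code, as an added example (mine, not the post's): packing the pixel bits and applying ROT13 for the first message, and for the second, finding a crib such as CONGRATULATIONS by its letter-repeat pattern and rendering the stream with the post's partial key. The bit string, the first two hex lines and the key values are taken from the post; the post's uncertain (“?”) entries are left out.

```python
import codecs

# Added example, not the post's code. Stage 1: pixel bits -> ASCII -> ROT13.
# Stage 2: locate a crib in the hex stream by its repeat pattern, then render
# the stream with the partial key the post worked out. Inputs copied from the post.

# Pixel reading from the post (white = 0, black = 1), the first 96 bits.
PIXEL_BITS = ("0100001101111001011100100110111001100110011100100010000001110011"
              "01100010011110010111100101100010")

# First two lines of the second code, as printed in the post.
HEX_STREAM = ("68edcdec4e2c8eae8d2c8e2dedcd6e04d2042fedae52ceac04ccedaecd8c042ccd8c046"
              "cedad0e8dac8eac8c048e0dac044aa82889046c0d2c8d8daccdecacc5042bedae4e04e")

# Byte values the post resolved with confidence.
PAGE_KEY = {"04": " ", "0d": "H", "0e": "P", "08": "a", "2c": "A", "2d": "I",
            "2f": "Y", "4c": "B", "4e": "R", "4f": "Z", "52": "'", "68": "C",
            "6c": "c", "6d": "k", "6e": "s", "8c": "D", "8d": "L", "8e": "T",
            "ac": "E", "ad": "M", "ae": "U", "c5": ".", "cc": "F", "cd": "N",
            "ce": "V", "d2": "A", "ea": "W", "ec": "G", "ed": "O", "ee": "w"}


def bits_to_text(bits: str) -> str:
    """Pack 0/1 characters into 8-bit ASCII; an incomplete trailing byte is dropped."""
    whole = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, whole, 8))


def rot13(text: str) -> str:
    return codecs.decode(text, "rot_13")


def hex_to_symbols(stream: str) -> list:
    """Split the hex text into two-character symbols; a trailing odd nibble is dropped."""
    whole = len(stream) - len(stream) % 2
    return [stream[i:i + 2].lower() for i in range(0, whole, 2)]


def repeat_pattern(seq) -> tuple:
    """Canonical shape of a sequence: each element replaced by the index of its
    first occurrence, so a crib and its cipher image compare equal."""
    seq = list(seq)
    return tuple(seq.index(x) for x in seq)


def find_crib_positions(symbols: list, crib: str) -> list:
    """Offsets where a window of symbols repeats exactly as the crib's letters do:
    the post's 'look for congratulations' step done mechanically."""
    target = repeat_pattern(crib)
    n = len(crib)
    return [i for i in range(len(symbols) - n + 1)
            if repeat_pattern(symbols[i:i + n]) == target]


def apply_key(symbols: list, key: dict) -> str:
    """Render with the partial key; symbols not in the key print as '?'."""
    return "".join(key.get(s, "?") for s in symbols)


if __name__ == "__main__":
    print(rot13(bits_to_text(PIXEL_BITS)))  # Please follo
    symbols = hex_to_symbols(HEX_STREAM)
    print(find_crib_positions(symbols, "CONGRATULATIONS"))
    print(apply_key(symbols, PAGE_KEY))
```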

Google.CN is no more. Redirecting to Google.com.hk (Google.cn moved Offshore)

Posted by admin on Mar 22, 2010 in Today's News
Google.CN Moved to Hong Kong


As the title states, Google.CN is moving all searches offshore to Hong Kong: Google.com.hk.

However, the Google.CN domain is still live for other things: Google Maps China is still live, as are Google Images, Google Products and Google Q&A, all for China on the .CN domain.

And most important of all, the firewall of China is now turned off, according to Google’s own blog. It will be interesting to see how China reacts, especially as officially Hong Kong is still on Chinese soil.

This all stems from the Aurora attacks. Many big companies got hacked in those attacks, but it was not Google’s own accounts being hacked that got its goat; it was the accounts of many prominent Chinese human rights activists who had their Gmail details hacked.

In fact according to Google the hackers were after two things, firstly the accounts and details of the activists and then secondly the source code of many internal applications. They accessed the source code via source management systems.

What will be interesting is how the Chinese government reacts to this change (especially if Google removes the censorship from searches). So far they have only stated that “There will be consequences”.

And just to prove that the Google US execs know how bad the human rights violations in China are, they try to give their resident Chinese execs a get-out-of-jail-free card so the Ministry of State Security (MSS - Guojia Anquan Bu [Guoanbu]) won’t come and round them up.

“Finally, we would like to make clear that all these decisions have been driven and implemented by our executives in the United States, and that none of our employees in China can, or should, be held responsible for them.”

Google’s Clock hits Zero

Posted by admin on Jan 1, 2010 in Today's News
Google's New Year


Well, it’s now 2010 and the countdown clock on Google’s I’m Feeling Lucky site is displaying fireworks.

Happy New Year, everyone.

The URL for I’m Feeling Lucky is

http://www.google.co.uk/search?&btnI=3564&q=

Just type anything you want at the end of the query (q) parameter to be taken there by Google.

So how could this be used?

Well, how about a simple Rick Roll:

http://www.google.co.uk/search?&btnI=3564&q=Rick Astley Video

Let’s change those words as they look too obvious.

Just a tiny bit of URL encoding and we’re done :-)

http://www.google.co.uk/search?&btnI=3564&q=%52%69%63%6b%20%41%73%74%6c%65%79%20%56%69%64%65%6f

Yep, looks like a normal Google link to me. How many people would know that the above URL would get them Rick Rolled?

Well, how about I now go out and buy myself a nice IDN domain which looks exactly like Google.com, but no matter what you type in I return all pay-per-click ads (remember the site would look exactly like Google.com).

I’m sure you now get the idea: just because someone posts a Google link, and it could even be a real Google link like I used above in my examples, it doesn’t mean that you are not going to get sent to a virus site or a site you did not intend to visit.
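
A small link-inspection helper for the tricks above, as an added example that is not the post's code: it decodes a percent-encoded I'm Feeling Lucky query to show the real search term and flags punycode or non-ASCII lookalike hosts. The two Google URLs are the post's; the lookalike host in the test is a constructed placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# Added example, not the post's code: inspect a link before trusting where it goes.
# Covers the two tricks in the post: a percent-encoded "I'm Feeling Lucky" query
# (btnI) that hides the real search, and a lookalike (IDN / punycode) host.


def inspect_link(url: str) -> dict:
    """Decode the query and describe what the link would actually do."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # parse_qs percent-decodes values, so %52%69%63%6b becomes "Rick" here.
    query = parse_qs(parts.query, keep_blank_values=True)
    is_google_search = "google" in labels and parts.path == "/search"
    return {
        "host": host,
        "feeling_lucky": is_google_search and "btnI" in query,
        "decoded_query": query.get("q", [""])[0],
        "query_was_encoded": "%" in parts.query,
        "idn_host": any(label.startswith("xn--") for label in labels)
                    or any(ord(ch) > 127 for ch in host),
    }


def is_suspicious(url: str) -> bool:
    """Flag lookalike hosts, and Feeling Lucky links whose search term was
    hidden behind percent-encoding (the plain form is at least readable)."""
    info = inspect_link(url)
    return info["idn_host"] or (info["feeling_lucky"] and info["query_was_encoded"])


if __name__ == "__main__":
    hidden = "http://www.google.co.uk/search?&btnI=3564&q=%52%69%63%6b%20%41%73%74%6c%65%79%20%56%69%64%65%6f"
    print(inspect_link(hidden)["decoded_query"])  # Rick Astley Video
```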

Be safe, and once again Happy New Year.

Google Fireworks


Google’s new year count down clock

Posted by admin on Dec 14, 2009 in Today's News
New Google Easter Egg - Feeling Lucky


Well, it seems that Google has placed a new easter egg on its main site for UK searches.

If you click on the I’m Feeling Lucky button you will be taken to a countdown clock.

There was a lot of speculation about what the countdown timer meant.

But it seems quite obvious that it is the New Year countdown clock. (Nice touch.)

In the past they have had other strange easter eggs (Aliens / Crop Circles, Infinite Loops and the famous Konami Code).

All good fun, and it’s nice to break up the monotony of carrying out tons of searches.

If you’ve found any interesting easter eggs in any of the major search engines then feel free to post below in the comments.

Stanford Found – Today’s News

Posted by admin on Feb 24, 2009 in Today's News
Directory Browsing


Background Story

Sir Allen Stanford, who is believed to be involved in one of the biggest banking frauds, has been found by FBI agents in America.

It was originally thought that he was hiding out in the Caribbean.

The fraud has global implications, not only for the main Stanford Bank but also for all of his other corporations and those who have invested in him. There has been a “run” on the bank in the past couple of days as investors have sought to get at their cash.

BBC News Link

Site = SIB DIRECT

Defect Found = Open Directory Browsing

Time Taken to find from arriving at homepage = about 10 minutes.

As always Site Admins notified.

Now, as this is an online bank, I decided to hold the post back a few days. It’s now 00:40am 20th Feb 2009 and I’ll keep the post on hold for 5 days for them to fix the issue.

It should just be a quick 5 minute fix, but as we all know even a 5 minute code fix can still take a day or two to test. For me it’s the deploys to the Test, Staging and then Production environments, and not the actual testing of code, that take the time in issues like this.

***************EDIT***************

Even after the 5 days, which is the length of time the post was delayed for, the issue is not resolved. I’ve also not heard back from anyone at Stanford.

***************EDIT N02 -  25th Feb 2008 ***************

The Receivers have been called in and the links are no longer working, which is a good thing for the security of the users but a bad thing, as they have most likely lost their deposits.

Geertwilders – Today’s News

Posted by admin on Feb 13, 2009 in Today's News
Nasty Man


Not a nice guy.

(Even so I’ve still notified the Site Admin in question)

Background story.

He’s a right-wing Dutch MP who has made a very one-sided mockumentary about Muslims and how he thinks that the Qur’an only preaches death and killing. I’m not religious at all; however, I do know that virtually any person can take the text from any religious doctrine and use that text to prove any point they may wish to make.

He was invited to the UK by some other right-wing MPs (UKIP Party) and he was thankfully turned down by our government on the grounds that they deemed him to be a person who spreads race hate.

This led to a welcome debate on the validity of freedom of speech.

BBC News Link

Site = http://www.geertwilders.nl

Defect Found = Open Log and Stats File

Time Taken to find from arriving at homepage = about 32 minutes.

This was a hard one due to his site using off-the-shelf secure software (Mambo, I think) and also using Google for all searching, which meant I knew XSS was a no-go from the start. I then looked for subdomains, and although I found many, all were 401s. I tried a few other things and then, just when I thought that this site would beat me, I gave a quick check of common directories and came up with “TMP”. I then looked for common file names and came up with “log.txt”, and hence the site error.

Remember that the reason for the “Today’s News” section is to attempt to prove that virtually all sites out there have some error of some kind that affects the website’s security or usability, or maybe a business logic flaw.

Some people may think that this is low-hanging-fruit type stuff, and they may be correct; however, as the sites in question will be all over the TV today and on the front page of tomorrow’s papers, they are easy targets for potential hackers and SEO black hats alike.

Today’s News FSA Boss Quits

Posted by admin on Feb 11, 2009 in Testing, Today's News, WebAppSec, XSS

I’ve decided to do a new piece called Today’s News.

What I’ll do is take a quick look at the television news stations to work out what the top news story is, and then I’ll give the website of the company or organisation a quick test. I’ll also state how long it took me to find the issue.

The site will be notified of course, and I’ll update the blog post with any updates and responses from the site admin.

This will most likely be based on a Web Application Security (WebAppSec) test. I’ll leave out all of the 404s and orphaned links etc.

Today’s major story was that the head of the FSA and a close advisor to Gordon Brown resigned.

FSA


http://news.bbc.co.uk/1/hi/business/7883409.stm

Site = http://www.fsa.gov.uk/

Defect Found = XSS

Time Taken to find from arriving at homepage = 3 minutes and 12 seconds.

Now, some people may think that this is low-hanging-fruit type stuff, and you may be correct; however, as the sites in question will be all over the TV today and on the front page of tomorrow’s papers, they are easy targets for potential hackers and SEO black hats alike.

Copyright © 2012 The Test Manager Blog All rights reserved. Theme by Laptop Geek.