Wednesday, July 31, 2013

Ubuntu Forums has been pwned! (Part 2)

Ubuntu Forums resumed finally. Congrats! The forum admin, Elfy, posted a message about the attack. I quote here for your reference.

"As announced previously, there was a security breach on the Ubuntu Forums. What follows is a detailed post mortem of the breach and corrective actions taken by the Canonical IS team. In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software. There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings.

== What happened ==

At 16:58 UTC on 14 July 2013, the attacker was able to log in to a moderator account owned by a member of the Ubuntu Community.

This moderator account had permissions to post announcements to the Forums. Announcements in vBulletin, the Forums software, may be allowed to contain unfiltered HTML and do so by default.

The attacker posted an announcement and then sent private messages to three Forum administrators (also members of the Ubuntu community) claiming that there was a server error on the announcement page and asking the Forum administrators to take a look.

One of the Forum administrators quickly looked at the announcement page, saw nothing wrong and replied to the private message from the attacker saying so. 31 seconds after the Forum administrator looked at the announcement page (and before the administrator even had time to reply to the private message), the attacker logged in as that Forum administrator.

Based on the above and conversations with the vBulletin support staff, we believe the attacker added an XSS attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker.

Once the attacker gained administrator access in the Forums they were able to add a hook through the administrator control panel. Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the 'user' table to a file on disk which they then downloaded.

The attacker returned on 20 July to upload the defacement page.

== What the attacker could access ==

The attacker had full access to the vBulletin environment as an administrator and shell access as the 'www-data' user on the Forums app servers.

Having administrator access to the vBulletin environment means they were able to read and write to any table in the Forums database.

They used this access to download the 'user' table which contained user names, email addresses and salted and hashed (using MD5) passwords for 1.82 million users.

== What the attacker could not access ==

We believe the attacker was NOT able to escalate past the 'www-data' user (i.e. gain root) access on the Forums app servers.

We believe the attacker was NOT able to escalate past remote SQL access to the Forums database on the Forums database servers.

We believe the attacker did NOT gain any access at all to the Forums front end servers.

We believe the attacker was NOT able to gain any access to any other Canonical or Ubuntu services.

We know the attacker was NOT able to gain access to any Ubuntu code repository or update mechanism.

== What we don't know ==

We don't know how the attacker gained access to the moderator account used to start the attack.

The announcement the attacker posted was deleted by one of the Forum administrators so we don't know exactly what XSS attack was used.

== What we've done ==

Before bringing the Forums back online, we implemented a series of changes both designed to clean up after this attack and also to defend against and mitigate the fallout from possible attacks in the future.

=== Clean up ===

* We sent individual mails to all Forums users informing them of the breach and that they should consider their Forum password compromised. We advised them to change this password on any other systems where they may have re-used it.

* We backed up the servers running vBulletin, and then wiped them clean and rebuilt them from the ground up.

* We randomised all user passwords in the Forums.

* We reset all system and database passwords.

* We manually imported data into a fresh database after sanity checking each table.

=== Hardening ===

* We've removed the ability to modify or add new hooks except via root access to the database

* We've disabled all potential HTML posting avenues in the Forums for everyone but administrators.

* We've switched the Forums to use Ubuntu SSO for user authentication.

* We've implemented automated expiry of inactive moderator and administrator accounts.

* We've confined vBulletin with an AppArmor profile.

* We've reviewed and further hardened the firewalling around the Forums servers.

* We've reviewed and further hardened the PHP config on the server to close off some vectors used by the attacker.

* We've switched to forcing HTTPS for the administrator and moderator control panels and made it optionally available everywhere else

* We've improved escalation procedures for the Ubuntu Community members who graciously volunteer their time to administer and moderate the Forums.

* We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid similar scenarios as this. The vBulletin support staff have been helpful and cooperative throughout this incident.

Finally, we'd like once again to apologize for the security breach, the data leak and downtime"


**************

After reading the above message, I think that the Ubuntu Forums is still under a high risk. Why?

It seems that they find out the cause of the attack and the way how the attacker attack. However, it is not.

They still do not know how the attacker gains access to one of the moderator accounts. Attacker gains access by SQLi? Or, by phishing? Who knows! Since the forums has changed the logic for OpenID login when it is upgraded in the early of this year, may be one of the attack vectors is there.

The login method is changed to Ubuntu One SSO. It seems okay. But, what if the Ubuntu One SSO login logic has vulnerability? Or, the attack is not via the login vulnerability?

They limited the HTML code in the forums and it seems good. However, the filters can be spoofed very easily for a skilled attacker. How about the attacker issue javascript?

If the forums still has vulnerability, the attacker can attack the forum admin or moderator accounts directly without escalation of any account.

The implementation of Apparmor is a good idea. However, the forums still can be defaced if the attacker gains the rights as the Apparmor will not block this kind of activities. Attacker can also access the database servers even it is remote.

Altering the PHP config file and enhance the firewall will not do much improvement. Since firewall is handling or controlling the Network Layer but the attack may be targeted to Layer 7 - Application Layer. Meanwhile, PHP config enhancement will not prevent from being attack or gain access to the web application.

In my opinion, I suggest the forum admins consider to do penetration testing on the vBulletin although there is no exploit for vBulletin 4.2.1 in the wild so far. However, who knows there will be some unknown exploits for vBulletin 4.2.1?

As far as I know, most forum admins are still in old school security mindset. They need to learn more and new. Otherwise, the next attack is awaiting. Clients (customers) always losers in the cyber attack.

That's all! See you.

Catch Me If You Can

As a malicious hacker, you are required to hide yourself before attack. If you failed to do so, you will be caught. Most malicious hackers will hide themselves by using botnets, Tor or proxies, or similar. However, I would like to introduce a new way to hide yourself when doing evil things in the internet.

In our country, you are not required to register your personal particulars to purchase 3G/4G pre-paid SIM card. In other countries, you may required to do so.

In the early morning, you can on board a public transportation, such as bus, and pay with non-traceable payment method, such as cash. Open your laptop and plugin your 3G/4G mobile dougle. You are using a pre-paid SIM card and you are on a moving public transportation as well as paid by non-traceable payment method. You fake your MAC address with macchanger.

You search for a target in the Google with dorks. Once you find a target, you can go ahead to attack it without worrying about to hide yourself. After several commands issued, you get a shell and compromised the target. You leave a backdoor for further access.

After that, you make sure to drop the pre-paid SIM card to the rubbish bin that out of your living area after your successful attack.

Next time, you take another route of the public transportation to access the compromised target or to seek another target with another pre-paid SIM card.

Now, you are fully untraceable.

That's all! See you.

See Also

Catch Me If You Can 2
Catch Me If You Can 3
Catch Me If You Can 4

NATO Review - Cyber Attacks

The followings are the NATO Review for Cyber Attacks recently.

Cyber attacks : How can they hurt us?



Cyberwar - does it exist?



Cyber Attacks and Angry Birds



Hackers for hire



That's all! See you.

Saturday, July 27, 2013

HOWTO : WebGoat 5.4 on Ubuntu Server 12.04 LTS

Step 1 :

Install Ubuntu Server 12.04 LTS as usual. Select OpenSSH server and Tomcat Server at the end of the installer.

Step 2 :

Download the WebGoat 5.4.

wget http://webgoat.googlecode.com/files/WebGoat-5.4.war

Step 3 :

Copy the WebGoat.war to the Tomcat directory.

mv WebGoat-5.4.war WebGoat.war
sudo cp WebGoat.war /var/lib/tomcat6/webapps/


Step 4 :

Edit the tomcat-users.xml for the WebGoat 5.4.

sudo nano /etc/tomcat6/tomcat-users.xml

Insert the following before </tomcat-users> tag :

<role rolename="webgoat_basic"/>
<role rolename="webgoat_admin"/>
<role rolename="webgoat_user"/>
<role rolename="tomcat"/>
<user password="webgoat" roles="webgoat_admin" username="webgoat"/>
<user password="basic" roles="webgoat_user,webgoat_basic" username="basic"/>
<user password="tomcat" roles="tomcat" username="tomcat"/>
<user password="guest" roles="webgoat_user" username="guest"/>


Step 5 :

Restart Tomcat.

sudo /etc/init.d/tomcat6 restart

Step 6 :

Open a browser (e.g. Firefox) and point to the WebGoat (e.g. 192.168.56.102).

http://192.168.56.102:8080/WebGoat/attack

Enter the username and password for both as "guest".

Tutorial

OWASP WebGoat v5.4 Web Hacking Simulation WalkThrough Series

That's all! See you.

Sunday, July 21, 2013

Ubuntu Forums has been pwned!

According to the Ubuntu Forums, the forums has been defaced at 2011 hours on July 20, 2013 (UTC). The defacement page is same as this and the source code of the page is here. It also plays a music too.

Ubuntu Forums also stated that the website's database has been downloaded by attacker and it is also confirmed by the attacker. However, the attacker stated that s/he will not leak the database to the public or take advantage of it.

The Ubuntu Forums use vBulletin PHP software. The forums has been updated or upgraded in the early of this year. According to Exploit Database that the latest exploit is dated on March 25, 2013 (not talking about the exploit in July, 2013 as it is already updated/upgraded). If the update/upgrade is included these bugs fix, there would be no known exploit for the vBulletin in the wild.

However, the forums has looked for PHP developers to assist to implement the OpenID for the forums update/upgrade on January 23, 2012 (please see here).

If the custom changed vBulletin do not have audit or penetration test, it may contain bugs or vulnerabilities. The custom change of vBulletin may lead to the attack success.

I think that the attack technique in this case is SQL Injection.

The forums is still down at the time of this writing (July 21, 2013 1340 UTC).

Remark : please refer to this link for my information gathering.

That's all! See you.

UPDATE : Part 2

Friday, July 19, 2013

Coming Soon : Bugtroid

Bugtraq for Android is coming soon. It is not running in virtualization technology.



That's all! See you.

HOWTO : Update Vega on Bugtraq 2 Black Widow

When you run Vega Webscanner, you will find a pop up for the update. I am going to tell you how to update yourself instead via the official Hammer System Manager of Bugtraq 2.

Be keep in mind that you are not required to use "sudo".

Download the latest version - 1.0 build 96.

32-bit :

wget http://subgraph.com/downloads/VegaBuild-linux.gtk.x86.zip

64-bit :

wget http://subgraph.com/downloads/VegaBuild-linux.gtk.x86_64.zip

Extract the zip file :

unzip VegaBuild-linux.gtk.x86.zip

or

unzip VegaBuild-linux.gtk.x86_64.zip

Backup the current Vega :

mv /bugtraq/tools/web_audit/web_analisys/vega /bugtraq/tools/web_audit/web_analisys/vega-bak

Copy the extracted directory to the destination :

cp -R vega/ /bugtraq/tools/web_audit/web_analisys/

That's all! See you.

Thursday, July 18, 2013

Bug Fix : Bugtraq 2 XFce 64-bit with Paralles Tools on Mac OS X 10.8.4

You need to do the following at the guest (Bugtraq 2 XFce 64-bit) on Paralles 8 before installing the Paralles Tools.

sudo ln -s /usr/lib/insserv/insserv /sbin/insserv

Otherwise, the Paralles Tools cannot be installed properly.

That's all! See you.

Tuesday, July 16, 2013

REVIEW : Bugtraq 2 Black Widow Final

Bugtraq 2 Black Widow Final builds on Ubuntu, Debian and OpenSuse. Each distribution comes with XFce, Gnome and KDE Window Manager. They all also come with 32-bit and 64-bit. A total of 18 copies that the Bugtraq Team needs to maintain.

Bugtraq 2 Black Widow pre-installed and configured some useful Penetration Testing tools that others Pentesting Linux distributions lack of. It also includes smartphone pentesting tools. It will be sweet if Bugtraq 2 can pre-installed Immunity Debugger and edb-debugger as well as T50 and mona.py.

The Conky displays a lot of useful information on the screen that most hackers will think fit. However, the Conky script is designed for 4-core (or 2-core with Hyper-threading). If you have 2-core, you need to change the /bugtraq/scripts/conky/conky-app.sh. Replace "conky -c /bugtraq/scripts/conky/.conkyrc &" with "conky -c /bugtraq/scripts/conky/.conkyrc2 &". Otherwise, the Conky will not loaded.

Bugtraq 2 is also lack of documentation like others. However, you can find a lot of demo video at her official site. There are some interesting demo video, such as bonet setting.

Bugtraq 2 is working well on virtual machine, such as VirtualBox and Parallels (Mac OSX). I tested on Lenovo ThinkPad X201s and find no problem with Ubuntu XFce and Gnome versions.

Bugtraq Team comes from Spain and the Bugtraq 2 Black Widow is default to Spain language and Spain keyboard layout. When you install Bugtraq 2 Black Widow, you need to set the language to English and keyboard layout to "English (US)" or your country setting. The default username is "bugtraq" and password is "123456". Make sure you set your password after install.

I tested Ubuntu Gnome and XFce copies and find that XFce version has lesser bugs. I think that the team is developed from Ubuntu XFce and then build for others based on it. Therefore, I suggest you to download Ubuntu XFce version.

Bugtraq 2 Black Widow comes with Services Administrator GUI and Databases GUI as well as Conky Manager. However, there are some bugs on those programs. The 2 GUI are situated at "Applications -- System Services".

I prepared an auto-run script to fix the bugs on those programs and you can download it at here. it works well on 32-bit and 64-bit Ubuntu Gnome and XFce version. Others not tested but it may works.

The bugfix script is intended to fix the bugs on the Sagui and DBgui. However, it also fix some minor bugs on Conky. Be keep in mind that the official Conky is written for wireless device (wlan0) while my bugfix script is also written for wlan0. If you are using ethernet device, you need to change the "wlan0" to "eth0" (or any device that fits) on the "+.conkyrc" and "proxys.conf" scripts in the "bugtraq-2-gnome-x32-bugix" directory. Make sure you change it before running the bugfix script. In addition, the script will install some missing packages too.

Extract it with the following command :

tar -xvzf bugtraq-2-gnome-x32-bugfix.tar.gz

To run it :

cd bugtraq-2-gnome-x32-bugfix
./auto-bugfix.sh


In addition, there are some bugs on Hammer System Manager and it requires the team to fix.

After the install, you need to update your box. You can do that with the following commands. Or, you can build a script for that too.

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get --purge autoclean
sudo apt-get --purge auto remove


Conclusion

Highly recommended. Bugtraq 2 Black Widow will give you a new user experience. You will love it. Believe me!

UPDATE

The auto-run script has been updated for minor bug fix on Conky script, you can download at here



That's all! See you.

Monday, July 15, 2013

Bug Fix : Bugtraq 2 Black Widow Final (Gnome)

Bugtraq 2 Black Widow Final builds on Ubuntu, Debian and OpenSuse. Each distribution comes with XFce, Gnome and KDE Window Manager. They all also come with 32-bit and 64-bit. A total of 18 copies that the Bugtraq Team needs to maintain.

I downloaded Ubuntu Gnome 32-bit and 64-bit version as I like Gnome Classic very much. After boot up, you need to set "Session" to "Gnome Classic" from the login screen of the Live DVD. The username is "bugtraq" and the password is "123456". The installation program is situated at "Applications -- System Tools -- Administration -- Install RELEASE" on 32-bit version. The installation program for 64-bit is on the Desktop.

The installation on my Parallels (Mac OS X Virtualization program) is smooth. I suggest you to select to download the update and 3rd party programs when install. For the first login of the installed copy, you need to set the "Session" to "Gnome Classic" and also makes it to default.

Bugtraq 2 comes with Services Administrator GUI and Databases GUI as well as Conky. However, there are some bugs on those programs. I am now going to fix it. The 2 GUI are situated at "Applications -- System Services".

I prepared a auto-run script to fix the bugs on the those programs and you can download it at here. It works well on 32-bit and 64-bit Ubuntu Gnome version.

The bugfix script is intended to fix the bugs on the Sagui and DBgui. However, it also fix some minor bugs on Conky. Be keep in mind that the official Conky is written for wireless device (wlan0) while my bugfix script is also written for wlan0. If you are using ethernet device, you need to change the "wlan0" to "eth0" (or any device that fits) on the "+.conkyrc" and "proxys.conf" scripts in the "bugtraq-2-gnome-x32-bugix" directory. Make sure you change it before running the bugfix script. In addition, the script will install some missing packages too.

WARNING : This bugfix script may damage your system or computer. You take care of the risk while using it.

Extract it with the following command :

tar -xvzf bugtraq-2-gnome-x32-bugfix.tar.gz

To run it :

cd bugtraq-2-gnome-x32-bugfix
./auto-bugfix.sh


UPDATE

The auto-run script has been updated for minor bug fix on Conky script, you can download at here



That's all! See you.

Friday, July 12, 2013

Friday, July 05, 2013

HOWTO : Burp Suite with Tor on Mac OS X 10.8.4

Step 1 :

Go to the Burp Suite official site to download the free edition.

Then save it to Documents folder.

Step 2 :

Open a terminal.

nano burpsuite_free.sh

java -jar /Users/samiux/Documents/burpsuite_free_v1.5.jar


Replace "samiux" with your user name.

Step 3 :

Go to Java official site to download Java JRE

Step 4 :

Go to Tor official website to download and install "Tor Browser Bundle for 64-Bit Mac".

Step 5 :

Go to Privoxy official site to download Privoxy 3.0.21 64 bit.pkg and install.

Step 6 :

Open a terminal.

nano /usr/local/etc/privoxy/config

Append the following lines :

forward-socks5 / 127.0.0.1:9150 .
forward 192.168.*.*/ .


Restart the Mac.

Step 7 :

Open a terminal and go to the Documents folder.

./burpsuite_free.sh

Options >> Upstream Proxy Servers >> Add >> Proxy host >> 127.0.0.1
Options >> Upstream Proxy Servers >> Add >> Proxy port >> 8118

Step 8 :

Start "TorBrowser_en-US". The TorBrowser will launch.

ToBrowser >> Preferences >> Advanced >> Connection >> Settings

Select "Manual proxy configuration:".

HTTP Proxy >> 127.0.0.1 >> Port >> 8080
SOCKS Host >> 127.0.0.1 >> Port >> 9150

Step 9 :

Make sure Burp Suite is behind the Tor my visiting cmyip.com

Remarks :

To install in Ubuntu 12.04 LTS is similar. However, the port 9150 will be port 9050.

That's all! See you.

HOWTO : LimeChat with Tor on Mac OS X 10.8.4

UPDATE on Jan 4, 2015 : Change the Tor addresses


Step 1 :

Download and install the LimeChat from Apple Apps Store on you Mac.

Step 2 :

LimeChat >> Preferences >> Interface >> Layout of the main window >> 3 Columns
LimeChat >> Server >> Server Properties >> General >> Network name -- TorifiedFreenode
LimeChat >> Server >> Server Properties >> General >> Server -- 10.40.40.40
LimeChat >> Server >> Server Properties >> General >> Port -- 6667
LimeChat >> Server >> Server Properties >> General >> Nickserv Pasword -- [your SASL password]
LimeChat >> Server >> Server Properties >> General >> Use SASL >> selected

LimeChat >> Server >> Server Properties >> Details >> Proxy >> SOCKS 5 proxy
LimeChat >> Server >> Server Properties >> Details >> Homename >> 127.0.0.1
LimeChat >> Server >> Server Properties >> Details >> Port >> 9150

LimeChat >> Server >> Server Properties >> On Login >> #infosec-ninjas [add some channels]

Step 3 :

Go to Tor official website to download and install "Tor Browser Bundle for 64-Bit Mac".

Step 4 :

Run "TorBrowser_en-US".

Vidalia Control Panel >> Settings >> Advanced >> Edit current torrc

Append the following :

MapAddress 10.40.40.40 p4fsi4ockecnea7l.onion

Since Tor servers for TOR has been updated. The previous .onion address is no longer working. Please use one of the following addresses :

frxleqtzgvwkv7oz.onion
p567hbjdstqvg7xw.onion
2hktdmgt6bg2hjuc.onion
l4wvhvf666nifnpg.onion


Select it and then "Apply selection only" >> OK

Sometimes, the address will be too busy for login, so, you need to toggle between the addresses to see if it can login or not.

Or, you can append all the above addresses and do not select "Apply selection only". (However, it is not tested.)

Step 5 :

Close LimeChat and Stop Tor as well as close Vidalia Control Panel.

Then restart Vidalia Control Panel and LimeChat. TorBrowser will start up too.

That's all! See you.