Primary Content: Home

Staying Safe Online: Privacy

Criminals try to gather information about us online in order to scam us and steal our identities. In America in 2012, identity theft cost the average victim $365 and 12 hours of work to rectify. In 2013 there were 13.1 million U.S. adult victims, that’s nearly one victim every two seconds! That figure represents 5.5% of U.S. adults. This is why being savvy with our online privacy is important!

Continue reading: Staying Safe Online: Privacy

Path Traversal Cheat Sheet: Windows

Got a path/directory traversal or file disclosure vulnerability on a Windows-server and need to know some interesting files to hunt for? I’ve got you covered Know any more good files to look for? Let me know! Are you on a Linux server? Try this one instead: Path Traversal Cheat Sheet: Linux

Continue reading: Path Traversal Cheat Sheet: Windows

From Network boot to Local Admin: PXE Booting

Pre-Execution Boot, or PXE, is a method of booting a workstation machine by loading an operating system across the network. If PXE boot can be enabled (often it is enabled by default, even when machines are restricted from booting CDs or USB Devices) then an stripped down Linux operating system can be loaded over the network and used to compromise the target.

Continue reading: From Network boot to Local Admin: PXE Booting

A Vulnerability in Apache Struts

CVE-2014-0094 and CVE-2014-0050

Struts is an extensible framework used for creating enterprise Java Web Applications.

In Struts 1.x there is a problem related to how the ActionForm bean population machanism works, whereas in Struts 2.x there is an issue in how ParametersInterceptor allows access to the ‘class’ parameter that is directly mapped to the getClass() method and allows ClassLoader manipulation. Long story short, this can allow attackers to execute arbitrary Java code remotely.

This issue was believed fixed in March 2014 (Apache Struts Security Bulletin S20-020), however on April 24, 2014, the Apache Software Foundation released an announcement warning that the original issued patch for the vulnerability in Apache Struts up to version 2.3.16.1, did not fully patch the vulnerability.

Affected

Apache Struts <= 1.3.10 and 2.0.0 – 2.3.16.1

Proof-of-Concept

One way to manually discover this vulnerability is to attempt to cause a strong class error in the parser, this should not cause any harm to the server but should prove the existence of this issue, by showing a 500 error. The following payloads can be supplied to GET and POST parameters:

 

Tomcat 7: “Class[‘classLoader’][‘resources’][‘dirContext’][‘cacheTTL’]=foo”
Tomcat 8: “Class[‘classLoader’][‘resources’][‘cacheObjectMaxSize’]=foo”

Alternatively, the following payload will have a similar effect:

Tomcat 7: “Class[‘classLoader’][‘resources’][‘cacheObjectMaxSize’]=foo”
Tomcat 8: “Class[‘classLoader’][‘resources’][‘context’][‘effectiveMajorVersion’]=foo”

 

Further Reading

http://struts.apache.org/release/2.3.x/docs/s2-020.html
http://struts.apache.org/announce.html#a20140424

 

CRIME against TLS?

Compression Ratio Info-leak Made Easy

CRIME is an attack against SSL, like Heartbleed, but it has a much smaller probability of exploitation. The authors of CRIME also wrote the BEAST attack. The attack can allow an attacker to recover web cookies and thereby perform session hijacking attacks, much like BEAST and the specific restrictions for the attack are similar. The attacker requires the ability to repeatedly inject predictable data whilst monitoring the resulting encrypted traffic. This requires the attacker to achieve two main prerequisites before the attack is possible: the attacker must be able to observe network traffic and manipulate the victim’s browser to submit requests to the target site.

The manipulation could be possible through Cross-site scripting attacks; JavaScript is not required and an attack could be possible with HTML Injection alone however it would be less efficient.

For CRIME to be possible the server must support compression of the request before encryption. TLS supports DEFLATE which is vulnerable, as is SPDY. The client must also support compression but only a small percentage of browsers do.