Category Archives: Training

Bypassing PHP Null Byte Injection protections – Part II – CTF Write-up


August 19, 2016

Update: Below is a list of people who solved the CTF. Congrats folks!

  • Dixie Flatline
  • AhnMo
  • Cernica Ionut
  • jinmo123
  • noproto
  • perzik
  • XeR
  • Rev
  • mphx2
  • [ace]
  • menztrual
  • simon
  • Dario D. Goddin

Overview

This post is the second part of the Bypassing PHP Null Byte Injection protections blog post. If you want to try the CTF before going through the write-up, head to the link first. Otherwise, keep on reading :)

The main trick described in this write-up relies on the fact that a Local File Include (LFI) vulnerability is exploitable, but with some restrictions imposed by the code. Among these restrictions, there is active filtering of Path Traversal. Namely, an image file extension (.png) is always appended to successfully uploaded files. In addition, the server is running an up-to-date version of PHP which is not vulnerable to the well-known Null Byte Injection trick.

To bypass these restrictions and achieve Remote Code Execution by chaining through the aforementioned LFI vulnerability, one can use one of the built-in PHP wrappers, as described in detail in the next section of this write-up.

Description

When visiting the URL of the vulnerable application one can see that it is a web app for uploading pictures:


Following the normal application flow first, I tried to understand how the application behaves and how the uploaded files are being parsed by the code with some simple tests:


Simple MySQL Backdoor using User Defined Functions (UDF)


August 10, 2016

So what is a UDF? It is a way to extend MySQL with a new function that works like a native (built-in) MySQL function; i.e., by using a UDF you can create native code to be executed on the server from inside MySQL. To do this you need to write a library (a shared object on Linux, or a DLL on Windows), put it into a system directory, then create the functions in MySQL. Usually people write UDFs in C/C++, but you can really use any language you want since you are creating a shared object. This has the advantage of being simple to write while also being highly portable. The real benefit is that you don’t need to access or modify the MySQL source code, and after the UDF is installed you can update the DBMS without making any changes to your code (i.e., it is transparent).


Are Padding Oracles still a concern?


August 05, 2016

The very fact this article came to be implies the answer – yes, they are. Readers who are interested in knowing the rationale behind this statement are encouraged to continue reading.

The main motivation behind writing this article was a padding oracle vulnerability (CVE-2016-2107) found in May 2016 in the popular OpenSSL cryptographic toolkit. The authors of this article decided that it was a great occasion to revisit this area and to refresh what is known about padding oracles.

In 1998 Daniel Bleichenbacher first demonstrated a practical adaptive chosen-ciphertext attack. Four years later, in 2002, Serge Vaudenay presented the very first practical padding oracle attack. Since then, notable vulnerabilities in this category have continued to be discovered, e.g. CVE-2013-0169 (Lucky13) and CVE-2014-3566 (POODLE), to name the most recognized ones.
After some time, some people even started to believe that this type of attack is no longer a problem (i.e. no longer considered a real-world threat). Despite this and similar opinions, we can observe that new padding oracle vulnerabilities are continuously discovered by security researchers, and 14 years after the first practical attack was presented, they still pose a very real security threat.

What is a padding oracle? What can happen if someone finds this vulnerability in my application and is able to exploit it? How can I test for, identify and avoid this type of attack? Let’s address these and other questions in the following sections.

Refresher

First things first. Let’s recall what a padding oracle attack is. The definition according to MITRE states:

“An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext.

In addition to performing decryption, an attacker is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key”.

Source: https://capec.mitre.org/data/definitions/463.html

Readers who would like a refresher on padding oracles may refer to the following materials:


Practical Security: Browser Security Settings


August 06, 2014

By Norman Yue (CTO)
Originally published: http://advancedpersistentjest.com/2014/07/22/practical-security-browser-security-settings/

This series of blog posts will aim to look at some “quick wins”, which an organisation or a security team (or even interested users) can realistically put into place immediately, what they are, and how they impact both security and usability.

This is not aimed at being remotely comprehensive, or reaching a “perfect” state of security – while a few people might browse the Internet with non-HTML non-image content off by default, we realize this probably isn’t feasible for most users, and having an actual Security Policy based on what you actually need is a Really Good Idea [tm].

While most people (and by extension, organisations) simply take their browser for granted, modern browsers typically have a slew of settings (not necessarily explicitly related to security) which can impact the security context for end-users. Here are a few “quick win” solutions which can easily be put in place, with minimal impact for users.

The Anatomy of a Security Breach.


January 16, 2014

Securus Global’s approach to minimising your risks…

By now, you have probably read about the Target security breach: (Nothing new… this happens all the time).
http://www.marketwatch.com/story/traffic-at-target-stores-down-after-data-breach-2013-12-22-174855718?reflink=MW_news_stmp
http://www.usatoday.com/story/money/business/2013/12/22/target-breach-suits-and-investigations/4167977/

At Securus Global, we are frequently asked by our clients how hackers compromise companies and in turn, what can be done to minimise the risk of it happening to their own organisation.

By hiring the likes of Securus Global to test your systems in testing, pre-production and/or post-production, we’ll be able to highlight any potential exposures you have and issue advice on how to fix them, and on ways to make you more resistant to such breaches altogether.

Better yet, we would rather help you be in a position that your risks are identified beforehand, or even not to be there in the first place.

This is why in early 2014, we’re offering client workshops to explain the anatomy of such attacks and how the hackers are attaining this information from your companies.

These are 1-2 hour informal sessions (no cost), where we talk about what we have seen in the last 10 years, how the attacks are planned and take place, but most importantly, what you can do to minimise the chances of this happening to your company.