Exploiting Wildcards On Linux/Unix

Standard

From: http://beta.slashdot.org/story/203895


DefenseCode released an advisory in which researcher Leon Juranic details security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug.

There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress out the risks accompanying practice of using the * wildcard with Linux/Unix commands.

The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users – root as well.

One of the examples provided is the tar arbitrary command execution. The binary has two options that can be used for poisoning:

–checkpoint[=NUMBER]
display progress messages every NUMBERth record (default 10)

–checkpoint-action=ACTION
execute ACTION on each checkpoint

By using tar with these options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy.

Running tar cf archive.tar * on a folder with these files seems pretty straightforward and benign.

[root@defensecode public]# ls -al
drwxrwxrwx. 2 user user 4096 Oct 28 19:34 .
drwx——. 24 user user 4096 Oct 28 18:32 ..
-rw-rw-r–. 1 user user 20480 Oct 28 19:13 admin.php
-rw-rw-r–. 1 user user 34 Oct 28 17:47 ado.php
-rw-rw-r–. 1 user user 187 Oct 28 17:44 db.php
-rw-rw-r–. 1 user user 201 Oct 28 17:43 download.php

The problem arises if the user created a couple of fake files and a shell script that contains any arbitrary command.

[root@defensecode public]# ls -al
drwxrwxrwx. 2 user user 4096 Oct 28 19:34 .
drwx——. 24 user user 4096 Oct 28 18:32 ..
-rw-rw-r–. 1 user user 20480 Oct 28 19:13 admin.php
-rw-rw-r–. 1 user user 34 Oct 28 17:47 ado.php
-rw-r–r–. 1 leon leon 0 Oct 28 19:19 –checkpoint=1
-rw-r–r–. 1 leon leon 0 Oct 28 19:17 –checkpoint-action=exec=sh shell.sh
-rw-rw-r–. 1 user user 187 Oct 28 17:44 db.php
-rw-rw-r–. 1 user user 201 Oct 28 17:43 download.php
-rwxr-xr-x. 1 leon leon 12 Oct 28 19:17 shell.sh

By using the * wildcard in the tar command, these files will be understood as passed options to the tar binary and shell.sh will be executed as root.

The advisory in question details other similar exploitation methods. Also, around the same time when Mr. Juranic informed us about his work, another researcher posted to the Full Disclosure mailing list a similarly themed research focused on exploiting wildcards.

Is there a workaround? To quote the most upvoted post on a recent Reddit thread regarding wildcard exploitation: “./* Done”.

603 total views, no views today

Hacked Via RDP: Really Dumb Passwords

Standard

From: http://krebsonsecurity.com/2013/12/hacked-via-rdp-really-dumb-passwords/

Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.
Continue reading

738 total views, no views today

Bypassing Seagate ATA Security Lock

Standard

From: http://feedproxy.google.com/~r/hackaday/LgoM/~3/2sk-aqNfkZ0/


Bypassing Seagate ATA Security Lock

November 29, 2013 by  15 Comments

seagate

Here’s a common story when it comes to password retrieval: guy sets up a PC, and being very security-conscious, puts a password on his Seagate hard drive. Fast forward a few months, and the password is, of course, forgotten. Hard drive gets shuffled around between a few ‘computer experts’ in an attempt to solve the problem, and eventually winds up on [blacklotus89]‘s workbench. Here’s how he solved this problem.

What followed is a walk down Hackaday posts from years ago. [blacklotus] originally foundone of our posts regarding the ATA password lock on a hard drive. After downloading the required tool, he found it only worked on WD hard drives, and not the Seagate sitting lifeless on his desk. Another Hackaday post proved to be more promising. By accessing the hard drive controller’s serial port, [blacklotus] was able to see the first few lines of the memory and the buffer.

Two hours and two Python scripts later, [blacklotus] was able to dump the contents of his drive. He then took another Seagate drive, locked it, dumped it, and analyzed the data coming from this new locked drive. He found his old password and used the same method to look for the password on the old, previously impenetrable drive. It turns out the password for the old drive was set to ’0000′, an apparently highly secure password.

In going through a few forums, [blacklotus] found a lot of people asking for help with the same problem, and a lot of replies saying. ‘we don’t know if this hard drive is yours so we can’t help you.’ It appears those code junkies didn’t know how to unlock a hard drive ether, so [blacklotus] put all his tools up on GitHub. Great work, and something that didn’t end up as a Hackaday Fail of the Week as [blacklotus] originally expected.

587 total views, no views today

How to Hack Wifi (and how to avoid being hacked): WEP/WPA/WPA2 | CodeBangers

Standard

From: http://codebangers.com/?p=249

 

This guide is meant to show how easy it is to hack wireless networks if the proper security measures are not in place. First I will show how to hack a WEP or WPA/WPA2 Network and then I will give tips on how to avoid getting hacked.

This is important information in our techno-savy culture. If your wireless network is compromised you can be liable for any illegal activity on it. There are numerous stories of child pornographers and black-hat hackers using other peoples wireless networks.

NOTE: Hacking your neighbors or anyone else’s Wifi without their permission is ILLEGAL. Be smart!
Continue reading

647 total views, no views today