If you travel a lot, especially for business, you are at one point probably concerned about the contents of your luggage. Usually, you find a possibility to lock it either with a padlock or with a number lock, TSA approved, or not. However, the following video shows that even secured luggage might not be as secure as it looks like.
Thanks to Norb, who sent us the link to the kipkay.com site, from where this video is originally from. So take what you send and how you secure your luggage, the next time.
Friday, December 30, 2011
Thursday, December 29, 2011
Know the platforms you use
The open source content management platform Drupal is widely used for both commercial and personal web pages. While using a ready-made content management system makes life easier by hiding some complexity, it also bears the risk that your web page has some functionality available you are not aware of and do not want to expose.
Many web pages based on Drupal are used as personal blogs or just offer some company information. In these cases, Drupal is more or less just used to "hide the HTML stuff underneath". Drupal (and add-ons), however, can offer far more functionality such as discussion boards or community management.
One common functionality is the user registration, by default available at the URL path "/user/register". A lot of these interfaces can be found by a simple Google search (click here). In the cases shown, this is most likely desired functionality, where users should be able to register their own accounts and (depending on their rights) create or alter web page contents.
Sometimes, however, user registration interfaces just have been forgotten and they were never disabled after the initial installation. Although they are not linked from the normal web page contents, the relevant pages are still present. In these cases, an attacker might simply register his own account and, for example, modify web page data. This simple example shows that it is always important to have knowledge about the platform you use - be it a content management system like Drupal or be it infrastructure components such as application servers (JBoss, Tomcat, etc.)
In order to automate the task of finding and reporting Drupal user registration interfaces during security assessments, I created a simple script that uses the nmap scripting engine. More information about the nmap scripting engine and all the ready-made scripts that already ship with your nmap installation can be found here.
Unfortunately, I cannot add attachments to this blog post, so I paste the script here at the end, which makes the whole message a bit lengthy...
Many web pages based on Drupal are used as personal blogs or just offer some company information. In these cases, Drupal is more or less just used to "hide the HTML stuff underneath". Drupal (and add-ons), however, can offer far more functionality such as discussion boards or community management.
One common functionality is the user registration, by default available at the URL path "/user/register". A lot of these interfaces can be found by a simple Google search (click here). In the cases shown, this is most likely desired functionality, where users should be able to register their own accounts and (depending on their rights) create or alter web page contents.
Sometimes, however, user registration interfaces just have been forgotten and they were never disabled after the initial installation. Although they are not linked from the normal web page contents, the relevant pages are still present. In these cases, an attacker might simply register his own account and, for example, modify web page data. This simple example shows that it is always important to have knowledge about the platform you use - be it a content management system like Drupal or be it infrastructure components such as application servers (JBoss, Tomcat, etc.)
In order to automate the task of finding and reporting Drupal user registration interfaces during security assessments, I created a simple script that uses the nmap scripting engine. More information about the nmap scripting engine and all the ready-made scripts that already ship with your nmap installation can be found here.
Unfortunately, I cannot add attachments to this blog post, so I paste the script here at the end, which makes the whole message a bit lengthy...
description = [[
Reports possible user registration pages of the Drupal CMS,
available at the URL path "/user/register". Some Drupal
installations have this functionalty unintentionally left open.
]]
---
-- @usage
-- nmap -p 80 --script drupal-registration-page.nse example.com
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | drupal-registration-page.nse: Possible CMS user registration
-- |_interface at: http://example.com:80/user/register
author = "mk"
license = "BSD license (3 clause)"
categories = {"safe", "discovery"}
require 'shortport'
require 'http'
require 'stdnse'
local url = "/user/register"
-- Strings that must be present in a working registration page
local positiveCriteria = {
"<form action=\"/user/register\"",
"<input type=\"text\" maxlength=\"64\" name=\"mail\""
}
-- Strings that must not be present in a working registration page
local negativeCriteria = {
"Access Denied",
"You are not authorized"
}
function portrule(host, port)
return shortport.http(host, port)
end
function action(host, port)
local httpResp
local msg = {}
-- Abort if the HTTP response is empty or not 200 OK
httpResp = http.get(host, port, url)
if httpResp.status ~= 200 or httpResp.body == "" then
return nil
end
-- Abort if known "access denied" strings are found
for k,v in pairs(negativeCriteria) do
if string.find(httpResp.body,v) then
return nil
end
end
-- Abort if known registration page strings cannot be found
for k,v in pairs(positiveCriteria) do
if not string.find(httpResp.body,v) then
return nil
end
end
-- Output message
msg[#msg+1] = "Possible CMS user registration interface at:"
msg[#msg+1] = port.service .. "://" .. host.targetname .. ":" ..
port.number .. url
return stdnse.strjoin("\n", msg)
end
Sunday, July 24, 2011
In case anybody is still wondering...
Given the media attention to recent hacks (Anonymous, AntiSec, NoNameCrew, etc) it is easy to observe how the public reacts to these incidents and read some comments on what people think about it. The most common reaction seems to be astonishment and a bit of surprise how apparent technical barriers can be circumvented.
Google dorks are by no means new, but do a good job in demonstrating how easy it could be sometimes. In the case of the German Customs Authority hack a misconfigured XAMPP installation seemed to be the gateway into the internal network. XAMPP is a preconfigured web development environment not intended for production use, as some security options are purposely turned off. Want some more XAMPP installations connected to the internet? Click here.
Looking for access to phpMyAdmin, a tool to administer web sever databases (and potentially to get full r/w access to several web sites at once)? Click here. Looking for user names and passwords of FTP logins, potentially used for web site administration? Click here. (By the way, a free online tool to decrypt these obfuscated passwords can be found here.)
Looking for access to the JMXConsole, an administrative interface of the JBoss application server that potentially allows you to upload your own applications and execute arbitrary operating system commands? Click here.
All in all, from my point of view, chances that a person with little knowledge can easily carry out an attack that gets media attention are quite high, if the attack process is turned around: Don't pick a juicy target and search for vulnerabilities - instead take a vulnerability or misconfiguration and search for a well-known target.
Google dorks are by no means new, but do a good job in demonstrating how easy it could be sometimes. In the case of the German Customs Authority hack a misconfigured XAMPP installation seemed to be the gateway into the internal network. XAMPP is a preconfigured web development environment not intended for production use, as some security options are purposely turned off. Want some more XAMPP installations connected to the internet? Click here.
Looking for access to phpMyAdmin, a tool to administer web sever databases (and potentially to get full r/w access to several web sites at once)? Click here. Looking for user names and passwords of FTP logins, potentially used for web site administration? Click here. (By the way, a free online tool to decrypt these obfuscated passwords can be found here.)
Looking for access to the JMXConsole, an administrative interface of the JBoss application server that potentially allows you to upload your own applications and execute arbitrary operating system commands? Click here.
All in all, from my point of view, chances that a person with little knowledge can easily carry out an attack that gets media attention are quite high, if the attack process is turned around: Don't pick a juicy target and search for vulnerabilities - instead take a vulnerability or misconfiguration and search for a well-known target.
Saturday, June 25, 2011
What login screens reveal
This picture was sent to us by Flo just a couple of days ago. Thanks buddy, keep being that active! What it shows is a company's desktop background. We don't have much more information on that but we can tell from experience that you find such screens a lot more often than you would think.
Administrators in big companies tend to use the desktop background to include detailled information on (most likely server) systems they use. This if of course helpful if you do a lot of remote work and don't wanna accidentally reconfigure a wrong server. However, as practical as it might be for admins, as practical is it for remote (or even local) attackers.
There is some information anonymised on this picture, but I'm sure you get that there are a lot of questions that can be answered just by looking at this picture. You can probably derive the server's role in the network from its hostname. IP address info gives you more knowledge about the network - how a local user could connect or in which address space the servers reside in. You get information about which domain the server belongs to and even get alrady a valid administrator username! You don't have to do any OS recon anymore, do you? Just start preparing your exploints right away. And if you are not sure if a DoS attack would be viable - just have a short look at its cpu, memory, volumes and free space.
Decide yourself if you wanna give all this information to strangers in your network, but probably you do better with increasing the awareness of your admins.
Administrators in big companies tend to use the desktop background to include detailled information on (most likely server) systems they use. This if of course helpful if you do a lot of remote work and don't wanna accidentally reconfigure a wrong server. However, as practical as it might be for admins, as practical is it for remote (or even local) attackers.
Decide yourself if you wanna give all this information to strangers in your network, but probably you do better with increasing the awareness of your admins.
Thursday, June 23, 2011
Information disclosure classic
A few days ago, I spent a couple of hours on a train which by chance lead me to the following information disclosure classic. The person in front of me did some work on his notebook and obviously was not aware that someone might be watching. He was editing a cooperation aggreement that of course showed the involved parties on its first page and allowed me to read some details.
I googled the companies (mostly in the field of smoke detectors and facility management) and from what I saw, they are not really "big players". But I am pretty sure a lot of large companies also fail in protecting their internal information in these situations. A simple screen privacy filter would have done the job. :-)
Thursday, June 2, 2011
Insecure Key Switch and Full Mailbox
Being very active we got another hint from Flo, who shot the following two pictures during a physical assessment. He posted those pictures on his own blog dosbartjones.org, so we will just keep his text and pictures in original and wanna refer to his own blog entry at this point. Thanks for your contribution to the project, Flo.
Easy access to your mailbox
This image has been taken while performing a physical security assessment and shows the vulnerability of a stuffed mailbox. This mailbox has not been emptied in a while and can easily be accessed by outsiders. It was not even necessary to pick locks.
Insecure key switch
The following image displays an insecure key switch. This switch in particular controls the access to a company building. Although an attacker might try to break the lock, a screwdriver is everything one would need to gain entry.
Sunday, May 22, 2011
Police in Paris probably doesn't have ISO 27001 in place
It is already three years ago that Flo was wandering through the streets of Paris. Thanks to him that he didn't forget to send us his observations from this tour through the city of love. The pictures he sent us have nothing to do with love, though.
What he discovered was this police station in the heart of the city. It looks quite fine at first, but an expert eye probably instantly sees what is wrong in this picture.
Chapter 9.2.3 "Cabling Security" of ISO 27002 states: "Power and telecommunications cabling carrying data or supporting information services should be protected from interception or damage."
I agree that the cable coming from inside the building, hanging just besides the video camera near the entrance is in a height that a 1,60 m tall woman or man cannot instantly catch it and get some data or video feeds. But, letting this cable reside on a nevertheless easy to reach position outside of the building is definitely a breach according to the above stated paragraph in ISO 27002.
So we might come to the conclusion that the police in Paris has not implemented ISO 27001 in their information security system. Probably they have, but then they should probably re-think their security strategy.
What he discovered was this police station in the heart of the city. It looks quite fine at first, but an expert eye probably instantly sees what is wrong in this picture.
I agree that the cable coming from inside the building, hanging just besides the video camera near the entrance is in a height that a 1,60 m tall woman or man cannot instantly catch it and get some data or video feeds. But, letting this cable reside on a nevertheless easy to reach position outside of the building is definitely a breach according to the above stated paragraph in ISO 27002.
So we might come to the conclusion that the police in Paris has not implemented ISO 27001 in their information security system. Probably they have, but then they should probably re-think their security strategy.
Subscribe to:
Posts (Atom)