Archive for the Programming Category

Path Traverser – a new Path Traversal tool

Posted in Application, Programming, Vulnerability on June 17, 2012 by keizer

New development by me :)

Path Traverser is a tool for security testing of web applications. It operates as a middleman between your web application and its host server, giving you the ability to test the actual files found on your host server against the application, according to their relevant path.

How does it work?

After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out (ls -R) the list of files.

Then, it will manipulate the list taken from the file system so that it fits the web application by changing each file's path. How? Let's say that your application can be found at: http://mysrvr:777/home and the application files can be found in the file system under: myapps/demoapp/client/version/lastversion. Each file in the file system will receive its relevant path, so the files under: /myapps/demoapp/client/version/1.1/ will be created as: http://mysrvr:777/home/../1.1/ and requests for files under /myapp/differentapp/files/ will be created as: http://mysrvr:777/home/../../../../differentapp/files/, etc.

After that, Path Traverser will start sending these requests one by one. You will be able to follow along via the progress bar or the log file. If something goes wrong, go to the Log Tab and try to figure out what went wrong, or contact me at: pt@appsec.it – I will gladly help!
Now it's time to view the results, which can be found in the Results Tab. Each request that received one of the selected response codes from the server will be displayed next to the code in the Results Tab, e.g.: [200]   http://mysrvr:777/home/../1.1/actions.log. They can also be found in the file holding the relevant response code.
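The path mapping described above, as an added example in Python (not Path Traverser's own code): each file path from the host listing is rewritten relative to the application root and appended to the application URL, and a second helper takes the server's point of view and reports whether the resolved path lands outside the directory the application URL is meant to serve. BASE_URL and APP_ROOT are constructed to mirror the post's example.

```python
from posixpath import join, normpath, relpath
from urllib.parse import urlsplit, urlunsplit

# Constructed values mirroring the post's example; not Path Traverser's own code.
BASE_URL = "http://mysrvr:777/home"
APP_ROOT = "/myapps/demoapp/client/version/lastversion"


def traversal_url(base_url: str, app_root: str, fs_path: str) -> str:
    """Map a file on the host file system to the URL the tool would request.

    The file's path relative to the application root is appended to the
    application URL, so files outside that root get '../' segments.
    """
    rel = relpath(fs_path, app_root)            # e.g. '../1.1/actions.log'
    parts = urlsplit(base_url)
    path = parts.path.rstrip("/") + "/" + rel
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def probe_urls(base_url: str, app_root: str, listing: list[str]) -> list[str]:
    """Rewrite a whole 'ls -R' style listing (absolute file paths)."""
    return [traversal_url(base_url, app_root, p) for p in listing]


def escapes_root(base_url: str, app_root: str, url: str) -> bool:
    """Server-side view: once '..' segments are resolved, does the requested
    path leave the directory that the application URL is supposed to serve?
    A true result is what a defender wants the server to refuse and log."""
    base_path = urlsplit(base_url).path.rstrip("/")
    req_path = urlsplit(url).path
    if not req_path.startswith(base_path + "/"):
        return False                             # not under this application
    inside = req_path[len(base_path) + 1:]
    resolved = normpath(join(app_root, inside))
    return not resolved.startswith(app_root.rstrip("/") + "/")


if __name__ == "__main__":
    # Constructed listing: one file inside the app root, two outside it.
    listing = [
        "/myapps/demoapp/client/version/lastversion/index.html",
        "/myapps/demoapp/client/version/1.1/actions.log",
        "/myapps/otherapp/files/x.txt",
    ]
    for u in probe_urls(BASE_URL, APP_ROOT, listing):
        print(escapes_root(BASE_URL, APP_ROOT, u), u)
```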

Where? appsec.it/pt – for more information!

for help: appsec.it/pt/help.html


Here are some screenshots:

(screenshots omitted)

Of course, all features and assistance can be found on the Path Traverser website:

http://appsec.it/pt

RSA SecurID is compromised

Posted in Application, Encryption, Programming, Vulnerability on June 27, 2011 by keizer

RSA Security will replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.

The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.
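An added illustration of the point above, not RSA's code: SecurID's own algorithm is proprietary, so the public TOTP scheme (RFC 6238, HMAC-SHA1) stands in for it, with the RFC's test seed as a constructed value. The server and the token derive the same number from the shared seed and the current time, so anyone who obtains the seed derives it too, which is why a seed leak reduces the token to nothing.

```python
import hashlib
import hmac
import struct

# Constructed seed (the RFC 6238 test seed), standing in for a token's secret.
SEED = b"12345678901234567890"


def token_code(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """The number the token displays for the time window containing `now`.
    Stand-in algorithm: TOTP (RFC 6238), not RSA's proprietary one."""
    counter = now // step                       # time steps since the epoch
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def server_accepts(seed: bytes, submitted: str, now: int,
                   step: int = 30, drift: int = 1) -> bool:
    """Server side: recompute the code from the seed stored for this account,
    tolerating `drift` steps either way for clock skew between token and server."""
    for k in range(-drift, drift + 1):
        expected = token_code(seed, now + k * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def holder_of_leaked_seed(seed: bytes, now: int) -> str:
    """Whoever holds the seed and the algorithm computes exactly what the
    legitimate token shows; the 'something you have' factor is gone."""
    return token_code(seed, now)


if __name__ == "__main__":
    t = 59
    print(token_code(SEED, t))                                     # 287082
    print(server_accepts(SEED, holder_of_leaked_seed(SEED, t), t))  # True
```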

This admission puts paid to RSA’s initial claims that the hack would not allow any “direct attack” on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.

As a result, SecurID offered no defense against the hackers that broke into RSA in March. For those hackers, SecurID was rendered equivalent to basic password authentication, with all the vulnerability to keyloggers and password reuse that entails.

RSA Security Chairman Art Coviello said that the reason RSA had not disclosed the full extent of the vulnerability was that doing so would have revealed to the hackers how to perform further attacks. RSA’s customers might question this reasoning; the Lockheed Martin incident suggests that the RSA hackers knew what to do anyway, and failing to properly disclose the true nature of the attack served only to mislead RSA’s customers about the risks they faced.

RSA is working with other customers believed to have been attacked as a result of the SecurID compromise, though it has not named any. Defense contractors Northrop Grumman and L-3 Communications are both rumored to have faced similar attacks, with claims that Northrop suspended all remote access to its network last week.

(Thanks to: arstechnica.com and some friends in RSA…)

(another) Facebook Scam – “dislike” Button

Posted in Malware, Programming, Scams on May 24, 2011 by keizer

Have you seen this post around?

Messages claiming to offer the opposite of a Like button have been appearing on many Facebook users’ walls…

The fact that the “Enable Dislike Button” link does not appear in the main part of the message, but lower down alongside “Link” and “Comment”, is likely to fool some users into believing that it is genuine.

Researchers from Sophos have spotted a currently circulating “Enable Dislike Button” Facebook scam.

Next comes a “Follow the steps below to get the Dislike button” instructions page, similar to the one seen in the Osama Execution video scam published by ZDNet:

However, clicking on it will not only forward the fake message about the so-called “Fakebook Dislike button” to all of your online friends by posting it to your profile, but also run obfuscated JavaScript on your computer.

Once users copy and paste the obfuscated JavaScript into their browsers, all of their friends will be spamvertised with a wall post about the non-existent Dislike feature. The campaigners appear to be monetizing the campaign through a survey scam.


For the time being, no “dislike” button is provided by Facebook, and there isn’t ever likely to be one.

But it remains something that many Facebook users would like, and so scammers have often used the offer of a “Dislike button” as bait for the unwary.

And surprise… here’s the JavaScript source code: http://pastebin.com/uzCkfFQ4

Evil, evil Facebook… ;)

…and Go! (null pointer dereference)

Posted in Programming, Vulnerability on May 18, 2011 by keizer

Hello World…

Since this is my first On-Air blog, and the name of it is ‘Null Pointer’, I think it would be appropriate to actually write about it, and explain what’s lying behind the name:

The name nu11p0inter was taken from the vulnerability – Null Pointer Dereference:

A null pointer dereference occurs when a pointer whose value is NULL is used as if it pointed to a valid memory area: the program attempts to read from or write through it, causing an immediate segmentation fault.

Some call it a crash, some a security bug…

You ask why?

One could say that if a program attempts to dereference a NULL pointer, the program will always terminate with a segmentation fault error and a crash of the process.
Another will say: unless exception handling is invoked…

But even then, little can be done to salvage the process, so I guess it is only a matter of the security policy of the environment where it is found.

Of course, I will not leave you without a code sample of a null pointer dereference:

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char buf[255];
    char *ptr = NULL;        /* NULL is assigned */

    if (argc > 1) {
        ptr = argv[1];       /* only set when an argument was given */
    }
    strcpy(buf, ptr);        /* pointer is dereferenced: with no argument, ptr is still NULL */

    return 0;
}

How to avoid it? It is very simple:

1. Before using a pointer, ensure that it is not equal to NULL:

if ( ptr != NULL ) {
 /* use pointer... */
 /* ... */
}

2. When freeing pointers, ensure they are not NULL before the call, and be sure to set them to NULL once they are freed:

if ( ptr != NULL ) {
 free(ptr);
 ptr = NULL;
}

…and now you know what’s behind the mind!