Command Injection Without Spaces

I came across a nice little command injection vulnerability while doing a bug bounty recently. The only catch was that I couldn't use any spaces in the commands. Let me go into the details...

Note: I can't post any details about the application as it was a private bounty program.

It all began with the page providing an input box for doing 'nslookup' of a domain or IP entered by the user.
A page like this always excites a bug bounty hunter as the application has to pass user's input to underlying system command to perform nslookup and present the output of that command in the browser. If the developer has made any mistake in validating and sanitizing the input, they inadvertently open the doors to attackers misusing this feature to execute arbitrary commands on the server.

So, when I saw the input box I started to explore and try to force the application in executing arbitrary commands.
I began with simple input google.com

My next automatic try was to input google.com && ls
This returned same output as above, meaning the application ignored additional command provided by me. The same story continued for all my tries such as google.com || ls
When I tried input google.com>/tmp/test.txt the output window came blank which was strange. This suggested maybe the application is filtering spaces so I tried the same commands but without spaces and...

Success!

But the problem with spaces was still not solved. For the input google.com&&cat /etc/passwd the application again ignored anything after the space.

:(

Then my next obvious move was to search on Google for this issue because if I am facing this issue, somebody must have already faced similar situation. Needless to say, Google didn't disappoint.

Enter "Bash Brace Expansion". 

According to this, if you provide input like following on the bash terminal: {echo,hello,world} it will execute the command echo hello world

That was neat and TIL moment for me.

I tried it in my application but that didn't succeed. Maybe because the application I was targeting was an embedded device and the shell was a busybox shell. On more Googling, my doubt was confirmed.

So I was again back to Google looking for different solution. Then I came across this thread - http://seclists.org/pauldotcom/2012/q2/200

According to this, you can execute commands without spaces like this: CMD=$'\x20a\x20b\x20c';echo$CMD

Look at the cleverness of that! More TIL!

Here, CMD is an environment variable containing encoded spaces. On running that we get echo a b c

Now, I tried that in my application with little modification CMD=$'\x20a\x20b\x20c'&&echo$CMD

Bingo!

From here, executing arbitrary commands was a cakewalk. Input google.com&&CMD=$'\x20/etc/passwd'&&cat$CMD

/etc/passwd

Curious case of Yammer XSS

Microsoft recently (finally!!) started with their bug bounty program for some of the online services. Yammer is part of its scope. Noticing this I jumped on to find bugs in Yammer because it looked to be the easier of the targets. This post is about a strange stored XSS I found in Yammer apps which would have allowed non-admin users to steal cookies from admin users and also do other nasty stuff.

To begin with, Yammer is a private social network that helps employees collaborate across departments, locations and business apps. 

Once logged in to Yammer, any user can create and publish apps to the organization's Apps directory. This process does not require authorizations or approvals. Apps are published to the app directory some time after it is created.

Apps can be created from https://www.yammer.com/client_applications.
When registering the app, Yammer takes in Redirect URI value which is "the URL to redirect the user's browser to after the user has linked the application to their Yammer account"

I put javascript:alert(document.cookie)// as the redirect URI.

In such cases, browser does a 302 redirect to this Redirect URI. Due of security measures in browsers, it is not generally possible to abuse 302 redirects for XSS by redirecting to javascript or data URIs. Browsers won't redirect to javascript URIs even if it is in the Location header of the response. 

In case of Yammer, something strange was happening. When a user tried to use the app in Internet Explorer, browser was properly doing a 302 redirect hence blocking my javascript but in Chrome and Firefox, a 200 OK response was returned with my redirect URI in response body. The browser would then try to load that URI and BINGO!! Javascript executed successfully!

Watch the video below for complete demonstration of attack.

(I originally recorded the video in swf and now I couldn't find a decent swf to video converter so I recorded the video of the video :-D)

Microsoft fixed this issue pretty quickly and also added my name to the Bounty Honor Roll. Thats all for now. Over n out.

Facebook, Only Me... really??

In my quest for finding bugs on the internet in my free time, I stumbled upon some information disclosure / privacy settings violation issues on Facebook and reported them promptly (after 2 months of discovery :P). Facebook took them seriously and responded promptly (again 1~2 months after the report) and fixed one of them. This entry describes how anyone could find out the information which you have entered in your profile but kept it hidden (Privacy settings == Only Me) just by becoming your friend. 

This is going to be the lamest / non-technical bug you are ever going to see. So brace yourself.

First, the victim has to set the information which he doesn't want to disclose with privacy settings as "Only Me".

Second, The attacker adds the victim as a friend. Remember, for this "attack" to work, the victim has to be the only friend in attackers friends list. Either the attacker creates a new profile and adds victim as a friend or unfriends all the friends but the victim, anything can work.

Third, attacker goes to update his profile. When he clicks on the textbox to enter the information, Facebook, trying to be helpful, conveniently displays suggestions which are nothing but the values which victim has entered and kept private even from his friends. TADA! Privacy violations!!

Sometimes being helpful does not mean being nice. 

No matter how lame, it was privacy violation. Facebook accepted it and fixed it. Kudos to them. No such helpful suggestions are shown if your privacy settings are set to "Only Me".

Installing VMWare Player / Workstation on Kali Linux

This guide is for installing VMware Player or Workstation on Kali Linux. Although this is a simple task, I faced an issue with the kernel headers when launching VMware Player, hence this blog post.

I did these steps with VMware Player but same steps can be followed for Workstation.

1. First of all, download the VMware Player from https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/5_0

2. Make the downloaded file executable by navigating to the directory where you downloaded the bundle and execute:
chmod +x VMware-Player-5.0.1-894247.x86_64.bundle

3. Open Terminal and install the packages needed by VMware Player

apt-get install build-essential linux-headers-`uname -r`

This will install the kernel headers of your current Linux kernel version.

4.After packages are installed, start the VMware Player installer

./VMware-Player-5.0.1-894247.x86_64.bundle

This is pretty much it.

5.Launch the VMware Player by navigating to it from the main menu.

At this stage, I got an error saying that "Kernel headers for kernel version 3.7-trunk-amd64 could not be found."

That was strange, because I had the kernel headers for this version already installed.

After a little looking around, I found the solution.
To solve this issue, do the following steps:

cd /lib/modules/$(uname -r)/build/include/linux 

sudo ln -s ../generated/utsrelease.h

sudo ln -s ../generated/autoconf.h

sudo ln -s ../generated/uapi/linux/version.h

Hopefully someone will find this solution useful.

Passively Monitoring Network Traffic On Wireless Networks

Many times, during penetration tests, we have to monitor the data flowing inside the network. Achieving this on an Ethernet network is simple as we can just connect a network cable and be a part of the target network.  But that makes us accountable and someone from the network can find out that someone is monitoring the traffic.

In wireless networks, we have an advantage of monitoring the network traffic passively.  The packets are freely flowing over the air and we just need to be able to see them.

To be able to monitor network traffic, we must put our wireless adapter in Monitor mode.

airmon-ng start wlan0

This will start the monitor mode on a virtual interface such as “mon0”

To start dumping data from the target network, we need to know following things:

1. BSSID – MAC address of the Access Point
2. Channel on which the Access Point working

To find out these things, we can run airodump on all the channels. This will list all available wireless networks with various pieces of information for each network.

We can start dumping the data from target network using airodump-ng utility from aircrack-ng suite.

airodump-ng --bssid 90:F6:52:30:24:17 -w test_dump -c 1 mon0

This will start monitoring traffic on Access Point with BSSID = 90:F6:52:30:24:17 and channel =1 and the packets will be stored in a file named “test_dump”

After we have captured enough packets we can move on to extract data from the packets.

But this task is not as easy as it sounds.

The packets that are flowing through the air are encrypted and they must be decrypted for making them readable by other programs.

If we already know the passphrase for the network, we can decrypt the network traffic right away. In case we don’t know the password for the networks, we may have to take the following steps.

In case of WEP networks, the packets are simply encrypted using the passphrase as the key. We can easily find the key using aircrack-ng program if we have captured enough IVs and then move on to decrypt the packets.

There are many tutorials on how to crack WEP key, like this one

In case of WPA/WPA2 networks, the key is never transmitted over the air. This makes it a little difficult to attack. The key to finding the passphrase of WPA/WPA2 network is in the 4-way handshake which happens when a new client is connected to the network. If we have captured the 4-way handshake, we are good to go and crack the passphrase using aircrack-ng utility. If you haven’t captured a handshake, learn how to do that.

Assuming we have found the passphrase, we can decrypt the network traffic captured earlier using utility called airdecap-ng.

For WEP networks,

airdecap-ng -w <passphrase> test_dump-01.cap

For WPA/WPA2 networks,

airdecap-ng -p <passphrase> test_dump-01.cap

This will create a file with name test_dump-01-dec.cap which contains all the decrypted packets!

Now we can use this file and extract juicy data from it using tools like xplico, chaosreader, tcpxtract etc.

Thats all for passively capturing data over a wireless network. We can do much more when we have all the packets in our hands. More on that later.