Bitdefender Total Security 2017 Unquoted Service Path Vulnerability


Vulnerability Title: Bitdefender Total Security 2017 Unquoted Service Path Vulnerability

Affected Product: Bitdefender Total Security 2017

Homepage: https://www.bitdefender.com/

Status: Fixed

Severity: Medium

Description:

Bitdefender Total Security suffers from an unquoted service path vulnerability, which could allow an attacker to…
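The defining feature of this bug class is a service binary path that contains spaces but is not wrapped in quotes, so the service control manager may resolve a shorter, attacker-controllable file name before the intended executable. The audit helper below is an added example (not Bitdefender's code and not from the advisory); the sample service entries, the "Example Vendor" path and the service names are constructed placeholders shaped like the ImagePath values an administrator exports with `sc qc <name>` or reads from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.

```python
"""Audit helpers for the unquoted-service-path bug class (added example)."""

# Constructed sample of service ImagePath values, shaped like what `sc qc <name>`
# or the ImagePath registry value returns. "Example Vendor" is a placeholder,
# not the product from the advisory.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\good.exe" -service',
    "PlainSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "WeakSvc": r"C:\Program Files\Example Vendor\svc.exe",
}


def _binary_part(image_path: str) -> str:
    """Strip trailing arguments: keep everything up to and including the first '.exe'."""
    p = image_path.strip()
    idx = p.lower().find(".exe")
    return p[: idx + 4] if idx != -1 else p


def is_unquoted_service_path(image_path: str) -> bool:
    """True when the executable path contains a space and is not quoted."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    return " " in _binary_part(p)


def lookup_candidates(image_path: str):
    """The file names Windows tries, in order, when resolving an unquoted path:
    each space is treated as a possible end of the program name and '.exe' is
    appended. Every directory that would hold one of these candidates must not
    be writable by unprivileged users; that is the check an auditor performs."""
    binary = _binary_part(image_path)
    parts = binary.split(" ")
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(binary)
    return candidates


def audit_services(services: dict) -> list:
    """Names of services whose ImagePath is unquoted and contains spaces."""
    return sorted(name for name, path in services.items()
                  if is_unquoted_service_path(path))


if __name__ == "__main__":
    for name in audit_services(SAMPLE_SERVICES):
        print(name, "->", lookup_candidates(SAMPLE_SERVICES[name]))
```

The fix on the vendor side is simply to quote the path (the `GoodSvc` entry shows the correct form); on the administrator side, the candidate list tells you which directories to verify for write permissions until the patch is applied.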


USB Pratirodh XML External Entity Injection Vulnerability

Vulnerability Title: USB Pratirodh XML External Entity injection Vulnerability
Affected Product: USB Pratirodh
Product Homepage: https://cdac.in/index.aspx?id=cs_eps_usb_pra
CVE-ID : CVE-2017-6895
Severity: Medium
Class: XXE [CWE-611]
Impact: XML External Entity, Information Disclosure, Denial Of Service
Author: Sachin Wagh (@tiger_tigerboy)

Description:

USB Pratirodh is prone to an XML External Entity (XXE) injection vulnerability.
An XXE attack targets an application that parses XML input from untrusted sources with an incorrectly configured XML parser. It may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
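The parser-level fix is to disable DTD processing and external entity resolution in whatever XML library the application uses; a library-independent defence for a configuration file such as usb.xml is to reject any document that carries a DOCTYPE at all, since a config file has no legitimate need for one. The example below is added here and is not USB Pratirodh's code; the usb.xml structure (`<usb>`/`<device>`) and both inputs are constructed, and the hostile sample points its external entity at a placeholder URI.

```python
"""Reject DTD/entity declarations before handing XML to a parser (added example)."""
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE is refused: DOCTYPE is where ENTITY declarations live, and a
# device whitelist file has no reason to carry one.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(r"<!ENTITY", re.IGNORECASE)


class UnsafeXmlError(ValueError):
    """Raised when the document declares a DTD or an entity."""


def safe_parse(xml_text: str) -> ET.Element:
    if _DOCTYPE_RE.search(xml_text) or _ENTITY_RE.search(xml_text):
        raise UnsafeXmlError("DTD/entity declarations are not allowed in this file")
    return ET.fromstring(xml_text)


def load_allowed_devices(xml_text: str) -> list:
    """Serial numbers of whitelisted devices from a (constructed) usb.xml layout."""
    root = safe_parse(xml_text)
    return [d.get("serial") for d in root.iter("device")
            if d.get("allowed") == "true"]


def is_rejected(xml_text: str) -> bool:
    try:
        safe_parse(xml_text)
    except UnsafeXmlError:
        return True
    return False


# Constructed benign configuration in the assumed usb.xml shape.
BENIGN = """<?xml version="1.0"?>
<usb>
  <device serial="ABC123" allowed="true"/>
  <device serial="XYZ789" allowed="false"/>
</usb>"""

# Constructed hostile input in the shape of an XXE payload: a DOCTYPE that
# declares an external entity. The SYSTEM URI is a placeholder.
HOSTILE = """<?xml version="1.0"?>
<!DOCTYPE usb [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>
<usb><device serial="&ext;" allowed="true"/></usb>"""

if __name__ == "__main__":
    print("benign devices:", load_allowed_devices(BENIGN))
    print("hostile rejected:", is_rejected(HOSTILE))
```

The pre-check runs on the raw text, so it works the same in front of any parser; it is deliberately stricter than necessary (a harmless internal DTD is also refused) because for this kind of file the false-positive cost is nil.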

Proof of Concept:

Add the code shown below after the XML declaration in the usb.xml file.

Figure: XXE proof of concept (image sachin_wagh_xxe)

Reference:

XML External Entity (XXE) Processing

XML External Entities

Credit:

Sachin Wagh (@tiger_tigerboy)

 

Nmap for Vulnerability Discovery

Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing.

The purpose of this post is to introduce the nmap command line tool for scanning a host and/or network in order to find the possible vulnerable points on the hosts.

Nmap is a very powerful utility that can be used to:

  • Identify the open ports on a host (port discovery or enumeration)
  • Detect the live hosts on a network (host discovery)
  • Detect the software and version running on each port (service discovery)
  • Firewall/IDS evasion and spoofing
  • Identify the operating system, hardware address, and software version
  • Detect vulnerabilities and security holes (Nmap scripts)

Usage:

nmap [Scan Type(s)] [Options] {target specification}

 Overview of Basic Scanning Options:

This section covers the basics of network scanning with Nmap.

https://secur1tyadvisory.files.wordpress.com/2015/08/1-nmap-sachin_wagh2.png?w=700

Figure: Nmap Basic Scanning Option

https://secur1tyadvisory.files.wordpress.com/2015/08/2-nmap-sachin_wagh.png?w=462&h=285

Figure: Nmap Aggressive Scan

The aggressive scan selects some of the most commonly used options within Nmap. The -A parameter is a synonym for several advanced options (such as -O -sC --traceroute) which can also be enabled individually.

Nmap Scan Types:

The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS]. For more detail please visit http://nmap.org/book/man-port-scanning-techniques.html

https://secur1tyadvisory.files.wordpress.com/2015/08/3-nmap-sachin_wagh.png?w=700

Figure: Nmap Scan Types

TCP SYN Scan:

The TCP SYN scan is the default option. The default TCP SYN scan attempts to identify the 1000 most commonly used TCP ports by sending a SYN packet to the target and listening for a response. This type of scan is said to be stealthy because it does not attempt to open a full-fledged connection to the remote host. This prevents many systems from logging a connection attempt from your scan.

TCP Connect Scan:

TCP connect() port scanning is the simplest type of probe to launch. There is no stealth whatsoever involved in this form of scanning. This scan method uses the same TCP handshake that every other TCP-based application on the network uses.

Version Detection:

https://secur1tyadvisory.files.wordpress.com/2015/08/4-nmap-sachin_wagh.png?w=700

Figure : Version Detection

The -sV option attempts to identify the vendor and software version for any open ports it detects. An interesting, relatively new feature in Nmap is its ability to obtain version information for various TCP and UDP services on target machines. This is done in conjunction with whatever other scans you choose to run.

Overview of Port Scanning Options:

Sometimes you need to scan outside the default range of ports to look for uncommon services. This section covers the options which allow this and other port-specific features.

https://secur1tyadvisory.files.wordpress.com/2015/08/5-nmap-sachin_wagh.png?w=700

Figure: Port Scanning Options

Overview of Version Detection Options:

The process of identifying a target’s operating system and software versions is known as fingerprinting. This section covers the options for operating system detection and service version detection.

https://secur1tyadvisory.files.wordpress.com/2015/08/6-nmap-sachin_wagh.png?w=700

Figure: Version Detection Options

Overview of Timing Options:

There are six templates (numbered 0-5) that can be used to speed up scanning (for faster results) or to slow down scanning (to evade firewalls). The table below describes each timing template.

https://secur1tyadvisory.files.wordpress.com/2015/08/7-nmap-sachin_wagh.png?w=700

Figure: Timing Options

Overview of Output Options:

Nmap offers several options for creating formatted output. In addition to displaying the standard output on screen, nmap can save scan results to a text file, an XML file, or a single-line grepable file.

 https://secur1tyadvisory.files.wordpress.com/2015/08/8-nmap-sachin_wagh.png?w=700

Figure: Output Options

Conclusion:

In this article, we discussed in detail the various Nmap scan types and the practical use of these commands to scan various devices and networks. There are many other things you can do with Nmap, and we will discuss them in future articles.

Information Gathering – First Step of Hacking

INTRODUCTION

Footprinting is an ethical hacking process of gathering information about the target and its environment.

This is a pre-attack stage, and considerable effort goes into keeping these operations stealthy so that the target cannot trace them back to you. Footprinting is the first and most important step, because after it a penetration tester knows how an attacker sees the network.

Good information gathering can make the difference between a successful pentest and one that has failed to provide maximum benefit to the client.

It includes:

  • Registration details of the website and contact details.
  • Email harvesting.
  • Finding the target IP address and determining the network range.
  • Identifying active machines, DNS records and subdomains.
  • Operating system fingerprinting.
  • Finding login pages and sensitive directories.
  • Finding any known vulnerability for that particular version.

WHOIS Database Lookup

WHOIS gives us access to information about the target, including registration details, IP address and contact information such as the postal address, e-mail ID and phone number. It also displays the domain owner and the domain registrar.

https://secur1tyadvisory.files.wordpress.com/2015/07/1-whois1.jpg?w=473&h=285

Figure: WHOIS

WHOIS Lookup Websites:

Email Harvesting

The theHarvester tool, available in Kali Linux, gathers e-mail accounts, usernames and hostnames/subdomains.

As an example, if you want to find e-mail addresses and hostnames for a target domain using Google, following is the appropriate command:

# ./theHarvester.py -d targetdomain -l 100 -b google

https://secur1tyadvisory.files.wordpress.com/2015/07/emailll.jpg?w=430&h=285

Figure: Email Harvesting

Email harvesting can be used by hackers to carry out a phishing campaign against an entire organization. This is one aspect of how e-mail addresses can be misused. Computer users, who are often unaware of phishing attacks, can fall victim and end up losing confidential information to the hackers.

Search Engine Hacking

Making search queries about your target in search engines (Google, Yahoo, Bing, etc.) can also reveal a great amount of information if used properly. Google Advanced Search, or Google Hacking, can help to locate more detailed information such as company policies, employee details and hidden online pages. The Google Hacking Database is a database of queries that identify sensitive information.

https://secur1tyadvisory.files.wordpress.com/2015/07/goo.png?w=406&h=285

Traceroute

Traceroute sends UDP or ICMP ECHO packets with a Time To Live (TTL) of one, incrementing the TTL until the target is reached; tcptraceroute instead sends TCP SYN packets to the target.

tcptraceroute will receive a SYN/ACK packet if the port is open, and it will receive a RST packet if the port is closed.

https://secur1tyadvisory.files.wordpress.com/2015/07/traceroute.jpg?w=404&h=285

Figure: Traceroute

After hop 17 we are no longer able to get route information. Usually this is because our traceroute is being blocked by a filtering device.

DNS Reconnaissance

We can interact with a DNS server using various DNS clients such as host, nslookup, dig, etc.

nslookup is a program available on Windows and Unix for querying Domain Name System (DNS) servers to find DNS details, including the IP addresses of a particular computer, the MX records for a domain and the NS servers of a domain. The name nslookup means “name server lookup”.

https://secur1tyadvisory.files.wordpress.com/2015/07/nslookup.png?w=700

Figure: Nslookup

The above image shows that we connected to the local DNS server and asked it to resolve a record for us. The server responded with the IP address of the victim.

Before going ahead try to understand some DNS records. For more details please visit https://en.wikipedia.org/wiki/List_of_DNS_record_types

– A – Points to the host IP address.
– MX – Points to the domain mail server.
– NS – Points to the host name server.
– CNAME – Canonical name, allowing aliases for a host.
– SOA – Indicates authority for the domain.
– SRV – Service record.
– PTR – Maps an IP address to a hostname.
– RP – Responsible person.
– INFO – Host information.

In order to retrieve mail server information we can use the following commands:

https://secur1tyadvisory.files.wordpress.com/2015/07/12.jpg?w=700

Figure: Nslookup query for mail server

DNS information gathering can be divided into the following main techniques:

  1. Forward lookup bruteforce
  2. Reverse lookup bruteforce
  3. Verifying SPF record
  4. Zone transfers

1. Forward lookup bruteforce

The main idea behind this technique is to guess valid server names within the organization. We can try this using the host command; the output gives us the IP address of the server.

https://secur1tyadvisory.files.wordpress.com/2015/07/fww.jpg?w=700

Figure: Forward lookup

2. Reverse lookup bruteforce

This technique is the reverse of forward lookup bruteforce: here the victim’s IP address is known and we need to find the server names and other information pertaining to the organization.

https://secur1tyadvisory.files.wordpress.com/2015/07/rv1.jpg?w=700

Figure: Reverse lookup

3. Verifying SPF Record

An SPF record is a TXT record that is part of a domain’s DNS zone file. The TXT record specifies a list of authorized host names/IP addresses that mail can originate from for a given domain name.

https://secur1tyadvisory.files.wordpress.com/2015/07/spf.png?w=700

Figure: Verifying SPF record

The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
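Verifying an SPF record means more than confirming the TXT record exists: the receiving side walks the mechanisms in order, follows `include:` into other domains, and stops at the first match, so a record is only as strong as its final `all` qualifier and everything it includes. The evaluator below is an added example, not part of the post; it uses only the standard library and replaces live DNS with a constructed table of TXT records (`example.com` and `_spf.mail.example` are placeholders), covering the `ip4`, `ip6`, `include` and `all` mechanisms and skipping `a`/`mx`/`exists`, which need real lookups.

```python
"""Minimal SPF evaluator over a constructed TXT-record table (added example)."""
import ipaddress

# Constructed DNS TXT data standing in for real lookups; no network is used.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain: str, lookup=TXT_RECORDS):
    """The domain's SPF record, or None if it publishes none."""
    rec = lookup.get(domain, "")
    return rec if rec.startswith("v=spf1") else None


def check_spf(domain: str, sender_ip: str, lookup=TXT_RECORDS, depth=0) -> str:
    """Evaluate sender_ip against domain's SPF record.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    rec = get_spf(domain, lookup)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in _QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                matched = False
        elif mech == "include":
            matched = check_spf(arg, sender_ip, lookup, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                    # a, mx, exists need live DNS; skipped
        if matched:
            return _QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "203.0.113.9"):
        print(ip, "->", check_spf("example.com", ip))
```

The two things worth checking in a real record are visible here: the included domain ends in `~all`, which never produces a pass for unknown senders, so its weak ending does not leak into the parent, and the parent ends in `-all`, which is what makes forged From addresses actually fail.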

4. Zone transfers

DNS zone transfer is generally used for DNS database replication and backups. The security problem with zone transfer is that it can be used to map out the topology of a company’s network: when a user performs a zone transfer, a single DNS query lists all the DNS information, such as name servers, host names, MX and CNAME records, the zone serial number, time-to-live values, etc. Because of the amount of information it exposes, an open zone transfer is rarely found nowadays.

https://secur1tyadvisory.files.wordpress.com/2015/07/name.jpg?w=700

Figure: Query for name server

The above image shows how to get the DNS server names.

https://secur1tyadvisory.files.wordpress.com/2015/07/name-2.jpg?w=669&h=285

Figure: Zone Transfer Failed

Since our query failed, we can conclude that zone transfers are properly restricted.

CONCLUSION

Hopefully this article has demonstrated some of the ways in which passive reconnaissance can be useful as part of your security testing activities. It’s obviously not a replacement for active testing and only scratches the surface when it comes to discovering vulnerabilities but it can certainly provide some valuable information to help scope your testing efforts.

REFERENCES

[1] https://en.wikipedia.org/wiki/List_of_DNS_record_types
[2] http://www.pearsonitcertification.com/articles/article.aspx?p=472323&seqNum=5
[3] http://www.hackersforcharity.org/ghdb

PRTG Network Monitor Tool – Cross Site Scripting Vulnerability

Vulnerable Version : 15.1.15.2021
Vendor Patch : 2-June-2015
CVE-ID : CVE-2015-3445
Vendor Notification : 3-June-2015
Vulnerability Type : Cross Site Scripting Vulnerability
Risk Level : Critical
Reported By – Sachin Wagh (@tiger_tigerboy)
Email : wsachin092@gmail.com

PRTG Network Monitor is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

Vulnerable URLs :

  1. http://127.0.0.1/error.htm?errormsg=
  2. http://127.0.0.1/group.htm?id=2009&tabid=9

XSS Payload :

' "><img src=a onerror=prompt(document.domain);>

Figure: Cross Site Scripting (PRTG XSS)

PRTG Network Monitor 15.1.15.2021 and later is vulnerable. It is recommended to check your PRTG installation for this version via the Auto Update dialog. For more detail please contact the vendor.
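The root cause on the first vulnerable URL is a query parameter (`errormsg`) reflected into the page without output encoding. The example below is added here and is not PRTG's code: it uses a hypothetical error-page template, shows the vulnerable concatenation beside the fixed version that HTML-encodes the value for the context it lands in, and uses the payload from this advisory purely as test input to confirm that the fix neutralizes it.

```python
"""Reflected XSS: vulnerable vs. encoded output on a hypothetical error page (added example)."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# The payload reported in the advisory above, used only as a test input.
PAYLOAD = '\' "><img src=a onerror=prompt(document.domain);>'

# Hypothetical template (not PRTG's): the message is placed in element content.
TEMPLATE = '<html><body><p class="error">{msg}</p></body></html>'


def errormsg_from_url(url: str) -> str:
    """Pull the errormsg parameter out of a URL such as error.htm?errormsg=..."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("errormsg", [""])[0]


def render_vulnerable(errormsg: str) -> str:
    """Before: user input is concatenated into the page unchanged."""
    return TEMPLATE.replace("{msg}", errormsg)


def render_fixed(errormsg: str) -> str:
    """After: HTML-encode for the output context. quote=True also encodes
    both quote characters, which matters wherever the same value is reflected
    inside an attribute rather than in element content."""
    return TEMPLATE.replace("{msg}", escape(errormsg, quote=True))


def reflected_region(page: str) -> str:
    """The part of the page where the parameter was inserted."""
    return page.split('<p class="error">', 1)[1].split("</p>", 1)[0]


def has_markup(page: str) -> bool:
    """Does the reflected region still contain a tag boundary a browser would act on?"""
    return any(ch in reflected_region(page) for ch in "<>")


if __name__ == "__main__":
    msg = errormsg_from_url("http://127.0.0.1/error.htm?errormsg=" + PAYLOAD)
    print("vulnerable has markup:", has_markup(render_vulnerable(msg)))
    print("fixed has markup:     ", has_markup(render_fixed(msg)))
    print(render_fixed(msg))
```

Encoding has to match the context: `html.escape` is right for element content and quoted attributes, but a value placed inside a `<script>` block or a URL needs that context's encoding instead, and a Content-Security-Policy that forbids inline scripts is a worthwhile second layer if a reflection is missed.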