Coming into this and learning of DNS rebinding, I had decided I wanted to make my own attack platform. After doing research it was apparent that this could be quite deadly: getting a victim’s LAN IP is trivial, and port scanning from a browser is even more trivial via WebSockets.
Funny enough, I feel that when I was more active in the information security industry/scene, XSS/CSRF were not taken seriously enough, and I feel a lot of developers still do not take them seriously when it seems they can lead to full-scale network compromise. It’s been proven time and time again that if enough payloads were distributed for common networks you’d be able to achieve MITM attacks on routers, reverse shells on insecure systems and more.
Some software and users seem to rely on the idea that if it’s running on the same system they’re accessing it from, authorization shouldn’t be needed (if they access from 127.0.0.1). With attacks like this, however, we overcome the fact that things are running on the inside of the network, so chaining things together such as CSRF and code-exec issues in systems leads to actual network compromise.
Thanks to Kurt over at DWF I was able to get a CVE assigned for the OSSEC SQL injection detailed in my previous post: CVE-2016-1000266 / CVE-2016-1000265.
I was happy to help the guys over at OSSEC patch the problem and I’m glad it’s getting some acknowledgement.
Hijacking a Victim’s DNS with Anti DNS-Pinning (DNS Rebinding)
Last night I got on the kick of router/modem security. Considering the recent attacks we’ve had going on, I thought it might be nice to jump on the bandwagon of researchers and check it out for myself.
With this I thought I’d simulate an attack I was able to perform in a penetration test because a router had remote management enabled: hijacking the victim’s DNS requests via DNSChef and getting a MITM to steal the victim’s credentials as they logged into a specific website.
That was all achieved by simply changing the victim’s DNS settings on their router.
So the question became: what’s stopping me from doing this to my own modem via a web browser on an internet-facing URL?
Immediately I started looking for any code which may not enforce the same-origin policy. To explain briefly, the same-origin policy was created to protect against attacks where web code attempts to make a request to a server where it’s unauthorized to do so (meaning local network resources as well, like modems and routers).
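The same-origin check that rebinding sidesteps lives in the browser, so a service on the LAN has to do its own check. As an added example (not code from this post or from any router firmware), here is the standard server-side mitigation: the browser keeps sending the attacker’s hostname in the Host header even after that name has been re-pointed at a LAN address, so a service that only answers requests whose Host header names one of its own hostnames or addresses rejects the rebound request before any handler runs. The allow-list entries, the port and the handler are assumptions.

```python
"""Host-header allow-listing as a DNS-rebinding mitigation.

Added example, not code from the original post. After a rebinding attack
the browser resolves attacker.example to a LAN address such as 192.168.1.1
but still sends "Host: attacker.example". A service that only serves
requests whose Host header names one of its own addresses rejects that.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import ipaddress

# Names/addresses this service legitimately answers to (assumed values).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "192.168.1.1", "router.lan"}


def split_host_port(host_header):
    """Return (host, port) from a Host header value; port is None if absent.
    Handles bracketed IPv6 literals like [::1]:8080. Malformed -> (None, None)."""
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return None, None
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    if host == "" or not port.isdigit():
        return None, None
    return host, int(port)


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names one of our own hostnames/addresses.
    A missing, malformed or foreign host (the rebinding case) is rejected."""
    if not host_header:
        return False
    host, _port = split_host_port(host_header)
    if host is None:
        return False
    host = host.lower().rstrip(".")
    try:
        # Canonicalise IP literals (e.g. 0:0:0:0:0:0:0:1 -> ::1) before comparing
        host = str(ipaddress.ip_address(host))
    except ValueError:
        pass  # plain hostname, compare as written
    return host in allowed


class RebindingAwareHandler(BaseHTTPRequestHandler):
    """Minimal admin-style endpoint that refuses requests for foreign hosts."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: this request was not meant for us
            self.send_error(421, "Host header not recognised")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"admin interface\n")


if __name__ == "__main__":
    # Assumed bind address/port for local testing
    HTTPServer(("127.0.0.1", 8080), RebindingAwareHandler).serve_forever()
```

Run it and fetch http://127.0.0.1:8080/ to get the page; the same request sent with a foreign Host header (curl’s `-H "Host: attacker.example"`) gets a 421. Comparing the host part only, after stripping the port and canonicalising IP literals, keeps the check from being bypassed by alternative spellings of the same address.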
First let me explain what OSSEC is and why a vulnerability in this system is important.
OSSEC is a host-based open-source intrusion detection system…
Most recently there have been a few vulnerabilities found and disclosed in it that have gotten rather concerning to me.
These become a larger issue when the vulnerability I’ve found requires you to have access to the agent at a level where you can modify the configuration file. I consider what I’ve found to be slightly more severe in larger environments because, depending on the configuration of the server system, it could allow a full-scale breach instead of a single agent being compromised.
In theory, once someone was to exploit/hack or gain access to an agent in any way, the only thing you’re concerned with is that agent. Where the SQL injection takes place is in the central server where the agents report to; in some cases this central server is within a corporate network that’s meant to be segregated from the rest of the agents… in theory, once one was to compromise the central server of something like this, access to additional systems or all of the systems/agents is to follow…
Beyond the idea of someone gaining access to an entire enterprise network, because the system itself is meant to detect intrusions… with the SQL injection that I’ve discovered it would be possible to wipe evidence and make sure people weren’t able to see it, given they weren’t recording to email. Regardless, I feel it nearly renders the system useless in a sense.
More concerning is that a lot of people are recommended to use this system after failing PCI audits (meaning consumer credit card data should be protected by a system with vulnerabilities in it).
I’ve also, since writing this article, submitted a pull request to attempt to fix the vulnerability mentioned in this article (https://github.com/ossec/ossec-hids/pull/923), and requested a CVE which I’ll add to this article once I have it.
All of that aside…
A few days ago I’m upgrading OSSEC on some machines and install a non-stable development/release candidate on one of the systems, connecting back to my 2.8.3 (latest stable release) instance. Immediately I notice that my agent isn’t reporting…
I check the logs and notice SQL syntax errors. At first I think nothing of this; it’s strange, but not alarming yet…
Then I notice what the syntax errors are actually being caused by, and I find that I’ve just discovered an SQL injection in OSSEC’s server system when using a database (yes, this includes PostgreSQL).
2016/08/17 12:52:03 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = 'thedefaced->netstat -tan |grep LISTEN |grep -v '127.0.0.1' | sort' AND server_id = '1' LIMIT 1'. Error: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '127.0.0.1' | sort' AND server_id = '1' LIMIT 1' at line 1'.
That being said, I’ve done some research on this and even attempted exploiting it to gain a proof of concept. Considering the latest release candidate ships with the configuration file that caused this ordeal in the first place, I would assume that the latest version is patched against this, yet it was not back-ported to the latest stable release…
To start, let’s discuss what could happen with this,
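As an added illustration (not OSSEC’s code), here is the query shape from the error above rebuilt in Python against an in-memory SQLite table, once by pasting the reported location name into the SQL text and once with a parameterised query. The table layout is an assumption modelled on the query in the log, and the location string is the constructed value taken from that log line. The concatenated version breaks on the embedded quotes exactly as the log shows, while the parameterised one stores and finds the same name intact, which is the fix a server that accepts agent-supplied strings needs.

```python
"""Location lookup done two ways: string concatenation (the pattern behind
the syntax error in the log) and a parameterised query.

Added example, not OSSEC's code. Uses sqlite3 with a made-up 'location'
table modelled on the query in the error message, so it runs offline.
"""
import sqlite3

# Constructed sample: the agent name + command string seen in the log line.
REPORTED_LOCATION = "thedefaced->netstat -tan |grep LISTEN |grep -v '127.0.0.1' | sort"
SERVER_ID = 1


def open_db():
    """In-memory table shaped like the one the ossec-dbd query references (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE location (id INTEGER PRIMARY KEY, name TEXT, server_id INTEGER)"
    )
    return conn


def lookup_concatenated(conn, name, server_id):
    """Unsafe: the name is pasted into the SQL text, so any quote inside it
    changes the statement. Returns the id, or an 'error: ...' string when the
    statement no longer parses (the situation in the log)."""
    sql = (f"SELECT id FROM location WHERE name = '{name}' "
           f"AND server_id = '{server_id}' LIMIT 1")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return row[0] if row else None


def lookup_parameterised(conn, name, server_id):
    """Safe: name and server_id travel as bound values, never as SQL text."""
    row = conn.execute(
        "SELECT id FROM location WHERE name = ? AND server_id = ? LIMIT 1",
        (name, server_id),
    ).fetchone()
    return row[0] if row else None


def insert_parameterised(conn, name, server_id):
    """Insert a location row with bound values; returns the new id."""
    cur = conn.execute(
        "INSERT INTO location (name, server_id) VALUES (?, ?)", (name, server_id)
    )
    return cur.lastrowid


def demo():
    """Store the reported location, then look it up both ways.
    Returns (inserted id, id via parameters, result via concatenation)."""
    conn = open_db()
    new_id = insert_parameterised(conn, REPORTED_LOCATION, SERVER_ID)
    safe = lookup_parameterised(conn, REPORTED_LOCATION, SERVER_ID)
    unsafe = lookup_concatenated(conn, REPORTED_LOCATION, SERVER_ID)
    return new_id, safe, unsafe


if __name__ == "__main__":
    print(demo())
```

The quoted command string is ordinary data from the agent’s point of view; the server-side bug is that it is treated as SQL. Binding the values means the same string round-trips whatever characters it contains, and the database never sees it as part of the statement.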
I had recently been inspired by a video from a man who goes by the alias “Scamalot”. In this video series he responds to spam emails and simply “trolls” the scammers, phishers, or spammers. The series is great, and I highly recommend checking it out if you haven’t ( https://www.youtube.com/watch?v=dSoXEtFPTfI ).
Well, due to being inspired by this, I decided to take it upon myself to start attempting to “troll” or annoy these spammers, scammers, and phishers myself, as it seemed to be my duty at this point; considering the amount of spam I regularly receive, it was a great idea.
Coming into this, the last thing that I expected to do was take over a phish page and leave a warning for those who clicked on it in the future, but that’s exactly what I ended up doing….
Project Cartographer (which I’m referring to as H2V:Online from here on) now has a homepage where pretty soon you’ll be able to find a download link for the mod!
There are still tons of things that can be done, and I plan to write about and release tons more information on this project as well as put more time and effort into improving the overall gameplay experience as much as I can. In other news, FishPhD is now in charge of coding the launcher for the game, and the ‘official’ community of Project Cartographer, aka H2V:Online, is now halo.cafe.
You can find the new H2V:Online homepage here.
A long time ago a friend (DarkCoder) and I embarked on attempting to turn a (random) game into a multiplayer online one; the original intention was to find a single-player-only game and determine how we could make it into a multiplayer online game instead.
While searching for a game to do this with we ran into Turok 4: Evolution, and thus began T4MP; remnants of such can still be seen here.
Development didn’t get very far, though we had a lot of the basic bugs fixed, we had most of the player data structures reverse engineered, and the data was syncing between the games.
There were still a ton of issues; for starters we had no idea how the hell to program a multiplayer game at the time, so most of our data sending was based on loops which constantly updated the information on the clients about the players.
Now that you know the history of the project, I’m glad to say I’ve decided to start working on it again. I’ve made minor progress reverse engineering the event/cause/links/scripts inside of the ati files of the game and have got the game going back into the local multiplayer split-screen mode again.
I’ve had to start over completely as I’ve lost my original code.
But here’s a video demonstrating progress so far,
And here’s one showing issues with the depth buffering that I’m currently attempting to fix,
After long hours of sitting around reversing script functions and getting help from both kornman00 and xbox7887 on various research they had from Xbox versions of the game,
I managed to complete a simple quick gun-game setup as a first attempt at creating a custom game type. Right now it’s all written in C, but the idea is to add Lua support to things and actually re-write it in Lua as a PoC of what will be possible with the extended external scripting of the game.
The main issue here is determining when to load these scripts (most likely we’ll have options to do it when a specific variant is selected).
The idea is to allow anyone to actually make similar crazy game types for the game and allow people with even no programming experience to help make the game better.
I leave you with a quick video of us testing out gun-game.
The network handling code has been re-written from the ground up on the client side and it seems to have eliminated all performance issues. I also eliminated some memory leaks that were present before, and I’m happy to say the state of Project Cartographer is STABLE!
So what’s next on the agenda?
Let’s take a look at what’s currently done.
During my previous fix I changed things around so much that I actually introduced major performance issues: the processing time of each packet went up, and part of that seems to have also introduced some sort of memory leak.
Overall the current state of Project Cartographer is unplayable and unstable. With that said, we still need people to test once in a while, and lately it’s been hard finding anyone around (in TeamSpeak) enough to do so; we have 1 or 2 dedicated people willing to test through the agony of lag, crashes, and random other events with us.
Right now what needs to happen is a complete re-write of all packet handling systems; there are tons of inefficient and poorly done things which I’m just now re-thinking and re-structuring.
What I’m constantly seeing from people, though, is the misunderstanding that this project is currently in a state where we’re even looking for bug reports, or that you can even use it.
If you download this to test with us, please do not report things like:
“I crash”, “It doesn’t work”, “It’s laggy”, “Help me”.
These things do not help us improve the code for you and the rest of the community; they only begin to frustrate me and misdirect my attention to issues other than what’s important, which is creating a playable, stable solution for everyone to play their games with.
Hopefully I have more news soon for the community, and here’s to it being good news once I complete this re-write of the whole user handling system; another late night incoming.
So originally you were unable to run 2 clients, or 1 client and a server, on the same network or same machine.
Now I’ve come up with somewhat of a fix, and it’s pretty messy, but it works!
Basically, the way I was handling things previously, you couldn’t run multiple clients on the same network or even the same PC, due to the fact that everything was binding to the same port and there were tons of comparisons and identification systems which would identify people based on their WAN IP address instead of some other unique identifier.
Now that I’ve changed the code to identify people differently and added a “server” option to the INI, which you’re expected to set in one client/server on the network, it will re-bind ports differently.
To explain: if I want to run a server on my network I’ll leave it as “server = 0” (I know it’s kind of backwards…).
This will cause my server to bind to the standard ports 1000, 1001, 1005, 1006.
Now when I launch my client and I set “server = 1”,
my client will bind to 1100, 1101, 1105, 1106, and the rest of the network code in every other client and server will handle this appropriately based on where they receive the connection from. What this may break, however, is the ability to make a lobby, due to the fact that naturally, when trying to connect to lobbies, clients will attempt to use the standard ports.
So essentially you can only have 1 host per network at the moment, though this needs to be looked into in a less messy/sloppy manner so that we can run multiple instances of a dedicated server on a single system.
The only idea that I have to brainstorm on with this is sending the port with the broadcast packets and having each client read/understand this.
The problem is, at this point this is becoming less universal and more geared towards Halo 2, which isn’t necessarily a horrible thing; it just requires a lot of re-coding of the base,
and may mean that in the future I will have two separate versions: one specifically geared towards Halo 2 and another which is universal for all XLive games.
For those who understand python read on…
There were also minor modifications I’ve had to make to the master server list which changed how users were stored.
Originally I stored users when they initially made a Halo 2 specific “broadcast-search” packet.
In general this is the way LAN configurations in games should work…
Client->Broadcast to 255.255.255.255 (Entire Local Network) -> Server gets packet and sends reply with information.
Right now the way the code works on this end is simply replacing 255.255.255.255 with the “broadcast server” or “master server list”.
The way I stored the users was based on their remote IP without their port; now we just store the self.client_address tuple into the dict and use that.
Basically, since each user would now be using a different port, we combine the two to uniquely identify them. The way I was doing things previously would overwrite their user in the dict, causing them not to be able to see the server… just a lesson to myself in bad programming practices: attempting to identify people by IP addresses, which I did a lot starting out with this project.
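Added example (not the project’s master server code) showing the identification change described above, together with the port split described a few paragraphs up: a registry keyed on the full (ip, port) tuple next to the old IP-only keying, plus a minimal UDP handler standing in for the 255.255.255.255 broadcast target that uses self.client_address as the key. The addresses, ports and payloads are constructed.

```python
"""Master-server registry keyed by (ip, port) instead of ip alone.

Added example, not the project's master server code. It mimics the situation
in the post: two game instances behind one NAT share a WAN IP but use
different source ports (server on 1000, client on 1100). Keying on the IP
alone lets the second registration overwrite the first; keying on the full
client_address tuple keeps both, so each can see the other.
"""
import socketserver


class Registry:
    """Dict of known users; key_by_port=False reproduces the old IP-only bug."""

    def __init__(self, key_by_port=True):
        self.key_by_port = key_by_port
        self.users = {}

    def _key(self, client_address):
        ip, port = client_address
        return (ip, port) if self.key_by_port else ip

    def register(self, client_address, info):
        """Store or refresh a client; returns the number of known clients."""
        self.users[self._key(client_address)] = info
        return len(self.users)

    def peers(self, client_address):
        """Everyone except the asker, which is found by the same key."""
        me = self._key(client_address)
        return [info for key, info in self.users.items() if key != me]


class BroadcastHandler(socketserver.BaseRequestHandler):
    """UDP handler replacing the 255.255.255.255 broadcast: a client sends its
    search packet, we record (ip, port) -> packet and reply with the others."""
    registry = Registry()  # shared across requests

    def handle(self):
        data, sock = self.request  # UDP request is a (bytes, socket) pair
        self.registry.register(self.client_address, data)
        reply = b"\n".join(self.registry.peers(self.client_address))
        sock.sendto(reply, self.client_address)


def simulate_two_clients_behind_nat(key_by_port):
    """Constructed scenario: server and client share WAN IP 203.0.113.7 and
    register on ports 1000 and 1100. Returns what a third party at another
    address is told about, sorted for stable comparison."""
    reg = Registry(key_by_port=key_by_port)
    reg.register(("203.0.113.7", 1000), b"server-A")
    reg.register(("203.0.113.7", 1100), b"client-B")
    return sorted(reg.peers(("198.51.100.2", 1000)))


if __name__ == "__main__":
    print("keyed by ip only:", simulate_two_clients_behind_nat(False))
    print("keyed by (ip, port):", simulate_two_clients_behind_nat(True))
    # Port 1000 matches the post's standard ports; binding below 1024 needs
    # privileges on Unix, so pick a higher one for unprivileged testing.
    with socketserver.UDPServer(("0.0.0.0", 1000), BroadcastHandler) as srv:
        srv.serve_forever()
```

With IP-only keys the client’s registration replaces the server’s, which is exactly why the server vanished from the list; with the tuple key both survive and a peer on another address sees both entries. Any identifier that several hosts can legitimately share (a NAT’s public address here) is a poor dictionary key for per-client state.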