Details
Affected Software: Dojo Toolkit
Fixed in Version: 1.4.1
Issue Type: Defense in Depth
Original Code: Found Here

Description
This was a vulnerability affecting the Dojo Toolkit. Apparently, the Dojo Toolkit shipped with a SWF file that had a few vulnerabilities. This particular vulnerability affected one of those SWF files. First, SWF files are compiled files; however, they can be decompiled. Unlike traditional server-side web application languages (PHP, ASP, JSP, etc.), SWF files are downloaded and rendered on the client side. Decompiling the SWF file gives the attacker full access to the ActionScript source code for the SWF application. In this particular SWF file, we see that the developers explicitly set Security.allowDomain to "*". This makes it so SWF files from other, external domains can include the Dojo Toolkit SWF file and script/access its internal functionality. The Dojo Toolkit devs fixed this particular issue by removing the allowDomain call and adding an ExternalInterface call that checks whether a particular wrapper function is available in the HTML page. If you're interested in Flash security, an excellent presentation on Flash security given by Stefano Di Paola can be found here: http://www.slideshare.net/guestb0af15/owasp-wasc-app-sec2007-san-jose-finding-vulnsin-flash-apps

Developers Solution
| public class FLVideo extends Sprite { private var videoUrl:String; private var video:Video; private var connection:NetConnection; private var autoPlay:Boolean; private var videoStream:NetStream; private var videoWidth:Number; private var videoHeight:Number; private var _currentVideo:VideoContainer; private var preview:VideoContainer; private var currentVolume:Number = 1; private var isFullscreen:Boolean = false; private var playlist:VideoPlaylist; private var hasPlaylist:Boolean = false; private var mode:String = "preview";
public function FLVideo() { - Security.allowDomain("*"); + var secure:* = ExternalInterface.call("swfIsInHTML"); + if(secure !== true){ + return; + } + //Security.allowDomain("*");
stage.scaleMode = StageScaleMode.NO_SCALE; stage.align = StageAlign.TOP_LEFT; stage.addEventListener(Event.RESIZE,onStageResize); stage.addEventListener(FullScreenEvent.FULL_SCREEN ,onFullscreenChange); stage.addEventListener(MouseEvent.CLICK,onClick);
var obj:Object = LoaderInfo(this.root.loaderInfo).parameters; trace(obj)
if(!obj.videoUrl){ obj = { autoPlay:true, isDebug:true, videoUrl:"demo_video.flv" }; }
// ugh - booleans not coming through if(obj.autoPlay===true || obj.autoPlay=="true"){ autoPlay = true; }
if(obj.volume) { currentVolume = obj.volume; }
if(obj.isDebug===true || obj.isDebug=="true"){ console.isDebug(true); Tracer.init({both:true}) Tracer.log("FLVideo initialized...") }
+ Tracer.log("secure?::",secure) MovieIdentity.identity = obj.id || "default"; this.playlist = new VideoPlaylist(autoPlay,currentVolume);
if(obj.videoUrl) { videoUrl = obj.videoUrl; }
preview = new VideoContainer(videoUrl,autoPlay,currentVolume); addChild(preview); provideCallbacks(); }
public function get currentVideo():VideoContainer{
if(mode=="playlist"&&hasPlaylist){ return this.playlist.current; }else{ return preview; } } |
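Review bot: the ExternalInterface check added to the FLVideo constructor proves only that the hosting page exposes a JavaScript function named swfIsInHTML that returns true; ExternalInterface.call() returns null when the container has no such function or when allowScriptAccess forbids the call, so the strict `secure !== true` comparison fails closed, which is the right default. It is not a domain restriction, though, so the security property comes from dropping allowDomain("*"): delete the `//Security.allowDomain("*");` line instead of leaving it commented out where it can be reinstated, and add a one-line comment explaining why the constructor returns early. Minor: `Tracer.log("secure?::",secure)` is missing its terminating semicolon.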
Details
Affected Software: AskApache Password Protect
Fixed in Version: 4.3.2
Issue Type: Insecure Logging (Defense in Depth)
Original Code: Found Here

Description
This week's bug was discovered in the AskApache Password Protect plugin for WordPress. Once again, we are examining "security software" that is designed to provide various security protection mechanisms for a deployed WordPress blog. The description for the AskApache security plugin is as follows: "Advanced Security: Password Protection, Anti-Spam, Anti-Exploits, more to come"
A very noble effort indeed. This vulnerability was in the aa_pp_hashit() function. The aa_pp_hashit() function takes three arguments: $format, $user, and $pass. The aa_pp_hashit() function then attempts to create a hash containing the creds. Whenever I see functions utilizing crypto, I'm always reminded of this scene in Office Space. In this particular patch, the vulnerability was in this line:

aa_pp_mess('Created '.$format.' Hash for '.$user.' with Password '.$pass);
The aa_pp_mess() function actually logged the clear-text username and password before the function put the password through a hashing routine. There is rarely a need to log a clear-text password... in fact, I'm going to go out on a limb here and say there is NEVER a good time to log a clear-text password. Even password hashes or other representations of passwords shouldn't be logged. Logging sensitive data is always tricky. If you're logging sensitive data, please consider the permissions required to access that data, ensure the file is properly ACL'd, and conduct regular audits of log file access. Most importantly, ask yourself: why do I need to log this data? The vulnerability was fixed by removing references to the user's password (and even references to the user that called the function). Now I just have to figure out why the AskApache devs are passing a default value for $pass.

Developers Solution
| // aa_pp_hashit //------------------------------------------------------------------------------------------- function aa_pp_hashit($format,$user='',$pass=''){ global $aa_PP; - aa_pp_mess('Created '.$format.' Hash for '.$user.' with Password '.$pass); + aa_pp_mess('Created '.$format.' Hash'); $hash=''; switch ($format){ case 'TEST': $hash=array(); foreach($aa_PP['algorithms'] as $key=>$value)$hash[]=aa_pp_hashit($key,"test{$key}","test{$key}"); return $hash; break; case 'PLAIN': $hash=$user.':'.$pass; break; case 'CRYPT': $seed = NULL; for ($i = 0;$i <8;$i++) {$seed .= substr('0123456789abcdef',rand(0,15),1);} $hash=$user.':'.crypt($pass,"$1$".$seed); break; case 'SHA1': $hash=$user.':{SHA}'.base64_encode(pack("H*",sha1($pass))); break; case 'MD5':// php.net/crypt.php#73619 $saltt = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz0123456789"),0,8); $len = strlen($pass);$text = $pass.'$apr1$'.$saltt;$bin = pack("H32",md5($pass.$saltt.$pass)); for($i = $len;$i >0;$i -= 16) { $text .= substr($bin,0,min(16,$i));} for($i = $len;$i >0;$i >>= 1) { $text .= ($i &1) ? chr(0):$pass{0};} $bin = pack("H32",md5($text)); for($i=0;$i<1000;$i++) { $new = ($i &1) ? $pass:$bin;if ($i % 3) $new .= $saltt;if ($i % 7) $new .= $pass;$new .= ($i &1) ? $bin:$pass;$bin = pack("H32",md5($new));} for($i=0;$i<5;$i++) { $k = $i + 6;$j=$i + 12;if($j==16){ $j = 5;} $TRp = $bin[$i].$bin[$k].$bin[$j].$TRp;} $TRp = chr(0).chr(0).$bin[11].$TRp; $TRp = strtr(strrev(substr(base64_encode($TRp),2)),"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"); $hash="$user:$"."apr1"."$".$saltt."$".$TRp; break; }
return $hash; }//========================================================================================================================= // aa_pp_show_encryptions //------------------------------------------------------------------------------------------- function aa_pp_show_encryptions($label,$type=0){ global $aa_PP; if($type==0) { ?> <p><label><?php _e($label);?><br /> <select name="aapassformat"id="aapassformat"> <?php foreach($aa_PP['algorithms'] as $key=>$value){?> <option value="<?php echo $key;?>"<?php if($aa_PP['format']==$key)echo ' selected="selected"';elseif($aa_PP['algorithms'][$key]['enabled']!='1')echo ' disabled="disabled"';?>><?php echo $key;?> </option> <?php }?> </select> </label></p> <?php } elseif($type==3) { ?> <p><label><?php _e($label);?><br /> <input id="aapassformat"name="aapassformat"type="hidden"value="<?php echo $aa_PP['format'];?>"/></label></p> <ul> <?php foreach($aa_PP['algorithms'] as $key=>$value){?> <li><label><input name="aapassformat"id="aapassformat<?php echo strtolower($key);?>"type="radio"value="<?php echo $key;?>"<?php if($aa_PP['format']==$key)echo 'checked="checked"'; elseif($aa_PP['algorithms'][$key]['enabled']!='1')echo 'disabled="disabled"';?>/><strong><?php echo $key;?></strong>- <?php echo $aa_PP['algorithms'][$key]['desc'];?></label></li> <?php }?> </ul> <?php } else if($type==4) { ?> <h4><?php _e($label);?></h4> <?php foreach($aa_PP['algorithms'] as $key=>$value){?> <p><strong><?php echo $key;?></strong>- <?php echo $aa_PP['algorithms'][$key]['desc'];?></p> <?php }?> <hr style="visibility:hidden;padding-top:.25em;clear:both;"/> <?php } }//=========================================================================================================================
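Review bot: the shortened message in aa_pp_hashit no longer carries credentials, but the 'PLAIN' and 'TEST' branches still return `$user.':'.$pass` strings to callers, so any caller that hands the return value to aa_pp_mess() reintroduces the same leak; a comment on the return value stating that it contains credential material, or a redacting wrapper, would make that harder to get wrong. Unrelated to the fix but in the same hunk: `$pass{0}` in the 'MD5' branch uses the curly-brace string offset syntax, deprecated in PHP 7.4 and removed in PHP 8.0; it should be `$pass[0]`.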
// aa_pp_mess //------------------------------------------------------------------------------------------- function aa_pp_mess($message=''){ if(@defined('AA_PP_DEBUG_LOGFILE'))error_log($message,3,AA_PP_DEBUG_LOGFILE); - else error_log($message); + else if(AA_PP_DEBUG)error_log($message) if(AA_PP_DEBUG){ ?><div id="message"style="margin:1em auto;"><p><?php echo $message;?></p></div><?php } }//========================================================================================================================= |
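Review bot: `+ else if(AA_PP_DEBUG)error_log($message)` has no terminating semicolon before the following `if(AA_PP_DEBUG){`, so the file will not parse; add the semicolon. Also guard the constant: if AA_PP_DEBUG is ever undefined, PHP 5 and 7 evaluate the bare name as the string "AA_PP_DEBUG", which is truthy, so both the error_log() fallback and the `<div id="message">` echo into the rendered page would run anyway; `defined('AA_PP_DEBUG') && AA_PP_DEBUG` closes that gap.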
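The advice above (never log a clear-text password or hash, restrict who can read the log, and ask why the data is logged at all) can be enforced in the logging helper itself rather than at every call site. The following is an added example and not the AskApache plugin's code; the log path, the EXAMPLE_DEBUG constant and the list of sensitive key names are assumptions chosen for illustration.

```php
<?php
// Added example (not AskApache plugin code): a debug logger that cannot emit
// credentials. Secrets are passed as structured context, never interpolated
// into the message, and the context is redacted before it is formatted.

// Assumed location outside the web root; adjust for the deployment.
const SAFE_LOG_FILE = '/var/log/example-plugin/debug.log';

// Any key containing one of these substrings (case-insensitive) is masked.
// "hash" is included because hashes are password-derived and should not be
// logged either.
const SENSITIVE_KEYS = ['pass', 'password', 'passwd', 'pwd', 'secret', 'token', 'hash'];

/**
 * Returns a copy of $context with sensitive values replaced by a marker.
 * Nested arrays are redacted recursively.
 */
function redact_for_log(array $context): array
{
    $out = [];
    foreach ($context as $key => $value) {
        if (is_array($value)) {
            $out[$key] = redact_for_log($value);
            continue;
        }
        $lowerKey = strtolower((string) $key);
        $sensitive = false;
        foreach (SENSITIVE_KEYS as $needle) {
            if (strpos($lowerKey, $needle) !== false) {
                $sensitive = true;
                break;
            }
        }
        $out[$key] = $sensitive ? '[REDACTED]' : $value;
    }
    return $out;
}

/**
 * Formats one log line. Only the redacted context is appended, so a caller
 * cannot leak a password by building it into $message by string concatenation
 * the way the original aa_pp_mess() call did.
 */
function build_log_line(string $message, array $context = []): string
{
    $safe = redact_for_log($context);
    return $message . ($safe !== [] ? ' ' . json_encode($safe, JSON_UNESCAPED_SLASHES) : '');
}

/**
 * Writes the line only when debugging was explicitly enabled, to a file that
 * is created owner-only (0600). Returns true on success, false otherwise.
 */
function safe_log(string $message, array $context = []): bool
{
    if (!defined('EXAMPLE_DEBUG') || !EXAMPLE_DEBUG) {
        return false; // nothing is logged unless debugging is switched on
    }
    $dir = dirname(SAFE_LOG_FILE);
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        return false;
    }
    $line = build_log_line($message, $context) . PHP_EOL;
    $ok = file_put_contents(SAFE_LOG_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
    if ($ok) {
        chmod(SAFE_LOG_FILE, 0600); // owner read/write only
    }
    return $ok;
}

// Usage: a hashing routine reports the format it used; the password it was
// given never reaches the log line even though the caller passed it along.
define('EXAMPLE_DEBUG', true);
echo build_log_line('Created hash', ['format' => 'MD5', 'user' => 'alice', 'pass' => 'hunter2']), PHP_EOL;
echo safe_log('Created hash', ['format' => 'MD5']) ? "written\n" : "not written\n";
```

The plugin's own fix went one step further and dropped the username as well; with this helper that is a matter of adding 'user' to SENSITIVE_KEYS or simply not passing it. The point of the structure is that the only string a caller controls is the static message, so the class of bug in the original line cannot recur without deliberately bypassing the helper.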
Details
Affected Software: WordPress
Fixed in Version: 2.1
Issue Type: Defense in Depth
Original Code: Found Here

Description
I found this issue interesting for a couple of reasons. Upon first glance, the patch appears to be a defense against SQL injection, and in essence, it is. It seems that the $q['cat'] value is controlled by the user and is eventually used to help build a SQL statement. Before the $q['cat'] value is used in a SQL statement, it is actually sanitized by the following lines:

$q['cat'] = ''.urldecode($q['cat']).'';
$q['cat'] = addslashes_gpc($q['cat']);
Once the value is sanitized, it is used to build various SQL statements. Now, this particular patch was developed by the WordPress team because they discovered that when a user/attacker passes a "." (period character) to $q['cat'], it causes a SQL error which is displayed to the user. While a single period character doesn't give the attacker the ability to execute arbitrary SQL, it does give the attacker an information disclosure bug. In an academic sense, however, the attacker has convinced the database that their provided value should be interpreted as code as opposed to data (à la SQL injection). The reason the period character slips through is that it is not defined as a special character in the addslashes() PHP function... this could be useful in other situations. The WordPress team prevented the information leak by checking to see if $q['cat'] is an integer value. The patch here is a single-line fix.

Developers Solution
| // Category stuff
if ((empty($q['cat'])) || ($q['cat'] == '0') ||
// Bypass cat checks if fetching specific posts
( $this->is_single || $this->is_page )) {
$whichcat='';
} else {
$q['cat'] = ''.urldecode($q['cat']).'';
$q['cat'] = addslashes_gpc($q['cat']);
$join = "LEFT JOIN $wpdb->post2cat ON ($wpdb->posts.ID = $wpdb->post2cat.post_id) ";
$cat_array = preg_split('/[,\s]+/',$q['cat']);
$in_cats = $out_cats = '';
foreach ( $cat_array as $cat ) {
+ $cat = intval($cat);
$in = strstr($cat,'-') ? false:true;
$cat = trim($cat,'-');
if ( $in )
$in_cats .= "$cat,". get_category_children($cat,'',',');
else
$out_cats .= "$cat,". get_category_children($cat,'',',');
}
$in_cats = substr($in_cats,0,-2);
$out_cats = substr($out_cats,0,-2);
if ( strlen($in_cats) >0 )
$in_cats = "AND category_id IN ($in_cats)";
if ( strlen($out_cats) >0 )
$out_cats = "AND category_id NOT IN ($out_cats)";
$whichcat = $in_cats . $out_cats;
$distinct = 'DISTINCT';
}
// Category stuff for nice URIs
global $cache_categories;
if ('' != $q['category_name']) { |
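Review bot: `+ $cat = intval($cat);` runs before the `strstr($cat,'-')` / `trim($cat,'-')` handling, so those calls now receive an integer; PHP converts it back to a string, so the exclusion logic still works, but a non-numeric token such as `.` becomes 0 and is emitted as `category_id IN (0)`. That is harmless, yet it would be cleaner to skip tokens that do not match `/^-?\d+$/` and to call get_category_children() only for a non-zero id, so junk input produces no clause at all rather than a query for category 0. A comment on the new line explaining that it exists to keep non-numeric input out of the IN list would also help the next reader.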
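To see concretely why addslashes() did not stop the period and what the intval() cast changes, here is an added example that rebuilds the category clause construction from the patch above in standalone form. This is not WordPress code: get_category_children() is left out because it only appends child IDs and does not affect the behaviour shown, and the column name is taken from the patch while the inputs are constructed for the demonstration.

```php
<?php
// Added example, not WordPress code. Reproduces the $q['cat'] handling above
// so the pre-patch and post-patch SQL fragments can be compared side by side.

/**
 * Builds the "AND category_id IN (...)" fragment the way the loop above does.
 * $patched = false reproduces the pre-2.1 behaviour, $patched = true applies
 * the one-line fix. Returns the fragment so it can be inspected.
 */
function build_whichcat(string $rawCat, bool $patched): string
{
    // The "sanitization" that existed before the patch. addslashes() escapes
    // only single quote, double quote, backslash and NUL; "." is untouched.
    $cat = '' . urldecode($rawCat) . '';
    $cat = addslashes($cat);

    $inCats = [];
    $outCats = [];
    foreach (preg_split('/[,\s]+/', $cat) as $token) {
        if ($patched) {
            $token = intval($token); // the fix: any non-numeric token becomes 0
        }
        // A leading "-" marks a category to exclude; PHP stringifies the int.
        $exclude = strstr((string) $token, '-') !== false;
        $token = trim((string) $token, '-');
        if ($exclude) {
            $outCats[] = $token;
        } else {
            $inCats[] = $token;
        }
    }

    $sql = '';
    if ($inCats !== []) {
        $sql .= 'AND category_id IN (' . implode(',', $inCats) . ') ';
    }
    if ($outCats !== []) {
        $sql .= 'AND category_id NOT IN (' . implode(',', $outCats) . ')';
    }
    return trim($sql);
}

// Constructed inputs: a normal request, an exclusion, the "." that triggered
// the displayed SQL error, a URL-encoded single quote, and whitespace-separated
// tokens.
$samples = ['1,2', '-3', '.', '1%27', '1 2'];

foreach ($samples as $raw) {
    printf("%-6s before: %s\n", json_encode($raw), build_whichcat($raw, false));
    printf("%-6s after:  %s\n", json_encode($raw), build_whichcat($raw, true));
}
```

Before the patch, "." yields `AND category_id IN (.)` and "1%27" yields `AND category_id IN (1\')`, both of which MySQL rejects with the syntax error the description talks about. After the patch both collapse to `IN (0)` and `IN (1)` respectively, so the database only ever sees integer literals. The residual `IN (0)` for junk input is why a stricter filter that drops non-numeric tokens entirely is the nicer follow-up.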