DHCP vulnerability in some Ubuntu releases

Ubuntu Security Notice USN-1108-2
April 19, 2011

dhcp3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An attacker's DHCP server could send crafted responses to your computer and
cause it to run programs as root.

Software Description:
- dhcp3: DHCP Client 

Details:

USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix
the vulnerability was not properly applied on Ubuntu 9.10 and higher. This
update fixes the problem.

Original advisory details:

 Sebastian Krahmer discovered that the dhclient utility incorrectly filtered
 crafted responses. An attacker could use this flaw with a malicious DHCP
 server to execute arbitrary code, resulting in root privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  dhcp3-client                    3.1.3-2ubuntu6.2

Ubuntu 10.04 LTS:
  dhcp3-client                    3.1.3-2ubuntu3.2

Ubuntu 9.10:
  dhcp3-client                    3.1.2-1ubuntu7.3

In general, a standard system update will make all the necessary changes.

Top 5 Hack Tools for Hackers to Investigate Computer System

 Hello Friends, today i will share with you top 5 hack tools for hackers to Investigate or Forensic their computer system or PC. Have you ever felt that your system is compromised or shared ? Do you think your system has unusual softwares or packages installed on it that sends your confidential or secret personal data to other Hackers? Always fears to test any hack tool that it contains viruses or malware or not? Wanna investigate your network that which application is sending which data to whom or where? 
If any of the question fits you then this post is for you. But if i speak by heart these tools are must for every normal users and hackers too to investigate their systems from boot to close. Today i am making you a real ethical hacker as today i will teach you how to investigate your system. And how to get rid of noobish antiviruses that do simply nothing on your PC just consumes resources of your system.


List of top 5 hack tools for hackers to Inverstigate or Forensic Computer system or PC:
1. Live View
2. Start up List
3. Open Files View
4. Wireshark
5. Helix 3


Working of above tools stepwise:
1. Live View
Live View is an open source utility that creates a virtual machine of the existing system. Live View creates a virtual disk out of the system that allows you to then safely investigate a copy of the system without interfering with anything installed. So you can easily investigate your system virtually without affecting the original system.
Now restart you PC for further investigations and tools to use.
You can download Live View for free here (Click here to download).


2. Start up List
Now you have a virtual copy of your system and now why you are waiting let's start investigating PC. So download the Start Up List (click here to download startup list).This is a great way to start the investigation of a system and determine what things might have potentially been put on the system to restart each time the system does. It will provide you the list of all programs that system use during the boot time. Great way to find the key-loggers and other remote monitoring tools as they are always added to start up. 
Now why i am saying this tool as you can directly do it using MSCONFIGcommand. Answer is as simple as question, msconfig only displays the list of programs that are attached to start up using registry keys. Normally what happens the viruses attach themself to some of the existing windows service so it will become difficult to identify its instances. Start up list displays all the back ground programs too.


3. Open Files View
The next step in investigating your computer is to find or determine which other files, other than usual are open. In Linux we can directly do this using the ISOF command in the terminal but there is no similar command in windows. Ahhah now what will you do to investigate this.. Don't worry OpenFilesView is there(click here to download openfileview). Openfilesview is a Windows executable that lists all the files and processes that are active currently – both local and network based – on the system. So you can easily identify which unusual file is opened or which unusual process is running. Now how it helps, all key-loggers or remote administration tools always maintains a temporary file on which they write their logs or other details. Now nothing is hidden from you. You can see each and everything and find out easily that which noob virus or keylogger is running on your system.


4. Wireshark
Mine favorite tool out of 5 tools. Now you have researched your system using above there tools, it time to investigate your network traffic. Several times it happens, when you install some software you doubt that it is sending your personal data or information to someone else. Wireshark is a tool that monitors your network packets and analyze them where its sending data. Now how its helpful for you, Most Trojans and key-loggers sends logs using network and upload them to FTP or send them to some email address. Using wireshark you can monitor what they are sending and even the username and password of FTP and email accounts on which it is sending. This is the most promising factor that makes to love wireshark more. So why waiting download the wireshark for free: (Click here to download Wireshark).


5. Helix 3
Now you all will be thinks we have done everything, investigating is done.but i am Destructive Mind. So few more things are striking my mind. What more i can investigate in the PC. Any guesses...
Damn.. i forgot i was teaching you.. 
Now how will you determine what the noob viruses has changed in your system, which files they have edited or attached their signatures to which of the programs and most important what they have edited or added. This you can do with the help of Helix 3. Helix 3, a newly updated version of the live Linux forensics tool, can be used to examine the disk safely to see what has been finally changed. So guys now how classy you think you have become. But sorry to inform you that its the first part of hacker's life and i guarantee 99.99% guys doesn't know these tools. Ahhh... If they know about these tools then they surely doesn't know how to use them and more important if they know that also they probably never used them as they are LAZY enough and leave everything on noob antiviruses.
(Click here to download helix3)  Its a 30 day trial version guys, as licensed version is for one system only. But i can tell you some awesome tricks to use it as much as you want. For downloading evaluation version again and again just register with new email ID and remove the previous version using WinXP manager which removes registry keys also.


One more suggestion about these noob antiviruses, they detect only those viruses and Trojans that are in their database, if a new virus has come then you have to wait till next database upgrade for getting it detected.

Password Guessing

Password guessing attacks can be carried out manually or via automated tools.

Password guessing can be performed against all types of Web Authentication

The common passwords used are:

root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name] or [known_username]

Passwords are the principal means of authenticating users on the Web today. It is imperative that any Web site guard the passwords of its users carefully. This is especially important since users, when faced with many Web sites requiring passwords; tend to reuse passwords across sites. Compromise of a password completely compromises a user.

Attack Methods

Often Web sites advise users to choose memorable passwords such as birthdays, names of friends or family, or social security numbers. This is extremely poor advice, as such passwords are easily guessed by an attacker who knows the user. The most common way an attacker will try to obtain a password is through the dictionary attack'. In a dictionary attack, the attacker takes a dictionary of words and names, and tries each one to see if it is the require password. This can beautomated with programs which can guess hundreds or thousands of words per second. This makes it easy for attackers to try variations: word backwards, different capitalization, adding a digit to the end, and popular passwords.

Another well-known form of attack is the hybrid attack. A hybrid attack will add numbers or symbols to the filename to successfully crack a password. Often people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is "site"; second month password is "site2"; third month password is "site2"; and so on. A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password. Some brute force attacks can take a week depending on the complexity of the password.

Hacking Tool: WebCracker

• 
  
  WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement Basic authentication password guessing.
• 
  
  lt keys on "HTTP 302 Object Moved" response to indicate successful guess.
• 
  
  lt will find all successful guesses given in a username/password.

Webcracker allows the user to test a restricted-access website by testing id and password combinations on the web site.This program exploits a rather large hole in web site authentication methods. Password protected websites may be easily brute-force hacked, if there is no set limit on the number of times an incorrect password or User ID can be tried.WebCracker is a simple tool that takes text lists of usernames and passwords and uses them as dictionaries to implement Basic authentication password guessing.

• 
  
  It keys on "HTTP 302 Object Moved" response to indicate successful guess.
• 
  
  It will find all successful username/password given in the list.

Hacking Tool: Brutus

http://www.hoobie.net/brutus/

• 
  
  Brutus is a generic password guessing tool that cracks various authentication.
• 
  
  Brutus can perform both dictionary attacks and brute-force attacks where passwords are randomly generated from a given character.
• 
  
  Brutus can crack the following authentication types:
• 
  
  HTTP (Basic authentication, HTML Form/CGI); POP3; FTP; SMB; Telnet
  
  

Brutus is an online or remote password cracker. More specifically it is a remote interactive authentication agent. Brutus is used to recover valid access tokens (usually a username and password) for a given target system. Examples of a supported target system might be an FTP server, a password protected web page, a router console a POP3 server etc. It is used primarily in two ways: To obtain the valid access tokens for a particular user on a particular target. To obtain any valid access tokens on a particular target where only target penetration is required.

Brutus does very weak target verification before starting; in fact all it does is connect to the target on the specified port. In the context of Brutus, the target usually provides a service that allows a remote client to authenticate against the target using client supplied credentials. The user can define the form structure to Brutus of any given HTML form. This will include the various form fields, any cookies to be submitted in requests, the HTTP referrer field to send (if any) and of course the authentication response strings that Brutus uses to determine the outcome of an authentication attempt.

If Brutus can successfully read forms of the fetched HTML page then each form will be interpreted and the relevant fields for each form will be displayed. Any cookies received during the request will also be logged here. Brutus handles each authentication attempt as a series of stages, as each stage is completed the authentication attempt is progressed until either a positive or negative authentication result is returned at which point Brutus can either disconnect and retry or loop back to some stage within the authentication sequence.

Hacking Tool: ObiWan

http://www.phenoelit.de/obiwan/docu.html

• 
  
  ObiWan is a powerful Web password cracking tool. It can work through a proxy.
• 
  
  ObiWan uses wordlists and alternations of numeric or alpha-numeric characters as possible as passwords.
• 
  
  Since Webservers allow unlimited requests it is a question of time and bandwidth to break into a server system.

ObiWaN stands for "Operation burning insecure Web server against Netscape". It is called Project 2086 now, after 2068 the number of the RFC which describes the HTTP/1.1 protocol. 11.1 is the section which describes the basic authentication scheme. This is the mostly used authentication scheme for web server and used by ObiWaN.

Web servers with simple challenge-response authentication mechanism mostly have no switches to set up intruder lockout or delay timings for wrong passwords. Every user with a HTTP connection to a host with basic authentication can try username-password combinations as long as he/she like it. This allows the attacker to prod the system as long as he wants to.

Like other programs for UNIX system passwords (crack) or NT passwords (lophtcrack) ObiWaN uses wordlists and alternations of numeric or alpha-numeric characters as possible passwords. Since web servers allow unlimited requests it is a question of time and bandwidth to break in a server system. The first way is to run ObiWaN more than once. The following example tries to crack username eccouncil on the intranet.

./ObiWaN -h intranet -a eccouncil -w list.txt 

To run it with alphanumeric variation with a depth of 2

./ObiWaN -h intranet -a eccouncil -w list.txt -A 2 

To run it in brute force loop mode

./ObiWaN -h intranet -a eccouncil -w list.txt -b 6 -B 8 

Hacking Tool: Munga Bunga

Munga Bunga's HTTP Brute Forcer is a utility utilizing the HTTP protocol to brute force into any login mechanism/system that requires a username and password, on a web page (or HTML form). To recap - A password usually only contains letters. In such a case the quantity of characters in a charset is 26 or 52, depending on usage of registers - both of them or just one. Some systems (Windows, for example) don't make any difference between lower-case and uppercase letters. With an 8-characters' long password the difference would amount to 256 times, which is really significant.

Brute force method can sometimes be very effective when it is combined with the functionality of the program. Munga Bunga is a tool which can be used for breaking into emails, affiliate programs, web sites, any web based accounts, launching DoS attacks, flooding emails, flooding forms, flooding databases and much more; though DoS attacks and flooding activity are not supported or documented in the documentation. Apart from this, the attacker can write definition files. These are files ending in the .def extension, and contain information about a particular server, and the data to submit to it. They are used to extend the power and capability of the program, based on the user's own definitions. The software comes bundled with some definition

The tool claims to be capable of brute forcing, any thing that can be entered via a HTML form with a password and username. The attack methodology goes as follows: The attacker uses a password file in order for the program to attempt and enter the account(s), with the specified passwords. In addition, he can write a definition file for the form he wants to crack into.

Hacking Tool: PassList

Passlist is another character based password generator.

Passlist is a character based password generator that implements a small routine which automates the task of creating a "passlist.txt" file for any brute force tool. The program does not require much information to work. The tool allows the user to specify the generation of passwords based on any given parameter. For instance, if the user knows that the target system's password starts with a particular phrase or number, he can specify this. This makes the list more meaningful to the user and easier for the brute forcer. He can also specify the length required such as the maximum number of random characters per password, apart from the maximum number of random

A partial list is given below.

• 
  
  Refiner is used to generate a wordlist containing all possible combinations of a partial password, which an attacker may have obtained by other means. Refiner will then generate a text file containing all possible combinations.
• 
  
  WeirdWordz allows the user to just select an input file and as an output file, makes all sorts of combinations of the lines/words in the input file.
• 
  
  Raptor 1.4.6 - creates words using many different filters from html files to create a wordlist.
• 
  
  PASS-PARSE V1.2 - Pass-parse will take any file and turn all the words into a standard type password list, while stripping anything that's not alphanumeric. The main idea behind it is that while trying to crack the password of a personal website, the password may appear on the site when the person describes their interests. This will parse through an html file and create a list of words from that page to try as passwords.

Port Scanner in C (with Translation of Functions)

#include                                             //standard library function
#include                                      //for socket n networking functions
#include                                     //for socket function
#include                                      //for networking
#include                                          //for database......... not required........ here
#include                                            //stad library function hope u guys know abt this
#include 

/* Main programs starts*/
int main(int argc, char **argv)                                   //argc
{
   int   sd;         //socket descriptor
   int    port;         //port number
   int   start;         //start port
   int    end;         //end port
   int    rval;         //socket descriptor for connect
   char    response[1024];      //to receive data
   char   *message="shell";       //data to send
   struct hostent *hostaddr;   //To be used for IPaddress
   struct sockaddr_in servaddr;   //socket structure

   if (argc < 4 )
   {
      printf("------Created By www.Softhardware.co.uk-----------\n");
      printf("--------------------------------------------------\n");
      printf("Usage: ./tscan \n");
      printf("--------------------------------------------------\n");
      return (EINVAL);
   }
   start = atoi(argv[2]);                                                           //Takes the starting port number to scan from
   end   = atoi(argv[3]);                                                          // FOr last port number that has to be scanned

   for (port=start; port<=end; port++)
   {

         //portno is ascii to int second argument

   sd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); //created the tcp socket // PF_INET==family name AF_INET can also be used, SOCK_STREAM is how data bytes have to be sent, IPPRPTP_TCP== which protocol to follow, UDP or TCP

   if (sd == -1) // THis fucntion checks for the socket creation, if socket is created successful then continue else....                         print error
   {
     perror("Socket()\n");
     return (errno);
   }

   memset( &servaddr, 0, sizeof(servaddr));

   servaddr.sin_family = AF_INET;  //FAMILY NAME
   servaddr.sin_port = htons(port); //set the portno

   hostaddr = gethostbyname( argv[1] ); //get the ip 1st argument

   memcpy(&servaddr.sin_addr, hostaddr->h_addr, hostaddr->h_length);

   //below connects to the specified ip in hostaddr

   rval = connect(sd, (struct sockaddr *) &servaddr, sizeof(servaddr));
   if (rval == -1)
   {
   printf("Port %d is closed\n", port);
   close(sd);
   }
   else
   printf("Port %d is open\n",port);

   close(sd);         //socket descriptor
   }

}

[for unix platform]

Open Port Check Tool..

CanYouSeeMe.org - Open Port Check Tool

http://canyouseeme.org/

Google XSS Flaw in Website Optimizer Scripts explained !

This week thousands of system administrators who make use of Goolge products will open their inbox to see an email from Google explaining that their Web Optimizer product contains an Cross-site scripting flaw that allows hackers to inject scripts into their Google Optimized web pages.

A part of this email follows:

“you are using a control script that could allow an attacker to execute malicious code on your site. To fix the vulnerable section of code, you should immediately either replace the control scripts in your affected experiments or stop the affected experiments and start new experiments”

On receiving this notification I quickly scrambled to my web sites to immediately implement the fix recommended by Google. Later on in the day I had time to to dig deeper into the problem and analyse the security flaw in more detail. What I found is a multi-staged attack that relies on cookie injection, improper text parsing and DOM script injection code.

I have documented my research in this article, and I hope that it will be of use to you. There is a lot to learn from other people’s mistakes, especially when those people are Google themselves.

The flaw exists in Googles Web Optimizer, which is a series of scripts that web administrators use to gain insight into how their web sites are navigated by online customers.

Below is a segment of the the flawed code.

<!-- Google Website Optimizer Control Script -->
<script>
function utmx_section(){}function utmx(){}
(function(){var k='XXXXXXXXXX',d=document,l=d.location,c=d.cookie;function f(n){
if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n.
length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash;
d.write('<sc'+'ript src="'+
'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com'
+'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime='
+new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+
'" type="text/javascript" charset="utf-8"></sc'+'ript>')})();
</script><script>utmx("url",'A/B');</script>
<!-- End of Google Website Optimizer Control Script -->

This Website Optimizer Control Script is embedded within your web page to track it. It will be run on the user’s end, and under a successful attack it will extract a malicious script from their cookie and execute it in their browser.

The code above is standard JavaScript however it is not easy to read. There are two reasons for this; firstly, like most Google client side scripts, it is obfuscated, purposely making it cryptic. Secondly it was designed to work fast and efficiently, and not to be easily understood.

I manually de-obfuscated this code, and whilst doing that, I re-factored it to make it easy to understand. The code below should be easy enough to read by anyone with JavaScript knowledge, yet it fulfills the same function as the cryptic code provided by Google.

01.  function AB_Analysis(){
02.     var k='YOURTACKINGNUMBER'
03.     var d=document;
04.     var l=d.location;
05.     var h=l.hash;
06.     var injectionvector1 = ReadFromCookie('__utmx');
07.     var injectionvector2 = ReadFromCookie('__utmxx');
08.     d.write
09.     ('<script src=http://www.google-analytics.com/siteopt.js?v=1&utmxkey='+k
10.     +'&utmx=' + injectionvector1
11.     +'&utmxx='+ injectionvector2
12.     +'&utmxtime=' + new Date().valueOf()
13.     +(h?'&utmxhash='+escape(h.substr(1)):'')
14.     + '" type="text/javascript" charset="utf-8"></script>')
15.  }
16.
17.   function ReadFromCookie(field_name){
18.     var c = document.cookie;
19.     var start = c.indexOf(field_name+'=');
20.     var end = c.indexOf(';',start);
21.     return c.substring(start + field_name.length + 1, end);
22.   }
23.

The security flaw starts in lines 06 and 07:

06.     var injectionvector1 = ReadFromCookie('__utmx');

07.     var injectionvector2 = ReadFromCookie('__utmxx');

Both these lines call into the function ReadFromCookie which parses the headers of a cookie file without sanitising the input. The lack of sanitation is on line 21:

21. return c.substring(start + field_name.length + 1, end);

Over here we can see a classic mistake – data is blindly read from an untrusted source. The substring function reads from the start of the field’s data all the way till the fist semicolon. What it reads should be a tracking number, but in this case it is a specifically planted ‘dormant’ script. It is dormant because it resides inside a cookie and not inside the HTML of the web page itself. The lines 10 and 11 are where the real trouble begins to show. The extracted and potentially dangerous script is injected into the user’s DOM:


08.     d.write
09.     ('<script src=http://www.google-analytics.com/siteopt.js?v=1&utmxkey='+k
10.     +'&utmx=' + injectionvector1
11.     +'&utmxx='+ injectionvector2
12.     +'&utmxtime=' + new Date().valueOf()
13.     +(h?'&utmxhash='+escape(h.substr(1)):'')
14.     + '" type="text/javascript" charset="utf-8"></script>')


The code above is the one responsible for the fatal injection. There is some irony here. In the same statement of  code there exists some protection against XSS, but it does not go far enough.

Look at line 13:

13. +(h?'&utmxhash='+escape(h.substr(1)):'')
This code correctly treats the DOM hash (variable h) as untrusted because it can be manipulated in a similar way as the cookie can. The lines before it, however omit calling the escape() function that effectively sanitises code against XSS and similar attacks. Its a typical case of ‘so close, yet so far away’.

For those who find it hard to read JavaScript, I have included a flow chart showing the two functions, AB_Analysis and ReadFromCookie.

AB Analysis Function

The diagram above is a flowchart for the AB_Analysis script. This script is embedded on pages by web developers who are making use of the Google Web Site Optimiser. The red processes are where data is read from the cookie and added to a script, which is in turn injected into the DOM.

ReadFromCookie flowchart

Above is a flowchart for the ReadFromCookie function. There is no actual flaw here, except maybe that there is no limit to how much data is read out of the cookie. Also, the end of record detection is rather crude – simply looking for a semicolon in the data.

Below is how a normal cookie might look. Cookies are not very sophisticated and are generally described as simple text files on the user’s computer. In HTML5 cookies have been replaced by a full blown relational database.

Normal Cookie Example
BEGIN COOKIE
umtx: some_value;
umtxx: some_other_value;
END COOKIE
The compromised cookie below contains script inside the umtx and umtxx fields. This script is not active and therefore not dangerous. However, when the AB_Analysis script is executed, the umtx script gets activated through this XSS attack.

Compromised Cookie Example

BEGIN COOKIE
umtx: <<malicious script goes here>>;
umtxx: <<malicious script goes here>>;
END COOKIE
An attack is two staged; first the malicious script has to be injected into a cookie on the victim’s browser. After that, the user must visit a web page. containing the Google AB_Analysis script. The attack can be summarised in the diagram below.

Attack on Google Web Optimizer

Google was fast to react and provide a fix however this fix needs to be deployed by every web site administrator that uses Google Web Optimiser. This applies to hundreds of thousands of web pages globally.

I hope that administrators are quick to fix this problem as it could easily result in an XSS attack against their site if targeted.

Full instructions on different options on applying the fix can be found on the official Google support page.

Thanks For Reading The Article...