Episode162

From Paul's Security Weekly
Revision as of 08:38, 27 June 2013 by Rkornmeyer (Talk | contribs)


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 162 - August 6th, 2009

  • PaulDotCom will be running a Hacklab in Boston at SANS Boston 2009 hosted by strandjs this Friday August 7th from 6:00PM till ???. "Hack Naked" T-shirts will be on sale for $10! Get 'em autographed by John Strand himself!

Episode Media

mp3

Interview: Renaud Deraison

Renaud Deraison is the primary author of the Nessus vulnerability scanner project. He has worked for SolSoft, and founded his own computing security consulting company, "Nessus Consulting S.A.R.L." Nessus has won numerous awards, most notably, the 2002 Network Computing 'Well Connected' award. Renaud has presented at a variety of security conferences including Black Hat and CanSecWest.

Questions:

  1. How did you get your start in information security?
  2. What prompted you to write Nessus?
  3. What languages and technologies did Nessus use in the beginning and why?
  4. Why did you choose to write NASL? Why not choose a more "open" language, like Perl, Python, Ruby, or Lua?
  5. What advantages and disadvantages does NASL provide?
  6. Why did you decide to transition Nessus from open source to closed source?
  7. What major changes has Nessus undergone from versions 2 -> 3 -> 4?
  8. What do you feel sets Nessus apart from other scanners?
  9. How did you meet Ron and start Tenable?
  10. How many people are working for Tenable writing plugins?
  11. How do you like living in NYC compared to France?
  12. Which city has better restaurants/cuisine? Name your favorite restaurant in each!
  13. What is your day to day like as a Chief Research Officer?
  14. If you had a magic wand and could fix one thing about information security, what would it be?
  15. What advice would you have for someone wishing to get into the info-sec field?

Tech Segment: Detecting phpMyAdmin

Technical Note: I am working on a blog post on this topic, keep an eye out on http://blog.tenablesecurity.com

There are times when you need to seek out, and possibly destroy, an application running in your environment. For example, when I worked for a university I had to seek out machines that were missing the latest MS patches (or they would fall victim to worms), PHP apps that contained file upload vulnerabilities (or script kiddies would host viagra ads there), etc. Sometimes it was Symantec anti-virus, which may have contained a remote command execution bug. Finding these flaws was very important to me; it spoke volumes about evaluating and eliminating risk.

On To The Challenge

Someone on the PaulDotCom mailing list asked for the best way to detect phpMyAdmin and, even better, to detect the vulnerabilities that are present in it. phpMyAdmin can be evil: it gives you access to the database. So the mere presence of it could spell trouble, but consider the effects of the vulnerabilities:

  • XSS - If I can get code into phpMyAdmin then I can grab user's credentials and gain access to the database.
  • Command Injection - Being able to execute commands through phpMyAdmin certainly could grant me read access to the database, and the ability to execute commands as the web server.
  • Authentication Bypass - This one is really bad, as access to phpMyAdmin is the same as access to the SQL prompt! This can lead to shell. Also, if we're able to access phpMyAdmin, we can access all the databases (potentially) and grab data from the tables.

Using Nmap

Nmap version 5.00 stable did not contain functionality to detect phpMyAdmin. However, an NSE script or two could be useful in this area and would not be hard to write. You could certainly use Nmap to find out which OS it's running on, look for port 3306 listening, and detect the web server port and type.

I did some digging around the svn version of Nmap, and they've added this:

# grep -i phpmyadmin *
http-enum.nse:    {checkdir="/phpmyadmin/", checkdesc="phpMyAdmin"},
http-enum.nse:    {checkdir="/phpMyAdmin/", checkdesc="phpMyAdmin"},

Using Nikto

Nikto provides a handful of checks by default, not only for the existence of phpMyAdmin but also for certain vulnerabilities:

# ./nikto.pl -h 192.168.1.218
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP:          192.168.1.218
+ Target Hostname:    192.168.1.218
+ Target Port:        80
+ Start Time:         2009-08-08 3:21:03
---------------------------------------------------------------------------
+ Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ OSVDB-8450: GET /phpMyAdmin/db_details_importdocsql.php?submit_show=true&do=import&docpath=../../../../../../../etc : phpMyAdmin allows directory listings remotely. Upgrade to version 2.5.3 or higher. http://www.securityfocus.com/bid/7963.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3092: GET /phpMyAdmin/ : phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 7 item(s) reported on remote host
+ End Time:        2009-08-08 3:21:03 (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Test Options: -h 192.168.1.218
---------------------------------------------------------------------------

Using Nessus

Okay, I know, I'm biased, but Nessus does the best job of detecting and enumerating vulnerabilities of specific web apps like phpMyAdmin. It contains 19 different vulnerability checks, including the detection of it and whether authentication is being used or not. We added this plugin after the CTF event, realizing that phpMyAdmin exposed without a username and password prompt was really bad and led to shell (it's the same as TELNET without a password).

I came up with some cool command line stuff to detect it:

find . -iname 'phpmyadmin*.nasl' -print0 | xargs -0 grep -i "script_id" \
  | cut -d\( -f2 | cut -d\) -f1 | tr '\n' ','

That command finds all the plugins that relate to phpMyAdmin, and this command runs Nessus to test them:

/opt/nessus/bin/nessuscmd -o "Global variable settings[checkbox]:Enable CGI scanning=yes" \
  -o "Global variable settings[checkbox]:Thorough tests (slow)=yes" -U -p 80,443 -V \
  -i 15770,15948,17689,22512,11116,11761,17221,40352,36083,15478,20088,36170,17219,22124,36171,19519,19950,12041,17220 \
  192.168.1.245
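The two commands above, wrapped up as an added example (not code from the episode page or from Tenable): the plugin-ID pipeline becomes a function that yields a clean, sorted, comma-separated list with no trailing comma, and the nessuscmd invocation is rendered from that list. It assumes the Nessus plugin layout of one script_id(NNNNN); call per .nasl file; the sample plugin directory is constructed so the example runs offline and nothing is scanned.

```shell
#!/bin/sh
# Collect the IDs of every plugin whose filename starts with phpmyadmin
# (case-insensitive), one script_id(NNNNN); per file, sorted and deduplicated.
nasl_ids() {
  find "$1" -iname 'phpmyadmin*.nasl' -print0 \
    | xargs -0 grep -h '^[[:space:]]*script_id(' \
    | sed 's/.*script_id(\([0-9][0-9]*\)).*/\1/' \
    | sort -n | uniq \
    | tr '\n' ',' | sed 's/,$//'
}

# Render the nessuscmd command line from the page with the ID list filled in.
# Only the string is returned; nothing is executed.
nessus_cmdline() {
  printf '%s' "/opt/nessus/bin/nessuscmd" \
    " -o \"Global variable settings[checkbox]:Enable CGI scanning=yes\"" \
    " -o \"Global variable settings[checkbox]:Thorough tests (slow)=yes\"" \
    " -U -p 80,443 -V -i $1 $2"
}

# Constructed sample plugin directory: two phpMyAdmin plugins, one unrelated
# MySQL plugin that must not be picked up. Real plugin IDs are taken from the
# list above; the filenames are made up for the example.
make_sample_plugins() {
  d=$(mktemp -d)
  printf 'script_id(15770);\n' > "$d/phpmyadmin_detect.nasl"
  printf '  script_id(11116);\n' > "$d/phpMyAdmin_xss.nasl"
  printf 'script_id(22512);\n' > "$d/mysql_unrelated.nasl"
  printf '%s' "$d"
}

# Usage: print the command you would paste into a shell for the sample dir.
sample_dir=$(make_sample_plugins)
nessus_cmdline "$(nasl_ids "$sample_dir")" 192.168.1.245
echo
```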

Nessus can also log into the local system, look for the distribution's patches, and see if phpMyAdmin is up-to-date. You can also use the configuration auditing feature to look through all of your Apache configuration files and detect the presence of phpMyAdmin (provided they reference "phpmyadmin" in the Apache config).

Stories For Discussion

  1. Fed's RFID pwnage - [Larry] - Here's a story of a fed that went to DEF CON, and had his RFID enabled credentials scanned. At the same time, his picture was taken so that it would be easier to identify. Some of the feds interviewed said "Wow, we didn't even think of that...". Also looks like some new gear to be in the works soon...
  2. Owned via Firmware - on your KEYBOARD - [Larry] - Wow, this is an elegant hack. Researcher K. Chen created his own firmware for Apple keyboards and used Apple's HID update tool to load the firmware to the keyboard - this new firmware contained a key logger, which is almost impossible to remove once added and locked... in only 8K of flash and 256 bytes of RAM.
  3. URL blocking the Fail Whale way - [Larry] - Twitter has implemented some URL filtering - you post a URL to a "known" malicious site, they warn you and your post is deleted. So, how to get around it? Use a URL shortener, especially those in so many of the API clients.
  4. OSX Rootkit - [Larry] - Yup, one is here, from Dino Dai Zovi. From this work, he was able to develop a meterpreter version for OSX! Unfortunately, neither demo worked at the con, but he says he'll be releasing soon.
  5. iPhone SMS attacks - [Larry] While a little bit older news, I wanted to bring it up to confirm or deny rumors. I didn't make it to the talk, but I heard that the attack is only exploitable locally to the phone itself. I also heard that this is because AT&T throttles SMS data, and during testing, Charlie was able to crash the cell tower....
  6. Twitter DOS - [PDC forums - Vincent Lape] - The denial-of-service attack coincides with the launch of Koobface run using Twitter as a distribution vector for fake security software.
  7. The more secure something is, the less secure it will become - [Pauldotcom] - we've all seen it: door propped open, users' passwords under the keyboard. I think this really speaks towards user education in place of too strict security controls.
  8. Cracking WPA with video cards - [pauldotcom] - so what used to take 15-20 hours now takes 1 hour. This is big! Why don't people pay attention to wireless security anymore? I mean, what used to be almost not worth it can now be done in the time it takes me to ssh to a remote server, copy in some packets, and sip my latte!
  9. LoJack for your laptop - [pauldotcom] - turns out it's a rootkit!
  10. car cigarette lighter gps jammer - [pauldotcom] - ha, and my wife and the gov't think they can track me wherever I go! not anymore!
  11. hacking defcon with a t-shirt - [pauldotcom] - this is yet another reason why i love i-hacked!

Other Stories For Discussion