Caja Granada ha Parcheado Su web

Wednesday, June 10, 2009
###################################
Caja Granada ha Parcheado Su web
vendor Url:http://caja.caja-granada.es/
###################################

La web de La entidad bancaria Caja granada bajo uno
de sus diferentes dominios,se vio afectada por una
serie de errores de validacion de tipo Cross-site
scripting (XSS) y de tipo (CSRF)

Estas vulnerabilidades fueron descubiertas y
estudiadas por mi hasta descubrir las vulnerabilidades
o vectores de ataque, en la parte externa de la web;es
decir en la parte no autentificada de la web.

Las vulnerabilidades fueron reportados al equipo de seguridad
logica de La entidad, y al servicio de atencion al cliente,
despues del intercambio de unos mails, ha quedado parcheada
la parte mas critica de estas vulnerabilidades, la cual
permitia la inclusion de todo un sitio web bajo un frame
sobe el dominio principal de la entidad.



Caja Granada vuelve a ser segura en esos puntos reportados.
Ningun cliente de Caja granada pudo verse afectado , ya que
las comunicaciones se produjeron con absoluta discreccion
por ambas partes.

En el caso de la inclusion del sitio, ademas de haber sido
corregido , se nos muestra un mensage advirtiendonos de si
de verdad hemos accedido a esa url atraves del dominio de
caja Granada.



No se da ninguna prueba de cocepto por motivos evidentes.

Referencias :

http://caja.caja-granada.es

http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html

http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html



################## €nd ###################


Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Caixa Sabadell Parchea sus dominios web

Wednesday, June 03, 2009
#######################################
Caixa Sabadell Parchea sus dominios web
vendor: http://www.caixasabadell.es
#######################################


La web de Caixa Sabadell bajo dos de sus diferentes dominios,
se vio afectada por una serie de errores de validacion de tipo
Cross-site scripting (XSS).

Estas vulnerabilidades fueron descubiertas y estudiadas por mi
hasta descubrir las vulnerabilidades o vectores de ataque, en
la parte externa de la web;es decir en la parte no autentificada
de la web.

Las vulnerabilidades fueron reportados al equipo de seguridad
logica de La entidad, y al servicio de atencion al cliente,

Estas ediciones han sido solucionadas ya a dia de hoy, y asi
caixa Sabadell vuelve a ser segura en esos puntos reportados.

No se da ninguna prueba de cocepto por motivos evidentes.

Referencias :

http://www.caixasabadell.es

http://lostmon.blogspot.com/2009/01/la-banca-espaola-ante-el-phishing.html

http://lostmon.blogspot.com/2009/02/entidades-bancarias-espanolas-ante-el.html



################## €nd ###################


Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lost...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Safari 4 Automatic explorer.exe launch

Tuesday, May 12, 2009
###############################
Safari for windows automatic command line launch
advisory:http://lostmon.blogspot.com/
2009/05/safari-4-automatic-explorerexe-launch.html
vendor notify:yes
###############################

###########
Description
############

Safari 4 public beta (528.16) is prone vulnerable
to a local file comandline automatic launch.

I test it in windows vista & windows 7 rc

first take a look ..=>

http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#app_reg
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx#url_inv

In this documentation in "security alert" say :

"Applications handling URL protocols must be robust
in the face of malicious data.
Because handler applications receive data from untrusted
sources, the URL and other parameter values passed to
the application may contain malicious data attempting to
exploit the handling application. For this reason, handling
applications that could initiate unwanted actions based on
external data must first confirm those actions with the user"

Take a look, how to use search-ms protocol handler:

http://msdn.microsoft.com/en-us/library/bb266520.aspx

and

how to display windows objects in a command line :
http://www.codeproject.com/KB/system/ExplorerObjects.aspx


With all of this information a user can compose a html
document that call search-ms protocol handler , and use
some explorer objetcs.

########
testing
########

search-ms:query=microsoft&
search-ms:query=vacation&subquery=mydepartment.search-ms&
search-ms:query=seattle&crumb=kind:pics&
search-ms:query=seattle&crumb=folder:C:\MyFolder&

If you compose a html document with a iframe or a link that
contains any of those search-ms url firefox,google chrome,and
IE8 show a warning.( this is correct)but if you click in accept
it open explorer.exe and execute the search...

If you test the same with safari,this browser, opens
directly the iframe or the link without any prompt
or any warning.

If we look the implementation on this protocol handler,
and we look how to show explorer objects, we can compose
a "special" url that can contain explorer objects in
"location" parameter and we can launch explorer.exe that
can search in a determinate place of our machine.

for example :

search-ms:displayname=Search%20In%20Google.com&crumb=
location:%3A%3A{20D04FE0-3AEA-1069-A2D8-08002B30309D}
&stackedby=System.ItemTypeText&recurring:true

open explorer.exe , and close the tab where
explorer was called and close explorer.exe too

search-ms:displayname=Search%20In%20Google.com
&crumb=location:D%3A%5C&stackedby=System.ItemTypeText
&recurring:true

open explorer and explode the search box:

search-ms:displayname=%3D[]%20OR%20%3D%20OR%20%3D%20OR%20%3D&location:

the displayname param we can use it for spoof location,and
show for example in this case google.com (the victims can
think that the browser is searching in google.com)

If we put directly this url in the address bar of safari
this browser say , that it can´t open this url because
it don´t know the associate program.

But if we pass this ur in a iframe , safari don´t show
any warning and it execute this url and search withing
the files of the victim.

If we pass this url to Firefox , it show a warning , and
if we click in allow , this search is executed,if we pass
the url in a link or in a iframe the result is the same.

With Google Chrome if we pass the url to address bar,
Chrome search this url in google ( not affected directly)
but if we pass the url in a iframe or in a link , it show
a warning , click in allow and the search is executed.

with IE8 show a warning , but the search isn´t executed,
because it is incorrect to explorer, we can compose others
one. (it works too)

Wen explorer.exe is launching , the process is called with
this params:

this "injection" executes at commandline level =>
c:\windows\explorer.exe /separate,/idlist,%1,%L

I'm doing several test and try to obtain this other command line =>

c:\windows\explorer.exe /N,%windir%\system32,
/select,%windir%\system32\calc.exe

but at this moment i can't pass this command line in a
iframe with search-ms protocol.


¿ a remote user can collect the result of this local search ??
i don,t know any way to do it; but for example we can cause a
DoS to explorer if compose a HTML document with tree or four
iframes that call search-ms and it can use tu turn slow the
PC or for abuse of te search indexer or explorer.exe

A link with only put the protocol search-ms: with tree
or four explorer windows , it can be abuse of memory ,
and in some cases eplorer.exe crashes.

I exchange some mails whith MSRC (microsoft) and
the and i in the final conclusion , we think that at
this moment this not supose a security vulnerability
in IE8 , because it show the warnig , and we don´t have
found a vector to attack or to bypass the restrintions on
the search-ms implementation to turn it in a Remote command
execution or remote code execution.

This is the final response from Microsoft:
#######################################

We have completed our investigation into this issue
and believe there is not a security issue here for
Microsoft to address. Our investigation has not shown
any method whereby a search-ms URL could either execute
arbitrary code or return search results to a third party.
Although additional search windows can be generated from
multiple iframe on a web page, this is a temporary DoS
condition. We can find no security issue with the search-ms
protocol itself. As such, this is not something MSRC would track.

Please let me know if you feel we have missed something
in our analysis. Otherwise, I will be closing the MSRC
case down. I do appreciate you taking the time to report
this to us and working with us throughout the investigation.
########################################

but if we remember wen we call search-ms protocol
in a web page it executes this:
c:\windows\explorer.exe /separate,/idlist,%1,%L

them .. at this moment it isn´t a vulnerability in IE
but i think that this issue need to be track ...

###############€nd#####################

Thnx to estrella to be my ligth
Thnx to all Lostmon Team !!
Thnx The Microsoft Research Security Center
for their support. http://blogs.technet.com/msrc/
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Comtrend HG536+ vulnerabilities

Monday, April 27, 2009
##########################################
Comtrend HG536+ vulnerabilities
Vendor url:www.comtrend.com
Advisore Url:http://lostmon.blogspot.com/2009/04/
comtrend-hg536-vulnerabilities.html
Vendor notify: NO
#########################################

These Flaws are discovered before by Isecauditors
see http://www.securityfocus.com/bid/32975

sorry for the inconvenience...
#####################
Description By vendor
#####################

The HG536+ is an 802.11g (54Mbps) wireless and wired
Local Area Network (WLAN) ADSL router. Four 10/100
Base-T Ethernet ports provide wired LAN connectivity
with an integrated 802.11g WiFi WLAN Access Point for
wireless connectivity.

################
Vulnerabilities
################

this device is by default with this settings:

==========================================
l LAN port IP address: 192.168.1.1
l Local administrator account name: admin
l Local administrator account password: admin
l Local non- administrator account name: user
l Local non- administrator account password: user
l Remote WAN access: disabled
l Remote WAN access account name: support
l Remote WAN access account password: support
l NAT: enable and firewall: disable
l DHCP server on LAN interface: enable
l WAN IP address: none
============================================

All Of this flaws are because the access control
is based in a ineffective javascript control in
'menuBcm.js' file that enables or disables view
items in the menu.html file, according of user
was logged in.

For this reason a minimal user , can call directly
all pages,that are parts of the web interface
bypassing the "pseudo restrictions" access role.

for exploit all flaws , a minimal account credentials
are required.

Vuln 1 => access Control error

if a user has access to non administrator user
by entering username "user" and password "user"
with this user only can update the firmware , manage
SNMP ,and view some status in the router ,and do
diagnostics , about adsl connectivity.This user
aparently is "restricted" to take some actions.

This router in this firmware version , has a
access control error and a user without privileges
( user-user) can access to all functions if he
make a direct request to the interested file or
functions.

example :

this user has no access to manage the setup of router
but by entering http://192.168.1.1/wancfg.cmd
he can configure the WAN settings.

download the config =>
http://192.168.1.1/backupsettings.html

view wireless key =>
http://192.168.1.1/wlsecurity.html



Vuln 2 => clear text admin passwords disclosure.

login in the router with user -user account
and open http://192.168.1.1/password.html
try to view the source code...

in the source we found :

=======================
pwdAdmin = 'admin';
pwdSupport = 'support;
pwdUser = 'user';
=======================


###############
versions
###############

Comtrend HG536+
firmware A101-302JAZ-C03_R14.A2pB021g.d15h

##############
Solution
#############

No solution was available at this time.

by default this router is configured for
denied the access from WAN connections
But this style attack can be done if any
user is inside the LAN or if enable the
access from WAN.

configure to deny Wan connections and
Grant access to device ,only to trust users.

################# €nd #############
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends