Re: Web App Script Capture

[Anthony Cicalla <anthony.cicalla () gmail com>]

it's really nice when you can use the traversal to just look at the
history file on a nix box and aquire the root login password as a
result. It can still be quite common which as stated before makes
owning the box pretty easy.

Anthony
On Thu, Oct 1, 2009 at 7:04 AM, Mike Duncan <Mike.Duncan () noaa gov> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jon Kibler wrote:
> > Mike Duncan wrote:
> > > What you have to worry about in these situations is information
> > > disclosure. Using the path traversal, an attacker can fingerprint the
> > > OS, applications/daemons installed,  and even the versions in some
> > > cases. Using this information, further attacks can be made on the system
> > > itself.
> >
> >
> > I know. In fact, with this particular app, I am able to upload arbitrary files
> > and get full system remote access with very little effort.
>
> Oh, I thought by your original message you meant that file uploading was
> not an option. I guess what you meant is that there is not actual form
> to upload a file.
>
> > However, since it is an open source app, I took a "short cut" by looking at the
> > code to see how session cookies are created, so I can hijack sessions to upload
> > files. I would like to use this vulnerable app as a demo, but I can readily
> > anticipate the feedback of "you cheated. you could never do this with a closed
> > source app."
>
> What would they say to you using OleDbg or gdb in your analysis of
> software? They are missing the point of Open Source if they are saying
> that you are cheating. The point IS to see the source and pass along the
> issues or fix them yourself. If it was a closed source application, then
> you are at the devices of the developer who may/not be around/care that
> you found the issue(s). Additionally, every other good attacker on the
> planet (like yourself) would use the same means.
>
> You do not need to see the source either to investigate how sessions are
> stored. Trial and error would definitely bring this issue to light (i.e.
> SQLi is normally trial and error in the beginning). Many dynamic
> analysis tools would most likely pick up on this issue as well. Maybe
> you could build on that too -- perhaps tell them how you can achieve the
> same goal without looking at the source.
>
> > What I want to demonstrate is that once I have path traversal, I can steal just
> > about anything -- except for script source code. I haven't figured out a
> > work-around for that problem (stealing source code). Thus, my question.
>
> You might wanna see if there is another application installed on the
> server which will allow you to accomplish your goals. By using
> traversal, you should be able to see what OS and application versions
> are installed and then you can work from there. Thus, demonstrating that
> path traversal is more dangerous than most of your audience thought. I
> am sure you will get feedback to the sound of "well, we will just patch
> everything else" leaving the attack vector open, but this is security
> through obscurity really.
>
> To further illustrate your point, point out videos or texts online
> showing the dangers of traversals or even examples.
>
> > Jon
>
> HTH.
>
> Mike Duncan
> ISSO, Application Security Specialist
> Government Contractor with STG, Inc.
> NOAA :: National Climatic Data Center
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkrEtvYACgkQnvIkv6fg9hbKTQCfYprCfliOPqxDoEq3g/i8/l4C
> 7BEAn1R1pkg0a4QcG7eGJrUuF1T0srXW
> =Faf1
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------



-- 
Anthony,

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------