Time: Tuesday 19th April

Location:
Furniture Makers’ Hall, 12 Austin Friars, London, EC2N 2HE
(Nearest convenient tube: Bank, Moorgate, Liverpool Street)

More info:

Download the PDF with the invitation (as seen above) from here [invitation].

Please don't forget to confirm if you want to come: send the e-mail to pentestinfo(@)7safe.com /remove brackets of course/

C U there! :-)

A.

When:

• Weekend Training Session: July 30-31
• Weekday Training Session: August 1-2

Registration:
http://blackhat.com/...

More details:
7Safe together with Red-Database-Security will be delivering the two-day hands-on course at Blackhat 2011. The course will teach the audience the security problems related to Oracle database. The training covers a variety of security problems arising from flaws such as insecure design, insecure features/packages, insecure PL/SQL code, patch management, weak passwords etc. The second day will focus on securing and hardening databases using built-in oracle features along with a number of externally available scripts and tools. Implementing auditing solutions will also be a part of the training. The audience will have access to an infrastructure with a number of Oracle components deployed, and they will be encouraged to identify/exploit/patch security vulnerabilities as they learn them. The training will provide software developers understanding of writing secure PL/SQL code, DBAs the understanding of thorough auditing of the database and penetration testers the understanding of how to break the unbreakable Oracle.

I have the default system language in Windows set up as English, but the default one for the non-Unicode programs is set to Polish. Nothing wrong with it, right. So when I start Skype for the first time it happily detects this setting and switches its language accordingly to the Polish too. Chaaarming. ;-)

Now let's imagine that I want to change the default Skype's language permanently to English (well, I much prefer English UI in all apps, ok). Seems life is easy: click the main menu, then Tools --> Change language --> English ... and the language is changed. Now try to close Skype and open it again... What you you see: the application's language is immediately switched back to Polish! Ok, you may try to attack the problem from the different side: Tools --> Options --> Tab: General setting --> Languages combo: English, then Save. Unfortunately the effect is exactly the same: when Skype is restarted - it switches the language to the one set up as the default for non-Unicode programs (in my case: Polish). God knows why this proggy has such amazing feature, but believe me - to change the language manually after each restart is becoming pretty annoying after some time.

As usual, I google the problem and quickly found out that I am not alone: look here for example http://portableapps.com/node/21644. So can we do anything? Yes we can®! :-)

I wrote a small program which runs the Skype and then simulates mouse clicks on the main menu and kind of "pseudo-manually" switches the application's language to the default one (English). This is also a nice small example how you may access the main menu of the application "B" from the code of application "A" and execute some  functionality in application "B". No worries, we are not "literally" moving the mouse cursor the the menu, but issuing some appropriate system messages - so everything is pretty elegant.

Ok, if someone needs only executables here they are (with the source code in Delphi):

• The one should be used with the Skype Portable (recommended): http://itsecuritylab.eu/files/...
• The one may be used with the regular Skype: http://itsecuritylab.eu/files/...

Usage is very simple: extract the executable and put it to the same folder where your SkypePortable.exe or Skype.exe is located and then run. My little program runs Skype, waits until it is loaded and switches the language to English. Job done! :-)

Some technical background

Ok, so this is how it works. First of all we have to find the Skype window in the system (assure it exists, so we may get it's handle and access its child elements). This is rather trivial, so no need to explain anything. Once the window is found this is what we are doing:

var
  menu: HMenu;
  id: integer;
  s: Array[0..255] of char;
begin
  tmrMain.Enabled := false;

  h := findWindow(pchar('tSkMainForm.UnicodeClass'), nil);  //--- find Skype's window
  menu := getMenu(h); //--- find the main menu
  GetMenuString(menu, 5, @s[0], 255, MF_BYPOSITION); //--- get the text of 6th menu item (should be '&Help')

  if string(s) <> '&Help' then  //--- current language is NOT English
  begin
    menu := getMenu(h); //--- main menu
    menu := GetSubMenu(menu, 4); //--- find the 5th menu item

    //--- activate this (5th) menu item, so all subitems can be redrawn. This is IMPORTANT!
    SendMessage(h, WM_INITMENU, WPARAM(menu), 0);
    SendMessage(h, WM_INITMENUPOPUP, WPARAM(menu),0);

    menu := GetSubMenu(menu, 2); //--- find the 3rd submenu item

    id := GetMenuItemID(menu, 9); //--- 10th menu item (select "English")
    PostMessage(h, WM_COMMAND, id, 0); //--- click it! :-)
  end;

  SendMessage(h, WM_SYSCOMMAND, SC_MINIMIZE, 0);
  application.Terminate;
end;

So 1st thing we have to do - we have to check what language is set up currently. We are getting the text of the 6th menu item and checking if it is equal to "&Help" or not. Currently it's "&Pomoc", which means the current language is not English (yea, it's Polish actually).

This is the code used for checking:

  h := findWindow(pchar('tSkMainForm.UnicodeClass'), nil);  //--- find Skype's window
  menu := getMenu(h); //--- find the main menu
  GetMenuString(menu, 5, @s[0], 255, MF_BYPOSITION); //--- get the text of 6th menu item (should be '&Help')

  if string(s) <> '&Help' then  //--- current language is NOT English
  begin
  [...]
  end;

Now we have to iterate through the menus and sub-menus and run some action on the target item. Look at this code:

    menu := getMenu(h); //--- main menu
    menu := GetSubMenu(menu, 4); //--- find the 5th menu item

    //--- activate this (5th) menu item, so all subitems can be redrawn. This is IMPORTANT!
    SendMessage(h, WM_INITMENU, WPARAM(menu), 0);
    SendMessage(h, WM_INITMENUPOPUP, WPARAM(menu),0);

    menu := GetSubMenu(menu, 2); //--- find the 3rd submenu item

    id := GetMenuItemID(menu, 9); //--- 10th menu item (select "English")
    PostMessage(h, WM_COMMAND, id, 0); //--- click it! :-)

Important detail: look at strings highlighted in red: this is important element of the code as the sub-menu with the list of languages is generated "on-the-fly" once the parent menu item is activated. Without it: the 10th menu item (language "English") simply does not exist, (hence can't be called).

One more remark: the proposed solution requires Skype user interface (Visual Style of the window) get running in "Classic Windows" mode.

• Most important thing: now you can grab 3D frames (3D data + 2D mapping), save it and run on a computer without Kinect! No need to have any drivers installed. You can give this program to your friends and they will be able to see your 3D pictures! :-)
• 2D to 3D mapping is fixed. It's still not ideal, but much better then before.
• You can switch on/off 2D and3D viewing mode. Pretty handy.
• It is possible to manage motor and change tilt of the Kinect.
• Newest version of Kinect.pas is included (Simon J Stuart - thank you for the update! More info about TKinect project is here)
• Bug fixed here and there.

EXE is precompiled as usual, so can be used right away. Here is the link to EXE and the source code in Delphi:

http://itsecuritylab.eu/files/kinect/kinect_delphi_3dpoints.zip

To make yourself more familiar with what the story is about, I strongly encourage you to look through the previous post about the Kinect and see the movie.

How to save/load3D frame

It's pretty easy actually. Select Frame --> Save from the main menu (you didn't expected anything else, yea?), then give a name without file extension. Program will grab the current frame and create 2 BMP files: one for 2D and the other for the 3D data (yes, they are just regular BMP files).

Those files would have a special suffix inside. A keywords: _KinectRGB and _KinectDepth.

If you want to open a frame: go to Frame --> Load and point to any of those two files. Program would find it's way to load them properly :-)

3D view on/off

There is nothing to explain here really.

Some sample images are included in the package (e.g. a nice 3D view of my corridor) :-)

This is it. Have fun and definitely drink enough to celebrate a New Year properly!

It's not like I am trying to reinvent the wheel (there are plenty of applications using Kinect on PC), but recently I did not find any nice examples of how this incredibly cool thing can be used with Delphi. And you don't think I can leave it "just like that", don't you? ;-) So see the results below (video) and so more technical details of both applications (2D and 3D visualization). So as for today there will be no hacking, boys and girls, but just pure awesome 3D-virtual-reality joy... :-)

Ok, so you want to try to get those samples tweak them probably and run your own code? There is nothing more simple:

Prerequisits:

• Computer (PC) with hardware accelerated graphic card (anything with OPENGL hardware rendering).
• Kinect controller :-)
• Kinect windows drivers (NUI Group) http://nuigroup.com/...
• Simon J Stuart's TKinect component for Delphi taken from here: http://www.lakraven.com/... (you did EXCELLENT work, dude!)
• Super fast Delphi 2D Image processing library graphics32: http://www.graphics32.org/...
• GLScene (Delphi OPENGL library): http://glscene.sourceforge.net/...

Everything is installing like a charm. Some subtle obstacles with GLScene, but nothing too complicated to be mentioned really. Important: Before you run anything - be sure that the Kinect device is recognizable by your computer (check it in you Device Management panel).

Ach, almost forgotten: take the source files of my applications from here:

• 2D data visualization: http://itsecuritylab.eu/files/kinect/kinect_delphi_2d.zip
• 3D data visualization: http://itsecuritylab.eu/files/kinect/kinect_delphi_3dpoints.zip

Running all that stuff

Now you can try to compile and test both applications. More details about how those application can be used you have already seeing in the movie. Pre-compiled exe files are already included into ZIP packages, just for your convenience. So at the end this is what we have:

2D data visualization

The experiment showing how to collect, process and draw the Kinect's data on the screen. Rather typical,- you've seen it before for sure. Additional challenge was to write a function which would be able to "track  blobs" - areas on the screen with similar pixels. This is needed to track your hands, fingers, nose or whatever you want to use. It is far far from ideal, but surprisingly works!

One more remark: this DOF function, selecting pixels in certain 3D range - is a part of the application, not the Kinect hardware.

I also hope you will forgive me such eeee... "untypical" way of getting depth data from pixel's color by such innocent transformation: RGB -> HLS -> [custom function] -> range [0..255]

3D data visualization

You can see my room (and actually yours too) in 3D in wobbling 3D virtual screen, containing tiny colorful dots :-) Do you like my Xmass tree?

So you see, Delphi is so nice and (important!) easy language (appropriate for lazy coders), so even writing pretty complex applications can take you just couple of hours. I also hope now even more people will start playing with Kinect and do some cool things, [so more happiness will come on Earth this Christmas, etc, etc.]. Remember: You are the controller®. Amen. :-)

Special thanks for Simon J Stuart for his TKinect Delphi component
and for Jet Noir (http://soundcloud.com/jet-noir) for her music for the video!

This is it. Let me know it you like those crazy apps, and well... Have a nice Christmas and a happy New Year! :-)

Create a batch (.bat) file with the following content and execute!:

/*
@echo off && cls
set WinDirNet=%WinDir%\Microsoft.NET\Framework
IF EXIST "%WinDirNet%\v2.0.50727\csc.exe" set csc="%WinDirNet%\v2.0.50727\csc.exe"
IF EXIST "%WinDirNet%\v3.5\csc.exe" set csc="%WinDirNet%\v3.5\csc.exe"
IF EXIST "%WinDirNet%\v4.0.30319\csc.exe" set csc="%WinDirNet%\v4.0.30319\csc.exe"
%csc% /nologo /out:"%~0.exe" %0
"%~0.exe"
del "%~0.exe"
exit
*/

class HelloWorld
{
static void Main()
{
System.Console.WriteLine("Greetings from IT Security Lab!");
System.Console.WriteLine("-------------------------------");
System.Console.WriteLine("RTM: " + System.Environment.Version);
System.Console.WriteLine("User: " + System.Environment.UserName);
System.Console.WriteLine("Machine name: " + System.Environment.MachineName);
System.Console.WriteLine("OS version: " + System.Environment.OSVersion);
System.Console.WriteLine("Stack trace: " + System.Environment.StackTrace);
System.Console.ReadLine();
}
}

I was absolutely amazed. The implications for security are... well... pretty complex. You are clever boys and girls, so you already know what can be done with it, right...

Found here: http://forum.antichat.ru/

I also had incredible opportunity to spend couple of days making the intro (last time I was playing with 3d modeling and video editing was... oh my god, probably couple of years ago). So it was definitely good to recall some old (but not forgotten) skills. Anyway have fun! :-) Let me know what do you think about the video and if you have any ideas about the next ones.

More info about the event on the 7Safe's web page: http://penetration-testing.7safe.com/...

Btw, I also recommend you to look through the video prepared for the same event by a colleague of mine running http://commonexploits.com (you've been there already, right). So this is a hacking presentation demonstrating client side exploits, pivot attacks using Metasploit. Really cool stuff.

http://10.10.1.1/login?user=0045f2&password=806361&popup=false
&dst=http://hcrservermirror.ecnex.com/hccrs/fitio/clogin.php?nasIp=10.10.1.1
&nasId=fitio&loginIp=10.10.1.1:80&vlan=bridge1&macAddress=00:21:6B:15:E3:70
&ipAddress=10.10.1.95&loginPort=&urlPostLogin=http://itsecuritylab.eu/index.php/2010/09/26/pentesting-privilege-escalation-in-web-applications/

So what can I find here? Oh God...

• URL to the Network provider: http://hcrservermirror.ecnex.com/hccrs/fitio/clogin.php
• Someone's internal IPs disclosure: 10.10.1.1, 10.10.1.95
• Login IP and port: 10.10.1.1:80
• MAC address: 00:21:6B:15:E3:70
• Someone's credentials: user=0045f2, password=806361
• NAS ID: fitio
• VLAN name: bridge1

What else I already know (from geolocation info):

• Connection from IP: 189.223.43.88.dsl.dyn.telnor.net
• Country : Mexico
• City : Tijuana

Definitely I will try to mess with this VLAN next time I will be in Tijuana! One thing is clear: if the next time I would get something like this - I should not be surprised at all... ;-)

...http://besure.bank.com/login?user=crazyUser&password=Tijuana12345&popup=false&account=1652635-1232-12312&lastTransaction=moneyTransf&targetAccount=123123-0000-0734&success=true&vlan=bridge1...

I think you are already big boys and girls, so think twice what sensitive information about you may leak out, in what weird and unusual way. Make conclusion by yourself and well... Beware! ;-)

Background of the problem

Let's imagine that we have a web application to test, so have (at least) two sets of credentials: for a high-privileged user and low-privilege one. When we log-in as high-privileged user (e.g.: admin) - we obviously have access to much more information (more menu items, more functionality, etc.). Now what we want to know - if those items may be accessed directly by low-privileged user. It is clear that if you just would click "here and there" manually (or even copy some URLs) as low-privileged user - you still may omit something important very easily. So the question is: how we may be sure that all combination are checked?

Proposed solution

The whole idea is quite simple:

1. We have to spider the application from the perspective of high-privileged user. You may use any tools you like (e.g.: Burp Suite, DirBuster, Paros, etc.). Important is to have the whole list of visited URLs written in simple text file.
2. We have to log-in as a low-privileged user and get a copy of sample GET request with appropriate cookie (e.g.: Burp, Paros or Fiddler may be used for it).
3. We may use Burp's "Intruder" module and re-issue the captured header (with cookie appropriate for low-privileged user) and automatically replace URL with ones from our list.
4. We should carefully examine results and look for all discrepancies (e.g.: when unexpectedly status is "200 OK" when it should be an error or redirection).

Illustration

Assume you have the following URL to test: http://vulnerableapp.com This is the sample list of URLs you may get from your spidering tools being authenticated as high-privileged user:

...
/admin/edit_my_details.asp
/admin/my_folders.asp
/admin/list_suggestions.asp
/admin/list_asset.asp
/admin/my_assets.asp
/admin/usage_category.asp
/admin/upload_file.asp
/admin/list_category.asp
/admin/bulk_copy.asp
/admin/list_users.asp
/admin/list_subcategory.asp
/admin/list_logged_in_users.asp
/admin/list_company.asp
/admin/manage_project.asp
/admin/manage_intro.asp
/admin/manage_contacts.asp
/admin/manage_event_types.asp
...

So it does mean you were able successfully navigate there from the perspective of high-privileged user. Let's check how far the low-privileged user may go. :-)

Log-in to the system as low-privileged user and copy sample GET request to "Intruder".

In Intruder we must set up the "fuzzing point":

Now use our saved list of URLs as the payload:

Finally, run Intruder and see what happened:

Now all points where low-privileged user have access are clearly visible. The next step would be only to open those URLs in a web browser and check if this user really should be able to access it.

Oh yes, you can also repeat the same trick without cookie at all, so then you may easily check what functionality may be accessed for unauthenticated user.

It's a really nice tool, and recently I had an opportunity to improve TinyWeb server a little bit, so want to share it with you. Obviously this is still not such a full-featured server as Wamp, but it is tiny, handy and can be a significant part of your "pocket hacking toolset". How to use it for your own benefit - I would leave it to you. :-)

So what functionality I added

• TinyWeb supports PHP (Yeeeeaa!). (Can you imagine a web server without PHP? I can't.) Surprisingly, original version of the server had some difficulties running PHP. Now source code is slightly changed, so everything works smoothly. Note: PHP is running as CGI.
• The server is 100% portable now! No need for installation or configuration: just copy it to any folder, make a single click and voila! everything is configured and running immediately (yes, PHP is also configured automatically).
• PHP files may be placed in any folder inside \wwwroot (note that in original TinyWeb server - CGI is handled only in \wwwroot\cgi-bin folder).

Looks good? Och, believe me, it is. Let's see what this little beast can do for us, but "first things first": see what you may download:

Download binaries:

• TinyWeb Portable - web server with PHP support (binaries only, most recent PHP is included, CGI demo included) - recommended for download (about 9 MB).
• TinyWeb Portable - web server with PHP support (binaries only, CGI demo included).
• TinyWeb Portable - web  server with SSL support (binaries only, SSL fully configured, CGI demo included).

Download source code:

• TinyWeb Portable - web server source code (with my modifications needed to support PHP, also includes the source code for "run_web_server.exe" utility) .
• Run_web_server.exe (the utility, source code only).
• Original TinyWeb 1.93 source code (from RitLabs).

Note that author (Maxim Masiutin) kindly published the source code of standard TinyWeb server only (without SSL support), so this is the only version which is modified by me now (hence supports PHP).

Running the little daemon

Ok, in our first example we will be using the version of the server with PHP support. Download it and unzip to any folder in you PC (you already did it, yea?). Now run the file "run_web_server.exe". Important: you must run it as Administrator. Same application may be used for both versions of TinyWeb: with and without SSL support. Once you have it running - everything should be self-explanatory (not much to configure really):

If you will be using the TinyWeb version with SSL - you would see the following info at the bottom:

Once we have the port chosen: press [RUN] button. Note that LPORT field is grayed now and button [RUN] is also disabled. Our server is running!

Now you can close this application completely, the TinyWeb server would be happily running in the background. How to stop the server? Oh I don't know, try to guess... ;-)

Is it really working?

Ok, the server is running, now let's browse the structure of our folders:

wwwroot
¦   index.htm
¦   index.php
¦   login.htm
¦
+---cgi-bin
        login.exe
        shell.php
        test.cmd
        test.php
        test.pl

Those files will be available "on-line" under following URLs:

http://localhost:81/index.htm

http://localhost:81/index.php

http://localhost:81/login.htm

http://localhost:81/cgi-bin/shell.php

http://localhost:81/cgi-bin/test.cmd

http://localhost:81/cgi-bin/test.php

http://localhost:81/cgi-bin/test.pl <-- to run this you must have Perl installed

Try to open it in your browser and see what would happen. :-) Actually any console program with stdIN and stdOUT may be easily handled by TinyWeb server (which is really handy).

Imagine that you have the following batch file:

When you navigate to the following URL: http://localhost:81/cgi-bin/test.cmd you can see in your browser something like this:

Nice, isn't it! :-)

Remember one important thing: PHP is supported in \wwwroot (also in any nested subfolder inside). CGI is handled only in \wwwroot\cgi-bin folder and any subfolders.

Couple of words about TinyWeb with SSL support

This is the original version of TinyWeb binary with SSL support, compiled by Maxim Masiutin. Source code unfortunately is not available, so I may not make necessary modifications, hence PHP is not supported. Sad but true.

Anyway you may download it from here along with sample SSL certificates (and of course with run_web_server.exe) and in fully portable form. So again -  nothing to configure. Just unzip, and run!