ush.it - a beautiful place

Detect NoScript POC

October 11, 2007 at 6:40 pm - Filed under Hacks, Language EN - 816 words, reading time ~2 minutes - Permalink - Comments

I was looking for a NoScript detector, something that could tell me if the user has JS disabled in the Firefox preferences or by the NoScript plugin written by Maone, and found nothing. To repair this i wrote this trivial POC that is able to accomplish the task, it performs fingerprinting based on the behavior of the browser under the different possible conditions and is really reliable from the measurements done until now.

Skype 1.4.118 for Linux = Panacea

October 7, 2007 at 4:01 pm - Filed under Insecurity, Language EN - 318 words, reading time ~1 minutes - Permalink - Comments

Few moments ago i was reading the Skype 1.4.118 for Linux changelog and noticed a new feature named "Auto-accept file transfers". Damn i thought, if it's by default an issue found accidentally some time ago is now fully weaponized: Skype 1.4.0.74 (probably also others) happily overwrites files without asking!

GreenSQL, a MySQL firewall, bypassed.

October 4, 2007 at 6:17 pm - Filed under Hacks, Language EN - 546 words, reading time ~1 minutes - Permalink - Comments

Today on the ml one of our pupils, remix, posted about GreenSQL, "an Open Source database firewall used to protect databases from SQL injection attacks". In other words something that stands to SQL as mod_security stands to HTTP.

Original Photo Gallery Remote Command Execution

October 2, 2007 at 9:54 pm - Filed under Hacks, Language EN - 666 words, reading time ~2 minutes - Permalink - Comments

We found a severe vulnerability in the Original script, a photo gallery software. Remote command (directly into an exec()) execution is possible with register globals on regardless the PHP version.

Scanning DMZ hosts with remote file opening

August 29, 2007 at 8:03 pm - Filed under Hacks, Language EN - 886 words, reading time ~2 minutes - Permalink - Comments

Today Stefano had a nice idea on how to (ab)use remote furl enabled functions that normally could lead to a mere DoS. Options are Drive By Pharming, Bruteforcing routers and http based authentications and Full Lan Scan. Sounds interesting? It is.

Architecture detection by PHP anomaly

August 22, 2007 at 1:09 am - Filed under Hacks, Language EN - 595 words, reading time ~1 minutes - Permalink - Comments

Sometimes it's right to enjoy a more relaxed entry.

Why the Skype 0day exploit is a fake

August 18, 2007 at 12:10 pm - Filed under Insecurity, Language EN - 1523 words, reading time ~5 minutes - Permalink - Comments

A lot of people contacted me about my post on FD. No, I have no clue of what's really going and I can happily live believing the official reports (http://heartbeat.skype.com/) on the issue. This is the complete message I posted to FD in reply to Valery Marchuk (http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065343.html):

Clientside security: Hardening Mozilla Firefox

July 25, 2007 at 9:55 pm - Filed under Reports, Language EN - 652 words, reading time ~2 minutes - Permalink - Comments

I'm sure you have already heard of the many external protocol handling vulnerabilities that hitted Firefox lately. Normally on this site you read about "in-security", this article is a little exception since it contains some tips that anybody can adopt to harden his preferred http/https client, also named Mozilla Firefox, thought the about:config interface.

Flash Player/Plugin Video file parsing Remote Code Execution

July 13, 2007 at 5:28 pm - Filed under Insecurity, Language EN - 216 words, reading time ~0 minutes - Permalink - Comments

Stefano Di Paola with contribution from Giorgio Fedon (both from a brand new security research company, MindedSecurity) and Elia Florio have just released the details about a Remote Code Execution flaw in Flash Plugin 9 independent from the OS. Parsing a flv with adobe flash player it's possible to trigger an exploitable integer overflow.

XSS Cheat Sheet: two stage payloads

June 27, 2007 at 12:34 am - Filed under Hacks, Language EN - 2093 words, reading time ~6 minutes - Permalink - Comments

When exploiting XSS holes often you find yourself working around size/length and characters limitations. To avoid this type of problems a technique called "two stage payloads" comes to help. It's generally used when exploiting memory management vulnerabilities but applies to the XSS world too. The very basic idea is to have the payload divided in two parts: one that has to be injected in the entry point (PAY_ENTRY) and one that contains the actual data (PAY_DATA).

XSS Cheat Sheet: the PLAINTEXT tag

June 10, 2007 at 10:21 pm - Filed under Hacks, Language EN - 775 words, reading time ~2 minutes - Permalink - Comments

When performing XSS attacks often happens that the payload is displayed, and executed, multiple times occurring in unwanted and unexpected behaviors. This can be avoided in many ways, for example using global variables in JS (eg: window['started'] = true;) and checking for the variable existence at the very beginning of the payload, but when the filters are crazy and every char requires a notable effort (or when you are just hurry) one cheat gets the job done: the <PLAINTEXT> tag.

Linuxpersec2 a Verona (16/17 Giugno)

June 10, 2007 at 3:57 pm - Filed under Team, Reports, Language IT - 436 words, reading time ~1 minutes - Permalink - Comments

Sabato 17 Giugno a Verona presso l'Itis G. Marconi (Piazzale Guardini 1) si terra' Linuxpersec2 (Conosciamo altri modi... per proteggerlo!) con vari interventi sulla Sicurezza personale e Linux. La manifestazione e' gratuita e ovviamente siete tutti invitati :D

Install Firefox XPI without whitelist

June 4, 2007 at 4:50 pm - Filed under Insecurity, Language EN - 824 words, reading time ~2 minutes - Permalink - Comments

Today I was reading Firefox XPI Install Prevention Bypass (http://www.0x000000.com/?i=329) and while it's not what it promised to be (there is no Install Prevention Bypass) it contained useful informations that helped me elaborate two distinct thoughts.

Firefox <= 2.0.0.3 DOM Keylogger (bypass same-origin policy)

June 3, 2007 at 9:20 pm - Filed under Hacks, Language EN - 542 words, reading time ~1 minutes - Permalink - Comments

On 30 May Mozilla Foundation announced in its MFSA (Mozilla Foundation Security Advisory) 2007-16 a bug discovered by moz_bug_r_a4 able to bypass the same-origin policy using the addEventListener helper. Needless to say you can do really nasty things by exploiting this hole, ranging from xss attacks to keystrokes logging, with no same origin limitation. If you are impatient jump directly to the demo DOM Event Keylogger.

Reflection on Stefano Di Paola

May 29, 2007 at 12:37 am - Filed under Team, Reports, Language EN - 728 words, reading time ~2 minutes - Permalink - Comments

Anurag Agarwal has published a reflection on our friend Stefano Di Paola. The interview contains a condensed auto-biography (nice reading, thanks Stefano!); integral text follows.

Shadowpage vulnerability: the page that doesn't exists (Multiple browsers affected)

May 7, 2007 at 12:15 pm - Filed under Hacks, Language EN - 179 words, reading time ~0 minutes - Permalink - Comments

Yesterday I (Francesco `ascii` Ongaro) found a low impact bug: basically it is possible to make the user visit a page that is not listed in the back/next button history. The fun happens when self.location.replace() is pointing to a page that issues an HTTP/1.x 302 Redirect + Location. Both initial and redirect page will not be listed.

Interview with Rain Forest Puppy

May 1, 2007 at 9:09 pm - Filed under Reports, Language EN - 3236 words, reading time ~10 minutes - Permalink - Comments

Antonio `s4tan` Parata, software security researcher and member of the ush team interviews Rain Forest Puppy, famous bug hunter, specialized in web application assessment. It's a pleasure for us to publish the full interview, in this case talk is not cheap.

Free Temporary and Anonymous email address providers

April 30, 2007 at 1:15 pm - Filed under Reports, Language EN - 186 words, reading time ~0 minutes - Permalink - Comments

IE 7 and Firefox Digest Authentication Request Splitting

April 25, 2007 at 4:50 pm - Filed under Insecurity, Language EN - 204 words, reading time ~0 minutes - Permalink - Comments

Stefano `wisec` Di Paola has just released a new advisory IE 7 and Firefox Browsers Digest Authentication Request Splitting, basically using the user field an attacker is able to split the request injecting arbitrary chars.

PHP import_request_variables() arbitrary variable overwrite

March 9, 2007 at 3:29 am - Filed under Hacks, Language EN - 1401 words, reading time ~4 minutes - Permalink - Comments

My friend Stefano di Paola and I have discovered that a PHP function used to emulate register_globals on is able to overwrite any variable (also $_SESSION and $_SERVER) with the exception of $GLOBALS. Naturally during the Month of PHP bugs :)

Php Nuke wild POST XSS

March 9, 2007 at 12:47 am - Filed under Hacks, Language EN - 1530 words, reading time ~5 minutes - Permalink - Comments

To demonstrate the import_request_variables() bug i've exploited a XSS flaw in PHP NUKE 8.0 that has an anti-CSRF routine. The import_request_variables() vulnerability will permit you to exploit a wide range of vectors (XSS, remote file inclusion, remote code execution, SQL injections, etc.) on software that makes use of it.

Bad url redirections (AKA: Many thanks to our partners!)

January 30, 2007 at 1:36 am - Filed under Hacks, Language EN - 724 words, reading time ~2 minutes - Permalink - Comments

This story is mostly funsec, if you can't handle funsec stop reading :) You have just developed you brand new application, it's name is EVIL.EXE. It's a very good application but nobody will install it without good partners.. You need somebody trusted from users that is willing to distribuite it. So.. Let's go! Find out some good partners.

Pseudo threading with BASH

January 27, 2007 at 7:17 pm - Filed under Hacks, Language EN - 567 words, reading time ~1 minutes - Permalink - Comments

This night i was in the process of mirroring all the tmbo.org daily pics for fast viewing. Their site has to be hosted on an ADSL link (like ush.it, hey this site is on a 200kbs/300kbs link, very unprofessional but no one can raid [stupid wordpress plug-in, this is not RAID in the sense of Redundant Disk Array but raid the verb] our server without our knowledge, think about the autistici/inventati aruba raid for example).

Adobe Acrobat Reader Plugin: Multiple Vulnerabilities

January 4, 2007 at 3:09 am - Filed under Insecurity, Language EN - 262 words, reading time ~0 minutes - Permalink - Comments

From 23 to 31 December i was in Berlin for the CCC congress with other Italian security researchers and friends. We had good time enjoying Berlin, drinking beer and exchanging informations. Also Stefano Di Paola and Giorgio Fedon disclosed some Adobe Acrobat Reader bugs in a larger talk titled Subverting AJAX.

Adobe Acrobat Reader Plugin: Multiple Vulnerabilities

January 4, 2007 at 1:56 am - Filed under Insecurity, Language EN - 993 words, reading time ~3 minutes - Permalink - Comments

At CCC my friends Stefano Di Paola and Giorgio Fedon releades some of their latest findings, note that this is a translation in italiano of the original advisory aviable on wisec.it (http://www.wisec.it/vulns.php?page=9) that of course is in english. The advisory is focused on some specific bugs, one of these is called UXSS (Universal Cross Site Scripting) in PDF files.

THP USH Wisec DigitalBullets