1

CVE-2010-0684

-

There was a persistent cross-site scripting (XSS) vulnerability in Apache ActiveMQ console that could be triggered by an anonymous user. The stored XSS issues tend to be worse that reflected ones because they necessarily do not need any social engineering. Especially, in cases where an anonymous user can inject the payloads.
The link to the advisory is here.
Update April 8, 2010:
It turns out that there were many more variables vulnerable to the XSS attacks and not all the issues had been fixed. Dejan Bosanac (the ActiveMQ developer) has now put in more fixes to close out the issue.

0

Ratproxy on Cygwin

-

I have used Michal Zalewski’s Ratproxy on Google code. I like it a lot. But I also like to have it on Windows. But it seems that the makefile that comes with ratproxy is not really compatible with cygwin.
If you have the gcc, make, openssl, openssl-dev packages installed on cygwin, all you need to do is remove the -Wno-pointer flag from the CFLAGS entry from the Makefile.
So my Makefile’s CFLAGS line looks like:

CFLAGS  = -Wall -O3 -D_GNU_SOURCE

I also replaced $(CC) with gcc just because I felt like it. 🙂
Compile it with make command.
Do not forget to dos2unix the ratproxy-report.sh otherwise you will get some errors with ‘\r’ and some other random stuff when you run the report generator shell scripts.
Run ratproxy as :
c:\tools\ratproxy>ratproxy.exe -p 8000 -v c:\testdir -w ratlog -d example.com -extifscfjmXCk
Once you have the log to generate a nice looking pretty report:
bash$ ./ratproxy-report.sh ratlog >reportname.html

Update 06/20/2012:
If you get the error shown below:
ratproxy.c: In function `listen_loop':
ratproxy.c:1635:5: error: incompatible type for argument 2 of `waitpid'
/usr/include/sys/wait.h:43:7: note: expected `__wait_status_ptr_t' but argument
is of type `unsigned int *'
Makefile:30: recipe for target `ratproxy' failed
make: *** [ratproxy] Error 1

Do the following:
1. Go to line # 1635 and change the line to while (waitpid(-1,(int*)&x,WNOHANG) > 0);
2. Goto the command line and type

make

You should be able to compile ratproxy.

0

404 Errors – Do I need to know what I requested?

-

A very typical scenario is that by default the Tomcat Servers tend to have a 404 Error page that displays the name of the file that was requested and not found. It seems to me that though display of such pages might be considered as merely an informational item for the purpose of any security test…this definitely presents a risk.
E.g., take this scenario.
1. The attackers has a SQL injection vulnerability in an application
2. The App server and DB can reach each other
3. The DB cannot directly reach the attacker and his system (on any port outbound)
4. The app server issues 404 error messages with the name of the file being disclosed in the 404 error message (e.g., The requested resource indexblah.html was not found).
5. The attacker can see the responses to the injected SQL queries (i.e., the injection is not blind).

Assuming that the DB accesses have been tightly controlled and you can’t get much access to any tables except the current one. This can be exploited as follows:
Invoke a SQL query (in the injection string) on the DB to request a page from the app server based on the contents of the DB such as send me /blahusername, /blahpassword where /blah is a string the attacker’s put in to make sure that such a resource doesn’t actually exist on the app server and username and password are columns or DB names from the DB. These error messages will be reflected in the response to the SQL query to the attacker. This could create an interesting side-channel attack whereby even though the data from the DB doesn’t actually reach the attacker, it can be inferred from the 404 – error messages.


___________ ______________ __________
| Attacker| <===> | App server | <=====>| DB |
___________ ______________ __________
1 ----------> 2 -----------------> 3
5 <---------------- 4
6 -----------------> 7
10 <---------- 9 <----------------- 8
1. Attacker sends sql to make the db query the app server for a non-existent page
2. The app server sends this sql query to the DB
3. The DB receives this SQL query and acts on it
4. The HTTP query for a missing resource is sent to the app server
5. App server looks up the resource and can't find it
6. The App server responds with a 404 /blahusername not found
7. The response recd is put in the SQL query response
8. The SQL query response is sent to the app server
9. The App server received the SQL query response (404 /blahusername not found as a line in there)
10. The attacker receives the 404 response with the data from the username in the 404 error message

An interesting attack vector to say the least!

0

Converting Java Key Store into X.509 certificates

-

Web services security has been very much talked about in the recent times. Especially, with the Service Oriented Architecture (SOA) gaining increasing importance. One of the interesting ways to protect these web services encapsulated in SOAP (Simple Object Access Protocol) is using digital client-side authentication certificates. Programmers typically use Java Key Store (.JKS) files to establish connectivity to these applications. However, if we want to create a custom client using some scripting it creates an issue as we tend to use languages such as perl, bash, etc. to create connectivity. So I ran into this excellent tool called KeyTool IUI. This tool helps you import the Java Key Store (Tools -> Keystore Manager -> JKS Keystore) and export it in the PKCS#12, X.509 PEM, and DER formats. You can further use OpenSSL to change the formats as you please or separate out the components of the certificates.
You could even take these certificates in X.509 or PFX formats and convert into JCEKS, JKS formats! Pretty cool huh? 🙂 Nice software!

1

CVE-2007-3101

-

I finally got a candidate on the Common Vulnerabilities & Exposures (CVE) list. Apache Tomahawk also released a critical security update due to my disclosure to iDefense. In case, people are wondering I did not get any money for the disclosure to iDefense. It was just a case of responsible disclosure.
The advisory can be found at:
http://seclists.org/fulldisclosure/2007/Jun/0305.html.

0

Using cURL as a SOAP client

-

cURL (groks URL) can be used as a SOAP client to send XML SOAP requests to web services. But the problems that I was facing in sending the data directly with the -d switch of curl is that DOS command shell would greet me with an error message:

< was unexpected at this time.

But there is a great way to send data in the POST requests by using the -d switch with the @ symbol. For example to send the xml data in the xmlfilewithdata.xml in the POST request to http://www.somesite.com/thewebservice you could use the following command:
curl -d @xmlfilewithdata.xml http://www.somesite.com/thewebservice

Off go all the errors and there it is …. your SOAP client – cURL!