Installing Feng Office on OpenBSD 6.0

Feng Office is a Web project management application. It allows management of projects, tasks, documents and enables online collaboration with co-workers and other organizations. It can provide a multitude of business services including billing and scheduling among others. In the previous posts, we installed OpenBSD 6.0, setup our web server and then deployed WordPress on it. In this post, we continue to develop our web server by installing Feng Office.

Setting Up OpenBSD 6.0

Feng requires php-gd package for image processing. This package has dependencies on the xbase60.tgz OpenBSD package. If you did not install this set during the OpenBSD installation, you can do it now using these commands:

If you don’t have access to the Internet, you can simply use the archive from the OpenBSD 6.0 CD and unpack its contents using the command at the second line in the code listing above.

We can now proceed with installing the php-gd package. This can be done using the pkg_add application. When asked which version of the package you wish to download, select the same version as your current PHP installation. In this case, PHP 5.6.23 is installed. If you are unsure about yours, type  /usr/local/bin/php-5.6 --version to retrieve it.

Unlike Linux distributions, pkg_add does not automatically modify the required configuration files. As such, you need to manually modify the PHP configuration file to load the php-gd extension. Edit the php-5.6.ini with vi /etc/php-5.6.ini  file and add the following line in the extension section:

Since we modified the configuration file, we will need to restart the PHP service:

Now that we have setup OpenBSD to be compatible with Feng, we will configure the database and then move on to the actual install of the web application.

Setting Up the Database

In the previous posts, we installed MariaDB and set it up for a WordPress site. The same exact steps apply for the Feng Office application. Login into the MariaDB database with mysql -u root -p and follow these steps:

Create a database schema for the Feng Office application:

Then create a user for the application and select a strong password for it unlike the example below:

Afterwards, grant your new user the privileges require to modify your database. In this case, we allow the user all privileges on the db_feng database:

And then exit MariaDB by typing  quit . We are now ready to install the Feng Office application.

Installing Feng Office

You’ll first need to download the application from the Web using the ftp program. You’ll also need to install unzip since Feng Office uses a zip package. If you want to avoid installing the unzip package, you can always download Feng on another workstation, unzip it and repack it using tar. Then upload it to a third party location and re-download it using ftp. Otherwise install unzip with pkg_add unzip and then download Feng with ftp:

As we did in previous tutorial, we confirmed the integrity of the package. The MD5 hash is provided on the SourceForge website by clicking the “i” icon. We will now unzip Feng into its own directory on our web server:

Feng Office has quite a few files and after a few seconds, all files should be extracted. In order to run the installer, we first need to set specific permissions on some directories. As such, we’ll make sure the following directories are readable, writable and executable and change their ownership to the web server:

With this done, browse to your Feng Office home page from a remote workstation. You will be greeted by a welcome page which details the installation procedure. Click Next.

Welcome Page of the Feng Office Installer
The welcome page of the Feng Office 3.4.4.1 installer

The second page of the installer verifies if all requirements for the application are met. If there is an item highlighted in red, then you will not be able to proceed. The most likely issues are limited file permissions and missing PHP extensions. If everything is green, click Next.

Requirements Verification for Installing Feng Office
Feng Office verifies if all requirements are met to install and use the application.

The third step is where you provide the information about the database. Fill in the required information with the specific values for your database setup. An example of valid values for our example are:

  • Database Type: MySQL
  • Hostname: 127.0.0.1
  • Username: fg_user
  • Password: p1234
  • Database Name: db_feng

You can leave the remaining settings to their default values and once satisfied, click Next again. You then reach the last page of the installer, which You’ll reach the installation page and you should get a Succcess! message Click on Finish.

Feng Office Administrator Account Creation Form
Administrator account form for Feng Office 3.4.4.1

After clicking Finish, you’ll be immediately redirect to the user account creation form. This is the final step before using the application is to create an Administrator account. Fill in the form and click Submit. You will be redirected to the login page. Login and that’s it! Next steps include configuring your new Feng Office application by creating users and customizing it. You should also remove write permission to the /var/www/htdocs/feng/config and change the ownership back to root:daemon.

Conclusion

Feng Office is widely used by multiple large public and private organizations and thus, is a fairly popular web application which like many others, fits perfectly with an OpenBSD 6.0 server. Like in the WordPress install, you should attempt to plug information leaks by removing README and CHANGELOG files and test your application via a rigorous penetration test. With a well-configured OpenBSD server and secure database, the likelihood a a major breach occurring is greatly reduced, but it always depends on how well or badly it’s configured and used.

References

See Also

Learn More

Installing WordPress on OpenBSD 6.0 with Httpd

Introduction

In the previous posts, we setup a minimal but secure web server using OpenBSD 6.0. In this post, we start from a fresh install with httpd, MariaDB and PHP 5.6.23 setup on the host. In most cases, you may now want to install a web application on it. One of the most popular is WordPress. If you have followed all the steps in the previous tutorial, installing WordPress will be fairly easy. However, because the web server is sand boxed in OpenBSD, many issues can arise. Additionally, introduction of new application may also introduce new security concerns. In this tutorial, we go through the basics of setting the database and configuring the application. We’ll also assume that you have the networking aspect configured and working. You can also consult the accompanying video.

Setting Up WordPress 4.7 on OpenBSD 6.0

To install WordPress on OpenBSD 6.0 using the native httpd web server requires quite a few steps, but most are straightforward and requires only some Linux command shell knowledge. It’s a good idea to be well-versed in the Bash scripting language and basic Linux/OpenBSD knowledge. In any case, following the steps below will get you going with your new WordPress blog in no time.

Downloading WordPress

Once validated, unzip and untar the archive into your web root directory, likely /var/www/htdocs using:

This will untar all files into /var/www/htdocs/wordpress. Feel free to rename the wordpress directory to anything you’d like.

Configuring the Database

In previous post, we installed MariaDB and thus this section will assume you have installed this database application. Otherwise, refer to the documentation of your database to use the proper SQL statements to create databases, users and manage permissions.

Log into the MariaDB database using  mysql -u root -p your_password . If you are logging from a remote location, use the  -h host argument. Once logged in, we will conduct 3 steps:

    1. Create a database for the WordPress application:

    1. Create a user for WordPress to use in order to connect to the database by using the following SQL statement:

    1. Grant permissions to the new user in order to edit the database and tables as required:

Now, the WordPress application has a place to store data on our database. Before we proceed thought, I encourage you to look at the ~/.mysql_history for a glimpse of what happened while you were doing the steps above. As you will see, the password for the user has been logged into this file. Remove this file with rm ~/.mysql_history  and let’s disable logging to prevent such leaks by adding this line in your rc.conf.local file:

Installing WordPress

From a remote host, use your favorite browser and go to https://<your_address>/wordpress/ and the installer should popup automatically. The first step is create the configuration file by filling information about the database. So gather the following information, which we have from the previous section and click “Let’s Go“:

  1. Database name: Database name use with the “CREATE DATABASE” SQL statement, i.e. “db_wordpress
  2. Database username: Username enter in the “CREATE USER” SQL statement, i.e. “wp_user
  3. Database password: type in your password;
  4. Database host; Enter 127.0.0.1 or ::1. Do not leave it as “localhost” as we want to use the sockets;
  5. Table prefix; Prefix for each table created. Unless you plan to have multiple WordPress sites, leave the default value.
Wordpress Installer Welcome Page
The WordPress Installer will guide you step-by-step on setting it up.

On the next page, enter the required data and click “Submit“. If every thing is setup right, you will be prompted to continue with the setup of the site. However, you may also get a blank “step2” page, i.e. the URL will be “setup-config.php?step=2” but nothing will show up. This problem can be caused by many different things. First, make sure you have setup PHP to use your MySQL database by enabling the proper extensions in the php-5.6.ini configuration file. See previous post for an explanation on how to do this.

Next issue you may encounter is a warning that WordPress cannot create the wp-config.php file. This is mostly due to permissions issues with /var/www/htdocs/wordpress/. The best option is to manually create the file by copy-pasting its contents. Another alternative is to temporarily change the permissions of the directory to allow write permissions with  chmod 777 /var/www/htdocs/wordpress for the installer to create the file. Doing so allows anyone to write and execute code to your directory and as such, it must be change immediately after you are finished installing and configuring WordPress.

Wordpress Fail to Create Wp-config.php
WordPress warns that it could not create the wp-config.file.

Quick Hardening

Before calling “Mission Accomplished”, take some time to test your new site and set the proper file permissions. Create a test post and try to upload an image to it. You may find that it fails, again because of permission issues. According to [1], you should have the following permissions for your WordPress install:

  • Folder set to 755;and
  • Files set to 644, except wp-config.php should be 440 or 400

This can be done with the following commands;

Furthermore, note the following quote from [1]:

No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owners permissions and can write to even a 755 directory.

Meaning that you should avoid the temptation to solve your uploads issues, or any other issues by setting full permissions, even the upload folder. Based on [2], all files outside the wp-content directory should be owned by your OpenBSD user account so they cannot be modified. The owner of the wp-content will be set to www and will be writable, allowing uploads of files themes and plugins. Note that once you chose your theme and plugins, you could further harden your blog by restricting the wp-content/themes and wp-content/plugins directories as some attackers hide web shells in those.

Retest to make sure it works.

Upload Failures due to Directory Permissions
Setting the minimal and proper permissions on the Uploads directory is critical.

One last quick thing you may want to do is delete unneeded installation files.  WordPress should have remove them for you, but just double check. You can also remove the readme.html and any release notes that may be present, this way, it will be harder for an attacker to find the version of your WordPress installation.

Conclusion

WordPress becomes insecure when adding plugins, which introduces the majority of new vulnerabilities. As such, attempt to avoid unnecessary plugins and themes and uninstall them once they are unneeded. Also enable auto-updates. There are quite further actions you can take to harden your WordPress install, and I’d recommend reading the reference at [1]. You can also review the database permissions you have granted to the “wp_user” in MariaDB, and possibly restrict them to simply INSERT/UPDATE/SELECT/DELETE instructions. Then test your installation with wp-scan, a great, free and open-source WordPress vulnerability assessment.

References

[1] Hardening WordPress, Core Directories/Files, WordPress.org, https://codex.wordpress.org/Hardening_WordPress (accessed on 2017-01-09)

[2] Correct File Permissions for WordPress, StackOverflow, http://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress, (accessed on 2017-01-16)

See Also

Secure WebServers with OpenBSD 6.0 – Setting Up Httpd, MariaDB and PHP

Introduction

In this tutorial, we setting up a web server on OpenBSD 6.0 using the native httpd web server, MariabDB and PHP. There can be quite a few issues popping up unlike other systems, mostly due to the fact that the web server is “chroot jailed” during execution. In other words, the web server is sandboxed and cannot access other parts of the operating system, which requires more work than other similar setups on other distributions. However, this greatly decreases the damages if your server gets whacked. In this post, we setup a minimal web server that will allow you to host simple web content. I’ll assume you have an OpenBSD 6.0 VM created with root access to it. From there, we will stand up our web server with HTTPS, install MariaDB and PHP. Please note that this tutorial is not meant for professional/commercial settings, but for personal and educational uses. A video version of this tutorial is also available.

Standing up a Minimal Web Server with Httpd

The strategy we will employ is to create a very minimal web server, test if it works as intended, and then enable additional features as we go along. So first, we’ll start by enabling the httpd daemon. To do so, first copy the httpd.conf file from /etc/examples/httpd.conf to /etc/ by typing  cp /etc/examples/httpd.conf /etc . Open the copied file as root using vi or another text editing tool if you have any install. In the file, you will delete all the examples provided and only keep the “minimal web server” and “types” sections:

Make sure you save your changes and now start your web server with the following command:  /etc/rc.d/httpd -f start . Make sure you include the  -f , other you may get an error message. We will fix this later. If everything goes well, you should get an “httpd(ok)” message. Otherwise, there is likely an error in your configuration file. You can confirm by using  httpd -n .

Let’s confirm everything works so far. Retrieve your IP address using  ifconfig em0 and using another host on your network, browse to http://<your_ip>. If everything works as expected, you will see something similar to the figure below:

OpenBSD WebServer - 403 Forbidden
Receiving a 403 Forbidden error from the OpenBSD web server.

We received a 403 error because we do not have any web pages created yet and by default, httpd prevents directory listing – which is a good thing. So let’s create a quick index.html web page. Use the following command  vi /var/www/htdocs/index.html and type the following:

Save the file and point your browser to http://<your_ip>/index.html. You should see your web page. If not, make sure you created the file in /var/www/htdocs and you haven’t made a typo in your URL. Also note that if you go to http://<your_ip>/, you will also end up on your web page. By default httpd looks for “index.html” and serves this web page when none is specified.

Fantastic. We got ourselves a web server. But not a very secure or useful one unless you want to host Geocities-like webpages. Next, we will enable HTTPS on our web server and redirect all traffic to it. We’ll need to do this in 2 steps:

  1. Create a certificate for your web server; and
  2. Setup httpd to use your certificate and HTTPS

First, we’ll need to generate a SSL private key. This is straightforward by using openssl:

The server.key file is your private key and must be secured! It’s very important that nobody else other than you have access to it. Next, we will use this key to generate a self-signed certificate. This is also done by using openssl:

The command above basically requests OpenSSL to generate a certificate (server.crt) using our private key (server.key) that will be valid for 365 days. Afterwards, you will be asked a couple of questions to craft the certificate. Since this is self-signed, feel free to enter anything. Once done, the first step is completed. Next, we will modify our configuration file again and update out minimal web server to tell it to use HTTPS:

Every time your modify the httpd.conf file, you will need to restart your web server for the changes to take effect. Use  /etc/rc.d/httpd -f restart do so and test your website again, this time using https://<your_ip>. You should be greeted with a warning message fro your browser, warning you that it cannot validate the certificate. That’s because it is self-signed. Click on “Advanced” and add it to the exceptions. Afterwards, you will be serve our web page via an encrypted link.

Web Server Certificate Exception
Receiving a warning from the browser on self-signed certificate.

So at this point, we have a functioning web server over HTTPS. However, unencrypted communications are still enabled. We would like to have ALL users over HTTPS. This can be done by replacing this line in httpd.conf:

with

Anyone using http://<your_site> will be automatically redirected to https://<your_site>.

Setting Up MariaDB

Installing the database is quite simple in contrast with many other activities we need to do. First, we’ll need to download some packages, so make sure you have the PKG_PATH environment defined with a mirror containing the packages you need. If not, select a mirror on openbsd.org and define your variable:

And as root, install the mariadb-server package:

Once completed, install the database using the included script by typing  mysql_install_db and when completed, start the mysqld daemon:  /etc/rc.d/mysqld -f start . The last step is to configure it by running the  mysql_secure_installation . The script will ask you a couple of questions:

  1. First, it will ask you to set a password for root. Choose a good password. Long simple passwords can be more efficient than short complex one that you won’t remember;
  2. It will then ask if it should remove anonymous users. Select “Y” to remove them;
  3. When asked if it should disallow remote root access, answer by the positive to prevent root access from remote hosts;
  4. Choose to remove all test databases; and
  5. Press “Y” to reload all privileges in the database application.

You are now done with installing the database. Before moving on to the next section, confirm that everything is working by login into MariaDB:

If everything went fine, you will be given access to the database engine. Type  quit; to exit the application.

Setting Up PHP

The last step of this tutorial involve downloading and install PHP. Very few webpages nowadays rely solely on static HTML, and I suspect most will want to install web applications later on, so let’s setup PHP. First, download some of the required packages. Note that additional packages may be needed depending on the web applications you wish to install later on, but for now, let’s setup the core PHP packages:

There are several versions of PHP available on the OpenBSD repository. What is important is that you select the same version for all packages you install. For example, at the time of writing version 5.6.23 and 7.0.8 were available, but php-mysql 7.0.8 was not, thus we select 5.6.23 for all PHP packages to prevent issues later one. Dismiss any packages ending with “-ap2” as these are for the Apache web server. For the purpose of this tutorial, we will select version 5.6.23 every time we are asked.

Before starting up PHP, we have a couple of things to do. First, we need to tell httpd to send PHP pages to the PHP processor. We also need to specify the PHP processor that we have a database it needs to be aware of. So let’s start by modifying our httpd.conf file again by adding a section about .php files. Also, we’ll add a “directory” section to tell the web server to look for “index.php” files first instead of “index.html“:

Next, let’s modify the PHP configuration file to enable MySQL. We do so by adding extensions to the /etc/php5.6.ini file. Open this file as root and add the following lines under the “Dynamic Extensions” section:

Since we modified configuration files, we’ll need to restart the httpd and php-fpm daemons. Do so with  /etc/rc.d/httpd -f restart and  /etc/rc.d/php56-fpm start . Hopefully, you will get “httpd(ok)” and “php56_fpm(ok)”. Otherwise, you may have introduce a typo in your configuration files or some packages may have not downloaded/installed properly.

Wrapping Up

One last thing we will do before calling it quit for today, is to make sure the httpd, php56-fpm and mysqld services are started on bootup of OpenBSD. To do so create a new rc.conf.local file in /etc/ using  vi /etc/rc.conf.local and type the following in it:

At startup, OpenBSD will use this file to initiate the services and the PKG_PATH environment variable. You will not have to use the  -f anymore when restarting the httpd daemon.

Conclusion

So in this post, we have enabled a HTTPS web server, along with a MariaDB and PHP, allowing use to serve dynamic content on a OpenBSD 6.0 machine. At this point, you should be able to host basic dynamic content. However, if you try to install more complex web applications, you will need an extra few steps in many cases. Sometimes, you will need additional packages and extra work to connect to the database via your web application. In the next tutorial, we will install WordPress to show some of the difficulties you may encounter with the chroot jail and file permissions of the web root.

See Also

Starting in Exploit Writing – Day 05

Today we’ll be studying “egg hunters” as of part 4 of the FuzzySecurity tutorials. Basically this technique is useful when the buffer remaining for your shell code is too small to do anything useful. So far we’ve been lucky and we had huge buffers to inject the shell code, but some time, you may be left with a couple of bytes only. With a “egg hunter”, instead of storing your shell code, you store a small function that will look for “magic bytes” in memory. Your shell code somewhere else in executable memory and tagged with these “magic bytes” so that your egg hunter finds it and executes it. Pretty straight forward.

Exploiting Kolibri Web Server

So my goal today was to test out the egg hunter example from the tutorial. However I got cocky and try to exploit the web server by smashing SEH rather than a normal buffer overflow. Everything went fine until I had to call the address containing the POP-POP-RET.

SEH Exploitation of the Kolibri Web Server
Exploitation of Kolibiri Web Server using the SEH Techique

The problem I’m running into is when looking for a “POP POP RET”, all the results are within Kolibri.exe, and all addresses starts with a null byte, i.e. “\x08\x89\x51\x00”. That means our payload will terminate at the null byte. I thought this wouldn’t be much of a problem, since [SEH] is an address anyway, the only difficulty would be that I may have to put the payload in the buffer prior to the [nSEH], and have a short jmp into the buffer placed into the [nSEH]. Now for some reason, it seems that SEH catches the exception, but never jumps to my POP-POP-RET address; it just terminates the program.

Pop-Pop-Ret Instructions from Kolibri Web Server
All the Pop-pop-ret instructions are located in Kolibri.exe and contains a null byte.

So I got stuck here for today. More to follow tomorrow

Phusking PhotoBucket and Other Pictures Sharing Sites

Fusking picture sharing sites in order to retrieve pictures from private album.

It came to me while I was reading an article on Slashdot about sites popping up, offering the customer to hack into a Facebook, MySpace or other social site for 75$ to 100$. EWeek as a similar article[1]. Seems like those sites mostly use social engineering by sending grammatically deficient e-mail to the victim and somehow, still working most of the time. Most of the time, the goal is to get access to private pictures or information. Hacking Facebook and MySpace accounts is the new “How do I hack Hotmail accounts” of the decade. Just search Google for “facebook hacking service” and plenty of website will be returned.

Same thing with pictures from services like PhotoBucket or Flickr and such. Getting pictures from private albums is much more easier thought and is done thru fusking. The goal is simply to access directly pictures from the private album by guessing the filename of the picture.

As you might know, most cameras have a default naming convention, i.e DSC0001.jpg, Picture0001.jpg etc… (see then end of this article for a complete list) and humans, being lazy as they are, don’t bother renaming them. Since I believe that a example is the best way to learn than 30 pages of detailed explanation, here how it’s done.

Let’s create an account on PhotoBucket first. I used a username I always take everywhere, but it seems that Photobucket didn’t liked it:

PhotoBucket New Account Error
PhotoBucket didn't like me the first time...

Anyway, just deleting the Photobucket cookie solve the problem. Registered using brand new data. Small tips, if you are looking for zip code, try this page: Find A Zip, it has about every zip code for every town in the US (I haven’t verified but looks like it…).

Once in, I created a private album and put two pictures in it; one I renamed and the other I left with a camera default filename.

PhotoBucket Private Album Creation
Private album I created in Photobucket

I named one of those pictures DSC0005.jpg and the other an uncommon name:

PhotoBucket Private Pictures
Private pictures I put into my private album

The URL of my private album is

http://s991.photobucket.com/albums/af33/Cheetah897/Real%20Private%20Album/

The filename is

DSC0005.jpg

So just to try out the concept,  I signed out and look if, with the album’s URL and the filename, could access the picture. Oh ! Look at that:

PhotoBucket Private Picture Direct Link
Accessing a private picture thru a direct link

So you should be able to guess the rest from here. Nevertheless, there are tools out there to even do the guessing work for you. The one I will use is PHUSK. It’s especially done for PhotoBucket and is for Windows. This shouldn’t be hard to program for another website and another platform.

PHUSK 1.5 Main Window
PHUSK 1.5 Main Window

There is really not much to explain, just type the username of the victim and set up any properties you want (which are pretty much self explanatory). On the first try, it didn’t found any private album, so I had to specify it by selecting “advanced mode” which show this window:

PHUSK 1.5 Advanced Mode Windows
PHUSK 1.5 Advanced Mode Windows

Select “Add Album”, type the album name and then it will appear in the list of albums (which is ordered).

PHUSK 1.5 Add Album Name
PHUSK 1.5 Added Album Name in the List

Started PHUSK again and this time it found the private album, it will then try to brute force filenames, which might take a while.

PHUSK 1.5 Result Window
My private picture with a default filename has been found !

I changed the default lists to make it faster, otherwise it might take a long time (411 albums name X 439 filenames X ~9999 file numbers each…).

Here is a list of filenames used by PHUSK. This can be use to build your own list.

###.jpg Unknown-#.jpg Me.jpg
##.jpg Untitled-###.jpg ME.jpg
#.jpg Untitled-##.jpg mygirls.jpg
Picture###.jpg Untitled-#.jpg Mygirls.jpg
Picture##.jpg untitled-###.jpg MYGIRLS.jpg
Picture#.jpg untitled-##.jpg fine.jpg
Photo###.jpg untitled-#.jpg Fine.jpg
Photo##.jpg stuff###.jpg FINE.jpg
Photo#.jpg stuff##.jpg sexy.jpg
#####.jpg stuff#.jpg Sexy.jpg
####.jpg Stuff###.jpg SEXY.jpg
CIMG####.jpg Stuff##.jpg hot.jpg
CIMG####.JPG Stuff#.jpg Hot.jpg
DSCN####.jpg stuff-###.jpg HOT.jpg
PICT####.jpg stuff-##.jpg hott.jpg
DSC_####.jpg stuff-#.jpg Hott.jpg
DSC0####.jpg mycamerapics###.jpg HOTT.jpg
Image###.jpg mycamerapics##.jpg really.jpg
Image##.jpg mycamerapics#.jpg Really.jpg
Image##.JPG mypics###.jpg REALLY.jpg
Image#.jpg mypics##.jpg ass.jpg
PICT####.JPG mypics#.jpg Ass.jpg
IMG_####.jpg Misc-###.jpg ASS.jpg
_MG_####.jpg Misc-##.jpg bad.jpg
000_####.jpg Misc-#.jpg Bad.jpg
001_####.jpg misc###.jpg BAD.jpg
100_####.jpg misc##.jpg face.jpg
100-####.jpg misc#.jpg Face.jpg
100-####_IMG.jpg misc-new###.jpg FACE.jpg
101_####.jpg misc-new##.jpg page.jpg
101-####.jpg misc-new#.jpg Page.jpg
101-####_IMG.jpg New###.jpg PAGE.jpg
102_####.jpg New##.jpg tits.jpg
102-####.jpg New#.jpg Tits.jpg
102-####_IMG.jpg New-###.jpg TITS.jpg
103-####.jpg New-##.jpg boobs.jpg
103_####.jpg New-#.jpg Boobs.jpg
0##########.jpg new###.jpg BOOBS.jpg
1##########.jpg new##.jpg breasts.jpg
0########.jpg new#.jpg Breasts.jpg
1########.jpg new-###.jpg BREASTS.jpg
########.jpg new-##.jpg naughty.jpg
#######.jpg new-#.jpg Naughty.jpg
######.jpg Old###.jpg NAUGHTY.jpg
Cimg####.jpg Old##.jpg smile.jpg
DCAM####.jpg Old#.jpg Smile.jpg
DC####S.jpg old###.jpg SMILE.jpg
DCFN####.jpg old##.jpg light.jpg
DCP_####.jpg old#.jpg Light.jpg
DCP0####.jpg nude###.jpg LIGHT.jpg
dsc#####.jpg nude##.jpg kiss.jpg
DSC#####.jpg nude#.jpg Kiss.jpg
DSC####.jpg Nude###.jpg KISS.jpg
dsc0####.jpg Nude##.jpg kisses.jpg
DSCF####.jpg Nude#.jpg Kisses.jpg
DSCF####.JPG Sexy###.jpg KISSES.jpg
dscf####.jpg Sexy##.jpg muah.jpg
DSCI####.jpg Sexy#.jpg Muah.jpg
DSCI####.JPG sexy###.jpg MUAH.jpg
dscn####.jpg sexy##.jpg mwah.jpg
EX00####.jpg sexy#.jpg Mwah.jpg
HPIM####.jpg sexxy###.jpg MWAH.jpg
IM00####.jpg sexxy##.jpg drunk.jpg
IMAG####.jpg sexxy#.jpg Drunk.jpg
IMAGE_####.jpg pictures###.jpg DRUNK.jpg
IMAGE####.jpg pictures##.jpg drunken.jpg
IMG0####.jpg pictures#.jpg Drunken.jpg
IMG####.jpg Pictures###.jpg DRUNKEN.jpg
Img#####.jpg Pictures##.jpg sleep.jpg
IMG_00####.jpg Pictures#.jpg Sleep.jpg
IMG_#####.jpg sexypic###.jpg SLEEP.jpg
IMG_####.JPG sexypic##.jpg sleeping.jpg
IMGA####.JPG sexypic#.jpg Sleeping.jpg
IMGP####.JPG sexypics###.jpg SLEEPING.jpg
IMGP####.jpg sexypics##.jpg tongue.jpg
IMPG####.jpg sexypics#.jpg Tongue.jpg
KIF_####.jpg Smile###.jpg TONGUE.jpg
mvc#####.jpg Smile##.jpg cute.jpg
MVC0####.jpg Smile#.jpg Cute.jpg
MVC-####.jpg smile###.jpg CUTE.jpg
MYDC####.jpg smile##.jpg hehe.jpg
P00#####.jpg smile#.jpg Hehe.jpg
P10#####.jpg mirror###.jpg HEHE.jpg
P101####.jpg mirror##.jpg us.jpg
PC00####.jpg mirror#.jpg Us.jpg
PANA####.JPG single###.jpg US.jpg
PDR_####.JPG single##.jpg mesexy.jpg
PDR_####.jpg single#.jpg Mesexy.jpg
PDRM####.JPG Happy###.jpg MESEXY.jpg
PDRM####.jpg Happy##.jpg underwear.jpg
pdrm####.jpg Happy#.jpg Underwear.jpg
pict####.jpg happy###.jpg UNDERWEAR.jpg
Picture#####.jpg happy##.jpg thong.jpg
Picture####.jpg happy#.jpg Thong.jpg
Picture###-1.jpg picture###.jpg THONG.jpg
Picture##-1.jpg picture##.jpg panties.jpg
Picture#-1.jpg picture#.jpg Panties.jpg
Picture###-2.jpg cute###.jpg PANTIES.jpg
Picture##-2.jpg cute##.jpg bra.jpg
Picture#-2.jpg cute#.jpg Bra.jpg
Photo####.jpg xxx###.jpg BRA.jpg
Photo###-1.jpg xxx##.jpg costume.jpg
Photo##-1.jpg xxx#.jpg Costume.jpg
Photo#-1.jpg delete###.jpg COSTUME.jpg
S#######.jpg delete##.jpg heart.jpg
S######.jpg delete#.jpg Heart.jpg
S#####.jpg Halloween###.jpg HEART.jpg
S####.jpg Halloween##.jpg bed.jpg
SANY####.jpg Halloween#.jpg Bed.jpg
SDC#####.jpg halloween###.jpg BED.jpg
scan#####.jpg halloween##.jpg shower.jpg
SPA#####.jpg halloween#.jpg Shower.jpg
ST@_#####.jpg Me###.jpg SHOWER.jpg
STA#####.jpg Me##.jpg bath.jpg
STP#####.jpg Me#.jpg Bath.jpg
PANA###.jpg ME###.jpg BATH.jpg
{user}#.jpg ME##.jpg closet.jpg
DSCI###.jpg ME#.jpg Closet.jpg
DigitalCamera###.jpg me###.jpg CLOSET.jpg
Image(##).jpg me##.jpg kitchen.jpg
Image(##).JPG me#.jpg Kitchen.jpg
mvc-###.jpg 1-###.jpg KITCHEN.jpg
MVC-###.jpg 1-##.jpg fridge.jpg
Sony#.jpg 1-#.jpg Fridge.jpg
PhotoMoto_####.jpg IMG_###.jpg FRIDGE.jpg
###-1.jpg IMG_##.jpg table.jpg
##-1.jpg IMG_#.jpg Table.jpg
#-1.jpg naughty###.jpg TABLE.jpg
Picture###.png naughty##.jpg risque.jpg
Picture##.png naughty#.jpg Risque.jpg
Picture#.png Naughty###.jpg RISQUE.jpg
stuff###.jpg Naughty##.jpg new.jpg
stuff##.jpg Naughty#.jpg New.jpg
stuff#.jpg ass###.jpg NEW.jpg
stuff-#.jpg ass##.jpg old.jpg
S###.jpg ass#.jpg Old.jpg
S##.jpg Ass###.jpg OLD.jpg
S#.jpg Ass##.jpg halloween.jpg
s###.jpg Ass#.jpg Halloween.jpg
s##.jpg Pic###.jpg HALLOWEEN.jpg
s#.jpg Pic##.jpg cleavage.jpg
unknown-###.jpg Pic#.jpg Cleavage.jpg
unknown-##.jpg pic###.jpg CLEAVAGE.jpg
unknown-#.jpg pic##.jpg pic.jpg
Unknown-###.jpg pic#.jpg Pic.jpg
Unknown-##.jpg me.jpg PIC.jpg

So basically, the way out of phuskers is only to rename your files so that it won’t fit any of the above masks. So a simple description (3-5 words) on what’s on the picture might be able to defeat most of these software.

So here you have it how to get pictures from Photobucket.  Although I haven’t shown it here, this concept can be used for other picture sharing sites. As in anything that ever existed, this can be used for good and evil purposes. I started to get interested in computer security by reading that stuff when I was young so my goal here is to do the same, knowing that some script kiddies will probably use this.

Sayonnara


1 Security Researchers Find Alleged Facebook Hacking Service ”, Brian Prince, eWeek, September 18, 2009,http://www.eweek.com/c/a/Security/Security-Researchers-Find-Alleged-Facebook-Hacking-Service-358854/ 2009-12-29

RAAF website defaced

Atul Dwivedi, an Indian hacker paid a visit to the Royal Australian Air Force (RAAF) last Monday by defacing their website.

This accident comes amid a raise in violence targeted towards Indian native in Australia and apparently Dwivedi protested this situation by leaving a message on the website:

“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”

Racist incident in Australia against Indian students has increased in the last months
Racist incident in Australia against Indian students has increased in the last months

This site is now up and running as per normal. Of course the webserver wasn’t connected to any internal network and didn’t contain any classified information according to a spokewoman:

“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information,1

Microsoft products are used in pretty much every Western armed forces. So it’s save to assume the webserver used by the RAAF is probably running IIS. Of course, IIS implies as Windows machine and a Windows Server machine means that everything is almost certainly all Microsoft based. Of course we can now verify those claims and according to David M Williams from ITWire2 the website is hosted through Net Logistics, an Australian hosting company. The aforementioned article tries to explain the hack with the use of exploits. Which might have been the way Dwivedi did it, but the analysis is quite simple and lacks depth. The site still has an excellent link to a blog detailing the WebDAV exploit, see below for the link.

It’s not impossible to think that Dwivedi might have tricked someone into giving out too much information also. Social engineering can do lots and is usually easier than technical exploits. The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up on Facebook or another social networking site for some people in the RAAF and then try to pose as them and pose as them.

Then also, why not look for the FTP server? And God knows what else the server is running; maybe a SMTP server also (and probably it does). Now I wouldn’t suggest doing this, but running a port scan would probably reveal a lot of information. Moreover, using web vulnerability tools like Nikto could help find misconfigured settings in ASP or forgotten test/setup pages/files. Up to there, only two things are important: information gathering and imagination.

See also:

Hacker breaks into RAAF website”, AAP, Brisbane Times, July 16, 2009, http://news.brisbanetimes.com.au/breaking-news-national/hacker-breaks-into-raaf-website-20090716-dmrn.html accessed on 2009-07-17

WebDAV Detection, Vulnerability Checking and Exploitation”, Andrew, SkullSecurity, May 20, 2009, http://www.skullsecurity.org/blog/?p=285 accessed on 2009-07-17


1Indian hacks RAAF website over student attacks”, Asher Moses, The Sydney Morning Herald, July 16, 2009, http://www.smh.com.au/technology/security/indian-hacks-raaf-website-over-student-attacks-20090716-dmgo.html accessed on 2009-07-16

2 “How did Atul Dwivedi hack the RAAF web site this week?”, David M Williams, ITWire, July 17, 2009, http://www.itwire.com/content/view/26344/53/ accessed on 2009-07-16

Firefox Javascript Vulnerability

Once again, Javascript is the source of a new exploit that has been recently discovered on Firefox1. The vulnerability can be exploited by crafting malicious Javascript code on a Firefox 3.5 browser and leads to the execution of arbitrary code on the user’s machine. This is due to a vulnerability in the JIT engine of Firefox and affects machine running a x86, SPARC or arm architectures.

The vulnerability resolves around the return value of the escape function in the JIT engine. It’s exploited using the <font> tag. The code for the exploit is public and can be found at milw0rm. The exploit use a heap spraying technique to execute the shellcode.

A fix should be available soon, but the best solution is always to disable Javascript, although a lot of sites rely on it to operate. Another way is to use the NoScript plug-in, which let you enable and disable scripts easily according to a whitelist/blacklist system.

See also:

Mozilla Firefox Memory Corruption Vulnerability”, Secunia, July 14, 2009, http://secunia.com/advisories/35798/ accessed on 2009-07-15

Exploit 9137”, SBerry, July 13, 2009, http://milw0rm.com/exploits/9137 accessed on 2009-07-15

Stopgap Fix for Critical Firefox 3.5 Security Hole”, Brian Krebs, The Washington Post, July 14, 2009, http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html accessed on 2009-07-15

Critical JavaScript vulnerability in Firefox 3.5”, Mozilla Security Blog, July 14, 2009, http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/ accessed on 2009-07-15


1 “Mozilla Foundation tackles Firefox bug”, Nick Farell, The Inquirer, Wednesday, 15, July, 2009, http://www.theinquirer.net/inquirer/news/1433480/mozilla-foundation-tackles-firefox-bug accessed on 2009-07-15