WordPress plugin Asset manager upload.php Arbitrary Code Execution

The 'Inj3ct0r Team' compromised an ExploitHub.com database and released a file publicly which contained some of the data about the exploits that ExploitHub buy and sell. I saw the file yesterday, had a quick skim over it, but didn't think too much of it. That is until WPScan team member @gbrindisi pointed out that it contained 2 WordPress plugin vulnerabilities.

Introduction to the WordPress XML-RPC API

WordPress 3.5 was recently released which now comes with the WordPress API "always enabled". Personally I think this adds unnecessary risk by increasing the attack surface. How many WordPress users actually use the API? I would put my money on it being a very small fraction, either way I'm sure the WordPress Core Development team had good reason to enable the API by default. After spending 5 minutes looking for where to turn the API off in WordPress 3.5 I gave up. Huh, I'll have another look sometime soon. I've had a play with the API in the past, however, I've always found it hard to get going as the information on how to interact with the API is a bit sparse. Having played with it for an hour or so this evening I thought I'd share some of the information on how to get started (as well as a self reminder ;). The latest API calls can be found on WordPress's Codex here. It doesn't list all available calls; to find these let's extract them from the 'wp-includes/class-wp-xmlrpc-server.php' file.
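The extraction the last sentence describes, written up as an added example in Ruby (not code from the post or from WordPress itself): the server registers every call in a PHP array of 'namespace.method' => 'this:callback' pairs, so a regular expression over that file is enough to list the public method names. The excerpt embedded below is constructed in that layout so the script runs stand-alone; it is not the real file, which is several times longer. Point the script at the real file to get the full list.

```ruby
#!/usr/bin/env ruby
# List the XML-RPC methods registered in wp-includes/class-wp-xmlrpc-server.php.
# Usage: ruby list_xmlrpc_methods.rb /path/to/wp-includes/class-wp-xmlrpc-server.php
# Without an argument the constructed excerpt below is used instead.

# Constructed excerpt in the layout of the $this->methods array (assumed layout,
# not the real file's contents).
SAMPLE_SOURCE = <<'PHP'
		$this->methods = array(
			// WordPress API
			'wp.getUsersBlogs'		=> 'this:wp_getUsersBlogs',
			'wp.newPost'			=> 'this:wp_newPost',
			'wp.getPost'			=> 'this:wp_getPost',

			// Blogger API
			'blogger.getUsersBlogs' => 'this:blogger_getUsersBlogs',

			// Pingback
			'pingback.ping' => 'this:pingback_ping',
			'pingback.extensions.getPingbacks' => 'this:pingback_extensions_getPingbacks',

			'demo.sayHello' => 'this:sayHello',
			'demo.addTwoNumbers' => 'this:addTwoNumbers'
		);
PHP

# One "'namespace.method' => 'this:callback'" pair; the quoted key is the public method name.
METHOD_ENTRY = /'([a-z]+(?:\.[A-Za-z]+)+)'\s*=>\s*'[^']+'/

# Sorted, de-duplicated list of every method name found in the PHP source.
def extract_xmlrpc_methods(php_source)
  php_source.scan(METHOD_ENTRY).flatten.uniq.sort
end

# Group method names by the part before the first dot (wp, blogger, pingback, ...),
# which is the quickest way to see which API families the server exposes.
def methods_by_namespace(method_names)
  method_names.group_by { |name| name.split('.').first }
end

if __FILE__ == $0
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_SOURCE
  methods_by_namespace(extract_xmlrpc_methods(source)).each do |namespace, names|
    puts "#{namespace} (#{names.length} methods)"
    names.each { |name| puts "  #{name}" }
  end
end
```

Run against the real file this gives the complete inventory of what the always-on API exposes, which is the starting point for deciding whether you need it at all. A running site also answers the standard XML-RPC introspection call system.listMethods with the same names, which is handy for checking what a site you do not have the source for is exposing.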

Female hackers at Abertay University

Having completed a similar course at a different university, it is great to see that Abertay is attracting female students.

Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities

This is the paper that I submitted for my undergraduate dissertation in Ethical Hacking for Computer Security. The title (a mouthful): 'Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities'. The paper talks about software security, modern software development, software development life cycles, static code analysis and a lot more. Since submitting it I have noticed some mistakes so I'm not putting this out there as a 'perfect paper'.

The paper was the research and implementation of DevBug, an online PHP Static Code Analysis tool written mostly in JavaScript.

Feel free to have a read through. I won't be making any future amendments as I was sick of looking at it by the time I submitted it, but I thought I would put it out there in case it was useful to others in learning about software security. It is a bit dry in places, be warned!

Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities

Top 5 Blog Posts

I've been running this blog now since November 2008. As the blog's 4 year anniversary is approaching I thought I would share with you the 5 blog posts which have received the most hits within that time.

1. DropBox Security - 20,494 hits
2. Introducing WPScan – WordPress Security Scanner - 13,012 hits
3. Setting up Tor on BackTrack - 10,538 hits
4. WordPress Brute Force Tool - 10,017 hits
5. [Interview] The Jester - 7,475 hits

Probably not my personal top 5 blog posts but, nevertheless, the ones that get the most hits. If you would like to guest post on ethicalhack3r.co.uk in Spanish, English or French get in contact!

Concrete5 5.5.2.1 Multiple Authenticated Cross-Site Scripting (XSS)

# Exploit Title: Concrete5 5.5.2.1 Multiple Authenticated Cross-Site Scripting (XSS)
# Date: 2012-08-25
# Author: Ryan 'ethicalhack3r' Dewhurst (www.ethicalhack3r.co.uk)
# Software Link: http://sourceforge.net/projects/concretecms/files/concrete5/5.5.2.1/
# Version: 5.5.2.1

1. Vulnerability Description

Multiple authenticated Cross-Site Scripting (XSS) vulnerabilities were identified within Concrete5 version 5.5.2.1. Also reported were some cookie security improvements. The first Concrete5 advisory can be found here [1].

2. Software Description

CMS made for Marketing but built for Geeks, concrete5 [0] is a content management system that is free and open source.

3. Vulnerability Information

Sunday Ruby Coding: Caesar Cipher (ROT) Encoder/Decoder

It has been a rainy Sunday so I wrote a Caesar Cipher (ROT) Encoder/Decoder in Ruby to ease the boredom.

#!/usr/bin/env ruby

#
# Caesar Cipher (ROT) Encoder/Decoder - Ryan 'ethicalhack3r' Dewhurst - 05.08.2012
#

@alphabet = ('a'..'z').to_a

# Print all 26 rotations of the plaintext, one per line, labelled with the
# letter that the first character of the plaintext is shifted onto.
def encode(plaintext)
  plaintext = plaintext.gsub(/\s+/, '').downcase

  @alphabet.each do |letter|
    encoded_forward = ''

    # Shift needed to move the first letter of the plaintext onto 'letter'
    plaintext_position = @alphabet.index(plaintext[/[a-z]/])
    cipher_position = @alphabet.index(letter)
    position_difference = cipher_position - plaintext_position

    plaintext.split('').each do |char|
      position = @alphabet.index(char)
      # Characters outside a-z (digits, punctuation) are passed through unchanged
      encoded_forward += position ? @alphabet.at(position_forward_count(position, position_difference)) : char
    end

    puts "Shifted #{position_difference} to '#{letter}' - #{encoded_forward}"
  end

end

# Print all 26 rotations of the ciphertext; the plaintext is the line that reads as English.
def decode(cipher)
  cipher = cipher.gsub(/\s+/, '').downcase

  @alphabet.each do |letter|
    deciphered_forward = ''

    # Shift needed to move the first letter of the ciphertext onto 'letter'
    cipher_position = @alphabet.index(cipher[/[a-z]/])
    clear_position = @alphabet.index(letter)
    position_difference = clear_position - cipher_position

    cipher.split('').each do |char|
      position = @alphabet.index(char)
      # Characters outside a-z (digits, punctuation) are passed through unchanged
      deciphered_forward += position ? @alphabet.at(position_forward_count(position, position_difference)) : char
    end

    puts "Shifted #{position_difference} to '#{letter}' - #{deciphered_forward}"
  end

end

# Wrap a position around the 26-letter alphabet. Modulo (rather than "subtract 25")
# keeps the result in 0..25 for negative shifts and for a total of exactly 26.
def position_forward_count(current_position, position_difference)
  (current_position + position_difference) % @alphabet.length
end

puts '[Decode]'
decode('W KHTXLFNEUZQ IRA MXPSVR  YHU WKH ODCB GRJ')
puts '[Encode]'
encode('plaintext')

Freedom of Speech on Social Media

There have been many cases recently where people in the UK have been arrested under the Malicious Communications Act 1988 as well as others such as the Communications Act of 2003 and the Terrorism Act 2006 for what they have said on social media web sites such as Twitter or Facebook. Paul Chambers seems to have been the first in the UK to be arrested for what he said on Twitter in 2010. He later appealed and recently had his conviction quashed. Some of these UK cases include:
  • Tom Daley Twitter abuse: Police arrest boy in Weymouth
  • Man arrested after airport bomb joke on Twitter
  • Twitter users in incitement arrest warning after riots
  • Cyber cops arrest man, 61, for menacing chick-lit MP
  • UK Riots 2011: Police Arrest Three Individuals For Attempting to Incite New Riot
  • Flash mobs or splash mob? UK man arrested for planning water pistol fight.
  • Tory is arrested for Twitter call to kill columnist
  • Scottish teens arrested for posting on Facebook

StaticBurp - Burp Suite potential DOM XSS Analysis

A few weeks ago I had an idea. When I get ideas that I think have something worthwhile in them I note them down for future reference. The three main points to get this working were:
  • Take Burp response body.
  • Extract JavaScript.
  • Perform Taint Analysis.

The first step was to somehow extract HTML responses from Burp Suite; luckily someone had already written a Ruby Burp extender called Buby. I followed this awesome series of blog posts to get myself acquainted with Buby. The next step is to extract the JavaScript from the HTML responses, which is quite trivial to do with the Nokogiri Ruby gem. The third step is to analyse the extracted JavaScript for Sinks, Sources and Securing functions (Taint Analysis). This was the hard part, for me at least. Finding this information proved to be hard. I did find some data, however, in the end this is where I stopped pursuing my idea.

DevBug - PHP Static Code Analysis

My final year university dissertation was on the topic of Static Code Analysis, specifically the integration of IDEs (Integrated Development Environments) with Static Code Analysis. The idea was to make Static Code Analysis accessible to the developer, without them having to install and use additional specialist Static Code Analysis software. Due to my familiarity with PHP and its lack of interpreter taint analysis I decided that I would write a PHP Static Code Analysis application. The PHP Static Code Analysis tool I developed is called DevBug; it is an online PHP Static Code Analysis tool written mostly in JavaScript (jQuery). The Static Code Analysis engine uses the sources, securing functions and sinks data from the awesome RIPS Static Code Analysis tool to identify specific PHP functions that can cause or remediate vulnerabilities caused by user input. DevBug uses Taint Analysis to identify tainted variables, follows the tainted variables through the code, untaints the variables if they are secured and finally detects whether or not tainted variables end up in sensitive sinks. The IDE used is called CodeMirror, which provides a code editing area, syntax highlighting, line numbering and an API. CodeMirror was slightly modified to detect deprecated PHP functions and highlight them.
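The source / securing-function / sink model described here is the same one the StaticBurp idea above needed for JavaScript. As an added example, not DevBug's own code (DevBug is JavaScript) and not RIPS's data, here is a toy version of that taint analysis in Ruby over a list of simplified PHP statements: user input entering through a source taints a variable for every vulnerability class, a securing function removes the classes it neutralises, and a sink is reported only if the value reaching it is still tainted for that sink's class. The source, securing and sink tables are a small illustrative subset chosen for the demo, and the PHP statements are constructed.

```ruby
#!/usr/bin/env ruby
require 'set'

# Toy taint analysis over simplified PHP statements (one statement per line, no
# control flow). Illustrative subset of the source / securing / sink classification:
SOURCES  = %w[$_GET $_POST $_COOKIE $_REQUEST].freeze        # where user input enters
SECURING = {                                                 # function => classes it makes safe
  'htmlspecialchars'         => [:xss],
  'htmlentities'             => [:xss],
  'mysql_real_escape_string' => [:sqli],
  'intval'                   => [:xss, :sqli]                # an integer carries no markup or SQL
}.freeze
SINKS = { 'echo' => :xss, 'print' => :xss, 'mysql_query' => :sqli }.freeze

ASSIGNMENT = /\A(\$\w+)\s*=\s*(.+);\z/
SINK_CALL  = /\A(#{SINKS.keys.join('|')})\b(.*);\z/

# Constructed sample: a mix of tainted, secured and partially secured flows.
SAMPLE_PHP = [
  %q{$name = $_GET['name'];},
  %q{$safe_name = htmlspecialchars($name);},
  %q{$id = intval($_GET['id']);},
  %q{$query = "SELECT * FROM users WHERE name = '$name'";},
  %q{echo 'Hello ' . $safe_name;},
  %q{echo $name;},
  %q{mysql_query($query);},
  %q{mysql_query("SELECT * FROM users WHERE id = $id");}
].freeze

# Vulnerability classes an expression is still tainted for, given the taint
# state of the variables it references.
def taint_of(expr, taint)
  kinds = Set.new
  kinds |= SINKS.values if SOURCES.any? { |source| expr.include?(source) }
  expr.scan(/\$\w+/).each { |var| kinds |= taint[var] if taint[var] }
  # Over-approximation: a securing function anywhere in the expression is taken
  # to wrap the whole tainted value. A real analyser checks the call's argument.
  SECURING.each { |fn, cleared| kinds -= cleared if expr =~ /\b#{fn}\s*\(/ }
  kinds
end

# Walk the statements in order, tracking taint per variable, and return one
# [line_number, sink, vuln_class] entry for every tainted value reaching a sink.
def analyse(php_lines)
  taint = {}
  findings = []
  php_lines.each_with_index do |line, i|
    stmt = line.strip
    if (m = ASSIGNMENT.match(stmt))
      kinds = taint_of(m[2], taint)
      if kinds.empty?
        taint.delete(m[1])        # fully secured (or never tainted): untaint the variable
      else
        taint[m[1]] = kinds       # taint (or re-taint) the assigned variable
      end
    elsif (m = SINK_CALL.match(stmt))
      sink = m[1]
      findings << [i + 1, sink, SINKS[sink]] if taint_of(m[2], taint).include?(SINKS[sink])
    end
  end
  findings
end

if __FILE__ == $0
  analyse(SAMPLE_PHP).each do |line, sink, vuln|
    puts "line #{line}: tainted input reaches #{sink}() -> possible #{vuln.to_s.upcase}"
  end
end
```

On the sample this flags line 6 (the raw $name echoed) and line 7 (the query string built from $name), and stays quiet on line 5 (htmlspecialchars makes the value safe for an HTML sink) and line 8 (intval strips everything). Note that $safe_name remains tainted for SQL injection after htmlspecialchars, which is exactly why securing functions have to be tracked per sink class rather than as a single "clean" bit.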

Old School hacking

Back in the late nineties, around 1999, my mother bought me my first computer. Around this time The Matrix movie was released, which as a young boy with a new computer had me Yahoo'ing (Google was largely unknown) for the term 'hacking'. Back then Yahoo! Chat was still around and had a chat room called the 'Hackers Lounge'; everyone in there was talking about all sorts of cool things you could do with computers that I had never heard of before. With hindsight, most of the people in the chat room were script kiddies who knew how to run a few Windows GUI 'hacking' tools and were largely acting like they were the kings of the Internet. At the time I wanted to learn about all of the cool things they knew. I started downloading and learning how to use these 'hacking' tools by the use of my guinea pig friends and family (my siblings soon grew tired of me remotely opening and closing their CD-ROM drives). Some of these tools are still actively developed and used today, invaluable to conducting modern Penetration Testing and security audits. For the sake of nostalgia, I present to you some of the coolest most 1337 'hacking' tools that I and others used 'back in the day'. Warning: Download links not verified.

Legion by Rhino9
Use: Windows Null Session share scanner.
Released: 1999
Platform: Windows
Further Info: http://www.informit.com/articles/article.aspx?p=26263&seqNum=5
Download: http://packetstormsecurity.org/files/14711/legion.zip.html

Wireless Man In The Middle (MITM)

This is a recent piece I did for the BBC Inside Out program that originally aired on February 6th. In the video I demonstrate a wireless Man In The Middle (MITM) attack in a coffee shop using a FON+ wireless router, Karma and Jasager. Oh, and they're the ones who call me an 'expert'; personally, I hate the term and would never call myself one.

Prevention of unwanted telemarketing calls

I am tired of receiving multiple telemarketing calls per day, I'm tired of the Telephone Preference Service (TPS) not having an effect and I'm tired of telecommunication companies charging for prevention features which should be free.

I came across an e-petition that was set up by a Rob Whitelock; it is not perfect in its recommendations but certainly puts the general point across.

e-petitions is an easy way for you to influence government policy in the UK. You can create an e-petition about anything that the government is responsible for and if it gets at least 100,000 signatures, it will be eligible for debate in the House of Commons.

You can help by signing the petition here:
http://epetitions.direct.gov.uk/petitions/17324

WordPress 3.3 Cross-Site Scripting (XSS)

Yesterday two Indian security researchers, Aditya Modha & Samir Shah, released an advisory outlining a Cross-Site Scripting (XSS) vulnerability within the latest version (at the time of writing) of WordPress 3.3. Many people started re-tweeting the news (including myself) and blogging about it. The problem came when I tried to reproduce the vulnerability: I couldn't. I started to think that the vulnerability was a misunderstanding or publicity stunt and was getting annoyed at the many people who were spreading misinformation. I contacted the researchers over Twitter and told them that I was unable to reproduce the vulnerability in any browser or on any WordPress installation, including vanilla installs. The researchers got back in touch with a link to a WordPress installation on which the vulnerability worked. The URL they gave me was an IP address. Within their environment the XSS worked. At this point I think even the researchers were puzzled. They sent me this code that they believed was the function causing the XSS within wp-includes/functions.php: http://pastebin.com/iBnpN8Zm.

WordPress Plugin Disqus Comment System XSS

# Exploit Title: WordPress Plugin Disqus Comment System <= 2.68 Reflected Cross-Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/disqus-comment-system/
# Date: 11.12.11
# Author: Ryan Dewhurst (@ethicalhack3r)
# Software Link: http://downloads.wordpress.org/plugin/disqus-comment-system.2.68.zip
# Version: 2.68
# Tested on: Cross-Platform

** Vulnerability Description **

The WordPress Disqus Comment System version 2.68 was found to be affected by Reflected Cross-Site Scripting (XSS). At the time of writing the plugin (not version) had been downloaded 504,746 times. [0]