Hacking fun!

SoapUI Code Execution Vulnerability – CVE-2014-1202

In this blog post I will discuss a vulnerability I’ve found in the SoapUI product before version 4.6.4 (CVE-2014-1202).

I discovered this vulnerability during a penetration test in which I saw that the SoapUI software allows the clients to execute a Java code on the local machine by putting a Java code inside the following tag:

${=JAVA CODE};

The vulnerability allows the attacker to execute the java code on the victim’s machine, thereby putting in danger the SoapUI users, including developers, penetration testers, etc.

Read more

Resident XSS – Reflected Becomes Stored Thanks to HTML5

HTML5 is the newest version of the HTML. It offers new features that enhance support for creating web applications that can interact with the user and his/her local data and servers. HTML5 successfully does this more easily and effectively than has previously been possible.

In this article we will focus on the new client storage offered by HTML5. The new HTML provides us with the Local & Session Storage, which can hold  15MB and more of client data. The differences between them is that the Local Storage can be accessed from any window, while the Session Storage can by read/modified by the same window only. Additionally, the data within the Session Storage will be automatically deleted when the window is closed, whilst deletion of the data in the Local Storage must be done manually.

Let’s say that the web application stores your account number, the SessionId, username, and some other data that will be read later on in order to display the data without sending requests to the server. The website takes the data it previously entered to the storage and displays it when the page renders. This is how the page looks normally, along with the original information stored in the sessionStorage:

ScreenShot138(Click on the image to enlarge)

Notice that the message within the speech bubble takes its information from the Session Storage, as can be seen in the above image, right below the page. You can access the page’s Resources tab using Chrome’s Developer tools (a.k.a Inspect Element).

We can assume that the page’s code behind it looks something like this when retrieving the data from the Session Storage:
<script>
   var username = window.sessionStorage.getItem(“username”);
   var speech = window.sessionStorage.getItem(“Speech-of-the-day”);
   var action = window.sessionStorage.getItem(“Random-action”);
</script>

If this website is vulnerable to a Reflected XSS (which in the regular case would be executed once on the response that includes it) and if the website does not perform client-side encoding (escaping), then this Reflected XSS can become a Stored XSS.

Read more

The reason why your exploit does not work

This post will explain to you, why it is that in Java most of the command line injection vulnerabilities in most common cases could not be exploited with:

  • && dir
  • ; ls

 

There are two options for running a command:

  1. Send the whole command to the OS shell (CMD or /bin/sh) and let Java parse & run it.
  2. Split the words of the command into an array, execute the first word, and pass the rest as parameters.

 

The difference is when, for example, the command is:

Notepad.exe a.txt && dir

The first method will run both commands (open  Notepad with the file a.txt and, if it will succeed, run the command dir). The second method will pass the ‘&&’ and ‘dir’ as  parameters to the notepad.exe program. Therefore, ‘&&’ and ‘dir’ will not run.

This is also the difference between the ‘system’ function in C language which works as the first method, and ‘Runtime.exec’ function in Java which works with the second method.

Read more

Domain hijacking & Range attack by cPanel

cPanel navigates the requests that are sent to the server to the correct account according to domain. Of course, the account owner must declare that the domain belongs to him. In order to ensure that the domain does, in fact, belong to him, cPanel offers two options (without EPP code):

1. To refer the domain DNS to the DNS storage server.

2. To create a randomly-named file on the domain, created by cPanel, which is unique per-user.

cPanel assign domain options

I will go into some detail regarding the first option.

Read more