Ankit Kumar Agarwal » News

Wp-Fb Comments -The next generation Wp-Fb integration

Ankit Kumar Agarwal — Mon, 07 Mar 2011 10:37:34 +0000

A couple of months ago when i was working on integrating my blog with Facebook,I was forced to choose one from the inbuilt Wp comment system or the Facebook comment social plugin.What i wanted instead was something that can merge both the system and let me have synchronized comment system in both word press and facebook.Since i didn’t find anything that can do that,I decided to code one.And I am really glad to finally have completed and release the plugin.

You can find out the latest version HERE

So far the response has been awesome that is i received around 150 downloads in the first two days of release,that too considering the plugin is still in Beta stage!
Hope i would continue receiving such response on this

Please donot post any support issues in the comment section.
Post support issues here
P.S:-Another update is on its way!!

WordPress 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

Ankit Kumar Agarwal — Fri, 13 Nov 2009 16:11:16 +0000

Recently Dawid Golunski released a wp 2.8.5 exploit which let users to execute arbitatry PHP codes.

After i had a conversation with him it was concluded that this exploied is confiend to a few apchae servers only and other servers are safe!! Below is a copy of his discolsure and our conversation:-

Disclosure

==============================

===============
- Release date: November 11th, 2009
- Discovered by: Dawid Golunski
- Severity: Moderately High
=============================================

I. VULNERABILITY
————————-
WordPress <= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution

II. BACKGROUND
————————-
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards,
and usability. WordPress is both free and priceless at the same time. More simply, WordPress is
what you use when you want to work with your blogging software, not fight it.

III. DESCRIPTION
————————-

WordPress allows authorised users to add an attachment to a blog post.
It does not sanitize provided file properly before moving it to an uploads directory.

The part of the code responsible for uploading files looks as follows:

wp-admin/includes/file.php:
—[cut]—
line 217:
function wp_handle_upload( &$file, $overrides = false, $time = null ) {
—[cut]—
// All tests are on by default. Most can be turned off by $override[{test_name}] = false;
$test_form = true;
$test_size = true;

// If you override this, you must provide $ext and $type!!!!
$test_type = true;
$mimes = false;
—[cut]—

// A properly uploaded file will pass this test. There should be no reason to override this one.
if (! @ is_uploaded_file( $file['tmp_name'] ) )
return $upload_error_handler( $file, __( ‘Specified file failed upload test.’ ));

// A correct MIME type will pass this test. Override $mimes or use the upload_mimes filter.
if ( $test_type ) {
$wp_filetype = wp_check_filetype( $file['name'], $mimes );

extract( $wp_filetype );

if ( ( !$type || !$ext ) && !current_user_can( ‘unfiltered_upload’ ) )
return $upload_error_handler( $file,
__( ‘File type does not meet security guidelines. Try another.’ ));

if ( !$ext )
$ext = ltrim(strrchr($file['name'], ‘.’), ‘.’);

if ( !$type )
$type = $file['type'];
} else {
$type = ”;
}

// A writable uploads dir will pass this test. Again, there’s no point overriding this one.
if ( ! ( ( $uploads = wp_upload_dir($time) ) && false === $uploads['error'] ) )
return $upload_error_handler( $file, $uploads['error'] );

$filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback );

// Move the file to the uploads dir
$new_file = $uploads['path'] . “/$filename”;
if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {
return $upload_error_handler( $file,
sprintf( __(‘The uploaded file could not be moved to %s.’ ), $uploads['path'] ) );
}
—[cut ]—

From the above code we can see that provided filename gets checked with:
$wp_filetype = wp_check_filetype( $file['name'], $mimes );

Here is how the wp_check_filetype() function looks like:

wp-includes/functions.php:
—[cut]—
line 2228:

function wp_check_filetype( $filename, $mimes = null ) {
// Accepted MIME types are set here as PCRE unless provided.
$mimes = ( is_array( $mimes ) ) ? $mimes : apply_filters( ‘upload_mimes’, array(
‘jpg|jpeg|jpe’ => ‘image/jpeg’,
‘gif’ => ‘image/gif’,
‘png’ => ‘image/png’,
‘bmp’ => ‘image/bmp’,
‘tif|tiff’ => ‘image/tiff’,
‘ico’ => ‘image/x-icon’,
‘asf|asx|wax|wmv|wmx’ => ‘video/asf’,
‘avi’ => ‘video/avi’,

—[cut, more mime types]—
line 2279:

$type = false;
$ext = false;

foreach ( $mimes as $ext_preg => $mime_match ) {
$ext_preg = ‘!\.(‘ . $ext_preg . ‘)$!i’;
if ( preg_match( $ext_preg, $filename, $ext_matches ) ) {
$type = $mime_match;
$ext = $ext_matches[1];
break;
}
}

return compact( ‘ext’, ‘type’ );
}

We can see that type of the file gets set to a predefined MIME type that matches supplied
extension, and that the extension is obtained from a regexp that matches a mime ext. string after
the LAST dot.
If extension is not on the list $type and $ext will be set to FALSE and wordpress will
produce an error (“File type does not meet security guidelines. Try another”).

Let’s look at the other check that is performed on the filename before a file gets uploaded,
that is a call to the following function:
$filename = wp_unique_filename( $uploads['path'], $file['name'], $unique_filename_callback );

wp-includes/functions.php:
line 2096:
function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) {
// sanitize the file name before we begin processing
$filename = sanitize_file_name($filename);

—[cut, code that only matters if uploaded file already exists]—
line 2126:
return $filename;
}

To have a complete view on file sanitization performed by wordpress we need to look into the
sanitize_file_name() function:

wp-includes/formatting.php:
line 601:
function sanitize_file_name( $filename ) {
$filename_raw = $filename;
$special_chars = array(“?”, “[", "]“, “/”, “\\”, “=”, “<”, “>”, “:”, “;”, “,”, “‘”, “\”",
“&”, “$”, “#”, “*”, “(“, “)”, “|”, “~”, “`”, “!”, “{“, “}”, chr(0));
$special_chars = apply_filters(‘sanitize_file_name_chars’, $special_chars, $filename_raw);
$filename = str_replace($special_chars, ”, $filename);
$filename = preg_replace(‘/[\s-]+/’, ‘-’, $filename);
$filename = trim($filename, ‘.-_’);
return apply_filters(‘sanitize_file_name’, $filename, $filename_raw);
}

This function removes special characters shown above, replaces spaces and consecutive dashes with
a single dash, trims period, dash and underscore from beginning and end of the filename.

The sanitization process appears quite extensive however it does not take into account files that
have multiple extensions.
It is possible to upload a file containing an arbitrary PHP script with an extension of ‘.php.jpg’
and execute it by requesting the uploaded file directly.

The execution of the PHP code despite the .php.jpg extension is possible because Apache
allows for multiple extensions. Here is a quote from Apache docs regarding this matter:

”
Files can have more than one extension, and the order of the extensions is normally irrelevant.
For example, if the file welcome.html.fr maps onto content type text/html and language French then
the file welcome.fr.html will map onto exactly the same information. If more than one extension is
given that maps onto the same type of meta-information, then the one to the right will be used,
except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif
and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with
the MIME-type text/html.

Care should be taken when a file with multiple extensions gets associated with both a MIME-type
and a handler. This will usually result in the request being handled by the module associated with
the handler. For example, if the .imap extension is mapped to the handler imap-file
(from mod_imagemap) and the .html extension is mapped to the MIME-type text/html, then the file
world.imap.html will be associated with both the imap-file handler and text/html MIME-type.
When it is processed, the imap-file handler will be used, and so it will be treated as a
mod_imagemap imagemap file.
”

IV. PROOF OF CONCEPT
————————-
Browser is enough to replicate this issue. Simply log in to your wordpress blog as a low privileged
user or admin. Create a new post and use the media file upload feature to upload a file:

test-image.php.jpg

containing the following code:

phpinfo();
?>

After the upload you should receive a positive response saying:

test-vuln.php.jpg
image/jpeg
2009-11-11

and it should be possible to request the uploaded file via a link:
http://link-to-our-wp-unsecured-blog.com/wp-content/uploads/2009/11/test-vuln.php.jpg

thus executing the PHP code it contains.

In the above code example, a php info page will be shown.

V. BUSINESS IMPACT
————————-
An attacker that has already obtained login details (for example by stealing user’s cookies with
an XSS attack) to the blog as one of the existing users could exploit this vulnerability to get
access to the system in the Apache user’s context.
From there he could use local bugs to further escalate the privileges. Apache account would be
enough in most cases to view the source codes and gain access to the databases.

Some wordpress users of the 2.8.5 release have reported that some php files have been added to
their wordpress directory. It could be possible that they have been hit by this bug. Therefore it
is important to take some countermeasures as soon as possible.

VI. SYSTEMS AFFECTED
————————-
Most likely all of the wordpress releases contain this bug. Including the current hardened stable
release 2.8.5 and the beta version.

VII. SOLUTION
————————-
Vendor has been informed about the bug. Currently wordpress developers and contributors are in
the process of bug hunting and fixing reported bugs in beta versions before the new stable release,
so hopefully it should not take long for them to take this problem into account.

You can apply the temporary solutions for this problem which I provide below before an official
patch is made.

You can create a .htaccess file in the uploads dir (wordpress/wp-content/uploads) with
the following content:

deny from all

order deny,allow
allow from all

Adjust allowed file extensions in the brackets if necessary.
This will prevent Apache from serving files with double extensions inside the uploads directory.

Alternatively you can try to patch the source code yourself by editing the
wp-admin/includes/file.php file and the wp_handle_upload() function it contains. An example patch
could be to add the following three lines of code at the line 260:

// Fix Unrestricted File Upload Arbitrary PHP Code Execution bug, return if more than 1 extension provided
if ( count(explode(‘.’, $file['name'])) > 2 );
return $upload_error_handler( $file, __( ‘File type does not meet security guidelines. Try another.’ ));

VIII. REFERENCES
————————-
http://www.wordpress.org
http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext

IX. CREDITS
————————-
This vulnerability has been discovered by Dawid Golunski
golunski (at) onet (dot) eu

Greetings go to: robxt, sajanek, xsoti, bart, falcon (for the old time’s sake and complexmind

X. REVISION HISTORY
————————-
November 11th, 2009: Initial release

XI. LEGAL NOTICES
————————-
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of
use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

Counter question by me

Hi,
i was testing this and i get just the url echoed nothing else.The php info command didnt work.
am i missing something?
Morover

For example, if .gif maps to the MIME-type image/gif
and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with
the MIME-type text/html.

So doesnt that mean that the file will be associated with jpg only?
sorry if you think this noobis.But i am not able to figure it out.
Thanks

Ankit kumar agarwal

His reply

Hi,

Yes, you missed the other part of the quote from apache docs That is:

“Care should be taken when a file with multiple extensions gets associated with both a MIME-type

and a handler. This will usually result in the request being handled by the module associated with

the handler. For example, if the .imap extension is mapped to the handler imap-file

(from mod_imagemap) and the .html extension is mapped to the MIME-type text/html, then the file

world.imap.html will be associated with both the imap-file handler and text/html MIME-type.

When it is processed, the imap-file handler will be used, and so it will be treated as a

mod_imagemap imagemap file.”

A lot of systems that use apache/php have their apache configured so that it handles .php files via:

AddHandler php5-script .php

as opposed to :

AddType application/x-httpd-php .php (which is probably your case)

According to the above, handlers have priority over mime types thus .php.jpg will be executed as a php.

I’m going to clarify this on bugtraq soon so it is clear for others too.

Hope this clarifies it.

Take care,

Dawid

His public Explanation of what i asked

Hi,
Just wanted to add a quick update on affected systems since I forgot to mention webservers along with wordpress versions in my advisory.
Some people are wondering why the vulnerability doesn’t work on their system.

I’m pretty sure that the exploit won’t work on web servers other than Apache (as they probably won’t process extensions other than the last one). So not apache based servers are probably safe here.
Whether it will work on your Apache server or not depends on your mod_php configuration.
The exploit won’t work on servers where PHP scripts handling has been configured as follows:

SetHandler application/x-httpd-php

If the exploit doesn’t work for you this is most likely the case.

The exploit however will work on systems where php scripts are handled via the following setting in the php.conf:

AddHandler php5-script .php

which I think is quite common. For example Apache distributed in Red Hat based systems seem to have php configured in such a way.

Hope this clears the matter a bit.

Regards,
Dawid

Thats it..dont misuse above information!!

Next Email Revolution-Google Wave

Ankit Kumar Agarwal — Mon, 28 Sep 2009 07:41:23 +0000

Yes its correct!! Google wave is coming.The next revolution that’s gone change how emails work!!

NOTE:-If you have a weak heart DONT watch this.YOu wont be abel to control the excitation.

WINDOWS 7:worth installing?? (ch-2)

Ankit Kumar Agarwal — Wed, 04 Mar 2009 09:06:00 +0000

continued from chapter one.

Another addition to the Windows 7 taskbar is the jumplist. A jumplist is a personalized menu that may offer access to the program’s functions or recently/frequently used files. Since i’m talking about personalized menus, their content is, of course, decided by each application’s developer and will consequently vary. For example, while the Windows Explorer jumplist displays a list of frequently and recently accessed locations, the Internet Explorer jumplist will display your browser’s history.

As for new stylish elements in this operating system, I should mention that most progress bars will now be viewable from the taskbar, so you won’t need to focus on a window just to find out how much progress has been made. You will notice another eye-catching feature when hovering over the taskbar icon of an opened application – the lightning effect that highlights the pointer’s position.

Naturally, the taskbar and Start Menu properties haven’t been left unchanged either. Improvements have been made especially to the Start Menu options, which now allow you to customize it in a manner that, had it been available in previous Windows operating systems, it could have been achieved only through registry tweaks.

What’s in and what’s out

Fans of Windows Movie Maker will probably be surprised to find out that this component, along with Windows Mail and Windows Photo Gallery, is no longer bundled in Windows 7. Don’t worry, you can always download them from Windows Live.

Of course, Microsoft couldn’t have removed applications without adding a few new ones as well. A pretty useful software is Windows DVD Maker that allows you to create your very own multimedia DVD. Although the program is easy to use and offers a straightforward procedure for burning your video, music and graphic files to a DVD, it also enables you to customize various DVD settings, such as its menu, video format or DVD aspect ratio.

There are also a few other, smaller, additions like the Sticky Notes, Snipping Tool, and even a long awaited Disc Image Burning Tool. Unfortunately, none of these utilities is advanced, but if you’re looking for some basic operations, they are surely the handiest solution.

Changes in Windows programs

The basic changes that you can easily discover by just browsing for a few minutes are as follows. Wordpad and Paint have been enhanced a bit, in that they now employ the ribbon interface. You’ll be using the beta version of Internet Explorer 8 and a not-yet-released for download version 12 of Windows Media Player. Windows Calculator now features Programmer and Statistics modes, and includes date calculation and unit conversion functionality as well.

Windows Search functions on a much more improved engine, as compared to the one available at this moment in/for Vista. A less important optimization, but still worth mentioning, is the ability to resize the length of the search bar in Windows Explorer.
Last but not least in our list of changes that would probably interest any average user are the Control Panel additions. You’ll notice a few new items: ClearType Text Tuner, Credential Manager, Display Color Calibration Wizard, Gadgets, Location and Other Sensors, Recovery, System Icons, Troubleshooting, Workspaces Center, Biometric Devices, Windows Solution Center.

Windows Solution Center is the replacement of the Windows Security Center currently available in Windows Vista and XP. It will now provide access to the system’s security components (virus, network access and spyware protection, firewall, UAC, automatic updates, etc.), but also to maintenance tasks such as Windows Backup, System Restore or Troubleshooting.

Conclusion

After my quick tour in Windows 7, I find myself very enthusiastic about it. Unfortunately, there is always a “but” that follows this type of statements. Windows 7 improves or introduces cool, new features like jumplists and thumbnails, but you won’t be able to fully enjoy them on non-native Windows 7 applications. Don’t expect the tab trick to work on the current version of Firefox or Maxthon and, sadly, the same goes for the play control of Winamp, for example. Not yet, at least.

Homegroups are a great way to share files, but please remember they are a Windows 7 feature, so you won’t be able to use them with your friends and colleagues using Vista or XP.

Last but not least in our list of changes that would probably interest any average user are the Control Panel additions. You’ll notice a few new items: ClearType Text Tuner, Credential Manager, Display Color Calibration Wizard, Gadgets, Location and Other Sensors, Recovery, System Icons, Troubleshooting, Workspaces Center, Biometric Devices, Windows Solution Center.

WINDOWS 7:worth installing?? (ch-1)
WINDOWS 7:worth installing?? (ch-2)

WINDOWS 7:worth installing?? (ch-1)

Ankit Kumar Agarwal — Wed, 04 Mar 2009 08:51:00 +0000

As you probably know by now, a beta version of Microsoft’s future operating system, Windows 7, has been leaked to the “masses.” Of course, i couldn’t let such an opportunity pass by, and decided to take a quick tour of this release, so i could come up with an answer to the most relevant question of all: is it worth it? Is Windows 7 worth installing? Therefore, i decided to have a look at the most common Windows locations, functions and utilities that the average user might access or use, see to what extent this operating system was any different from its predecessor and, thus, answer the above question.

Installation

As a starting note, i should state that Windows 7 was installed on a Vista-compatible laptop, and, therefore, performance was not an issue. As for the installation process, it lasted approximately 25 minutes and was almost identical to the one found in Windows Vista. You must have noticed that I said “almost.” The addition of homegroups is a difference between the two operating systems that you will surely notice even during the installation process – at the end of it, you will receive a password that will later allow you to access this facility.

Getting started

When the setup process was finished, I headed to the Getting started window to see the new functionalities in Windows that I should be concentrating on. Since i’m talking about a beta version, this didn’t turn out to be a very wise decision: the What’s New headlines were missing. Instead, Item 1, Item 2 and Item 3 were displayed. Still, included in this window is a See more new features button that leads to the section in Windows Help with all the new features I was looking for: Specialized for laptops, Optimized for entertainment, Designed for services, etc.

Highlights

Specialized for laptops, unfortunately, does not mean in any way that, by installing Windows 7 on a laptop, you’ll be able to use it a lot longer by running just on your battery. The power consumption is, at best, the same as in Windows Vista. However, Windows 7 does include more advanced power options and power plans that might help you squeeze just a little bit more juice out of your battery.
In this version of Microsoft Windows, Media Player finally has its own sets of codecs, which will allow you to view videos, movies and clips without having to search the Internet for codec packs. Furthermore, Windows Media Center has been “pimped” to ensure that Windows 7 really is optimized for entertainment. The downside in this case is that, during my testing of Windows Media Player, the application froze repeatedly and, to cap it all off, so did the entire system with it (thus forcing the user to reboot in order to get back control).

I think it’s safe to say that designing Windows 7 for services most probably brought the coolest new concepts in looks and maneuverability of windows. Therefore, in order to make this operating system from a touch screen extremely easy to use, several new, interesting and very useful features have been implemented. Aside from the Superbar you’ve probably heard of – that, in a way, uses the concept of mac docks – another addition, which, although potentially useful to the average user, I doubt was designed especially for them, is the “shake” functionality that allows them to minimize all windows behind a window that is shaken a bit using its title bar.

Last but not least, you’ll be able to maximize a window by just dragging it to the top of the screen, or to resize its width to the width of the screen by either dragging its title bar to the right/left edge of the screen, or the resize arrows to the top/bottom of the screen. As a side note, similar actions have been assigned through the usage of the Windows and directional keys: Windows Key + Up = Maximize, Windows Key + Down = Minimize, Windows Key + Left = The window will occupy the entire left side of the screen, Windows Key + Right = The window will occupy the entire right side of the screen.
Start Menu and Taskbar
Since i’m talking about useful changes brought to the operating system’s look, I must also mention the improved tray. First of all, to the right of the clock, you can now observe a new button that will show/hide the desktop (so, no, you won’t be needing the quicklaunch shortcut anymore). Secondly, the possibility to change icon order has finally been implemented. And thirdly, all third-party/ irrelevant/ unused icons will no longer occupy most of the space in your tray: all of them can be accessed with just one click on a small arrow to the left of the tray area.

As you might have heard already, the Superbar isn’t the only major change brought to the Windows 7 taskbar. You can now finally change the order of your windows in the taskbar. Furthermore, the thumbnails have been considerably tweaked, and they no longer function as a small, singular preview of an application.

Windows 7 will now display a thumbnail for each window of a group, and from each thumbnail, users can close the corresponding window or, in some cases, access its common controls, like Play, Previous, or Next in the case of Windows Media Player. Another example of how the thumbnails have been improved is the possibility to view the tabs of an application as if they were separate windows just by hovering over its taskbar icon with your mouse. Naturally, the thumbnail will also function as a preview to a specific window, so you won’t necessarily need to switch windows in order to just take a quick peek at another program – for instance, hovering over the thumbnail will do the trick instead.

contd…
WINDOWS 7:worth installing?? (ch-1)
WINDOWS 7:worth installing?? (ch-2)

Windows 7 screenshots

Ankit Kumar Agarwal — Thu, 01 Jan 2009 09:04:00 +0000

Windows is preparing to launch its latest OS windows 7.Though its beta version is still not publically availabele still its creating a sensations in the windows market about its features!! Its expected beta release is in first qauter of 2009.Well i Hope that it would be worth the wait.Not like the Vist which was much hyped but had nothing in store instead only created problems for its XP users in uninstalling it.Well anyways here are a few screenshots from Windows 7 which will definetly amaze you!!

Cable damage hits India, Qatar and UAE hardest

Ankit Kumar Agarwal — Sat, 20 Dec 2008 17:54:00 +0000

Damage to three major undersea cables seriously disrupted more than half of internet and phone services between Europe, the Middle East and Asia on Friday, with India, Qatar and the United Arab Emirates the worst affected, France Telecom said.

The telecom operator said initial estimates show 82 percent of service to India was disrupted, while 73 percent of service to Qatar and 68 percent to the UAE was affected.

Around 50 percent of service to Saudi Arabia, Jordan and Egypt was also disrupted, it said.

“The causes of the cut, which is located in the Mediterranean between Sicily and Tunisia, on sections linking Sicily to Egypt, remain unclear,” France Telecom said in a statement on its website.

The company said a ship set off in the early hours of Saturday morning to fix the lines, but that it would not arrive until Monday and that it could take until Dec. 31 until normal service was restored.

UAE telecom Etisalat said it had taken “precautionary measures to ensure the flow of internet services”, state news agency WAM reported, citing a company statement.

“Etisalat was able to use alternative routes shortly after the disruption of the three international cables, thereby ensuring the continuity and smooth flow of internet services in the UAE,” the statement said.

Du, the UAE’s second telecom, said it had re-routed data and international voice traffic east through alternative cable systems.

“The top 50 voice destinations are now unaffected and only 15 percent degradation overall remains. Internet capacity is reduced but again additional capacity is being activated to the east which will restore performance to more normal levels,” the company said in a statement.

Qatari telecom Qtel said loss of capacity in Qatar was being kept below 47 percent and the country “is only experiencing limited effects”.

“Qtel’s network of alternative transmission routes and back-up cables has ensured that Qatar has remained connected,” the company said in a statement.

However, it did warn users might experience some slowdown in internet speed and access problems until the cables were repaired.

Kuwait’s Ministry of Communications said the damage had affected internet service and some international communications in the Gulf state, state news agency KUNA reported.

The ministry said it had “contacted local, regional and international parties to secure communications’ alternatives to provide the service”.

France Telecom spokesman Louis-Michel Aymard was quoted by newswire AFP as saying the cuts were unlikely to be an attack. He said the cables could have got caught up in trawlers’ nets or there could have been an underwater landslide.

Aymard said one of the cables seems to have been severed, while the other two seem to have been only partially cut.

The cables are jointly owned by several dozen different countries. One of the cables is 40,000 km long and links 33 different countries while a second is 20,000 km long and serves 14 states.

In January, five cables in the Middle East and Europe were cut, causing severe internet disruption across the Middle East and Asia.

Cable damage hits India, Qatar and UAE hardest

UPDATE 1: Three undersea cables linking more than 47 countries damaged in Mediterranean.

OUG[orkut underground]-13 hacked?

Ankit Kumar Agarwal — Fri, 12 Dec 2008 19:15:00 +0000

I was paying one of my regular visits on 9/12/2008 evening to the wellknown OUG-13-”orkut underground community” when i saw something that was very different sight.Instead of the usual- “Gravity is not responsible for people falling at our feet, our actions made them do so” it was written “hacked by dx”.All posts and forum were completely gone…The owner name was changed!!

Fortunately soon after everything was back to control and we had the following explanation from one of the OUG moderators:-

Explaining Incident 9/12/2008 – Tuesday

So it was Around 10:30p.m. I was Out of house, that’s when i got Call from OuG member Zubin. He told me the incident I told him to put pushpak in conference. Supriya Joined in and Prateek joined in Conference. Told Supriya OuG Is taken over by n00bs. Realised his Profile was Deleted and so some guy got gain ownership option and so they took the ownership. Supriya kept the phone he came online logged in to his co-owner profile and gained back the Ownership of OuG, and transferred to Nikhilesh, and then it underwent a number of ownership and finally it is in the hands of our secret agent :-$ Rakhi sawant..she rockz

Explaining Further..
There is a kind of Idiotic Link in Google Which has a form which when filled deleted or disables the profiles of Orkut User’s(Don’t ask where is that link and which is that link – not allowed in this topic) which some n00bs used to delete the profiles and take-over the OuG community. (Still Asumed Not Confirmed). So when the profile was deleted many members got the option og gain ownership…owners were getting changed every second…and finally one idiotic DX or XD watever member got the community and then wat he deleted all the topics and claimed OuG got hacked…lol @ those n00bs
And then as i said before called suppi in conf and told him about this, etc. he went offline later coz of his exmaz. It would have not been possible to do all this without the proper communication between members, mods and owner. And then till 12:00, almost all important topics topics were restored and the community was much more stable, mods were appointed..while owner profile har baar change hoti rahegi for security reasons..This was all coz of stupidity of Google..kisi ki koi mistake nahin hai..no one can hack us simply..its just tht orkut is gay…he is giving more important to his partner than orkut so he doesn’t have time to fix this stupid bugs. AS for Now We are not accepting any new members. They will hack us again as they say coz they are gay…a BIG LOL @ THEM. Enjoy..

VULNERABILITY IN FACE RECOGNITION AUTHENTICATION MECHANISM

Ankit Kumar Agarwal — Thu, 11 Dec 2008 14:34:00 +0000

VULNERABILITY IN FACE RECOGNITION AUTHENTICATION MECHANISM
LENOVO-ASUS-TOSHIBA LAPTOPS
1. General Information
Face Recognition feature is provided by Asus, Lenovo and Toshiba as specialized software that is issued together with their laptops. This feature is embedded into all laptop families having webcams and supporting Windows Vista, XP operating system. Owners of laptops benefiting from this technology do not have to type in their passwords or use their fingerprint but to sit in front of their laptops to login.
Face-recognition is introduced by these vendors as a remarkable feature which helps prevent unauthorized people breaking into laptops and ensure information security for their owners.

Details : http://security.bkis.vn/?p=292
SVRT Advisory : SVRT-07-08
Initial vendor notification : 20-11-2008
Release Date : 08-12-2008
Update Date : 08-12-2008
Discovered by : SVRT-Bkis
Attack Type : Authentication Mechanism Bypass
Security Rating : Critical
Impact : Loss of Confidentiality and Integrity
Affected Software : Lenovo Veriface III (prior version is vulnerable)
Asus SmartLogon V1.0.0006 (prior version is vulnerable)
Toshiba Face Recognition 2.0.2.32 (prior version is vulnerable)
Video demo: http://security.bkis.vn/Proof-of-concept/Face_Recognition/FaceRecognitionBypassing_DemoVideo.wmv
2. Technical Description

After 4 months researching on Face Recognition technology apply on laptop, Bkis, Vietnam, has come to a conclusion that the User Authentication Mechanisms Based on Face Recognition of Asus, Lenovo and Toshiba haven’t met security needs.

Bkis research show that the Authentication Mechanism Based on Face-Recognition of these 3 laptop vendors can all be bypassed, even when set at highest security level.

In order to make use of this technology, a laptop’s owner uses webcam to capture his or her face at a close distance and at different viewpoints. This step helps the laptop to “remember” facial characteristics of its owner, and store these data in the face database. Bkis’s research, however, show that an unauthorized person can easily regenerate suite of fake face recognition to bypass the authentication mechanism.

Performing tests on laptops with 1.3 Megapixel camera produced by Lenovo – Asus – Toshiba, using the Bypass Model above with special photos or videos of some users, we have been able to pass the User Authentication Based on Face Recognition and log into user accounts on Windows Vista without difficulty.

All the applications tested are of their latest versions and are set to Highest Security Level.
- Lenovo Veriface III
- Asus SmartLogon V1.0.0005
- Toshiba Face Recognition 2.0.2.32
3. Solution
In the mean time waiting for this vulnerability to be fixed, Bkis recommends that users all over the world stop using face authentication to log in their laptops.
Credit
Thanks Le Nhat Minh, Nguyen Minh Duc, Bui Quang Minh, Le Minh Hung.
—————————————-

————————
Security Vulnerability Research Team (SVRT-Bkis)
Bach Khoa Internetwork Security Center (Bkis)
Hanoi University of Technology (Vietnam)
Office: 5th Floor, Hitech building – 1A Dai Co Viet, Hanoi, Vietnam
Tel: 84.4.38 68 47 57 Ext 128
Mobile: +84 983 60 99 20
Email: svrt@bkav.com.vn
Website: www.bkav.com.vn

Hacking VoIP– New Book Shows How Easy it Is to Attack VoIP

Ankit Kumar Agarwal — Fri, 14 Nov 2008 18:24:00 +0000

Voice over Internet Protocol (VoIP) is an increasingly widespread new technology that allows users to escape the tyranny of big telecom and make phone calls over the Internet. But while VoIP may be cheap and convenient, it’s notoriously lacking in security. With little effort, attackers can eavesdrop on conversations, disrupt phone calls, inject content into existing conversations, change caller IDs, and access sensitive information-all without the awareness of the VoIP users making the phone calls.

Hacking VoIP ( No Starch Press, October 2008, 232 pp, ISBN 9781593271633 ) approaches VoIP security from two angles, explaining VoIP’s many security holes to both hackers and administrators. The book raises awareness of the importance of VoIP security, describes potential attacks, explains VoIP’s biggest weaknesses, and offers solutions for protecting against potential exposure and attacks. Readers learn how to defend against VoIP attacks as they explore issues with VoIP security and the boundaries of VoIP protocols.

“VoIP is fun, but it’s remarkably easy to attack,” said No Starch Press founder Bill Pollock. “People think that when they pick up the telephone they’re on a secure line, but not when that call is being made over VoIP. Hacking VoIP demonstrates just how easy it is to attack VoIP, and how best to plug those security holes.”

Hacking VoIP explains every aspect of VoIP security, discusses popular security assessment tools, and explores the inherent vulnerabilities of common hardware and software packages. Readers learn how to:

Identify and defend against VoIP security attacks such as eavesdropping, audio injection, caller ID spoofing, and VoIP phishing
Audit VoIP network security and assess the security of enterprise-level VoIP networks such as Cisco, Avaya, and Asterisk and home implementations like Yahoo! and Vonage
Use VoIP protocols like H.323, SIP, RTP, and IAX
Locate potential vulnerabilities in any VoIP network
Use both existing and newly released VoIP security tools
Whether setting up and defending VoIP networks against attacks or just having sick fun testing the limits of VoIP security, Hacking VoIP is every user’s go-to source for VoIP security and defense.

For more information
visit www.nostarch.com