Digital Security Research Group: Publications

Whitepaper "Python arsenal for Reverse Engineering" version 1.1

Digital Security Research Group

Python programming language has become a language of hackers. And it is not surprising, because it has all the necessary qualities: − Free − Portable − Powerful − Mixable − Easy to learn etc. A great role in this were played by such projects as IDA Pro, WinDBG, OllyDebug, gdb, which, being a de-facto standard among disassemblers and debuggers, eventually began to support the scripting engines in Python. Of course, they had maintained their own API for plug-in developing, and it was not a small number of them, but exactly with the appearance of the Python support they received a strong push in the development: increased the number of plug-in, increased community, and of course their flexibility also increased, which allowed them to interact both with each other and with other applications, using the best aspects of each other. But in the beginning of the path there was naturally only hacker spirit and idea.
Python arsenal for RE 1.1.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Whitepaper "Architecture and program vulnerabilities in SAP�s J2EE engine" from BlackHat USA 2011

Digital Security Research Group

Today, SAP NetWeaver is the most widespread platform for developing enterprise business applications. This talk will focus on one of the black holes called SAP J2EE engine. Some of the critical SAP products like SAP Portal, SAP Mobile, SAP XI and many other applications lay on J2EE engine which is apart from ABAP engine is less discussed but also critical. We will explain the architecture of SAP’s J2EE engine and give a complete tour into its internals. Thereafter, we will show a number of previously unknown architecture and program vulnerabilities from auth bypasses, smbrelays, internal scans, xml/soap attacks to insecure encryption algorithms and cross-system vulnerabilities in J2EE platform. Finally a chained attack which use multiple logic vulnerabilities and gives full control on SAP’s J2EE Engine will be demoed. A free tool will also be presented to automatically scan custom applications against this attack.“
A crushing blow at the heart SAP J2EE engine_whitepaper.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Whitepaper "Python arsenal for Reverse Engineering" version 1.0

Digital Security Research Group

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Presentation "DNS for EVIL" from CONFidence Krakov 2011

Digital Security Research Group

Talk about DNS reverse tunnel that author uses for penetration tests. Finally was published own reverse DNS shellcode and payload that was written special for pen-test tasks. This work also demonstrates how malware C&C and BOT can work together. The main idea of this work that it’s necessary to pay more attention to the DNS traffic.
dns_shl[1].pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Presentation "Forgotten World: Corporate Business Application Systems" from BlackHat DC 2011

Digital Security Research Group

Agenda: ‛Do you know where all the critical company data is stored? Do you know how easily you can be attacked by cybercriminals targeting this data? How can an attacker sabotage or commit espionage against your company having access just to one system? This paper will describe some basic and advanced threats and attacks on Enterprise Business Applications – the core of many companies.“ The talk will be about enterprise business applications, the way attackers can gain access to critical business data, steal money or disable technological corporate network like SCADA, using vulnerabilities and misconfigurations in the architecture of business applications. We will show the examples of various business applications including custom ones as well as the more popular ones, like SAP and JD Edwards and previously unknown vulnerabilities and attack methods that can be exploited not just for popping a shell, but to gain unauthorized access to business-critical data. These attack methods can also be useful in penetration tests against ERP systems. Many problems that will be shown cannot be easily patched because they are design flaws or business logic problems requiring re-design of a system. <a href="http://www.dsecrg.com/files/pub/pdf/Forgotten%20World.%20Corporate%20Business%20Application%20Systems-Whitepaper.pdf">Whitepaper can be downloaded here</a>
Forgotten World - Corporate Business Application Systems (Polyakov,Smith at BlackHat DC).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"Attacking SAP Users with Sapsploit Extended 1.1" from DEEPSEC Vienna 2010

Digital Security Research Group

Alexander talk was about the possible ways of getting unauthorized access to corporate SAP servers through the SAP Frontend vulnerabilities and misconfigurations with new examples of attacks. This presentation covers some new possibilities of gaining cleartext passwords from user workstations. Also first sttistics from <a href="http://erpscan.com">ERPSCAN Online</a>) was presented at the conference. Only 30% of users use patched SAPGUI applications.
DSECRG SAP SECURITY - Attacking SAP users with sapsploit eXtended 1.1 (DEEPSEC).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"Attacking SAP Users with Sapsploit Extended" from HITB Kuala-Lumpur 2010

Digital Security Research Group

Alexander talk was about the possible ways of getting unauthorized access to corporate SAP servers through the SAP Frontend vulnerabilities and misconfigurations with new examples of attacks. He also demonstrated that the scenario which was done by Stuxnet for SCADA systems was applicable for ERP systems for example in SAP and it is possible to make a worm which wiould steal business critical data. The new free online service (<a href="http://erpscan.com">ERPSCAN Online</a>) was presented at the conference, it is meant for assessing SAP Frontend security and user awareness and decreasing the possibility of SAP Stuxnet scenario.
Alexander Polyakov - Attacking SAP Users with sapsploit Extended.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"Russian Bank-Client Systems under Attack" form InfoBez-Expo Russia

Digital Security Research Group

Russian Bank-Client Systems under Attack.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"Evolution of Penetration Testing" from InfoBez-Expo 2010 Russia

Digital Security Research Group

Evolution of Penetration Testing_eng_edited.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"ERP Security. Myths, Problems, Solutions" from Source Barcelona 2010

Digital Security Research Group

In the first part of this talk we cover the common myths on the ERP security, like ERP security is a vendor's problem, ERP is in the internal network and cannot be hacked from outside, ERP's are very complex and specific and hackers can't beat us, and of course - ERP is only about SOD, and dispel them. Then the talk will be about the problems of the ERP Security in common. As it is divided into different levels like Network, OS, Database, Application and Client sides we will cover all these areas. Finally, the first version of annual statistics – Business Application Vulnerability Statistics 2009, methodologies to assess ERP Systems and the ERPSCAN Online new service for checking security of SAP Frontend will be presented.
ERP Security. Myths, Problems, Solutions.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"Some notes on SAP security" from Troopers 2010

Digital Security Research Group

In this slides were presented some old and not published attacks on SAP.
Troopers10 - Some notes on SAP Security.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"Attacking SAP Users with Sapsploit" from HITB Amsterdam 2010

Digital Security Research Group

HITB - Attacking SAP Users with Sapsploit.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"JIT-Spray Attacks and Advanced Shellcode" from HITB Amsterdam 2010

Digital Security Research Group

HITB - JIT-Spray Attacks and Advanced Shellcode.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

"You can�t stop us: latest trends on exploit techniques" at CONFidence 2010

Digital Security Research Group

Confidence2010 ROP and JIT-Spray.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Penetration: from Application down to OS.Getting OS Access Using Lotus Domino Application Server Vulnerabilities

Digital Security Research Group

This time we will talk about Lotus Domino – a very popular application that provides enterprise-grade e-mail, collaboration capabilities. This system stores a huge amount of critical corporate data and represents a good target for a potential attacker. Also people must be aware of that this system is usually available from the Internet and can be hacked to get access to the operation system of the server in DMZ and then to the internal servers of corporate environment and in this paper we will show how to do this.
Penetration_from_application_down_to_OS_(Lotus_Domino).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Writing JIT-Spray Shellcode for fun and profit

Digital Security Research Group

Attacks on clients’ browsers have always been the real threat for everyone. And here vulnerabilities have been not only in the browser but also in plug-ins. Bank-clients, business software, antivirus software – all of them use ActiveX (for IE) for clients and here have been and are still many vulnerabilities. Vendors make steps to defend us from it. Software vendors patch vulnerabilities and OS vendors use new mechanisms to prevent attacks at all. But security researchers are trying to find way to bypass these mechanisms. The new versions of browsers (Internet Explorer 8 and FireFox 3.5) use permanent DEP. And the new versions of OS use the ASLR mechanism. All this makes the old methods of attacks impossible. But on BlackHat DC 2010 the interesting way to bypass DEP and ASLR in browsers (not only) and Just-In-Time compilers was presented. This method is called JIT-SPRAY. But here was no one public PoC untill now.
Writing JIT-Spray Shellcode for fun and profit.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Penetration: from application down to OS. Getting OS access using Apache Geromino Application Server vulnerabilities

Digital Security Research Group

This article describes the ways of obtaining access to the server operating system through vulnerabilities in Apache Geromino application server.
Penetration_from_application_down_to_OS_(Apache Geromino).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

SAP Security: attacking SAP clients

Digital Security Research Group

Business application security is one of the most important tasks in a complex information security process. Nowadays SAP platform is the most widespread platform for managing enterprise systems and store the most critical data. None the less people still don’t attend much to a technical side of SAP security. There are some well-known problems about access control, SoD matrix and probably SAP router security. But there are also many problems on all levels of SAP system such as: network level, operation system level, database level, application level and presentation level i.e. SAP clients. As for SAP server security there you can get some information from Cybsec presentations on BlackHat 2007 and Blackhat 2009 where you can see how insecure SAP servers and RFC protocol. But there is still so few information about SAP client security which can be the weak point in your company even if it has secure SAP server environment.
SAP_Security_-_attacking_SAP_clients.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Presentation "Oracle security problems:latest trends" (ruscrypto 2009)

Digital Security Research Group

Subjects described in this paper: * Oracle security in common from guessing a SID to penetrating into OS and subverting additional security mechanisms. * Vulnerabilities of database vault * Vulnerabilities of Oracle Applications * New exploitation methods and automation of exploitation with help of metasploit.
Oracle_security_latest_trends_ruscrypto_2009_ru.pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Penetration: from application down to OS. Getting OS access using Oracle Database unprivileged user

Digital Security Research Group

Once upon a time during a penetration test of corporate network I got a unprivileged account on Oracle Database and my plan was to get administrative shell on server where its database was installed. Server was running Windows 2003 server operation system and Oracle database was running with Administrator privileges (not LOCAL_SYSTEM) account. It is a quite common situation, though. Default way is to escalate privileges on database using one of the latest SQL Injection vulnerabilities and then using DBA privileges to gain access to OS using one of the popular methods such as ExtProc, Java, extjob etc. So it seems to be quite simple and I thought about other ways. What if database is patched with latest CPU updates and additionally it has some kind of Intrusion Detection System which can find 0-day vulnerabilities or something like this and it is impossible to escalate privileges using SQL Injections? Of course, there are some methods of escalating privileges without exploits. For example: find clear-text passwords in the database or connect to listener internally and rewrite log file or escalate privileges using some dangerous roles such as ‘SELECT ANY DICTIONARY’, ‘CREATE ANY TRIGGER’ or something like this. But this methods can’t give you 100% success. I guess there must be another way, maybe it's not all-applicable but better than the described one. In short, this paper describes investigations to get administrative shell on server having unprivileged rights on Oracle Database.
Penetration_from_application_down_to_OS_(Oracle database).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Penetration: from application down to OS. Getting OS access using IBM Websphere Application Server vulnerabilities

Digital Security Research Group

In this article describes ways of obtaining access to the server operating system through vulnerabilities in IBM Websphere application server.
Penetration_from_application_down_to_OS_(IBM_Websphere).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Whitepaper "Different ways to guess Oracle database SID"

Digital Security Research Group

Nowadays there is a lot of public information about Oracle security and different vulnerabilities that hacker can use to get access to the database. Many of these steps are good explained in public resources and in my paper "Oracle database security". Default user accounts are a big known problem, there are many information about it. As for vulnerabilities, there are only 10 percent of DBA’s regularly installing Critical Patch Updates. Access to OS files and shell can be obtained using many different techniques such as Extproc, Java, DBMS_JOB, UTL_FILE, DBMS_LOB and others. As for rootkits and cleaning-audit data, in this field hackers are one step behind DBA’s. In this information about Oracle security there is one part that is not very good explained as the others. I'm talking about getting Oracle SID. Without knowing Oracle database, SID attacker cannot get access to the database even if he knows username and password. With Oracle 10g getting database SID is not so trivial as before. That’s why I've decided to research this area and write this document as a result of my researching. In this whitepaper I've collected all the ways to get the database SID and add some new techniques.
Different_ways_to_guess_Oracle_database_SID_(eng).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary

Article "Uploaded images filter evasion for carrying out XSS attacks"

Digital Security Research Group

As it is known, users can upload images on a Web-server which is provided by numerous Web-projects, such as all kinds of CMS (Bitrix, runCMS, Mambo), forums (PhpBB, vBulluten), mail services (mail.ru, yandex.ru), blogs and social networks (facebook.com, livejournal.com, vkontakte.ru, liveinternet.ru, myspace.com). Such sites are potentially vulnerable to XSS-attacks that can use the flaw in the features of the images handling mechanism in Internet Explorer. This feature is not new, but since it has not been corrected in Internet Explorer 7.0, we decided to make an article about this problem. This feature of the pictures processing and displaying is not new, and the ability to carry out an XSS-attack via picture has been known to hackers. Due to the fact that this feature was ignored in the new version of Internet Explorer 7.0, the issue can be discussed again with more features.
XSS_in_images_evasion_bypass_(eng).pdf

Digital Secruity Research Group — www.dsecrg.com
Rss: Vulnerabilities, Exploits, News, Publications, Summary