Monthly Archives: December 2010

Facebook Redirect Link – New Bypass Method – “:/” after the domain name

Facebook routes every click on an external link through “facebook.com/l.php?u=THE_External_URL”; as a result:
1- Your current page is not sent in the “Referer” HTTP header, which is good for privacy.
2- Malicious or unwanted links can be blocked at a single point (the “l.php” page).

Now, I want to show a flaw in this process: by clicking on an external URL in Facebook, users can go directly to the destination URL without passing through the “facebook.com/l.php” page:

Add a “:/” at the end of the domain name! That’s it!
PoC:
Put these links in the comment section of your Facebook page and click on them to see the result (if you know how to work with a local proxy tool such as Burp Suite, you can also post a link with “:/” in the URL directly on your wall [not just in the comment section] to exploit this flaw):
     – https://fp.auburn.edu:/oit/show_server_variables.asp
     – http://soroush.secproject.com:80:/

Now, do not click on links which have “:/” after the domain name, with or without a port number! (18 Dec. 2010)

NOTE: This issue was reported to Facebook at least twice, more than a month ago, without any response.
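The post does not say why a trailing “:/” lets a link through unwrapped. As an added example (my own code, not Facebook's), here is a fail-closed way to decide whether a user-supplied URL may be rendered as a link at all: the authority is canonicalised first, and any URL with an empty or malformed port is rendered as plain text instead of an href. The WRAPPER prefix and the function names are assumptions modelled on the “facebook.com/l.php?u=” form above; the idea that the bypass comes from an empty port being parsed differently by the link checker and by the browser is also my assumption, not something the post states.

```python
"""Fail-closed URL canonicalisation before a link is sent through a redirect wrapper.

Added example, not Facebook's code. Assumption: the wrapper is skipped because an
empty port ("host:") is parsed differently by the link checker and the browser.
"""
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Hypothetical wrapper endpoint, modelled on the "facebook.com/l.php?u=" form in the post.
WRAPPER = "https://facebook.com/l.php?u="
DEFAULT_PORT = {"http": 80, "https": 443}
PORT_RE = re.compile(r"^[0-9]{1,5}$")


def canonical_url(url):
    """Return a canonical form of url, or None when the authority is not well-formed.

    An empty port ("host:") or a malformed one ("host:80:") is refused rather than
    guessed at, so two parsers cannot disagree about which host the link points to.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORT:
        return None
    host, sep, port = parts.netloc.partition(":")
    if not host or "@" in host or "[" in host:
        return None  # no host, userinfo or IPv6 literal: out of scope here, fail closed
    if sep:
        if not PORT_RE.match(port) or int(port) > 65535:
            return None
        if int(port) == DEFAULT_PORT[parts.scheme]:
            sep = ""  # drop an explicit default port
    netloc = host.lower() + (":" + port if sep else "")
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))


def render_link(url):
    """Decide how a user-supplied URL is rendered: ("link", wrapped_href) or ("text", raw)."""
    canon = canonical_url(url)
    if canon is None:
        return ("text", url)  # never emit an href the checker could not parse
    return ("link", WRAPPER + quote(canon, safe=""))


if __name__ == "__main__":
    for sample in ("https://fp.auburn.edu:/oit/show_server_variables.asp",
                   "http://soroush.secproject.com:80:/",
                   "https://example.com/page"):
        print(sample, "->", render_link(sample))
```

Both PoC links from the post come back as plain text, because “fp.auburn.edu:” has an empty port and “soroush.secproject.com:80:” has a port that is not a number; a well-formed link is lower-cased, stripped of its default port and only then wrapped.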

JSReg Bypasses – OLD

Sorry for the delay; I am/was too busy. Some of my friends asked me to write about bypassing JSReg in Hackvertor.com, based on a challenge posted on the sla.ckers.org forum by Gareth Heyes.

However, Gareth Heyes has already written great things about it, so I can just refer you to his pages (instead of writing it again):

http://www.thespanner.co.uk/2010/10/31/jsreg-bypasses/
http://rgaucher.info/planet/The_Spanner/2010/11/07/Soroush_Dalili_breaks_JSReg_again

Gareth is writing these functions alone, so if you have any great ideas please let him know. He is a nice and clever guy, so do not miss your chance to have a great friend!

Again, thanks Gareth.

A Dotty Salty Directory: A Secret Place in NTFS for Secret Files!

I was playing with “::$Index_allocation” and “:$I30:$Index_Allocation” on an NTFS partition to make a directory whose name ends with some dot characters (“.”) or consists only of dots!

The result was a bit interesting and scary! I found a secret place where important data, as well as malware, can be hidden! I want to share it with you, as some malware writers might already know about it. It is actually another weird Microsoft feature!

In order to create a dotty directory and monitor its behavior, follow me:
1- Open the Windows Command Line (cmd.exe).
2- Go to a test directory.
3.0- Now, insert the following commands and hit Enter:
          md ..::$index_allocation –> (Tested in Win XP)
          md …::$index_allocation
          md ….::$index_allocation
          md irsdl
          md irsdl.::$index_allocation
          md irsdl..::$index_allocation
3.1- You can use “echo test > ” instead of “MD” if you have any problems.
4- Now get a directory listing of the folder you are currently in (by using “Dir”).
5- To open each of these directories, use “CD DirName::$Index_Allocation”:
          cd …::$index_allocation
6- You can create some files inside these directories as well.
7- Now use Windows Explorer to see these directories.

The result in Windows XP:
– The double-dot (“..”) directory is hidden and you cannot see it.
– In Windows Explorer, directories with a single dot at the end show the files inside the directory with the same name but without the dot. For example, “irsdl.” shows the content of “irsdl”. Directories with a double dot at the end show the files inside the directory with the same name but with a single dot. For example, “irsdl..” shows the content of “irsdl.”. And so on.
– In Windows Explorer, if you modify a directory with some dots at the end, the modification is applied to the directory with one dot fewer than the one you modified. Therefore, if you delete “irsdl.”, the “irsdl” folder is deleted instead!
– It is not possible to delete these directories with Windows Explorer (use “del DirName::$Index_Allocation\*.* & RD DirName::$Index_Allocation” instead).

In Windows 7:
– It is very similar to Windows XP. However, if you click on the directories in Windows Explorer, it may show you the content of one specific directory for all the dotty ones.
– It is also not possible to create a folder with only double dots (“..”).
– The directories which contain only dots, such as “…”, show the content of their root directory, although that is not their real content!

Result:
Dotty directories are very good places to hide files and data! They are not easy to detect and not easy to delete! As malware can use the same technique to hide itself inside an NTFS partition, we should be very careful about it.

Notes:
Note 0: I might have missed some other interesting points. Please let me know if you find one.
Note 1: Some of these directories might be accessible through IIS.
Note 2: I experienced a Windows Explorer crash in Win 7 while playing with these directories.
Note 3: Norton Internet Security 2011 on Win 7 could find and delete the EICAR test file inside these folders. Other files have not been tested.
Note 4: Windows XP ran Check Disk after a restart.
Note 5: You can do the same to create a file by using “echo > …::$Data”, and delete it with “del *.*”.
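As an added example that is not part of the original post, the following Python script parses a “dir” listing like the one produced in step 4 and flags every entry whose name normal Win32 path handling would rewrite (a trailing dot or space, or a name made only of dots; Win32 path normalisation strips trailing dots and spaces, which is why Explorer opens “irsdl” when asked for “irsdl.”). For directories it emits the removal one-liner quoted in the results above; it covers the dotty files from Note 5 as well. The listing is constructed to mimic cmd.exe's English layout and uses the names from the steps above; it is not a real capture, and the regex assumes that layout.

```python
"""Flag directory entries whose names Win32 normalisation would hide (added example)."""
import re

# Constructed sample of the `dir` listing from step 4 above; it mimics cmd.exe's
# English layout (date, time, <DIR> or size, name) but is not a real capture.
SAMPLE_DIR_OUTPUT = """\
 Directory of C:\\test

18/12/2010  10:15    <DIR>          .
18/12/2010  10:15    <DIR>          ..
18/12/2010  10:15    <DIR>          ...
18/12/2010  10:15    <DIR>          ....
18/12/2010  10:15    <DIR>          irsdl
18/12/2010  10:15    <DIR>          irsdl.
18/12/2010  10:15    <DIR>          irsdl..
18/12/2010  10:15                 0 notes.txt
18/12/2010  10:15                 0 secret.txt.
"""

# date, time, "<DIR>" or a byte count, then the name (which may end in dots or spaces)
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(<DIR>|[\d,]+)\s+(.+)$")


def parse_dir_listing(text):
    """Return [(kind, name)] for every file/directory line in a `dir` listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.lstrip())  # lstrip only: a trailing space may be part of the name
        if m:
            kind = "dir" if m.group(3) == "<DIR>" else "file"
            entries.append((kind, m.group(4)))
    return entries


def is_dotty(name):
    """True for names ordinary Win32 calls cannot address: trailing dot or space,
    or only dots. The usual "." and ".." entries of a listing are not suspicious."""
    return name not in (".", "..") and name.endswith((".", " "))


def find_dotty(entries):
    """Filter a parsed listing down to the suspicious entries, in listing order."""
    return [(kind, name) for kind, name in entries if is_dotty(name)]


def removal_command(kind, name):
    """The cmd.exe one-liner from the post for a dotty directory. For a dotty file the
    post uses "del *.*" from inside the containing directory, so None is returned."""
    if kind != "dir":
        return None
    stream = name + "::$Index_Allocation"
    return "del " + stream + "\\*.* & rd " + stream


if __name__ == "__main__":
    for kind, name in find_dotty(parse_dir_listing(SAMPLE_DIR_OUTPUT)):
        print(kind, repr(name), removal_command(kind, name))
```

On the sample listing the script reports “...”, “....”, “irsdl.”, “irsdl..” and “secret.txt.” and leaves “irsdl”, “notes.txt” and the ordinary “.”/“..” entries alone.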

Skype Privacy Concern: It sends detected numbers + URLs to its server!

The default Skype installation adds a Skype add-on (plug-in) to your browsers. After that, when you browse a page, most of the telephone numbers on it are detected.

For example, look at this number if you currently have Skype installed on your computer: 0044-7987654321

Now the problem is: Skype always sends all of these detected numbers to one of its servers, “pnrws.skype.com”. Worse, the page URL is sent as well, in the “Referer” header of the request. As a result, the Skype server can log all of this information together with the user’s IP address, to track a user or identify a person. And the question is: why does Skype need this information?

For a proof of concept, I will put a phone number on a Facebook page and monitor the HTTP requests using Fiddler. The result is shown in the following images (if you cannot see the images, your ISP has been blocked by GoDaddy):

Facebook page:

In Fiddler:

As you can see, my Facebook URL and the phone number are sent to the Skype server.

However, I think the number detection of the Skype add-on does not send more sensitive information such as credit card numbers!

Now, if you are a bit concerned about your privacy, just disable the Skype add-ons (plug-ins) in your browsers.

Please let us know if you know how Skype uses this information and why it needs it.

How Secunia PSI puts privacy in danger

“The Secunia PSI software is a free security tool designed to detect vulnerable and out-dated programs.” Although this application is very useful for securing a computer by keeping it up to date, unfortunately it puts the user’s or company’s privacy in danger. According to the latest post at the following URL, users’ information “is never passed on with personally identifiable information (such as the usernames in path names)”:

http://secunia.com/community/forum/thread/show/4951/secunia_psi_how_to_delete_information

I want to prove that Secunia PSI actually passes the following information, which can be treated as confidential data for a company or cause privacy issues for a real person:

1- Domain Name or Workgroup Name (“langgourp”)

2- Computer Name (“hostname”)

3- Username (as there are special folders under the “Application Data” directory, such as the Mozilla Firefox “extensions” folder, whose paths Secunia PSI lists)

4- A list of directories on the hard disk which contain files with extensions such as “exe”, “dll”, “ocx”, and so on. Some of these directory names can contain important information such as personal names, project names, company names, and so on.

My proof is very simple and you can do it yourself. As Secunia PSI talks to its server over HTTP(S) like a web application, all of its messages can be monitored with the Fiddler HTTP debugging proxy, which is completely free: http://www.fiddler2.com/Fiddler2/version.asp

Now follow these steps:

– Scan the computer once using Secunia PSI (if it is the first time)

– Close the Secunia PSI application completely from Task Manager

– Open Fiddler, go to “Tools” > “Fiddler Options” > “HTTPS”, select the “Decrypt HTTPS traffic” option and click “OK”

– Now, open the Secunia PSI application again

– Monitor its behaviour using Fiddler. If nothing shows up in Fiddler, click the “Start Scan” button in Secunia PSI to scan your computer.

– Now, look at the responses from the Secunia server. As you can see, there is information about your computer in the responses, which means the Secunia server has stored it in its database.

For example, look at the following images (if you cannot see the images, your ISP has been blocked by GoDaddy):
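The same check applies to the Skype add-on traffic in the previous post and to the PSI traffic captured here: once the requests are exported from the proxy as raw HTTP, a script can tell you which host received a Referer, a phone number, or one of your machine’s identifiers. The following Python is an added example (my own code, not Skype’s or Secunia’s) run over two constructed captures. Only the host name “pnrws.skype.com” and the field name “langgourp” come from the posts; the paths, the query and body parameter names, the placeholder PSI server name and the local identifiers are assumptions.

```python
"""Scan captured HTTP requests for data that should not leave the machine (added example)."""
import re
from urllib.parse import unquote_plus

# Loose phone-number pattern: a digit, 7+ digits/dashes/spaces, a digit (e.g. 0044-7987654321).
PHONE_RE = re.compile(r"(?<![\w-])\+?\d[\d\- ]{7,}\d(?![\w-])")

# Constructed captures in the raw HTTP/1.1 form a debugging proxy shows. Only the host
# "pnrws.skype.com" and the field name "langgourp" come from the posts; the paths, the
# query/body parameter names and the PSI server name are placeholders.
SKYPE_REQUEST = (
    "GET /lookup?number=0044-7987654321 HTTP/1.1\r\n"
    "Host: pnrws.skype.com\r\n"
    "Referer: https://www.facebook.com/PAGE-PLACEHOLDER\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
PSI_REQUEST = (
    "POST /scan HTTP/1.1\r\n"
    "Host: psi-server.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "hostname=WKS-123&langgourp=CORP"
    "&path=C%3A%5CDocuments+and+Settings%5Calice%5CApplication+Data%5CMozilla%5CFirefox%5Cextensions"
)

# Identifiers of the (constructed) local machine that must not appear in outbound traffic.
LOCAL_IDENTIFIERS = {"hostname": "WKS-123", "domain": "CORP", "username": "alice"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into request target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body


def find_leaks(raw, identifiers):
    """Return (host, [(kind, value), ...]) for one captured request."""
    target, headers, body = parse_request(raw)
    findings = []
    if "referer" in headers:  # the page you were on, handed to a third party
        findings.append(("referer", headers["referer"]))
    # search the target and the body both as sent and URL-decoded (paths arrive encoded)
    haystack = target + "\n" + body + "\n" + unquote_plus(body)
    for number in PHONE_RE.findall(haystack):
        findings.append(("phone", number))
    for kind, value in identifiers.items():
        if value.lower() in haystack.lower():
            findings.append((kind, value))
    return headers.get("host", "?"), findings


def report(captures, identifiers):
    """Map each destination host to everything sensitive it received."""
    result = {}
    for raw in captures:
        host, findings = find_leaks(raw, identifiers)
        result.setdefault(host, []).extend(findings)
    return result


if __name__ == "__main__":
    for host, findings in report([SKYPE_REQUEST, PSI_REQUEST], LOCAL_IDENTIFIERS).items():
        print(host)
        for kind, value in findings:
            print("   ", kind, "->", value)
```

For the two constructed captures the report attributes the Referer and the phone number to pnrws.skype.com, and the computer name, workgroup name and the username from the profile path to the PSI placeholder host; feeding it a real export from the proxy is a matter of replacing the two constants.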

Now, my recommendation for Secunia is to use a local database on each computer to keep the location of files and folders private. The only things that should be passed to the server are the user ID, the signature (hash) of the application, and a file or application ID which can be linked to the local database to find the exact place of those files and/or folders on the local computer. Moreover, I cannot understand why it needs to send the Domain/Workgroup name and the computer name to its server (maybe it is used for copyright!).

My suggestion to users: currently (1 Dec. 2010), using Secunia PSI is a nightmare for people who want to be anonymous and for companies which want to keep all of their information private, and this application should be removed. Ask Secunia to fix this issue.

Hope to see a better Secunia PSI soon.