
Archive for the ‘security’ Category

Rapid7 partnership

September 5th, 2010

We’re excited to announce that Bonsai Information Security has partnered with Rapid7! This partnership will allow our company to expand its market in North America by leveraging Rapid7’s impressive growth over the last few years.

This partnership was possible because of our constant search for excellence, our customer-need-driven approach to consulting and our service quality. More deals like this, and Bonsai will soon be renamed Oak!

andres.riancho bonsai, security

Twitter Open Redirection Vulnerability

August 3rd, 2010

Recently we found an Open Redirection vulnerability in Twitter. To understand a little more about this, we can cite OWASP’s definition:

“An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.”

The following Proof of Concept was sent to the Twitter security team:

https://twitter.com/login?redirect_after_login=http://www.bonsai-sec.com

After a successful login, the affected user is redirected to http://www.bonsai-sec.com without any warning, allowing possible phishing attacks.

This vulnerability was patched by the Twitter security team last week (after we reported it and got almost no answer from them).

Detailed information can be found at: http://www.bonsai-sec.com/en/research/vulnerabilities/twitter-open-redirect-0108.php
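As an added example (not from the original post and not Twitter’s code), this is the server-side check that closes this class of bug: a post-login redirect parameter is accepted only when it stays on the site’s own origin, and anything else falls back to a default page. SITE_ORIGIN and the function name are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Origin of the login page; assumed for this example.
SITE_ORIGIN = "https://twitter.com"

def safe_redirect_target(param, default="/"):
    """Return where to send the user after login.

    The redirect parameter is accepted only if it stays on SITE_ORIGIN; any
    other scheme or host (the open-redirect case) falls back to `default`.
    Same-origin absolute URLs are rewritten to a relative path so the
    response never echoes a caller-supplied host at all.
    """
    if not param:
        return default
    # Browsers treat "/\evil.com" like "//evil.com"; normalise before parsing.
    candidate = param.replace("\\", "/")
    parts = urlsplit(candidate)
    origin = urlsplit(SITE_ORIGIN)
    if parts.scheme or parts.netloc:
        # Absolute (http://..., javascript:...) or protocol-relative (//host):
        # allowed only when scheme and host match our own origin exactly.
        if (parts.scheme.lower(), parts.netloc.lower()) != (origin.scheme, origin.netloc):
            return default
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    # No scheme and no host: must be a single-slash, site-relative path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate

if __name__ == "__main__":
    for value in ("http://www.bonsai-sec.com", "//www.bonsai-sec.com",
                  "/\\www.bonsai-sec.com", "https://twitter.com/home", "/settings"):
        print(f"{value!r:32} -> {safe_redirect_target(value)!r}")
```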

nahuel bonsai, security

OWASP Day @ FIUBA Argentina

July 22nd, 2010

On June 30, 2010, OWASP Day took place at the Paseo Colón campus of the Facultad de Ingeniería, Universidad de Buenos Aires. Talks were given on Web Application Security and other aspects of Information Security.

Bonsai Information Security took part as a Sponsor and presented Nahuel Grisolía, Bonsai’s Project Leader, as speaker in one of the talks.

More information about OWASP Day here.

Below are the slides that were used at the event:

nahuel bonsai, conferences, security

Using grep to find 0days

April 26th, 2010

If you think that vulnerability research is only for computer geeks or hackers, you are wrong! Simple but effective “grep dorks” are enough to discover dirty pieces of code in, for example, PHP open source software.

Let’s focus on Cacti and use it as our case study, since we recently found its latest vulnerabilities using this technique. The following steps were taken to identify and exploit the latest Cacti OS Commanding vulnerability found by our research team:

  1. Download Cacti 0.8.7e
  2. Uncompress Cacti
  3. Under Cacti’s directory, find Operating System function calls such as “system”, “exec”, “shell_exec” or “popen”:
     $ grep -i -r "shell_exec(" *

Using grep as a security tool to find 0days

  4. The above command should return some scripts that use the shell_exec PHP function.
  5. Edit one of those, for example “lib/ping.php”, and take a deeper look at it, near the OS call.
  6. The function “ping_icmp” in the “Net_Ping” class is using shell_exec without sanitizing the host parameter. Uhmm… interesting!
  7. Let’s see where ping_icmp is being called and find out whether we can manipulate the hostname parameter in order to do our injection.
  8. Note that in lib/ping.php, line 634, ping_icmp is being used inside the “ping” function.
  9. Let’s search where Net_Ping is being used and where the ping function is being called, and have a real look at the host parameter:
     $ grep -i -r "net_ping" *
  10. Ok! The host.php script is using the Net_Ping class, let’s have a deeper look again…
  11. Line 625 in host.php: note that the hostname is being used as a parameter, again without sanitizing it.
  12. So, if inside the application you create a device (or host) with the FQDN (without single quotes) ‘NotARealIPAddress;CMD;’, save it, and then reload any data query, CMD will be executed with web server rights. More information on this can be found in OS Commanding Injection in Cacti.
  13. Eureka! 0day vulnerability found!

This is just an example of how some vulnerabilities might be identified and exploited using simple but effective techniques in real world applications.
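As an added example (not from the post and not Cacti’s code), the grep step above carried one step further: a small Python triage script that finds the same OS-command sinks across PHP source and separates calls that receive a raw variable from calls whose variables pass through escapeshellarg(). The PHP in SAMPLE_PHP is constructed for the illustration and only mirrors the pattern the post describes.

```python
import re
# Constructed PHP sample that mirrors the pattern the post describes (an OS
# command sink fed an unescaped variable). It is NOT Cacti's real code.
SAMPLE_PHP = """<?php
class Net_Ping_Demo {
    function ping_icmp($host) {
        $out = shell_exec("ping -c 1 " . $host);   // variable reaches the shell as-is
        return $out;
    }
    function ping_safe($host) {
        $out = shell_exec("ping -c 1 " . escapeshellarg($host));
        return $out;
    }
    function version() {
        return exec('uname -r');   // fixed command, no user data
    }
}
"""

SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
VAR_RE = re.compile(r"\$\w+")
ESCAPED_RE = re.compile(r"escapeshell(?:arg|cmd)\s*\([^()]*\)")

def classify_sink_calls(php_source):
    """Return (line_no, sink, verdict) for every OS-command sink call found.
    'literal': no PHP variable in the arguments; 'escaped': every variable is
    wrapped in escapeshellarg()/escapeshellcmd(); 'tainted': a variable reaches
    the sink unescaped (review these first). Single-line heuristic: multi-line
    calls and nested escaping like escapeshellarg(trim($h)) count as tainted.
    """
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = SINK_RE.search(line)
        if not m:
            continue
        args = line[m.end():]          # everything after the opening parenthesis
        if not VAR_RE.search(args):
            verdict = "literal"
        elif VAR_RE.search(ESCAPED_RE.sub("", args)):
            verdict = "tainted"        # a variable survives outside escapeshell*()
        else:
            verdict = "escaped"
        findings.append((no, m.group(1), verdict))
    return findings

if __name__ == "__main__":
    for no, sink, verdict in classify_sink_calls(SAMPLE_PHP):
        print(f"line {no:3}: {sink:<10} {verdict}")
```

Point it at a whole tree (for example by reading each .php file and feeding it to classify_sink_calls) and sort on the “tainted” verdict to get the same shortlist the grep gives, minus the calls that are already escaped.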

You can also find other techniques to identify Web Application vulnerabilities, such as using Google’s code search. Have a look at this article and this blog post too.

nahuel open source, security

w3af wins “Segurinfo 2009” award

March 20th, 2010

In the context of the 7th International Congress of Information Security, Andrés Riancho received the Segurinfo award for his efforts in the development of w3af, an Open Source tool for identifying Web application vulnerabilities. We would like to congratulate him and the rest of the project contributors on this well deserved award!

In the context of the 7th International Information Security Congress, Andrés Riancho received the Segurinfo 2009 award for his efforts in the development of the Open Source Web vulnerability detection software w3af. We want to congratulate him and the rest of the project’s developers on a very well deserved award.

admin conferences, security, w3af