
Thread: Garage Meet September 2010

  1. #1
    InfoSec Consultant the_empty's Avatar
    Join Date
    Jul 2010
    Location
    the blue no-where
    Posts
    155
    Blog Entries
    2

    Garage Meet September 2010

    I was working on a late-night project last night, so I couldn't sleep till 8 in the morning, and as soon as I had made up my mind to sleep, a dumb guy from the office called me saying he had forgotten the keys and I was the only choice to go to the office and open the locked doors. So, as I couldn't sleep anymore, plus I don't need to stay at the office in the daytime either, I thought I would use this time to write up about the amazing September Garage meet.

    This meet was again an idea of 41.w4rr10r. He was in our town and wanted to meet me and FB1. We surely had no problem with that. So we planned to meet in the evening, after finishing our jobs, at some place near my and FB1's office. The hotel you can see in the pics is really awesome.

    The theme is an old-style Panjabi house. We chose to eat there and do the discussions. Apart from me, FB1 and warrior, silent_poison and Niranjan (not a member of Garage) also joined us out of curiosity.

    While eating we did our usual data transfer (mostly new movies, some study stuff, new work done, etc.). FB1 showed me how well he had exploited a JBoss vulnerability that we had discussed some days earlier. Just a simple overview of it:

    JBoss server version 3 does not set access authentication on the JMX-Console by default; it needs to be configured manually. The JMX-Console is used to manage all Java-code-related stuff for that particular site/server. The flaw is that the JBoss server is configured to keep checking for new WAR files to be deployed on the server. JBoss checks the given repositories for new WAR files. With unauthenticated access to the JMX-Console, we can add new repositories and put our own code there, which JBoss will deploy in its next deployment check cycle. The check cycle is generally 1 minute, and with the JMX-Console in hand we can change it if it is more than your patience allows.

    With this idea FB1 was able to upload a WAR file which, when deployed, would allow the attacker to execute system commands on the server. But there was a serious issue involved in this particular case. The server was not allowed to make OUTBOUND connections, and thus, though the simple shell was there, FB1 was not able to use it. I forgot how he overcame this issue and request him to RECALL the memories and let us know what he did.

    I can't disclose the details, but the SERVER he got his hands on was a really critical one. With that thing in hand, B0nd or Godwin Austin could have fulfilled their common dream. :P

    Like at all other meets, we again talked about how awesome the brains of An4rki, B0nd and Punter are and how lame ours are. Everyone here hopes to see FB1 in that queue very soon. We also talked about B0nd's "Boot to remote Root". He really has hacked not the systems but the brains of the network and system guys at his target. How would you stop a brain like this?

    By then we had eaten our food brutally. It simply vanishes when it is in front of us. If you think this was the end of the meet, then you are totally wrong; the really awesome hackerish discussion (and work) started when we left the hotel and came downstairs.

    There were several ATM machines nearby, and some of us just started talking about how the ATM network works and all. As I have worked on a project which included ATM-related things, I wanted to share the knowledge. I have worked on an application which was used by banks to manage disputes. A DISPUTE is nothing but a failed or wrong transaction. For example, you go to an ATM and ask for money; the amount gets deducted from your account but you never receive the CASH. When you take this issue to the bank, they call it a Dispute. What we wanted to know was how a bank figures out whether a dispute raised by a person is false or true, and also whether there could possibly be any flaw which can be exploited to earn a LITTLE extra money.

    Later on I grabbed some information from various sources, which is as below.

    First and most important, the bank notes the number of each and every currency note deposited in the ATM, and also their sequence. When a person fires a transaction, the things which are matched, apart from the regular information, are the time of the transaction in hours, minutes, seconds and microseconds. Currency note numbers are also mapped to that particular transaction.
    Also, an ATM machine has a different stack for disputed currency notes. Whenever a dispute occurs, these notes are transferred to the Dispute stack, so that they can later be matched with the disputes raised by the user.

    The entire dispute and charge-back/decline process is quite sound as a process, but there are some logical flaws in the Dispute Management Software used by some banks. I know this because I have tested one such application myself. Within it there were three types of users. One was the global admin, who was an employee of the service provider. Another was the bank admin, who was an employee of the concerned BANK. And a technical person, who was again an employee of the service provider.

    Now, whenever a dispute occurs, it is the duty of the technical person to check its authenticity and send it to the admin for charge-back. The admin, by business logic, was the person having the right to either raise the charge-back or decline the dispute. The flaw was that, as the application was available internally to domain users only, the developers never bothered to set an authorization check on the charge-back approval module. Thus a technical user can approve a charge-back even though he is not authorized to. As the organization wanted the application to be like this, it was not a technical but a logical flaw. I suppose the flaw still resides in the application to date, because the application is not certified yet. The only thing is that this entire web application is used internally only and requires domain authentication. So the severity of the flaw is less than it could have been.

    So, going back to the meet: as we were not pretty sure about this ATM stuff at that time, we decided to do some dumpster diving and grab some INTACT ATM slips. We got our hands on many slips and want to learn about the error message codes we saw on them.

    We were discussing all this stuff from around 9:30 pm to 12:00 am outside that hotel. And then we had to call off the meet with a promise that we would look into this ATM stuff seriously. I had the job of finding out about the dispute process, which I think I have done a little bit.

    This meet again taught us all how the hacker spirit helps you get through all the obstacles to achieve the goals you have dreamed of. Thanks to FB1H2S again for his great contribution. Thanks, Warrior, for calling the meet; thanks, Silent_poison and Niranjan, for joining and showing your gratitude towards Garage. And again thanks to Anarki, Bond, Punter and Neo for giving us all such a fine family to be part of.

    P.S.: The upcoming November meet will give you all a small blast of happiness to know how I was able to target a dispute system and grab some money. All those who want to know the experience and watch the show, join us. How and when: the details will be here very soon.
    Last edited by the_empty; 11-11-2010 at 05:21 PM.
    ACCESS is GOD
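The post above describes the JBoss 3.x JMX-Console being reachable without credentials and the deployment scanner picking up WAR files from whatever repository URLs it is told to watch. The script below is an added example, not code from the post or from FB1; it only checks whether a host exposes that console without authentication and whether the deployment scanner's MBean page (and its addURL operation) is listed, it does not deploy anything. It assumes the JBoss 3.x/4.x layout (console under /jmx-console/, HtmlAdaptor servlet) and the URLDeploymentScanner MBean name those releases register in jboss-service.xml; the host name is hypothetical.

```python
"""Probe a JBoss host for an unauthenticated JMX console (added example; not the post's code).

Assumptions: JBoss 3.x/4.x layout, console under /jmx-console/, MBeans exposed by
name through the HtmlAdaptor servlet. SCANNER_MBEAN is the URLDeploymentScanner
name from those releases' jboss-service.xml; confirm it against the target's own
MBean listing. Host names used are hypothetical.
"""
import http.client
from urllib.parse import quote, urlparse

CONSOLE_PATHS = ("/jmx-console/", "/jmx-console/HtmlAdaptor", "/web-console/")
# MBean that owns the list of deploy directories/URLs (the "repositories" in the
# post); its addURL operation is what console access lets an attacker call.
SCANNER_MBEAN = "jboss.deployment:type=DeploymentScanner,flavor=URL"


def classify(status, body):
    """Turn one HTTP response for a console path into an exposure verdict."""
    if status in (401, 403):
        return "auth-required"
    if status == 404:
        return "absent"
    if status in (301, 302, 303, 307, 308):
        return "redirect"
    if status == 200 and ("JMX" in body or "MBean" in body):
        return "open"  # console page served with no credentials at all
    return "unknown"


def scanner_inspect_url(base_url):
    """HtmlAdaptor page listing the deployment scanner's attributes and operations."""
    name = quote(SCANNER_MBEAN, safe="")
    return f"{base_url.rstrip('/')}/jmx-console/HtmlAdaptor?action=inspectMBean&name={name}"


def fetch(url, method="GET", timeout=5):
    """Minimal HTTP client: (status, lower-cased headers, first 64 KiB of body)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request(method, path, headers={"User-Agent": "jmx-console-check"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1", "replace")
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
    finally:
        conn.close()


def probe(base_url):
    """Check each known console path; if HtmlAdaptor is open, look for the scanner page."""
    base = base_url.rstrip("/")
    report = {}
    for path in CONSOLE_PATHS:
        try:
            status, _, body = fetch(base + path)
        except OSError as exc:
            report[path] = f"error: {exc}"
            continue
        verdict = classify(status, body)
        if verdict == "auth-required":
            # A security-constraint that lists only GET and POST leaves HEAD
            # unauthenticated on older JBoss builds; report that separately.
            try:
                head_status, _, _ = fetch(base + path, method="HEAD")
                if head_status == 200:
                    verdict = "auth-required for GET but HEAD returns 200 (verb-tampering bypass)"
            except OSError:
                pass
        report[path] = verdict
    if report.get("/jmx-console/HtmlAdaptor") == "open":
        try:
            status, _, body = fetch(scanner_inspect_url(base))
            listed = status == 200 and "addURL" in body
            report["deployment-scanner"] = "addURL reachable" if listed else "not listed"
        except OSError as exc:
            report["deployment-scanner"] = f"error: {exc}"
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://jboss.example.internal:8080"
    for item in probe(target).items():
        print("%-28s %s" % item)
```

On the server side the fix is the security-constraint that the jmx-console web.xml ships commented out: enable it, point jboss-web.xml at a security domain with real credentials rather than the sample ones in the distribution, and do not limit the constraint to GET and POST, since any verb left out of it is served without authentication.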

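The dispute-management flaw in the post is a missing function-level authorization check: domain login proves who the caller is, but the charge-back approval module never asks whether that caller's role may approve. The code below is an added example and not the application the post describes; none of its identifiers come from that product. The three roles and the verify-then-charge-back/decline flow follow the post; the explicit state machine, the scoping of a bank admin to their own bank's disputes and the history list are assumptions added to make the check concrete. The vulnerable service is shown next to the hardened one so the same misuse can be run against both.

```python
"""Charge-back approval with and without function-level authorization.

Added example, not the dispute-management application the post describes;
no identifier here comes from that product. Roles and the
verify -> charge-back/decline flow follow the post. The state machine,
per-bank scoping of bank admins and the history list are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class Role(Enum):
    GLOBAL_ADMIN = auto()  # service-provider employee
    BANK_ADMIN = auto()    # employee of the concerned bank
    TECHNICAL = auto()     # service-provider employee who verifies disputes


class State(Enum):
    RAISED = auto()
    VERIFIED = auto()
    CHARGED_BACK = auto()
    DECLINED = auto()


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    bank: Optional[str] = None  # only meaningful for BANK_ADMIN (assumption)


@dataclass
class Dispute:
    dispute_id: str
    bank: str
    state: State = State.RAISED
    history: list = field(default_factory=list)  # (user, action) audit trail


class AuthorizationError(PermissionError):
    """Caller is authenticated but not allowed to perform this action."""


class WorkflowError(ValueError):
    """Action is not valid for the dispute's current state."""


# Domain login only proves who the user is; this table decides what they may do.
POLICY = {
    "verify": {Role.TECHNICAL},
    "charge_back": {Role.GLOBAL_ADMIN, Role.BANK_ADMIN},
    "decline": {Role.GLOBAL_ADMIN, Role.BANK_ADMIN},
}
# Required state before each action and the state it produces.
TRANSITIONS = {
    "verify": (State.RAISED, State.VERIFIED),
    "charge_back": (State.VERIFIED, State.CHARGED_BACK),
    "decline": (State.VERIFIED, State.DECLINED),
}


class VulnerableDisputeService:
    """The flaw from the post: the approval module trusts that whoever reached it
    (any domain-authenticated user) is allowed to approve."""

    def charge_back(self, user: User, dispute: Dispute) -> Dispute:
        dispute.state = State.CHARGED_BACK
        dispute.history.append((user.name, "charge_back"))
        return dispute


class HardenedDisputeService:
    """Every transition goes through one role, scope and state check."""

    def act(self, action: str, user: User, dispute: Dispute) -> Dispute:
        if user.role not in POLICY[action]:
            raise AuthorizationError(f"{user.name} ({user.role.name}) may not {action}")
        if user.role is Role.BANK_ADMIN and user.bank != dispute.bank:
            raise AuthorizationError(f"{user.name} is not an admin of {dispute.bank}")
        required, result = TRANSITIONS[action]
        if dispute.state is not required:
            raise WorkflowError(f"{action} needs {required.name}, dispute is {dispute.state.name}")
        dispute.state = result
        dispute.history.append((user.name, action))
        return dispute


def demo():
    """Same misuse against both services: a technical user approving a charge-back.
    Returns (state reached on the vulnerable service, error raised by the hardened one)."""
    tech = User("tech1", Role.TECHNICAL)
    reached = VulnerableDisputeService().charge_back(tech, Dispute("D-1", "BankA")).state
    try:
        HardenedDisputeService().act("charge_back", tech, Dispute("D-1", "BankA"))
        refused = None
    except AuthorizationError as exc:
        refused = str(exc)
    return reached, refused


if __name__ == "__main__":
    print(demo())
```

The point of routing every action through one `act` method is that the authorization decision cannot be forgotten on an individual endpoint, which is exactly what happened to the approval module in the post; the network placement (internal only, domain login) reduces who can reach the bug but does not remove it.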
  2. #2
    Garage Addict 41.w4r10r's Avatar
    Join Date
    Jul 2010
    Location
    Pune
    Posts
    338
    Blog Entries
    3
    The_empty: Nice write-up..

    You have a really very good memory...

    Which company's HDD do you have in your head????
    Last edited by 41.w4r10r; 11-11-2010 at 05:27 PM.

  3. #3
    Infosec Enthusiast AnArKI's Avatar
    Join Date
    Jul 2010
    Location
    London
    Posts
    514
    Blog Entries
    2
    JBOSS vulnerability

    That reminds me of something ;-)..... I found this flaw some 3 years back in one of the most critical servers of the country.... am not sure if FB1 dumped into the same server... lol....

    @FB1 we should discuss this offline ;-)

  4. #4
    Nice write-up as always, empty
    Orkut id: neo1981
    Blog: infosec-neo.blogspot.com
    Nothing is Impossible*


    *Conditions Apply

  5. #5
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    Man, I so envy your memory power. + That night was great, especially all our ideas coming up one by one and the possibility of making money :P, and by the way I am short of some cash, so maybe we need to have a little discussion.

    @anarki bro, well I came across this JBoss stuff, but as we all know, in the normal JBoss exploit we load and deploy a WAR file from an external location and execute it on the server; that was not possible in my situation, as that server was in a NATed environment and no outbound connections were allowed. So I had to find a way to deploy it locally.

    It took me a few weeks for that; I downloaded the JBoss manual and the source and started learning it :P, and I found 3 different ways to do it without outbound connections and got woot woot.
    Hacking Is a Matter of Time Knowledge and Patience

  6. #6
    I missed this one lol.... Great going... I am very happy with silent poison

  7. #7
    Those who want to make money... don't forget this born business mind here

  8. #8
    Garage Newcomer
    Join Date
    Jul 2010
    Posts
    2
    Blog Entries
    2
    wow wow wow.. but I missed it, yaar :-( :-( :-( I'll join you guys at the next meet

    & it's really a nice write-up
