LFI to DB and backdoor

I am decribing a high level, theortical way of converting LFI to DB compromise and creating a backdoor. A long time ago, came across an application which was vulnerable to LFI (Local File Inclusion).
The LFI found was different from traditional one, since the filenmames were not being passed in any parameter, so was hard to detect also. A file called default.cgi contained code that which looks for a file in the directory and include it for some sort of processing, that was a business requirement, if not found, displayed 'File not found' error. So in order to exploit it one need to append a file name just after default.cgi?.  This way, could view any file from app server to OS level. Many sensitive files are easily accessible even from other folders too. /etc/passwd was accessible but /etc/shadow was not present, unfortunately. 
After browsing through almost all the files present at the server, came across a few interesting files (conn.cgi) which contained the logic of connect…

Solving SSL error in python: certificate verified failed

To do away the below SSL handshake errors, where the urllib is very strict in verifying ssl certificates, we can ask it to relax:

Add the below lines:

When You face Binary translation is incompatiple VM

While moving my Kali Linux VM from my old Win7 machine to my new Win10 machine, I faced this strange issue, while starting the VM:

After banging my head for along, I figured out that by default in new laptops, the virtualization is disabled on Intel processors and for enabling it we need to enter the BIOS setup. We need to turn it on by:

 Entering the BIOS is a bit different inWin 10 machines:

Once that's enabled the VM bootup will be smooth!

When the locked account bypassed

Generally the accounts are locked when the attempt to login exceed a certain no. of unsuccessful attempts. The userids are locked by the application to thwart any further attempt to brute force. Generally the threshold is 3 unsuccessful attempts.
But I recently came across an application where there was a flaw which leads to bypass the account lockout.
Suppose an account is already locked and we try to provide the correct userid and password as now we remember the correct combination.

It acts like the below:
1. In one tab we'll access the login page and enter the userid/ password correctly. But the app will not let you in because the userid is locked and displays account locked message.

2. Now try accessing an internal url of the application in the second tab in the same browser since two tabs share the session id in most of the browsers.

3. The application lets you in the second tab!

This behavior of the application puzzled us until we inspected it closely and came to know about…

3 key 3DES, 2 key 3DES and effective security

There was a recent discussion around effective security and effective key length of 3DES algo. Basically the 3 DES is 3 times DES. There would be 3 keys (K1, K2, K3 ) involved in the operation. The size of a key in DES is 64 bit, but due to padding the actual keys being used for the encryption are 56 bits of the length. So, in 3DES the the total key size would be 168 bits.
Now there are 3 options in 3DES:
Option 1, where K1, K2, and K3  are independent, the length would be 168 bits.
Option 2, where 2 keys are similar , eg, K1=K3, still the actual length is 168 bits but the 'effective' length would be 112 bits. (also called 2-key 3DES)
Option 3, the least secure where all three keys are same, ie, K1=K2=K3, still the actual length is 168 bits, the 'effective' key length would be 56 bits.

Now due to a know attack on 3DES, Meet-In-the-Middle (MeetITM), the 'effective' security of the above options are reduced as following:

Option 1: 112 bits
Option 2: 80 bits

SecureString for managing passwords in memory

As the brush with 2-tier apps continues, the usual recommendations to manage the memory from leakage is to overwrite it quickly once its use is over. Although, it does not prevents the leakage completely, it reduces the attack surface by a considerable extent. Fortunately, for .Net application there's a method called SecureString. This class allows you to keep string data encrypted in memory. But a few things to keep in mind. Liked the below points from a discussion from stackoverflow post:
Do you know how many times I've seen such scenarios(answer is: many!):

1.A password appears in a log file accidentally.
2.A password is being shown at somewhere - once a GUI did show a command line of application that was being run, and the command line consisted of password.
3.Using memory profiler to profile software with your colleague. Colleague sees your password in memory. Sounds unreal? Not at all.
4.Some tools such as  RedGate software that could capture the "value" of lo…

Memory leakage in 2-tier applications

The 2-tier applications use front-end to directly communicate to DB. There's no separate business logic tier. All the business logic are at client side. Thick client applications (mostly) are classic examples of that. Applications developed in .Net and Java could be found in big nos. inside any organization. Sometimes it's difficult to straightaway move to 3-tier architecture. Businesses are reluctant to accept this approach due to: - Moving towards 3-tier involves a great amount of coding efforts and  money. - Sometimes the applications are almost end of life and are not being retired just because of there;s no good reason to do so.  - Most of the above applications are Intranet applications. Business claims that being an internal application, this is less susceptible to attack.
But they forget one very big risk under these claims- sensitive information in memory dumps. 
The application being 2-tier connects to DB while constructing the connection string using DB credentials…