Wednesday, April 14, 2010

DoS with LIKE query

I was assessing an application. The application was properly sanitizing all the characters that have special meaning for a SQL injection attack, so SQL injection was not possible. But then I came across a few search modules in the application that took a part number as input to proceed.
I entered a single quote (') and the application filtered it correctly, returning "Parts can't be found". Then, out of curiosity, I entered the '%' character and observed the response. The application got stuck in its search loop, searching continuously. Two things I deduced from it:
1. The application was using LIKE query to search matching terms.
2. This can be used to perform a DoS by overloading the database.

The % and _ wildcards are often overlooked by developers when filtering input, as they are not as devastating as other characters. They match zero or more characters and exactly one character, respectively.

$searchterm = mysql_real_escape_string("%anything"); // still %anything: the escape function leaves LIKE wildcards untouched
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$searchterm}%'");

The intention of the query above is to search for content matching the user-specified $searchterm.
Under normal conditions the query executes fast. But when a term with a leading % wildcard is entered, the query takes far longer, because the database cannot use the index on the column and has to scan the whole table. It gets progressively slower as the amount of data in the table grows.
The same is the case with _ (underscore).
Although these are valid inputs, we need to neutralize them. In PHP there is a function that escapes exactly the characters you specify.
Use addcslashes() to escape the above characters:

$searchterm = addcslashes(mysql_real_escape_string("%anything_"), "%_"); // $searchterm == \%anything\_
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$searchterm}%'"); // the wildcards now match literally

Here, the input is first processed by the database's prescribed escape function and is then passed
through addcslashes() to escape all occurrences of % and _. The order matters: running addcslashes() first would make mysql_real_escape_string() double the backslashes it added.
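
The same fix, written out as a runnable example in Python against an in-memory SQLite table (added here for illustration; it is not code from the original post). The part numbers and the parts table are constructed for the demo. SQLite, unlike MySQL, has no default LIKE escape character, so the ESCAPE clause is stated explicitly; the search functions also use bound parameters, so SQL injection is handled separately from wildcard escaping.

```python
import sqlite3

# Constructed sample catalogue of part numbers (not data from the original post).
PARTS = ["AB-100", "AB-101", "AB-200", "XY_100", "XYZ100", "50%-off", "ZZ-999"]


def escape_like(term: str, escape: str = "\\") -> str:
    """Escape LIKE wildcards so user input matches literally.

    This is the equivalent of the post's addcslashes($term, "%_"). The escape
    character itself is escaped first; otherwise a user-supplied backslash
    could cancel the escaping of the wildcard that follows it.
    """
    return (term.replace(escape, escape + escape)
                .replace("%", escape + "%")
                .replace("_", escape + "_"))


def open_db() -> sqlite3.Connection:
    """Create the demo table with an index, as a real parts catalogue would have."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts (number TEXT)")
    conn.execute("CREATE INDEX parts_number ON parts (number)")
    conn.executemany("INSERT INTO parts VALUES (?)", [(p,) for p in PARTS])
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterised but not wildcard-escaped: a bare '%' matches every row
    and a leading '%' forces a full scan of the table, as described above."""
    rows = conn.execute("SELECT number FROM parts WHERE number LIKE ?",
                        (term + "%",))
    return [r[0] for r in rows]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterised and wildcard-escaped: '%' and '_' in the input are literal,
    so only the application-appended trailing '%' acts as a wildcard."""
    pattern = escape_like(term) + "%"
    rows = conn.execute("SELECT number FROM parts WHERE number LIKE ? ESCAPE '\\'",
                        (pattern,))
    return [r[0] for r in rows]
```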

In the case of my application, this could be determined from the fact that entering % one or more times caused the whole application to become unresponsive for a long time.

Reference: http://dev.mysql.com/

Saturday, April 10, 2010

Secure Network Architecture Design

A few days back I was going through an article on "Managing Network Security". Although it was a bit technical, it presented some fundamental ideas about designing a secure network architecture for an organization. I picked up a few easy-to-grasp points from the article and left out the detailed, technical ones.
Design a secure network architecture:

1. Make sure hosts are not permitted to access the Internet directly. They should access
it through content filtering proxies capable of scanning the packets for malicious code. If
they need to be connected by a NAT rule on the firewall, ensure that the necessary network
and security controls (such as desktop firewall, antivirus and antispyware tools) are
present on the host.

2. All emails should pass through a secure mail gateway that is capable of filtering email threats.

3. Implement strong authentication for accessing networked resources.

4. Host hardening lowers the chances of system compromise or exploitation. Stick to best
practices of system installation, followed by hardening and conducting of regular vulnerability
scans. Hardening hosts and network devices directly after installation considerably reduces the attack surface.

5. If your organization uses wireless as a network connectivity option, ensure that proper
security controls are in place to safeguard data flowing through the wireless network.
Some of the security measures to be taken are:
a) Secure wireless access via VPN tunnels or strong encryption such as WPA2.
b) Harden wireless access points and apply endpoint security measures.
c) Implement wireless IPS and rogue device detection techniques.

6. Implement a strong password policy in your organization to safeguard online accounts
against password attacks such as brute force, dictionary or hybrid password attacks.

7. Use automated tools to gather network information on a regular basis and analyze it. Create an up-to-date network map and a list of assets belonging
to your organization from that information. This assists in the detection of rogue devices on wired or wireless
networks. Maintain and update the switch-port and router-port configuration documentation. Keep
unused ports disabled on all network points.

8. Use a Security Information and Event Management tool to obtain meaningful security
logs and event correlations. SIEM/SIM tools assist infrastructure security by forwarding
important logs to a centralized security server and correlating them there. This helps IT
security operations personnel respond more effectively to external and internal
threats.

These points outline an ideal architecture for an organization, or how it should be.

Wednesday, April 7, 2010

Unknown Root Certificate Authority in Firefox - Miscommunication Drama

Mozilla has detected that a certificate named "RSA Security 1024 V3" is installed in the Firefox browser whose owner is unknown. Even RSA has denied holding any such certificate. Kathleen Wilson has posted the following details of the certificate and recommended that it be removed from NSS, where all trusted root certificates are maintained:
OU = RSA Security 1024 V3
O = RSA Security Inc
Valid From: 2/22/01
Valid To: 2/22/26
SHA1 Fingerprint:
3C:BB:5D:E0:FC:D6:39:7C:05:88:E5:66:97:BD:46:2A:BD:F9:5C:76
In the first communication, RSA said that it does not own this root. As per Kathleen:

"…I have not been able to find the current owner of this root. Both RSA and VeriSign have stated in email that they do not own this root.

Therefore, to my knowledge this root has no current owner and no current audit, and should be removed from NSS."

Mozilla now says it has received official word from RSA that they do in fact own the root CA.

Kathleen says:

An official representative of RSA has sent me email to confirm that RSA
is still in possession of the private key for the "RSA Security 1024 V3"
root certificate.

RSA has also agreed that the "RSA Security 1024 V3" root certificate
should be removed from NSS.

This is a bit funny!

Further reading: http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc#26fca75f9aeff1dc

Thursday, April 1, 2010

COM Parsing

I came across a very good post about a tool for COM parsing. This tool parses the type library information of an ActiveX file and gets all the interfaces, the members within each interface, and their addresses in the DLL file.

More information: http://ronniereverseengineering.blogspot.com/2010/03/com-vftable-parser.html