Wells Fargo – Online Banking Authentication Weakness / “Feature”

Try as I might to contact Wells Fargo regarding an almighty issue of issues with their authentication logic…

Probably equally secure

So let’s say you purposely set your password to “SuperDuperPassword”, or better yet use your actual password (if you bank with Wells Fargo you can try this at home). Back to the monologue; so you want a secure password for your account? Who wouldn’t? So you add lower case and upper case into the mix. Try to make your password all sexy and shit, right?

Now imagine this: none of the complexity you created means anything. Log in to your account with all upper case, all lower case, or mixed case; it doesn’t matter.

New Forum!

So I have, for the life of me, been trying to find a way to get this group of individual hackers to grow into a community. Well, look no further, friend!

Plus! Just like this website, https://forums.thegh0stship.com is always utilizing HTTPS with a certificate from a trusted root CA.

(Cough, it wasn’t that hard for me to do it, why can’t some of my clients?)

Happy HTTPS Everywhere + Only Day!

Well, I finally tackled the whole HTTPS SSL Certificate thing and boy did I mess up the first go around 😀

Accidentally purchased and generated an SSL certificate for the wrong domain name and didn’t even realize it until I went to assign it and it started screaming at me about a name mismatch.

Welp, moment of discovery… a while later… Finally got the other certificate revoked and removed, got the new cert in place and enabled some fancy browser-side security headers (not a challenge to break, please).

Anyways, I’ll be posting another post here in a minute announcing a new forum I’ve set up for folks.

Meltdown Write-up (Old News)

This is a write-up I did after reading the white paper and investigating the workings of speculative execution. I was genuinely interested in how it all played out and how this seems like the year for exploits and vulns.

I’m legitimately wondering if this ever did get weaponized yet. I’ve often thought about trying to implement it with BeEF as a post module of sorts, as a JavaScript payload.

Also take note that I really didn’t have the energy to try to read through Spectre, even though it’s probably the worst one.

A non-technical synopsis of the microprocessor and kernel flaws.
Meltdown (CVE-2017-5754)

Welcome!

Welcome to the new domain for anything and everything unrelated to what you were probably looking for.

Let’s go explore this rotting mess we call the internet on our trusty Gh0stship =J

The Evil SVG Project

The purpose of this article is to provide a repeatable means of performing cross-site scripting attacks via an SVG file. SVG, otherwise known as “Scalable Vector Graphics”, is an XML document used to build an image.


The above code generates the following image:

However, by introducing JavaScript or HTML within the SVG, it is possible to in effect store XSS payloads that execute whenever the SVG is loaded into the page’s dynamic content.

Now, let’s tweak it to add in some JavaScript and officially “weaponize” the SVG.

Which after loading the SVG within a browser results in XSS.

By simply adding a pair of script tags, an attacker can include any JavaScript functions, actions or even in a worst-case scenario remotely include a JavaScript file whenever the SVG is loaded.

In our case, we are using BeEF (Browser Exploitation Framework) to attack users of an application: including the BeEF JavaScript file within the page allows attackers to carry out attacks and get BeEF shells, all from this SVG.

Take for example the following code:

With all of this in mind, seriously consider limiting or blocking SVGs from being uploaded. More often than not, developers have overlooked SVG as a potential threat vector and allow malicious SVG files to be uploaded as profile pictures.

Additionally, if you are familiar with XXE attacks, an SVG can also be used for that attack vector in some circumstances, since it is XML. If you aren’t already scanning uploads regardless of their extension or MIME type, it might be time to change that.

Long story short, if you can pop XSS within an SVG you can do pretty much anything, up to and including storing malicious JS, malicious XML or malicious HTML inline.
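An added example (not from the original post) of the upload-side check the last few paragraphs argue for: it rejects an SVG that carries script elements, event-handler attributes, `javascript:` links, or a DOCTYPE/ENTITY declaration (the XXE angle). The sample SVGs are constructed here with harmless alerts; the element and attribute names it looks for are assumptions about what a profile picture never legitimately needs.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Elements that run script or embed foreign content; none is needed for a logo or avatar.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed sample in the shape the post describes: a circle with a pair of
# script tags added, plus an event handler and a javascript: link. Harmless alerts only.
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle cx="50" cy="50" r="40" fill="red" onload="alert(1)"/>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>
  <script>alert(1)</script>
</svg>"""
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="red"/>
</svg>"""
XXE_SVG = """<!DOCTYPE svg [<!ENTITY x "y">]>
<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>"""

def svg_findings(data):
    """Return the reasons an uploaded SVG should be rejected (empty list = clean)."""
    # Refuse any DOCTYPE/ENTITY before handing the bytes to a parser: that is the
    # XXE angle the post mentions, and ElementTree is not hardened against entity abuse.
    if re.search(r"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return ["DOCTYPE or ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    if root.tag != SVG_NS + "svg":
        findings.append("root element is not svg")
    for el in root.iter():
        local = el.tag.split("}")[-1]  # drop the namespace, keep the element name
        if local in DANGEROUS_TAGS:
            findings.append("<%s> element" % local)
        for name, value in el.attrib.items():
            if name.split("}")[-1].lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (name, local))
            if name in ("href", XLINK_HREF) and re.match(r"\s*javascript:", value, re.I):
                findings.append("javascript: URL in %s on <%s>" % (name, local))
    return findings

def is_safe_svg(data):
    """Gate for an upload handler: keep the file only when no finding is raised."""
    return not svg_findings(data)
```

Re-encoding the accepted file to a raster format (PNG) before serving it removes the residual risk entirely, since nothing script-bearing survives rasterization.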

Dear Diary – It’s barely 2018 and skeletons are aplenty…

Excited to see how this Spectre and Meltdown patch madness will pan out, $10 says an engineer somewhere finger flubs something, then the debugger doesn’t catch it and pushes to production distribution.

Meanwhile, still waiting on meaningful exploit code beyond telling me that I’m either vulnerable or not.

In other news, I will be trying to post more here. Life is hard, but add blog stuff on top of that, work and family, and you probably have a better idea of my life than I do myself.

Expect more content, I have tons written up for consuming, but need to sort through all the garbage that is my internal monologue dictating narration in them.

That and the non-stop quest to not rehash or regurgitate others’ work. Once it’s been done, there is no other point to doing it.

Discovery and the unknown are my two favorite friends, meanwhile chaos and curiosity continue to be my low key friends. We’ll explore all the closets I’ve encountered (minus NDA ones), and hopefully provide something of value to the next person.

Unless you call yourself someone’s “right hand person”, you can stop right there…

CVE-2017-9554 – Synology DSM User Enumeration – Unspecified Vector… Yea Right…

Previously this was identified by the developer, and the disclosure states that “via unspecified vectors” it is possible to enumerate usernames via forget_passwd.cgi.

I haven’t found any other disclosures that actually identify the attack vector, so I figure this would be helpful to someone.

CVE-2017-9554

Per the CVE:

“An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.”

Well then… Here you go, cracked the code and figured it out.

https://IP_Address:5001/webman/forget_passwd.cgi?user=XXX

Where XXX should be your injection point for username lists.

Several usernames I’ve found are admin, administrator, root, nobody, ftp, and more. I’m unsure of whether Synology is pulling these entries from its passwd file or not, but there you go.
***Update***
This is now published within ExploitDB

https://www.exploit-db.com/exploits/43455/