Monday, January 19, 2015

Facebook Bug - Open Redirection To Blocked Sites


Link Shim Of Facebook (l.php)
A very good explanation of 'Link Shim' can be found here. It is a nice note written by one of the security engineers at Facebook. In short, Facebook tries to protect its users by keeping a list of harmless sites and a list of harmful sites, so sites which are malicious and marked as `harmful` cannot be used on Facebook.

e.g. a user cannot post a link to a blocked site.

Try to post `http://ringcloud.com` on Facebook. You won't be allowed to, and a `warning` message will be displayed saying that `ringcloud.com` is blocked.


Send Dialog

Facebook introduced the 'Send Dialog' a long time ago. You can find details about it here. It was designed for sending private messages containing `links` to one's friends, and it can be integrated on third-party sites.

Have a look at this:

https://www.facebook.com/dialog/send?app_id=145634995501895&link=http://www.pranavhivarekar.in/2014/10/hackerone-bug-redirect-filter-bypass.html&redirect_uri=https://www.google.com

The 'Send Dialog' accepts a few parameters:
1. app_id (an app needs to be created to use the send dialog)
2. link (the link to be shared)
3. redirect_uri (the site the user is redirected to after the message is sent)



After pressing `Send` or `Cancel`, the user will be redirected to the site mentioned in `redirect_uri`.

Final Exploit 

The values passed to the `link` parameter were passed through 'Link Shim'. So the attacker is limited to sharing only those links which are present in the `harmless` list of link shim, e.g. the attacker can share a link like `http://pranavhivarekar.in`.
Now, note the other parameter, `redirect_uri`. I observed that it was not passed through link shim. So the attacker can redirect victims to any site after the message is sent, e.g. to a site like http://pranavhivarekar.in/.
So, what is the bug here?
I checked the `redirect_uri` parameter against the `harmful` list of 'Link Shim' and was really amused and glad to see the redirection to a `harmful` site. e.g. I entered `http://ringcloud.com`, and after `Sending` the message or pressing `Cancel` it redirected me to `http://ringcloud.com`. So this proves that there were no access controls in place to protect users from redirection to `harmful` sites, and it violated the working of 'Link Shim'.
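A check in the spirit of the fix, as an added example and not Facebook's code: both `link` and `redirect_uri` are run through the same blocklist, where the post says only `link` was. The blocklist contents, the `validate_send_dialog` function and its `check_redirect` switch (False reproduces the unfixed behaviour) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed blocklist standing in for Link Shim's "harmful" list;
# ringcloud.com is the domain the post says Facebook blocks.
HARMFUL_HOSTS = {"ringcloud.com"}


def host_of(url):
    """Return the normalised hostname of a URL, or None if it is not http(s)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_harmful(url):
    """True when the URL's host, or any parent domain of it, is on the list."""
    host = host_of(url)
    if host is None:
        return True  # refuse anything that is not a plain web URL
    labels = host.split(".")
    return any(".".join(labels[i:]) in HARMFUL_HOSTS for i in range(len(labels)))


def validate_send_dialog(dialog_url, check_redirect=True):
    """Validate the send-dialog parameters; returns (ok, reason).

    check_redirect=False mirrors the behaviour the post describes (only
    `link` goes through the shim); True is the hardened form, where the
    post-send redirect target gets exactly the same treatment.
    """
    params = parse_qs(urlsplit(dialog_url).query)
    link = params.get("link", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if not link or not redirect_uri:
        return False, "missing link or redirect_uri"
    if is_harmful(link):
        return False, "link is blocked"
    if check_redirect and is_harmful(redirect_uri):
        return False, "redirect_uri is blocked"
    return True, "ok"
```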

So, this bug was accepted and rewarded by Facebook. Now, if you try to use this exploit, it will show an error. e.g. try this:
https://www.facebook.com/dialog/send?app_id=145634995501895&link=http://www.pranavhivarekar.in&redirect_uri=https://ringcloud.com

It will show you an error like this:



This bug was rewarded because it affected other users of Facebook and because it pointed out exactly how the policy of 'Link Shim' was being violated.

About The Author:


Thanks for spending time to read this ...! Comments are welcome. :-)

Facebook Vulnerability Allows to Video-Call Mark Zuckerberg!


Have you ever wanted to video-call the founder of Facebook? Well, with this vulnerability it's still possible! The vulnerability used below allows, with a GET (in-URI) CSRF parameter, bypassing the video-calling block in Mark Zuckerberg's privacy settings.

First, let me introduce what a CSRF vulnerability is:
"A Cross-Site Request Forgery (CSRF) Vulnerability is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated." (*)

Now, let's start analyzing it! We start from this URL (as if we were actually video-calling one of our friends):

https://www.facebook.com/videocall/incall/

Once we've identified the vulnerable GET parameter, we can apply it as below:

https://www.facebook.com/videocall/incall/?peer_id=

After the peer_id= parameter, we insert Mark Zuckerberg's ID (which is id=4).

So the complete URL will look like this:

https://www.facebook.com/videocall/incall/?peer_id=4



Regarding this bug, the Facebook security team has not yet released a fix, which in fact continues to allow attackers to use this flaw against the whole social community.
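How the server side should decide a call, as an added example (not Facebook's code): the callee's privacy setting is evaluated on every request, so a hand-typed `peer_id` gets the same answer as the button in the UI. The privacy model, the user ids (4 as named in the post, the others made up) and `handle_incall` are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CallPrivacy:
    """Constructed model of a user's 'who can video-call me' setting."""
    who_can_call: str = "friends"   # "everyone" | "friends" | "nobody"
    blocked: set = field(default_factory=set)


# Constructed directory: id 4 is the profile named in the post, set to
# accept calls from nobody; ids 10-12 are made up for the example.
PRIVACY = {
    4: CallPrivacy(who_can_call="nobody"),
    10: CallPrivacy(who_can_call="friends"),
    11: CallPrivacy(who_can_call="everyone", blocked={12}),
}
FRIENDS = {(10, 11), (11, 10)}   # constructed, symmetric friendship


def parse_peer_id(query_value):
    """Parse ?peer_id= from the query string; None unless a positive int."""
    try:
        pid = int(query_value)
    except (TypeError, ValueError):
        return None
    return pid if pid > 0 else None


def may_call(caller_id, peer_id):
    """Server-side decision. The callee's setting is applied to every
    request, so a hand-built /videocall/incall/?peer_id= URL is judged
    exactly like a click on the call button in the UI."""
    privacy = PRIVACY.get(peer_id)
    if privacy is None or caller_id == peer_id or caller_id in privacy.blocked:
        return False
    if privacy.who_can_call == "everyone":
        return True
    if privacy.who_can_call == "friends":
        return (caller_id, peer_id) in FRIENDS
    return False   # "nobody", or an unknown setting: fail closed


def handle_incall(caller_id, query_value):
    """Return (HTTP status, message) for a request to /videocall/incall/."""
    peer_id = parse_peer_id(query_value)
    if peer_id is None:
        return 400, "invalid peer_id"
    if not may_call(caller_id, peer_id):
        return 403, "callee does not accept calls from you"
    return 200, "call placed"
```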

Reference: OWASP CSRF Guide

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

About the Author 
Christian Galeone is a cyber security researcher from Italy. He is currently studying at ITCL Marco Polo (Vocational Technical Institute | Vo-Tech), attending the IT programming class. He has been acknowledged by top 5 companies including Yahoo!, Microsoft, AT&T, Sony, etc. He is currently working with HOC as an author of cyber security & critical tools research articles.

FireEye is Hiring Sr. Reverse Engineer/Malware Analyst.


If you have strong programming skills, are experienced in malware analysis or reverse engineering, and are looking for an opportunity to collaborate with an industry-leading team—then the FireEye Labs Advanced Reverse Engineering (FLARE) Team is looking for you!

As a malware analyst working within FLARE you will dissect attacker tools and backdoors in support of incident responders. You will also help develop innovative tools to aid other business lines and automate malware analysis.

Essential Duties and Responsibilities
Analyze executable and malicious files.
Collaborate with a team of experienced malware analysts and researchers.
Develop novel solutions to challenges facing incident responders and malware analysts.
Support the company’s research and development efforts.
Required Skills
Strong programming skills
Ability to analyze disassembly of x86 and x64 binaries
Knowledgeable in the use of:
IDA Pro disassembler
User- and kernel-mode debuggers
Common binary file formats
Dynamic analysis tools
Network analysis tools
Desired Technical Skills
Ability to reverse engineer binaries of various types including:
C/C++
Delphi
.NET
Flash
Compiled VBScript
Strong understanding of Microsoft Windows Internals
Ability to analyze shellcode
Understanding of software exploits
Ability to analyze packed and obfuscated code
Capable of Python scripting to automate analysis tasks
Experience developing scripts to decode obfuscated data and network communications
Experience developing applications in C, C++, and .NET
Thorough understanding of network protocols
Capable of identifying host- and network-based indicators
Ability to defeat anti-reverse engineering techniques
Education
BS or MS in Computer Science or Computer Engineering

Location 
This position can be supported from any of the following office locations (Washington, DC; New York, NY; San Francisco, CA; Los Angeles, CA; Albuquerque, NM; Milpitas, CA) or remotely for well-qualified candidates.

About The Company
FireEye, ranked the fastest growing communications/networking company in North America on Deloitte's 2013 Technology Fast 500(tm), is transforming the IT security landscape to combat today's advanced cyber attacks and we want you to be part of our team.

Thursday, January 15, 2015

Making your own shortcut key to open a folder

In this tutorial we'll see the quickest way to open your favorite folders and programs. With this trick, you'll be able to open many folders or programs in a short period of time. It is really useful, at least in my opinion. Let's see how it works on my computer. In my example I am taking the folders named "HACKING2ALL" & "P.K" and opening them by an alias name (short name).

1. Navigate to the folder that you want to make an alias name for (in my example I took the folders named "HACKING2ALL" & "P.K").



2. Create a shortcut on the desktop as shown in the figure.


3. Rename the shortcuts to the alias names (shortcut names); in my example I chose "P" & "K".


4. Cut and paste the shortcuts into C:\WINDOWS.



5. Go to the Run option and type the alias name. In my example the alias names are "P" and "K".
Shortcut key: press the Win logo key + R, type the alias name and press Enter.


When you press OK, the folder "P.K" will open.

What is the concept behind this trick?

The answer: any file or shortcut you place inside the C:\Windows folder becomes a command that the Run prompt can resolve. That is the logic behind this trick; I hope it will be helpful to you.

Leave your comments if any trouble appears


Keep visiting 

Reset Windows Password




Forgot your administrator password? Don't panic, it happens to other people too, and you have found the solution! The following instructions will show you step-by-step how to reset your local Windows password. This only works for local user accounts, however, not domain accounts. The password recovery tool from this page is written by Petter Nordahl-Hagen, and the original information, as well as the downloadable tool, can be found on his website. According to the author, this tool should work for Windows NT/2000/XP/Vista.

WARNING! Users who have EFS encrypted files on Windows XP or Vista computers will lose access to the EFS encrypted files after the password reset!

Use this trick at your own risk.

The tool to reset your password can be downloaded here.

I. Download the bootdisk:
Download the bootdisk, which includes the password recovery tool here. The file contains the ISO CD image.
Unzip (extract) the ISO file and burn it to a CD. Note that this is an ISO file; you must burn it to CD as an ISO image, not as a "data" file. If you're not sure how, see this article. Also, since the image is bootable, you need to burn it to the CD using the image burning feature; do not extract the contents of the ISO and burn them to the CD, or you'll end up with a CD that can't boot!


II. Understanding the process:
You'll use the bootdisk created in the above steps to boot up the computer on which you want to reset the administrator password.
You'll be asked for things like which drive is the boot drive, the path to the SAM file, etc., but don't worry, details will be provided.
Once you have selected an account to reset the password, you'll need to type in a new password; however, it is highly recommended to use a BLANK password at this point, then you can change your password later in Windows.
Follow the prompts to the end. You'll need to save the changes at the end!
III. OK! Enough talking. Here are the steps:
Startup your computer with the bootdisk created above. You should see a welcome screen following with a prompt:
  boot:
Just wait, the bootup process will continue automatically. Then you should see a screen similar to this:

=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
....
NT partitions found:
1 :   /dev/sda1    4001MB  Boot
2 :   /dev/sda5    2148MB

Please select partition by number or
a = show all partitions, d = automatically load new disk drivers
m = manually load new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1]

Notice the last line "Select: [1]" which shows the [1] as default selection because the tool detected the bootup partition is [1]. This might be different on your own machine, so you should review the list shown under "NT partitions found:". The partition with the word "Boot" should be selected.

Hit Enter once you confirm the selection. You should see a similar screen as follows:

=========================================================
. Step TWO: Select PATH and registry files
=========================================================
....

What is the path to the registry directory? (relative to windows disk)
[windows/system32/config] :

Notice the last line "[windows/system32/config]" which shows the default path. This was also detected by the tool. If the path is correct, hit Enter, or if you wish to enter a different path, enter it now then hit Enter.
Here are the paths for different versions of Windows:
- Windows NT 3.51: winnt35/system32/config
- Windows NT 4 and Windows 2000: winnt/system32/config
- Windows XP/2003 (and often Windows 2000 upgraded from Windows 98 or earlier): windows/system32/config

Once you hit "Enter", you should see the next screen similar to the following:
-r--------    1 0        0          262144 Jan 12 18:01 SAM
-r--------    1 0        0          262144 Jan 12 18:01 SECURITY
-r--------    1 0        0          262144 Jan 12 18:01 default
-r--------    1 0        0         8912896 Jan 12 18:01 software
-r--------    1 0        0         2359296 Jan 12 18:01 system
dr-x------    1 0        0            4096 Sep  8 11:37 systemprofile
-r--------    1 0        0          262144 Sep  8 11:53 userdiff

Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1]
Hit "Enter" with the default option selected "[1]". Then ...:
=========================================================
. Step THREE: Password or registry edit
=========================================================
Loaded hives:
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
 - - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] -> 1

Hit "Enter" with the default option selected "[1]". Then ...:
===== chntpw Edit User Info & Passwords ====

RID: 01f4, Username: <Administrator>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03eb, Username: <pnh>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator]

Hit "Enter" with the default option selected "[Administrator]", or select another user account. Here you can enter the full user account name surrounded by < and >, CASE-SENSITIVE, or enter the RID number (e.g. 0x1f4). Assuming you select the Administrator account, you should see the following screen:
 
RID : 0500 [01f4]
  Username: Administrator
  fullname:
  comment : Built-in account for administering the computer/domain
  homedir :

  Account bits: 0x0210 =
  [ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
  [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
  [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
  [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
  [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

    Failed login count: 0, while max tries is: 0
    Total  login count: 3

  * = blank the password (This may work better than setting a new password!)
    Enter nothing to leave it unchanged
    Please enter new password: *
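A decoder for the "Account bits" line in the screen above, added here and not part of chntpw: the labels are the ones chntpw prints, and the hex masks assume the table is laid out in ascending bit order (the standard SAM ACB flags), which the 0x0210 value with "Normal account" and "Pwd don't expir" checked confirms. Mapping the user list's "*disabled or locked*" tag to the Disabled and Auto lockout bits is likewise an assumption.

```python
# Flags in the order chntpw's table prints them, left to right, row by row.
# Masks are the standard SAM account-control (ACB) bits; labels are chntpw's.
ACCOUNT_BITS = [
    (0x0001, "Disabled"),
    (0x0002, "Homedir req."),
    (0x0004, "Passwd not req."),
    (0x0008, "Temp. duplicate"),
    (0x0010, "Normal account"),
    (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"),
    (0x0080, "Wks trust act."),
    (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"),
    (0x0400, "Auto lockout"),
    (0x0800, "(unknown 0x08)"),
    (0x1000, "(unknown 0x10)"),
    (0x2000, "(unknown 0x20)"),
    (0x4000, "(unknown 0x40)"),
]
DISABLED, AUTO_LOCKOUT = 0x0001, 0x0400


def parse_account_bits(line):
    """Extract the hex value from a line such as '  Account bits: 0x0210 ='."""
    marker = "Account bits:"
    if marker not in line:
        raise ValueError("not an Account bits line")
    token = line.split(marker, 1)[1].split()[0]
    return int(token, 16)


def decode_account_bits(bits):
    """Return the labels of every flag set, i.e. the [X] boxes in the table."""
    return [name for mask, name in ACCOUNT_BITS if bits & mask]


def disabled_or_locked(bits):
    """Assumed meaning of the '*disabled or locked*' tag in the user list."""
    return bool(bits & (DISABLED | AUTO_LOCKOUT))


def describe(line):
    """One-line summary for a captured 'Account bits' line."""
    bits = parse_account_bits(line)
    state = "disabled/locked" if disabled_or_locked(bits) else "usable"
    return "0x%04x %s: %s" % (bits, state, ", ".join(decode_account_bits(bits)))
```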

At the prompt "Please enter new password", enter * for a blank password (HIGHLY RECOMMENDED!), then press Enter:
  Please enter new password: *
Blanking password!

Do you really wish to change it? (y/n) [n] y

At the prompt, type in "y", then press Enter. Note that the default option is "n".
Do you really wish to change it? (y/n) [n] y
Changed!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] !

Enter the "!" to go back to the main menu. Then select "q" at the following menu to quit:
<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives:

1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
 - - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] -> q

A prompt to save changes displays, enter "y" to save:
=========================================================
. Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y

The changes are saved! You should see the following screen, press Enter, and reboot your computer.
 
Writing  sam

***** EDIT COMPLETE *****

You can try again if it somehow failed, or you selected wrong
New run? [n] : n


Keep Visiting