Uvahy
new bnet fake mail
by admin on Nov.30, 2010, under security, Uvahy
With Christmas coming, a new wave of WoW phishing mails has arrived, and they look good enough to succeed.
It shocked me last night, since I viewed the text version, without the link or full headers, on my phone.
The mail consists of both a text and an HTML part.
The text part looks fine:
but the HTML version of course contains a link to a malicious website (marked red). Note that the host is not under battle.net at all: the registered domain is net-securelogin-management.com, and "www.battle" is just a subdomain prefix chosen so that the address starts with "battle.net":
hxxp://www.battle.net-securelogin-management.com/login/en/login.asp?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Fbeta-profile.xml&app=bam
www.battle.net-securelogin-management.com has address 200.63.44.35
Host 35.44.63.200.in-addr.arpa. not found: 3(NXDOMAIN)
Traceroute to the address (last hops):
 17   172 ms   187 ms   196 ms  so-3-0-2.usa.pan-pob-edge02.columbus-networks.com [63.245.5.145]
 18   211 ms   209 ms   208 ms  ge-2-0-0.usa.pan-pob-edge01.columbus-networks.com [63.245.5.149]
 19   210 ms   208 ms   208 ms  PANAMASE-38D28A [190.242.68.130]
 20   207 ms   208 ms   208 ms  200.63.44.35
Welcome to Panama =]
http://whois.arin.net/rest/net/NET-200-0-0-0-1
Domain registration info.. hmm, registered 26.11.2010, two days before the mail arrived, looking very "trustworthy" ..
Domain Name: NET-SECURELOGIN-MANAGEMENT.COM
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Whois Server: grs.hichina.com
Referral URL: http://www.net.cn
Name Server: DNS23.HICHINA.COM
Name Server: DNS24.HICHINA.COM
Status: ok
Updated Date: 26-nov-2010
Creation Date: 26-nov-2010
Expiration Date: 26-nov-2011
Domain Name ..................... net-securelogin-management.com
Name Server ..................... dns23.hichina.com
dns24.hichina.com
Registrant ID ................... hc061023234-cn
Registrant Name ................. wu an
Registrant Organization ......... wu an bo
Registrant Address .............. henansheng zhengzhoushi
Registrant City ................. zhengzhou
Registrant Province/State ....... HA
Registrant Postal Code .......... 530012
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.037165862108 -
Registrant Fax .................. +86.037165862108 -
Registrant Email ................ mmm123456789@qq.com
Administrative ID ............... hc061023234-cn
Administrative Name ............. wu an
Administrative Organization ..... wu an bo
Administrative Address .......... henansheng zhengzhoushi
Administrative City ............. zhengzhou
Administrative Province/State ... HA
Administrative Postal Code ...... 530012
Administrative Country Code ..... CN
Administrative Phone Number ..... +86.037165862108 -
Administrative Fax .............. +86.037165862108 -
Administrative Email ............ mmm123456789@qq.com
Billing ID ...................... hc061023234-cn
Billing Name .................... wu an
Billing Organization ............ wu an bo
Billing Address ................. henansheng zhengzhoushi
Billing City .................... zhengzhou
Billing Province/State .......... HA
Billing Postal Code ............. 530012
Billing Country Code ............ CN
Billing Phone Number ............ +86.037165862108 -
Billing Fax ..................... +86.037165862108 -
Billing Email ................... mmm123456789@qq.com
Technical ID .................... hc061023234-cn
Technical Name .................. wu an
Technical Organization .......... wu an bo
Technical Address ............... henansheng zhengzhoushi
Technical City .................. zhengzhou
Technical Province/State ........ HA
Technical Postal Code ........... 530012
Technical Country Code .......... CN
Technical Phone Number .......... +86.037165862108 -
Technical Fax ................... +86.037165862108 -
Technical Email ................. mmm123456789@qq.com
Expiration Date ................. 2011-11-26 11:22:22
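As an added example (not from the post), here is a small Python script that makes the domain trick explicit: it extracts the registrable domain from the link's hostname, follows the ref= parameter, and computes from the whois creation date how old the domain was when the mail arrived. The public suffix set is a tiny stand-in for the Public Suffix List, the whois text is abridged from the record above, and the arrival time is taken from the Received header quoted further down.

```python
"""Added example (not from the post): what the phishing link actually points at.

PUBLIC_SUFFIXES is a stand-in for the real Public Suffix List, WHOIS_SAMPLE is
abridged from the whois record in the post, SEEN_AT is the first Received
timestamp (07:37:30 CET on 28 Nov 2010) converted to UTC.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}          # stand-in, not a real PSL
TRUSTED_DOMAINS = {"battle.net", "blizzard.com", "worldofwarcraft.com"}

PHISHING_URL = ("hxxp://www.battle.net-securelogin-management.com/login/en/login.asp"
                "?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Fbeta-profile.xml&app=bam")

WHOIS_SAMPLE = """\
Domain Name: NET-SECURELOGIN-MANAGEMENT.COM
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Creation Date: 26-nov-2010
Expiration Date: 26-nov-2011
"""

SEEN_AT = datetime(2010, 11, 28, 6, 37, 30, tzinfo=timezone.utc)


def registrable_domain(host: str) -> str:
    """Registrable domain (eTLD+1) of a hostname.

    www.battle.net-securelogin-management.com -> net-securelogin-management.com
    The 'battle' label in front is just a subdomain the registrant controls; the
    dot after it does not make battle.net the owner of anything here.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def analyse_url(url: str) -> dict:
    """Indicators derived from the link alone."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))   # re-arm the defanged scheme
    host = parts.hostname or ""
    reg = registrable_domain(host)
    query = parse_qs(parts.query)                              # values come back percent-decoded
    ref_host = urlsplit(query.get("ref", [""])[0]).hostname or ""
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    return {
        "host": host,
        "registrable_domain": reg,
        "trusted": reg in TRUSTED_DOMAINS,
        # brand name present only as a subdomain label of an untrusted domain
        "brand_in_subdomain": reg not in TRUSTED_DOMAINS and bool(brands & set(host.split("."))),
        "plain_http": parts.scheme == "http",
        # ref= points at the real site, so the victim lands somewhere legitimate afterwards
        "ref_to_real_site": bool(ref_host) and registrable_domain(ref_host) in TRUSTED_DOMAINS,
    }


def domain_age_days(whois_text: str, seen_at: datetime) -> int:
    """Age of the domain at the time the mail was received, from the whois creation date."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "creation date":
            created = datetime.strptime(value.strip(), "%d-%b-%Y").replace(tzinfo=timezone.utc)
            return (seen_at - created).days
    raise ValueError("no Creation Date in whois record")


def verdict(url: str, whois_text: str, seen_at: datetime) -> list:
    """Human-readable reasons to treat the link as phishing."""
    info = analyse_url(url)
    reasons = []
    if not info["trusted"]:
        reasons.append(f"registrable domain is {info['registrable_domain']}, not a trusted one")
    if info["brand_in_subdomain"]:
        reasons.append("brand name appears only as a subdomain label")
    if info["plain_http"]:
        reasons.append("login page served over plain http")
    if info["ref_to_real_site"]:
        reasons.append("ref= parameter sends the victim on to the real site")
    age = domain_age_days(whois_text, seen_at)
    if age < 30:
        reasons.append(f"domain was {age} days old when the mail arrived")
    return reasons


if __name__ == "__main__":
    for reason in verdict(PHISHING_URL, WHOIS_SAMPLE, SEEN_AT):
        print("-", reason)
```

The registrable-domain step is the one that matters for a mail filter: a naive "does the hostname contain battle.net" check is exactly what this domain was registered to satisfy.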
Mail header:
Return-Path: wcp.com>
Delivered-To:
Received: from localhost (localhost [127.0.0.1])
by hades.hell.sk (Postfix) with ESMTP id 6A9DD22A6
for <>; Sun, 28 Nov 2010 07:37:34 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at hades.hell.sk
Received: from hades.hell.sk ([127.0.0.1])
by localhost (hades.hell.sk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id F-GyfDyCczp6 for ;
Sun, 28 Nov 2010 07:37:33 +0100 (CET)
Received: from wcp.com (213-132-178-164.multikabel.nl [213.132.178.164])
by hades.hell.sk (Postfix) with ESMTP id 687B822A3
for <>; Sun, 28 Nov 2010 07:37:30 +0100 (CET)
Reply-To:
Message-ID: <7EA52D8C342BF823B870791BBCEDBC16@wcp.com>
From: "noreply@blizzard.com"
To: <>
Subject: Battle.net Account - Account Change Notice
Date: Sun, 28 Nov 2010 14:37:41 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_059D_0120B3AA.103DB080"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Please NEVER click on links in e-mails! =]
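As an added example (not from the post), here is a Python script that pulls the spoofing indicators out of that header block offline. The headers are reconstructed and abridged from the post; the three addresses the post redacted (the Return-Path local part, the real From address and the recipient) are placeholders, and the placeholder From address is put in wcp.com to match the Message-ID and Return-Path domains shown above. The time zone difference is a weak signal on its own; the display name that is itself an address, and the HELO name that does not match the reverse DNS of the sending host, are the ones worth alerting on.

```python
"""Added example (not from the post): spoofing indicators from the header block above.

PLACEHOLDERS: the post redacted the Return-Path local part, the real From address
and the recipient; they are made up here, the From address in wcp.com so that it
matches the Message-ID and Return-Path domains the post does show.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

RAW_HEADERS = """\
Return-Path: <bounce@wcp.com>
Received: from localhost (localhost [127.0.0.1])
    by hades.hell.sk (Postfix) with ESMTP id 6A9DD22A6
    for <victim@example.org>; Sun, 28 Nov 2010 07:37:34 +0100 (CET)
Received: from wcp.com (213-132-178-164.multikabel.nl [213.132.178.164])
    by hades.hell.sk (Postfix) with ESMTP id 687B822A3
    for <victim@example.org>; Sun, 28 Nov 2010 07:37:30 +0100 (CET)
Message-ID: <7EA52D8C342BF823B870791BBCEDBC16@wcp.com>
From: "noreply@blizzard.com" <sender@wcp.com>
To: <victim@example.org>
Subject: Battle.net Account - Account Change Notice
Date: Sun, 28 Nov 2010 14:37:41 +0800
X-Mailer: Microsoft Outlook Express 6.00.2900.5512

"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def domain_of(value: str) -> str:
    """Part after the last '@' of an address or Message-ID, lower-cased."""
    return value.strip("<> ").rsplit("@", 1)[-1].lower()


def base_domain(name: str) -> str:
    """Last two labels of a hostname; good enough for the names in this header."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def originating_hop(msg) -> dict:
    """HELO name, reverse DNS, IP and timestamp of the hop that handed us the mail.

    MTAs prepend Received headers, so the last one is the sender-controlled hop.
    """
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("no Received headers")
    first = received[-1]
    m = RECEIVED_RE.search(first)
    if m is None:
        raise ValueError("unparseable Received header")
    return {
        "helo": m.group(1),
        "rdns": m.group(2),
        "ip": m.group(3),
        "time": parsedate_to_datetime(first.rsplit(";", 1)[1].strip()),
    }


def spoof_indicators(raw: str) -> dict:
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    hop = originating_hop(msg)
    sent = parsedate_to_datetime(msg["Date"])
    return {
        # a display name that looks like an address is the whole trick on a phone
        "display_name_is_address": "@" in display,
        "display_name": display,
        "from_domain": domain_of(addr),
        "envelope_domain": domain_of(msg["Return-Path"]),
        "message_id_domain": domain_of(msg["Message-ID"]),
        # HELO says wcp.com, reverse DNS says a Dutch cable customer
        "helo_rdns_mismatch": base_domain(hop["helo"]) != base_domain(hop["rdns"]),
        "sender_tz_hours": sent.utcoffset().total_seconds() / 3600,
        "mta_tz_hours": hop["time"].utcoffset().total_seconds() / 3600,
        # Date header later than the moment we received it: sender clock off or faked
        "date_after_receipt_s": (sent - hop["time"]).total_seconds(),
        "desktop_mailer": "outlook express" in msg.get("X-Mailer", "").lower(),
    }


def findings(raw: str) -> list:
    ind = spoof_indicators(raw)
    out = []
    if ind["display_name_is_address"]:
        out.append(f"display name is itself an address: {ind['display_name']}")
    if len({ind["from_domain"], ind["envelope_domain"], ind["message_id_domain"]}) > 1:
        out.append("From, Return-Path and Message-ID domains disagree")
    if ind["helo_rdns_mismatch"]:
        out.append("HELO name does not match reverse DNS of the sending host")
    if ind["sender_tz_hours"] != ind["mta_tz_hours"]:
        out.append(f"Date header written in UTC{ind['sender_tz_hours']:+.0f}, MTA is UTC{ind['mta_tz_hours']:+.0f}")
    if ind["date_after_receipt_s"] > 0:
        out.append(f"Date header is {ind['date_after_receipt_s']:.0f}s after delivery")
    if ind["desktop_mailer"]:
        out.append("automated notice sent from a desktop mail client")
    return out


if __name__ == "__main__":
    for f in findings(RAW_HEADERS):
        print("-", f)
```

Run as is it prints five findings; the domain-disagreement check stays quiet only because the placeholder From address was put in wcp.com, so nothing is asserted about the real address the post stripped.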
successfully migrated to hades
by dominee on Mar.23, 2010, under Uvahy
Yeah.. the migration process continues well.. WP successfully migrated to hades! =]
A couple of unicode issues on PHP and Firefox
by dominee on Oct.19, 2009, under Uvahy
1.- Overlong UTF-8:
As REQUIRED by Unicode 3.1, and noted in Unicode Technical Report #36, a UTF-8 decoder is forbidden to interpret a character’s non-shortest form.
2.- Ill formed sequences:
As REQUIRED by Unicode 3.0, and noted in Unicode Technical Report #36, if a leading byte is followed by an invalid successor byte, then the decoder should NOT consume it.
3.- Integer overflow:
An unsigned short has a size of 16 bits (2 bytes), which is INCAPABLE of storing Unicode characters of 21 bits, represented in UTF-8 with 4 bytes (1111 0xxx 10xx xxxx 10xx xxxx 10xx xxxx). PHP attempts to add a 21-bit value to a 16-bit variable, and then makes no checks on the value.
The Firefox one
Firefox is supposed to consider the non-shortest form exception (point #1 in the PHP vulnerabilities) and section 3.1 of Unicode Technical Report #36, but apparently there’s a flaw in it. This is especially problematic because an overlong Unicode sequence that is not taken into consideration may allow several types of filter bypass.
http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
OWASP tools
by dominee on Mar.27, 2009, under security, Uvahy
OWASP Testing Guide v3: http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

OPEN SOURCE BLACK BOX TESTING TOOLS

General Testing
- OWASP WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
- OWASP CAL9000: CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts. Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
- OWASP Pantera Web Assessment Studio Project
- SPIKE - http://www.immunitysec.com
- Paros - http://www.parosproxy.org
- Burp Proxy - http://www.portswigger.net
- Achilles Proxy - http://www.mavensecurity.com/achilles
- Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
- Webstretch Proxy - http://sourceforge.net/projects/webstretch
- Firefox LiveHTTPHeaders, Tamper Data and Developer Tools - http://www.mozdev.org
- Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html
- Grendel-Scan - http://www.grendel-scan.com

TESTING FOR SPECIFIC VULNERABILITIES

Testing Flash
- OWASP SWFIntruder - http://www.owasp.org/index.php/Category:SWFIntruder, http://www.mindedsecurity.com/swfintruder.html

Testing AJAX
- OWASP Sprajax Project

Testing for SQL Injection
- OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
- Multiple DBMS SQL Injection tool - SQL Power Injector
- MySQL Blind Injection Bruteforcing, Reversing.org - [sqlbftools]
- Antonio Parata: Dump Files by SQL inference on Mysql - [SqlDumper]
- Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
- Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net
- Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
- SQLInjector - http://www.databasesecurity.com/sql-injector.htm
- bsqlbf-1.2-th - http://www.514.es

Testing Oracle
- TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
- Toad for Oracle - http://www.quest.com/toad

Testing SSL
- Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm

Testing for Brute Force Password
- THC Hydra - http://www.thc.org/thc-hydra/
- John the Ripper - http://www.openwall.com/john/
- Brutus - http://www.hoobie.net/brutus/
- Medusa - http://www.foofus.net/~jmk/medusa/medusa.html

Testing for HTTP Methods
- NetCat - http://www.vulnwatch.org/netcat

Testing Buffer Overflow
- OllyDbg - http://www.ollydbg.de
    o "A windows based debugger used for analyzing buffer overflow vulnerabilities"
- Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
    o A fuzzer framework that can be used to explore vulnerabilities and perform length testing
- Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
    o A proactive binary checker
- Metasploit - http://www.metasploit.com/projects/Framework/
    o A rapid exploit development and testing framework

Fuzzer
- WSFuzzer

Googling
- Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

SOURCE CODE ANALYZERS - OPEN SOURCE / FREEWARE
- OWASP LAPSE
- PMD - http://pmd.sourceforge.net/
- FlawFinder - http://www.dwheeler.com/flawfinder
- Microsoft's FxCop
- Splint - http://splint.org
- Boon - http://www.cs.berkeley.edu/~daw/boon
- Pscan - http://www.striker.ottawa.on.ca/~aland/pscan
- FindBugs - http://findbugs.sourceforge.net

ACCEPTANCE TESTING TOOLS - OPEN SOURCE
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.
- WATIR - http://wtr.rubyforge.org
    o A Ruby-based web testing framework that provides an interface into Internet Explorer.
    o Windows only.
- HtmlUnit - http://htmlunit.sourceforge.net
    o A Java and JUnit based framework that uses the Apache HttpClient as the transport.
    o Very robust and configurable and is used as the engine for a number of other testing tools.
- jWebUnit - http://jwebunit.sourceforge.net
    o A Java based meta-framework that uses htmlunit or selenium as the testing engine.
- Canoo Webtest - http://webtest.canoo.com
    o An XML based testing tool that provides a facade on top of htmlunit.
    o No coding is necessary as the tests are completely specified in XML.
    o There is the option of scripting some elements in Groovy if XML does not suffice.
    o Very actively maintained.
- HttpUnit - http://httpunit.sourceforge.net
    o One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
- Watij - http://watij.com
    o A Java implementation of WATIR.
    o Windows only because it uses IE for its tests (Mozilla integration is in the works).
- Solex - http://solex.sourceforge.net
    o An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
- Selenium - http://www.openqa.org/selenium/
    o JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
    o Mature and popular tool, but the use of JavaScript could hamper certain security tests.

