{"id":42,"date":"2011-08-19T04:21:25","date_gmt":"2011-08-19T04:21:25","guid":{"rendered":"http:\/\/www.gironsec.com\/?p=42"},"modified":"2011-08-19T04:21:25","modified_gmt":"2011-08-19T04:21:25","slug":"bad-cod-and-microsoft-web-services","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2011\/08\/bad-cod-and-microsoft-web-services\/","title":{"rendered":"Bad Code and Microsoft Web Services"},"content":{"rendered":"<p>Microsoft gives out way too much info with its web services. Simply dorking for &#8216;asmx&#8217; files gives plenty of web service test pages.<\/p>\n<p>My favorite ones are the ones that don&#8217;t even bother to make sure you&#8217;re on localhost to return info:<\/p>\n<p>http:\/\/mapserv.utah.gov\/WSUTSGID_FeatureAttributes\/default.asmx?op=GetFeatureAttributes_wsdlTest<\/p>\n<p>It reminds me of the mail server I was reversing looking for bugs. Their software protection was meager and their registry key was checked against a web service (just found a random asmx link in the binary). Like the link above, it didn&#8217;t bother making sure I was on the localhost before returning data. What&#8217;s better was that, since it gave me all of the parameters, I was able to construct a dummy web service on my localhost that ALWAYS returned true when I passed the serial number to it.<\/p>\n<p>What does this mean? More and more software is utilizing web services for interaction between their desktop applications and server-based code. 
Don&#8217;t get me wrong, it&#8217;s a great little concept, and C# makes it SO GOD DAMN EASY to do so (connect to web services, that is) it&#8217;s disgusting.<\/p>\n<p>&nbsp;<\/p>\n<pre>&lt;%@ WebService Language=\"C#\" Class=\"FirstService\" %&gt;\r\n\r\n  using System;\r\n  using System.Web.Services;\r\n  using System.Xml.Serialization;\r\n\r\n  [WebService(Namespace=\"http:\/\/localhost\/MyWebServices\/\")]\r\n  public class FirstService : WebService\r\n  {\r\n      [WebMethod]\r\n      public int Add(int a, int b)\r\n      {\r\n          return a + b;\r\n      }\r\n\r\n      [WebMethod]\r\n      public String SayHello()\r\n      {\r\n          return \"web services yo\";\r\n      }\r\n  }<\/pre>\n<p>That&#8217;s it, that&#8217;s all the code you need. As for instantiating it, all you gotta do is use the special form within Visual Studio to connect, then just call it like any other object. Borrowing from MSDN, the web service in this case is just a temperature converter.<\/p>\n<pre>using System;\r\nnamespace Application1\r\n{\r\n   class Class1\r\n   {\r\n      static void Main()\r\n      {\r\n         Converter.Service1 cService = new Converter.Service1();\r\n         Console.WriteLine(\"Temperature in degrees Fahrenheit: \");\r\n         double dFahrenheit = Convert.ToDouble(Console.ReadLine());\r\n         double dCelsius = cService.ConvertTemperature(dFahrenheit);\r\n         Console.Write(\"Temperature in degrees Celsius: \");\r\n         Console.WriteLine(dCelsius.ToString());\r\n      }\r\n   }\r\n}<\/pre>\n<p>&nbsp;<\/p>\n<p>Not much to it, eh? Well, let&#8217;s take it a step further. 
Here&#8217;s an example of a web service which fails hard and is vulnerable to blind SQLI:<\/p>\n<pre>&lt;%@ WebService Language=\"C#\" Class=\"FirstService\" %&gt;\r\n\r\n  using System;\r\n  using System.Data.SqlClient;\r\n  using System.Diagnostics;\r\n  using System.Web.Services;\r\n  using System.Xml.Serialization;\r\n\r\n  [WebService(Namespace=\"http:\/\/localhost\/MyWebServices\/\")]\r\n  public class FirstService : WebService\r\n  {\r\n      \/\/ Deliberately vulnerable: id is concatenated straight into the query (blind SQLi).\r\n      [WebMethod]\r\n      public void fail(string id)\r\n      {\r\n          SqlConnection myConnection = new SqlConnection(\"user id=username;\" +\r\n              \"password=password;server=serverurl;\" +\r\n              \"Trusted_Connection=yes;\" +\r\n              \"database=database; \" +\r\n              \"connection timeout=30\");\r\n          myConnection.Open();\r\n          SqlCommand myCommand = new SqlCommand(\"SELECT username,password FROM users where userid = \" + id, myConnection);\r\n          myCommand.ExecuteNonQuery();\r\n          myConnection.Close();\r\n      }\r\n\r\n      \/\/ Deliberately vulnerable: runs whatever program the caller names and returns its output.\r\n      [WebMethod]\r\n      public String execfail(string cmd)\r\n      {\r\n          Process p = new 
Process();\r\n          p.StartInfo.FileName = cmd;\r\n          p.StartInfo.UseShellExecute = false;\r\n          p.StartInfo.RedirectStandardOutput = true;\r\n          p.Start();\r\n          string output = p.StandardOutput.ReadToEnd();\r\n          p.WaitForExit();\r\n          return output;\r\n      }\r\n  }<\/pre>\n<p>&nbsp;<\/p>\n<p>These two examples, while contrived as all hell, demonstrate how easy it is to fail HARD at web services. Now imagine, like my previous thoughts, there&#8217;s no check for localhost with the web service. All you have to do is cruise over to fail.asmx and you&#8217;ll see the parameters, function name, and even a little box to &#8216;test&#8217;.<\/p>\n<p>&nbsp;<\/p>\n<p>I love you, Microsoft. Keep on failing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft gives out way too much info with its web services. Simply dorking for &#8216;asmx&#8217; files gives plenty of web service test pages. My favorite ones are the ones that don&#8217;t even bother to make sure you&#8217;re on localhost to return info: http:\/\/mapserv.utah.gov\/WSUTSGID_FeatureAttributes\/default.asmx?op=GetFeatureAttributes_wsdlTest It reminds me of the mail server I was reversing looking for 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/42"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=42"}],"version-history":[{"count":1,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/42\/revisions"}],"predecessor-version":[{"id":43,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/42\/revisions\/43"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=42"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=42"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=42"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}