TROTMASTER'S BLOG: Ramblings, adventures of inept superheroes and poorly thought through inventions.<br />
<h2>
Wickr account cloning vulnerability</h2>
Posted 2014-04-27<br />
<h2>
USB backup attacks against Android applications</h2>
Android allows users to make online backups of their application data. This happens silently based on settings created by the applications' developers (<a href="http://developer.android.com/google/backup/index.html">http://developer.android.com/google/backup/index.html</a>). According to the documentation, the data is held in "cloud storage" (the exact definition will vary based on the OEM), allowing users to restore their data when they get a new phone.<br />
<br />
But the backup function also allows users to make backups over USB using the "adb backup" command. This command will back up data from all applications that have not explicitly set the allowBackup flag to false in their manifest. The data that is retrieved is taken from the sandbox of the applications, in essence giving users access to the contents of their applications' sandboxes without being root. This is something that the shell user cannot normally do. For an excellent write-up by Nikolay Elenkov on how to access, edit and restore data using adb backup, see here: <a href="http://nelenkov.blogspot.co.uk/2012/06/unpacking-android-backups.html">http://nelenkov.blogspot.co.uk/2012/06/unpacking-android-backups.html</a><br />
<br />
As an attack vector it is often contrived and unrealistic. Essentially an attacker would need physical access to an unlocked phone. If they have this then they could do all manner of nasty things, like replacing applications, installing trojans or just ringing their premium-rate phone line.<br />
<br />
For a number of applications, however, the vector is more reasonable: the value of the assets is high and they can only be accessed from the sandbox. Below are three applications that can be compromised using the ADB backup/restore functionality:<br />
<br />
<br />
MyWickr (com.mywickr.wickr) - 1.9.8.8 Beta<br />
F-Secure Freedome VPN (com.fsecure.freedome.vpn.security.privacy.android) - 1.04<br />
OpenVPN (net.openvpn.openvpn) - 1.1.12<br />
<br />
<br />
<h3>
OpenVPN / F-Secure Freedome VPN</h3>
Both the OpenVPN and F-Secure Freedome apps were found to allow backups over ADB.<br />
<br />
According to Android documentation:<br />
<blockquote class="tr_bq">
android:allowBackup<br />
Whether to allow the application to participate in the backup and restore infrastructure. If this attribute is set to false, no backup or restore of the application will ever be performed, even by a full-system backup that would otherwise cause all application data to be saved via adb. The default value of this attribute is true.</blockquote>
<br />
Performing a backup on the Freedome app we can see the following:<br />
<br />
<pre class="brush: shell" name="code">androidvm@androidvm:/tmp$ adb backup com.fsecure.freedome.vpn.security.privacy.android
Now unlock your device and confirm the backup operation.
androidvm@androidvm:/tmp$ dd if=backup.ab bs=1 skip=24| openssl zlib -d > backup.tar
8726+0 records in
8726+0 records out
8726 bytes (8.7 kB) copied, 0.0134311 s, 650 kB/s
androidvm@androidvm:/tmp$ tar -xaf backup.tar
androidvm@androidvm:/tmp$ cd apps/com.fsecure.freedome.vpn.security.privacy.android/
androidvm@androidvm:/tmp/apps/com.fsecure.freedome.vpn.security.privacy.android$ ls -la
total 24
drwxrwxr-x 5 androidvm androidvm 4096 Jan 14 16:15 .
drwxrwxr-x 3 androidvm androidvm 4096 Jan 14 16:15 ..
drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 f
-rw------- 1 androidvm androidvm 1506 Jan 14 16:15 _manifest
drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 r
drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 sp
androidvm@androidvm:/tmp/apps/com.fsecure.freedome.vpn.security.privacy.android$ ls f/
clp-beta-prov.client.crt clp-beta-prov.client.key clp-beta-prov.servers.conf clp-ca-server.pem pvpn.conf
</pre>
<br />
We can see that there are a number of files available for us either to simply read, or to alter and restore.<br />
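As an added example (not from the post), here is a small Python parser for the .ab container. It shows where the 24 bytes skipped by the dd command above come from (four header lines: magic, version, compressed flag, encryption), and it refuses encrypted backups, which the skip-and-inflate trick cannot unpack. The sample archive is constructed in the code and only mirrors the Freedome file names listed above.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Parse the plaintext header of an adb backup (.ab) file.

    The header is four newline-terminated lines: the magic string, the format
    version, a compressed flag ("1"/"0") and the encryption algorithm ("none" or
    "AES-256"). Returns the fields plus the offset at which the payload starts;
    for "ANDROID BACKUP\\n1\\n1\\nnone\\n" that offset is 24, hence the dd skip.
    """
    fields = []
    pos = 0
    for _ in range(4):
        nl = data.find(b"\n", pos)
        if nl < 0:
            raise ValueError("truncated adb backup header")
        fields.append(data[pos:nl])
        pos = nl + 1
    magic, version, compressed, encryption = fields
    if magic != AB_MAGIC:
        raise ValueError("not an adb backup file (bad magic)")
    return {
        "version": int(version.decode("ascii")),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
        "payload_offset": pos,
    }


def ab_to_tar_bytes(data):
    """Return the tar archive carried by an unencrypted .ab file.

    Same transformation as `dd ... skip=24 | openssl zlib -d`, but the header
    length is parsed rather than assumed, and an encrypted backup (more header
    lines, payload is ciphertext rather than a zlib stream) is refused up front.
    """
    header = parse_ab_header(data)
    if header["encryption"] != "none":
        raise ValueError("encrypted backup (%s): skip-24-and-inflate will not work"
                         % header["encryption"])
    payload = data[header["payload_offset"]:]
    return zlib.decompress(payload) if header["compressed"] else payload


def list_ab_files(data):
    """Names of the sandbox files inside an unencrypted .ab file, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar_bytes(data)), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def build_sample_ab(files, compressed=True):
    """Build a constructed version-1, unencrypted .ab file from {path: bytes}.

    Stand-in for real `adb backup` output so the parser can run offline.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = buf.getvalue()
    if compressed:
        payload = zlib.compress(payload)
    header = AB_MAGIC + b"\n1\n" + (b"1\n" if compressed else b"0\n") + b"none\n"
    return header + payload


# Constructed sample mirroring the Freedome sandbox layout listed above; contents are dummies.
FREEDOME_APP = "apps/com.fsecure.freedome.vpn.security.privacy.android/"
SAMPLE_AB = build_sample_ab({
    FREEDOME_APP + "_manifest": b"constructed manifest\n",
    FREEDOME_APP + "f/clp-beta-prov.client.crt": b"constructed certificate\n",
    FREEDOME_APP + "f/clp-beta-prov.client.key": b"constructed private key\n",
    FREEDOME_APP + "f/pvpn.conf": b"constructed vpn config\n",
})

if __name__ == "__main__":
    print(parse_ab_header(SAMPLE_AB))
    for name in list_ab_files(SAMPLE_AB):
        print(name)
```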
<br />
For Freedome, we are able to overwrite the configuration and key files used by the application. This would mean that every time the user then ran this application, they would connect to our malicious VPN. This would allow us to MITM the user's traffic.<br />
<br />
The OpenVPN app looked almost identical in terms of what we could access and change. This would give us access to the user's private VPN keys and configuration, letting us connect to their VPN. It would also allow us to overwrite the VPN settings, as with Freedome, and have them connect to our malicious VPN without realising it.<br />
<br />
<h3>
Wickr</h3>
Wickr was also found to allow backups, as it does not explicitly disable them.<br />
<br />
MyWickr allows users to select the "remember me" option. If this is selected (the user must accept a warning), then they can log in to the app without entering their password. When they choose this option, two extra files are created in the sandbox (pcc.wic and pcd.wic). These can be accessed using the ADB backup.<br />
<br />
<pre class="brush: shell" name="code">androidvm@androidvm:/tmp/com.mywickr.wickr$ ls
db f _manifest r sp
androidvm@androidvm:/tmp/com.mywickr.wickr$ ls f/
icu magic.mgc pcc.wic pcd.wic
</pre>
<br />
This would allow an attacker to clone an account by performing an ADB backup on the victim device and then an ADB restore on to a different device. A safeguard against this is that Wickr's functionality relies on the Android device ID for decryption. Unfortunately, Wickr stores the device ID in a shared preferences file when the app is first run. As this file is copied as part of the backup, the security control doesn't work.<br />
<br />
It is therefore possible for an attacker to clone a Wickr account on to a different device using the ADB backup/restore functionality. Below is a video demoing a Wickr account on the device on the left being cloned on to the device on the right.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dwL7HCStJjulHTZB8_GrTwWakZqhfQK_bv1HBd5mEEMGQVsTw_6Lx7RqFwrJJcjNlYmuxk76e10Y7Xpv9br' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<br />
<br />
<h3>
Communication with Wickr</h3>
19-01-2014 - Emailed Wickr with details of vulnerability<br />
12-02-2014 - Wickr replied accepting issue as a valid vulnerability<br />
15-04-2014 - Wickr permitted vulnerability to be disclosed<br />
<h2>
Is your phone here? Then own that too</h2>
Posted 2014-01-24<br />
So an interesting post has been made by Symantec regarding a piece of Windows malware. Nothing unusual in that, except that it has a quick poke at ADB.<br />
<br />
<a href="http://www.symantec.com/connect/blogs/windows-malware-attempts-infect-android-devices">http://www.symantec.com/connect/blogs/windows-malware-attempts-infect-android-devices</a><br />
<br />
ADB (the Android Debug Bridge) is used mainly by Android application developers to unlock extra features on their Android phone and allows them to more easily sideload and monitor applications.<br />
<br />
Enabling this feature is not trivial. On a modern phone you need to display the initially hidden settings menu, select to enable ADB, accept the warning, plug in the phone via USB, accept the PC's RSA certificate, install adb on the PC and finally run adb from the command line.<br />
<br />
This surely represents a very small group of people. But the malware takes a poke anyway...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.symantec.com/connect/sites/default/files/users/user-2998361/figure1_11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.symantec.com/connect/sites/default/files/users/user-2998361/figure1_11.png" height="265" width="320" /></a></div>
<br />
<br />
According to Symantec, it installs adb and then tries to run "adb.exe install AV-cdk.apk", a malicious app designed to attack Korean bank users. It would require the user to have their Android phone, with ADB enabled, plugged in to the PC via USB. This raises a number of interesting options:<br />
1. If the malware is doing other things, then this is perhaps just a stab in the dark that might affect 1 in a million.<br />
2. The malware is targeting a very niche group of people: developers.<br />
<br />
<h2>
Android to Arduino: the code</h2>
Posted 2013-12-10<br />
In a follow-up to the Android to Arduino post, here's the code used. The code currently takes a command from an Android app (a button press) and sends a value to the Arduino over serial. In the meantime the Arduino is sending a "nop" string back to the app every second. Not much, but enough to prove input and output over serial.
<br />
<a href="http://youtu.be/zcdz1fehmDQ">Video of it working here</a>
<br />
Arduino code:
<br />
<pre class="brush: cpp" name="code">#include &lt;Servo.h&gt;

String inData;   // buffer for the characters received so far
Servo myservo;
int pos = 0;

// the setup routine runs once when you press reset:
void setup() {
  // initialize serial communication at 115200 bits per second:
  Serial.begin(115200);
  myservo.attach(14);
}

// the loop routine runs over and over again forever:
void loop() {
  while (Serial.available() > 0)
  {
    char received = Serial.read();
    inData += received;

    // Process message when new line character is received
    if (received == '\n')
    {
      Serial.print("Arduino Received: ");
      Serial.print(inData);
      Serial.print("\n");
      inData.trim();
      int dataAsInt = inData.toInt();
      // only move the servo for a sane angle
      if (dataAsInt > 0 && dataAsInt < 360)
      {
        myservo.write(dataAsInt);
      }
      inData = "";   // clear the receive buffer for the next message
    }
  }
  // tell the Android app we are alive, once a second
  Serial.println("nop");
  delay(1000);
}
</pre>
The Java app is based on the example from <a href="https://github.com/mik3y/usb-serial-for-android/tree/master/UsbSerialExamples">https://github.com/mik3y/usb-serial-for-android/tree/master/UsbSerialExamples</a>, but has a button with an onClick function that calls <code>mSerialIoManager.writeAsync("10\n".getBytes());</code><br />
<h2>
Linking Android to Arduino</h2>
Posted 2013-12-02<br />
I've started our latest project (to be unveiled soon). It requires an Arduino to receive commands from an Android device. It needs to be as light as possible, so ideally it needs to be powered from the USB connection.<br />
<br />
I've seen a number of solutions using the Android ADK and special Arduinos, but this seems rather unnecessary. The problem seems to be the USB communication on either side, requiring USB shields (<a href="http://www.freetronics.com/products/usbdroid#.Upz8jx8hG1E">http://www.freetronics.com/products/usbdroid#.Upz8jx8hG1E</a>). Alternatively there's Bluetooth (<a href="http://blog.arduino.cc/2013/07/18/how-to-control-arduino-board-using-an-android-phone/">http://blog.arduino.cc/2013/07/18/how-to-control-arduino-board-using-an-android-phone/</a>), but that would mean an external power source.<br />
<br />
So instead, just use a serial interface. There are Java libraries that can be used on Android. Everything, including examples, can be found here:
<a href="https://github.com/mik3y/usb-serial-for-android">https://github.com/mik3y/usb-serial-for-android</a><br />
<br />
I've hooked up my Arduino Uno to an SIII using an A to B USB cable and an OTG cable. It all works nicely.<br />
Stay tuned for what we're going to use it for ;-)<br />
<h2>
How Many Apps are on my phone?</h2>
Posted 2013-11-14<br />
I've seen several people posting about how they have "over a hundred apps" on their phone. I don't think this is accurate. There are a lot of apps installed by default that the user doesn't see (and can't uninstall).<br />
Interestingly, I couldn't find a good way to display the total number of packages (apps) installed on a device using the GUI. You can list apps using Settings->Apps, but this is incomplete.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga1DuMAVw_RGqeDRYd-C1hJZNSRMkpgIBs1mXewj6PyyrjmgsKnQqVr1E180k-2X6dcLgiCv6ehQb76ZVQs2e2XoF52xrDYHjJ3bRiPEt1PKLwJ0zBiG6GDAib-tKT-0kZbqMdG2UdXWZC/s1600/out.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga1DuMAVw_RGqeDRYd-C1hJZNSRMkpgIBs1mXewj6PyyrjmgsKnQqVr1E180k-2X6dcLgiCv6ehQb76ZVQs2e2XoF52xrDYHjJ3bRiPEt1PKLwJ0zBiG6GDAib-tKT-0kZbqMdG2UdXWZC/s320/out.png" /></a></div>
Instead, using a USB cable and ADB it's possible to get a clearer picture.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWnjkkJfFrgyhpessJVJ3aDRWUnxuj4FHYDpbOB0_nYvwY7v8-pm3y9-99yOECS8KmVPKt9Ez43mc4-ObMWtfqRcWEDppHuWLaL0qlYKD8H0bYhrTXW6SQUweaY13UnIIzp0UBZvf36c5z/s1600/Screenshot+from+2013-11-14+21:11:53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWnjkkJfFrgyhpessJVJ3aDRWUnxuj4FHYDpbOB0_nYvwY7v8-pm3y9-99yOECS8KmVPKt9Ez43mc4-ObMWtfqRcWEDppHuWLaL0qlYKD8H0bYhrTXW6SQUweaY13UnIIzp0UBZvf36c5z/s320/Screenshot+from+2013-11-14+21:11:53.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQbwaqrLQhpydSEfxVwlPRzeqYkdpQ8JN75rEyBto032hGWrCNqV4MoUmWqDDjTfETE0b54LEEsF_wdCyh8sHVHpqwQ19lKQdOaEAPOGH7ndjhPwbaz8jO1LAMf0uWXxKsZ5g-Nz8KDavg/s1600/Screenshot+from+2013-11-14+21:12:31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQbwaqrLQhpydSEfxVwlPRzeqYkdpQ8JN75rEyBto032hGWrCNqV4MoUmWqDDjTfETE0b54LEEsF_wdCyh8sHVHpqwQ19lKQdOaEAPOGH7ndjhPwbaz8jO1LAMf0uWXxKsZ5g-Nz8KDavg/s320/Screenshot+from+2013-11-14+21:12:31.png" /></a></div>
So the total number is more like over 300.<br />
<h2>
automated odex to dex script</h2>
Posted 2013-09-19<br />
When grabbing a new Android device, most applications' dex files have been optimised for the device. A few people have written guides to using smali and baksmali in this situation (<a href="http://forum.xda-developers.com/showthread.php?t=1208320">http://forum.xda-developers.com/showthread.php?t=1208320</a>), but here's a handy script to do it all. You'll need smali.jar and baksmali.jar in the local directory when you run it.<br />
<br />
<br />
<pre class="brush: shell" name="code">#!/bin/bash
echo "+------------------------------+"
echo "+                              +"
echo "+        mass de-odexer        +"
echo "+          TROTMASTER          +"
echo "+                              +"
echo "+------------------------------+"
mkdir BOOTCLASSPATH 2>/dev/null
mkdir tobedeodexed 2>/dev/null
mkdir deodexed 2>/dev/null
# clear out the previous contents. COMMENT THIS OUT IF YOU ARE USING THE SAME BOOTCLASSPATH etc.
rm BOOTCLASSPATH/* 2>/dev/null
rm tobedeodexed/* 2>/dev/null
rm deodexed/* 2>/dev/null
# get bootclasspath files TODO: get only .jar files
echo "pulling boot class path files..."
adb pull /system/framework/ BOOTCLASSPATH/ > /dev/null 2>&1
# get odexes (the sed strips the trailing carriage return that adb shell adds to each line)
echo "pulling .odex files..."
for i in $(adb shell ls /system/app/*.odex | sed -e 's/odex./odex/'); do
    adb pull "$i" "tobedeodexed/$(basename "$i")" > /dev/null 2>&1
done
# Now run baksmali then smali to change odex to dex. May need -a to change the api level
for i in tobedeodexed/*.odex; do
    name=$(basename "$i" .odex)
    rm -R out/ 2>/dev/null
    echo "baksmali-ing $name.odex"
    java -Xmx1024m -jar baksmali.jar -x "$i" -d BOOTCLASSPATH/
    echo "smali-ing $name.odex"
    java -Xmx1024m -jar smali.jar -o "deodexed/$name.dex" out
done
</pre>
<h2>
Setting the phone number in an Android emulator</h2>
Posted 2013-09-08<br />
So this is another short post to help answer a question that the Internet seems to faff around with:<br />
"How do I set the phone number in an Android emulator?"<br />
<br />
This was important for me as I have been producing a proof of concept app that relies on using the phone number as a way of identifying you. Rather hard if all the emulators are on the same number.<br />
<br />
So as a result it appears that the following information can be used:<br />
- The number of the phone ends in the four digits relating to the port number that the emulator is listening on. So for instance when it's run on port 5554:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdQmqeMqBuvks_b_9BVAQBuk9EHrMlpuOLPfru-8U60pKn-akIQ79D40rkO82gzHj-BoaP7E5NjOOYCB0l_jvJbOqIndJGBrcit965C7k51kh7yG732TDg24-I8Uulbc8GPtXKlENsgYBC/s1600/Screenshot+from+2013-09-08+11:37:59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdQmqeMqBuvks_b_9BVAQBuk9EHrMlpuOLPfru-8U60pKn-akIQ79D40rkO82gzHj-BoaP7E5NjOOYCB0l_jvJbOqIndJGBrcit965C7k51kh7yG732TDg24-I8Uulbc8GPtXKlENsgYBC/s1600/Screenshot+from+2013-09-08+11:37:59.png" height="286" width="320" /></a></div>
<br />
To change it, you can run <code>./emulator -avd &lt;your-emulator-name&gt; -port &lt;port-to-listen-on&gt;</code><br />
There doesn't seem to be a way to set the port when using Eclipse's AVD manager, but they will at least start on incrementing ports from 5554 onwards, so there is no chance of a collision.<br />
<h2>
android adb - daemon still not runningerror: cannot connect to daemon</h2>
Posted 2013-09-05<br />
For people getting:<br />
<br />
<pre class="brush: shell" name="code">* daemon not running. starting it now on port 5037 *
* daemon started successfully *
** daemon still not runningerror: cannot connect to daemon
</pre>
Check your iptables!
<br />
If you are whitelisting INPUT on the local interface, you'll get this error. You need to allow at least port 5037 through on lo.
<br />
Or if you're happy with allowing all input on lo:
<br />
<pre class="brush: shell" name="code">sudo iptables -I INPUT -i lo -j ACCEPT
</pre>
Hope that saves you the hour I just wasted :-)<br />
<h2>
Android webview security loadDataWithBaseURL</h2>
Posted 2013-07-19<br />
A quick lesson in web views in Android. Normally they are a big risky area, be it adding JavaScript interfaces (<a href="http://labs.mwrinfosecurity.com/blog/2012/04/30/building-android-javajavascript-bridges/">http://labs.mwrinfosecurity.com/blog/2012/04/30/building-android-javajavascript-bridges/</a>), or just generally enabling JavaScript and opening yourself up to WebKit exploits (which, given how little the OEMs update their firmware, is not hard to do).<br />
<br />
So another interesting bit to concern yourself with is found in the code on the following page:<br />
<a href="http://www.androidsnippets.com/webview-with-custom-html-and-local-images">http://www.androidsnippets.com/webview-with-custom-html-and-local-images</a><br />
<br />
The code is as follows:<br />
<pre class="brush: java" name="code">/**
 * This code loads a custom HTML from a string which references a local image
 * - for this to work, simply place the image in the directory /assets/
 */
public void loadHTML() {
    final String mimeType = "text/html";
    final String encoding = "utf-8";
    final String html = "&lt;h1&gt;Header&lt;/h1&gt;Custom HTML"
            + "&lt;img src=\"file:///android_asset/image1.jpg\" /&gt;";
    WebView wv = (WebView) findViewById(R.id.wv1);
    // first argument: the base URL against which relative links in the page are resolved
    wv.loadDataWithBaseURL("fake://not/needed", html, mimeType, encoding, "");
}
</pre>
<div class="prettyprint" id="code_pre" name="code">
<br /></div>
<div class="prettyprint" id="code_pre" name="code">
The problem is with loadDataWithBaseURL's first argument. This defines how relative links on the page should be dealt with. Normally setting it to null or "" is enough, although this obviously produces invalid links. A better way is to use "file://android_asset". The problem with "fake:" is that if any other app registers for this custom URL scheme, it will receive the link and start one of its activities.</div>
<div class="prettyprint" id="code_pre" name="code">
<br /></div>
<div class="prettyprint" id="code_pre" name="code">
Not a bad issue, unless the URL has sensitive data in it, right? Well, as a malware writer, this could still be useful. Imagine if this screen is part of the Facebook app and has a relative link on it, or has JavaScript that changes window.location to a relative page. All the malware needs to do is dress the pop-up screen in nice Facebook attire and ask the user to re-enter their creds. It doesn't even require the malware app to request any permissions from the user.</div>
<div class="prettyprint" id="code_pre" name="code">
<br /></div>
<div class="prettyprint" id="code_pre" name="code">
To fix it, just set the base URL to null, or include a custom WebViewClient (setWebViewClient).</div>
<h2>
Beer fridge on the go</h2>
Posted 2013-04-20<br />
<div class="separator" style="clear: both; text-align: center;">
(video of the fridge in action; Flash embed removed)</div>
<br />
It's been a little while since my last post about the beer fridge so let's get you up to date. Since my last post:<br />
1. My company has sponsored the fridge (so they'll pay for all the parts :-) )<br />
2. We spent a Saturday getting to work on it.<br />
3. It's not finished yet<br />
4. I'm having issues with the MOSFET/solenoid part<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEf1XYmPpjLpoKljvzbEIvzFKlQWHMRGh5ONGBCDDAkmb7fMp7C5fOFXUTQjR8W0PsG1QAmqVUxzzZo4I6JSpA43QGuALR3dqucgCJgu100v1xZur5KWmeOeOjKNY3KWvOpsqnXRkrbfhE/s1600/IMG_20130406_171653.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEf1XYmPpjLpoKljvzbEIvzFKlQWHMRGh5ONGBCDDAkmb7fMp7C5fOFXUTQjR8W0PsG1QAmqVUxzzZo4I6JSpA43QGuALR3dqucgCJgu100v1xZur5KWmeOeOjKNY3KWvOpsqnXRkrbfhE/s1600/IMG_20130406_171653.jpg" height="240" width="320" /></a></div>
<br />
The basic design is as follows:<br />
A fridge will be locked from the inside by a set of solenoids acting as bar locks. The solenoids and the corresponding LEDs are controlled by an Arduino. The Arduino takes commands from a Raspberry Pi over serial and the Pi will have network connectivity.<br />
<br />
If you want to open the fridge, complete the fiendish hacking challenges on the Pi. Each challenge will control one or more solenoids. Unlocking a solenoid will only keep it unlocked for 30 seconds.<br />
<br />
On the front of the fridge is a little black box. This has a set of red and green LEDs that will change whenever a lock is opened. There will also be (very importantly) a key lock that will bypass all challenges and power all the solenoids. This is because if (when) the Pi or Arduino crashes, I still have a way to open the fridge. Otherwise it would be a matter of a crowbar and damage.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg789hvCnAHDQ7KG_gXRsqknyED-FDKpHpGC-O7t9Neq3K9JqwwgIkZah9r_Drlu4cHCfIVYyNKVGcV0MPFpq7d6Ey8I8VMF5lQGtPzsJ4rhs4E6agbFXFOy5sQhyphenhyphenlRKnNSz4gqOCM8nKjq/s1600/IMG_20130406_172447.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg789hvCnAHDQ7KG_gXRsqknyED-FDKpHpGC-O7t9Neq3K9JqwwgIkZah9r_Drlu4cHCfIVYyNKVGcV0MPFpq7d6Ey8I8VMF5lQGtPzsJ4rhs4E6agbFXFOy5sQhyphenhyphenlRKnNSz4gqOCM8nKjq/s1600/IMG_20130406_172447.jpg" height="320" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">fridge with the override lock</td></tr>
</tbody></table>
The next steps will be getting it in a working state. Currently there is only 1 solenoid (they are an absolute pain to mount correctly given the fridge's build and the small range of motion of the solenoid).<br />
<br />
I was thinking of having a Python script that sent the command over serial. The problems are that the exact serial port can change and also that writing to the serial port requires root permissions. I need to create a user to do this and then setuid the Python file (possible?).<br />
<br />
Finally it will be a matter of mounting it on the door. I'm a little worried that the condensation inside the fridge will screw with the electronics. Time will tell.<br />
<h2>
SQLite injection - beyond SELECT</h2>
Posted 2013-03-23<br />
I work a lot with mobile, and that means whenever I see SQL injection vulns, chances are that they're in SQLite. This is a massive pain because:<br />
a) no-one really writes guides/tools for SQLite injection<br />
b) It's really limited (as we'll see)<br />
<br />
Unfortunately this post is about what is <b>not</b> possible in SQLite injection. Hopefully it will give you a guide to where to focus attacks/defence.<br />
<br />
SQLite's SQL, as my previous post mentioned, is a subset of regular SQL. There's no command execution, file reading/writing or anything particularly cool. You can't even stack queries unless the developer is using less orthodox functions (like rawQuery). In essence it normally boils down to information disclosure (i.e. reading from tables that you shouldn't).<br />
<br />
<h3>
Select Statements in Mobile SQLite</h3>
With Android you (as the attacker) will hopefully be able to inject into the 'projection' variable, that is the part that goes in the "SELECT ____ FROM". This obviously allows you to redirect the statement anywhere else. The ideal test is to try projection=" * FROM SQLITE_MASTER; -- ". If you can get to the master table, you can get anywhere else (unless the programmer has some custom code ready to blacklist you out of having fun).<br />
Failing this, you could try the 'selection' variable and attempt a UNION statement (see my <a href="http://trotmaster.blogspot.co.uk/2012/04/sqlite-injection.html">previous post</a> for more details).<br />
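As an added example (not from the post), the projection injection described above is reproduced against a constructed in-memory SQLite database using Python's sqlite3 module, next to a hardened query builder that allowlists projection columns and binds the WHERE value as a parameter. The table names, rows and the "notes"/"secrets" split are made up for the demonstration.

```python
import sqlite3

# Columns the provider is willing to expose; anything else is rejected before SQL is built.
ALLOWED_COLUMNS = ("id", "title")


def make_db():
    """Constructed in-memory stand-in for an app's .db file: one table the caller
    may read (notes) and one it must not reach (secrets)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE notes(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO notes(title) VALUES ('shopping'), ('todo');
        INSERT INTO secrets(token) VALUES ('constructed-secret-token');
    """)
    return con


def query_vulnerable(con, projection, selection, selection_args):
    """The pattern the post describes: the caller-supplied projection is pasted
    straight into "SELECT ____ FROM", so it can redirect the whole statement."""
    sql = "SELECT " + projection + " FROM notes WHERE " + selection
    return con.execute(sql, selection_args).fetchall()


def query_hardened(con, projection, title):
    """Allowlist the projection column by column and keep the WHERE clause fixed,
    binding the value as a parameter instead of splicing it into the SQL."""
    columns = [c.strip() for c in projection.split(",")]
    unknown = [c for c in columns if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("rejected projection column(s): %r" % unknown)
    sql = "SELECT " + ", ".join(columns) + " FROM notes WHERE title = ?"
    return con.execute(sql, (title,)).fetchall()


def tables_leaked(rows):
    """Table names present in rows that came back from sqlite_master
    (columns: type, name, tbl_name, rootpage, sql)."""
    return sorted(r[1] for r in rows if r[0] == "table")


if __name__ == "__main__":
    db = make_db()
    print(query_vulnerable(db, "title", "title = ?", ("shopping",)))
    # The post's test payload: everything the developer wrote after it becomes a comment,
    # so the statement now reads from sqlite_master instead of notes.
    rows = query_vulnerable(db, " * FROM SQLITE_MASTER; -- ", "1=1", ())
    print(tables_leaked(rows))
    try:
        query_hardened(db, " * FROM SQLITE_MASTER; -- ", "shopping")
    except ValueError as err:
        print(err)
```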
<br />
This week has been spent looking at the other commands (INSERT, UPDATE, DELETE). The goal for the attacker is to change values in other tables in the .db file. The big issue here is that the table to be queried is selected before your variables get included.<br />
<br />
<h3>
Inject into INSERT statements </h3>
<br />
INSERT INTO TABLENAME <i>(field1, field2)</i> VALUES <i>(val1, val2)</i><br />
<br />
Here you can maybe control <i>field1</i> &amp; 2 and <i>val1</i> &amp; 2. The problem is that you can't jump tables. SQLite doesn't permit UNIONs or JOINs in anything other than SELECT statements. You can use CASE to hide SELECT statements in the middle of this, but that doesn't get you much in the way of data-altering powers. You also can't use table.field in the query. Essentially you are stuck altering the data within that table.<br />
<br />
It is therefore possible, through inference from values being changed with CASE statements, to read data from another table, but it's not possible to jump to and attack other tables.<br />
<br />
<h3>
Inject into UPDATE or DELETE statements</h3>
UPDATE table SET (<i>val1 </i>= <i>val2</i>) WHERE <i>condition</i><br />
DELETE FROM table WHERE <i>condition</i><br />
<br />
Similarly the update query permits field names (<i>val1</i>), updated values (<i>val2</i>) and where clauses (<i>condition</i>), but no changing of the table name. The delete function is similarly limited.<br />
<br />
I'm scratching my head trying to find a more useful attack vector that somehow nests more useful things inside these statements. All comments are welcome. In the meantime, this should make for some useful reading: <a href="http://www.sqlite.org/syntaxdiagrams.html">http://www.sqlite.org/syntaxdiagrams.html</a><br />
<br />
<h2>
Hacking Android dynamic Broadcast Receivers (2013-03-04)</h2>
An interesting point was raised this week when the subject of attacking IPC endpoints in Android applications was being discussed.<br />
Attacking endpoints is a method by which a malicious application on an Android device can communicate with, and misuse, functions of other applications installed on the device. This can lead to anything from information disclosure to code execution.<br />
<br />
To find these endpoints it's normally a matter of checking the application's manifest file (which can be recovered from the APK):<br />
<br />
<code>
adb shell "pm list packages"<br />adb shell "pm path com.example.apptotest"<br />adb pull /data/app/com.example.apptotest-1.apk<br />aapt d xmltree com.example.apptotest-1.apk AndroidManifest.xml</code><br />
<br />
This process (which can be sped up with <a href="http://mwr.to/mercury">mercury</a>) gives you a long listing from which you can identify which of these endpoints are exported, whether on purpose or otherwise, and which have permissions.<br />
<br />
This gives us a list of things to look at in the code, but I believe we are missing a step here. It assumes that these are the only endpoints we can talk to. Obviously some require permissions that we, as a malicious app, might have ourselves just by asking the user for them, but for this instance the malware will have zero permissions.<br />
<br />
It is possible to register a broadcast receiver dynamically, typically by doing the following:<br />
<code>registerReceiver(myReceiver, new IntentFilter("android.some.THING"));</code> (where <i>myReceiver</i> is a BroadcastReceiver)<br />
<br />
This is fine, and often required to listen out for an event on a device. There are two things that can go badly wrong here though. First, if the broadcast filter is listening for an intent that isn't a restricted broadcast then the malicious app can start sending them without needing any permissions. Secondly, if the receiver goes on to use the extras sent with the broadcast, or to start running other functions, then the malware has a whole new entry point to your application.<br />
Of course it would require the malware to send the broadcast at the right moment, but hell, just have it send the broadcast every second and run all the time.<br />
<br />
To protect your broadcast, you need to specify a permission when you register it (<a href="http://developer.android.com/reference/android/content/Context.html#registerReceiver%28android.content.BroadcastReceiver,%20android.content.IntentFilter,%20java.lang.String,%20android.os.Handler%29">details here</a>); secondly, don't trust the data that is being sent with it. It has crossed a trust boundary to arrive in your app, so validate it!<br />
Details on Android permissions can be found <a href="http://www.android-permissions.org/permissionmap.html">here</a>.<br />
<br />
<h2>
What is Android application licensing? (2012-12-01)</h2>
I ran into this permission this morning:<br />
<br />
com.android.vending.CHECK_LICENSE<br />
<br />
What it means is that the app will check with Google play (aka android marketplace) that the app was bought by the user that is now running it. The application holds the public key and uses this to check the "check_license" response from Google.<br />
<br />
Is it possible to mess with this process? Well it would depend on where the public key is stored and how Google implements the process (including obviously security of transmission).<br />
<br />
One thing that immediately stands out is this following piece of advice from Android themselves:<br />
<blockquote class="tr_bq">
A typical implementation would extract some or all fields from the license
response and store the data locally to a persistent store, such as through
<code><a href="http://developer.android.com/reference/android/content/SharedPreferences.html">SharedPreferences</a></code> storage, to ensure that the data is
accessible across application invocations and device power cycles. For example,
a <code>Policy</code> would maintain the timestamp of the last successful license check, the
retry count, the license validity period, and similar information in a
persistent store, rather than resetting the values each time the application is
launched.</blockquote>
SharedPreferences is only secured by the sandbox model. This means any rooted device would permit the user to alter these values simply by editing the .xml file.<br />
<br />
What Google have done to allow developers to defend against this is to create AESObfuscator. This encrypts the data using the Android ID as the key. Obviously this is still recoverable by the user, but certainly makes it take a little longer to perform.<br />
<br />
I can foresee two attacks coming out of this.<br />
#1 - Applications on 3rd party app stores stating they can "unlock" licensed applications. They would require a r00ted device to work and could do all sorts of nefarious things in the background. Because they would not be allowed on Google Play, they would have no checking and could contain malware.<br />
<br />
#2 - Applications implementing their own obfuscation or trusting license info input. There is a long history of Android applications assuming the best about files in their own sandbox and implementing their own logic and functions using the data they contain. It allows attackers who can overcome the sandbox (say by running on a rooted device) to inject data that is then used in the context of the app.<br />
<br />
<h2>
On the road with Arduino (2012-10-31)</h2>
Well the Arduino UNO <a href="http://proto-pic.co.uk/proto-pic-boffin-kit-for-arduino-uno/">kit</a> has arrived and I'm very impressed. Lots of things to try and I'm already well beyond the flashing LED tutorial that is the electronics version of HelloWorld.<br />
<br />
Some quick experimenting has shown that the servo is easy to position using this <a href="http://www.arduino.cc/playground/ComponentLib/servo">example</a>. Similarly I have built up a quick serial communication sketch that replies to a specific string (based on <a href="http://www.smacula.co.uk/2011/07/arduino-serial-communication.html">this</a>). Interestingly you need to <a href="http://binglongx.wordpress.com/2011/09/27/arduino-and-putty/">tweak</a> PuTTY to talk to it correctly.<br />
<blockquote class="tr_bq">
<code>
// Command line variables<br />
String command; // String input from command prompt, built up one byte at a time<br />
char inByte; // Byte input from command prompt<br />
<br />
void setup(){<br />
Serial.begin(9600);<br />
}<br />
<br />
void loop(){<br />
// Input serial information:<br />
if (Serial.available() > 0){<br />
inByte = Serial.read();<br />
// only append if a letter, number, =, ? or + was typed!<br />
if ((inByte >= 65 && inByte <= 90) || (inByte >= 97 && inByte <= 122) || (inByte >= 48 && inByte <= 57) || inByte == 43 || inByte == 61 || inByte == 63) {<br />
command.concat(inByte);<br />
}<br />
// Process the command when NL/CR is entered. This sits inside the available() block<br />
// so that a stale inByte is not re-processed on every pass of loop():<br />
if (inByte == 10 || inByte == 13){<br />
if (command.equalsIgnoreCase("hey")){<br />
Serial.println("hello there!");<br />
}<br />
command = "";<br />
}<br />
}// end serial.available<br />
}</code></blockquote>
<h2>
ASCII only exploiting (2012-10-26)</h2>
So an interesting problem was given to a group of us this week. The vulnerable function in IE was controlled using an ASCII string. Most people took this as a sign that heap spraying was required and therefore used a string like " " to point to heap space and hopefully their NOP sled.<br />
<br />
I took the "crafty" approach and instead decided that the whole shell code could be contained in the string, not just the pointer.<br />
<br />
msfencode (part of Metasploit) has an excellent encoder option that will encode using only alphanumeric characters. Unfortunately, when you try this you will get non-alphanumeric characters mixed in wherever it fails to find the right commands.<br />
<br />
<blockquote class="tr_bq">
msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/alpha_mixed</blockquote>
<br />
<br />
In this case, you will need to find a ROP gadget to move the address of the start of your shellcode into one of the registers. If you're lucky it will already be in one. You can then give it to msfencode as an argument:<br />
<blockquote class="tr_bq">
msfpayload windows/exec CMD=calc.exe R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed</blockquote>
If you need to go searching for a ROP gadget there are a couple of tools that may help you. First check out Immunity's !gadget command. Alternatively there's Mona, a Python add-on (<a href="https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/">https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/</a>). These were enough to search through for a non-ASLR'd gadget that moved the right value to the right register.<br />
<br />
<br />
<h2>
R00t beer fridge (2012-10-25)</h2>
So as an update to the previous post, I've been doing some research over the last couple of days and found that:<br />
a) servos are weird things that require crazy Pulse Width Modulation (PWM) to <a href="http://en.wikipedia.org/wiki/Servo_control">control them</a>. This is not something Raspberry Pis do out of the box. I've seen a few cases where they use an in between piece of hardware to work around this.<br />
b) arduinos can be made to do some crazy stuff. Like <a href="http://www.arduino.cc/playground/Code/WebServer">run a web server</a><br />
<br />
For these two reasons I have (sadly) moved over to using Arduino. I would love to use a Pi but it's horses for courses and although I think it's possible to use a Pi for a project like this, it's just too much effort.<br />
<br />
The Arduino will be delivered tomorrow so I can get to grips with the basics over the weekend and have the first photos next week.<br />
<br />
It looks like the locking mechanism will be best done with Meccano. Using servos to move the locks into place will mean that they can be used without a second power source and won't "fail open" if someone were to pull the plug. It will either be a sliding bar or a latch.<br />
<br />
<h2>
Raspi: zero to hero. (2012-10-20)</h2>
So I'm at step zero here. Let me just give a quick intro first to what I want to do along with a little background.<br />
<br />
The goal is to create a hacking challenge for some friends. The prize is a can of "r00t" beer. This beer will be locked away in a fridge. The lock is controlled by a Raspberry Pi. There will be several stages to pass before the fridge will unlock and the prize will be gained.<br />
<br />
Now the background. I have owned a Raspi for about 2 months. In that time I have rather sadly not done much with it. It currently sits as an XBMC server for my television, but its lack of YouTube support and limited codecs mean that it's not all that great. I know that Raspis have support for electronics but my electronics know-how is very "trial and error" (see the Glone if you don't believe me).<br />
<br />
My reason for blogging about this is that I feel my position now is very similar to that of many people out there. We have a Pi, we want to build something cool, but we don't know where to start. Well, I will try to see this project through to completion and along the way blog about the various resources and mistakes I run into that may help you all out there.<br />
<br />
<br />
So... the first step. I want to get a Raspi installed with a *nix build that will support the IO functionality. A basic layout is <a href="http://elinux.org/RPi_Low-level_peripherals">here</a>. If I can get an LED to turn on and off with a command then that's level 1 completed. The next step will be getting it to drive a motor. Stay tuned :-)<br />
<br />
<br />
<br />
<h2>
Cross App Request Forgery in Android - CARF (2012-08-06)</h2>
An interesting thing about Android application security is that it is all very "What if?". Most scenarios I hear involve malicious apps. Malicious apps get installed by unsuspecting users and run in the guise of some innocent game whilst maliciously harvesting or installing other bits and pieces. The usual goal is to recover important data from another application, to use premium rate services, or to act as a botnet.<br />
Normally the idea of malware specifically targeting other apps on a user's device would seem ludicrous, but given the nature of some of the apps coming out on to the market place (sorry, Google Play), this seems more and more likely a vector in these more extreme cases.<br />
This article has two points: the flaw in the root attack theory, and a potentially unthought-of and certainly overlooked attack vector, cross app request forgery (CARF).<br />
<h4>
Attacking an app with root.</h4>
I've often heard of a scenario in which malware elevates to root, and then attacks flaws in the manifest or file system of a specific app. Often Android manifest writers overlook the fact that just because an action isn't exported, it doesn't mean that it can't be run by other users. Root users may run all actions (including your precious providers), whether or not they are exported, unless they are explicitly not exported (exported=0x0).<br />
But this is a bad argument for an attack vector. If you have root, why go after the app? You can access all the files, allowing you to grab the db files and everything else. If the db is encrypted, switch out the binary and trick the user into giving out the information you need to decrypt it. When you're done, switch the apps back, send off the data and disappear. This is far simpler to write (and portable to attack any app) than trying to pick apart and exploit specific vulnerabilities in others' apps.<br />
<h4>
Protecting against root?</h4>
When it comes to protecting against this vector there are three answers: keep the information off the device (best), use the secure element, or encrypt the information with a decent user-entered password.<br />
Keeping information off the phone means interacting with a server. Ideally the user sends up a hashed password, the server checks it and responds with the information, allowing authentication and no chance for offline brute force attacks.<br />
Secondly, the secure element is a purpose-built secure vault with lock-out and no public bypasses. This is limited by having to partner with either a device maker (for an on-device secure element) or a network provider (if it's on the SIM).<br />
Finally there are user passwords. These are used to encrypt the data on the file system. This is obviously limited, as no one likes typing long passwords on phones, and it is still vulnerable to social engineering.<br />
<h4>
CARF-ing</h4>
The inability of many developers to control cross app communications securely leads to some unusual attack vectors. Normally these vectors are too complicated for the minimal rewards achieved for the amount of work, but given the nature of more high risk apps turning up on the market, the rewards are increasing.<br />
An app may export several actions but be careful to show only the login screen to outside callers. Unable to log in, the vector is closed, right?<br />
Well, maybe. I was rather surprised on this one. Several app developers are assuming that this is game over for the attacker and stop the protection there. I assume the thinking is that the phone user is using one app and passes some info across to the secure app, at which point there is a prompt for a password, limiting what information gets passed to only that which the user has permitted.<br />
The issue is that if the user is already logged in, they are not prompted for their password. So if a user session exists, the doors are open to any app sending through information in this window. This could be done by an app without root permissions, so it is far more likely to make it through app store checks.<br />
Either the app could try to indirectly monitor for when the target app is in use, such as by reading the log files, or just blindly hit the app every 5 minutes.<br />
<h4>
Protection</h4>
Firstly, Exported=0x0 is your friend. Everything should be explicitly not exported unless absolutely required.<br />
Secondly, always require user interaction before doing anything. Even validating the input before asking the user to confirm it allows foreign arguments to be processed in your app; one mistake in this area of code means a vulnerability that could be exploited. If the user is using the phone, having one simple confirmation pop up won't hurt the user experience, and it scuppers the attack.<br />
<br />
<h2>
Alternative to DirBuster - dirscanz.py (2012-06-06)</h2>
Often when testing, I need to run an automated scan for common directories on a web site. The traditionally recommended tool for brute forcing directories is DirBuster. Unfortunately, along with occasionally crashing, it also kept filling the results with irritating 500 error files and other bad results requiring manual sifting.<br />
After getting annoyed once too often with DirBuster, I went ahead and built one that was tailored to my own needs. It has the following useful features:<br />
- selecting file types to search for<br />
- HTTP return codes to ignore<br />
- Depth to search to<br />
- All the usual functions<br />
<br />
The Python source can be grabbed <a href="https://docs.google.com/open?id=0B0eg0ZdSPdR_SldtS09Dc1l0SFE">here</a> and an example list of directories and files to try can be downloaded <a href="https://docs.google.com/open?id=0B0eg0ZdSPdR_a2NHcEpBV21NM1U">here</a>. Hopefully it will provide a few of you with a much needed alternative.<br />
<br />
<h2>
PS3 HDMI fix (2012-06-05)</h2>
Well, it takes suffering to learn things. I just hope this one was worth it. I've just spent the best part of an hour trying to fix my PS3 after installing a BF3 update. The screen went blank and there was no sound or video.<br />
<br />
"Oh God it's broken my PS3!"<br />
<br />
Well, close but no cigar. It actually broke the HDMI connection between the PS3 and my television. So to fix it, turn off (i.e. unplug) both the PS3 AND the television. Restart, and fixed.<br />
<br />
<h2>
CMS exploits (2012-05-22)</h2>
<br />
<h4>
A path to experience</h4>
CMS exploit development has been running rampant around places like exploit-db for ages. I took to doing a few of my own with positive results a few months back. But why is it so popular? And is it really worth doing?<br />
<h4>
CMS sploiting for fun '; -- and profit</h4>
Content Management Systems (CMS), are used to make developing and running web sites simple. They come fully loaded with useful tools and db plugins, giving a quick, professional look. No wonder they are used in their droves to produce many of the web sites we visit. There are many to choose from and range from the strictly amateur to the professional/expensive.<br />
Exploit development has been a serious past-time for the following reasons:<br />
- Many of them are open source<br />
- They can be set up offline, speeding up/legalising the hacking process<br />
- They are used in real life, so the results of finding vulns are more rewarding<br />
<br />
CMSs are therefore a cheap, easy way to get into web exploit development and source code review. No wonder juniors everywhere are using them to cut their teeth on web app pen testing and exploit development. <br />
<br />
But surely they have been done to death. Is it still worth it? Are there vulnerabilities still out there?<br />
<h4>
CMS 2012</h4>
Certainly finding straight SQL injection on the home page is only going to be the case if you're looking at an old, poorly maintained or infrequently used CMS. Not really rewarding and unless you are just starting out, not very educational. You therefore have two options:<br />
#1 - Find low risk vulns (reflected XSS, CSRF)<br />
#2 - Dive into source code<br />
<br />
I'm not going to talk about #1 aside from the fact that I'm not a fan. Instead I wanted to run through a better CMS analysis method. I'm afraid you will need to look at the source. This may take the fun out of it for most, but if you want to find a worthwhile vuln that is actually respectable, then you need to broaden your game.<br />
<b> 1. Start by grepping</b><br />
You need to know key functions that will give you the big wins. Things like exec(), sql_query() and fopen() are gold. If you can find these in the files, then you have a starting point.<br />
<b> 2. Find out their variables</b><br />
Do they take variables? If so start following the breadcrumbs. There are some basic tools for this but they aren't particularly good and may lead to false negatives. In any case, this is a learning process so take the time to do it by hand, at least at first. Are they in functions or classes? Are these functions or classes called anywhere?<br />
<b> 3. Edit the script to make life easier</b><br />
The joy of offline analysis is that you can change the code. Add in a few extra echos to help follow through the code as it gets executed. It won't be like that in the end, but then you will have the exploit ready and no longer need them.<br />
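As an added example of steps 1 and 2 (my own script, not something the post provides), a small Python helper that runs the grep for dangerous sinks over PHP source and then flags the calls whose arguments trace back to request input. The PHP snippet is constructed for the demo, and the taint tracking is a deliberately simple one-pass, intra-file approximation whose output is a starting list to follow by hand, as the post advises.

```python
import re

# Dangerous sinks the post says to grep for first, plus a few neighbours.
SINKS = ("exec", "system", "passthru", "shell_exec", "sql_query",
         "mysql_query", "fopen", "include", "require")
# Sources of attacker-controlled data in PHP.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")

SINK_RE = re.compile(r"\b(" + "|".join(map(re.escape, SINKS)) + r")\s*\(")
SOURCE_RE = re.compile("(" + "|".join(map(re.escape, SOURCES)) + r")\b")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(.*?);")

# Constructed sample, not from any real CMS.
SAMPLE_PHP = """\
<?php
$page = $_GET['page'];
$file = "pages/" . $page . ".php";
$conn = db_connect();
$rows = sql_query("SELECT * FROM posts WHERE id = " . $_GET['id']);
$title = htmlspecialchars("Welcome");
echo $title;
$fh = fopen($file, "r");
exec("ls " . escapeshellarg($page));
system("date");
?>"""


def find_sink_calls(src):
    """Step 1 of the post: every line that calls a dangerous function,
    as (line number, sink name, stripped line)."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = SINK_RE.search(line)
        if m:
            hits.append((lineno, m.group(1), line.strip()))
    return hits


def tainted_variables(src):
    """Step 2: variables assigned from a request source, or from another
    variable already marked tainted, in file order (single pass, no
    sanitiser awareness: that is the part to do by hand)."""
    tainted = set()
    for line in src.splitlines():
        for var, rhs in ASSIGN_RE.findall(line):
            if SOURCE_RE.search(rhs) or any(
                    re.search(re.escape(t) + r"\b", rhs) for t in tainted):
                tainted.add(var)
    return tainted


def report(src):
    """Sink calls whose argument list mentions a request source or a
    tainted variable: the breadcrumbs worth following into the code."""
    tainted = tainted_variables(src)
    findings = []
    for lineno, sink, line in find_sink_calls(src):
        args = line[line.index(sink) + len(sink):]
        if SOURCE_RE.search(args) or any(
                re.search(re.escape(t) + r"\b", args) for t in tainted):
            findings.append((lineno, sink))
    return findings


if __name__ == "__main__":
    for lineno, sink in report(SAMPLE_PHP):
        print(f"line {lineno}: {sink}() reachable from request input")
```

Running it on the sample reports the sql_query, fopen and exec calls; the system("date") call is a sink but takes no external input, so it is left out, which is exactly the kind of noise reduction that makes step 2 worth the effort.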
<br />
That's really it. I wanted to write this because there is so much good development in the CMS community and they're getting stronger and stronger for it. It's also infinitely more rewarding to get code execution from a CMS that is really out there and being used. Far better than dull little unrealistic test sites. Just be ethical with your disclosure!<br />
<br />
<h2>
CSRF - improving the basic attack (2012-05-09)</h2>
<h4>
CSRF is a low risk vuln for script kiddies</h4>
I think cross site request forgery (CSRF, which I've always been alone in calling "see-surf") gets a pretty bad rap, not least because script kiddies are flooding exploitdb with boring CSRF attacks against CMSs that no-one uses. But let's not write off CSRF as a bland client-side attack just because people are using it poorly. CSRF actually has very viable and useful applications that take a little longer to create, but the results are totally worth it.<br />
<br />
It all revolves around how we are trusted when we log in. Normally this means C-surfers go looking for all the functions that don't require creds or authentication to complete. Most half-decent apps will therefore check and protect against this. But quite often they make a mistake.<br />
<h4>
A better surf</h4>
Let's take an example:<br />
<i> Joe's email web portal allows users to log in and then allows passwords to be changed. Fearful of CSRFing, they make the user include their old password in the request. Solved! But of course the user is who they say they are, so don't limit them on retries when they get the password wrong....</i><br />
<br />
Yep. We can run dictionary attacks through CSRF.<br />
<br />
So is this so great? It's a little slow (maybe a couple of minutes to run through a decent dictionary) and ultimately still limited to having people visit your site who have to be logged in to the site you want to hit in order to be vulnerable. So yes, it's still a limited client-side attack, but it's one that works on some pretty popular apps.<br />
Just load a dictionary into a JavaScript array and run it in a loop. JavaScript can handle GET and POST.<br />
<br />
The only problem is that it's blind. We could change 50 people's passwords with this attack, but how do we know it's worked, and to whom?<br />
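As an added example from the defending side (my own code, not from this post or any real portal), a Python model of Joe's password-change handler with the two controls that close the hole described above: a per-session anti-CSRF token that a page on another origin cannot read, and a failure budget on the old-password check so that a looped request cannot run a dictionary through it. The session object, the budget of five failures and the HMAC stand-in for password hashing are all constructed for the demo.

```python
import hmac
import secrets

MAX_OLD_PASSWORD_FAILURES = 5   # per-session budget; constructed policy value


class Session:
    """A logged-in browser session. The CSRF token lives only here and in
    the form the portal renders, so a page on another origin cannot supply it."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)   # synchronizer token
        self.failed_old_password = 0
        self.locked = False


class PasswordChangeService:
    """Constructed model of the portal. Passwords are stored as an HMAC
    stand-in rather than a real password hash, to keep the demo short."""

    def __init__(self):
        self._key = secrets.token_bytes(16)
        self._passwords = {}

    def _digest(self, password):
        return hmac.new(self._key, password.encode(), "sha256").hexdigest()

    def register(self, user, password):
        self._passwords[user] = self._digest(password)

    def check_password(self, user, password):
        stored = self._passwords.get(user)
        return stored is not None and hmac.compare_digest(
            stored, self._digest(password))

    def change_password(self, session, token, old_password, new_password):
        """Handle one change-password request and return a status string.
        The token is checked before the old password, so a forged request
        never gets to spend a guess; the guess budget is per session."""
        if session.locked:
            return "locked"
        if not hmac.compare_digest((token or "").encode(),
                                   session.csrf_token.encode()):
            return "bad_csrf_token"
        if not self.check_password(session.user, old_password):
            session.failed_old_password += 1
            if session.failed_old_password >= MAX_OLD_PASSWORD_FAILURES:
                session.locked = True     # user must log in again to retry
                return "locked"
            return "wrong_old_password"
        self._passwords[session.user] = self._digest(new_password)
        session.failed_old_password = 0
        return "changed"


def replay_guesses(service, session, token, guesses, new_password="changed-by-loop"):
    """Submit a list of old-password guesses in a loop and return each
    status, to show the budget running out before the right one is reached."""
    return [service.change_password(session, token, g, new_password)
            for g in guesses]


if __name__ == "__main__":
    svc = PasswordChangeService()
    svc.register("joe", "correct horse")
    s = Session("joe")
    print(svc.change_password(s, None, "correct horse", "x"))   # bad_csrf_token
    print(replay_guesses(svc, s, s.csrf_token,
                         ["a", "b", "c", "d", "e", "correct horse"]))
```

The order of the checks is the point: a cross-site page fails at the token step without touching the counter, and a script running inside a real session exhausts the budget long before a dictionary of any size is consumed, after which even the correct old password is refused until the user logs in afresh.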
<br />
<h4>
Consequences....did it work?</h4>
Obviously this is easy if there's other attack vectors, like XSS but then if you've got cross site, then you hardly need CSRFing. The important point here is that other lower vulns can be used alongside this one to build a more valid attack vector.<br />
<br />
Enumeration of usernames allows trying the altered password against the list. As you're only trying one password on each account, it shouldn't cause a lockout.<br />
<br />
CSRFing multiple points can make the attack victims more visible. Changing a profile value may be pretty lame by itself, but if it is done alongside the password change, it becomes a flag for compromised accounts.<br />
<br />
<h2>
SQLite Injection (2012-04-25)</h2>
There does seem to be a lack of information regarding SQLite injection. This is probably because SQLite is so limited compared to other SQL databases. However, given Android's (and iOS's?) interest in using it, there is something to be said for writing up some basics and the findings that I've had so far.<br />
<br />
I will try to write this from a more general SQLite injection angle rather than OS specific. First, enumeration. Getting out the master table is fairly straightforward as long as your injection is early on in the statement. If you can get results posted to the screen then enumerating the database structure is easy:<br />
<br />
"* FROM SQLITE_MASTER; --"<br />
<br />
The SQLITE_MASTER table holds the definitions of all the tables, so it is a quick win for enumeration. From there, more SELECT statements will get you the rest.<br />
<br />
If the injection point is not in the WHERE or SELECT clause then things may get a little more difficult. It is particularly interesting when the injection is in the ORDER BY clause. This means that not only can you not add in the table to select from, but you also can't use a UNION statement to join it to a fresh select statement. I've yet to find a good way to solve this one so please, answers on a postcard.
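As an added example (my own code, not from these posts), a Python model of the content-provider query pattern that this post and the INSERT/UPDATE post above both pick at: a builder that pastes projection, selection and ORDER BY text straight into the statement, alongside the hardened builder a developer should use, which allow-lists identifiers (projection columns, filter columns, sort column and direction) and binds values with placeholders. The same rule covers the column names of INSERT and UPDATE, since those can't be bound either. The <code>users</code>/<code>secrets</code> schema and the column list are constructed for the demo.

```python
import sqlite3

# Identifiers (column names, ORDER BY targets) cannot be bound as
# parameters, so the only defence for them is an allow-list; values can
# and should be bound. Constructed demo schema, not from the posts.
ALLOWED_COLUMNS = ("id", "name", "email")


def open_demo_db():
    """In-memory database with a 'users' table plus a 'secrets' table that
    a caller of the users query should never be able to reach."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO users(name, email) VALUES ('alice', 'alice@example.test');
        INSERT INTO users(name, email) VALUES ('bob', 'bob@example.test');
        INSERT INTO secrets(token) VALUES ('constructed-secret-value');
    """)
    return con


def unsafe_query(con, projection, selection="", order_by=""):
    """The pattern the posts attack: caller-supplied strings are pasted into
    the SELECT, WHERE and ORDER BY positions, like a content provider that
    forwards projection / selection / sortOrder to the database unchecked."""
    sql = f"SELECT {projection} FROM users"
    if selection:
        sql += f" WHERE {selection}"
    if order_by:
        sql += f" ORDER BY {order_by}"
    return con.execute(sql).fetchall()


def safe_query(con, projection=None, filters=None, order_by=None):
    """Hardened form: every identifier is checked against ALLOWED_COLUMNS,
    the sort direction against a fixed pair, and every value travels as a
    bound parameter, so no caller input is ever interpreted as SQL."""
    cols = list(projection) if projection else list(ALLOWED_COLUMNS)
    for col in cols:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed in projection: {col!r}")
    sql = f"SELECT {', '.join(cols)} FROM users"
    params = []
    if filters:
        clauses = []
        for col, value in filters.items():
            if col not in ALLOWED_COLUMNS:
                raise ValueError(f"column not allowed in filter: {col!r}")
            clauses.append(f"{col} = ?")      # the value goes through '?'
            params.append(value)
        sql += " WHERE " + " AND ".join(clauses)
    if order_by:
        col, direction = order_by
        if col not in ALLOWED_COLUMNS or direction not in ("ASC", "DESC"):
            raise ValueError(f"ORDER BY not allowed: {order_by!r}")
        sql += f" ORDER BY {col} {direction}"
    return con.execute(sql, params).fetchall()


def table_names(rows):
    """Names of the tables in a list of sqlite_master rows."""
    return sorted(r[1] for r in rows if r[0] == "table")


def is_rejected(**kwargs):
    """True when safe_query refuses the given projection/filters/order_by."""
    try:
        safe_query(open_demo_db(), **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = open_demo_db()
    # The post's test string without the ';' (sqlite3.execute runs a single
    # statement); the trailing comment still swallows the real FROM clause.
    print("unsafe projection reached:",
          table_names(unsafe_query(con, "* FROM sqlite_master --")))
    print("safe projection rejected:",
          is_rejected(projection=["* FROM sqlite_master --"]))
    print("safe ORDER BY rejected:", is_rejected(order_by=("name", "DESC; --")))
    print(safe_query(con, ["name"], {"email": "bob@example.test"}, ("name", "DESC")))
```

Note what the allow-list buys for the ORDER BY case in particular: the sort column and direction are the only two things a caller can legitimately choose there, so accepting them as a (column, direction) pair and refusing anything outside the fixed sets removes the injection point without any escaping logic.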
<br />
<br />
This is just an introductory post. I want to cover effective manual blind SQLite injection but this will have to wait until next time.
<br />
<br />
The other area that I want to look into is the use of the "." commands. SQLite seems to have many extra functions, which I'm guessing can not be used through API calls. Perhaps the PHP exec() function might? It would certainly be good to know where, if anywhere, these values could be used, as it would allow inclusions of other files.
<br />
<br />
Finally I want to take a look at whether the values can be overwritten with long/specially formatted strings. The .db file could then be manipulated into becoming something else (okay so this one's a long shot, but worth taking a look at).
<br />
<br />
Stay tuned.<br />
<br />
<h2>
vmware quick fix (2012-02-02)</h2>
Quick solution to the "Taking ownership of this virtual machine failed" error.<br />
<br />
Go to the VMware image's folder and delete the .lck file.<br />
<br />
<h2>
Apache, php and dlls (2011-10-26)</h2>
For a while now I've been adding more and more features to Apache and PHP for testing. I want to add things like LDAP and SQL support in PHP, but the libraries fail to load when I update the php.ini file. I have continually come up against error messages like these:<br />
<br />
<i>PHP Warning: PHP Startup: Unable to load dynamic library 'c:/php/php_ldap.dll' - The specified module could not be found.\r\n in Unknown on line 0</i><br />
<br />
and<br />
<br />
<i>PHP Warning: PHP Startup: Unable to load dynamic library 'c:/php/php_pdo_mysql.dll' - The specified module could not be found.\r\n in Unknown on line 0</i><br />
<br />
The problem I had was actually nothing to do with PHP trying to find these libraries. Instead it was to do with the other libraries that they needed. The Apache logs make no mention of this. You need to search the internet to find which dlls are needed depending on your web server and the dll you wish to include.<br />
<br />
For example, running PHP and Apache, to include LDAP, update the php.ini and then also make sure that libeay32.dll and ssleay32.dll are in the Apache bin folder. Then voila! No more nasty errors.