Category Archives: Security

Thoughts and code about security

So, there’s a trojanized version of PuTTY circulating around.

There’s this report here posted by Cisco. If tl;dr then in a nutshell this is the case. Someone created a backdoored version of PuTTY. You can get infected if you search for PuTTY and download it from an untrusted mirror. Btw, someone can verify the integrity of the files through MD5, SHA-1 (Sidenote: both are known not to be secure), SHA-256 and SHA-512.


Are we there yet?

There’s this constant debate when it comes to applications. Is open source software more secure than proprietary software? Is it the other way round? In a nutshell, my point on the topic is that this comparison is wrong and the metrics are wrong as well. The amount of facts we have is not enough to make a comparison.

n00bs CTF Lab write-up

Infosec Institute launched a CTF challenge some days ago. Due to a lot of free time, I decided to take a look and have some fun.


No hard feelings, I stole your cookies.

and I pwned your server. Have you ever heard about the Samy worm? If not, read the link. If yes, carry on. I was having fun around when I noticed that I could input HTML in a site.

I can’t actually explain everything regarding the attack but… I bypassed their XSS-protection (HttpOnly) by using HTTP defined requests. I “debugged” their server as well because someone never turned off that feature and I was able to steal some OAUTH keys (of my victim account) which in turn allowed me to post the same code in his profile. If both profiles were public, you understand that things would turn ugly pretty fast. On top of this, while I was filing the bug report, I noticed that some cookies allowed you to login, logout, the level of access etc. Ermmm… I woke up and it was 2014, not 2005.

 

Operations Security

I have been asked a lot of times questions that fall under the general topic of OPSEC. I have been using some practices for quite some time that work well, so I’ll be talking about them. Some tools will be referenced, some not. Just bear with me.

Everything falling under security is pretty much power redistribution thus it must be treated that way. Because of the ability to redistribute power you need two things, knowledge and responsibility.

How to protect personal data? 

I could write a PhD about the subject but here are a few quick tips. ENCRYPT, ENCRYPT, ENCRYPT SOME MORE. Do you have a few files to encrypt only? My guess is not. If you want to be totally protected encrypt your whole HDD/SSD/USB stick, whatever. Encrypting some files is cool etc but your OS logs everything you do. An Archaeologist (Forensics guys) can read the logs and get your ass busted. ENCRYPT your OS.

What happens if the feds raid my house? If you are using your encrypted OS, your password is stored in the RAM somewhere. A complete memdump will give away your pass, a hash of it or some clues. Usually people don’t want this to happen. An easy workaround is to create two encrypted OSs. The first is the dummy, the second is your main OS. In such a case, boot the dummy ;). They will dump a key that will be of no use 😉 Btw I made an assumption here, you know which cryptosystems are secure and which are not. If this is not the case, well, you better start digging.

How to protect my communications?

I used to be the happy owner of a smartphone until the company pushed a crappy update that drains my battery faster than I can imagine. Anyway, as such I use my phone to check my mails. Every now and then I deal with 0days or I transfer money from my bank account etc. As such I have to make sure that there’s no eavesdropper around, same thing applies for my laptop. How do I do this? I’ve set up an SSH in my home. Every time I connect to the internetz I hide my ass behind my SSH which is connected through a trusted VPN which leads to TOR nodes. Ok, that’s too much security but even if something fails I have other options ;). If I can’t use my tunnels I use publicly available ones. You better start doing the same.

Assume now that you are in a public cafe. What do you do if you want to fuck with eavesdroppers? Easy. Grab a USB wifi adapter. Script it so that it frequently changes SSID and information. It’ll take some time for the eavesdropper to figure what’s going on 😛

Physical Protection 101

This was a part of a conversation I had with a scene whore. How do you protect your laptop from physical attacks? It’s called two factor authentication and it works, something the user has (usb stick for example), something the user knows (password). If your laptop supports fingerscanning then you can extend the authentication to something the user is (fingerprint 😉 ).

You leave your pc without locking your screen? Take the usb stick with you and the pc is locked. Advancing this scheme, lock everything your bios allows you to lock so that the PC boots only from a certain HDD. There is an attack there but the attacker must have physical access to your PC, know how to disassemble it etc (CMOS battery removed 😛 ). Another option if you hate usb sticks is pinging your phone. If your phone is not near, PC is locked etc.

I lost my PC/Smartphone etc. Now what? Shit happens and assuming you didn’t do anything of the above or you did but it was bypassed, you can always track your pc/smartphone etc 😉 There are tons of free software out there that do that for you and they allow you to delete data, make noises, photograph the thief etc.

Have fun.

iz out

Regarding passwords

There’s been a conversation about passwords. Are they strong? Are they secure? Is an 8-digit password enough or is it easy to bruteforce it? We’ve seen huge dumps of passwords lately and companies such as Google try to get rid of the password authentication method by using usb keys etc.

Before I move on to the subject some core concepts here. A hash function (such as md5) is a function that takes an input and creates a certain output based entirely on the input. We expect hash functions to be collision-resistant, i.e. we want it to be hard for an attacker to find an input X such that hash_function(X)=hash_function(ORIGINAL_INPUT).
Another core concept is the two-factor authentication. This is quite simple, the user must have any two of the following three:

  1. Something he, and only he, knows (a password for example)
  2. Something he, and only he, has (a private key for example or his cellphone)
  3. Something he, and only he, is (mostly biometric things)

The final concept is public key cryptography which I mentioned before. The main problem with cryptography is the need of a secure channel to exchange encryption keys but if someone has a secure channel then why doesn’t he exchange the message in the first place? Cause there’s no such thing as a secure channel (well, there is but not for everyone). In order to solve this, Diffie and Hellman proposed public key cryptography. The concept is simple. Let’s assume that B wants to share some confidential info with A. A has used a function that created two outputs. The first one is the Public-Key of A (PKA) and the second is the private key of A (KA). PKA is public and it doesn’t matter who has it. B takes PKA, encrypts the message and mails it to A. The only way to decrypt the message is to use KA. KA is only available to A so A is the only one who can see the original message.

Back to the passwords and the authentication problem. Authentication is the most commonly attacked concept of computer security. Attackers either bypass it or authenticate as a legitimate user by guessing/bruteforcing/you-name-it the authentication process. So far, so good but in my opinion the problem does not lie in the passwords. There are two main problems here, the first one is users, the second is developers.

Starting by users, users need to be educated regarding security. There have been studies around from many sources regarding both password practices and educating the users. A normal user, which may be privileged, is an insider threat to any information system. My thoughts here are pretty straightforward. An ignorant user was, is and will always be a threat to any system. Such users are extremely dangerous when they are privileged. Such ignorance is a vulnerability and chances are that the system will get owned with a usb authentication as fast as it would with a password.

What if users are already trained and someone still dumps their passwords which are pretty complicated to guess and/or bruteforce? Developers need to be educated as well. Have you seen any of these dumps lately before their passwords were “unhashed”? Most of these dumps contained passwords hashed with insufficient functions with known huge collision and rainbow tables and even without a proper salt (salt is to concatenate the password with a string and hash the concatenated string). It is obvious that by using such functions, in case of a SQL Injection (replace SQLi with every single attack that breaches either confidentiality or integrity of the system) if a dump takes place you are in serious trouble.

As a conclusion, although I am not against using new methods such as hardware or two-factor authentication, security professionals have to make a security awareness campaign and train both users and developers because the problem does not lie in passwords but in the improper implementation of authentication mechanisms and improper passwords or bad practices.

/me iz out

Format string exploitations

I’ve been interested in security for quite some time and I came to a conclusion -that I read from other guys yesterday as well- but it is common to most people out there. When you develop an application, most of the times this application takes input and reacts to it. When it comes to security, this application -under any circumstances- must filter input and distinguish between what is allowed and what is not. What is not allowed may be invalid strings for example or specially crafted strings that will exploit a vulnerability thus “adding” new features to the application such as reverse TCP shells, privilege escalations, whatever the attacker feels like.

In that aspect, a vulnerability called format string exploitation exists but I haven’t seen one for a while up until May 2012 where a guy found a format string exploitation. More info about this vulnerability can be found here.

So, what is a format string exploitation? It is mentioned a lot and in various sources that strings should be treated as strings. Mistreating strings may lead to “random” features that certainly were unintentional and unwanted.

Historically speaking, format string exploitation took the security community by surprise in 2000. Like every new class of vulnerabilities, what followed format string vulnerabilities was a huge amount of bugs and exploits. Format string vulnerabilities are programming bugs firstly and then security threats but I’ll come back to this later.

A format function, such as printf() in C, is a function that takes data and some conversion parameters and prints the data in a human readable format. It must be clear that what is human readable can be in most cases understood by humans with some knowledge. The most common example of a format string vulnerability lies in this code:

#include <stdio.h>

/* Deliberately vulnerable: the user's input is used as the format string. */
void theVuln(char *theExploit) {
    printf(theExploit);
}

The above block of code passes the user's input to printf() as the format string itself, without a formatting parameter. If a user inputs “Hello world” everything will look fine: the vulnerability will not be exploited, but it is still there. To correct the vulnerability the developer should add a formatting parameter to the function. The function should look like

printf("%s",theExploit);
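
The difference between the two calls can be observed without reading any memory. This is an added example, not code from the original post: the constructed input contains only `%%`, a directive that consumes no arguments, so the unsafe call stays well-defined while still showing that the input is parsed as a format. The names `render_unsafe`, `render_safe`, `has_directive` and `renders_identically` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. All names are hypothetical. */

/* Vulnerable pattern: the input itself is the format string. Compilers
   flag this call (-Wformat-security); the warning is silenced here only
   because the pattern is shown on purpose. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_unsafe(char *out, size_t n, const char *input) {
    return snprintf(out, n, input);
}
#pragma GCC diagnostic pop

/* Hardened pattern: constant format, the input is only ever data. */
int render_safe(char *out, size_t n, const char *input) {
    return snprintf(out, n, "%s", input);
}

/* Returns 1 if the input holds a '%', i.e. it would be interpreted rather
   than copied if it reached a format parameter. A signal worth logging,
   not a substitute for the constant format above. */
int has_directive(const char *input) {
    return strchr(input, '%') != NULL;
}

/* Returns 1 if both calls produce byte-identical output for `input`. */
int renders_identically(const char *input) {
    char a[128], b[128];
    render_unsafe(a, sizeof a, input);
    render_safe(b, sizeof b, input);
    return strcmp(a, b) == 0;
}

int main(void) {
    const char *benign = "Hello world";        /* constructed sample */
    const char *marked = "load at 100%% now";  /* constructed sample */
    char buf[128];

    render_unsafe(buf, sizeof buf, marked);
    printf("unsafe: %s\n", buf);   /* the "%%" was consumed as a directive */
    render_safe(buf, sizeof buf, marked);
    printf("safe:   %s\n", buf);   /* the input is reproduced verbatim */
    printf("benign identical: %d\n", renders_identically(benign));
    printf("marked identical: %d\n", renders_identically(marked));
    return 0;
}
```

The benign input hides the bug because it contains no directive; any input for which the two renderings differ proves the program is interpreting user data as a format.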

In order to understand how and why this vulnerability works and what happens when exploited it is necessary to dive a little deeper, in order to do so I will refer quickly to stacks.

Stacks are data structures that are built in such a way so that the last member added to a stack is able to leave the stack first, because of this “behaviour” stacks are called Last In First Out or in short LIFO. When someone is dealing with stacks it is said that he is pushing -adding to the stack- data or popping -removing from the stack- data. It is obvious that the two most common commands about stacks are POP and PUSH. It is thus obvious that even CPUs have commands so that they are able to deal with stacks. The prevalent CPU architecture which is Intel x86 has two commands known as POP and PUSH. They are called OPCODES and Intel offers a range of OPCODES when it comes to stacks but this is out of scope. There are also other data structures such as lists, queues etc but I won’t refer to them here.

When we execute a program the operating system “creates” two data structures. The first one is a queue, which stores all the code and the data that doesn’t change during execution mostly. Queues grow upwards (meaning to higher memory ranges) while stacks grow downwards. Stacks are used to store functions mostly. The exact actions in a stack, such as when it pushes the parameters of the function, in what order etc are out of scope in this article :)

When I was referring to the printf I was referring to a function. Since this is a function it is obvious from what I stated before that it is pushed onto a stack. Printf is a dynamic library thus it is not embedded in every executable but is loaded by the OS and the OS points the executable to the address where the printf function “lives”.

printf("This is a %d decimal while this a %s string",theDecimal, theString);

Diving into the stack of the above printf, we locate the parameters in reverse order, meaning that the last parameter is found first and the first last. This is not clear enough but if you deal a little bit with functions and stack you’ll get it.

Attacking the vulnerable function is easy. The attacker can input whatever he wants -for example %n %x etc- and check the output which may indicate memory ranges thus allowing further exploitation via a shell loaded into an environmental variable etc. It is possible to crash the program, it happened in Linux where the program used coredump which allowed for an insight.

The main problem is -if the input is for example multiple %s- the attacker may access data not intended for him to read or not intended for anyone to see, read an illegal address not mapped, get an address range etc thus extracting a safe assumption of how the vulnerability works or what the program does which is definitely unwanted. Exploiting such a vulnerability a few times, there is a high chance of crashing the program thus leading to a DoS attack.

Attacking further than that, an attacker can see any memory range he wants or overwrite arbitrary memory addresses thus executing his own code. By the way and since I mentioned this, the CPU does not discern between data and OPCODES and if it is fed OPCODES when it should take data it happily executes the OPCODES. 😛 The most common parameter is %08x which leads steadily towards the top of the stack enabling us to map the whole stack. Last thing to mention is that buffer overflows sometimes offer limitations, format string exploitations allow an attacker to overcome these limitations.

Exploiting such vulnerabilities depends heavily on the type of the vulnerability since format string vulnerabilities are a class of vulnerabilities. They may be as simple as buffer overflows, may just need string stretching or may be highly complicated and need environmental variables to hold the exploit etc.

Beware of the meta.

>What you are about to read is common knowledge to a lot of people.

Certain file formats such as MP3, JPEG, PNG -the list is big to mention here- contain special fields inside them that store extra information.
The MP3 file format for example contains meta data for comments, title, artist, etc. Even if you move this file to another computer most of this metadata remains, all of these fields are usually predefined by the algorithm. You can check this by downloading a PNG -for example- file and opening it up with the hex-editor of your choice.  Depending on the file format you may find this info either on the top or in the bottom.

Anyway, keeping this in mind helped me a lot of times, mostly in hacking challenges such as the Can you crack it? Challenge or B-Sides challenges, not to mention that knowing file formats brought to life new exploits and of course vulnerabilities. It was even used in the Cyber Coalition of NATO some time ago with a PDF file.

This knowledge came in handy some time ago. Some people when they buy something new they NEVER read the fucking manual, neither they figure out how this brand new shiny thing works. They just learn the essentials to use it, neither how to maximize its effectiveness nor how to stay secure. When it comes to smartphones, they have a GPS device and guess what… By default they store the location of your photo, the height of the place the photo was taken, the device that took the photo and a lot of other useful information. Then they just upload the photo somewhere.

Accessing this information is not difficult and since most of these photos are made publicly available the first tool someone needs is a web browser. Using for a variety of reasons Firefox I found an add on named FxIF that shows the metadata of a picture and I was able to access a lot of information.

About this thing. This is a privacy infringement but it is not the manufacturer’s fault, it is the problem of the owner because he just randomly clicks whatever pops up in his screen. There are available countermeasures but they are not applied everywhere. Facebook for example cleans the metadata from the photos, not sure if it stores them somewhere though which should be a NO NO.
Twitter on the other hand doesn’t.

The problem with that lies in the fact that by default it contains a lot of info that makes it easy to locate someone or blow up your anonymity. Below is an example of a picture. The picture was taken by a guy who owns an iPhone 4, we know the date taken, where it was taken, a lot of information that we don’t need and we can locate the accurate position -yes I know where it was taken-. Problem is, this building is supposed to be secure and citizens -like me- shouldn’t know where suspects are held, in this case we know both the location of the building and in which floor the picture was taken.

Beyond the obvious fact of privacy infringement this could lead to other, severe, information leakages and I guess there are companies and people that don’t want this. So, for your own good turn off GPS location when photoshooting.

Hint: This doesn’t happen only with smartphones, checked and verified that it happens with certain dSLRs too and to no surprise you have the choice to turn it off. Turn it off.
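
The countermeasure mentioned above, cleaning the metadata before a photo is published, comes down to walking the JPEG's segments and dropping the one that carries the Exif block (camera model, date, GPS position). This is an added example, not code from the original post: `strip_exif` and `SAMPLE_JPEG` are hypothetical names, and the sample bytes are a constructed, minimal segment sequence rather than a decodable photo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. Names are hypothetical. */

/* Constructed sample: SOI, APP0 (JFIF), APP1 (Exif + TIFF header), SOS,
   one data byte, EOI. Not a decodable image. */
static const unsigned char SAMPLE_JPEG[] = {
    0xFF,0xD8,
    0xFF,0xE0,0x00,0x10,'J','F','I','F',0x00,0x01,0x01,0x00,
                        0x00,0x01,0x00,0x01,0x00,0x00,
    0xFF,0xE1,0x00,0x10,'E','x','i','f',0x00,0x00,'M','M',
                        0x00,0x2A,0x00,0x00,0x00,0x08,
    0xFF,0xDA,0x00,0x02,0x00,0xFF,0xD9
};

/* Copies the JPEG in[0..n) to out (capacity >= n), dropping every APP1
   segment whose payload starts with "Exif\0\0". Other APPn segments (for
   instance XMP) are kept. Returns the output length, or 0 if the header
   sequence is malformed or truncated; *removed counts dropped segments. */
size_t strip_exif(const unsigned char *in, size_t n, unsigned char *out,
                  int *removed) {
    size_t i = 2, o = 2;
    *removed = 0;
    if (n < 4 || in[0] != 0xFF || in[1] != 0xD8) return 0;  /* no SOI */
    out[0] = 0xFF; out[1] = 0xD8;
    while (i + 4 <= n) {
        unsigned char marker;
        size_t len;
        if (in[i] != 0xFF) return 0;             /* lost marker sync */
        marker = in[i + 1];
        if (marker == 0xDA) {                    /* SOS: pixel data follows */
            memcpy(out + o, in + i, n - i);      /* copy the rest verbatim */
            return o + (n - i);
        }
        len = ((size_t)in[i + 2] << 8) | in[i + 3];  /* counts its 2 bytes */
        if (len < 2 || i + 2 + len > n) return 0;    /* truncated segment */
        if (marker == 0xE1 && len >= 8 &&
            memcmp(in + i + 4, "Exif\0\0", 6) == 0) {
            (*removed)++;                        /* drop: copy nothing */
        } else {
            memcpy(out + o, in + i, 2 + len);
            o += 2 + len;
        }
        i += 2 + len;
    }
    return 0;                                    /* no SOS before the end */
}

int main(void) {
    unsigned char out[sizeof SAMPLE_JPEG];
    int removed;
    size_t m = strip_exif(SAMPLE_JPEG, sizeof SAMPLE_JPEG, out, &removed);
    printf("in=%zu out=%zu exif_segments_removed=%d\n",
           sizeof SAMPLE_JPEG, m, removed);
    return 0;
}
```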

Bypassing XSS Auditor in Google Chrome

I was playing around with a site belonging to the fellow writer blacktom, who also posts stuff in this blog. Anyway, blacktom developed this particular site about 7-8 years ago and made a classic mistake, no bad feelings :) , he used encoding where he should have used encryption.

Successful exploitation of the flaw would result in a reflected XSS transported via the URL (GET method). Although this flaw could lead to more serious things (remember, PHP uses a problematic function to decode base64 which could lead to remote shells etc), I just stored somewhere the URL, actually I have a bunch of .txt files with vuln sites that I found from time to time.

Anyway, a long time ago I stopped using Chrome when I was pentesting, because of the Firefox plugins that allowed a significant extension of the features. Also, Chrome didn’t allow testing for XSS vulnerabilities. Being lucky, I opened blacktom’s vuln app with Chrome and an alert stating XSS popped. Long story short, I tried various combinations which all worked. So, bypassing XSS auditor is possible in another way, remember the <svg> tags allowing bypassing too.

I went on, trying document.cookie, AJAX to this server and all worked fine. I assumed that Chrome offers no auditing inside base64 encoded data for XSS. I filed a security bug about this, to which I will come back later. Anyway, thing is you can bypass XSS Auditor in Chrome using base64 encoding wherever this is allowed by the under attack web page :)

Back to the security bug, this is not the first time I find a security bug in a software and I file a report, but it is the first time that within a few hours I had a response, immediate, clear and thankful, from the developers. I had vulnerabilities (commonly called 0days, btw this is not a 0day 😛 ) before in major web applications and social networking sites and either they didn’t respond or even worse, their team couldn’t go further than TRUE or FALSE given the vulnerable variable and a classic, for example SQLi string.

So, Congratulations for the response and the product to all the guys behind chrome :)

Gathering information

Before you start attacking someone, you should gather first some info. When that someone is a user, your best chance is stupidity. A lot of users are members of social networks such as twitter, facebook, LinkedIn etc. If you know a lot you can track them via their profiles. What happens though if you know only their twitter nickname?

The no 1 place where users share their photos with a lot of personal information is facebook. Facebook has a cool “feature”. User photos are stored using patterns. Go on and right click any image you want and copy its location. You’ll get something like this

https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash3/AAA_BBB_CCC_DDD_EEEE_n.jpg

Well, what I’ve figured out is that CCC is the profile id. This means that http://www.facebook.com/profile.php?id=CCC is the link that will get me directly to the user’s profile who has this photo. Btw I haven’t figured the other numbers yet, if anyone has any idea drop a comment.

Many people choose to use the same profile photo from facebook to any other sites and because they are lazy asses they choose to download the photo and upload it directly to the other social networks. This means that the photo is stored and then uploaded (in a lot of cases) as

AAA_BBB_CCC_DDD_EEEE_n.jpg

, as it is stored natively on facebook. Even better, Windows allows you to copy an image location and paste the hyperlink (http://); it then finds the image in the /temp/ folder and uploads it as it is, meaning again the image is uploaded using the name that was stored in facebook.

Focusing on twitter now.  User A uploads a profile photo on twitter. The photo was uploaded as my_profile_pic.jpg, the photo is stored and referenced on twitter as my_profile_pic.jpg.

In twitter, many users use nicknames that aren’t directly related with their personal data such as name, surname etc. This ID spoofing is blown away though if a user uploads a photo directly downloaded from his facebook profile since someone can directly relate the twitter account with the facebook account and from that point even go deeper digging more info about that user.

Again, if someone knows what’s going on with the other numbers in the facebook storage pattern, let me know :)