Breaking
by Rick Radewagen

Remote Code Execution via Server Side Template Injection at OFBiz 13.07.03 (CVE-2016-4462)

Dear Reader,

this blog post is about Server Side Template Injections for the Apache Freemarker Template Engine, how to detect them, how to craft an exploit and what countermeasures can be implemented. Server Side Template Injections are critical because they often allow even Remote Code Execution, like the exploit of Apache OFBiz 13.07.03 that triggered this post in the first place. It is fair to note, that the exploit of Apache OFBiz requires a valid session with the server, but often this is just an inconvenience for an attacker.

Continue reading “Remote Code Execution via Server Side Template Injection at OFBiz 13.07.03 (CVE-2016-4462)”

Continue reading
Breaking
by Prof. Dr.-Ing. Andreas Dewald

New Ransomware-Wave Analysis

In the context of a customer project, we examined a new variant of the Locky ransomware. As in the meantime stated by a law enforcement agency, this has been part of a large wave of attacks hitting various enterprises in the night from Tuesday (2016-07-26) to Wednesday.

As an initial attack vector, the attackers use emails with an attachment that probably even uses a 0day exploit, that enables the payload to be executed already when displayed in the MS Outlook preview.

The ransomware encrypts accessible documents and threatens victims to pay a ransom in order to be able decrypt the files. Further, the malware uses accessible network shares/drives for further spreading.

Further information is following in the next section.

It might help to create filtering rules based on the mentioned file names, hash values, URLs, and IP addresses that are named in the rest of this report.

Continue reading “New Ransomware-Wave Analysis”

Continue reading
Breaking
by Brian Butterly

Notes on Hijacking GSM/GPRS Connections

As shown in previous blogposts we regularly work with GSM/GPRS basestations for testing devices with cellular uplinks or to simply run a private network during TROOPERS. Here the core difference between a random TROOPERS attendee and a device we want to hack is the will to join our network, or not! While at the conference we hand out own SIM cards which accept the TROOERPS GSM network as their “home network” some device need to be pushed a little bit.
Continue reading “Notes on Hijacking GSM/GPRS Connections”

Continue reading
Breaking
by Stefan Kiese

Gotta Catch ‘Em All! – WORLDWIDE! (or how to spoof GPS to cheat at Pokémon GO)

The moment, when your team leader asks you to cheat at Pokémon GO…everyone knows it, right? No? Well, I do 😉

GPS Spoofing Setup
GPS Spoofing Setup

As I’m not a gamer, the technical part was of much more interest – that’s the real gaming for me.
So, challenge accepted!

Continue reading “Gotta Catch ‘Em All! – WORLDWIDE! (or how to spoof GPS to cheat at Pokémon GO)”

Continue reading
Breaking
by Sven Nobis

Jenkins Remoting RCE II – The return of the ysoserial

Jenkins Logo

Jenkins is a continuous integration server, widely used in Java environments for building automation and deployment. The project recently disclosed an unauthenticated remote code execution vulnerability discovered by Moritz Bechler. Depending on the development environment, a Jenkins server can be a critical part of the infrastructure: It often creates the application packages that later will be deployed on production application servers. If an attacker can execute arbitrary code, s/he can easily manipulate those packages and inject additional code. Another scenario would be that the attacker stealing credentials, like passwords, private keys that are used for authentication in the deployment process or similar.

Continue reading “Jenkins Remoting RCE II – The return of the ysoserial”

Continue reading
Breaking
by Wojtek Przibylla

Some infos about SAP Security Note 2258786

On the 8th of March SAP released the security note for a vulnerability we reported during an assessment of a SAP landscape. The issue affects the SAP NetWeaver Web Administration Interface.  By knowing a special URL a malicious user can acquire version information about the services enabled in the SAP system as well as the operating system used.  We wanted to share some details on the issue.
Continue reading “Some infos about SAP Security Note 2258786”

Continue reading
Breaking
by Hendrik Schmidt

VoLTE Security Analysis, part 2

In our talk IMSEcure – Attacking VoLTE Brian and me presented some theoretical and practical attacks against IP Multimedia Subsystems (IMS). Some of the attacks already have been introduced in a former blogpost and Ahmad continued with a deeper analysis of the Flooding and targeted DoS scenario. But still, there are some open topics I’d like to continue with now. The methods I am demonstrating here also help to get a better understanding of VoLTE/IMS and how it is implemented on modern smartphones.
Continue reading “VoLTE Security Analysis, part 2”

Continue reading
Events
by Hendrik Schmidt

Area41 Conference 2016

Last Friday, Brian and I were at the  Area41 Security Conference. The conference is a branch of Defcon conference and is more or less a small conference of the Swiss hacker community. Being in a “rock music club”, the speakers presented on a stage where usually the rock stars are performing – which gives the conference a very special flair and an interesting atmosphere. We’ve been at the conference to present our research about VoLTE technology including some attack scenarios we’ve evaluated in the past. More on this later, let’s first talk about the conference itself.
Continue reading “Area41 Conference 2016”

Continue reading