Breaking

Your Mouse Got Sick and You Don’t Know it. aka “Reverse Shell via Mouse”

Ever got a backdoor installed on your computer by your beloved mouse? Here’s the story of a poor mouse that got really, really sick.

Agent "Danger Mouse"
Agent “Danger Mouse”

Do you remember the times where people put Teensy-boards and USB hubs in their mouses? [Chris? ;)] Their aim was to attach an additional Human Interface Device (HID, like keyboards or mouses) with some payload in kind of e.g. keystrokes or mouse movements. Also, there are devices available like the USB Rubber Ducky in the housing of a USB thumb drive.
The principle is easy: The tools are using a programmable microcontroller with the capability to emulate USB HID. That’s it. Just program your board of choice with the payload fitting your needs and plug it in at the target computer. The latter will recognize it as a keyboard/mouse and the payload-keystrokes will be entered.
But why should external hardware be used? Many modern gaming peripherals provide functions to store macros on them, including enough onboard memory for little payloads.

While we were working on the layout of this years’ Troopers-Badge, I felt uncomfortable using my touchpad, so I switched over to a Logitech G-series gaming mouse. This one worked like a charm – many buttons and the feature to store personal profiles on the mouse itself, which is perfect when you work on more than one machine.

But wait – macros and profiles stored on the mouse? Recall the lines above concerning the HID story.
Could it be possible to store a macro big enough to drop a reverse shell on a Windows target?
Actually – it could.
It’s just as simple as using the Logitech Gaming Software’s Command Editor. Choose a button, put a macro on it, fit the timings and go!
The only thing you should consider, that you’re limited to about 100 keystrokes. If there should be something dropped on the target, like an executable or a script, you should think about using FTP or Powershell to download it externally, like I did here.

In this Proof of Concept the marco opens the Windows Command Line and downloads Netcat via Windows’ own ftp.exe from an external FTP server. Afterwards, it launches Netcat in background mode, while a Netcat listener already is waiting on the remote machine.

https://youtu.be/LiC1jnT6b68

I think this kind of attack is dangerous due to its minimal effort and people trusting their mouses. Who would be afraid of a manipulated mouse, while being away for just 2 minutes to grab a cold Mate drink in the kitchen? The mouse’s software in this example offers the option to delay the keystrokes. Consider, the mouse acts like usual and after 30 or 60 seconds the bad magic happens, and it would take only a few seconds, so you might even miss the chance to see the windows popping up.

 

Live long and prosper,

Stefan

Continue reading
Breaking

Remote Code Execution via Server Side Template Injection at OFBiz 13.07.03 (CVE-2016-4462)

Dear Reader,

this blog post is about Server Side Template Injections for the Apache Freemarker Template Engine, how to detect them, how to craft an exploit and what countermeasures can be implemented. Server Side Template Injections are critical because they often allow even Remote Code Execution, like the exploit of Apache OFBiz 13.07.03 that triggered this post in the first place. It is fair to note, that the exploit of Apache OFBiz requires a valid session with the server, but often this is just an inconvenience for an attacker.

Continue reading “Remote Code Execution via Server Side Template Injection at OFBiz 13.07.03 (CVE-2016-4462)”

Continue reading
Breaking

New Ransomware-Wave Analysis

In the context of a customer project, we examined a new variant of the Locky ransomware. As in the meantime stated by a law enforcement agency, this has been part of a large wave of attacks hitting various enterprises in the night from Tuesday (2016-07-26) to Wednesday.

As an initial attack vector, the attackers use emails with an attachment that probably even uses a 0day exploit, that enables the payload to be executed already when displayed in the MS Outlook preview.

The ransomware encrypts accessible documents and threatens victims to pay a ransom in order to be able decrypt the files. Further, the malware uses accessible network shares/drives for further spreading.

Further information is following in the next section.

It might help to create filtering rules based on the mentioned file names, hash values, URLs, and IP addresses that are named in the rest of this report.

Continue reading “New Ransomware-Wave Analysis”

Continue reading
Breaking

Notes on Hijacking GSM/GPRS Connections

As shown in previous blogposts we regularly work with GSM/GPRS basestations for testing devices with cellular uplinks or to simply run a private network during TROOPERS. Here the core difference between a random TROOPERS attendee and a device we want to hack is the will to join our network, or not! While at the conference we hand out own SIM cards which accept the TROOERPS GSM network as their “home network” some device need to be pushed a little bit.
Continue reading “Notes on Hijacking GSM/GPRS Connections”

Continue reading
Breaking

Gotta Catch ‘Em All! – WORLDWIDE! (or how to spoof GPS to cheat at Pokémon GO)

The moment, when your team leader asks you to cheat at Pokémon GO…everyone knows it, right? No? Well, I do 😉

GPS Spoofing Setup
GPS Spoofing Setup

As I’m not a gamer, the technical part was of much more interest – that’s the real gaming for me.
So, challenge accepted!

Continue reading “Gotta Catch ‘Em All! – WORLDWIDE! (or how to spoof GPS to cheat at Pokémon GO)”

Continue reading
Breaking

Jenkins Remoting RCE II – The return of the ysoserial

Jenkins Logo

Jenkins is a continuous integration server, widely used in Java environments for building automation and deployment. The project recently disclosed an unauthenticated remote code execution vulnerability discovered by Moritz Bechler. Depending on the development environment, a Jenkins server can be a critical part of the infrastructure: It often creates the application packages that later will be deployed on production application servers. If an attacker can execute arbitrary code, s/he can easily manipulate those packages and inject additional code. Another scenario would be that the attacker stealing credentials, like passwords, private keys that are used for authentication in the deployment process or similar.

Continue reading “Jenkins Remoting RCE II – The return of the ysoserial”

Continue reading
Breaking

Some infos about SAP Security Note 2258786

On the 8th of March SAP released the security note for a vulnerability we reported during an assessment of a SAP landscape. The issue affects the SAP NetWeaver Web Administration Interface.  By knowing a special URL a malicious user can acquire version information about the services enabled in the SAP system as well as the operating system used.  We wanted to share some details on the issue.
Continue reading “Some infos about SAP Security Note 2258786”

Continue reading
Breaking

VoLTE Security Analysis, part 2

In our talk IMSEcure – Attacking VoLTE Brian and me presented some theoretical and practical attacks against IP Multimedia Subsystems (IMS). Some of the attacks already have been introduced in a former blogpost and Ahmad continued with a deeper analysis of the Flooding and targeted DoS scenario. But still, there are some open topics I’d like to continue with now. The methods I am demonstrating here also help to get a better understanding of VoLTE/IMS and how it is implemented on modern smartphones.
Continue reading “VoLTE Security Analysis, part 2”

Continue reading