In our talk IMSEcure – Attacking VoLTE Brian and me presented some theoretical and practical attacks against IP Multimedia Subsystems (IMS). Some of the attacks already have been introduced in a former blogpost and Ahmad continued with a deeper analysis of the Flooding and targeted DoS scenario. But still, there are some open topics I’d like to continue with now. The methods I am demonstrating here also help to get a better understanding of VoLTE/IMS and how it is implemented on modern smartphones.
Continue reading “VoLTE Security Analysis, part 2”
Area41 Conference 2016
Last Friday, Brian and I were at the Area41 Security Conference. The conference is a branch of Defcon conference and is more or less a small conference of the Swiss hacker community. Being in a “rock music club”, the speakers presented on a stage where usually the rock stars are performing – which gives the conference a very special flair and an interesting atmosphere. We’ve been at the conference to present our research about VoLTE technology including some attack scenarios we’ve evaluated in the past. More on this later, let’s first talk about the conference itself.
Continue reading “Area41 Conference 2016”
SAMLReQuest Burpsuite Extention
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between a Service Provider (SP) and an Identification Provider (IdP). SAML is used in many Single Sign-On (SSO) implementations, when a user is authenticated once by IdP to access multiple related SPs. When a user requests to access a SP, it creates a SAML Authentication Request and redirects the user to IdP to be authenticated according to this authentication request. If the user is successfully authenticated, IdP creates a SAML authentication response and sends it back to SP through the user’s browser.
Continue reading “SAMLReQuest Burpsuite Extention”
Continue readingThe ULIN Story
Some of you might have noticed the articles, or the leaked manual itself, about a tool called ULIN. ULIN is a “bleeding-edge spy tool” for mobile communication networks. According to the manual, it is aimed to be a surveillance software for agencies (or others with enough money) for tracking and intercepting the Voice Calls and SMS of arbitrary phones. They call this “remote recording and geolocation of mobile handsets using 2G/3G/4G networks”.
Continue reading “The ULIN Story”
IPv6 & Threat Intelligence
Tomorrow, I will join a meeting where I’m expected to contribute, amongst others, to a discussion on the impact of IPv6 on threat intelligence. To prepare for that I started putting together some thoughts & ideas on the topic, and I even thought I might share this in a post (the one you read right now ;-), not least to, maybe, stimulate a discussion.
Continue reading “IPv6 & Threat Intelligence”
Continue readingNew Methods for Exploiting ORM Injections in Java Applications (HITB16)
The HITBSecConf or “Hack In The Box” in Amsterdam is a well known security conference in Europe. We also attended this year too, and there were quite some interesting talks at the HITBSecConf16 conference. One of the talks was about “New Methods for Exploiting ORM Injections in Java Applications” by the security researchers Mikhail Egorov and Sergey Soldatov.
Continue reading “New Methods for Exploiting ORM Injections in Java Applications (HITB16)”
Continue readingImplementing an Obsolete VPN Protocol on Top of HTTP: Because Why Not?
Recently I’ve started some research on MikroTik’s RouterOS, the operating system that ships with RouterBOARD devices. As I’m running such a device myself, one day I got curious about security vulnerabilities that have been reported on the operating system and the running services as it comes with tons of features. Searching for known vulnerabilities in RouterOS on Google doesn’t really yield a lot of recent security related stuff. So I thought, there is either a lack of (public) research or maybe it is super secure… 🙂
Not really satisfied with the outcome of my research about previous research one day I thought I give it a shot and just take a quick look at the management interfaces, mainly the web interface. As it turns out, there could be a third explanation for the lack of security related search results on Google: obfuscation. The communication of the web interface is obfuscated, most likely encrypted, which may discourages researchers that just came around to search for low hanging fruits. Continue reading “Implementing an Obsolete VPN Protocol on Top of HTTP: Because Why Not?”
Continue readingTelescope – Peering Into the Depths of TLS Traffc in Real-Time (HITB16)
Last week we have visited the HITBSecConf16 – conference in Amsterdam.
There were many interesting talks, and in this post I am going to tell you about a talk held by Radu Caragea – “Telescope: Peering Into the Depths of TLS Traffic in Real-Time”.
Continue reading “Telescope – Peering Into the Depths of TLS Traffc in Real-Time (HITB16)”
CVE-2016-1409 – IPv6 NDP DoS Vulnerability in Cisco Software
Dear readers,
As you may have already noticed, Cisco released an urgent security advisory describing an IPv6 Neighbor Discovery DoS Vulnerability in several flavors of Cisco’s operating systems. Currently IOS-XR, XE and NX-OS are affected while ASA and “classic” IOS are under investigation. At first glance, it might look like yet another IPv6 DoS vulnerability. Looking closer, Cisco is mentioning an unauthenticated, remote attacker due to insufficient processing logic for crafted IPv6 NDP packets that are sent to an affected device. Following the public discussion about the vulnerability, it seems that these packets will reach the, probably low rate-limited, LPTS filter/queue on IOS XR devices “crowding” out legitimate NDP packets resulting in a DoS for IPv6 traffic, or in general a high CPU load as these packets will be processed by the CPU. More details are currently not available, but this might indicate the affected systems aren’t doing proper message validation checks on NDP packets (in addition to the LPTS filter/queue problem).
Continue reading “CVE-2016-1409 – IPv6 NDP DoS Vulnerability in Cisco Software”
Continue readingThe Beauty of IPv6 Link-Local Addressing. Not
In November 2014, after quite some controversy in the IETF OPSEC working group (for those interested look at the archives), the Informational RFC 7404 “Using Only Link-Local Addressing inside an IPv6 Network” was published. It is authored by Michael Behringer and Eric Vyncke and discusses the advantages & disadvantages of an approach using “only link-local addresses on infrastructure links between routers”.
Continue reading “The Beauty of IPv6 Link-Local Addressing. Not”
Continue reading