Internal workshops are one of the recurring events at ERNW that help us gain knowledge in areas outside our usual expertise. One of the recent workshops, which took place during the week of August 22nd-25th, was Hardware Hacking. Held by Brian Butterly (@BadgeWizard) and Dominic Spill (@dominicgs), this workshop was split into two parts. Brian kickstarted the introductory session by guiding us through the fundamental steps of hardware hacking. Brian did an excellent job of making things simpler by giving a detailed explanation of the basic concepts. For a beginner in hardware hacking, the topic can be rather intimidating if not handled properly.
On September 16th Apple released the new version of its mobile operating system, iOS 9. Like several versions before it, this new iteration suffers from a weakness that makes it possible to bypass the lockscreen without entering the respective PIN code. Exploiting this flaw requires Siri to be enabled and physical access to the phone. A successful exploitation results in a major loss of confidentiality, as all photos and all contacts in the phonebook can be accessed by the attacker. The following steps lead to the lockscreen bypass: Continue reading “New iOS Version – New Lockscreen Bypass”
At the end of May, eight ERNW members travelled to Moscow (Russia) to visit the PHDays V conference. It was a very nice trip: we met a lot of friendly people, ate some great food and had quite some fun in this exciting and history-laden metropolis, and we were able to get around using hands and feet (and Google Translate ;-)).
The remainder of this post contains summaries of some of the most interesting talks at PHDays V:
There are lots of interesting places to visit in Amsterdam, but if you are there between the 26th and the 29th of May, then our booth at HAXPO exhibition should be your main destination.
HAXPO is a great exhibition where you can get up to date with the latest security technologies, attend various workshops and get in touch with more than 35 IT and information security companies. It will take place in the beautiful historical building “Beurs van Berlage” in the center of Amsterdam. As usual, ERNW will take part in HAXPO. We will be waiting for you in the Community Village section (booth NL-018). Come visit and get to know more about us. You are invited to take our hacking challenges, whose levels of complexity range from beginner to advanced. Furthermore, we will bring our KNX hacking suitcase!
In addition to the exhibition, HAXPO offers a very interesting track of must-see briefings about security and cutting-edge innovations. Don’t miss the talks held by ERNW members! On May 29th, you will see Oliver Matula and Christopher Scheuring with their talk “When You Stare into the Sandbox, It Stares Back at You: Evaluating the APT Armor”. On the same day Rafael Schaefer and Jason Salazar will lead you through “Pentesting in the Age of IPv6”.
During one of our latest web application code review projects I came across a vulnerability that I think is worth talking about. It is an injection-based attack against XML parsers which abuses a rarely required feature called external entity expansion. The XML specification allows XML documents to define entities which reference resources external to the document, and parsers typically support this feature by default. If an application parses XML input from untrusted sources and the parsing routine is not properly configured, this can be exploited by an attacker with a so-called XML external entity (XXE) injection. A successful XXE injection attack could allow an attacker to access the file system, cause a DoS or inject script code (e.g. JavaScript to perform an XSS attack). Continue reading “XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]”
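As an added illustration of the hardening the paragraph above calls for (this is example code written for this page, not code from the original post or from the Batik project), the following Python snippet shows the two defensive layers an XML ingestion routine should have when the input is untrusted: refuse any document that carries a DOCTYPE (and therefore any entity declaration) before it reaches the parser, and additionally disable external entity resolution in the parser itself. The sample documents, the element names and the entity URI are constructed for the demonstration.

```python
import re
import xml.sax
import xml.sax.handler

# Constructed sample input (not from the original post): a benign document ...
BENIGN_XML = b'<?xml version="1.0"?><order><item>widget</item><qty>3</qty></order>'

# ... and a document that declares an external entity, the shape an XXE attempt takes.
# The URI is a placeholder; the point is that the document is rejected before parsing.
DTD_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<order><item>&ext;</item></order>'
)

# XML keywords are case-sensitive, so matching case-insensitively is deliberately
# over-conservative: a DOCTYPE that only appears inside a comment is rejected too.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def has_dtd(data: bytes) -> bool:
    """True if the document carries a DOCTYPE declaration (internal or external subset)."""
    return _DOCTYPE_RE.search(data) is not None


class _Collector(xml.sax.handler.ContentHandler):
    """Collects element text into a flat {tag: text} dict; enough for the demo."""

    def __init__(self):
        super().__init__()
        self.data = {}
        self._buf = []

    def startElement(self, name, attrs):
        self._buf = []

    def characters(self, content):
        self._buf.append(content)

    def endElement(self, name):
        text = "".join(self._buf).strip()
        if text:
            self.data[name] = text
        self._buf = []  # reset so a parent does not inherit its last child's text


def parse_untrusted(data: bytes) -> dict:
    """Parse XML from an untrusted source with DTDs refused and external entities disabled."""
    if has_dtd(data):
        # Layer 1: no DTD means no entity declarations at all, internal or external.
        raise ValueError("DTD/DOCTYPE not allowed in untrusted XML input")
    parser = xml.sax.make_parser()
    # Layer 2: even if a DTD slipped through, the parser must not fetch external resources.
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    handler = _Collector()
    parser.setContentHandler(handler)
    parser.feed(data)
    parser.close()
    return handler.data


if __name__ == "__main__":
    print(parse_untrusted(BENIGN_XML))
    try:
        parse_untrusted(DTD_XML)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE outright is the simplest robust option: it removes internal entity expansion (the "billion laughs" DoS variant) along with external entities, and it does not depend on remembering the parser-specific feature flags for every library in use.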
During one of our last projects in a large environment we encountered an interesting flaw. Although it was not possible to exploit it in this particular context, it’s worth mentioning here. The finding was about Cross-Site Request Forgery, a quite well-known attack that forces a user to execute unintended actions within the authenticated context of a web application. With a little help from social engineering (like sending a link via email or chat, embedding code in documents, etc.) an attacker may force the user to execute actions of the attacker’s choice. Continue reading “Cross-Site Request Forgery with Cross-Origin Resource Sharing”
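The server-side checks that defeat the attack described above, as an added example for this page (not code from the original post): a state-changing request is accepted only if its Origin (or, failing that, Referer) matches an allowlisted origin exactly and the submitted synchronizer token equals the one stored in the session, compared in constant time. The application origin, the header values and the session contents are hypothetical, constructed for the demonstration. The exact-match rule matters for the CORS side of the story too: a substring or prefix comparison would accept a lookalike host such as app.example.test.evil.test.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical application origin (scheme + host [+ port]); not from the original post.
ALLOWED_ORIGINS = {"https://app.example.test"}


def issue_csrf_token() -> str:
    """Unguessable per-session token; the server stores it in the session at login."""
    return secrets.token_urlsafe(32)


def origin_is_allowed(origin: Optional[str], referer: Optional[str]) -> bool:
    """Exact-match the request source against the allowlist; never use substring tests."""
    candidate = origin
    if not candidate and referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            candidate = f"{parts.scheme}://{parts.netloc}"
    if not candidate:
        return False  # no source information at all: refuse state-changing requests
    return candidate in ALLOWED_ORIGINS


def csrf_token_is_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison so the token cannot be recovered byte by byte."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token.encode(), submitted.encode())


def accept_state_changing_request(headers: dict, form: dict, session: dict) -> bool:
    """Both layers must pass: trusted origin AND a matching synchronizer token."""
    return (origin_is_allowed(headers.get("Origin"), headers.get("Referer"))
            and csrf_token_is_valid(session.get("csrf_token"), form.get("csrf_token")))


if __name__ == "__main__":
    # Constructed requests against a constructed session.
    session = {"csrf_token": issue_csrf_token()}
    good = {"Origin": "https://app.example.test"}
    lookalike = {"Origin": "https://app.example.test.evil.test"}
    print(accept_state_changing_request(good, {"csrf_token": session["csrf_token"]}, session))
    print(accept_state_changing_request(lookalike, {"csrf_token": session["csrf_token"]}, session))
```

Either check alone is weaker than both together: the origin check fails open if the browser strips both headers and the application wrongly treats that as trusted, and the token check is undone if the token is ever exposed to a cross-origin reader, which is exactly what an over-permissive CORS configuration can do.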
From the 15th to the 17th of May, the sixth Google I/O conference took place in San Francisco, California, and I was one of the lucky guys attending. More than 5500 people, primarily web, mobile and enterprise developers, attended this annual event. A lot of presentations included announcements of new and exciting technologies and APIs as well as two new devices.
During the first minutes of the keynote some of Google’s managers announced that by now over 900 million Android devices are activated and that 48 billion apps are installed, which demonstrates that this market is still growing heavily. As the major part of the audience were (app) developers, these numbers were received quite gratefully and euphorically.
Some of the presentations announced new services as well as new features and designs for existing services like:
Google Play Music All Access, which makes it possible to stream music legally for a monthly fee (comparable to Spotify).
Underwater Streetview, where Google tries to capture all coral reefs worldwide in order to enable virtual diving.
The new user interface and features of Google+, which make it easier to use the social network while providing more functionalities (e.g. automated sorting and quality assurance of uploaded holiday pictures).
Google Maps, which now provides more intelligent localization features for users’ target locations as well as clouds hovering over the world in real time.
“Sign in with G+”, which is an OAuth2-based Single Sign-On that can be used to replace all kinds of web authentication mechanisms.
Of course, quite some talks dealt with the privacy-critical project Google Glass, which had been introduced at last year’s I/O. From a technical point of view Google Glass is an interesting project, not only due to its new “in-eye projection” technology. The voice interface also makes it easy to control the device: by saying “OK Glass, take a picture” the user’s current view is captured and directly uploaded – of course to Google servers. In addition, the integrated navigation system is an interesting feature which enables augmented navigation by means of semitransparent arrows displayed directly in the user’s field of view. However, there is the other side of the coin: privacy. All data that is captured by the device is processed by Google’s servers. The fact that one of the responsible Google managers answered the question of how Google handles the captured data and GPS data with “in the same way as Google handles all the other data that is collected by our other services” is not reassuring at that point. It rather suggests that, considering Lawful Interception as it exists in almost all countries (and in particular in the USA), Google Glass can turn into a surveillance instrument par excellence. Of course this does not only affect owners of Google Glass but also everyone who faces people wearing Google’s new toy. In fact, there is a tiny LED shining while the device is taking a video. However, this can easily be manipulated (e.g. with a sticker), and it is questionable whether the visibility of this LED is in appropriate proportion to the resolution of the integrated camera. In other words, it is possible to be filmed and photographed while walking in the streets without even being able to notice it. Since Glass is not publicly available so far, we have some time left to think about how to deal with this…
All in all, Google I/O was a very impressive and informative event. In a way I felt as amazed as a child when I saw all these crazy Android figures hanging around and was surrounded by remotely controlled zeppelins flying through the building.
Once again a vulnerability in Apple’s mobile operating system iOS was found by some guys from the Jailbreak Nation. The newest version of this operating system suffers from a weakness that makes it possible to unlock the lockscreen of all iPhones running iOS version 6.1. In this case it does not matter whether a PIN or a password is used to unlock the phone. After successful exploitation an attacker is able to see and edit contact information, to add new contacts to the phonebook, to view all pictures, to call the inbox or any of the contacts and to see and delete the list of recent calls or parts of it. Continue reading “Apple iOS and the history of a workin’ lockscreen… NOT”
During one of our pentests in a corporate environment we were to analyze an application server called Liferay. Liferay comes with a lot of functionality, runs on top of Apache Tomcat and includes a nice API that makes it very easy to add components or further functionality that are not part of the core. These (potentially self-made) “addons” are called “portlets” and they can be inserted anywhere in the frontend.
We quickly found an active default account (test@liferay.com : test), which immediately led to the question: how do we get access to the system layer through this application account? Because we were not aware of any portlet which provided the desired functionality, we decided to write one on our own and created a straightforward portlet for system-level command execution.
As mentioned above, Liferay offers an API for adding portlets to the core. This can be done by creating a standard WAR file which contains Java classes implementing the desired functionality and some – in this case Liferay-specific – XML-based configuration files. WAR files are often used to extend the functionality of Java servers (e.g. Tomcat can also be extended via WAR files); the file just needs to contain the application-specific XML files.
Our Java class includes an HTML form consisting of an input field and a button, which sends commands (via GET) to the server. On the server the input gets executed in a shell – a new Java HTTP shell is born. After some adjustments regarding the operating system and the Java compiler (1) we had a GET-parameter-based HTTP shell.
The following steps are necessary to deploy the shell portlet:
3.) Execute create.bat / create.sh [Note: javac and jar must be installed in the PATH.]
4.) Have fun with the ShellPortlet.war
How to deploy the war-file?
1.) Login to your Liferay-System with a privileged user-account and open http://yourdomain.com/group/control_panel/manage
2.) You should find a category called “Server” on the left side in the navigation. Click “Install Plugin” and on the next page click “Install more plugins” followed by “File Upload”.
3.) Upload the WAR file and use “tail -f $CATALINA_HOME/logs/catalina.out” or (on Windows) the Tomcat console to observe the logs for any error/exception. When everything worked you’ll find an entry like “1 Portlet for ShellPortlet is available for use”.
4.) Now go back to your main page via the link in the upper area, “Back to Liferay”. Then click “Add” -> “More” and you will see all categories in which the portlets are sorted.
5.) If everything went right you will find a category named “Ownage” in this list. Click on it and drag & drop the shell portlet anywhere on your website.
6.) Have fun playing! 🙂
This shows – once again – that it’s not that hard to gain system access via a (web) application. Everyone who runs web applications should secure the higher-privileged accounts with strong passwords or, better, deactivate them in case they are not needed. It also shows that – once again – comprehensive and reasonable hardening would have prevented the compromise of yet another system.
(1): The Java class must be compiled with the same compiler version that the Tomcat server is using. (E.g.: if Tomcat runs on JRE 1.6, the Java class in the WAR file must be compiled with the javac from JDK 1.6.)