Breaking – Page 14 – Insinuator.net

February 23, 2015 by Felix Wilhelm

The Dangers of x86 Emulation: Xen XSA 110 and 105

Xen Logo

Developing a secure and feature rich hypervisor is no easy task. Recently, the open source Xen hypervisor was affected by two interesting vulnerabilities involving its x86 emulation code: XSA 110 and XSA 105. Both bugs show that the attack surface of hypervisors is often larger than expected. XSA 105 was originally reported by Andrei Lutas from BitDefender. The patch adds missing privilege checks to the emulation routines of several critical system instructions including LGDT and LIDT. The vulnerable code can be reached from unprivileged user code running inside hardware virtual machine (HVM) guests and can be used to escalate guest privileges. XSA 110 was reported by Jan Beulich from SUSE and concerns insufficient checks when emulating long jumps, calls or returns.

Continue reading “The Dangers of x86 Emulation: Xen XSA 110 and 105”

Breaking

January 28, 2015 by Enno Rey

Evasion of Cisco ACLs by (Ab)Using IPv6 & Discussion of Mitigation Techniques

This is a guest post of Antonios Atlasis.

During our blogpost regarding DHCPv6 Guard evasion, one of the side-effects was that Access Control Lists (ACLs) configured to block access to UDP ports 546 can be evaded by abusing (again) IPv6 Extension headers. Having that in mind, we decided to check the effectiveness of Cisco IPv6 ACLs under various scenarios. Our goal was to examine whether the IPv6 ACLs of Cisco routers can be evaded, as well as under which conditions this can take place. To this end, several representative scenarios from enterprise environments or other potential ones are examined.

Continue reading “Evasion of Cisco ACLs by (Ab)Using IPv6 & Discussion of Mitigation Techniques”

Breaking

January 20, 2015 by Brian Butterly

Riding the Z-Wave, Part 1

Simple everyday work dialog:
“The heater in the basement is still missing a proper thermostat, the ‘binary solution’ isn’t that effective”
– “Buy one…”
– “Ok”
– “Get one you can break…”
– “Ok, but then I’d like a few tools, too”
– “Go for it.”
(That’s the way work should be!)
Result of the dialog: a Danfoss Living Connect Z ( 014G0013 ) and a TI CC1100 Wireless Mini Dev Kit plus a copy of Z-Force to start with.
Goal: Talk to the thermostat!

Continue reading “Riding the Z-Wave, Part 1”

Breaking

January 15, 2015 by Brian Butterly

(In-)secure SD cards on WP8.1

During our first year of testing Windows Phone 8 applications we had yet another, let’s say: “surprising” finding. It all started with the first approaches on pentesting mobile applications on that new and rather closed platform. Lacking jailbreak, root, and similar approaches we had a closer look at alternate approaches to have a look at an apps interior. We quickly hooked onto using modified firmwares (with deeper system access) and found a perfect solution in a little flaw concerning the handling of SD cards in WP8.1. A flaw that was, sadly for us, fixed silently….

Continue reading “(In-)secure SD cards on WP8.1”

Breaking

January 2, 2015 by Hendrik Schmidt

Telco Research 2015

Hello and a happy new year 2015 to everybody!

As follow up of our 2014 talk “LTE vs. Darwin” I want to inform you about our telco research in 2015. We are currently dealing with the so called IP Multimedia Subsystem (IMS), which handles the call and media logic of 4G telecommunication networks. This network part provides functions like VoIP (or VoLTE) and takes care of the interconnection to other call or media related networks.
Continue reading “Telco Research 2015”

Breaking

December 23, 2014 by Felix Wilhelm

Revisiting an Old Friend: Shell Globbing

One interesting observation we make when testing complex environments is that at the bottom of huge technology stacks, there is usually a handful of shell scripts doing interesting stuff. More often than not these helper scripts are started as part of cron jobs running as root and perform basic administrative tasks like compressing and copying log files or deleting leftover files in temporary directories. Of course, these high privileges make them an interesting target for privilege escalation attacks and one class of vulnerability we reliably encounter in shell scripts is unsafe handling of globbing or filename expansions. Continue reading “Revisiting an Old Friend: Shell Globbing”

Breaking

December 19, 2014 by Benjamin Schwendemann

Getting 20k Inline-QR-Codes out of Burp

Lately we had to analyze QR-Codes in a pentest. Those held some random data which was used as a token for login and we wanted to know if that data was really random.

Continue reading “Getting 20k Inline-QR-Codes out of Burp”

Breaking

December 11, 2014 by Enno Rey

Penetration Testing Tools that (do not) Support IPv6

We just released a white paper authored by Antonios Atlasis that provides an overview which pentesting tools currently support IPv6 and how to (still) use them if that’s not the case. It can be found in our newsletter section.

Best

Enno

Breaking

November 22, 2014 by Florian Grunow

Scal(e)ing down Privacy

As you might know we are continuously doing research on medical devices. I presented some of the new results at Power of Community 2014 last week and we thought we would share some of the details with you here. The focus of the previous work was testing medical devices that are used in hospitals like patient monitors, syringe pumps or even MRIs. This time we looked at a device that every user can use at home and which is available to anyone on the market: A smart scale.

The scale implements some basic features as you might have guessed, that is measuring your weight. In this case there are a lot more additional features that you can use, e.g. measuring the air quality, the room temperature, your heart rate and your fat mass. The latter makes testing this device quite hard, because somebody has to step on it and the results were not funny at all and will be kept secret! 😉

Continue reading “Scal(e)ing down Privacy”

Breaking

November 17, 2014 by Niklaus Schiess

GitHub Enterprise 2.0.0 Fixes Multiple Vulnerabilities

Recently we had the pleasure to take a look at GitHub’s Enterprise appliance. The appliance allows one to deploy the excellent GitHub web interface locally to host code on-site. Besides the well known interface, which is similar to the one hosted at github.com, the appliance ships with a separate interface called the management console, which is used for administrative tasks like the configuration of the appliance itself. This management interface is completely decoupled from the user interface.

During our assessment we focused on the management console where we found several vulnerabilities (others may have found them, too). On November 11, 2014 GitHub released a security advisory which included the most critical findings that have been fixed in GitHub Enterprise 2.0.0. Because the advisory doesn’t include any detailed information, we will discuss some of those vulnerabilities in detail.

Continue reading “GitHub Enterprise 2.0.0 Fixes Multiple Vulnerabilities”