One interesting observation we make when testing complex environments is that at the bottom of huge technology stacks, there is usually a handful of shell scripts doing interesting stuff. More often than not these helper scripts are started as part of cron jobs running as root and perform basic administrative tasks like compressing and copying log files or deleting leftover files in temporary directories. Of course, these high privileges make them an interesting target for privilege escalation attacks and one class of vulnerability we reliably encounter in shell scripts is unsafe handling of globbing or filename expansions. Continue reading “Revisiting an Old Friend: Shell Globbing”
Continue readingCategory: Breaking
Getting 20k Inline-QR-Codes out of Burp
Lately we had to analyze QR-Codes in a pentest. Those held some random data which was used as a token for login and we wanted to know if that data was really random.
Continue reading “Getting 20k Inline-QR-Codes out of Burp”
Continue readingPenetration Testing Tools that (do not) Support IPv6
We just released a white paper authored by Antonios Atlasis that provides an overview which pentesting tools currently support IPv6 and how to (still) use them if that’s not the case. It can be found in our newsletter section.
Best
Enno
Continue readingScal(e)ing down Privacy
As you might know we are continuously doing research on medical devices. I presented some of the new results at Power of Community 2014 last week and we thought we would share some of the details with you here. The focus of the previous work was testing medical devices that are used in hospitals like patient monitors, syringe pumps or even MRIs. This time we looked at a device that every user can use at home and which is available to anyone on the market: A smart scale.
The scale implements some basic features as you might have guessed, that is measuring your weight. In this case there are a lot more additional features that you can use, e.g. measuring the air quality, the room temperature, your heart rate and your fat mass. The latter makes testing this device quite hard, because somebody has to step on it and the results were not funny at all and will be kept secret! 😉
Continue reading “Scal(e)ing down Privacy”
Continue readingGitHub Enterprise 2.0.0 Fixes Multiple Vulnerabilities
Recently we had the pleasure to take a look at GitHub’s Enterprise appliance. The appliance allows one to deploy the excellent GitHub web interface locally to host code on-site. Besides the well known interface, which is similar to the one hosted at github.com, the appliance ships with a separate interface called the management console, which is used for administrative tasks like the configuration of the appliance itself. This management interface is completely decoupled from the user interface.
During our assessment we focused on the management console where we found several vulnerabilities (others may have found them, too). On November 11, 2014 GitHub released a security advisory which included the most critical findings that have been fixed in GitHub Enterprise 2.0.0. Because the advisory doesn’t include any detailed information, we will discuss some of those vulnerabilities in detail.
Continue reading “GitHub Enterprise 2.0.0 Fixes Multiple Vulnerabilities”
Continue readingA “Please, Don’t Waste my Time” Approach and the Sourcefire/Snort Evasion
This is a guest post from Antonios Atlasis.
Yesterday we (Rafael Schaefer, Enno and me) had the pleasure to deliver together our talk at BlackHat Europe 2014 named Evasion of High-End IDPS Devices at the IPv6 Era (by the way, latest slides can be found here and the white paper here). In this talk we summarised all the IDPS evasion techniques that we have found so far. At previous blogposts I had the chance to describe how to evade Suricata and TippingPoint. In this post I am going to describe some other techniques that can be used to evade Snort, and its companion commercial version, Sourcefire. The tool used to evade these IDPS is – what else – Chiron.
The versions that we used for our tests are the latest available ones at the time of this writing, that is:
- Sourcefire, Model 3D7020 (63) Version 5.2.0.3 (Build 48), VDB version 216.
- Snort 2.9.6.2 GRE (build 77), Registered User’s Release Rules.
Continue reading “A “Please, Don’t Waste my Time” Approach and the Sourcefire/Snort Evasion”
Continue readingChiron – An All-In-One IPv6 Penetration Testing Framework
This is a guest post from Antonios Atlasis.
Last week I had the pleasure to give you my impressions regarding my experience about hacking for b33r at Ghent, that is, my participation at BruCON 2014 hacking conference. As I said among else, the reason that I was there was to present Chiron, my IPv6 penetration testing/security assessment framework, which was supported by the Brucon 5×5 program. The first version of Chiron had been presented at Troopers 14, during the IPv6 Security Summit.
Continue reading “Chiron – An All-In-One IPv6 Penetration Testing Framework”
Continue readingERNW’s Top 9 Burp Plugins
In the context of an internal evaluation, we recently had a look at most of the burp plugins available from the BApp store. The following overview represents our personal top 9 plugins, categorized in “Scanner Extensions”, “Manual Testing” and “Misc” in alphabetic order:
Continue reading “ERNW’s Top 9 Burp Plugins”
HackRF One the story continues…
Hello fellow frequency hoppers,
once again, we welcomed Michael Ossmann at the ERNW headquarters for fun with SDR. This time with Mike´s advanced SDR workshop. And to be up front about it…it was plain awesome. For everybody who is not familiar with Software Defined Radio (SDR): Let’s regard it as the ultimate tool when working with radio signals. Take a look a this to learn more.
Mike showed us the new revision of his HackRF One and explained us some more advanced techniques when it comes to Radio Frequnecies hacking. Compared to last time, the workshop focused on reversing signals and how to synthesize them. So this time we were crafting RF packets ourselves instead of just replaying a capture. This introduces different attack types which can be carried out over the air for example bruteforcing or fuzzing of radio devices.
HackRF One
We thought about some devices that would be worth taking a look at because you probably dont want to start reversing your car`s remote key.So we ended up analyzing “simpler” devices for training purposes and decided to mess around with a Shutter remote control and an Instant Messaging device.
The remote shutter control operates the shutter of a DSRL so you can take pictures without holding the camera in your hands. So a user could focus the cam and take pictures. An attacker on the other hand could take pictures when the camera is not supposed to or simply jam the reciever to prevent from pictures being taken. This was quite easy and worked very well, so we went on to other interesting devices…
Mike brought a modified version of the IM-Me (Instant Messenging device for children). We tried to record and analyze its signals to be able to spoof messages and run arbitrary shell commands on a remote system that has installed a special “IM-Me” Server application based on previous research. Our goal was to synthesize commands which are sent to the device e.g “ls”. The first step in doing this is to capture a clean signal and filter it properly to be able to demodulate the signal into binary data to process it further. Mike explaind pretty handy tricks to accomplish these tasks on which we will talk about in further posts, so stay tuned.
If yo are interested in the IM-me take a look at this and this to learn more.
So THANKS a lot Mike. It once again has been quite interesting to see
where RF testing is heading and how much more is to be learned on this field.
So long,
Wojtek & Brian
Some notes on VMware vCenter Operations Manager
While fairytales often start with “Once upon a time…”, our blogposts often start with “During a recent security assessment…” — and so does this one. This time we were able to spend some time on VMware’s vCenter Operations Manager (herein short: VCOPS). VCOPS is a monitoring solution for load and health of your vSphere environment. In order to provide this service, two virtual machines (analytics engine and Web-based UI) must be deployed (as a so-called vApp) that are configured on startup by various scripts (mainly /usr/lib/vmware-vcops/user/conf/install/firstbootcommon.sh) to match the actual environment and communicate via an OpenVPN tunnel that is established directly between the two machines. To gather the monitoring data, read-only access to the vCenter is required.
Continue reading “Some notes on VMware vCenter Operations Manager”
Continue reading