Building

Student Project – Audit Framework

Introduction

In 2021, ERNW collaborated with Hochschule Mannheim for their CEP (Cyber Security Entwicklungsprojekt) to build an auditing framework for testing operating system configurations against security procedures. This project is part of the education program of the university to give the students the chance to utilize the knowledge gained throughout the first semesters in a real world project. ERNW posed as the fictitious customer, providing a requirements document and regular meetings with all project groups for feedback. We planned to process and adapt the results for an open source auditing framework. Unfortunately, we were not able to finish this project yet, but we think the students should get some attention for their work independent from our side. So here is a short summary of what the students created and the corresponding repositories.
Continue reading “Student Project – Audit Framework”

Continue reading
Building

Release of PTE Analysis plugins for Volatility 3

I’m happy to announce the release of several plugins for Volatility 3 that allow you to dig deeper into the memory analysis. One of those plugins is PteMalfind, which is essentially an improved version of malfind. Another one is PteResolve which, similarly to the WinDBG command !pte, allows you to inspect Page Table Entry (PTE) information for e.g., a given virtual address. In this blog post we will have a closer look at these and more plugins, and the PteEnumerator base class and what you can do with it. The memory dump used for this blog post is available here. Some of the injection tools used in this blog post can be gathered from here.

Continue reading “Release of PTE Analysis plugins for Volatility 3”

Continue reading
Building

ERNW White Paper 70 – HL7 FHIR: Preserving Distributed Resource Integrity

With this blog post I am pleased to announce the publication of a new ERNW White Paper about the HL7 FHIR communication standard.

Introduction

Digital networking is already widespread in many areas of life. More and more medical devices are also being networked in the healthcare industry. This growth makes the development and use of new medical communication standards necessary since existing solutions can only meet the changing requirements with great effort. The HL7 FHIR standard is an example of such a medical communication standard. FHIR is said to have increased the interoperability between different medical contexts,e.g., administration, billing, and clinical care, to enable data exchange of various systems. The FHIR standard addresses the security risks associated with strongly networked communication from a large number of systems across the trust and organizational boundaries only indirectly because FHIR does not define mandatory security controls or requirements.

Continue reading “ERNW White Paper 70 – HL7 FHIR: Preserving Distributed Resource Integrity”

Continue reading
Building

Reversing C++ Without Getting a Heart Attack – DEvirtualize VIrtual Calls With Devi

TLDR: This blogpost presents devi, a tool that can help you devirtualize virtual calls in C++ binaries. It uses Frida to trace the execution of a binary and uncover the call sources and destinations of virtual calls. The collected information can then be viewed in IDA Pro, Binary Ninja, or Ghidra. The plugin adds the respective control-flow edges allowing further analysis (using different plugins) or simply providing more comfort when analyzing C++ binaries.

Continue reading “Reversing C++ Without Getting a Heart Attack – DEvirtualize VIrtual Calls With Devi”

Continue reading
Building, Misc

How can data from fitness trackers be obtained and analyzed with a forensic approach?

The use of Internet of Things devices is continuously increasing: People buy devices, such as smart assistants, to make their lives more comfortable or fitness trackers to assess sports activities. According to the Pew Research Center [1], every fifth American wears a device to track their fitness. In Germany, the number increases likewise. The increasing number of fitness trackers in use can also be seen in criminal proceedings, as there exist more and more cases where these devices provide evidence.

Which useful evidential information fitness trackers collect and how to analyze them forensically was part of a paper that we presented at WACCO 2020 this year [2]. The goal was to develop an open source program to support investigators analyzing data that fitness trackers provide and to give a general approach on how to analyze fitness trackers.

Continue reading “How can data from fitness trackers be obtained and analyzed with a forensic approach?”

Continue reading
Breaking, Building, Events

ACM WiSec 2020

Last week I attended ACM WiSec. Of course, only virtually. The first virtual conference I attended. Coincidentally, it was also the first conference I presented at. While the experience was quite different from a “real” conference, the organizers did a great job to make the experience as good as possible with, for example, a mattermost instance to interact with other conference participants.

In the following, I will list a few talks and papers that I either found very interesting or that generally stood out to me:

Continue reading “ACM WiSec 2020”

Continue reading
Breaking, Building

DNS exfiltration case study

Lately, we came across a remote code execution in a Tomcat web service by utilizing Expression Language. The vulnerable POST body field expected a number. When sending ${1+2} instead, the web site included a Java error message about a failed conversion to java.lang.Long from java.lang.String with value "3".

From that error message we learned a couple of things:

  • The application uses Java
  • We are able to execute EL expressions
  • Output from the EL engine is always returned as String

Whenever you are able to execute code within a Java Context, the most interesting part is to check whether we can get a Runtime object and execute arbitrary OS commands.

Sending ${Runtime.getRuntime()} resolves to java.lang.Runtime@de30bb. Great, so we can use Runtime.exec(String cmd) to execute arbitrary code? Continue reading “DNS exfiltration case study”

Continue reading