Some of us had the pleasure to visit this year’s REcon in Montreal, Canada. Unfortunately, work caught us just when we arrived back in Germany, so I haven’t had time to sit down and write down a few words so far. However, we think that what we’ve experienced at REcon is worth writing about.
Continue reading “REcon 2016 – A Quick Recap”
Notes on Hijacking GSM/GPRS Connections
As shown in previous blogposts we regularly work with GSM/GPRS basestations for testing devices with cellular uplinks or to simply run a private network during TROOPERS. Here the core difference between a random TROOPERS attendee and a device we want to hack is the will to join our network, or not! While at the conference we hand out own SIM cards which accept the TROOERPS GSM network as their “home network” some device need to be pushed a little bit.
Continue reading “Notes on Hijacking GSM/GPRS Connections”
Gotta Catch ‘Em All! – WORLDWIDE! (or how to spoof GPS to cheat at Pokémon GO)
The moment, when your team leader asks you to cheat at Pokémon GO…everyone knows it, right? No? Well, I do 😉
As I’m not a gamer, the technical part was of much more interest – that’s the real gaming for me.
So, challenge accepted!
Continue reading “Gotta Catch ‘Em All! – WORLDWIDE! (or how to spoof GPS to cheat at Pokémon GO)”
Continue readingJenkins Remoting RCE II – The return of the ysoserial
Jenkins is a continuous integration server, widely used in Java environments for building automation and deployment. The project recently disclosed an unauthenticated remote code execution vulnerability discovered by Moritz Bechler. Depending on the development environment, a Jenkins server can be a critical part of the infrastructure: It often creates the application packages that later will be deployed on production application servers. If an attacker can execute arbitrary code, s/he can easily manipulate those packages and inject additional code. Another scenario would be that the attacker stealing credentials, like passwords, private keys that are used for authentication in the deployment process or similar.
Continue reading “Jenkins Remoting RCE II – The return of the ysoserial”
Continue readingSnoopCon Guest Day
This year I had the pleasure to join the guest day of BT’s SnoopCon. There were quite a number of interesting talks throughout the day such as Continue reading “SnoopCon Guest Day”
Continue readingSome infos about SAP Security Note 2258786
On the 8th of March SAP released the security note for a vulnerability we reported during an assessment of a SAP landscape. The issue affects the SAP NetWeaver Web Administration Interface. By knowing a special URL a malicious user can acquire version information about the services enabled in the SAP system as well as the operating system used. We wanted to share some details on the issue.
Continue reading “Some infos about SAP Security Note 2258786”
VoLTE Security Analysis, part 2
In our talk IMSEcure – Attacking VoLTE Brian and me presented some theoretical and practical attacks against IP Multimedia Subsystems (IMS). Some of the attacks already have been introduced in a former blogpost and Ahmad continued with a deeper analysis of the Flooding and targeted DoS scenario. But still, there are some open topics I’d like to continue with now. The methods I am demonstrating here also help to get a better understanding of VoLTE/IMS and how it is implemented on modern smartphones.
Continue reading “VoLTE Security Analysis, part 2”
Area41 Conference 2016
Last Friday, Brian and I were at the Area41 Security Conference. The conference is a branch of Defcon conference and is more or less a small conference of the Swiss hacker community. Being in a “rock music club”, the speakers presented on a stage where usually the rock stars are performing – which gives the conference a very special flair and an interesting atmosphere. We’ve been at the conference to present our research about VoLTE technology including some attack scenarios we’ve evaluated in the past. More on this later, let’s first talk about the conference itself.
Continue reading “Area41 Conference 2016”
SAMLReQuest Burpsuite Extention
Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between a Service Provider (SP) and an Identification Provider (IdP). SAML is used in many Single Sign-On (SSO) implementations, when a user is authenticated once by IdP to access multiple related SPs. When a user requests to access a SP, it creates a SAML Authentication Request and redirects the user to IdP to be authenticated according to this authentication request. If the user is successfully authenticated, IdP creates a SAML authentication response and sends it back to SP through the user’s browser.
Continue reading “SAMLReQuest Burpsuite Extention”
Continue readingThe ULIN Story
Some of you might have noticed the articles, or the leaked manual itself, about a tool called ULIN. ULIN is a “bleeding-edge spy tool” for mobile communication networks. According to the manual, it is aimed to be a surveillance software for agencies (or others with enough money) for tracking and intercepting the Voice Calls and SMS of arbitrary phones. They call this “remote recording and geolocation of mobile handsets using 2G/3G/4G networks”.
Continue reading “The ULIN Story”