Building

IPv6 Extension Headers: New Features, and New Attack Vectors

This is a guest post from Antonios Atlasis

IPv6 introduces a lot of new features and consequently, a lot of new capabilities. Obviously, the most significant of them is the huge address space that it offers. However, this is not the only one. IPv6 also introduces the use of the IPv6 Extension Headers. The IPv6 header has been considerably simplified in comparison with IPv4 one. On the other hand, the IPv6 Extension Headers, not only do the “job” of most of the fields which were removed from the main header, but, additionally, they add many more. However, any new “technology” creates new attack opportunities and a “new” protocol, such as IPv6 could not be an exception, especially since its design and implementation is more complicated than it’s predecessor.

Continue reading “IPv6 Extension Headers: New Features, and New Attack Vectors”

Continue reading
Breaking

Apple iOS and the history of a workin’ lockscreen… NOT

Once again a vulnerability in Apples mobile operating system iOS was found by some guys of the Jailbreak Nation. The newest version of this operating system suffers from a weakness that makes it possible to unlock the lockscreen of all iPhones that use iOS version 6.1. In this case it does not matter whether a PIN or a password is used to unlock the phone. After successful exploitation an attacker is able to see and edit contact-information, to add new contacts to the phonebook, to view all pictures, to call the inbox or any of the contacts and to see and delete the list of recent calls or parts of it.
Continue reading “Apple iOS and the history of a workin’ lockscreen… NOT”

Continue reading
Breaking, Events

Paparazzi over IP

Almost every higher class DSLR on the market today features multiple and complex access technologies. To name a few, canons new flagship features IP connectivity wired via 802.3 as well as wireless via 802.11. All the big vendors are pushing these features to the market and advertise them with real time image transfer to the cloud. We have taken a look at the layer 2 and 3 implementations in the CamOS and the services running upon those, so here is what we found while examine the EOS 1D X:

Continue reading “Paparazzi over IP”

Continue reading
Breaking

Mobile Application Testing

Our new workshop about mobile application testing, held for the 1st time at the Troopers conference 2013, is coming closer. So I would like to take the opportunity and post an appetizer for those who are still undetermined if they should attend the workshop ;-).

While the topic of mobile application testing is a wide field that may contain reverse engineering, secure storage analysis, vulnerability research, network traffic analysis and so forth, in the end of the day you have to answer one question: Can I trust this application and run it on my enterprise devices? So first you have to define some criteria, which kind of behavior and characteristics of an application you regard as trustworthy (or not). Let us peek at malware … besides harming your devices and data, malware is typically:

  • obfuscated and/or encrypted
  • contains anti-debugging features
  • contains anti-reverse engineering features

This makes the analysis process a difficult task and comparing these characteristics especially to ordinary iOS applications from the AppStore, at least one is also true for these apps: Those are encrypted and are only decrypted at runtime on your Apple gadget ;-).

Continue reading “Mobile Application Testing”

Continue reading
Events

TROOPERS13: TelcoSecDay, IPv6 Security Summit and some more Updates

Here’s a number of updates as for upcoming TROOPERS13.

The preliminary agenda for this year’s TelcoSecDay can be found here.

Here‘s the (again: preliminary) agenda of the IPv6 Security Summit.

Last, but not least we’ve included another four talks in the main conference:

======

Sergey Bratus & Travis Goodspeed: You wouldn’t share a syringe. Would you share a USB port?

Synopsis: Previous work has shown that a USB port left unattended may be subject to pwnage via insertion of a device that types into your command shell (e.g. here). Impressive attack payloads have been delivered over USB to jailbreak PS3 and a “smart TV“. Not surprisingly, USB stacks started incorporating defenses such as device registration, USB firewalls, and other protective kits. But do these protective measures go far enough to let you safely plug in a strange thumb drive into your laptop’s USB port?

We demonstrate that the scope of the OS code manipulation feasible through a USB port is much broader than could be expected. USB stack abuse is not limited to emulating HID keyboards or a few exotic devices — it is a clear and present danger throughout the USB software stack and can reach into any part of the operating system kernel and driver code. We show a simple development environment that is capable of emulating any USB device to engage whatever software on the host computer is meant to interact with such devices — and break any and all of the assumptions made by such software, leading to pwnage. In a nutshell, sharing a USB port belongs in the past — just as the era of downloading arbitrary executables and other Internet “free love”.

 

Continue reading “TROOPERS13: TelcoSecDay, IPv6 Security Summit and some more Updates”

Continue reading
Building

Fragmentation (overlapping) attacks in IPv6. Have we learned our lesson, yet?

This is a guest post from Antonios Atlasis

It has been a year since fragmentation attacks in IPv6 were last examined publicly (in Black Hat Europe 2012). Issues well known from the IPv4 era appeared again in IPv6. Surprisingly enough, some of the most popular Operating Systems (OS), included ones considered “secure”, were proven to be vulnerable to such attacks, although fragmentation overlapping is strictly forbidden in IPv6 since 2009 (RFC5722). Some other OS, although in a better shape, still appeared to have some issues in specific cases.

But a year has already passed since then and the vendors should have fixed these issues now; or not? Definitely, a significant progress (in some cases) has been made but, is this enough? In the IPv6 Security Summit that will take place during Troopers13, in the “Fragmentation Overlapping Attacks Against IPv6: One Year Later” presentation, various fragmentation overlapping scenarios will be tested to examine if such attacks can still be successful or not. Detailed results of extensive tests will be presented and any non-compliant behaviors will be further discussed regarding the potential security implications.

Continue reading “Fragmentation (overlapping) attacks in IPv6. Have we learned our lesson, yet?”

Continue reading
Events

Troopers 2013 – Third Round of Talks Selected

We’re very happy to announce the third round of Troopers 2013 talks today (first round here, second here).

So much quality stuff… it seems to get (ever) better every year ;-).

Here we go:

==================

Michael Ossmann & Dominic Spill: Introducing Daisho – monitoring multiple communication technologies at the physical layer.

Synopsis: Most communications media can be monitored and debugged at various levels of the stack, but we believe that it is most important to examine them at the physical layer. From there, the security of every level can be investigated and tested. The task of monitoring physical layer communications has become increasingly difficult as we try to squeeze more and more bandwidth out of our links. A passive tapping circuit can be used to monitor a 100BASE-TX connections, but no such circuit exists for 1000BASE-T networks.

Our solution to this problem is Project Daisho; an open source hardware and software project to build a device that can monitor high speed communication links and pass all of the data back to a host system for analysis. Daisho will include a modular, high bandwidth design that can be extended to monitor future technologies. The project will also produce the first open source USB 3.0 FPGA core, bringing high speed data transfer to any projects that build on the open platform.
As a proof of concept at this early stage, we will demonstrate monitoring of a low bandwidth RS-232 connection using our first round of hardware and discuss the challenges involved with the high speed targets such as 1000BASE-T and USB 3.0 that we will take on later this year.

Bios: Michael Ossmann is known for his experience with radio communications technology and open source hardware design, having produced both the Ubertooth and HackRF as well as regularly teaching workshops on software defined radio. He has spoken about his work with software defined radio and Bluetooth at Troopers, Black Hat, DEF CON, ToorCon, ShmooCon and more.

Dominic Spill has been building a Bluetooth packet sniffer since 2007; last year he took over as lead developer for the Ubertooth and has recently begun working with Michael on Daisho. He has previously presented his Bluetooth work at DEF CON, ShmooCon, USENIX WOOT, and Kiwicon.

Both speakers have a passion for building open source tools to allow curious people to examine the technologies and protocols that we use to communicate.

Continue reading “Troopers 2013 – Third Round of Talks Selected”

Continue reading
Events

Troopers 2013 – Second Round of Talks Selected

We’re very happy to announce the second round of Troopers 2013 talks today (first round here).
Some (well, actually most ;-)) of these talks haven’t been presented before, at any other occasion, so this is exciting fresh material which was/is prepared especially for Troopers.

Here we go:

==================

Andreas Wiegenstein & Xu Jia: Ghost in the Shell. FIRST TIME MATERIAL

Synopsis: Security conferences in the past years have made it clear, that common security vulnerabilities such as SQL Injection, XSS, CSRF, HTTP verb tampering and many others also exist in SAP software. This talk covers several vulnerabilities that are unique to SAP systems and shows how these can be used in order to bypass crucial security mechanisms and at the same time operate completely below the (forensic) Radar. We uncovered undocumented mechanisms in the SAP kernel, that allow launching attacks that cannot be traced back to the attacker by forensic means. These mechanisms allow to *actively* inject commands at any time into the running backend-session of an arbitrary logged on user, chosen by the attacker. We named this attack mechanism “Ghost in the Shell”. We will also demo how to use this attack vector to distribute malware to the attacked user’s client machine despite mechanisms in the SAP standard that are designed to prevent this.

Bios: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. As CTO, he leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications. Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as Troopers, BlackHat, HITB, RSA as well as many smaller SAP specific conferences. He is co-author of the first book on ABAP security (SAP Press 2009). He is also member of BIZEC.org [LINK], the Business Security Community.

Xu Jia is researching SAP security topics since 2006. His focus is on static code nalysis for ABAP and he is the lead architect for a commercial SCA tool. Working in the CodeProfiler Research Labs at Virtual Forge, he also analyzes (ABAP) security defects in SAP standard software. Xu has submitted a significant number of 0-days to SAP, including multiple new forms of attack that are specific to SAP software. He already presented some of his research at the 16th IBS security conference, 2012 in Hamburg.

Continue reading “Troopers 2013 – Second Round of Talks Selected”

Continue reading
Breaking

Analysis of Rails XML Parameter Parsing Vulnerability

This post tries to give an overview about the background and impact of the new Rails XML parameter parsing vulnerability patched today.

The bug

The root cause of the vulnerability is Rails handling of formatted parameters. In addition to standard GET and POST parameter formats, Rails can handle multiple different data encodings inside the body of POST requests. By default JSON and XML are supported. While support for JSON is widely used in production, the XML functionality does not seem to be known by many Rails developers.

XML parameter parsing

The code responsible for parsing these different data types is shown below:

# actionpack/lib/action_dispatch/middleware/params_parser.rb 
....
DEFAULT_PARSERS = {
      Mime::XML => : xml_simple,
      Mime::JSON => :json
    }
....
def parse_formatted_parameters(env)
        ...
        when Proc
          strategy.call(request.raw_post)
        when : xml_simple, : xml_node
          data = Hash.from_xml(request.raw_post) || {}
          data.with_indifferent_access
        when :yaml
          YAML.load(request.raw_post)
        when :json
          data = ActiveSupport::JSON.decode(request.raw_post)
          data = {:_json => data} unless data.is_a?(Hash)
          data.with_indifferent_access
        else
          false
        end
...

Continue reading “Analysis of Rails XML Parameter Parsing Vulnerability”

Continue reading
Building

Insider Threats in the Cloud

at first a happy new year to all our readers!
And, of course, to everybody else, too ;-). May 2013 bring good things for you all, in particular (but not only) in the infosec space.

At the recent ATSAC 2012 conference a guy from the CERT Insider Threat Center gave a talk on the exact topic. Given that the ENISA Cloud Computing Risk Assessment lists “Cloud Provider Malicious Insider” as one of the top eight risks (out of overall 35 risks evaluated) and we just had some discussion about this in a customer environment, this might be of interest for some readers.

The slides of the talk can be found here.

best

Enno

Continue reading