Day 2 kicked off with the great recovery breakfast from Securosis (thanks Rich) and Threatpost. I skipped the keynote today as the theme, although interesting, really didn’t sound like it would be worth missing the conversation at breakfast for. Seems like I was right, as at least 1 person fell asleep mid-keynote it seems. Maybe it was a late night 😉
[Mobile] Attacking SMS
RingZero –> https://luis.ringzero.net
These guys didn’t mess around. No fluff here. The first part of the presentation was a quick demo of a spoofed SMS message between 2 iPhones: an iPhone application sent an MMS message from a forged number (using AT&T’s 611 number as the source).
All research was completed on GSM networks. Nothing yet on the UMTS side.
SMS in these terms is a catch-all term used for SMS, MMS and other associated messaging technologies. SMS is a store and forward technology. When communicating SMS messages between carriers, the carrier often converts the message into an email to be transferred to the remote carrier and then returned to SMS format to be delivered once the recipient is back within signal coverage. MMS is much more involved.
Functionality is becoming ever more feature rich
Mobile phones are a unique attack surface as they’re always on. Turning the phone off only delays the delivery of the attack in this case (due to store and forward). It’s become much easier for attackers due to new platforms such as iPhone/Android.
HTTP –> MMS
TCP –> SMS
IP –> SMS
The SMS User Data Header (UDH) allows new functionality to be added to standard SMS (content information, splitting messages over multiple texts, …)
GSM modems support AT commands (AT+CMGS, AT+CMGW, etc.). Some phones expose their serial interface when you connect to them via Bluetooth. Some modems don’t support all AT commands.
PDUSpy http://www.nobbi.com/pduspy.htm –> for encoding things into a format that can be used in AT commands
Incoming messages can be read from the SIM (prior to any modifications that the phone may make) by using a SIM card reader and a modified version of pySimReader.
Implementation flaws discovered during testing:
- Android flaw in parsing UDH for concatenated messages
- SwirlyMMS (jailbroken iPhone) From field denial of service
  - Turns off CommCenter process indefinitely
  - Need to reset the SIM in another phone before service is restored
- Windows Mobile WAP push SL “Vulnerability”
  - Executes binary without notifying the user
  - Not a Microsoft issue!
  - Configuration error causes the vulnerability (registry key setting)
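A strict parser for the UDH element that splits a message over multiple texts, the structure the Android item above concerns. This is an added example, not code from the talk or from Android; the element layout (IEI 0x00 with an 8-bit reference, IEI 0x08 with a 16-bit reference) follows 3GPP TS 23.040, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of the concatenation element in an SMS User Data Header. */
struct concat_info { uint16_t ref; uint8_t total; uint8_t seq; };

/* buf starts at UDHL. Returns 1 = found, 0 = absent, -1 = malformed. */
int parse_udh_concat(const uint8_t *buf, size_t len, struct concat_info *out)
{
    if (len < 1) return -1;
    size_t udhl = buf[0];
    if (udhl > len - 1) return -1;               /* header longer than the data */
    const uint8_t *p = buf + 1, *end = p + udhl;
    int found = 0;
    while (p < end) {
        if (end - p < 2) return -1;              /* truncated IEI/IEDL pair */
        uint8_t iei = p[0], iedl = p[1];
        p += 2;
        if ((size_t)(end - p) < iedl) return -1; /* element overruns header */
        if (iei == 0x00 || iei == 0x08) {        /* 8-bit / 16-bit reference */
            size_t want = (iei == 0x00) ? 3 : 4;
            if (iedl != want) return -1;
            uint8_t total = p[want - 2], seq = p[want - 1];
            if (total == 0 || seq == 0 || seq > total) return -1;
            out->ref = (iei == 0x00) ? p[0] : (uint16_t)((p[0] << 8) | p[1]);
            out->total = total; out->seq = seq;
            found = 1;
        }
        p += iedl;
    }
    return found;
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t udh_ok8[]      = {0x05, 0x00, 0x03, 0x2A, 0x02, 0x01};
static const uint8_t udh_ok16[]     = {0x06, 0x08, 0x04, 0x12, 0x34, 0x03, 0x02};
static const uint8_t udh_seq_zero[] = {0x05, 0x00, 0x03, 0x2A, 0x02, 0x00};
static const uint8_t udh_overrun[]  = {0x05, 0x00, 0x09, 0x2A, 0x02, 0x01};

int main(void)
{
    struct concat_info ci = {0, 0, 0};
    printf("%d %d %d %d\n",
           parse_udh_concat(udh_ok8, sizeof udh_ok8, &ci),
           parse_udh_concat(udh_ok16, sizeof udh_ok16, &ci),
           parse_udh_concat(udh_seq_zero, sizeof udh_seq_zero, &ci),
           parse_udh_concat(udh_overrun, sizeof udh_overrun, &ci));
    return 0;
}
```

Every length field is checked against the bytes actually received before it is used, and a part number of zero or one greater than the declared total is rejected rather than passed on to reassembly.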
Carriers use SMS as a management tool for phones on their network. This opens the door for Architecture Attacks.
- Voicemail notifications
- Change settings (proxy settings, etc…)
It is possible to bypass all security features of the carrier by hosting the content on the attacker’s server. By sending a notification it’s possible to force the phone to connect back to the attacker’s server over HTTP. By examining the HTTP headers in the request (User-Agent, …) it’s possible to enumerate/force specific attacks on the target phone.
TAFT (There’s an Attack For That) –> Available on Cydia on 8/15 (earlier if you email and ask)
Jailbroken iPhone app (not submitted to the iPhone store)
Covers a number of the flaws mentioned in this presentation. The iPhone application sends the content to an attacker-owned system. The system then returns an MMS link which is sent to the carrier to be delivered to the target (bypassing all filters as it’s a notification and not a new message).
The iPhone is a good platform to run attacks against as the subject line of MMS messages is hidden from the user (they look exactly like an SMS to the user).
These issues are at the carrier and not on the phones. Carriers are currently attempting to fix, however it should still work. Carriers are however monitoring for this kind of attack while they work on a fix.
Attacking SMS in the future will become easier due to the increase in GSM capable hardware.
[Random] Mo’ Money, Mo’ Problems
Legal disclaimer… They did read it, honestly 😉
69% of companies that had been hacked were told about it by a third party. This means that making money the blackhat way is easier than it should be. Companies aren’t detecting the attacks as quickly as they should. However you don’t want to be the one who does get caught.
Fully targeted attacks are where the clever and profit-driven ($$$) attacks exist.
Holiday grinch-bot — Some contestants used scripts to buy items and win the contest. As these purchases were automated, other users began listing their items on eBay and fooled the bots into buying their items as well.
Hacking email accounts… “Is Dan Kaminsky here ?”
Review of the Strongwebmail contest ($10,000 to hack into the Strongwebmail webmail). The attackers found an XSS vulnerability in the Rackspace Webmail software and emailed email@example.com and the CEO saying they had won the contest. This prompted the CEO to open the email, which triggered the XSS vulnerability.
Hacker Croll’s attack on Twitter using the password reset. Because the secondary email account registered on Twitter (Hotmail) had been deactivated, he could re-register the account and get the password emailed to him.
Using affiliate links by forcing cookies to be set when a user views your page (no click required). By using referrer addresses you can set cookies based on where the user has been forwarded from (i.e. where the iframe was loaded). This can bypass the protections of affiliate link sites. The attack required 2 websites (both unconnected) that force iframes to be opened based on referrer links.
Poisoning Google Maps — Add your own business to Google Maps. Add 1,000 new businesses (with a similar name) around your competitor’s address to make it harder to find them.
Money laundering through iTunes store – Market your own music through a 3rd party company to iTunes, then use stolen credit cards to purchase their songs and profit. In this case (UK based) they bought over $825,000 in songs, however were caught as they didn’t try to hide their tracks.
Playing with permit systems –> Brazilian timber permit site was hacked, which allowed $833,000,000 worth of timber to be stolen. In the US, 70 FAA websites were tested and 763 high-risk vulnerabilities were discovered. These exposed systems such as air traffic control.
Vulnerable systems are not hard to find. Learning the skills to exploit them is also not hard. The problem begins when you need to think of what to do with the money.
[Hardware] “Smart” Parking Meter Implementations, Globalism, and You
This talk… protected by the EFF 😉
These systems are taken for granted. Located all over the world, and basically miniature computers. The industry is so large that it’s become a target. $28 billion annual industry.
Attacks have serious implications
The case study is the San Francisco Municipal Transport Agency (MTA); however, these attacks affect systems far beyond this.
New systems are pure electronic smart systems. The infrastructure allows for separation of duty: viewing logs, maintenance, payment retrieval. This was designed to prevent fraud being committed by employees.
Administrator interfaces can be visible, or embedded. RFID hidden within the coin slot. As well as standard interfaces like Wireless (RF, GPRS), Serial (sometimes through things like the key slot), Infrared.
Can you tazer a meter and get it to reset ?
General process of research
- Attack postulation
  - Covert channels/message passing via LCD
  - Denial of Service
  - Set meter to “Out of Order”
  - Destruction of smartcard or coin processing circuits
  - Cause legitimate user to be added to fraud blocklist (if used)
  - Immediate deduction of credit
  - Audit log retrieval/modification
  - Change date/time
  - Unlimited payment via smartcard
- Information gathering
  - Social engineering
  - Crawling the internet
  - Dumpster diving
  - Acquire target hardware
- Hardware analysis
  - Disassemble hardware
  - Identify components
  - Typically different models (even between manufacturers) are based on the same components
- Firmware analysis (optional – based on attack)
  - Extract program code
  - Quick run-through with strings
  - Disassembly and reverse engineering
  - Clues to possible entry points
- Smartcard analysis
  - Monitor communications
  - Decode communications
  - Protocol analysis
  - Interact with the reader
The attack on the San Francisco system was made possible as the MacKay model (Guardian) in use was based on a previous revision that was available to be purchased and reversed. This goes to prove that you can find vulnerabilities by looking at older versions of the same device.
$35 Million pilot program to replace 23,000 mechanical meters in 2003. These systems are MacKay Guardian XLE models.
Payments are through stored value smart cards ($20 or $50). It is easy to replay communications to obtain unlimited parking –> Found using an oscilloscope capture of the smartcard transaction –> Succeeded in 3 days
ISO7816 compliant cards. Newer cards are using a microprocessor based solution that hinted at undocumented features, possibly for maintenance or administration.
Multiple captures were made (different serial numbers, different values). Once the data was captured it could be broken using a pen and paper.
CTC1 is the only value changed on the card. Based on the value of the card a set number of uses (CTC1 counter) are possible. It was also possible to set the card value to $999.99 by changing the value on the card (not unlimited, but close). The final phase of the attack was writing the code to a PIC Silver Card to make it easy and almost undetectable (just add a sticker on the card to make it look 100% authentic).
Code will be released – however un-weaponized to prevent exploitation. Code currently available on http://www.grandideastudio.com/portfolio/smart-parking-meters
[Virtualization] Cloudburst: Hacking 3D and exploiting vmware
Several other CVEs exist when it comes to VM attacks and vulnerabilities.
Security researchers rely too much on Virtual Machines to conduct security related work. It’s not beyond the realm of possibility that an attacker could write an exploit for Adobe that also breaks out of a VM.
Why attack the VM devices ?
- Doesn’t require low-low mojo
- Common to ALL VMware products
- They “run” on the host (vmware-vmx-process)
- They can be accessed from the guest (Through port I/O or memory-mapped I/O)
- They are written in C/C++
- Sometimes parse complex data
Around 10 virtual devices are installed by VMware (8 on VMware Player as it doesn’t support USB/Audio devices). VMware SVGA II was the one selected as most likely to yield results.
A combination of 3/4 bugs in the VMware emulated video device makes the exploitation possible.
- Host memory leak into the Guest
- Host arbitrary memory write from the guest
- Some additional DEP friendly goodness
VMware products affected: Workstation, Fusion (?), ESX Server 4.0 (RC2 Hardfreeze). The issues were silently patched on 31/02/2009. Cloudburst was released to CANVAS early updates 04/04/2009.
Lots of detailed information on the SVGA FIFO and how it interacts between the guest and the host.
During 2D rendering FIFO commands are used to mark changed regions in the frame buffer.
During 3D rendering FIFO commands are used as a transport layer for the architecture independent SVGA3D rendering protocol. This is much more complex than the 2D rendering.
Many SET commands within the 3D rendering appear to be flawed. There is no bounds checking, meaning that you can put negative numbers into the SET commands to overwrite arbitrary locations. Without knowing the value of ESI it’s not possible to target this (without using the memory leak flaw within the 2D rendering).
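The missing check, from the device author's side: a handler that validates a guest-supplied index before writing host state. This is an added example, not VMware's code or the SVGA3D command format; the 3-word command layout, `CMD_SET`, `NUM_STATES` and the sample queue are hypothetical, and it goes one step beyond the notes by contrasting an upper-bound-only check on a signed index (which still admits negatives) with a full range check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_STATES 16   /* hypothetical table size */
#define CMD_SET    1u   /* hypothetical command id */

struct device { uint32_t state[NUM_STATES]; unsigned rejected; };

/* Upper-bound-only check on a signed index: -4 < 16, so negatives pass. */
int index_ok_weak(int32_t idx) { return idx < NUM_STATES; }

/* Both ends of the range are checked before any write. */
int index_ok_strict(int32_t idx) { return idx >= 0 && idx < NUM_STATES; }

/* Drain a guest-written queue of 3-word commands {id, index, value}.
 * Returns how many were applied; anything else is counted as rejected. */
size_t drain_fifo(struct device *d, const uint32_t *fifo, size_t words)
{
    size_t applied = 0;
    for (size_t i = 0; i + 3 <= words; i += 3) {
        int32_t idx = (int32_t)fifo[i + 1];      /* guest-controlled */
        if (fifo[i] != CMD_SET || !index_ok_strict(idx)) {
            d->rejected++;
            continue;
        }
        d->state[idx] = fifo[i + 2];
        applied++;
    }
    return applied;
}

/* Constructed queue: one valid SET, one negative index, one past the end. */
static const uint32_t sample_fifo[] = {
    CMD_SET, 3,            0xAAu,
    CMD_SET, (uint32_t)-4, 0xBBu,
    CMD_SET, NUM_STATES,   0xCCu,
};

int main(void)
{
    struct device d = {{0}, 0};
    size_t n = drain_fifo(&d, sample_fifo, sizeof sample_fifo / sizeof sample_fifo[0]);
    printf("applied=%zu rejected=%u weak(-4)=%d strict(-4)=%d\n",
           n, d.rejected, index_ok_weak(-4), index_ok_strict(-4));
    return 0;
}
```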
Requires Admin rights on the VM (guest) in order to use the information stored in the framebuffer in the desired way (i.e. to add a driver to the system to permit reading of this memory).
ASLR is defeated as all the memory addresses required are leaked by the host into the guest using the framebuffer as a transport mechanism. Bypassing NX is however another issue.
MOSDEF (built into CANVAS) was used as the final exploit. In order to tunnel the shell it needed to be tunnelled over the framebuffer (MOSDEF over BMP). By scanning the video card memory for a signature it was possible to extract and parse the data.
- VMware isn’t an additional security layer
- Silent patching in 2009 is ridiculous
- Given memory bug primitives everything can be defeated
- If a feature isn’t used in an area of your product, or is disabled, it shouldn’t be loaded regardless
[Mobile] Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone
iPhone 2.x architecture
Security Architecture Overview
- Reduced attack surface
- Stripped down OS
- Code signing
- Randomization (or lack thereof)
- Memory protections
Due to the memory protections it’s not possible to do something like placing shellcode into the heap and then executing it. Uploading applications and running them is not possible because all applications must be signed before they can be run.
iPhone version 2.x made things harder to exploit. Version 3.0 is even tougher than version 2.x
Beep and vibrate (second ever iPhone payload) –> demonstrated on an iPhone 2.2.1 set up for development, however would also work on a stock iPhone 3.0
Ability to set the Rx registers using a return-to-libc style attack –> demonstrated on an iPhone 2.2.1 set up for development
Tricking the iPhone to run unsigned code by patching the shared library on the fly –> demonstrated on an iPhone 2.2.1 set up for development
In order to run code it’s only possible to map the injected library on top of an existing library.
Harder to run Meterpreter on iPhone than on Mac OSX due to the restrictions.
Now that you can insert directly and run it on the remote device it’s possible to interact with things like GPS, listening device, and anything else on the phone using C/C++.
Macterpreter — Porting from Mac OSX to iPhone is almost just a recompile. Some limitations exist (monolithic, runs in own process, can’t exec other processes). Shellcode for the iPhone was set up using the same exploit as used above.
Final demo of Macterpreter –> iPhone 2.2.1 (not jailbroken/development). Setup for exploitation using a vulnerable program
Within the macterpreter it’s possible to send SMS, make phonecalls, or make the phone vibrate. It’s also possible to pivot through the session.
Due to the release of firmware 3.0 between the talk being submitted and presented there were a few new things to consider.
Version 3.0 currently prevents Meterpreter from running on factory phones. However, it’s currently possible to get the code running on developer versions of the phone or jailbroken phones. “They patched our bug, those bastards!” get-task-allow has been set to false, which prevents this method of exploitation.
Differences between 2.x and 3.x
- XN is not really enforced
- get-task-allow can’t “act like a debugger”
- ptrace() plays a key role
Currently the exploit code when executed on a 3.0 phone is killed as soon as it’s run. A new trick is needed. Still no ASLR, so return-to-libc style attacks are still possible.
Well that’s it for Blackhat, hope you’re liking the write-ups. If so leave a comment and let me know.
It’s been great so far. Next stop Defcon (and some parties)