Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


Shmoocon round-up

It’s been a whirlwind since I got back from DC… with work, private stuff and the odd SAP presentation. Still, Shmoocon remains fresh in my mind.

After a shaky start (whoops, my plane’s been cancelled), I finally got to DC with a short detour through New York and the usual run around from Delta airlines. Their staff are so nice, it’s almost like they’re family. You know, the ones you hate and fight with all the time… that kind of family 😛

Anyway, I managed to knock out a few blogposts from Shmoocon that might be interesting. I also finally got around to donating some money to Hackers for Charity, which I’ve had in my mind for a while now. It was good to say hi to Johnny even if he was distracted and rather rushed. Still, he’s doing good things, and after his presentation I’m more behind him and his cause than ever.

I have to say a special thanks to the InGuardians crew for including me in their big company night out. I’ve never been so well treated before, and it’s an experience I’ll hold with me for a long while to come. I hope to repay the favour if and when they visit Europe!

If you didn’t see the previous blogposts, here’s a short breakdown of the talks I covered:

There was a big focus on mobile vulnerabilities this year, along with a few printer talks, which took me by surprise to be honest. Printer vulns have been talked about a lot before, and I wasn’t expecting a resurgence. Still, some interesting information for penetration testers if you care to look 😉

Despite the issues I’ve had getting to and from Shmoocon in 2010 and this year, I’ll be there next year… I just can’t drag myself away that easily 😉

Shmoocon 2011: URL Enlargement: Is it for you?

URL Enlargement: Is it for You?

Daniel Crowley

What’s behind short URLs?

  • Are short URLs really being used for bad things?
  • Do URLs contain sensitive information?
  • Can you get short URLs removed?
  • What are the possible solutions?

Underlying issues

  • Easily guessable URLs
  • Storage of sensitive data in URLs
  • Authentication based on knowledge of the URL

URL Shorteners: The why, where and how!

Many exist (see urlshortener.org for a full list)

Very easy to make (lots of plugins available)


Specialized shorteners

  • go.usa.gov
    • Restricted to .gov and .mil
      • Must have a valid .gov/.mil email address to set up
      • Restricted to .gov/.mil sites
  • bieber.ly
    • Puts Bieber’s face on every shortened page
  • vb.ly
    • Sex shortener… it’s for PORN!
  • doz.me
    • Embeds landing site in an iFrame and launches a DoS attack against another site

Why shorten?

Users

  • Sharing links on the internet
  • Share link orally

Attackers

  • Obfuscation
  • Filter bypass (hiding direct IP links)
  • Social Engineering
  • Parasitic data storage

URL Shortening algorithms

Hash-based

  • Hash each URL to produce shortened version
  • Only one short URL per long URL
  • Risk of collisions

Incremental

  • Generate shortened URLs sequentially
  • One URL can be stored multiple times
  • No collisions

Interesting attack possibilities

Hash-based

  • URL poisoning through collisions
    • Figure out hashing algorithm
    • Shorten URL containing lots of junk padding
    • Depending on the shortener, the new URL may replace the existing one

Incremental

  • Date tracking
    • Create URL every 24 hours
    • Determine when target URLs were shortened
    • Extract URLs for time period

Character Set

  • Base62
  • Very easy to guess

Security Shortcomings

  • Cannot predict Referer header
  • Cannot predict the accessing IP address
  • URLs are predictable
    • Small keyspace
    • Some services let you choose your own URL

The Attack: URL Harvesting

Determine character set and URI length for targeted shortener

Determine case sensitivity by modifying an existing URL

All shorteners tested use Location header redirects (so HEAD requests are enough to resolve them)

Create URLs to harvest

Profit

Examples:

Photobucket –> Security based on knowing the link

Google Docs –> Knowing the shared link gives access to the shared data

Protocol Handlers

URL shorteners don’t just shorten website addresses

  • mailto:
  • ftp:
  • file:
  • ed2k:
  • magnet:
  • javascript:
  • webcal:
  • irc:
  • iOS app IPC
    • Many iPhone apps define their own handlers

Parasitic Storage

  • Base64 encode your file
  • Split it into chunks
  • Optionally, encrypt each chunk
  • “shorten” each chunk as a URL
  • Retrieve it later in chunk form
  • Decrypt, combine

Each chunk can be 256Kb or larger

Tools like TinyDisk offer an automated way to achieve this.

In-URL Authentication

  • http://user:pass@example.com
  • Session Identifiers in the URL
  • Auth in GET variables
  • Authentication through knowledge of URL
    • Scribd
    • Facebook
    • Imageshack
    • Photobucket
    • Google Docs

Lonely people sometimes talk to URL shorteners

People type the strangest things into the “short this” box!

Vulnerabilities

Everyone seems to like putting XSS attacks in TinyURLs

CSRF seems pretty popular too

  • Qaboss.com was recently hacked
  • Somewhere in TinyURL there’s still an XSS/CSRF attack…

Find 0-Day vulns

  • Search through your gathered list of URLs for SQL statements, File Includes, …

Spam

  • The biggest use of shorteners appears to be spam
  • Multiple TinyUrls pointing to the same spam site
    • Helps disguise things
    • Original TinyURL address appears in the Referer header

Multiple Shortenings

Shortening a TinyUrl with TinyUrl?

Clearly it’s not the length of the URL that people are worried about here

Attempts to use multiple redirections to frustrate analysis

Interesting target for analysis?

So what can we do?

Can I have my URL taken down?

  • Not easily
    • Unless it’s malicious, defamatory, or breaks the ToS
  • URL shorteners want to keep links intact

How can shorteners be more secure?

  • URL Harvesting
    • Password protected URLs (Trick.ly!)
    • Throttling
    • Temporary lockout on brute-force attempts
      • Especially for non-existent URLs
  • Parasitic Storage
    • No good answer
  • Multiple Shortenings
    • Disallow known shortened links
  • Attacks
    • Filter out common XSS artifacts
    • Compare URLs to list of known badware (some already do)

How can we protect ourselves?

  • Stop shortening sensitive URLs
  • Stop putting sensitive data into URLs
  • Check shortened URLs before accessing them (longurlplease)

Fun Facts

Your chance of finding X behind a short URL

  • Rick Astley: 1 in 12342
  • Goatse: 1 in 10872
  • An EXE file: 1 in 454
  • Audio file: 1 in 290
  • Images: 1 in 47

Most shortened domains

  • Twitter.com
  • Runner-up: YouTube.com

Links:

Shmoocon 2011: Defeating mTANs for profit

Defeating mTANs for profit

Axelle Apvrille and Kyle Yang


Zeus In The Mobile –> ZITMO

Malware for Symbian OS > 9.0

Intercepts mTANs (one-time passwords sent over SMS)

Targeting Spanish online banks

Propagated on PC by Zeus botnet

First case seen of organized criminals exploiting mobile TANs


Zeus (AKA Zbot)

It’s a crimeware kit and not a single botnet (there are several)

Designed to steal banking credentials

Zitmo in a nutshell

Once Zeus has infected a PC and the user initiates a transaction, Zeus detects the mobile number and attempts to propagate to the mobile device by sending the end user an SMS prompting them to download a new certificate. Once this is installed, the attacker can transfer the money at any time, as the attacker has access to the online login information (stolen by Zeus through keylogging) and the mTAN for the transaction (stolen through Zitmo). The end user never receives the SMS, because Zitmo intercepts it.

This means attackers can do the transfer at any point they wish without any user interaction.

Analysis of the Zitmo malware showed that the program shares a lot of similarities with Russian software called SMS Monitor, which offers many of the same functions but is marketed as a parental control and security audit tool.

However, some of the code from SMS Monitor was published in Russian magazines. Maybe the code was stolen?

Reverse Engineering Zitmo

Three actors –> Victim, Administrator (bad guy) and Others (e.g. bank, friends, …)

Two separate processes –> INIT and SMS Processing Engine

Daemon listens for incoming SMS requests and checks them to see if they need to be processed (commands, mTANs, etc…) or forwarded to the phone’s inbox.

Due to the way Symbian works it’s not possible to hook directly into the “Listen to all SMS” function (in use by the phone). However it is possible to hook into the “Listen to all SMS containing the following”. By setting this to IfNotNULL, they can bypass the restriction of listening to ALL SMS messages.

Zitmo doesn’t block all SMS messages, but inspects every incoming message for actions to take. Blocking all SMS messages would make the user suspicious.

Zitmo Commands

  • ON / OFF (disable Zitmo)
  • SET ADMIN xx
  • ADD SENDER xx, xx / ALL
  • REM SENDER xx, xx / ALL
  • SET SENDER xx
  • BLOCK ON / OFF (block incoming calls)

Spoof administrator

Protocol flaw: Anybody can claim to be the administrator!

How to 0wn the adm1n :

  1. Method 1: Send SET ADMIN command by SMS to the phone
  2. Method 2: Craft a new settings file

By using remote debugging on Symbian it’s easy to step through the process used to handle commands as they come in from the lab administrator phone.
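An added example, not code from the talk or from Fortinet: a small SMS filter that flags inbound messages matching the Zitmo command set listed above, the kind of check a handset-side or carrier-side anti-fraud filter could apply. The notes do not give the exact syntax the malware accepts, so the regex grammar, the number format and the sample inbox are this example's assumptions; because the protocol authenticates nobody, the filter deliberately ignores who the sender is.

```python
import re

# Command grammar taken from the talk's list of Zitmo commands; the exact syntax the
# malware accepts (case, separators, number format) is an assumption of this example.
NUMBER = r"\+?\d+"
COMMAND_PATTERNS = [
    ("ON_OFF",     re.compile(r"^(ON|OFF)$")),
    ("SET_ADMIN",  re.compile(rf"^SET ADMIN ({NUMBER})$")),
    ("ADD_SENDER", re.compile(rf"^ADD SENDER (ALL|{NUMBER}(?:, ?{NUMBER})*)$")),
    ("REM_SENDER", re.compile(rf"^REM SENDER (ALL|{NUMBER}(?:, ?{NUMBER})*)$")),
    ("SET_SENDER", re.compile(rf"^SET SENDER ({NUMBER})$")),
    ("BLOCK",      re.compile(r"^BLOCK (ON|OFF)$")),
]

def classify_sms(body):
    """Return (command, argument) if the SMS body is a Zitmo-style C2 command, else None."""
    text = " ".join(body.split()).upper()      # normalise whitespace and case
    for name, pattern in COMMAND_PATTERNS:
        m = pattern.match(text)
        if m:
            return name, m.group(1)
    return None

def scan_inbox(messages):
    """messages: list of (sender, body). Returns (sender, command, argument) for every hit.
    No sender check is possible: the protocol authenticates nobody, so any matching
    body counts, whoever sent it (the 'spoof administrator' flaw)."""
    hits = []
    for sender, body in messages:
        result = classify_sms(body)
        if result:
            hits.append((sender, result[0], result[1]))
    return hits

# Constructed sample inbox: a real mTAN, chatter, and three C2 commands from one number
SAMPLE_INBOX = [
    ("+34600000001", "Your mTAN for transfer 3421 is 918273"),
    ("+34699999999", "set admin +34699999999"),
    ("+34600000002", "see you at 8?"),
    ("+34699999999", "ADD SENDER +34900000001, +34900000002"),
    ("+34699999999", "BLOCK ON"),
]
```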

Zitmo’s Hidden debug window

Zitmo was secretly writing to a hidden debug window

By putting in a breakpoint on the hide function and altering it to visible, it was possible to view the hidden debug window and watch status information change when receiving commands.

Conclusions

Very difficult to spot due to the lack of symptoms

One possible detection trigger is that the application was delivered as a .sis/.sisx application and not as a certificate (as advertised)

It also shows in the installed applications list

Zitmo is signed by Symbian, therefore accepted by the phone –> Express Signed

This is not uncommon, however: multiple malware samples have been signed by abusing this process

Links:

  • Shmoocon Schedule –> HERE
  • Talk Synopsis –> HERE
  • Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated – Fortinet Blog
  • Fortinet

Shmoocon 2011: Printers gone wild!

Printers Gone Wild!

Ben Smith

Printers are everywhere… they are ubiquitous!

Everybody seems to ignore them. They get plugged in, and just work!

HP Basics

Listens on tcp/9100

Admin page on 80/443

Many have hard disks!

HP printers have 3 passwords

  • Web admin
  • Telnet (same as the web admin)
  • PJLPassword

PJLPassword can be used to lock out the console, make disks read-only, etc…

PJLPassword is weak… no brute-force protections

PJL is unauthenticated and widely supported; it’s going away, but will be here for a while.

SNMP can be disabled through the web admin, but printers will still answer specially encoded SNMP requests sent over port 9100 (via PJL)

Google search “PJL DMINFO ASCIIHEX” for more info

Overview

PJL (Printer Job Language)

Sets up printer for jobs

Created by HP, used in many other devices

Really old!

Fun PJL commands

  • FSUPLOAD (not an upload)
  • FSDOWNLOAD (not a download)
  • FSDIRLIST
  • FSDELETE
  • RDYMESSAGE
  • DMINFO ASCIIHEX
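An added example, not code from the talk or from the printFS/pyPJL tools: a classifier for raw tcp/9100 captures that flags the PJL commands singled out above and counts password attempts in a session (the brute-force pattern described later under pyPJLpass), the sort of check a network sensor in front of the print VLAN could run. The captures are constructed, the @PJL JOB PASSWORD= form and the risk categories are this example's assumptions, and the ASCIIHEX payload is a placeholder rather than a real SNMP message.

```python
import re

UEL = b"\x1b%-12345X"                      # Universal Exit Language, brackets a PJL session
CMD_RE = re.compile(rb"@PJL\s+([A-Z]+)(.*)")

# Commands the talk singles out, mapped to what they let a remote party do (example's own)
RISK = {
    "FSUPLOAD": "filesystem-read", "FSDIRLIST": "filesystem-read",
    "FSDOWNLOAD": "filesystem-write", "FSDELETE": "filesystem-write",
    "RDYMESSAGE": "console-message",
}

def parse_pjl(stream):
    """Split a raw tcp/9100 capture into (command, args) pairs, ignoring non-PJL job data."""
    cmds = []
    for segment in stream.split(UEL):
        for line in segment.split(b"\n"):
            m = CMD_RE.match(line.strip())
            if m:
                cmds.append((m.group(1).decode(), m.group(2).decode(errors="replace").strip()))
    return cmds

def assess(stream, password_threshold=20):
    """Return (sorted findings, password attempts) for one captured session."""
    findings, password_tries = set(), 0
    for cmd, args in parse_pjl(stream):
        if cmd in RISK:
            findings.add(RISK[cmd])
        if cmd == "DMINFO" and "ASCIIHEX" in args.upper():
            findings.add("snmp-over-pjl")      # SNMP tunnelled through PJL, past the web-admin switch
        if "PASSWORD" in args.upper():        # assumes the @PJL JOB PASSWORD=n form
            password_tries += 1
    if password_tries >= password_threshold:   # many tries in one session: the brute-force signature
        findings.add("password-brute-force")
    return sorted(findings), password_tries

# Constructed captures: a covert-storage style session and a password brute-force run
SAMPLE_SESSION = (
    UEL + b"@PJL INFO ID\r\n"
    + b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=65535\r\n'
    + b'@PJL FSUPLOAD NAME="0:\\store\\a1b2c3.dat" OFFSET=0 SIZE=4096\r\n'
    + b'@PJL RDYMESSAGE DISPLAY="OUT OF TONER"\r\n'
    + b'@PJL DMINFO ASCIIHEX="30210201000"\r\n' + UEL
)
BRUTE_FORCE_SESSION = b"".join(UEL + b"@PJL JOB PASSWORD=%d\r\n" % n for n in range(25))
```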

There’s been lots of research before (Hijetter etc…)

Bringing that into the modern environment with printFS

printFS

Python tool for covert file systems using HP printers

Distributes files over multiple printers

Uses the printer RAM disks or physical disks

Works on any supported printer via network or the internet!

All stored files are compressed/encrypted and saved using random filenames

All files are stored twice with different names and keys to improve redundancy (files in RAM disk are lost on restart)

Supports a panic mode that remotely reboots every device in the file table to destroy the data

pfsScanner

Multithreaded scanner

Scans printers to see if necessary commands are supported to use printFS

Scans are randomized in the order that functions are run and the timing between them

Test upload files are random data and given random names

Entire scan peppered with random sleeps

pyPJL

Main support lib

Used by all tools

Implements most of the documented PJL commands

printJack

A support tool for doing nasty funny things

User interface to the PJL password cracker

Mass control panel lock/unlock

Mass RamDisk/Disk Lock/Unlock

Pass printing (toner is cheap!)

pyPJLpass

Support class for printjack

Brute-forces all possible password combinations in about 2 hours (single thread)

So now it’s threaded to check multiple printers… all communicate together until one valid password is found (password reuse)

Other fun stuff to do to PJL

  • Mass reboot loop
  • Mass connect to port 9100 and remain connected (blocking)
  • Animated LCD messages
  • SE LCD messages (please call xxxxx)
  • Mass disk lock
  • Mass printing
  • Mass control panel locking

Limitations

Can only upload files from the directory you are running printFS from

Known issue where some printers won’t respond to pfsScanner if they’re offline

To ensure that printers can still print when being scanned, dynamic class is used (generating huge traffic)

Code Release

Remote-exploit.org will receive it within the next week

Links:

  • Shmoocon Schedule –> HERE
  • Talk synopsis –> HERE
  • HP PML faq –> HERE