Archive for December 2011
4 Comments | Posted by Timo Schmid
In a .NET environment WCF services can use the proprietary WCF binary XML protocol described here. Microsoft uses this protocol to save some time parsing the transmitted XML data. If you have to (pen-) test such services, it would be nice to read (and modify) the communication between (for example) clients and servers. One possibility is Fiddler.
Fiddler’s strengths include its extensibility and its WCF binary plugins. Sadly, these plugins can only decode and display the binary content as XML text.
Our first tool of choice for webapp pentests (Burp Suite) has also a plugin feature, and one can also find plugins for decoding (and encoding XML back to) WCF binary streams. But all WCF binary plugins out there are based on the .NET library which means one either has to work on MS Windows or with Mono. Another disadvantage is the validation and auto-correction feature of such libraries… not very useful for penetration testing 😉
That’s why we decided to write a small python library according to Microsoft’s Open Specification which enables us to decode and encode WCF binary streams. The library has a rudimentary commandline interface for converting XML to WCF binary and vice versa, as well as a plugin for our python-to-Burp plugin (pyBurp).
One of our favorite tools for conducting penetration tests (especially, but not only, web application tests) is Portswiggers’s Burp Suite. Burp allows to extend its features by writing own plugins. But because Burp is written in Java, it only supports Java classes as plugins. Additionally, Burp only allows to use one plugin at the same time which has to be loaded on start-up.
Now we have written a Burp-Python proxy (called pyBurp) which adds some features to the plugin system:
- write plugins in Python
- load and unload plugins at every time
- load multiple plugins
About two months ago the Bluetooth SIG renamed their latest standard, which was previously known as “Bluetooth v4.0”. When version numbers get higher and higher marketing likes to interfere and try something new. In this case: Bluetooth Smart.
Sounds smart, but is it?
Without getting into too much detail, let me quickly quote Wikipedia to get started:
“Cost-reduced single-mode chips, which enable highly integrated and compact devices, feature a lightweight Link Layer providing ultra-low power idle mode operation, simple device discovery, and reliable point-to-multipoint data transfer with advanced power-save and secure encrypted connections at the lowest possible cost.”
http://en.wikipedia.org/wiki/Bluetooth#Bluetooth_v4.0 (sounds more like a marketing text than a proper technical specification, but gives you a rough idea what you as an end-user can expect ;)).
So we’re talking about the usual stuff: Lower energy consumption combined with more functionality. Great!
Sounds smart, but is it safe?
With “Bluetooth Smart Ready” products just coming in it’s too early to tell. But one thing is for sure: 2012 will be the year where every major consumer product (smartphones, heart-rate straps or even simple clocks) will be equipped with it. Oh, and guess what… a new wireless standard doesn’t just come along with a new shiny gadget. Obviously you need an app for that. How about tracking your heart beat? Personally I’m looking forward for the first Bluetooth Smart Ready cardiac pacemaker…
And back to security: Either you trust the Bluetooth committee which states “Bluetooth technology is an industry leader when it comes to wireless data security.”, OR you ask somebody who would tell you the plain truth (given there is one): Michael Ossmann.
We did the latter and invited Michael to talk at TROOPERS12. He is a wireless security experts who also makes hardware tools to progress with his research. In early 2011 he successfully crowd-funded his latest gadget: Ubertooth One. A very capable Bluetooth monitoring device.
We’re looking forward to mid March where we all meet to discuss things in more depth at TROOPERS12. Until then keep yourself up-to-date and have a look into Michael’s latest blog entry: Bluetooth for Bad Guys
Have a wonderful Christmas time,
PS: Drop us a comment, when you find some “Bluetooth Smart Ready” labels under your Christmas tree 😉
During one of our pentests in some corporate environment we were to analyze an application-server called Liferay. Liferay comes with a lot of functionalities, runs on top of Apache Tomcat and includes a nice API that makes it very easy to add components or further functionality that are not part of the core. These (potentially selfmade) “addons” are called “portlets” and they can be inserted in any place in the frontend.
We quickly found an active default-account (firstname.lastname@example.org : test) which immediately led to the question: how to get access on the system-layer through the account on the application. Because we were not aware of any portlet which provided the desired functionality, we decided to write it on our own and created a straight-forward portlet for system level command execution.
As mentioned above, Liferay offers an API for adding portlets to the core. This can be done by creating a standard war-file which contains java-classes, including the desired functionality and some – in this case – Liferay-specific xml-based configuration files. War files are often used to expand the functionality of java-servers (e.g. Tomcat can also be extended via war-files) – it just needs to contain the application-specific xml-files.
Our java-class includes a html-form consisting of an input-field and a button, which sends commands (via GET) to the server. On the server the input gets executed in a shell – a new java HTTP-Shell is born. After some adjustments regarding to the operating system and the java compiler (1) we had a GET-Parameter-based HTTP-Shell.
The following steps are necessary to deploy the shell portlet:
How to create the war-file?
3.) Execute create.bat / create.sh [Note: javac and jar must be installed in the PATH.]
4.) Have fun with the ShellPortlet.war
How to deploy the war-file?
1.) Login to your Liferay-System with a privileged user-account and open http://yourdomain.com/group/control_panel/manage
2.) You should find a category called “Server” on the left side in the navigation. Click “Install Plugin” and on the next site click “Install more plugins” followed by “Fileupload”
3.) Upload the war-file and use “tail -f $CATALINA_HOME/logs/catalina.out” or (on Windows) the Tomcat-console to observe the logs for any error/exception. When everything worked you’ll find an entry like “1 Portlet for ShellPortlet is available for use”
4.) Now go back to your mainpage via the link in the upper area “Back to Liferay”. Then click “Add” -> “More” and you will see all categories in which the portlets are sorted.
5.) If everything went right you will find a category named “Ownage” in this list. Click on it and drag&drop the shellportlet anywhere on your website.
6.) Have fun playing! 🙂
This shows – once again – that it’s not that hard to gain system-access over a (web-) application. Everyone who uses web-applications should secure the higher-privileged accounts by strong passwords or better deactivate them in case they are not needed. It also shows that – once again – comprehensive and reasonable hardening would have prevented the compromise of yet another system.
(1): The java-class must be compiled by the same compiler-version which the tomcat-server is using. (E.g.: If the tomcat uses jre1.6, the java-class in the war-file must be compiled by a javac which is out of the jdk1.6)
I just stumbled across this document recently published by the European Network and Information Security Agency (ENISA). It’s part of their smartphone security initiative which we’ve already mentioned in this post.
Here’s an excerpt from the introduction:
“This document was produced jointly with the OWASP mobile security project. It is also published as an ENISA deliverable in accordance with our work program 2011. It is written for developers of smartphone apps as a guide to developing secure apps. It may however also be of interest to project managers of smartphone development projects.
In writing the top 10 controls, we considered the top 10 most important risks for mobile users as described in (1) and (2). As a follow-up we are working on platform-specific guidance and code samples. We hope that these controls provide some simple rules to eliminate the most common vulnerabilities from your code.”
After having a first look at the document’s content I can, while not being a developer myself, state there’s a lot of valuable guidance in it. Which is particularly useful as our assessment experience shows that quite some things (examples to be discussed in this upcoming talk at Troopers) can go wrong as for application security on smartphones.
have a good one
today I’ll give a short preview of my newest tool, pytacle. It is simply a little helper program to control gnuradio/airprobe/kraken/some_other_tools, convert their input/output and to find a use able clear/cipher text combination to break A5/1. In the end it should record, crack and decode/play a gsm phone call with ~5 mouse clicks.
Take a look at this video:
The code is not available yet, as its not finished 😉 the recording and cracking part are working, but the decoding doesn’t. I need to put some more time into the code, but there isn’t much spare in that time of the year 😀
We’re delighted to provide the first announcement of talks of next year’s Troopers edition. Looks like it’s going to be a great event again 😉
Here we go:
Andreas Wiegenstein: Real SAP Backdoors
Abstract: In the past year the number of lecture sessions with traumatizing headlines about hacking SAP systems has dramatically risen. Their content, however, is usually the same. Insecure implementations of algorithms, side effects in commands, flawed business logic and designs that brilliantly miss the point of security. In essence, security defects built into the SAP framework by mistake.
This session, however, demonstrates several security defects in SAP NetWeaver that do not appear to have been created by mistake. In order to make a point, I will first discuss with the audience what exactly defines a backdoor. Then I will demonstrate several zero day security defects discovered by me & my team and finally discuss with the audience if these defects qualify as backdoors. All security defects shown are highly critical and have never been publically discussed before. They enable attackers to remotely execute arbitrary ABAP commands and arbitrary OS commands. In essence, full control over SAP NetWeaver Application Server ABAP.
Bio: Andreas Wiegenstein has been working as a professional SAP security consultant for 9 years. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. He leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications.
Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as BlackHat, HITB, Troopers and RSA. He is co-author of the first book on ABAP security (SAP Press 2009). He is also a founding member of BIZEC.org, the Business Security community.
Mike Ossmann: Welcome to Bluetooth Smart
Abstract: Bluetooth Smart, formerly known as Bluetooth Low Energy, is an entirely new wireless protocol that is not backward compatible with “classic” Bluetooth. With consumer devices emerging in early 2012, this is the perfect time to review Bluetooth Smart and how it works. Packet captures from actual devices will be dissected, and particular attention will be given to the new security procedures specified for Bluetooth Smart. Depending on what devices are commercially available by the time of the conference, I may or may not have a live demo prepared with actual consumer devices. At the very least, I will be able to do a demo using development boards as targets.
Bio: Michael Ossmann is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.
Previous work includes:
ShmooCon 2011: Project Ubertooth: Building a Better Bluetooth Adapter
ToorCon 2010: Real Men Carry Pink Pagers (with Travis Goodspeed)
ShmooCon 2010: Bluetooth Keyboards: Who Owns Your Keystrokes?
ShmooCon 2009: Building an All-Channel Bluetooth Monitor (with Dominic Spill)
Black Hat USA 2008: Software Radio and the Future of Wireless Security
Daniel Mende & Enno Rey: Protecting Voice-over-IP in 2012
Abstract: We’ve recently conducted a number of pentests in (mostly large) VoIP environments. While the fraction of “traditional VoIP attacks” (re-direct/sniff VoIP traffic, reconstruct VoIP calls) has decreased over time, we’ve been able to severely compromise pretty much every environment due to implementation flaws on the infrastructure or “supporting systems” level. Based on a number of warstories, in this talk we will lay out what went wrong in the respective cases and how to protect from the (types of) attacks we performed. Some demos will add spice to the talk. Furthermore a number of previously undisclosed severe vulnerabilities in the crypto architecture of a major vendor’s VoIP solution will be presented.
Bios: Daniel and Enno are long time network geeks who love to explore network devices & protocols and to break flawed ones.
Graeme Neilson: DISCQO: “Discourse on Implications for Security and Cryptography from Quantum Oddness”
Abstract: Quantum computing is a fascinating, emerging technology with a potentially huge impact on security. This talk introduces the principles of quantum computing and the current state of the art. This is followed by a discussion on the uses of quantum based computer systems within security, the potential implications for cryptography, now and in the future, and the possibility of hacking current quantum based cryptography systems.
What is quantum computing?
What is quantum key exchange?
Can quantum key exchange be hacked?
Will a quantum computer be able to decrypt all my encrypted data?
Do I need a quantum computer?
Do quantum computers even exist?
What are the implications of quantum computing on my current cryptography?
Bio: Graeme Neilson is NOT a quantum physicist or any other kind of physicist…not in this universe anyway…
Still, he does think it’s probable that he can help illuminate the subject of quantum computing for other non-physicists in IT. With over 14 years of experience in IT security Graeme currently works as a security researcher / consultant for Aura Information Security with specialisations in cryptography, reverse engineering and networking. Based out of New Zealand he is a regular speaker at international conferences including Blackhat, H2HC, CanSecWest, DayCon and Troopers.
Pete Herzog: Securing Robot Mosquitoes with Laser Beams for Eyes in the Enterprise
Abstract: One day employees start bringing robot mosquitoes into the office. They have robot mosquitoes at home and just they’re so damn useful for checking mail, making appointments, singing naptime songs, and spying over the neighbor’s fence. So why wouldn’t they? Your security policy doesn’t expressly forbid robot mosquitoes with laser beams for eyes or anything like it so here they are: riding the internal WiFi, carrying who knows what diseases and parasites from public, cyber ponds, melting the plastic plants, boiling the water cooler, and causing all sorts of other disruptions. Before you can ban them though you see that the CEO starts to bring his robot mosquito with laser beams for eyes in too. And he wants you not only support it but to make sure it doesn’t get hacked. Sounds familiar, right?
There will always be new technologies. Many of those new technologies pose new risks, perhaps even risks we hadn’t considered as risky to us before. So someone has to secure those new technologies. But how do we secure something we know so little about? Well, there’s a methodology for that. This talk will cover how to test new technologies, how to create the right policy for them, and how to control them, including robot mosquitoes with laser beams for eyes.
Bio: Pete Herzog is the Managing Director of the security research organization ISECOM and the creator of the OSSTMM.
Chema Alonso: Excel (and Office apps) Kills the Citrix (or Terminal Services) Star
Abstract: Microsoft Office (and Excel) are common applications in big companies and in a big amount of cases they are published through Terminal Services or Citrix. However, securing that environment against malicious users is very complicated. In this talk you’ll see a lot of demos hacking Citrix and Terminal Services using Excel… and maybe you’ll be scared after having seen this session.
Bio: Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds respective Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politecnica de Madrid. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide including BlackHat Briefings, Defcon, ShmooCon, HackCON, Ekoparty and RootedCon. He is a frequent contributor on several technical magazines in Spain, where he is involved with state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the meta-data extraction tool which he co-authors.
Rene Graf & Enno Rey: BYOD – Does it work?
Abstract: In many organizations “Bring Your Own Device” (BYOD) approaches are either subject to intensive discussion or are already practiced (with or without “proper governance”). Usually two security controls are of particular interest in BYOD scenarios, that are container solutions and acceptable use policies (AUPs).
The speakers have contributed to BYOD “implementations” in several environments and – based on actual case studies – are going to discuss three main aspects in their talk:
– What’s the role of the supply chain of a device, in BYOD settings? Is it possible to securely process – e.g. by means of a container solution – sensitive data on a device that was acquired on ebay or that the VIP using it received “as a present during an industry fair in an emerging market country”?
– What level of security is actually provided by container solutions? Do they sufficiently secure data (incl. temporary data) and which user behavior might be required for this?
– When are good AUPs needed and which elements should be included in those?
The goal of the talk is to enable the audience to realistically assess the security approaches and risks in BYOD scenarios.
Bios: Rene Graf leads the “Mobile Security” team at ERNW and has performed a number of BYOD projects including pentests of container solutions and forensic analyses of devices used by CxOs. Enno Rey leads the “Risk and Security Management” team at ERNW and has undertaken the risk assessments in several BYOD projects and written the accompanying AUPs.
More talks to follow next week, so stay tuned 😉
See you @Troopers, have a great sunday everybody