Free OWASP membership

Posted on April 12, 2012 by floyd

Timeline:

Beginning of 10.2011: OWASP was informed (including details) that the OWASP membership registration has a logic flaw (“please inform vendor”).
Beginning of 10.2011: Response from OWASP, vendor can not reproduce problem. Sent more details.
Beginning of 10.2011: Response from OWASP, vendor still can’t reproduce problem. Sent video below.
19.10.2011: Bug report opened.
15.02.2012: Checked back and asked OWASP if problem is resolved.
26.02.2012: They don’t know. Checked flaw again, it still exists. Advised OWASP to get in touch with one of the organisation’s security expert to handle the issue (no response from OWASP).
30.03.2012: Checked flaw again, it still exists. Informed OWASP and vendor directly that the video will be released in two weeks if it doesn’t get fixed.
30.03.2012: Response from OWASP, they would find a solution until end of April. Agreed to wait until end of April.
04.04.2012: Response from vendor, it’s fixed.

In my opinion half a year is long enough. Putting on some more pressure (regarding the release of the video) worked very well. I felt like I owe it to all the paying OWASP members.

Enough words, enjoy the video: http://www.floyd.ch/download/free-owasp-membership.mov

PostFinance Digipass 810

Posted on March 30, 2012 by floyd

Here in Switzerland, PostFinance (the bank of the national mail company) uses a small, yellow card reader for the two-factor authentication (I don’t want to talk about how good this two-factor authentication is, but errrr). Because I don’t need my device anymore I decided to poke around a little bit. First of all, it’s really nice that they tell you from the beginning which type of card reader it is (sticker on the back):

Digipass 810
MADE IN CHINA
WWW.VASCO.COM
US PATENTS: 4.599489 and 4.609777

Easy start. If you look Digipass 810 up, you’ll see that it is compliant to something called “Europay-Mastercard-Visa Chip Authentication Program Enhancements”. A card which has no chip at all, will get you the error message “Falsche Karte” (“wrong card” in German). It doesn’t like my debit cards either (which have chips on them), it displays different error messages: “Karte Ungültig” (“invalid card”) and “card error”. So I simply tried my credit cards and both (Visa and Mastercard) did work. The reader prompts for a code/challenge, I just entered 1234 and it asked for my PIN. Interestingly it will only accept the correct PIN which was set for the credit card and will then output some TAN. A wrong PIN will result in an error message. Funny!

So a malicious person who wants to try out the PINs for your credit card, but doesn’t want to risk to be recorded by a security camera at the ATM can use a Digipass 810 instead.

TODO (i still need my credit card):
- Check if you really only have 3 tries
- Check if card is really locked (e.g. in store or at an ATM) after 3 tries
- Of course there is much more card stuff out there, eg. a presentation at PHNeutral 2011

Microsoft .NET: Circumventing XSS request validation

Posted on February 22, 2012 by floyd

Ha – I’m back!

I guess most of you know how annoying it is to start a Web Pentest and notice that the request validation of Microsoft IIS / .NET is on. I mean the big red error messages “A potentially dangerous request…” or for the .NET programmers, the HttpRequestValidationException. I nearly always found a way around it. There is a really nice post on stackoverflow about which kind of characters will trigger the exception. But for the lazy ones a list of unallowed strings I figured out myself a while ago:

&#
</
<?
<!
<a to <z
<A to <Z

Firstly, you can just not use the < and & character. Just find a place where you are already inside a tag and write something like

" onmouseover="alert(123)" alt="

Second of all, a string that is allowed and I claim to be the first one who found it (I'm sure I was just not able to find someone else who did it before, let me know!):

<%#

Yeah, wow, I know. It's not really that impressive and you can't construct a working XSS with it, but you can use it to break the HTML code (at least in Internet Explorer). But nice anyway.

Additionally, you can send your XSS payload in any of the HTTP Headers to .NET and it won't be checked. Or if there is a Web Service which does the same as the Web Application, just send a SOAP request with the XSS string (no HttpRequestValidationException there).

Of course there are always different encodings that could work. For example you could try HTML (<) and Unicode (\u003c).

Enjoy!

Officially untrusted

Posted on December 10, 2011 by floyd

I’m very proud to anounce that my site is now officially hacker untrusted! It was a lot of work to get the certification and the certification process was very expensive. We cultivated value-added interfaces, orchestrated bleeding-edge ROI and iterated cross-platform partnerships. But finally we’re done. In the end it I know it will pay out. As a proof I’m proud to feature the official Hacker Untrusted logo in this blog post, which I received by myself and was approved by myself:

I hope I’ll be as successful with my new logo as the other guys here (read it and lol).

How to store credentials on Android

Posted on November 17, 2011 by floyd

There is a lot of discussion going on how to store credentials on the Android platform. What I’m going to discuss is focused on the Android platform, but you’ll notice that most of the things can be applied to all mobile plattforms. There are some differences, e.g. that you should use the much more evolved secure keystore of the iOS. There will be a keychain in Android 4.0. But of course you can screw up the secure storage on all platforms or even examples of the vendor show you how to screw up.

Before you start storing credentials the most important question is:

Do I really want to store that data and why?

Before you simply answer “yes”, consider the following:

Do you want to authenticate the user inside the app to check if he is allowed to access the app and other data?

Then use a secure cryptographic hash function (e.g. SHA-2). Use a salt which is long enough and randomly generated on the fly. You can store the salt in plain along with the generated hash. Use multiple hashing rounds (e.g. 10’000).
Don’t forget to check in every Activity that the user is already authenticated, because Activities can be invoked directly.

Do you want to authenticate the user against a server?

Before I go back to how you should store the credentials: Please use a secure channel to the server. One possibility is to use SSL (e.g. a HTTPS connection), but make sure you check the server certificate. Another possibility is to include a public key and have the corresponding private key on the server (actually I like this version even better, because you don’t have to trust hackable CA root companies).
Change the server side. Talk to your customer if you are developing an app for someone else, it’s not a big deal to change something on the server side. Try to store a session token instead of the password. Even increasing the expiry time for sessions is better than storing passwords on the client. Only increase it if the request is coming from the Android app, but not for all clients (like standard browser authentication).
If your really can’t change the server side and you can not use a token, you have a problem. Whatever you are doing from now, you have to store the password in reversable form, but the client isn’t a good option for that. Attackers equipped with root exploits and reverse engineering skills will always be able to get that password from somewhere (most of the time from the code or the filesystem). Consider that people often reuse passwords, which is a bad habit and if the password for your application is extracted, there might be other services that have to suffer from the laziness of the user.

There are several ways of how you could try to protect the credentials, but again, they’re all useless against a sophisticated attacker: E.g. encryption (key in the source code) and good obfuscation (some are just useless)
At least tell the user how the credentials are stored, why it could be a problem and what they can do to be protected (e.g. disable “remember password”).

Hashdays

Posted on November 3, 2011 by floyd

Last weekend I had a talk at #days in Lucerne about the Android topic again. Because the slides are nearly identical, I just provide the 0sec slides here. The conference was amazing, I really enjoyed it. Additionally I can really recommend the “Win32 Exploit Development Bootcamp” by Corelan, it’s one of the best courses I’ve ever attended.

0sec talk

Posted on October 29, 2011 by floyd

Two weeks ago I had a talk about “Reversing Android Apps – Hacking and cracking Android apps is easy” at 0sec. You can download the slides. The video on slide 6 (circumventing the Android lock screen with button mashing) is available here. If you’re interested in the topic, you should check out the other posts in the Android category.

Android Pentest Tools

Posted on October 13, 2011 by floyd

During my research for the Android platform and in some pentests I tried several things and used different techniques. This is kind of a summary post and I packed some of my tools together into one zip file. The contents are:

Importing Burp CA into the Android phone, which I already wrote a blog post about
Some Ubuntu bash scripts that can be used to compile statically linked ARM binaries for Android, which I already wrote a blog post about
Decompiling/Disassembling bash scripts that I used to disassemble/decompile 3’500 apps from the market, including the Apple Script for Mac to automate the JD-GUI decompilation
A simple Python script that can be used to install a list of apps on your Android mobile
A list of Google Market App IDs, one list with free apps, one list with apps that cost money
A bash script that creates the Metasploit ARM reverse TCP shell payload
GingerBreak2 and RageAgainstTheCage exploit but including Ubuntu bash ARM compilation scripts, that let you compile the binary on your own instead of using the shipped ARM binary (I only tested the RageAgainstTheCage exploit)
A list of interesting files on the Android filesystem, that serves as a starting point if you don’t know where to start. Having a rooted phone to access the entire filesystem and using a text editor (.xml and .conf files) and a sqlite db viewer (files ending on .db) you’ll find pretty interesting stuff.
A file with the Hidden Secret Codes I found on my HTC Desire and in some apps. Actually only two of the 3’500 apps I decompiled had secret codes: The Twicca Twitter client (dial *#*#459338#*#*) and Baidu, the chinese search engine app (*#*#22438#*#*)

You can download the zip file here. I didn’t want to make up my own Android tool project svn or anything like that, but if you have your own toolset (e.g. you’re the developer of one of the tools below), I’d be happy to give my scripts to your project. If you have any feedback, just let me know, I’m happy to discuss it.

Addtionally, I thought I’ll write down some project/tools I used or I want to look into in the future:

Androguard
Apkinspector (GUI combining apktool, dex2jar, a Java decompiler, byte code, etc.)
DED
androidAuditTools
Smartphonesdumbapps
Taintdroid (Privacy issues)
Android Forensic Toolkit
viaExtract (There’s a VMWare with viaExtract installed. Does standard Forensic for Android: calls, sms, etc. Needs USB debug on)

I might update this post once in a while

Cross-compiling bash for Android ARM

Posted on October 2, 2011 by floyd

Most Android mobiles are running on the ARM archtiecture. Therefore you have to use a special compiler for such binaries. The Android SDK built in adb shell has no auto completion, which is really a nightmare in my opinion. Therefore I was looking for a way to compile bash for Android. Altough a lot of tutorials tell you to download the CodeSourcery cross-compiling toolchain, they are not really necessary (at least if you do a static compile like I do here).

I wrote a script that compiles bash-4.0. Should work out-of-the-box in Ubuntu 11.04.

#!/bin/bash
#BASH source code from http://ftp.gnu.org/gnu/bash/
#Example for compiling bash on Ubuntu 11.04
#Warnings during the compilation process seem to be alright, errors would be bad
BASH_VERSION="bash-4.1"

echo "[INFO] Checking if packages installed"
dpkg --status autoconf | grep -q not-installed
if [ $? -eq 0 ]; then
    echo "[INFO] Apt-get installing autoconf, please provide sudo password"
    sudo apt-get install autoconf
else
    echo "[INFO] autoconf already installed, good"
fi
dpkg --status gcc-arm-linux-gnueabi | grep -q not-installed
if [ $? -eq 0 ]; then
    echo "[INFO] Apt-get installing gcc-arm-linux-gnueabi, please provide sudo password"
    sudo apt-get install gcc-arm-linux-gnueabi
else
    echo "[INFO] gcc-arm-linux-gnueabi already installed, good"
fi
echo "[INFO] Starting bash source code download"
wget http://ftp.gnu.org/gnu/bash/$BASH_VERSION.tar.gz
tar xvfz $BASH_VERSION.tar.gz
cd $BASH_VERSION
CC=`which arm-linux-gnueabi-gcc`
./configure --host=arm-linux-gnueabi --enable-static-link --without-bash-malloc
make clean
make
file bash | grep -q ARM
if [ ! $? -eq 0 ]; then
    echo "[ERROR] Looks like bash was incorrectly compiled with another compler than arm-linux-gnueabi-gcc"
    echo "[ERROR] The resulting bash binary will not run on ARM, therefore aborting!"
    exit
fi
arm-linux-gnueabi-strip -o bash-stripped -s bash
cp ./bash-stripped ../bash
cd ..
file bash
echo "[INFO] Your bash binary is finished (file 'bash' in current directory), happy autocompleting on ARM!"

By changing the variable BASH_VERSION to bash-4.1 you should be able to compile an even newer version. Bash-4.2 did not work for me.

Sending generic HTTP(S) requests in python

Posted on September 27, 2011 by floyd

During Web Application Penetration tests I always need to automate requests, e.g. for fuzzing. While most of the local proxy/testing softwares (Burp, WebScarab, w3af, etc.) include a repeater/fuzzer feature, I often want to do addtional computations in python (e.g. calculating a hash and sending it as a fuzzed value or comparing parts of the response). The following script will take an entire HTTP(S) request as a string, parse it and send it to the server. As I show with the POST parameter “fuzzableParam” in this example, values can easily be fuzzed.

def send_this_request(http_request_string, remove_headers=None):
    """
    Always HTTP/1.1
    """
    import urllib2
    if remove_headers is None:
        remove_headers=['content-length', 'accept-encoding', 'accept-charset',
        'accept-language', 'accept', 'keep-alive', 'connection', 'pragma',
        'cache-control']
    for i, remove_header in enumerate(remove_headers):
        remove_headers[i] = remove_header.lower()
    if '\n\n' in http_request_string:
        headers, body = http_request_string.split('\n\n',1)
    else:
        headers = http_request_string
        body = None
    headers = headers.split('\n')
    request_line = headers[0]
    headers = headers[1:]

    method, rest = request_line.split(" ", 1)
    url, protocol = rest.rsplit(" ", 1)

    merge_host_header_into_url = False
    if url.startswith("http"):
        merge_host_header_into_url = False
    elif url.startswith("/"):
        info("Warning: Defaulting to HTTP. Please write URL as https:// if you want SSL")
        merge_host_header_into_url = True
    else:
        fatalError("Protocol not supported. URL must start with http or /")

    header_tuples = []
    for header in headers:
        name, value = header.split(": ", 1)
        if merge_host_header_into_url and name.lower() == 'host':
            url = 'http://'+value+url
        if not name.lower() in remove_headers:
            header_tuples.append((name, value))

    opener = urllib2.build_opener()
    opener.addheaders = header_tuples
    urllib2.install_opener(opener)

    try:
        return urllib2.urlopen(url, body, 15).read()
    except urllib2.HTTPError, e:
        info('The server couldn\'t fulfill the request. Error code:', e.code)
    except urllib2.URLError, e:
        info("URLError:", e.reason)
    except Exception, e:
        error("DIDNT WORK:", e)

def info(*text):
    print "[PY-INFO] "+str(" ".join(str(i) for i in text))

def error(*text):
    print "[PY-ERROR] "+str(" ".join(str(i) for i in text))

request = '''POST http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Referer: http://example.com
Content-Length: 132
Cookie: test=somevalue; abc=123
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

id=123&fuzzableParam='''

additionalValue = "&anotherParam=abc"

for i in ['78', '-1']:
    print send_this_request(request+i+additionalValue)

floyd's

IT Security