{"id":912,"date":"2015-10-06T07:38:49","date_gmt":"2015-10-06T06:38:49","guid":{"rendered":"http:\/\/www.floyd.ch\/?p=912"},"modified":"2022-02-09T11:32:31","modified_gmt":"2022-02-09T10:32:31","slug":"what-ive-been-up-to-a-lot","status":"publish","type":"post","link":"https:\/\/www.floyd.ch\/?p=912","title":{"rendered":"What I&#8217;ve been up to: a lot"},"content":{"rendered":"<p>Hi there<\/p>\n<p>Yes, I know, you didn&#8217;t hear from me for quite a while (apart from the usual Twitter noise). But I wasn&#8217;t lazy! Actually I feel like I need to get rid of a lot of information. Here&#8217;s what I was up to in the last few months:<\/p>\n<ul>\n<li>Released the <a href=\"https:\/\/github.com\/floyd-fuh\/crass\" target=\"_blank\" rel=\"noopener\">code review audit script scanner (crass)<\/a> on github, which is basically a very much improved version of what I&#8217;ve talked about in <a href=\"https:\/\/www.floyd.ch\/?p=565\" target=\"_blank\" rel=\"noopener\">one of my blog posts about a grep script<\/a>. It is still heavy on the Android side, but supports a lot more now. Additionally, it has some other helpful scripts as well.<\/li>\n<li>For historical reasons I released some code about the <a href=\"https:\/\/github.com\/floyd-fuh\/mona-unicode-alignment\" target=\"_blank\" rel=\"noopener\">mona.py unicode buffer overflow feature on github<\/a>, which I also wrote <a href=\"https:\/\/www.floyd.ch\/?p=629\" target=\"_blank\" rel=\"noopener\">two<\/a> blog <a href=\"https:\/\/www.floyd.ch\/?p=795\" target=\"_blank\" rel=\"noopener\">posts<\/a> about in the past. By now the entire code is part of mona.py (which you should actually use). It&#8217;s on github if someone wants to refactor and understand my code (more comments, standalone version, etc.).<\/li>\n<li>I released a <a href=\"https:\/\/github.com\/floyd-fuh\/tiny-mitm-proxy\" target=\"_blank\" rel=\"noopener\">very simple SSL MITM proxy in a couple of lines of bash script on github<\/a>. 
To be honest, I was surprised myself that it really worked so nicely. It probably doesn&#8217;t work in all cases. I&#8217;m actually planning to write something on all the options pentesters have for SSL MITM-Proxies. There is also <a href=\"https:\/\/www.reddit.com\/r\/netsec\/comments\/3ighku\/a_really_really_tiny_ssl_mitm_proxy\/\" target=\"_blank\" rel=\"noopener\">a Reddit discussion<\/a> going on about it and I should definitely check those comments.<\/li>\n<li>I was teaching some very basic beginner classes in Python (and learned a lot while doing it). Some of my students are going to use IBM websphere and its wsadminlib, so I had a look at that code and it honestly shocked me a little. My code is sometimes messy too, but for an official script that&#8217;s just wow. As I&#8217;m not very familiar with IBM websphere apart from post exploitation, I don&#8217;t think I&#8217;m the right guy to fix the code (I don&#8217;t even have access to an IBM websphere server). <a href=\"https:\/\/github.com\/wsadminlib\/wsadminlib\/issues\/7\" target=\"_blank\" rel=\"noopener\">So I tried to be helpful on github<\/a>. Meh.<\/li>\n<li>I&#8217;ve analyzed how <a href=\"https:\/\/www.modzero.com\/modlog\/archives\/2015\/04\/01\/android_apps_in_sheeps_clothing\/index.html\" target=\"_blank\" rel=\"noopener\">Android can be exploited on the UI level<\/a> to break its sandbox, gave a talk about it at an event in Zurich (&#8220;Android apps in sheep&#8217;s clothing&#8221;). I developed an overlay proof of concept exploit (<a href=\"https:\/\/github.com\/floyd-fuh\/AndroidOverlayPoc\" target=\"_blank\" rel=\"noopener\">which is on github<\/a>). When I emailed back and forth with the Android security team about it they had lame excuses like &#8220;we check apps that are put on Google Play&#8221;. 
That&#8217;s why I put malware on the Google Play Store (edit: removed link as with time I wasn&#8217;t in the mood to accept the new fine print for malware in the Google Play store, but it used to be on https:\/\/play.google.com\/store\/apps\/details?id=ch.example.dancingpigs) and of course they didn&#8217;t detect it. But Google doesn&#8217;t seem to care; it&#8217;s still on there. We publicly wrote about it in April 2015; that&#8217;s 6 months at the moment. Nearly no downloads so far, but you get the point, right? Regarding whether the overlay issue is considered a bug, Android only acknowledged that &#8220;apps shouldn&#8217;t be able to detect which other app is in the foreground&#8221;. So when I sent them a link to a stackoverflow posting showing them that they failed at that in Android 5.0, they opened Android bug ANDROID-20034603. It ended up in the (finally!) newly introduced <a href=\"https:\/\/groups.google.com\/forum\/#!msg\/android-security-updates\/Ugvu3fi6RQM\/yzJvoTVrIQAJ\" target=\"_blank\" rel=\"noopener\">security bulletins (August 2015)<\/a>, referenced as &#8220;CVE-2015-3833: Mitigation bypass of restrictions on getRecentTasks()&#8221;. I didn&#8217;t get credited because I wasn&#8217;t the author of the stackoverflow posting. Whatever.<\/li>\n<li>I&#8217;ve released and updated my <a href=\"https:\/\/github.com\/floyd-fuh\/afl-crash-analyzer\" target=\"_blank\" rel=\"noopener\">AFL crash analyzer scripts (Python)<\/a> and <a href=\"https:\/\/github.com\/floyd-fuh\/afl-fuzzing-scripts\" target=\"_blank\" rel=\"noopener\">other AFL scripts (mostly bash)<\/a> on github.<\/li>\n<li>I have to be a bit more realistic about the heap buffer overflow exploits <a href=\"https:\/\/www.floyd.ch\/?p=865\" target=\"_blank\" rel=\"noopener\">I said I was &#8220;writing&#8221;<\/a>; I&#8217;m currently more failing at being able to exploit them (which is very good, I learn a lot at the moment). 
It seems I found crashes (with AFL) that are pretty hard to exploit. I&#8217;m currently looking at something that needs to be exploited through a <a href=\"https:\/\/www.win.tue.nl\/~aeb\/linux\/hh\/hh-11.html\" target=\"_blank\" rel=\"noopener\">free<\/a> call (I guess). Anyway, not a problem, I&#8217;ll just dig deeper. I just have to make sure that I keep doing crash analysis rather than setting up new fuzzers all the time&#8230; so much fun!<\/li>\n<li><a href=\"https:\/\/www.modzero.com\/modlog\/archives\/2015\/09\/24\/on_responsible_full_disclosure\/index.html\" target=\"_blank\" rel=\"noopener\">We went full disclosure on Good Technology<\/a>; we released <a href=\"https:\/\/www.modzero.com\/advisories\/MZ-13-03-GOOD-XSS.txt\" target=\"_blank\" rel=\"noopener\">an XSS from 2013<\/a> that enabled you to wipe all mobile devices of your company as a regular user (just an example). Additionally, I found <a href=\"https:\/\/www.modzero.com\/advisories\/MZ-15-03-GOOD-Auth-Delegation.txt\" target=\"_blank\" rel=\"noopener\">a new issue, an exported Android intent<\/a> (aka insecure IPC mechanism) that can be exploited under certain conditions.<\/li>\n<\/ul>\n<p>cheers,<br \/>\nfloyd<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi there Yes, I know, you didn&#8217;t hear from me for quite a while (apart from the usual Twitter noise). But I wasn&#8217;t lazy! Actually I feel like I need to get rid of a lot of information. 
Here&#8217;s what &hellip; <a href=\"https:\/\/www.floyd.ch\/?p=912\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[148,158,161,165,164,166,110,163,162,159],"class_list":["post-912","post","type-post","status-publish","format-standard","hentry","category-various","tag-afl","tag-android","tag-crass","tag-good-technology","tag-google-play","tag-insecure-ipc","tag-mona-py","tag-tiny-ssl-mitm-proxy","tag-wsadminlib","tag-xss"],"_links":{"self":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=912"}],"version-history":[{"count":12,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/912\/revisions"}],"predecessor-version":[{"id":1293,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=\/wp\/v2\/posts\/912\/revisions\/1293"}],"wp:attachment":[{"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.floyd.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}