The reason why your exploit does not work

March 24th, 2014 by Israel in General

This post explains why, in Java, most command line injection vulnerabilities cannot, in the most common cases, be exploited with:

  • && dir
  • ; ls

 

There are two options for running a command:

  1. Send the whole command line to the OS shell (cmd.exe or /bin/sh) and let the shell parse and run it.
  2. Split the command line into an array of words, execute the first word as the program, and pass the rest as its parameters.

 

The difference is when, for example, the command is:

Notepad.exe a.txt && dir

The first method runs both commands (it opens Notepad with the file a.txt and, if that succeeds, runs dir). The second method passes ‘&&’ and ‘dir’ as parameters to notepad.exe, so ‘&&’ and ‘dir’ are never executed as commands.

This is also the difference between the ‘system’ function in C, which works like the first method, and the ‘Runtime.exec’ function in Java, which works like the second.


Therefore in Java, if our code is "CmdInjection.java":

public class CmdInjection {
    public static void main(String[] args) throws java.io.IOException {
        Runtime runtime = Runtime.getRuntime();
        // args[0] is concatenated straight into the command string, unvalidated
        String command = "notepad " + args[0];
        System.out.println("\nOur command is: " + command + "\n");
        // exec(String) splits on whitespace and runs the first word as the program
        Process proc = runtime.exec(command);
    }
}

None of the shell’s special characters (&&, ||, >, <) will let you chain another command or redirect output to another file; they are all handed to notepad as plain arguments.


But… it is still vulnerable to command line injection. Even though you cannot run another program or command, you can manipulate the arguments. In this example, instead of opening the file, you can add the /p switch to print it, or /pt and choose a driver.

Since we want to pass a few words to our program as a single argument (we want to pass /p filename.txt and have all of it land in args[0]), we just wrap it in quotes. I added a println(command) that shows that the whole command was captured. Now we run:

java CmdInjection "/p a.txt"


Of course, we may be able to inject the shell’s special characters too, if the code is:

public class CmdInjection {
    public static void main(String[] args) throws java.io.IOException {
        Runtime runtime = Runtime.getRuntime();
        // the command line is now routed through cmd.exe, which parses it as a shell would
        String command = "cmd.exe /c notepad " + args[0];
        System.out.println("\nOur command is: " + command + "\n");
        Process proc = runtime.exec(command);
    }
}

In this case, Java calls the OS shell and gives it the whole command line to parse and run. The shell interprets special characters such as &&, so we can inject:

java CmdInjection "a.txt && dir"

Because of the quotes, the whole string (a.txt && dir) reaches CmdInjection as one parameter; the program passes it on to cmd.exe, which parses it as an ordinary shell command line.

Also note that in some cases you may need a second level of quoting: java CmdInjection "'a.txt' && dir"
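As an added example (not code from the original post), the following Java class reproduces the whitespace split that Runtime.exec(String) performs, so you can see where ‘&&’ lands in each of the two cases above, and shows a hardened launcher that uses ProcessBuilder with an argument array, never routes through cmd.exe /c, and rejects anything that is not a plain file name. The class name, the allowlist pattern and the base-directory rule are assumptions made for this illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.StringTokenizer;
import java.util.regex.Pattern;

public class SafeNotepadLauncher {

    // Runtime.exec(String) splits the command on whitespace with a
    // StringTokenizer (no shell quoting rules), then runs argv[0] with the
    // remaining tokens as its arguments. This helper reproduces that split so
    // the resulting argv can be inspected without executing anything.
    static String[] tokenizeLikeRuntimeExec(String command) {
        StringTokenizer st = new StringTokenizer(command);
        String[] argv = new String[st.countTokens()];
        for (int i = 0; st.hasMoreTokens(); i++) {
            argv[i] = st.nextToken();
        }
        return argv;
    }

    // Assumed allowlist: a bare file name from a conservative character set.
    // No path separators, no spaces, no leading '/' or '-' (so option
    // switches such as /p are rejected), no shell metacharacters.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}");

    static boolean isSafeFileName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches() && !name.contains("..");
    }

    // Hardened launcher: argument array instead of a command string, and no
    // cmd.exe /c, so nothing the caller supplies is ever parsed by a shell.
    static Process openInNotepad(Path baseDir, String fileName) throws IOException {
        if (!isSafeFileName(fileName)) {
            throw new IllegalArgumentException("rejected file name: " + fileName);
        }
        Path target = baseDir.resolve(fileName).normalize();
        if (!target.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        ProcessBuilder pb = new ProcessBuilder("notepad.exe", target.toString());
        return pb.start();
    }

    public static void main(String[] args) throws IOException {
        // The three inputs from the post: benign, argument injection, shell injection.
        String[] inputs = { "a.txt", "/p a.txt", "a.txt && dir" };
        for (String in : inputs) {
            System.out.println("input            : " + in);
            System.out.println("exec(String) argv: "
                    + Arrays.toString(tokenizeLikeRuntimeExec("notepad " + in)));
            System.out.println("cmd.exe /c argv  : "
                    + Arrays.toString(tokenizeLikeRuntimeExec("cmd.exe /c notepad " + in)));
            System.out.println("accepted         : " + isSafeFileName(in));
            System.out.println();
        }
        // Only launch Notepad when a single argument is given and it passes the check.
        if (args.length == 1 && isSafeFileName(args[0])) {
            openInNotepad(Paths.get("").toAbsolutePath(), args[0]);
        }
    }
}
```

Run it with no arguments to print the argv split for the three inputs; in the first case "&&" and "dir" are separate entries that notepad.exe receives as arguments, while in the cmd.exe /c case they become part of the line cmd.exe re-parses. With one argument it opens that file in Notepad only if the name passes the allowlist.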


X-Frame-Option is dead, long live Content Security Policy!

March 10th, 2014 by Tal Melamed in General

Clickjacking (a.k.a. UI redress attack) is an attack in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a different page while believing they are clicking the top-level page. The attacker is thus “hijacking” clicks meant for one page and routing them to another, probably owned by a different application and/or domain. With a carefully crafted combination of stylesheets, iframes, and text boxes, users can also be led to believe they are typing the password to their own email or bank account, rather than typing into an invisible frame controlled by the attacker.

Existing anti-clickjacking measures include frame-busting code and the X-Frame-Options header, yet X-Frame-Options cannot protect resources where the set of origins that should be permitted or denied is unknown, where attacks may originate from origins that a use scenario expects to permit, or where timing-based attacks involve multiple windows rather than multiple frames. Frame-busting scripts also rely on browser behaviour that was never designed to provide a security guarantee; such scripts may be unreliable if loaded inside a sandbox or otherwise disabled.

Content Security Policy (CSP) is a declarative policy that lets a web application restrict the behaviour of a document, e.g. the origins it may load resources from or the ways it may execute scripts. Its UI security directives control the presentation and interactivity of a resource while it interacts with the user, so that the resource cannot be used in an ambiguous or deceitful context created by spatial or temporal proximity to other content displayed by the user agent.

Multiple host-source values are allowed primarily to enable scenarios involving embedded application components that are multiple levels below the top-level browsing context. For example, consider a service application at https://service/api/embed/. The service allows this resource to be embedded by both merchant Paul and merchant Lisa, who compete with each other. Sending:

Content-Security-Policy: frame-options https://Paul https://Lisa

would allow Paul to re-frame Lisa’s resource and create fraudulent clicks, perhaps discrediting Lisa with her customers or the service. If the service used additional information (e.g. as part of a URL like https://service/api/Embed?merchant=Lisa) to send individually tailored headers listing only the host-source values needed by each merchant, this attack would be eliminated.
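The per-merchant header the previous paragraph recommends, as an added Java example that is not part of the original post: it builds a frame-options value from a constructed allowlist keyed by the merchant named in the request, falls back to 'deny' for any unknown merchant, and includes a small policy parser used as a server-side self-check that an outgoing policy never names another merchant’s origin. The merchant names and origins follow the post’s Paul/Lisa scenario; the directive name frame-options is the one from the draft the post describes (CSP Level 2 later standardised this as frame-ancestors), and the class and method names are assumptions.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class FrameOptionsPolicy {

    // Constructed allowlist: which ancestor origins each merchant's embed may
    // be framed by. Names and origins follow the post's Paul/Lisa example.
    private static final Map<String, List<String>> MERCHANT_ANCESTORS = Map.of(
            "Paul", List.of("https://Paul"),
            "Lisa", List.of("https://Lisa"));

    // Header value tailored to the merchant named in the request (the post's
    // ?merchant=Lisa case). A merchant not on the list gets 'deny', so a
    // mistyped or unknown name never yields a permissive policy.
    static String frameOptionsFor(String merchant) {
        List<String> sources = MERCHANT_ANCESTORS.get(merchant);
        if (sources == null || sources.isEmpty()) {
            return "frame-options 'deny'";
        }
        return "frame-options " + String.join(" ", sources);
    }

    // Splits a policy value into directive name -> list of source expressions.
    // Directives are separated by ';', values within a directive by whitespace.
    static Map<String, List<String>> parsePolicy(String policy) {
        Map<String, List<String>> directives = new LinkedHashMap<>();
        for (String directive : policy.split(";")) {
            String[] parts = directive.trim().split("\\s+");
            if (parts[0].isEmpty()) {
                continue;
            }
            directives.put(parts[0].toLowerCase(Locale.ROOT),
                    Arrays.asList(parts).subList(1, parts.length));
        }
        return directives;
    }

    // Server-side self-check: the policy about to be sent must name only the
    // origins the caller expects for this merchant, never another merchant's.
    static boolean framesOnly(String policy, Set<String> expected) {
        List<String> sources = parsePolicy(policy).get("frame-options");
        return sources != null && expected.containsAll(sources);
    }

    public static void main(String[] args) {
        for (String merchant : List.of("Paul", "Lisa", "Mallory")) {
            System.out.println("merchant=" + merchant
                    + " -> Content-Security-Policy: " + frameOptionsFor(merchant));
        }
        // The shared header from the post lets Paul frame Lisa's embed.
        String shared = "frame-options https://Paul https://Lisa";
        System.out.println("shared header safe for Lisa?   "
                + framesOnly(shared, Set.of("https://Lisa")));
        System.out.println("tailored header safe for Lisa? "
                + framesOnly(frameOptionsFor("Lisa"), Set.of("https://Lisa")));
    }
}
```

Running it prints a 'deny' policy for the unknown merchant Mallory, reports the shared Paul-plus-Lisa header as unsafe for Lisa and the tailored one as safe; wire frameOptionsFor into whatever sets response headers in your framework, keyed on an authenticated merchant identity rather than a bare query parameter.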

Other available policy headers within CSP:

  • To prevent the resource from being displayed in any embedded context, regardless of the origin attempting to do so (all other values in the directive are then ignored), use:

Content-Security-Policy: frame-options 'deny'

  • You can also instruct the user agent to apply heuristic UI-redressing protections to user input events such as click, keypress, touch, and drag before they are delivered to the resource, using the input-protection directive. For example, a resource that wishes to block delivery of UI events to the DOM element with the id “submitButton” and suggests a 15% tolerance threshold for determining obstruction sends:

Content-Security-Policy: input-protection element-id=submitButton tolerance=15

  • A resource wishes to receive reports when the UI Security heuristic is triggered for any element in the:

Content-Security-Policy-Report-Only: input-protection; report-uri https://example.com/csp-report?unique_id=12345

  • A resource wants to allow itself to be embedded by any resource between the protected resource and the top of the window frame tree (i.e. any ancestor) that is same-origin or from the origin https://check.out.me:

Content-Security-Policy: frame-options 'self' https://check.out.me

  • An example of the JSON violation report that the user agent might send to a server when the protected resource violates a sample policy:
{
  "csp-report": {
    "document-uri": "http://example.org/page.html",
    "referrer": "http://evil.example.com/haxor.html",
    "blocked-event-type": "click",
    "blocked-event-client-x": "325",
    "blocked-event-client-y": "122",
    "touch-event": "false",
    "device-width": "800",
    "device-height": "300",
    "blocked-target-xpath": "/html[0]/body[0]/div[6]/form[2]/input[0]",
    "violated-directive": "input-protection",
    "original-policy": "input-protection; report-uri https://example.org/csp-report.cgi?unique_id=12345"
  }
}

The updated Content Security Policy (CSP) has many more directives to help protect against clickjacking attacks. For more information, please refer to the W3C’s Directives for Content Security Policy.


Erez Metula is presenting at the International 2014 Cyber Security Summit in Tel Aviv, Israel

January 1st, 2014 by Jessie Pincus in Mobile, Presentations

On January 16th, 2014, Erez will be giving an important presentation on Android Hacking in Mobile Application Security.

Full logistical details can be found here: http://cyber-security-tlv-summit.events.co.il/save-the-date


We’d love to see everyone there and we’re looking forward to the exchange of ideas. For now, take a look at the Synopsis so you have an idea of what’s ahead!

Synopsis of his upcoming speech:

The mobile apps revolution has completely changed the way we use our mobile devices, that up until recently were used just to make phone calls. Mobile applications nowadays handle our most sensitive data – phone calls, SMS text messages, geographic location, financial information, internet browsing, etc., but the question is “How can we really tell how secure are those applications? Who can assure us they are not spying on us? Or, can it be abused by other applications taking advantage of security vulnerabilities in those apps?”

During this presentation we will answer such questions, while focusing on Android mobile applications. We will start by describing the threat model of mobile apps vs. traditional apps, then we’ll demonstrate a couple of common application level vulnerabilities, and the tools/techniques used to expose them.

Participants of this presentation will also witness the usage of the AppUse Android Penetration Testing VM – an open source virtual machine created by AppSec Labs for the sole purpose of pentesting Android applications.

 


Getting to know our experts: Chilik Tamir

December 15th, 2013 by Jessie Pincus in General, Interview

Over the last few years AppSec Labs has been building a strong reputation for excellence in the field of Application Security. We offer services including pen-testing and full code review. As we’ve grown we’ve increased our experience, branching not only from pen-testing, but to in-company training and e-learning. We’ve developed a product line in e-learning which we are selling world-wide, and we’re expanding our market.

So, it’s about time that we show you who we are and what motivates us to do what we do. This will be the start to a few blog interviews letting you (our community) get to know us (your community) BETTER. We hope you enjoy hearing more about us and we look forward to hearing more from you.

Keep in touch with us via Twitter and Facebook!

@AppSecLabs

https://www.facebook.com/appsec.labs.5

https://www.youtube.com/user/AppSecLabs/videos

Author: Jessie A. Pincus, International Sales Director and Academic Director, AppSec Labs

Getting to Know our Experts:

Chilik Tamir, Chief Scientist, AppSec Labs

Question: How did you originally get into the field of Cyber Security?
Chilik: It was a hobby that became a job.  I saw the WarGames movie back in the 1980’s and it intrigued me.

Question: Since you focus your research on the Apple iOS platform, what do you see as its main vulnerabilities, and where has it improved or made changes to compensate?
Chilik: Apple is beginning to implement security features that are set to ‘ON’ as the default setting, instead of relying on developers to officially turn them on. The pairing notification message and the protection class encryption are enabled by default. Until iOS 7 they weren’t enabled by default.

Question: What aspect of the field of Cyber Security initially grabbed your attention and made you say “I want to work in that field”?
Chilik: I wanted to exploit new technologies. The research of new technologies and the process of discovering their new vulnerabilities had so far been overlooked. The knowledge and know-how that you accumulate during the research efforts for the clients is translated into tools. This is the frontal role in the global area of application security and branches forward to a whole new continent through the identification of vulnerabilities, and the solution of problems that haven’t even yet been found. For me, it’s intriguing to think about new ways to uncover new vulnerabilities and the development of tools that enable the process to continue in the best possible way.

Question: What professional contribution do you hope to add to the field with your work? Do you have long-range goals for contribution?
Chilik: I believe that the key point of research is making it useful for end-users. Their acceptance and usage is the pass-rate for these tools. The users prove their worth. The key goal in security research is to produce tools that any security professional can use in a quicker and more efficient way.

Cyber Security Trends:
Question: What are you focusing your attention and activities on this month?
Chilik: I’m currently looking into Gap Analysis of iOS 7.02 and trying to map out updates for the iNalyzer framework know-how on to the iOS 7.2 operating system.

Question: What are the recent research topics and interesting findings that have caught your eye this month?
Chilik: I’m overwhelmed with Barnaby Jack’s sudden death several days before his talk at BlackHat concerning pacemaker vulnerabilities. In 2012 he published research about the remote exploitation potential of insulin pumps and heart pacemakers. The slides aren’t available online. From what I understand, the exploitation potential is completed via the Internet on a wirelessly connected pacemaker. I think medical device security is the next big thing and I find it funny that it’s in this way that my degree in Biomedical Engineering will end up being useful to me in my career.

Question: What are some new changes you’ve seen in the field of cyber and application security over the last year?
Chilik: I see how Awareness has grown. Development groups want more specific know-how about the security trade and what are the Do’s and Don’ts. Now we’re seeing it earlier and earlier during the development stages. That is, they want a black box test, and we are more and more integrated into the early stages of the development lifecycle. It’s an excellent change in perspective over the last few years.

Question: As of this month, what do you think is the top threat worth solving, and why?
Chilik: Consumer privacy is the hot topic for the upcoming months because of all the press on the NSA in the news and the misinformation that’s being aired. For example, Apple said they cannot read user messages, and that has been proven incorrect (i.e. “It seems that their declaration was inaccurate”). Privacy for the end-user and mobile user will be a crucial element over the coming months.

That’s all for now! Tune in next time to read the latest installment in our feature blog series, “Getting to Know the Experts.”

Have a productive week!


Getting to Know Our Experts: Erez Metula

November 6th, 2013 by Jessie Pincus in General, Interview

Blackhat 2013. Las Vegas, Nevada

Over the last few years AppSec Labs has been building a strong reputation for excellence in the field of Application Security. We offer services including penetration testing and full code review. As we’ve grown we’ve increased our experience, branching from pen-testing to in-company application security training and e-learning. We’ve developed a product line in e-learning which we are selling world-wide, and we’re expanding our market.

So, it’s about time that we show you who we are and what motivates us to do what we do. This will be the start to a few blog interviews letting you (our community) get to know us (your community) BETTER. We hope you enjoy hearing more about us and we look forward to hearing more from you.

Keep in touch with us via Twitter, Facebook, and YouTube!

@AppSecLabs

https://www.facebook.com/appsec.labs.5

https://www.youtube.com/user/AppSecLabs/videos

 

Author: Jessie A. Pincus, International Sales Director and Academic Director, AppSec Labs

Getting to Know our Experts:
Erez Metula, Application Security Expert, Founder of AppSec Labs

Jessie Asks: How did you originally get into the field of Cyber Security?
Erez Answers: I started coding at the age of 12. I was very interested in the subject of gaming and I got frustrated when I had to bypass stages in order to continue. So, I wondered how I could do it and I thus got into hacking and patching. Once I learned more I understood that it was all about coding. In order to do it properly I needed to be a developer, so I started learning Computer Science.

Jessie Asks: What aspect of the field of Cyber Security initially grabbed your attention and made you say “I want to work in that field.”?
Erez Answers: I was fascinated by new vulnerabilities and ways to exploit them.

Jessie Asks: What professional contribution do you hope to add to the field with your work? Do you have long-range goals for contribution?
Erez Answers: I really enjoy teaching people how to properly write secure code, investigate new discoveries, find new vulnerabilities, and figuring out how to demonstrate them to other people. It’s not a trivial subject since the reconstruction of the entire scenario and the building of the proof-of-concept can be very intricate.

 

Cyber Security Trends:

Jessie Asks: What are you focusing your attention and activities on this month?
Erez Answers: I’m focusing on Android Security as a whole. I’m creating new, updated content for our ongoing training courses based on what’s happening now in the field. I’m constantly constructing and improving our AppUse Android penetration testing platform and tools.

Jessie Asks: What are the recent research topics and interesting findings that have caught your eye this month?
Erez Answers: I learned a lot of new things about Android internals lately. It’s really cool. Regarding interesting findings, I guess the router backdoors found in many network devices, the fact that the devices come with built-in hidden surveillance capabilities, and the whole espionage fiasco between the USA and other nations made me start to think that everyone is eavesdropping on everyone these days. There are no secrets anymore.

Jessie Asks: What are some new changes you’ve seen in the field of cyber and application security over the last year?
Erez Answers: I’ve noticed that developers are more aware of the overall challenge. They understand the importance, the basic vulnerabilities, and the countermeasures needed. They are getting more involved in more advanced topics now. Management of the companies has become more focused and important.

Jessie Asks: As of this month, what do you think is the top threat worth solving, and why?
Erez Answers: I think the main threat is the fact that there is so much personal information out there and available. Most people don’t know what’s going on with that personal information, what happens to it when it’s sent back to the servers, and what those collection companies are doing with it. The threat is real and it’s being taken advantage of on a daily basis. The fact that there are still so many people who don’t pay attention or aren’t aware of the state we’re in is the major threat.

Jessie Asks: Where do you think researchers should focus their attention overall in the field of Cyber Security for the next 3 months? Why?
Erez Answers: I guess that field would be mobile application security. As mobile computing is new, we as security experts know less about this in comparison to “traditional” applications such as web apps, desktop apps, etc. Mobile apps are riskier than web apps (their server side contains all the vulnerabilities in a similar manner as other web apps PLUS additional client side vulnerabilities related to mobile apps).

That’s all for now! Tune in next week to read the latest installment in our feature blog series, “Getting to Know the Experts.”
Have a productive week!


SSL Vulnerabilities Analyzer 1.1 published

December 28th, 2012 by Israel in Tools

Hi people

After a few months of work and research we have updated the SSL Analyzer tool to version 1.1. So, here is a description about the SSL Analyzer and who should use it.

SSL Vulnerabilities Analyzer

What is it?

This tool was created for penetration testers and for site administrators who want to check whether their server allows the use of insecure SSL algorithms.

SSL is meant to prevent attackers from reading or changing the traffic between the client (computer/mobile browser) and the server, but if the server allows insecure algorithms, an attacker can force the browser to use them and break the encryption (as the name says, they are insecure algorithms…).

Easy to use

SSL Vulnerabilities Analyzer has a nice interactive interface that makes it easy, also for non-technical people, to run it and check whether the server accepts insecure algorithms.

Source code

SSL Vulnerabilities Analyzer is shared together with its source code under the GPL v3 license, as a gift back to the open source community.

Download

You can download the current version (1.1) from here: SSL Analyzer version 1.1 zip

For more details, source code and versions, please visit the dedicated area in our website: https://appsec-labs.com/SSL_Analyzer

To-do list

Well, I plan to add some more tests, such as the secure flag on cookies, cache header policy, renegotiation and more; you are invited to send feedback if you want one of them first.

If you have any thoughts, please let me know.

Israel Chorzevski

Penetration Testing Team Leader


Wardriving? Apple? Really ??

September 27th, 2012 by Chilik in Mobile


Advanced iPhone Hacking with iNalyzer

September 27th, 2012 by Chilik in General, Mobile, Presentations, Tools

The slides from my OWASP Israel 2012 talk “Advanced iPhone Hacking with iNalyzer” have been uploaded and are available here.

The iNalyzer iPhone testing tool that was presented in the talk can be downloaded directly from here (you will need Graphviz Dot and Doxygen installed on your PC/laptop).
Here is an installation video (currently no sound..):
iNalyzer Installation and usage

Here is a small demo of iNalyzer Vs. iSafePlay
iNalyzer Vs. iSafePlay
Enjoy,
Chilik


Domain hijacking & Range attack by cPanel

February 27th, 2012 by Israel in General

cPanel routes the requests that reach the server to the correct account according to the domain. Of course, the account owner must declare that the domain belongs to him. To verify that the domain really does belong to him, cPanel offers two options (without an EPP code):

    1. To refer the domain DNS to the DNS storage server.
    2. To create a randomly-named file on the domain, created by cPanel, which is unique per-user.

cPanel assign domain options

I will go into some detail regarding the first option.
To move from one hosting provider to another, the site owner performs the following steps:

    1. Creates a copy of the website in the second storage.
    2. Forwards the domain to the second storage (DNS referral).
    3. Waits for DNS servers to be updated.
    4. Connects to the new storage cPanel and takes ownership of the domain.

You can immediately notice that this option has no authorization check: in the critical step, step 4, any other user of that cPanel can take ownership of the domain.

Even if the site owner discovers this and complains, serious damage can be done within minutes.
Using email:

    1. Sending and receiving email from the stolen domain can be exploited for social engineering to phish passwords, which remain useful even after the victim takes the account back.
    2. Creating an SSL certificate for the site using mail addresses such as admin@victim.com / ssladmin@victim.com, and using it for MITM long after the victim takes his account back.
    3. Sending spam; it will take a while before the domain is removed from spam lists.

Using the site itself:

    1. Phishing users’ account credentials; afterwards, all users need to set a new password.
    2. Inserting malware, which will cause the website to be rejected by search engines; it will take a while to get it re-approved.
    3. Defacing the website.

Range Attack
The attacker will scan websites located on shared hosting, record each domain’s IP, and write a small script that periodically checks whether the domain’s IP has changed. As soon as the IP changes, it is reasonable to assume that the website has moved to a new hosting provider. Now the attacker must quickly create an account with the victim’s new hosting provider, link the domain to it and… DONE.

P.S. Another problem that exists on cPanel is that the TOKEN protection against CSRF is performed via OPT-IN, which leaves most of the storages vulnerable to serious CSRF – but that is an entirely new subject…


Tampering 101 – Automated binary protocol analysis of web applications (Chilik’s talk @ OWASP Israel 2011)

October 18th, 2011 by Chilik in Tools

The slides from my OWASP Israel 2011 talk “Tampering 101 – Automated binary protocol analysis of web applications” have been uploaded and are available here Tampering101_slides.

The Belch automation tool that was presented in the talk can be downloaded directly from SourceForge at the following link: Belch – Burp ExternaL CHannel v1.0.12

Enjoy,
Chilik

