Surveying CodeCanyon Scripts – XSS, LFI, SQLi & More

August 2, 2015

Introduction

Have a job for me? Check my about page for contact.

CodeCanyon is a well-known marketplace for code such as PHP scripts. I’ve taken a little of my time this week to check through “new” items coming through, as well as some popular and random scripts. I decided I would not do an extensive penetration test on each script, but simply see how fast I could find a vulnerability in each one. I didn’t spend longer than half an hour on any script I chose to look at. In total I found 17 vulnerabilities without any scanners or automated tools; this was simply me and the browser.


Bypassing Client Side Adblock Protections

July 30, 2015

I recently have been seeing similar messages from various stream providers that look like this: an intriguing message telling you the stream provider has identified that you are running an adblock extension and that you should unblock them to have full features. This is a fair enough response, as most stream providers make their money from advertisements, but it is trivially bypassed.


We can use Inspect Element to fully understand what’s going on. One of the biggest identifiers is the word “mask”, which makes me want to investigate further. Looking at the CSS rules, I can change various values.

I changed the width, which directly affected the message, as we can see below.

The mask element has a CSS property, position:absolute, which if disabled allows us to view the page normally. It is a very simple CSS trick to stop normal viewers from keeping adblock on, but adblock developers could easily bypass such protection. For this to be effective in getting adblock viewers to see adverts, there needs to be a server-side aspect to the protection. Client-side protection is useless because, of course, it’s client side.


CyberGhost VPN – I got 99 Problems and I’m sure SSL is one

July 19, 2015

CyberGhost VPN’s website says it’s one of the most ‘trusted and secure VPNs in the world’. I decided to question this and see how that claim could be incorrect. One thing I did not like the sound of was the advertising feature shown to users when they connect to the service; this seemed a viable vector for tracking users, so I looked further.

Straight after installation there is a mixture of requests, one of them being the download of ‘Additional Components’. These use HTTP instead of HTTPS, which is strange, and I’m unsure why, because a certificate is installed and HTTPS is used later on.

We are then given a choice of HTTPS or HTTP when going to the start-up page; the HTTP option is where something like sslstrip could be used as a vector. The code later redirects to a logging image. This code is used to track the user and log their times, mostly for the advertising, but it also gives away a userid value at some points.

The SSL certificate isn’t even owned by CyberGhost VPN but by Cloudflare. Cloudflare haven’t got the greatest track record for SSL security, and I thought that for the biggest VPN this would be a priority.


Visiting https://advertiser.cyberghostvpn.com redirects you to the admin login, which hands attackers a clear and easy way to find the admin folder, where the page source provides a piece of information vital for fingerprinting the server. I couldn’t see any rate limiting on the login or on the ‘forgot my password’ feature, which could allow bruteforcing as well. All round, a bad start for security at advertiser.cyberghostvpn.com.


One thing to learn from a quick glance at CyberGhost VPN, they’re not all that.

EDIT: CyberGhost VPN provided me a response within 24 hours. I like to keep things open in these instances, although there are still some things I disagree on.

Email #1

Hi there,

Just stumbled upon your blog post “CyberGhost VPN – I got 99 Problems and I’m sure SSL is one” and found it quite interesting. Thanks a lot for critically looking at our declarations about privacy. That’s what we always encourage our users to do and that’s one of the basics that helps us to improve over time.

For your information you might like to know the following:

– Yes, it’s true, we are using advertiser to deliver ads, but you should know that we solely use our own advertiser to deliver our own offers.
– It’s also true that we look for updates via non-SSL connections – but all our updates are digitally signed. So the non-HTTP requests you saw are made by our update system that uses HTTP to bypass problems. For security the update itself is signed with a private key, the corresponding public key is integrated into CyberGhost (an RSA key only used for this intent, not a public certificate, which can be faked). Every update will be checked before applying.
– The additional components you saw are due to the installation of the Gecko engine. (Per default CyberGhost operates with the Internet Explorer engine. If the Gecko engine is being demanded, it means that you either use Windows XP or at least an outdated version of IE.)

Response #1

Thanks for responding to the article so quickly, many just ignore the articles and update silently. That’s why I didn’t send an email out to CyberGhost, it’s good to hear that you are happy about the article.

1. Although you have slightly rectified that right now by 403’ing the redirects, I didn’t like how open your service was for attackers. Although I didn’t try extensively, it seemed rather too easy to find the admin panel and bruteforce some logins for my liking.

2. I still don’t understand why HTTPS was not used as well as your signing, as most of your other requests are HTTPS.

I don’t think you should provide the option of either HTTP or HTTPS in advertiser (http://itsjack.cc/blog/wp-content/uploads/2015/07/b.png). As I’ve outlined in the article, have you thought about changing your Cloudflare SSL?

Email #2

Again, thanks for being aware of things. Some mentions you might be interested in:

In our opinion there is no need to change the Cloudflare SSL certificate – except one wants us to pay $ 1.000 per year just for using our own certificate. After all, we are still a start up and have to be sure to whom and at what time we throw our money at.

There had been no attacks on the advertiser yet, for sure no successful ones, and since we don’t use dummy credentials one can bruteforce us until the sun dies and still won’t find a combination that works 😉

Also, the update process had been spared for a reason. Why risk running into troubles by using SSL when there is no real need to? And since there are no private data or any secret bits involved or even transferred the self signed updater is really enough. You convinced us that it might be cool, but at the end of a long day coolness has to stay behind effectiveness for some more time 😉

Seriously, be assured that we value your work and input – and even though we won’t react at the time being, because we have a different opinion, it doesn’t mean we won’t come back on this topic. Your thoughts have entered our mind and might do their work in time, laying base for a change in your direction …

LuminosityLink – Extracting The Config of 1.0 and 1.1

June 4, 2015

RATs are often not taken seriously within malware analysis, in my opinion. I’m not trying to go all APT on everyone here, but groups doing large-scale operations still use these as a simple and easy way to control systems. Take all these articles with a pinch of salt, but it’s evident that it’s not just skids that use Remote Administration Tools. Many will use such tools because of how easy they are to use; they can be a gateway to initial infection, after which an attacker will launch a more specialist strain of malware into the system to perform the original task.

Article #1

Article #2

Article #3

I decided to look at an emerging “stable” RAT that was released in early April. It’s called LuminosityLink, and the developer has previous experience in malware as the author of the malware named “PLASMA HTTP”. I found an XSS vulnerability in that particular strain of malware and was able to take over some panels and kill some botnets. It slowly dried up; I did not follow it religiously, so I’m not fully aware of why they stopped releasing updates for PLASMA HTTP. Perhaps they needed a break or did not like coding an HTTP bot; nevertheless, they strayed to RATs, and LuminosityLink has gained traction.


When I Analysed Firmware And Found A Complete DDNS Server Fail

May 29, 2015

I am continuing the research I provided in this post. I have some notes before we go into this, as I’d just like to point a few things out.

I’ve censored the hosts because I don’t have money for a lawyer, but I think it is vital to release this information. This post is aimed at waking people up to the fact that embedded devices are no joke; I haven’t been looking at these for long and already realise how disastrous a lot of these products are. Without proper security the biggest victim in all of this is the end user, the people who bought the product, who do not know the technicalities of these problems and remain unaware that they are at risk. This is why I decided to release this research, not for ego or 1-ups. I should say right now that I did not modify or change any values within this system.


Soundcloud Gives Me Everything For Free

May 7, 2015

I have little time for looking at CCTV systems, so I thought I should update this blog with something that took me about 2 minutes to do. Soundcloud is a great website that I’ve used for a couple of years now; you should all know it by now, as a lot of emerging music is on there. I decided to investigate how easy it would be to get the audio of a track with the download option disabled and, sadly, it was painfully easy. For this test I will be using tracks I’ve uploaded to Soundcloud myself, so nothing wrong there. I was originally going to make a YouTube video on this but feel it’s too risky with YouTube’s strict rules.

The first place to start is to open up the source and see what’s happening from there. I came across this; it’s one of the first few lines. This shouldn’t work, as I’ve disabled the download option.


This is the correct response, I can’t just download something through the API when it’s disabled so I’m happy that this feature works.


So the next thing I chose was to track what’s happening with the Network feature in Firefox, a great feature for capturing something like this and understanding how the system works. I intentionally wait until the page has loaded before clicking play on a track; this helps distinguish anything of relevance, although there is a possibility it’s already been loaded.


Checking the type in the Network feature is also important; it helps you understand what the web application is doing. As we can see from the screenshot above, the “mpeg” type is delayed, probably because it is trying to load the whole audio (some web apps do it differently). The mpeg is the actual audio, but for creating a Soundcloud downloader it doesn’t give us many clues. Another interesting part of these requests is the JSON request.

https://api.soundcloud.com/tracks/197144403/plays?policy=ALLOW&client_id=b45b1aa10f1ac2941910a7f0d10f8e28&app_version=d71942f

The API needs a track ID, which we can get (check the source, first picture). The client ID and app version are not unique to us; I checked with a Google dork and saw requests with the same client_id. When requesting this API we get a “http_mp3_128_url” and a “preview_url”. We of course want the first; the response you will get is something like this.

{“http_mp3_128_url”:”https://cf-media.sndcdn.com/48IpIAsFWirw.128.mp3?Policy=(random)__\u0026Signature=(random)__\u0026Key-Pair-Id=(random)”,[redacted preview url]}

I have obviously modified things to make this easier. The first thing I notice is the \u0026, which is simply the Unicode escape for “&”. If you’re confused by the (random) replacement, this is what an actual response looks like.

If we copy the “http_mp3_128_url” value and replace the \u0026 with &, we are pleasantly surprised with an mp3 which plays. This allows us to create an automated downloader, as we are simply making an API call to the URL. We do not have to be logged in or have cookie values; I’ve tested with the Tor browser and it seems to go swimmingly. One thing to note is that if you wait too long after the API call you won’t be able to get the mp3; you will instead be given a not-authorised message. This makes sense: if you have just clicked the play button and it has sent a JSON request, it shouldn’t take longer than a second.

If you’re no later than a few minutes, you should have a track you can play nicely.

Unpacking CCTV Firmware

April 25, 2015

I’ve been increasingly interested in firmware and have stated in my previous articles that I would write an article on unpacking and hacking firmware. I thought this would be a good start. This isn’t some old firmware: the build date is February 2015 and it has some interesting features. I see a lot of people writing articles on routers and thought I’d change things up a little and look at CCTV.

First of all, the firmware for this brand is publicly available, which is obviously great for me, and it includes some release notes and an image file. The first thing I notice when looking through the hex is this:

Having a little search through the internet, I find it’s a particular processor which is optimised for such things as CCTV monitoring. Nothing else grabs my attention after this; I can’t find any magic numbers manually. So I move on to what most people do and look to binwalk to identify for me what I have in this .img file.

It seems we don’t have a whole lot of work on our hands in extracting this; it looks like just some simple compression. I had a hunch but wanted to be fully sure of the entry points (manually checking entry points is annoying). Potentially you can view the .img to see that gzip is used, as there are many strings to give it away.

Edit: Someone has pointed out that gzip strings don’t necessarily mean gzip. You must still search for a magic number.

After using binwalk’s extract functionality I was presented with 2 files. The first file I checked seemed to be a simple tar archive, and it was easy enough to just use tar to extract its contents. So far, so good.

The other file returned just “data” when trying to identify it. I decided to delve back into a hex editor and found a magic string that looked like a SquashFS file system. I also found some paths that would relate to a file system.
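The edit above makes the important point: a “gzip” string in a dump proves nothing, only the magic bytes and a header that actually parses do. The following is an added example (not code from the original post) that scans a blob for the three containers this firmware turned out to contain, gzip, tar and SquashFS, and validates each hit the way binwalk’s signature checks do instead of trusting the bytes alone. The sample image is constructed inline; only the SquashFS v4 superblock layout is validated.

```python
import gzip
import io
import struct
import tarfile
import zlib

# Added example, not the post's own code. Layouts assumed: gzip member = 1f 8b,
# method 08, reserved flag bits zero; SquashFS v4 superblock = "hsqs"/"sqsh", counts,
# block size, compression id, block log, flags, id count, version; ustar = "ustar"
# at offset 257 of a 512-byte header carrying an octal checksum of that header.

def find_gzip_members(image, probe=4096):
    """Offsets of 1f 8b hits whose header parses and whose data inflates."""
    hits, start = [], 0
    while (off := image.find(b"\x1f\x8b", start)) >= 0:
        start = off + 1
        if off + 10 > len(image) or image[off + 2] != 8 or image[off + 3] & 0xE0:
            continue  # not deflate, or reserved flag bits set: the magic is a coincidence
        try:  # wbits 31 makes zlib parse the gzip header; trailing bytes are ignored
            zlib.decompressobj(wbits=31).decompress(image[off:off + probe])
        except zlib.error:
            continue  # header looked right but the stream does not inflate
        hits.append(off)
    return hits

def find_squashfs_superblocks(image):
    """(offset, version, compression id, block size) for valid v4 superblocks."""
    hits = []
    for magic, endian in ((b"hsqs", "<"), (b"sqsh", ">")):
        start = 0
        while (off := image.find(magic, start)) >= 0:
            start = off + 1
            if off + 32 > len(image):
                continue
            f = struct.unpack(endian + "4sIIIIHHHHHH", image[off:off + 32])
            block_size, comp, block_log, major, minor = f[3], f[5], f[6], f[9], f[10]
            # Only the v4 layout is checked; v2/v3 superblocks are laid out differently.
            if block_size == 1 << block_log and 1 <= comp <= 6 and major == 4:
                hits.append((off, f"{major}.{minor}", comp, block_size))
    return hits

def find_tar_headers(image):
    """(offset, member name) for ustar headers whose checksum verifies."""
    hits, start = [], 0
    while (off := image.find(b"ustar", start)) >= 0:
        start = off + 1
        hdr_off = off - 257
        if hdr_off < 0 or hdr_off + 512 > len(image):
            continue
        hdr = image[hdr_off:hdr_off + 512]
        try:
            stored = int(hdr[148:156].strip(b"\x00 "), 8)
        except ValueError:
            continue
        # The checksum is the byte sum of the header with the chksum field read as spaces.
        if sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:]) == stored:
            hits.append((hdr_off, hdr[:100].split(b"\x00", 1)[0].decode()))
    return hits

def build_sample_image():
    """Constructed blob: real gzip member, decoy 'gzip' string, fake 1f 8b, tar, SquashFS."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info, data = tarfile.TarInfo("etc/lighttpd.conf"), b"server.port = 80\n"
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    sb = struct.pack("<4sIIIIHHHHHH", b"hsqs", 12, 0, 1 << 17, 0, 1, 17, 0, 1, 4, 0)
    return (b"\x00" * 64 + gzip.compress(b"kernel image bytes") + b"\x00" * 32
            + b"gzip: decompression failed\x00" + b"\x1f\x8b\x09\x00bogus"
            + b"\x00" * 16 + buf.getvalue() + sb + b"\x00" * 16)
```

Run the three finders over `build_sample_image()`: the decoy string and the fake 1f 8b are rejected, while the real gzip member, the tar header and the SquashFS superblock are reported with their offsets.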


I extracted it with binwalk and it was full of .crt files and a config file. Edit: This is the kernel config file.

A little nosey around the file system and I find something interesting. To run a web interface for the user, the firmware runs Lighttpd; this lets it serve the interface with a lightweight web server.

In the web directory, the first thing that strikes me is the lack of a robots.txt. I’ve just checked and have found multiple sites running this particular software. I could share dorks, but some of these sites are charities, so I’ve decided not to. I’ll show what it looks like, though; it runs on Java, which isn’t... amazing. Most have not implemented it with authentication (at least the ones spidered).

I decided I didn’t want to destroy the system (I’m only looking), and decided to just view “Live View”. Nothing spectacular about it, but still, it’s a CCTV with no authentication. This is down to the CCTV administrators, not the manufacturer, although a robots.txt wouldn’t go amiss here.

Depending on what device you are using and where you are located, you get a different Java applet. It goes through some trivial checks on what device you use (although obviously the check doesn’t have to be extensive) before giving you a version that suits you. Mobiles are not served with an applet when viewing it in a browser; instead it simply gives you a “setup” option.


The applet itself drops a .dll into your home folder, in a folder called “CWS”. Nothing too major about the applet; nothing was obfuscated, so a simple read-through with JD-GUI will do for me.

On further inspection of the .dll file, it seems it’s packed with a common packer that a lot of people use, UPX. This could be a potential problem, because dropping a .dll from Java which is packed by UPX could set off a few AVs. UPX is widely flagged as either malicious or PUP by AVs due to the sheer amount of malware that uses the packer. Customers may be turned away if the Java applet keeps getting detected as malicious. UPX is really easy to unpack, so I won’t show anything here. What I do see is that it seems an outsourced job: there are many comments in the PHP code which seem to be Korean and, although it’s nothing much, the language on the binaries is Korean.


I haven’t had much time to look at reversing the files yet, but it was very easy for me to just view the camera, although I am unable to control it. Privacy issues exist because people are not correctly protecting the machine with authentication. The code seems very rushed or unorganised. There is a page that shows you all the information about the device, which can be used by an attacker to find specific flaws. I’m also given a list of all buyers of this software, so I can exploit their systems too!

That’s all from me for now.

The Poor Mans Spotify Premium

April 10, 2015

I left this, if you could call it a vulnerability, for a couple of months. I haven’t gone through every single piece of code in the new version, but I think Spotify have patched this in their latest versions. When I was studying at my local college, I didn’t have mounds of money and tasked myself with finding ways to defeat the Spotify limitations on my phone. A little overview of Spotify Free on a phone: you basically can’t choose a specific track, can only skip a few times, and tracks are played on shuffle.

If any of you have reversed APKs before, you’ll know there’s one tool up for the task, apktool; a lot has changed since I last used it, and that was only a few months ago. One interesting thing to note is that I didn’t decode the resources: doing so breaks the decompilation process that apktool is running, and you will be unable to correctly re-compile the apk if it is done. The -r argument is therefore needed to ensure we don’t decode the resources. Like most things, I tried looking into the ins and outs of the Spotify code, but what it usually boils down to is finding a simple vulnerability.

Spotify released a web application around the same time I was looking into the apk, and I gave it a little look. I found Spotify’s URI format and thought this could be useful when trying to change values in the mobile app. It indeed was, as we’ll find out in a moment.


I’m using version 0.7.9.1170; there have been a vast number of different versions since, and I haven’t checked where it was patched. I’ve only tested 0.7 and the latest as of 10/04/2015. For this vulnerability, we’re interested in the folder /assets after we have decompiled the apk successfully with apktool. Your folders may look different; I have built from this folder before, so there are many folders that may not be there in the screenshot.

In it is a file called licenses.xhtml, which is basically a file listing all the different software that may have been used to create the app. You can view it by going to Menu > Settings > Licenses. This allowed me to append some HTML into the app without doing too much with smali code. Sounds like a dream to me. Although, I believe in this version you are restricted with JavaScript. So JavaScript is a no-go; what can we use to defeat Spotify’s premium functionality? I chose links. My general thought process was that the app interprets Spotify URIs like it does in the web app, so I edited the HTML page and changed it like so.

I then compiled and signed my app and put it on Dropbox to be downloaded to my phone. It’s self-signed, so you will have to enable “Unknown Sources”; you can just enable it “just once”. Once installed, I logged in to my free Spotify account and it worked: I could play the tracks I wanted, when I wanted. Another glitch in the system is that once you’ve played a track through this, you can’t select it again. What do we do to resolve this? We delete the cache, log in again and we can replay the track. Not the most efficient way of bypassing something, but, as a student, I thought it was good enough for my needs. I uploaded a demo, and the reason I uploaded it to Dailymotion is that I know YouTube would probably take it down.

TR-069 with Routers – Informing Isn’t Always Best

April 5, 2015

I first became interested in “router hacking” in the past few weeks, and I’m going to have future posts on my findings because it’s such an interesting area that I don’t think enough people look at. I first started getting interested in analysing routers and dissecting their inner workings when I was watching a DEFCON 22 talk on the TR-069 protocol. If anyone hasn’t seen it, I have it below. The TR-069 protocol allows your ISP to interact with your CPE (Customer Premises Equipment), essentially your router. One of the big things it’s used for is upgrading the firmware on your router; can we see something wrong with that?


Malware Isn’t All Fireworks

March 15, 2015

As with most of my articles commenting on the infosec area, I’m writing from my own experience; I’ve been looking into infosec daily for about 2 years and it is the nearest thing I have to a job. An increasing number of people from different backgrounds, from network/system administration to a 14-year-old school kid, seem to be interested in information security. So they should be: it is a growing sector of the IT community, it pays well and has some fairly interesting aspects to it. Malware analysis is steadily becoming a hot topic in infosec due to the number of threats it produces each year; in 2014 PoS malware boomed and several major companies around the world were affected (not naming any names 😉). With media coverage gradually growing on topics such as malware, it seems that, just like me, more people are coming out and commenting on the state of the malware sector. One thing I hear very commonly is simply:

“Advanced malware uses 0-days and sophisticated methods to connect to the command and control server.”
